Spam Hunter

Viagra, penis enhancements, porn, mortgage rates, and much more are shoved into my inbox every day. I'm not trying to win the spam war. I just like to vent by choosing one email a day, tracing down the jerk who sent it and publishing any antics that ensue.

Tuesday, March 22, 2005

Re: Pharamacy[33:34]


Delivered-To: jake@domain.com
Received: (qmail 15747 invoked from network); 22 Mar 2005 17:14:52 -0000
Received: from unknown (HELO kaytonelectric.com) (81.158.238.67)
by loop.phpwebhosting.com with SMTP; 22 Mar 2005 17:14:52 -0000
From: "Zofia Flood"
To: "Dionysodoros Huff"
Subject: Re: Pharamacy[33:34]
Date: Tue, 22 Mar 2005 12:11:16 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0008_01C52E1D.42405FCE"
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

Hello , Visit Our PharmmacyByMailSHOP and Save 75%


Normally these types of URLs are meant to make someone think they are accessing a more reputable site. Generally they are in the same field that they are pitching their wares from. So this one is a bit confusing. wc.com is the home of Williams & Connolly, which is a large litigation firm. The spam is obviously trying to sell prescriptions, so I'm not really sure what they are trying to do here. Maybe bypass filters?

The domain is owned by Richard Syke:
Domain Name : bodpartatthe.com

::Registrant::
Name : Richard Syke
Email : richard_syke@yahoo.com
Address : 27/F One Pacific Place,
Zipcode : HK
Nation : HK
Tel : 1-888-242-0845
Fax : 1-888-242-0845

::Administrative Contact::
Name : Richard Syke
Email : richard_syke@yahoo.com
Address : 27/F One Pacific Place,
Zipcode : HK
Nation : HK
Tel : 1-888-242-0845
Fax : 1-888-242-0845

::Technical Contact::
Name : Richard Syke
Email : richard_syke@yahoo.com
Address : 27/F One Pacific Place,
Zipcode : HK
Nation : HK
Tel : 1-888-242-0845
Fax : 1-888-242-0845

::Name Servers::
ns0.vocalerformancare.com
ns1.vocalerformancare.com

::Dates & Status::
Created Date 2005-03-21 07:20:28 EST
Updated Date 2005-03-21 07:20:28 EST
Valid Date 2006-03-21 07:20:28 EST
Status ACTIVE

The 'contact info' page lists the address as:
Palm Grove House, P.O.Box 438, Road Town, Tortola, British Virgin Islands

There is a secure code field in the form, so one cannot spam them from the web form.
IS THIS IRONIC TO ANYONE ELSE?

It's like a mugger concerned about being pickpocketed. The system is badly designed, though.
The image is created by going to a page called secure.asp. This page takes a parameter which looks like MIME encoding or something. The same parameter creates the same image every time. So if one knows what the letters are encoded with, then they will be able to "guess" the secure code by deriving it from the URL supplied for the image.
Example:
http://www.bx.wc.com.bodpartatthe.com/aspx/secure.asp?text=UhYuh1t=
AB392

http://www.bx.wc.com.bodpartatthe.com/aspx/secure.asp?text=UTYuh1t=
Bb392

OK, before breaking this... well, I guess it could be classified as crypto, but that's sort of stretching the term... let's have some fun with their processes.
7 characters and we can just generate our own "image maker". It actually takes more than 7 characters. Since it's aspx (IIS6) there is a sanity check on the length of the URI. So just putting a few thousand characters got this response:

Request-URI Too Large
The requested URL's length exceeds the capacity limit for this server.

request failed: URI too long


This one works though:

It takes a few seconds to generate too! Let's loop that a few times and see what happens.

OK, that's looping. Now let's look at this wonderful crypto system. It's using an example pasted from the MSDN site on How to Store an Encrypted Connection
Essentially it's just base64 encoded with a cipher. So I know the input and output values and could just brute force my way through this. I'm going to investigate and see if there is a more elegant solution. Cryptanalysis is really not my strong suit.
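To make the design flaw described above (and in the secure.asp example earlier) concrete, here is an added Python sketch that is not the site's code: a repeating-key XOR and a made-up key stand in for whatever cipher secure.asp really uses. It contrasts a CAPTCHA whose URL parameter is a reversible encoding of the answer with one that keeps a random answer server-side behind an opaque handle, expires it, consumes it on first check, and bounds the parameter length before doing any image work.

```python
import base64
import hmac
import secrets
import string
import time
from typing import Dict, Optional, Tuple

# Constructed toy cipher: the page only says "base64 encoded with a cipher", so a
# repeating-key XOR stands in for it. The key is made up, not the site's.
_FLAWED_KEY = b"pharma"

def _xor(data: bytes) -> bytes:
    return bytes(b ^ _FLAWED_KEY[i % len(_FLAWED_KEY)] for i, b in enumerate(data))

def flawed_param(code: str) -> str:
    """Broken design: the image URL parameter IS the answer, just disguised."""
    return base64.urlsafe_b64encode(_xor(code.encode())).decode()

def flawed_recover(param: str) -> str:
    """Same parameter, same image, same answer: whoever sees the URL can undo it."""
    return _xor(base64.urlsafe_b64decode(param)).decode()

# Hardened design: the URL carries only an opaque random handle. The answer is
# generated server-side, stored with an expiry, and consumed on the first check.
_CHALLENGES: Dict[str, Tuple[str, float]] = {}
_ALPHABET = string.ascii_uppercase + string.digits
MAX_PARAM_LEN = 64  # reject oversized parameters before doing any image work

def new_challenge(ttl_s: float = 300.0) -> str:
    handle = secrets.token_urlsafe(16)  # unrelated to the answer, so it leaks nothing
    answer = "".join(secrets.choice(_ALPHABET) for _ in range(5))
    _CHALLENGES[handle] = (answer, time.monotonic() + ttl_s)
    return handle

def render_image(handle: str) -> Optional[str]:
    """Stand-in for secure.asp: returns the text to draw, or None for a bad handle."""
    if len(handle) > MAX_PARAM_LEN or handle not in _CHALLENGES:
        return None
    return _CHALLENGES[handle][0]

def verify(handle: str, submitted: str) -> bool:
    entry = _CHALLENGES.pop(handle, None)  # single use, whether or not it matches
    if entry is None:
        return False
    answer, expires = entry
    if time.monotonic() > expires:
        return False
    return hmac.compare_digest(answer.encode(), submitted.strip().upper().encode())
```

In the hardened version the handle in the URL is random and independent of the answer, so seeing (or replaying) the image URL tells an automated poster nothing about what to type.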


UH OH!
Error: 500 read timeout
Error: 500 Can't connect to www.bx.wc.com.bodpartatthe.com:80 (Bad hostname 'www.bx.wc.com.bodpartatthe.com')

I was probably just firewalled off. Hey, maybe that means I won't get any more spam from them!! Hooray!