powerful enlargement
X-Account-Key: account2
X-UIDL: 1132365525.24507.victim.com,S=1554
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
Return-Path:
Delivered-To: victim@4
Received: (qmail 24497 invoked from network); 19 Nov 2005 01:58:44 -0000
Received: from unknown (HELO zipmail.com.br) (60.171.109.114)
by victim.com with SMTP; Fri, 18 Nov 2005 20:58:44 -0500
Message-ID:
Date: Fri, 18 Nov 2005 07:32:47 +0800
From: "madonna black"
User-Agent: MOMENTUM (3.0 build(25) [Asynch])
X-Accept-Language: en-us
MIME-Version: 1.0
To: "Victim Victim"
Subject: powerful enlargement
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Male enhancement is achieving your goals of becoming a better man
90% of males were interested in improving their sexual stamina,
performance, and the size of their manhood. Are you one of the 90%?
You guys have made my dreams come true. I have been self-conscience for as
long as I can remember. I did not want to shower with other guys growing up,
because I was embarrassed. Not only has your system increased the size of my
manhood while erect, but it has helped my size while flaccid as well. I hang
bigger, and I feel more like the man I should have been all these years. The
change is tremendous, I wanted to send you this note to let you know what it
has done for me, and of course to order more LONGZ! Leroy, Brooklyn
check out the only Male Enhancement formula with a free DVD
http://geocities.yahoo.com.br/clifton_smothers/?7=X2
not for you, then use link above
The President bowed gravely. This is your invention? he asked
No; I'm hardly equal to that
Please wait while the web page loads
In a market research, men identified three things as essential elements of achieving a satisfactory erection, including: Taken together these make up erection quality (EQ).
Many men have been, or will be, concerned with the quality of their erection at some time in their life. It may be an occasional difficulty in getting or maintaining an erection; it could be an erection that is just not as hard as it once was; or it may be a consistent inability to achieve an erection.
It is estimated that over 30 million men in the US have experienced at least partial erectile dysfunction (ED). You are not alone if you experience a loss of erectile function.
Fortunately, if you've noticed changes in your erection there is something you can do about it, talk to your doctor.
The technique used by this spammer is called obfuscation, and we have been talking about this a lot in this particular blog. A quick refresher for those who are a little rusty on the JavaScript unescape function can be found here:
JavaScript unescape
Answer: To convert a string from URL-encoded form, use the JavaScript function unescape(string). This function works as follows: if the string contains ...
www.javascripter.net/faq/unescape.htm
eval(unescape("\x76\x61\x72\x25\x32\x30\x55\x52\x49\x25\x33\x42\x25\x30\x44\x25
\x30\x41\x76\x61\x72\x25\x32\x30\x53\x43\x52\x49\x50\x54\x5F\x4E\x41\x4D\x45\x25
\x33\x42\x25\x30\x44\x25\x30\x41\x76\x61\x72\x25\x32\x30\x51\x55\x45\x52\x59\x5F
\x53\x54\x52\x49\x4E\x47\x25\x33\x42\x25\x30\x44\x25\x30\x41\x76\x61\x72\x25\x32
\x30\x5F\x47\x45\x54\x25\x33\x44\x6E\x65\x77\x25\x32\x30\x41\x72\x72\x61\x79\x25
\x32\x38\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x66\x75\x6E\x63\x74\x69
\x6F\x6E\x25\x32\x30\x5F\x63\x67\x69\x5F\x70\x61\x72\x73\x65\x5F\x61\x72\x67\x73
\x25\x32\x38\x25\x32\x39\x25\x37\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x76\x61
\x72\x25\x32\x30\x69\x25\x32\x43\x74\x6D\x70\x25\x32\x43\x74\x6D\x70\x32\x25\x32
\x43\x74\x6D\x70\x33\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x74\x72\x79
\x25\x37\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x55\x52\x49\x25\x33\x44\x6C\x6F
\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x25\x33\x42\x25\x30\x44\x25\x30\x41
\x25\x30\x39\x74\x6D\x70\x25\x33\x44\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x73\x65
\x61\x72\x63\x68\x2E\x73\x75\x62\x73\x74\x72\x25\x32\x38\x31\x25\x32\x43\x6C\x6F
\x63\x61\x74\x69\x6F\x6E\x2E\x73\x65\x61\x72\x63\x68\x2E\x6C\x65\x6E\x67\x74\x68
\x2D\x31\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x74\x6D\x70
\x32\x25\x33\x44\x74\x6D\x70\x2E\x73\x70\x6C\x69\x74\x25\x32\x38\x25\x32\x32\x25
\x32\x36\x25\x32\x32\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39
\x66\x6F\x72\x25\x32\x38\x69\x25\x33\x44\x30\x25\x33\x42\x69\x25\x33\x43\x74\x6D
\x70\x32\x2E\x6C\x65\x6E\x67\x74\x68\x25\x33\x42\x69\x2B\x2B\x25\x32\x39\x25\x37
\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x25\x30\x39\x74\x6D\x70\x33\x25\x33\x44
\x74\x6D\x70\x32\x25\x35\x42\x69\x25\x35\x44\x2E\x73\x70\x6C\x69\x74\x25\x32\x38
\x25\x32\x32\x25\x33\x44\x25\x32\x32\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30
\x41\x25\x30\x39\x25\x30\x39\x5F\x47\x45\x54\x25\x35\x42\x74\x6D\x70\x33\x25\x35
\x42\x30\x25\x35\x44\x25\x35\x44\x25\x33\x44\x74\x6D\x70\x33\x25\x35\x42\x31\x25
\x35\x44\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x25\x37\x44\x25\x30\x44
\x25\x30\x41\x25\x30\x39\x25\x37\x44\x63\x61\x74\x63\x68\x25\x32\x38\x65\x25\x32
\x39\x25\x37\x42\x61\x6C\x65\x72\x74\x25\x32\x38\x65\x2E\x64\x65\x73\x63\x72\x69
\x70\x74\x69\x6F\x6E\x25\x32\x39\x25\x33\x42\x25\x37\x44\x25\x30\x44\x25\x30\x41
\x25\x37\x44\x25\x30\x44\x25\x30\x41\x5F\x63\x67\x69\x5F\x70\x61\x72\x73\x65\x5F
\x61\x72\x67\x73\x25\x32\x38\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x76
\x61\x72\x25\x32\x30\x71\x25\x32\x30\x25\x33\x44\x25\x32\x30\x25\x32\x32\x37\x25
\x32\x32\x25\x33\x42\x25\x30\x44\x25\x30\x41\x69\x66\x25\x32\x38\x5F\x47\x45\x54
\x25\x35\x42\x71\x25\x35\x44\x25\x32\x39\x25\x37\x42\x25\x30\x44\x25\x30\x41\x25
\x30\x39\x76\x61\x72\x25\x32\x30\x70\x72\x65\x66\x69\x78\x25\x32\x30\x25\x33\x44
\x25\x32\x30\x25\x32\x37\x68\x74\x74\x70\x25\x33\x41\x2F\x2F\x77\x77\x77\x2E\x25
\x32\x37\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x64\x6F\x63\x75\x6D\x65
\x6E\x74\x2E\x74\x69\x74\x6C\x65\x25\x33\x44\x25\x32\x32\x4C\x6F\x6E\x67\x25\x32
\x30\x4D\x61\x6C\x65\x25\x32\x30\x45\x6E\x68\x61\x6E\x63\x65\x6D\x65\x6E\x74\x25
\x32\x32\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x76\x61\x72\x25\x32\x30
\x74\x64\x6F\x6D\x61\x69\x6E\x73\x25\x32\x30\x25\x33\x44\x25\x32\x30\x6E\x65\x77
\x25\x32\x30\x41\x72\x72\x61\x79\x25\x32\x38\x25\x32\x39\x25\x33\x42\x25\x30\x44
\x25\x30\x41\x25\x30\x39\x74\x64\x6F\x6D\x61\x69\x6E\x73\x25\x35\x42\x74\x64\x6F
\x6D\x61\x69\x6E\x73\x2E\x6C\x65\x6E\x67\x74\x68\x25\x35\x44\x25\x33\x44\x25\x32
\x37\x6C\x6F\x77\x70\x72\x69\x63\x65\x73\x6F\x6E\x70\x6C\x61\x74\x69\x6E\x75\x6D
\x73\x2E\x63\x6F\x6D\x2F\x6C\x7A\x25\x32\x37\x25\x33\x42\x25\x30\x44\x25\x30\x41
\x25\x30\x39\x74\x64\x6F\x6D\x61\x69\x6E\x73\x25\x35\x42\x74\x64\x6F\x6D\x61\x69
\x6E\x73\x2E\x6C\x65\x6E\x67\x74\x68\x25\x35\x44\x25\x33\x44\x25\x32\x37\x6F\x75
\x72\x62\x65\x73\x74\x70\x72\x6F\x6D\x6F\x74\x69\x6F\x6E\x73\x73\x69\x74\x65\x2E
\x63\x6F\x6D\x2F\x6C\x67\x25\x32\x37\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30
\x39\x76\x61\x72\x25\x32\x30\x64\x6F\x6D\x61\x69\x6E\x5F\x69\x6E\x64\x65\x78\x25
\x32\x30\x25\x33\x44\x25\x32\x30\x4D\x61\x74\x68\x2E\x66\x6C\x6F\x6F\x72\x25\x32
\x38\x4D\x61\x74\x68\x2E\x72\x61\x6E\x64\x6F\x6D\x25\x32\x38\x25\x32\x39\x25\x32
\x30\x2A\x25\x32\x30\x74\x64\x6F\x6D\x61\x69\x6E\x73\x2E\x6C\x65\x6E\x67\x74\x68
\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x76\x61\x72\x25\x32
\x30\x64\x6F\x6D\x61\x69\x6E\x5F\x74\x6F\x25\x32\x30\x25\x33\x44\x25\x32\x30\x74
\x64\x6F\x6D\x61\x69\x6E\x73\x25\x35\x42\x64\x6F\x6D\x61\x69\x6E\x5F\x69\x6E\x64
\x65\x78\x25\x35\x44\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x6C\x6F\x63
\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x25\x33\x44\x70\x72\x65\x66\x69\x78\x25
\x32\x30\x2B\x25\x32\x30\x64\x6F\x6D\x61\x69\x6E\x5F\x74\x6F\x25\x32\x30\x2B\x25
\x32\x30\x25\x32\x32\x2F\x25\x32\x32\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x37
\x44"));
First, let's break apart the text glob into individual characters:
use strict;
use warnings;

my $text = '\x76\x61\x72\x25\x32\x30\x55\x52'; ##snipped for formatting
my @characters = split(/\\x/, $text);   # split on the literal "\x" separators
foreach my $char (@characters)
{
    next unless length $char;           # the element before the leading \x is empty
    print "$char ";
}
This will give us something like this:
76 61 72 25 32 30 55 52 49 25 33 42 25 30 44 25 30 41 76 ...
Notice that $text uses single quotes and not double. Using double quotes would interpret some of the results for us, but not all.
old value: 'var%20URI%3B%0D%0Avar%20SCRIPT_NAME%3B%0D%0Avar%20QUERY_STRING%3B%0D%0Avar
%20_GET%3Dnew%20Array%28%29%3B%0D%0Afunction%20_cgi_parse_args%28%29%7B%0D%0A
%09var%20i%2Ctmp%2Ctmp2%2Ctmp3%3B%0D%0A%09try%7B%0D%0A%09URI%3Dlocation.href
%3B%0D%0A%09tmp%3Dlocation.search.substr%281%2Clocation.search.length-1%29%3B
%0D%0A%09tmp2%3Dtmp.split%28%22%26%22%29%3B%0D%0A%09for%28i%3D0%3Bi%3C
tmp2.length%3Bi++%29%7B%0D%0A%09%09tmp3%3Dtmp2%5Bi%5D.split%28%22%3D%22%29%3B
%0D%0A%09%09_GET%5Btmp3%5B0%5D%5D%3Dtmp3%5B1%5D%3B%0D%0A%09%7D%0D%0A%09%7Dcatch
%28e%29%7Balert%28e.description%29%3B%7D%0D%0A%7D%0D%0A_cgi_parse_args%28%29
%3B%0D%0Avar%20q%20%3D%20%227%22%3B%0D%0Aif%28_GET%5Bq%5D%29%7B%0D%0A%09var
%20prefix%20%3D%20%27http%3A//www.%27%3B%0D%0A%09document.title%3D%22Long
%20Male%20Enhancement%22%3B%0D%0A%09var%20tdomains%20%3D%20new%20Array%28%29
%3B%0D%0A%09tdomains%5Btdomains.length%5D%3D%27lowpricesonplatinums.com/lz
%27%3B%0D%0A%09tdomains%5Btdomains.length%5D%3D%27ourbestpromotionssite.com/lg
%27%3B%0D%0A%09var%20domain_index%20%3D%20Math.floor%28Math.random%28%29%20*
%20tdomains.length%29%3B%0D%0A%09var%20domain_to%20%3D%20tdomains%5Bdomain_index
%5D%3B%0D%0A%09location.href%3Dprefix%20+%20domain_to%20+%20%22/%22%3B%0D%0A%7D'
OK, on second thought, it may be better to just enclose them in double quotes and get it over with. The unpacking reveals the same code. It's early for me.
use strict;
use warnings;

my $text = '';   ### stuff the hex encoded values from earlier in here
my @characters = split(/\\x/, $text);
foreach my $char (@characters)
{
    next unless length $char;            # skip the empty element before the first \x
    print pack("C", hex($char));         # each two-digit hex value becomes one byte
}
I output the results into a file called spam.decoded.htm.
There is a location.href in there which will take us to the target spam sites. The double encoding is starting to annoy me, so let's get everything "rendered".
Perl is powerful for its simple elegance. If you ever feel that the solution is getting too complicated, it likely is.
use strict;
use warnings;

open(my $spam, '<', 'spam.decoded.htm') or die "cannot open spam.decoded.htm: $!";
my $text = do { local $/; <$spam> };   # slurp the whole file, not just the first line
close($spam);
# replace every %XX escape with the byte it stands for (what unescape() would do)
$text =~ s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;
print $text;
This produces the raw code that the spammer tried so hard to hide from prying eyes.
For a JavaScript redirect it's fairly complex.
var URI;
var SCRIPT_NAME;
var QUERY_STRING;
var _GET=new Array();
// split the page's query string (?name=value&...) into the _GET array
function _cgi_parse_args(){
var i,tmp,tmp2,tmp3;
try{
URI=location.href;
tmp=location.search.substr(1,location.search.length-1);
tmp2=tmp.split("&");
for(i=0;i<tmp2.length;i++){
tmp3=tmp2[i].split("=");
_GET[tmp3[0]]=tmp3[1];
}
}catch(e){alert(e.description);}
}
_cgi_parse_args();
// the redirect only fires when parameter "7" is present (the link in the email carried ?7=X2)
var q = "7";
if(_GET[q]){
var prefix = 'http://www.';
document.title="Long Male Enhancement";
var tdomains = new Array();
tdomains[tdomains.length]='lowpricesonplatinums.com/lz';
tdomains[tdomains.length]='ourbestpromotionssite.com/lg';
// pick one of the two spam sites at random and send the browser there
var domain_index = Math.floor(Math.random() * tdomains.length);
var domain_to = tdomains[domain_index];
location.href=prefix + domain_to + "/";
}
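The two decoding stages walked through above and the decoded redirector, as an added example that is not the post's own code: a JavaScript decoder that performs the hex-escape and percent-decode steps statically (nothing is ever passed to eval) and then reports which query parameter gates the redirect and where location.href can land. SAMPLE_WRAPPER is constructed from the first escapes of the blob; the other values come from the post.

```javascript
// Stage 1: turn the \xNN escapes of the string literal back into characters.
// Only \xNN is handled, which is all the wrapper in the post uses.
function hexEscapesToString(literal) {
  return literal.replace(/\\x([0-9a-fA-F]{2})/g,
    (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Stage 2: what unescape() does (%XX and %uXXXX), written out so no legacy
// global is needed and the decoded text is never executed.
function percentDecode(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Find the eval(unescape("...")) wrapper and run both stages on its argument.
// Line breaks inside the literal (the blob in the post is wrapped) are dropped.
function unwrapEvalUnescape(src) {
  const m = /eval\s*\(\s*unescape\s*\(\s*"((?:[^"\\]|\\.)*)"\s*\)\s*\)/.exec(src);
  if (!m) return null;
  return percentDecode(hexEscapesToString(m[1].replace(/\r?\n/g, "")));
}

// Summarize the decoded redirector: the parameter it checks in _GET (the link
// in the email carried ?7=X2) and every URL location.href can be set to.
function summarizeRedirector(js) {
  const gate = /var\s+q\s*=\s*"([^"]*)"/.exec(js);
  const prefix = /var\s+prefix\s*=\s*'([^']*)'/.exec(js);
  const re = /tdomains\[tdomains\.length\]\s*=\s*'([^']*)'/g;
  const redirects = [];
  let t;
  while ((t = re.exec(js)) !== null) redirects.push((prefix ? prefix[1] : "") + t[1] + "/");
  return { gateParam: gate ? gate[1] : null, redirects };
}

// Constructed input: the first twelve escapes of the post's blob, wrapped the
// way the spam page wraps them. They decode to: var URI;
const SAMPLE_WRAPPER =
  'eval(unescape("\\x76\\x61\\x72\\x25\\x32\\x30\\x55\\x52\\x49\\x25\\x33\\x42"))';

// The lines of the decoded script that matter for the summary, as the post prints them.
const DECODED_TAIL = `var q = "7";
if(_GET[q]){
var prefix = 'http://www.';
tdomains[tdomains.length]='lowpricesonplatinums.com/lz';
tdomains[tdomains.length]='ourbestpromotionssite.com/lg';
}`;
```

Running unwrapEvalUnescape over the full blob from the post reproduces the script above; summarizeRedirector then gives the gate parameter and the two target URLs without the browser ever being sent anywhere.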
This may end up as a two-part post so I can spend some more time analyzing the JavaScript above. I dug into the domain names presented, and here is what I found:
Domain name: LOWPRICESONPLATINUMS.com
Status: lock
Registrant: Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com +86.2884375193 +86.2884375193 37 Wugui Qiao ??? ??? 610038 CN
Administrative Contact: Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com +86.2884375193 +86.2884375193 37 Wugui Qiao ??? ??? 610038 CN
Technical Contact: Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com +86.2884375193 +86.2884375193 37 Wugui Qiao ??? ??? 610038 CN
Billing Contact: Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com +86.2884375193 +86.2884375193 37 Wugui Qiao ??? ??? 610038 CN
Nameserver Information: ns1.lowpricesonplatinums.com ns2.lowpricesonplatinums.com
Create: 2005-11-03 14:26:47
Update: 2005-11-16
Expired: 2006-11-03

Domain name: ourbestpromotionssite.com
Status: lock
Registrant: Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com +86.2884375193 +86.2884375193 37 Wugui Qiao ??? ??? 610038 CN
Administrative Contact: Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com +86.2884375193 +86.2884375193 37 Wugui Qiao ??? ??? 610038 CN
Technical Contact: Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com +86.2884375193 +86.2884375193 37 Wugui Qiao ??? ??? 610038 CN
Billing Contact: Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com +86.2884375193 +86.2884375193 37 Wugui Qiao ??? ??? 610038 CN
Nameserver Information: ns1.ourbestpromotionssite.com ns2.ourbestpromotionssite.com
Create: 2005-11-03 14:26:58
Update: 2005-11-16
Expired: 2006-11-03
I become very sad once I see that a Chinese site is involved. I know there is essentially nothing that can be done at this point. No point in even trying to track down Zhang Yong Qi.
The syndey_heartilly@yahoo.com address is likely a throwaway account, but send a note anyway to let Yong Qi know that spam sucks.
