Hidden Messages in Spam
randomwalker writes "There was an extremely interesting presentation at the Blackhat Windows Security Conference in January by Dr Curtis Kret entitled Nobody's Anonymous.
In his presentation he showed how information about spammers can be determined. In addition he showed that some spam is being used as a covert communication channel. This presentation demonstrates how to apply data forensics to spam in order to identify the sender of specific spam messages. Some senders can be identified by name, while others can be distinguished by attributes such as preferences, nationality, religion, and even left-handedness. Four spam categories are provided that classify spam by function, including List Makers, Scams, and Covert Communication channels. The examples provided include full-disclosure case studies: a phishing gang that targets bank customers with malware and impersonations, and an IRC group that uses spam as a covert communication channel."
I like the new spam that has all of the size .5 font text at the bottom. I always have to read it.
I remember studying Thomas Pynchon in school, and upon hearing how his military records and university records were lost, I often wondered if his books were some kind of method of covert messaging, due to the code-like writing style he has and the ominous history he has. Using spam as a method of communication is useful in the sense that it can be hard to tell who the real message is going to, making it impossible to identify the two points of connection, and therefore limiting accountability and obscuring who is doing the talking; so if Pynchon's books are like this... it would also be impossible to tell whom the books were intended for (and therefore the US Mil could contact spies who could be in a tight spot, or informants who may be in a tight spot). The books could also contain a bunch of different messages using different cryptographies, in plain sight, to communicate with multiple agents. This is likely incorrect and way off the tin-foil-hat scale of reason, but the thought did occur to me when I read The Crying of Lot 49, and even more so when I read Mason and Dixon.
Really, the Feds ought to be hauling in spammers (for violations of all sorts of existing laws pertaining to fraud, computer cracking, etc) and anal-probing them for customer records, instead of wasting time on nonsense.
/. If the government wants us to respect the law, it should set a better example.
If you think of it, hiding messages in spam would make quite good steganography. Since pretty much most spam comes with a sizeable chunk of 'hashbusters' (random words on the bottom, random characters in the subject), you could hide your message quite easily in the hashbuster.
In regular email, just the fact a PGP encrypted message was sent by Alice to Bob would tip the authorities off that Alice and Bob were at least communicating; if they are both criminals for instance, just seeing the activity between Alice and Bob might be enough to alert the authorities to watch the pair a bit more closely because something's about to go down - even if they can't actually discover the message content.
However, if Alice and Bob are both spammers, and use the Windows worm du jour as their open spam relay, and each spam a few million email addresses, it's much harder to see that Alice and Bob are in fact conversing let alone find the actual message.
Oolite: Elite-like game. For Mac, Linux and Windows
Time to default to reading your e-mail in plaintext, perhaps?
If the e-mail doesn't offer a plaintext counterpart, then most likely it's not worth reading anyway, unless it's an HTML newsletter that you actually signed up for, but that should be obvious to spot.
Safe for you, safe for your users, and brings email back the way it ought to be: 7-bit ASCII text.
I'll continue to take my webpages on port 80, and my mail on port 25, thank you very much.
1. Set up a short list of words, one of which will appear in the subject line of each hidden message. (They need not be "spammy" words; random anti-filter(?) junk has been showing up in spam subject lines as well as the message body.)
2. Brute-force the process by running all incoming mail through your steganography program.
/. If the government wants us to respect the law, it should set a better example.
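To make concrete what the hashbuster comment above and the two-step receiving procedure (subject-word list, then brute-force decoding of all incoming mail) actually amount to, here is an added illustrative example that is not from any poster on this thread. It encodes bits by choosing each hashbuster word from one of two constructed word lists, frames the payload with a length byte and a CRC-32 so that ordinary spam (or mail that merely happens to contain a few list words) is rejected rather than decoded as garbage, and then scans a constructed mailbox the way step 1 and step 2 describe. All word lists, subject keywords and messages are made up for the example; the framing and the CRC check are my design choices, not anything the thread specifies.

```python
import random
import zlib

# Constructed two-list vocabulary: a word from WORDS[0] carries a 0 bit, a word
# from WORDS[1] carries a 1 bit. Real hashbusters use random dictionary words,
# so a list like this blends in only as long as the lists stay large and varied.
WORDS = {
    0: ["apple", "harbor", "silver", "meadow", "candle", "pillow", "tunnel", "velvet"],
    1: ["orbit", "jungle", "marble", "thunder", "copper", "lantern", "saddle", "walnut"],
}
WORD_TO_BIT = {w: b for b, ws in WORDS.items() for w in ws}


def _to_bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def _from_bits(bits):
    """Pack a bit list into bytes, dropping any trailing partial byte."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def encode_hashbuster(secret: bytes, seed: int = 0) -> str:
    """Turn `secret` (at most 255 bytes) into a hashbuster-looking word run.

    Frame layout (my choice, not the thread's): 1 length byte, payload,
    4-byte big-endian CRC-32 of the payload. The seed only makes the word
    choice reproducible for the example; any choice within a list works.
    """
    if len(secret) > 255:
        raise ValueError("frame uses a single length byte")
    frame = bytes([len(secret)]) + secret + zlib.crc32(secret).to_bytes(4, "big")
    rng = random.Random(seed)
    return " ".join(rng.choice(WORDS[bit]) for bit in _to_bits(frame))


def decode_hashbuster(text: str):
    """Extract a framed payload from `text`, or return None if no valid frame.

    Words outside the vocabulary are ignored, so the pitch text around the
    hashbuster does not disturb decoding. The CRC rejects chance matches:
    a random word run passes with probability about 2**-32.
    """
    bits = []
    for raw in text.split():
        w = raw.strip(".,;:!?()\"'").lower()
        if w in WORD_TO_BIT:
            bits.append(WORD_TO_BIT[w])
    data = _from_bits(bits)
    if len(data) < 5:
        return None
    n = data[0]
    if len(data) < 1 + n + 4:
        return None
    payload = data[1:1 + n]
    crc = int.from_bytes(data[1 + n:1 + n + 4], "big")
    if zlib.crc32(payload) != crc:
        return None
    return payload


def scan_mailbox(messages, subject_keywords):
    """Steps 1 and 2 from the comment: keep mail whose subject contains one of
    the agreed words, then brute-force every survivor through the decoder.
    `messages` is a list of (subject, body) tuples; returns (subject, payload)
    pairs for the bodies that carried a valid frame."""
    keys = [k.lower() for k in subject_keywords]
    hits = []
    for subject, body in messages:
        if not any(k in subject.lower() for k in keys):
            continue
        payload = decode_hashbuster(body)
        if payload is not None:
            hits.append((subject, payload))
    return hits


# Constructed sample mailbox: one ordinary spam, one carrying a frame, and one
# carrier-looking message whose subject does not match the agreed word list.
SECRET = b"meet at nine"
MAILBOX = [
    ("Lowest rates ever!", "Act now. candle walnut silver orbit apple harbor"),
    ("Refinance today", "Cut your payments in half.\n\n" + encode_hashbuster(SECRET)),
    ("Free prize inside", "You have won.\n\n" + encode_hashbuster(b"ignored by step 1")),
]
SUBJECT_WORDS = ["refinance", "mortgage"]

if __name__ == "__main__":
    for subject, payload in scan_mailbox(MAILBOX, SUBJECT_WORDS):
        print(f"{subject!r} -> {payload!r}")
```

The example also shows why the Alice-and-Bob argument in the earlier comment is about traffic analysis rather than content: the carrier body is just another run of dictionary words, so nothing in the message itself distinguishes it from the first mailbox entry, which the CRC check simply discards. What the decoder depends on is the shared vocabulary and the subject-word agreement, which is exactly the kind of prior arrangement an investigator would have to recover from the senders rather than from the mail stream.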
It occurred to me also about the hidden communications channel in spam, but if you report the spam with Spamcop, it will send the spam report back to the domain it came from, furnishing a return communications channel.
Modify the original spam a bit to encode your reply, and you have a bi-directional hidden communications channel. The return emails are hidden in the huge volume of spam reports from spamcop.
Usenet would obviously be much preferable to spam for such purposes, that's why messages hidden in spam is such a silly subject. You'd have to be crazy to use spam for this.
But, then again, some people are crazy!
Some not-so-bright fellow in my country decided to extort a company by poisoning food (or something, I forgot). He had this great system devised for transferring the money (it involved sending out the data on a bank card's magnetic strip).
Not bad, since that way he would be able to withdraw the money from ATMs (quite a job considering the maximum) without having to physically receive the card (which would leave him open to arrest).
The moron instructed the company to use steganography to hide this data in a picture of a car. The company should post that picture on a second hand car site in Holland. Then the absolute nitwit used an anonymous proxy to access the data *from his home*!!!!!!!
The anonymous proxy people were easily convinced to let the police have his IP address and that was the end of it.
What he should have done is send them his public PGP key and let them post the encrypted data openly in a newsgroup (labeled as 'secret code for creating ransom bank pass' if necessary) in some popular nude binaries group.
Using steganography in this case is ridiculous.
Nobody can trace a usenet download (especially not in a popular nudies group).
X.
Not to mention the first episode of The Lone Gunmen where the CIA sends a plane on autopilot to crash into the WTC. I was somewhat amazed that I didn't see a word of commentary about this after the real event.
I work in tech support for a small ISP in California. One day an elderly gentleman walked into our office and told me he was convinced that the spam he was receiving (especially the kind designed to poison Bayesian filters) contained coded messages for al-Qaida terrorists, and that he had been forwarding them to the FBI! It took all my composure to assure him that this was not the case without busting up laughing in his face. We have yet to hear from the FBI, or from the local mental health clinic, about this particular customer.