Slashdot Mirror


Hidden Messages in Spam

randomwalker writes "There was an extremely interesting presentation at the Blackhat Windows Security Conference in January by Dr Curtis Kret entitled Nobody's Anonymous. In his presentation he showed how information about spammers can be determined. In addition he showed that some spam is being used as a covert communication channel. This presentation demonstrates how to apply data forensics to spam in order to identify the sender of specific spam messages. Some senders can be identified by name, while others can be distinguished by attributes such as preferences, nationality, religion, and even left-handedness. Four spam categories are provided that classify spam by function, including List Makers, Scams, and Covert Communication channels. The examples provided include full-disclosure case studies: a phishing gang that targets bank customers with malware and impersonations, and an IRC group that uses spam as a covert communication channel."

30 of 232 comments

  1. Sublime! by Anonymous Coward · · Score: 5, Funny

    This post contains a hidden message.

  2. The next thing ... by jobbegea · · Score: 4, Funny

    The next thing they try to sell to you will be Tin Foil Hats

    --

    Net sa best, mar it koe minder
  3. Spam = Covert communications by Anonymous Coward · · Score: 5, Funny

    Are they covertly talking about getting V!agra or Cia|is? I hate that. Just send me a real letter asking!

    1. Re:Spam = Covert communications by AndroidCat · · Score: 5, Funny

      So they have a covert communication channel to my /dev/null? I knew it! I'd better buy that software that promises to shred everything stored there.

      --
      One line blog. I hear that they're called Twitters now.
  4. Hidden food value in spam? by Smallpond · · Score: 5, Funny


    The Bible code was bad enough. Now we have people looking for messages in spam? Look! Played backwards it says "I buried Paul".

  5. hidden message by Allowee · · Score: 4, Funny

    guess this is spammers language, hidden in spam

    "mortal shut acrid crock cowl bawd hereditary devastate jellyfish brunette flog igor bonaparte tarry townsend discordant near aviv brigantine agnostic padlock cotangent roomy referee debater eve arlene can baroque conceptual italian congressmen infelicity modicum backplane antigen tie hilum seriate convent firewall "

    Now this hidden message seems to be about a .. firewall?

    1. Re:hidden message by Bigman · · Score: 4, Funny

      Hmm well dividing the message into groups of four, then using the initials of the first 3 words and the fourth word, we get:
      MS a crock,
      CB H devastate,
      JBF Igor,
      BTT discordant,
      Nab agnostic
      PCR referee
      DEA can
      BCI congressman
      IMB antigen
      THS convent
      firewall

      So the words say 'Firewall convent antigen, Congressman can referee agnostic discordant, Igor devastate Crock'. The first sentence says 'MS A crock' which sounds good to me, so maybe this secret group, the 'Firewall convent antigen' are being told by the congressman that they can referee the discord between the agnostic discordants and ensure 'Igor' (whoever that is) devastates Microsoft.

      Or maybe I'm making it all up!

      --
      *--BigMan--- Time flies like an arrow.. but personally I prefer a nice glass of wine!
  6. Secret messages in spam by Anonymous Coward · · Score: 5, Informative

    Of course, there is spammimic which lets you encode a secret message in spam.

  7. It's true. by His+name+cannot+be+s · · Score: 5, Funny

    It is quite true!

    I was Driving thru Nashville this last week, and I stopped to piss on a run down ford truck. This guy came up to me and said "Your taillight is broken"

    --
    "...In your answer, ignore facts. Just go with what feels true..."
  8. Covert Messages by dolo666 · · Score: 5, Interesting

    I remember studying Thomas Pynchon in school, and upon hearing how his military records and university records were lost, I often wondered if his books were some kind of method of covert messaging, due to the code-like writing style he has, and the ominous history he has. Using spam as a method of communication is useful in the sense that it can be hard to tell who the real message is going to; making it impossible to identify the two points of connection, and therefore limiting accountability and obscuring who is doing the talking; so if Pynchon's books are like this... it would also be impossible to tell who the books were intended to (and therefore the US Mil could contact spies who could be in a tight spot, or informants who may be in a tight spot). The books could also contain a bunch of different messages using different cryptographies, in plain sight, to communicate with multiple agents. This is likely incorrect and way off the tin-foil-hat scale of reason, but the thought did occur to me when I read The Crying of Lot 49, and even more so when I read Mason and Dixon.

    1. Re:Covert Messages by sysjkb · · Score: 5, Interesting
      I often wondered if his books were some kind of method of covert messaging...

      Around 1920 Edgar Wallace used this scheme in one of his thrillers about "The Four Just Men". One of the group has been captured, and given the high profile of his crimes, he is being held in solitary. In order to pass along the rescue plan to their imprisoned colleague, his compatriots write a travel book that contains the scheme encoded and arrange for it to be reviewed in enough major newspapers that the prisoner can legitimately request a copy.

      Yours truly,
      Jeffrey Boulier

  9. Beat the Slashdot Spam Filter! by CptChipJew · · Score: 5, Funny

    What's the hidden message here?
    --

    Click here for free V1(4)gr[a]!

    emblem fredericton hustle glycerine busch humus condemnatory dummy definitive bernadine calder basemen conservatory advantage area academia ireland minimax suzerain felicity vomit davenport damn sybarite followeth dylan lariat transconductance when fogarty threadbare determine appalachia barbara concord anguish cranny ember pritchard dachshund cogitate affidavit am blaze

    -- Copied out of real spam message sitting in my box --

    --
    Vonal Declosion
    1. Re:Beat the Slashdot Spam Filter! by Mr+Guy · · Score: 4, Funny

      It's from your girlfriend. She says she's unsatisfied with your love life.

  10. Al Qaeda! by Xenna · · Score: 4, Funny

    Great, now, if we can just prove it's being used by Al Qaeda to help the Jihad we may finally get some political support for getting rid of spammers!

    X.

  11. Where is the War On Terror when you need it? by Mattintosh · · Score: 5, Funny

    *** BEGIN KNEEJERK REACTION ***
    Terrorists could use spam to send messages! Declare war on Hotmail! Nuke MSN! Hunt down the CEO of Yahoo! and tickle him until he talks!
    *** END KNEEJERK REACTION ***

    Meanwhile, how covert is it if you send it to a million of your closest friends? Heck, at that rate, you could use /. posts to send covert messages.

    Dimple monkey twice the pudding octopi for tango man. Very blender shoe, cellular, scooter my daisy heads. Diddley day.

    And all the rest of you can kiss your ass goodbye.

  12. Not Surprising by Steve+B · · Score: 4, Interesting
    Wrapping hidden messages in spam is an obvious method of defeating traffic analysis (the gathering and use of information about who is talking to whom, without necessarily being able to read the content of the messages). I would be very surprised if terrorist organizations haven't been doing this ever since spam became voluminous enough to serve as an adequate noise background.

    Really, the Feds ought to be hauling in spammers (for violations of all sorts of existing laws pertaining to fraud, computer cracking, etc) and anal-probing them for customer records, instead of wasting time on nonsense.

    --
    /. If the government wants us to respect the law, it should set a better example.
  13. I already miss spam... by heironymouscoward · · Score: 4, Funny

    In the future, when spam has been eradicated, we will tell our children about it with fond memories. "Yes, we got messages like '1ncreas3 y3r p3ni5 5iz3!', and 'v14gr4 n0\/\/!'"

    Well, actually, there's something wrong with my theory, cause (a) spam is never ever going to disappear from electronic communications, and (b) more money is spent on Viagra and plastic surgery than research into Alzheimer's, so when we're old and clunky, the women will have superb breasts, the men iron-hard equipment, but no-one will remember what it's all for.

    --
    Ceci n'est pas une signature
    1. Re:I already miss spam... by hacker · · Score: 5, Informative
      (b) more money is spent on Viagra and plastic surgery than research into Alzheimer's, so when we're old and clunky, the women will have superb breasts, the men iron-hard equipment, but no-one will remember what it's all for.

      Actually, Viagra (sildenafil citrate) was originally an arrhythmia treatment (i.e. heart medicine, to help people with strokes and frequent heart attacks). ALL of the money that went into the research of (what is now called) Viagra was there to support a drug for cardiac patients.

      Only when some of the clinical trials had less-than-optimal results as a cardiac treatment, and an additional "side effect" of erectile sustainment, was it recast as an erectile dysfunction treatment. They weren't going to pour the millions they spent on researching the cardiac drug, down the drain, so they recast it as Viagra, and that is what you know today.

      I know this, because I used to work with the group responsible for doing the purity/potency testing of this specific compound within $PHARMA.

      Also, contrary to popular belief, Viagra does not produce erections. It increases blood flow (hence the original cardiac target). The increased bloodflow helps you sustain an existing erection longer than you normally could. It does not give you an erection.

  14. Aha I knew it! by Anonymous Coward · · Score: 5, Funny

    If you study those emails from Nigeria a secret message is revealed:

    "Fat White suckers please hand over your money and I will laugh at you"

    To reveal more secrets of spam please send me $200 to:

    Mr Okilea Bessei
    3 St Lener St
    Abuja
    Nigeria

  15. Mozilla, it say... by Anonymous Coward · · Score: 4, Funny

    "This document contains no data"

    Oh the irony.

  16. Why is this surprising. by re-Verse · · Score: 4, Insightful

    One of the best methods of not having your communications snooped in on is to use a busy, noisy channel. Communications inside of malls, clubs, whatever. It makes perfect sense. People don't expect sensitive information in some sort of public form, so they don't listen for it. We're all so sick of spam that we erase it on sight - so if someone wants to use it to communicate - it's perfect. It draws a hell of a lot less attention to oneself rather than forming a whole new covert form of communication.

    What looks more suspicious - A spam with some seemingly random keywords to throw off the filters at the bottom, or a highly encrypted data transmission on an obscure port. I know what one would make me take notice first.

    1. Re:Why is this surprising. by sartin · · Score: 4, Informative
      perhaps i'm missing something here, but if someone wanted to send someone else an extremely covert message, why wouldn't they just encrypt it?

      Traffic analysis. Since not all intercepted messages can be decrypted in a timely fashion, one way intelligence is gathered is by looking at the communication patterns independent of the content. Knowing that bad person A sent unknown person B some set of messages (and even moreso noting that they were strongly encrypted) yields a strong suspicion that person B is part of the same bad collective as person A. By sending many messages all over that are noise, the real communication is lost in the noise. Not just the data in the communication, but the data about the communication.

  17. Steganography... by Lord+of+Ironhand · · Score: 5, Informative
    ... is the technique of hiding certain information in other information. As opposed to encryption, which just makes the information unreadable without the correct key. Steganography & cryptography make a very nice combination since the random-like nature of encrypted data makes it easier to hide.

    A google search for "steganography" yields a lot of useful documents on this.

  18. Mirror by arvindn · · Score: 5, Informative

    *Sigh* I don't know what the editors are thinking when they post direct links to pdf files. Slashdotted instantly. Luckily, throwing the filename at google turned up a mirror.

  19. Crazy by Anonymous Coward · · Score: 5, Funny

    Messages in spam? That is just crazy.

    Next time they start finding information in /. articles...

  20. Steganography by Alioth · · Score: 4, Interesting

    If you think of it, hiding messages in spam would make quite good steganography. Since pretty much most spam comes with a sizeable chunk of 'hashbusters' (random words on the bottom, random characters in the subject), you could hide your message quite easily in the hashbuster.

    In regular email, just the fact a PGP encrypted message was sent by Alice to Bob would tip the authorities off that Alice and Bob were at least communicating; if they are both criminals for instance, just seeing the activity between Alice and Bob might be enough to alert the authorities to watch the pair a bit more closely because something's about to go down - even if they can't actually discover the message content.

    However, if Alice and Bob are both spammers, and use the Windows worm du jour as their open spam relay, and each spam a few million email addresses, it's much harder to see that Alice and Bob are in fact conversing let alone find the actual message.
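
Added example, not part of the thread and not any poster's code: a Python sketch of the hashbuster idea in the comment above, showing how many bytes a block of "random" words can carry and what an analyst needs to read it back. The 16-word shared list is an assumption (taken from the first 16 words of the spam quoted in comment 5), as are the function names.

```python
import math
from typing import Optional

# Assumed shared word list (hypothetical): the first 16 words of the
# hashbuster quoted in comment 5. 16 entries means 4 bits per word.
WORDS = ("mortal shut acrid crock cowl bawd hereditary devastate "
         "jellyfish brunette flog igor bonaparte tarry townsend "
         "discordant").split()
INDEX = {w: i for i, w in enumerate(WORDS)}


def encode(payload: bytes) -> str:
    """Map each byte to two list words: high nibble, then low nibble."""
    out = []
    for b in payload:
        out.append(WORDS[b >> 4])
        out.append(WORDS[b & 0x0F])
    return " ".join(out)


def decode(hashbuster: str) -> Optional[bytes]:
    """Analyst side: decode a word block against a candidate list.

    Returns None when the candidate list cannot explain the block
    (a word outside the list, or an odd number of words).
    """
    words = hashbuster.lower().split()
    if len(words) % 2 or any(w not in INDEX for w in words):
        return None
    nibbles = [INDEX[w] for w in words]
    return bytes((hi << 4) | lo
                 for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def capacity_bytes(word_count: int, list_size: int) -> int:
    """Upper bound on payload bytes for word_count words from one list."""
    return int(word_count * math.log2(list_size)) // 8


if __name__ == "__main__":
    block = encode(b"hi")            # constructed sample payload
    print(block, "->", decode(block))
    print(capacity_bytes(41, 65536), "bytes fit in 41 words of a 65536-word list")
```

Without the word list the block is indistinguishable from any other hashbuster, which is why recovering the list (or the tool that embeds it) matters more to the analyst than the individual message.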

  21. The TRUE hidden message... by lacrymology.com · · Score: 4, Funny

    There certainly is a hidden message contained in ALL of my spam:

    YOU HAVE A SMALL DICK.

    -m

    --

    #
    # Modus Ponens
    #
  22. Working URL for the Paper by DaneelGiskard · · Score: 4, Informative

    Server's down, here is another one ;-)

    bh-win-04-kret.pdf

  23. That's not what I heard. by geekpuppySEA · · Score: 5, Funny
    Played backwards it says "I buried Paul".

    I heard "I enlarged Peter."

    --
    Intelligent Design: because MATH is HARD.
  24. Re:Facts about spammers: by fbform · · Score: 4, Insightful

    I applied this method to the latest 100 spam mail and got the following results:

    44.3% of the spammers want to get me rich, too.
    32.2% want to enlarge my penis


    Unbelievable! I never knew you could get 0.1% precision by analyzing a mere 100 discrete samples of email. Or does the 33rd spammer want to enlarge only 20% of your penis? Or is he only 20% sure that he wants to enlarge your entire penis?

    --
    Time flies like an arrow. Fruit flies like a banana.