
Spam or Not Spam?

Take a close look at the message below, and then continue reading:

Is this message spam or not? It appears to come from a well-known brand and looks fairly innocuous: submit a survey, get a gift card. It does sound a bit too good to be true, and the mailing address next to the unsubscribe link looks a bit strange.

The things that make the message definitely 100% spam are the things you can’t see. In several different ways the spammer sending this message is using techniques to circumvent spam filters, including the following:

  • Sending from an IP address that has never sent mail before. Using a brand-new IP address circumvents real-time IP blacklists and exploits default throttling policies that can allow a spammer to send many messages before being blacklisted.
  • The HTML message content includes meaningless word salad in several blocks of HTML comments. This is usually an attempt to confuse Bayesian spam filters that use word frequencies to determine spam/legitimate status.
  • The message contains raw non-ASCII characters in an attempt to confuse spam filters that treat messages as null-terminated strings.
  • The message contains several meaningless href= links surrounded by CSS markup that makes them invisible, in an attempt to confuse spam filters that look for a mix of links as an indicator of legitimate status.
  • The visible href= links in the message use numeric IP addresses instead of hostnames.
  • The IP addresses in the href= links are represented in a legal-but-obfuscated format in an attempt to defeat URL parsing code. Here’s what the href= link looks like (the IP address has been changed):
    <a href="http://10.000000204.00000044.000031/axkdt/nsn/?clk=...">
  • All of the readable “text” in the message is actually an image. Attempting to click on the unsubscribe link (or anywhere else around it) sends you to a questionable-looking unsubscribe page.
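The obfuscated address above is accepted by inet_aton-style parsers, which treat a leading 0 as octal, 0x as hex, and allow fewer than four components. The following normalizer, an added example that is not Cloudmark’s code, turns any such spelling into plain dotted-quad form so a URL filter can compare it against a conventional address; the sample URL is the redacted one from the post.

```python
from typing import Optional
from urllib.parse import urlsplit


def _parse_part(s: str) -> int:
    """Parse one inet_aton-style component: 0x.. is hex, leading 0 is octal, else decimal."""
    if not (s and s.isascii() and s.isalnum()):
        raise ValueError("bad component")  # rejects '', '+1', '1_0', whitespace
    if s[:2].lower() == "0x":
        return int(s[2:], 16)
    if len(s) > 1 and s[0] == "0":
        return int(s, 8)  # '08' raises ValueError, as inet_aton rejects it
    return int(s, 10)


def canonical_ipv4(host: str) -> Optional[str]:
    """Return the dotted-quad form of any inet_aton-accepted spelling, else None.

    1 part: a 32-bit value; 2 parts: a.bbb (b is 24-bit); 3 parts: a.b.cc
    (c is 16-bit); 4 parts: a.b.c.d (one byte each). Hostnames return None.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    last_bits = 8 * (5 - len(parts))  # the last component fills the remaining bits
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= (1 << last_bits):
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << last_bits) | nums[-1]
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def url_ip_literal(url: str) -> Optional[str]:
    """If the URL's host is an IPv4 literal in any spelling, return it as dotted-quad."""
    return canonical_ipv4(urlsplit(url).hostname or "")


if __name__ == "__main__":
    # The redacted link from the post: 0204, 044 and 031 are octal.
    print(url_ip_literal("http://10.000000204.00000044.000031/axkdt/nsn/?clk=x"))
```

A filter that canonicalizes the host this way can apply the same reputation lookup to `http://10.000000204.00000044.000031/` as to `http://10.132.36.25/`.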

It can actually be really tough to determine whether a message is spam or not. Just because an email refers to a well-known brand doesn’t make it legitimate. Subway most likely doesn’t even know that these spam messages are being sent, even though they have the potential to hurt its image. The best advice is that if it seems too good to be true, it probably is, and if you didn’t sign up for messages from the organization, no matter how reputable it is, the message may be spam. Other steps you can take are:

  • If possible, configure your email client to not show remote content such as images.
  • Look for unsubscribe links. If the message doesn’t have one, it’s probably not from a well-behaved sender who is adhering to good sending practices.

2 thoughts on “Spam or Not Spam?”

  1. Could you post the entire source of the message for review? This post is much appreciated, but just describing what’s inside the message doesn’t help anyone, neither does security by obscurity, as I’m sure you know already. I’m sure many people besides myself would appreciate the opportunity to analyze the full raw content of the message; however, redacting identifying information, by changing IP addresses to nonsense numbers etc., is fine.

  2. Hi, thanks for the interest. Unfortunately, we cannot give out or post the message source. Our privacy policy and contracts prevent us from providing any data that might possibly identify our customers, reporters, or spamtraps.


©2002–2019 Cloudmark, Inc.