The Curious Case of Spam Emails
A small look into some random spam emails

Why?
Spam emails have always interested me: the idea that a machine out there is just slinging out emails at light speed to try and get a bite. It seems like a dying breed of malicious activity, with spam filters getting better over the years and people's internet literacy also improving.
So I have been curious as to why we still get so many. Somewhere out there, people are still falling for them and getting their details snatched, their email compromised or their machine added to a botnet.
The above image shows a few emails that I have collected from my own spam box that I thought I would take a look at in greater detail.
Exploration
Let’s have a little peek into the Lancôme Beauty Box (turns out it's a box full of makeup).
Looking over the header of the email, there seem to be a few email/web addresses that could use a little research. Small note: they are using Mailchimp to distribute.
quantumxshield.uk.com (from return path, 51.68.191.201)
mysticwanderer.it.com (from SPF record)

Starting with quantumxshield.uk.com.

Looks like the website was registered in Tangier-Tetouan, which according to Google is an administrative territorial entity of Morocco. It wasn’t registered too long ago either.

This is what the website looks like on urlscan. It looks like we are a couple of years past due on the website, according to the timer. Very boilerplate template.
Looking further into the body of the email, it seems to be a very standard thing these days to have every link in the email direct you to a Google bucket with a unique identifier, in order to track who is clicking on the link. The bucket still seems to be live as of writing this; however, in the past I have seen many get deleted after a period of time.
https://storage.googleapis.com/htmpnclck/hatopnclick.html#UNIQUE_IDENTIFIER
Laziness
Taking a look at some of the more strange spam emails, I find that they are quite lazy when it comes to execution. Although the old adage “spam is there to trick the most foolish” would check out here.

Most of the emails I am referring to have no subject and no body. Their payload is a .docx attachment, normally named invoice with some random numbers attached to it, which will more often than not lead the user to enable macros in Microsoft Word and then dump a payload via the attached macro.

These are quickly Thanos snapped by any competent spam filter. One way the email tries to get around the spam filter, it seems, is by loading up the footer of the email with junk characters. This makes the file a little bigger, I assume in order to avoid a scan from an email provider's spam/phishing filter.

More Junk
Adding junk content to the email, whether that's in the footer, the body or subject line, is a common way for the spam emails to try and bypass filters. However it does make for some rather funny looking emails.

Take the example above. This is all in the body of the email. There appears to be some sort of template for Enterprise, the car rental company, probably copy-pasted from an email someone had received and altered slightly. Below that there is some broken ASCII art, then below that just a paragraph of text that lacks spaces between some words and overall doesn’t make sense in the slightest.

There are so many emails just crammed into the body of the spam email. Every single one of them has the email/identifying information scrambled. The above image however was one of the more interesting ones, since it has a link to a demo meeting with the company.

So close to getting some sort of information, but sadly it's scrambled.
Once again, after looking over the header, I found the email address/domain that sent the email. However, it looks like the web address is down already.
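The header and link checks done by hand throughout this post can be scripted for triage. The following is an added example, not tooling used in the original post: the sample message, its `.example` domains, the `SHARED_HOSTS` list and the function names are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message (not one of the emails from the post).
SAMPLE = """\
Return-Path: <bounce@mailer.example>
From: "Beauty Box" <offers@brand.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=relay.example
Content-Type: text/html

<a href="https://storage.googleapis.com/example-bucket/page.html#RECIPIENT-1234">Claim</a>
<a href="https://brand.example/unsubscribe">Unsubscribe</a>
"""

# Hosts where anyone can publish a page, so the hostname proves nothing (assumed list).
SHARED_HOSTS = {"storage.googleapis.com"}

def domain_of(addr):
    """Return the lowercased domain part of an address header value."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def triage(raw):
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    # smtp.mailfrom is the identity the receiving server checked SPF against.
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", msg.get("Authentication-Results", ""))
    spf_dom = m.group(1).rpartition("@")[2].lower() if m else ""
    links = []
    for url in re.findall(r'href="([^"]+)"', msg.get_payload()):
        u = urlsplit(url)
        links.append({
            "host": u.hostname,
            "fragment": u.fragment,
            # A token after '#' on a shared host suggests per-recipient click tracking.
            "tracked": u.hostname in SHARED_HOSTS and bool(u.fragment),
        })
    return {
        "from": from_dom,
        "return_path": rp_dom,
        "spf_mailfrom": spf_dom,
        # Envelope/SPF domains that differ from the visible From are worth a lookup.
        "to_research": sorted({rp_dom, spf_dom} - {from_dom, ""}),
        "links": links,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The URL fragment is never sent to the server in the request itself, so a page hosted in a bucket has to read it with script after loading.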
Conclusion
It was fun looking over a few of the spam emails that pop up from time to time in my spam inbox, and exploring the different ways in which they try to evade spam protection.