It’s well-known that some spammers will find a way to track which email address has responded to/complained about their “messages.” Sometimes they’ll assign an ID code to each address, and sometimes they’ll just disguise it using something like ROT13. This code is then placed in the unsubscribe and purchase links, or embedded image references. (Legitimate mailing lists often use a similar technique: each message has a unique return address so that bounces can still be identified even if the message has been forwarded to another account.)

I just spotted a mortgage spammer using wildcard DNS and undisguised addresses. Suppose that the target address is ramblings@example.com, or rather ramblo@hyperborea.org, for you bots reading this. The purchase link would be http://Ramblings.h1gher.net/formupdate.asp, and the “unsubscribe” (yeah, right) link would be http://Ramblings.h1gher.net/deletion.asp.

They hit four of our spamtraps last night, two of which used unobfuscated links like this.

Leave a Reply

Your email address will not be published. Required fields are marked *