Monday, October 23, 2006

l8tr.org gets an upgrade

My 'tell me later when this web site is available' server l8tr.org got an upgrade today. There are three things that are officially being released:

1. There's a l8tr.org bookmarklet which you can drag and drop to your toolbar. Just monitor a URL with l8tr.org and you'll be offered the bookmark customized to your email address. (Thanks to Iain Wallace for the code).

2. There's a l8tr.org Firefox extension that makes using l8tr.org a breeze. It's on the main l8tr.org page: click it to install it. Once configured with your email address, a simple right-click on a link you want to monitor gives the option Monitor with l8tr. Click that and l8tr.org starts monitoring the link. (Thanks to Barrett for the code; he gets the $50 bounty).

3. l8tr.org's cache is now working. As well as checking whether a site is available, l8tr.org caches the site's content and offers users both the original URL and the cached version.

In addition much has happened behind the scenes to make sure that site availability is correctly recognized.

Friday, October 20, 2006

Why OCRing spam images is useless

Nick FitzGerald forwards me another animated GIF spam that takes the animation plus transparency trick I outlined in the blog post A spam image that slowly builds to reveal its message to a new level. And it shows why spammers will work around OCR as fast as they can.

Here's what you see in the spam image:



Looks simple enough until you take a look at the GIF file that actually generated what you see. It's animated and it has three frames:





The first image is the GIF's background and is displayed for 10 ms; then the second image is layered on top with a transparent background so that the two images merge together and the image the spammer wants you to see appears. That image remains on screen for 100,000 ms (or 1 minute 40 seconds). After that the image is completely blanked out by the third frame.

My favourite touch is that it's not the entire image that's transparent, not even the white background, but just those pixels necessary to make the black pixels underneath show through. If you look carefully above you can see that some of the pixels appear yellow (which is the background color of this site), indicating where the transparency is.

That is darn clever.

Monday, October 16, 2006

A spam image that slowly builds to reveal its message

Nick FitzGerald sent me a stunning example of lateral thinking on the part of a spammer. The spammer has taken a standard stock pump-and-dump spam image and split it horizontally into strips.



Each of the 17 horizontal strips cuts fairly randomly through the text, making OCR on each strip not very useful. The spammer has then mounted each strip in its correct position on a transparent background and put each strip into an animated GIF. Here, for example, are a couple of strips:




The end result is that only once the entire image animation has completed is the complete spam visible, making this a challenge for spam filters. And the spammer has thrown in a couple of frames at the end of the image that get displayed after such a long delay (8 minutes) that they essentially never get shown. Those final frames are there just to throw off a spam filter trying to find the actual image.

Here's what gets displayed:



and here's the final image in the animation:



Very clever! (I'm calling this 'Strip Mining')
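Both of the animated GIF tricks above (the three-frame overlay and the strip-mined image) share a structural fingerprint: one frame is held on screen far longer than the others, and anything after it is effectively never displayed. The following is an added example, not code from either post: a small Python parser that walks the GIF89a block structure without decoding any pixel data and reports which frame a recipient is actually left looking at and which frames are decoys. The 60-second decoy threshold and the two sample GIFs are constructed for illustration; to actually OCR such an image a filter would have to composite every frame up to the longest-held one, which is exactly what a per-frame OCR does not do.

```python
"""Frame-timing and transparency analysis of an animated GIF.

Added example, not code from the original posts. Walks the GIF89a block
structure without decoding pixel data and reports, per frame, position,
size, delay and transparency. From that it works out which frame a viewer is
left looking at (the one held longest) and which frames are effectively never
shown because they follow a very long cumulative delay.
"""
import struct

DECOY_DELAY_CS = 60 * 100   # hundredths of a second; assumed threshold, not from the posts


def _skip_sub_blocks(data, pos):
    """Skip length-prefixed data sub-blocks up to and including the 0x00 terminator."""
    while True:
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def parse_gif(data):
    """Return {'canvas': (w, h), 'frames': [...]} for a GIF87a/GIF89a byte string."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13                                      # header + logical screen descriptor
    if packed & 0x80:                             # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    frames = []
    control = {"delay_cs": 0, "transparent": False, "disposal": 0}
    while pos < len(data):
        introducer = data[pos]
        pos += 1
        if introducer == 0x3B:                    # trailer
            break
        if introducer == 0x21:                    # extension block
            label = data[pos]
            pos += 1
            if label == 0xF9:                     # graphic control extension: packed byte, delay
                gce_packed, delay_cs = struct.unpack_from("<BH", data, pos + 1)
                control = {"delay_cs": delay_cs,
                           "transparent": bool(gce_packed & 0x01),
                           "disposal": (gce_packed >> 2) & 0x07}
            pos = _skip_sub_blocks(data, pos)     # every extension is a run of sub-blocks
        elif introducer == 0x2C:                  # image descriptor
            left, top, fw, fh, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if ipacked & 0x80:                    # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                              # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)     # compressed pixels, deliberately not decoded
            frames.append({"left": left, "top": top, "width": fw, "height": fh, **control})
            control = {"delay_cs": 0, "transparent": False, "disposal": 0}
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (introducer, pos - 1))
    return {"canvas": (width, height), "frames": frames}


def analyse(gif, decoy_delay_cs=DECOY_DELAY_CS):
    """Summarise what a viewer actually sees versus what a per-frame scanner sees."""
    frames, canvas = gif["frames"], gif["canvas"]
    elapsed, never_shown = 0, []
    for i, f in enumerate(frames):
        if elapsed >= decoy_delay_cs:             # reached only after a very long wait
            never_shown.append(i)
        elapsed += f["delay_cs"]
    held_longest = max(range(len(frames)), key=lambda i: frames[i]["delay_cs"]) if frames else None
    return {
        "frame_count": len(frames),
        "total_duration_cs": elapsed,
        "frame_held_longest": held_longest,
        "frames_never_shown": never_shown,
        "transparent_frames": [i for i, f in enumerate(frames) if f["transparent"]],
        "partial_frames": [i for i, f in enumerate(frames) if (f["width"], f["height"]) != canvas],
    }


def build_gif(canvas, frames):
    """Constructed test GIF (not a real spam). frames: (left, top, w, h, delay_cs, transparent).
    Pixel data is a placeholder LZW block that this module never decodes."""
    out = bytearray(b"GIF89a") + struct.pack("<HHBBB", canvas[0], canvas[1], 0x80, 0, 0)
    out += bytes([0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00])       # 2-entry global colour table
    for left, top, fw, fh, delay_cs, transparent in frames:
        out += bytes([0x21, 0xF9, 0x04, 0x01 if transparent else 0x00])
        out += struct.pack("<H", delay_cs) + bytes([0x00, 0x00])
        out += bytes([0x2C]) + struct.pack("<HHHHB", left, top, fw, fh, 0x00)
        out += bytes([0x02, 0x02, 0x44, 0x01, 0x00])          # min code size, one sub-block, end
    return bytes(out + b"\x3B")


# Constructed sample mirroring the three-frame trick: background 10 ms, transparent
# overlay held 100 s, then a blanking frame.
THREE_FRAME_GIF = build_gif((300, 100), [
    (0, 0, 300, 100, 1, False),
    (0, 0, 300, 100, 10000, True),
    (0, 0, 300, 100, 100, False),
])

# Constructed sample mirroring strip mining: transparent strips, the last held 8 minutes,
# then two decoy frames nobody waits for.
STRIP_GIF = build_gif((400, 200), [
    (0, 0, 400, 10, 10, True),
    (0, 10, 400, 10, 10, True),
    (0, 20, 400, 10, 48000, True),
    (0, 0, 400, 200, 10, False),
    (0, 0, 400, 200, 10, False),
])

if __name__ == "__main__":
    for name, sample in (("three-frame", THREE_FRAME_GIF), ("strip-mining", STRIP_GIF)):
        print(name, analyse(parse_gif(sample)))
```

For a filter, the useful outputs are `frame_held_longest` (the frame that should be composited with everything before it and then OCRed), `frames_never_shown` (candidates to ignore rather than hash or OCR) and `partial_frames` (strips that cover only part of the canvas, a hint that no single frame carries the message).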

Wednesday, October 04, 2006

A peek inside ReadNotify

Recently the service ReadNotify has been in the news because it was used to track emails and documents sent during the recent HP spying scandal. I'd heard of ReadNotify before but had never played with it; since they offer free accounts I signed up and sent myself some emails. Here's what I found inside those messages.

Using ReadNotify couldn't be simpler. Once you've registered your From address with the service you can send email through it by appending .readnotify.com to the email address of the person you are writing to. For example, to send a tracked email to me (XXX@gmail.com) you'd send it to XXX@gmail.com.readnotify.com. ReadNotify will add their tracking features to the message and forward it to the real recipient.

To test the service I sent the following email to an email address on Hotmail. The email was sent from my regular email address via ReadNotify. The email was composed in Mozilla Thunderbird, which I have configured to send only plain text email. (Throughout this blog post I have obscured details in the messages by replacing private information with XXX or 123).

Original message:

Date: Tue, 03 Oct 2006 13:20:03 +0200
From: John Graham-Cumming <XXX@XXX.XXX>
Reply-To: XXX@XXX.XXX
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040208
Thunderbird/0.5 Mnenhy/0.6.0.104
MIME-Version: 1.0
To: XXX@hotmail.com.readnotify.com
Subject: A test of this email tracking service to a hotmail account
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

I'd like to see how this works.

John.

What Hotmail received:

Received: from esmtp.emsvr.com ([208.185.251.19]) by
bay0-mc3-f7.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Tue, 3 Oct 2006 04:21:24 -0700
Received: from esmtp.emsvr.com (localhost.localdomain [127.0.0.1])
by esmtp.emsvr.com (8.13.6/8.12.11) with ESMTP id k93BKLB1030009
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for <XXX@hotmail.com>; Tue, 3 Oct 2006 11:20:22 GMT
Received: (from mail@localhost)
by esmtp.emsvr.com (8.13.6/8.12.11/Submit) id k93BKLoY030003
for XXX@hotmail.com; Tue, 3 Oct 2006 11:20:21 GMT
Resent-Date: Tue, 3 Oct 2006 11:20:21 GMT
Resent-Message-Id: <200610031120.k93BKLoY030003@esmtp.emsvr.com>
Resent-From: XXX@XXX.XXX.ddntqqiabybpiiv.emsvr.com
Received: from [66.249.92.168] by emsvr.com [208.185.251.19]
for <XXX@hotmail.com>
on-behalf-of XXX@gmail.com; Tue Oct 3 11:20:19 2006
Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.168])
by esmtp (8.13.6/8.12.11) with ESMTP id k93BKDi8029929
for <XXX@hotmail.com>; Tue, 3 Oct 2006 11:20:14 GMT
Received: by ug-out-1314.google.com with SMTP id t30so548551ugc
for <XXX@hotmail.com>; Tue, 03 Oct 2006 04:20:07 -0700 (PDT)
Received: by 10.67.121.15 with SMTP id y15mr3639480ugm;
Tue, 03 Oct 2006 04:20:07 -0700 (PDT)
Received: from ?192.168.1.2? ( [10.254.8.232])
by mx.gmail.com with ESMTP id e33sm6037799ugd.2006.10.03.04.20.05;
Tue, 03 Oct 2006 04:20:06 -0700 (PDT)
Message-ID: <45224763.50301@XXX.XXX>
Date: Tue, 03 Oct 2006 13:20:03 +0200
From: John Graham-Cumming <XXX@XXX.XXX>
Reply-To: "XXX@XXX.XXX" <XXX@XXX.XXX>
Usr-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040208
Thunderbird/0.5 Mnenhy/0.6.0.104
To: XXX@hotmail.com
Subject: A test of this email tracking service to a hotmail account
Sender: John Graham-Cumming <XXX@XXX.XXX>
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Disposition-Notification-To: "them"
<XXX@XXX.XXX.ddntqqiabybpiic.emsvr.com>
X-Confirm-Reading-To: XXX@XXX.XXX.ddntqqiabybpiic.emsvr.com
Return-Receipt-To: XXX@XXX.XXX.ddntqqiabybpiic.emsvr.com
Notice-Requested-Upon-Delivery-To: XXX@XXX.XXX.ddntqqiabybpiiv.emsvr.com
Errors-To: XXX@XXX.XXX.ddntqqiabybpiiv.emsvr.com
X-Read-Notification: Courtesy of ReadNotify.com -
http://www.r7vkv5yav10gu1.ReadNotify.com
Return-Path: XXX@XXX.XXX.ddntqqiabybpiiv.emsvr.com
X-OriginalArrivalTime: 03 Oct 2006 11:21:24.0793 (UTC)
FILETIME=[0FBED290:01C6E6DE]

<HTML><HEAD>
<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
</HEAD><BODY><DIV></DIV><DIV>I'd like to see
how this works.
</DIV><DIV>
</DIV><DIV>John.
</DIV>
<div alt="r7vkv5yav10gu1."><pre> </pre><pre>
<br><Img moz-do-not-send="true" border=0 height=1 width=3 alt=""
lowsrc=""
Src=http://www.r7vkv5yav10gu8.ReadNotify.com/nocache/r7vkv5yav10gu9/footer0.gif>
<Img moz-do-not-send="true" Border=0 Height=1 Width=2 Alt=""
Lowsrc=http://www.readnotify.com/ca/rspr47.gif ><BgSound volume=-10000
Alt='' Lowsrc=""
Src=https://tssls.r7vkv5yav10guv.ReadNotify.com/nocache/r7vkv5yav10guv/rspr47.wav>
</pre><table height=1 width=3 border=0><tr><td
background
=http://0320.185.64275/nocache/r7vkv5yav10guP/rspr47.gif> </td>
</tr></table>
<BODY bgColor="#ffffff;background-image:
url(http://www.r7vkv5yav10gum.ReadNotify.com/lis/r7vkv5yav10guq/rspr74.gif)" bgColor="#FFFFFF">
</div><div><title> A test of this email tracking service to
a hotmail account </title>
<title>&rlm;‏‌‌‎‎‍‍‏‎‏‎

[snipped 10s of lines like this]

&rlm;‎‌‌‎‎‏‏‌‎‏‎‎
<title> A test of this email tracking service to a hotmail account
</title>
</div alt="r7vkv5yav10gu1."></BODY></HTML>

Not only has my little plain text email become an HTML mail but there's a whole lot of additional stuff in the message that enables ReadNotify to track my receipt and opening of the message.
  1. The message headers contain no less than six different requests that receipt of the message be reported back to ReadNotify. Specifically, it contains the headers Disposition-Notification-To, X-Confirm-Reading-To, Return-Receipt-To, Notice-Requested-Upon-Delivery-To, Errors-To and X-Read-Notification. All of these go to the address XXX@XXX.XXX.ddntqqiabybpiic.emsvr.com, where the XXX@XXX.XXX is my obscured email address and the ddntqqiabybpiic is a unique string generated for just this message.

  2. That same unique address also appears in the Return-Path and Resent-From headers. All these headers mean that ReadNotify can watch the progress of my message as it passes from server to server, simply because the servers will look up information from these headers; each lookup acts as a beacon showing which IP addresses handled the message.

  3. The message body contains four separate web bugs using a standard image, a background sound, a background image on a table and a background image on the body using CSS.

    The image is <img send="true" alt="" lowsrc="" src="http://www.r7vkv5yav10gu8.ReadNotify.com/" border="0" height="1" width="3" /> where the r7vkv5yav10gu8 is unique to this message.

    The background sound is <bgsound volume="-10000" alt='' lowsrc="" src="https://tssls.r7vkv5yav10guv.ReadNotify.com/nocache/r7vkv5yav10guv/rspr47.wav">. Notice the volume being set to -10000 so that there's no sound at all, and the same unique string in the path to get the sound.

    The table contains a <td> tag with a background image using the same unique string: <td background= http://0320.185.64275/nocache/r7vkv5yav10guP/rspr47.gif>

    Finally, the same unique string appears in the <body> tag using CSS: <BODY bgColor="#ffffff;background-image:url(http://www.r7vkv5yav10gum.ReadNotify.com/lis/r7vkv5yav10guq/rspr74.gif)" bgColor="#FFFFFF">

  4. Finally, there's that large block of stuff at the end written using HTML entities. In fact it consists of precisely four different invisible HTML entities repeated over and over again: &rlm; (right-to-left mark), &lrm; (left-to-right mark), &zwnj; (zero-width non-joiner) and &zwj; (zero-width joiner). There's clearly a pattern there, but I'm not sure of its purpose; perhaps it's yet another unique identifier for the message.

It's also possible to send the message via .silent.readnotify.com. I tried that too, with the same message. The only differences are that the return receipt headers are missing (which means that the person receiving the message will not be notified by their mail client of a return receipt) and that the entire message had been base64 encoded (I wonder why? I assume ReadNotify is trying to hide something from either a mail server or mail client). Decoding the message revealed that it contained essentially the same HTML as above with a different unique string (since this was a different message).
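Every one of the signals listed above can be checked for mechanically on the receiving side. The following is an added example, not code from the original post or from ReadNotify: a Python scanner using only the standard library that reports receipt-request headers, per-message tokens spliced onto the sender's own address, remote resources the mail client would fetch from the HTML body (including CSS smuggled into a bgColor attribute, with the duplicated attribute handled), and long runs of invisible entities. The sample message and the tracker.example / example.org domains and msgtoken values are constructed, not taken from a real message.

```python
"""Flag read-receipt and web-bug tracking in a received email.

Added example, not code from the original post or from ReadNotify. Looks for
receipt-request headers, a per-message token appended to the sender's own
address in bounce/receipt addresses, remote resources in the HTML body (tiny
images, bgsound, table/body background images, CSS url() inside attributes)
and long runs of invisible entities. Sample message and domains are constructed.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser

RECEIPT_HEADERS = ("Disposition-Notification-To", "X-Confirm-Reading-To", "Return-Receipt-To",
                   "Notice-Requested-Upon-Delivery-To", "Errors-To", "X-Read-Notification")
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
INVISIBLE_RE = re.compile(r"&(?:rlm|lrm|zwnj|zwj|#820[4-7]|#x200[c-f]);", re.I)


class _BeaconCollector(HTMLParser):
    """Collect (kind, url) for every remote resource a mail client would fetch."""

    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        attrs = [(k.lower(), v or "") for k, v in attrs]
        a = dict(attrs)
        if tag == "img":
            for key in ("src", "lowsrc"):
                if a.get(key, "").startswith(("http://", "https://")):
                    self.beacons.append(("img", a[key]))
        elif tag == "bgsound" and a.get("src"):
            self.beacons.append(("bgsound", a["src"]))
        if a.get("background", "").startswith(("http://", "https://")):
            self.beacons.append((tag + "[background]", a["background"]))
        # CSS hidden in style or even bgcolor: scan the list, not the dict, because a
        # duplicated attribute would otherwise shadow the value carrying the url()
        for key, value in attrs:
            if key in ("style", "bgcolor"):
                for url in URL_RE.findall(value):
                    self.beacons.append((tag + "[css]", url))


def scan_message(raw):
    """Return a report of tracking indicators found in an RFC 822 message string."""
    msg = message_from_string(raw, policy=default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    receipts, tokens = {}, set()
    for name in RECEIPT_HEADERS + ("Return-Path", "Resent-From"):
        value = msg.get(name)
        if value is None:
            continue
        addr = str(value).strip() if name == "X-Read-Notification" else parseaddr(str(value))[1].lower()
        if name in RECEIPT_HEADERS:
            receipts[name] = addr
        # the sender's own address used as a prefix of the tracker address: the label
        # that follows it is a token unique to this message
        if sender and addr.startswith(sender + "."):
            tokens.add(addr[len(sender) + 1:].split(".")[0])
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part is not None else ""
    collector = _BeaconCollector()
    collector.feed(html)
    return {
        "receipt_headers": receipts,
        "per_message_tokens": sorted(tokens),
        "beacons": collector.beacons,
        "invisible_entities": len(INVISIBLE_RE.findall(html)),
        "is_tracked": bool(receipts) or bool(collector.beacons),
    }


INVISIBLE_RUN = "&rlm;&lrm;&zwnj;&zwj;" * 12          # 48 invisible entities, constructed

# Constructed message modelled on the structure described above; every domain is a placeholder.
SAMPLE_MESSAGE = """\
Return-Path: sender@example.org.msgtoken0002.tracker.example
Resent-From: sender@example.org.msgtoken0002.tracker.example
From: Sender <sender@example.org>
To: recipient@example.net
Subject: A test of this email tracking service
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Disposition-Notification-To: "them" <sender@example.org.msgtoken0001.tracker.example>
X-Confirm-Reading-To: sender@example.org.msgtoken0001.tracker.example
Return-Receipt-To: sender@example.org.msgtoken0001.tracker.example
Notice-Requested-Upon-Delivery-To: sender@example.org.msgtoken0002.tracker.example
Errors-To: sender@example.org.msgtoken0002.tracker.example
X-Read-Notification: Courtesy of tracker.example - http://www.msgtoken0001.tracker.example

<HTML><BODY bgColor="#ffffff;background-image:url(http://www.msgtoken0001.tracker.example/lis/rspr74.gif)" bgColor="#FFFFFF">
<DIV>I'd like to see how this works.</DIV>
<pre><img border=0 height=1 width=3 alt="" lowsrc="" src=http://www.msgtoken0001.tracker.example/nocache/footer0.gif>
<bgsound volume=-10000 src=https://tssls.msgtoken0001.tracker.example/nocache/rspr47.wav></pre>
<table height=1 width=3 border=0><tr><td background=http://203.0.113.7/nocache/rspr47.gif> </td></tr></table>
<title>""" + INVISIBLE_RUN + """</title></BODY></HTML>
"""

if __name__ == "__main__":
    for key, value in scan_message(SAMPLE_MESSAGE).items():
        print(key, "=", value)
```

The two checks that generalise beyond this one service are the token test (a bounce or receipt address that begins with the recipient's own From address and continues with an extra label) and the beacon list, which a mail client that blocks remote content never fetches; the receipt headers on their own only tell the reader that a receipt was requested, not whether it was sent.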

Going over to the ReadNotify UI shows the two messages that I sent and when they were last opened.



Clicking on one of the messages gives details of when and where the message was opened. The physical location was absolutely correct.



The company can also track attachments such as Microsoft Word documents and PDF files with similar accuracy.

Introducing l8tr.org

My latest little venture is a free service called l8tr.org. It's for all those times when you want to visit a web page but can't because the web page is running too slowly, or is completely overloaded, or you are in the middle of your work day and the page is NSFW.

Just type in the URL of the web page and your email address. l8tr.org will check the availability of the web site and once it becomes available you'll receive an email.

That means there's no need to be frustrated when you can't get to a web site. l8tr.org will watch it for you and send you a simple email reminder.

Monday, October 02, 2006

Ye Olde OCR Buster

Regular spam-correspondent Nick FitzGerald writes with an example of a spam that he believes is trying to get around both hash busting and OCR in an image.



The image has random dots in the bottom left-hand corner to mess up hashing of the GIF itself, and the fonts used are unusual and badly rendered.
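The random dots only work against a filter that hashes the exact image bytes. As an added example (not code from the original post), here is a Python comparison of an exact SHA-256 over a bitmap with a coarse block-based perceptual hash: a handful of dots in one corner changes every bit of the exact hash but none of the block hash, while a genuinely different layout of text moves the block hash by many bits. The bitmaps are constructed 1-bit arrays with horizontal bars standing in for lines of text, and the 4x4 block hash is a deliberately simple illustration, not any particular product's algorithm.

```python
"""Exact versus tolerant image hashing for near-duplicate spam images.

Added example, not code from the original post. Shows why a few random dots
defeat a cryptographic hash of the image bytes but not a coarse perceptual hash
computed over blocks of pixels. Bitmaps are constructed 1-bit arrays; the block
hash is an illustrative toy, not a specific product's algorithm.
"""
import hashlib
import random

W, H = 32, 16                     # constructed bitmap size, in pixels


def render_bars(rows):
    """Constructed 1-bit bitmap: horizontal bars on the given rows stand in for lines of text."""
    bmp = [[0] * W for _ in range(H)]
    for row in rows:
        for col in range(4, W - 4):
            bmp[row][col] = 1
    return bmp


def add_random_dots(bmp, count, seed, region=(10, 16, 0, 8)):
    """Copy bmp and set `count` currently-white pixels in a corner (row0, row1, col0, col1).

    Only white pixels are chosen so the exact hash is guaranteed to change."""
    rng = random.Random(seed)
    out = [row[:] for row in bmp]
    r0, r1, c0, c1 = region
    white = [(y, x) for y in range(r0, r1) for x in range(c0, c1) if out[y][x] == 0]
    for y, x in rng.sample(white, count):
        out[y][x] = 1
    return out


def exact_hash(bmp):
    """Cryptographic hash of the raw pixel bytes: any single pixel change alters it."""
    return hashlib.sha256(bytes(px for row in bmp for px in row)).hexdigest()


def block_hash(bmp, block=4, threshold=0.5):
    """Coarse perceptual hash: one bit per block, set when at least `threshold` of its pixels are dark."""
    bits = []
    for by in range(0, H, block):
        for bx in range(0, W, block):
            dark = sum(bmp[y][x] for y in range(by, by + block) for x in range(bx, bx + block))
            bits.append("1" if dark >= threshold * block * block else "0")
    return "".join(bits)


def hamming(a, b):
    """Number of differing bits between two equal-length bit strings."""
    return sum(x != y for x, y in zip(a, b))


def compare(a, b):
    """Report whether two bitmaps match exactly and how far apart their block hashes are."""
    return {"exact_match": exact_hash(a) == exact_hash(b),
            "block_distance": hamming(block_hash(a), block_hash(b))}


ORIGINAL = render_bars((2, 3, 8, 9, 12, 13))        # the "text" image
DIFFERENT_TEXT = render_bars((4, 5, 6, 7))          # a different layout entirely

if __name__ == "__main__":
    noisy = add_random_dots(ORIGINAL, 5, seed=7)    # same image plus a few corner dots
    print("dots added:      ", compare(ORIGINAL, noisy))
    print("different image: ", compare(ORIGINAL, DIFFERENT_TEXT))
```

A filter that keys on the block hash (or any tolerant hash, compared by Hamming distance below a small threshold) still recognises the dotted image as a repeat, whereas one keyed on the exact hash sees a brand new image every time. The dots are confined to a corner precisely so that no 4x4 block crosses the half-dark threshold; the real-world counterpart is choosing a block size coarse enough to absorb that kind of noise.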