2

Monday morning, and I've opened my company email box to find an e-mail with the following message (no HTML, just text/plain - it was sent to a distribution group).

Some of the headers:

X-Mailer: Labourism v0.42
To: Keren [suppressed] <webteam@[suppressed]>
From: Fae [suppressed] <stilts@[suppressed]>
Subject: gold of the t
MIME-Version: 1.0

Note: The To name does not work here or has never worked here. There is no "Keren" in the webteam distribution group.

gold of the t

Osed to yield what is believed to be the only truth consistent with an intelligent conception of a just, loving, and wise God. The immediate cause of this determined conflict is found in Professor Briggs' recent address on the authority of the Holy Scriptures, delivered at his inaugural as Professor of Biblical Theology in the Union Theological Seminary of New York. In this notable address he maintai

Since it's not phishing for anything, what is the purpose of this? It's obviously spam, but why send it if there is no purpose - and notice it's not asking directly or indirectly for a reply to check if the receiving inbox is monitored.

hd.
  • No tracking code? Some autoresponder or SMTP services nowadays provide a tracking code for their analytics features, checking the percentage of mails delivered and opened. Could be a "response test" if there's one. But if there's no tracking code, maybe someone has just sent it to a wrong email address. – Kertiyasa Mandala Oct 03 '16 at 07:58
  • 3
    Perhaps a test message. The spammer might be just testing out a new mailing script or something. A quick google on some of that text shows that it's from a book called "The Arena" written in 1891. It is most likely used as generic placeholder/testing content. – user1751825 Oct 03 '16 at 08:00
  • @RikkyYoelandaPutra Would the tracking code be in the e-mail headers? If it's in the body - then no, no tracking code. – hd. Oct 03 '16 at 08:07
  • @user1751825 seems like it could be it, but would they know it's been or opened? Or would they not be testing for that (do you think)? – hd. Oct 03 '16 at 08:08
  • I'm sorry but I'm not too sure about how it works since I'm only using that kind of mailing service for playing around. This post may have a clue about it; I've used their service before: https://blog.mailchimp.com/measuring-transactional-email-performance-with-mandrill/ – Kertiyasa Mandala Oct 03 '16 at 08:13
  • @RikkyYoelandaPutra That's ok - thanks for the link! – hd. Oct 03 '16 at 08:15
  • Looks like a spam script gone wrong or a poor attempt at validating email domains. – Julian Knight Oct 03 '16 at 09:31
  • 2
    @hd. They wouldn't be getting paid for this, as it's not advertising anything, so they're probably not interested in open stats. Open stats are very unreliable anyway, unless people click on links. Possibly the strange content was just to confuse spam filters, so the spammer can check the bounce rates. – user1751825 Oct 03 '16 at 10:27
  • @hd. Have you checked the original/source code of the email? It could contain scripts/tracking pixels/CSRF attack stuff/malformed data to exploit email clients, etc. – billc.cn Oct 03 '16 at 13:38
  • @billc.cn checking now. There is an `X-Brightmail-Tracker` header with a base64 string. That's the only thing that looks suspicious. The e-mail passed messagelabs checks with a score of 0.3 in regards to spam – hd. Oct 03 '16 at 13:42
  • Oh, `X-Brightmail-Tracker` is part of Symantec - never mind. – hd. Oct 03 '16 at 13:49
  • There might have been a payload or tracking object embedded when it was sent, but some corporate email gateways and email clients will surreptitiously strip that stuff out without informing you. – Ivan Oct 03 '16 at 18:20

2 Answers

2

This is an attempt at Bayesian poisoning, a technique designed to fool machine-learning spam filters. It does not work, but spammers keep trying it anyway.

Quotes from (and about) scripture are rather common in Bayes poisoning for whatever reason, even though their maximum potential would be to confuse only filters that see a lot of similar text in legitimate mail, and even then Bayes is smart enough to know the difference.

Adam Katz
  • Interesting points, thanks! This is also [the accepted answer to the marked duplicate](http://security.stackexchange.com/questions/12589/what-is-the-point-of-gibberish-spam) so thank you `:)` – hd. Oct 04 '16 at 07:40
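Why padding of this kind has little effect can be seen in a small token-based Bayesian scorer. The following is an added example, not code from the answer above or from any real filter: it uses a simplified scheme in the style of Paul Graham's "A Plan for Spam" (only the tokens farthest from neutral are combined, and unseen tokens get a near-neutral 0.4), and the training corpus and spam body are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed training corpus (not real mail), kept tiny on purpose.
SPAM = ["cheap pills buy now limited offer click here",
        "buy cheap watches now click here for offer",
        "limited offer cheap pills click now"]
HAM = ["meeting notes attached please review before monday",
       "please review the deploy schedule for the web team",
       "monday deploy moved please see attached notes"]
SPAM_BODY = "buy cheap pills now click here"  # constructed spam payload
# Padding taken from the excerpt quoted in the question.
PADDING = ("the immediate cause of this determined conflict is found in "
           "professor briggs recent address on the authority of the holy scriptures")

def tokens(text):
    return re.findall(r"[a-z']+", text.lower())

def train(spam_docs, ham_docs):
    # Count in how many documents of each class a token appears.
    spam = Counter(t for d in spam_docs for t in set(tokens(d)))
    ham = Counter(t for d in ham_docs for t in set(tokens(d)))
    return spam, ham, len(spam_docs), len(ham_docs)

def token_prob(tok, model, unseen=0.4):
    spam, ham, n_spam, n_ham = model
    if tok not in spam and tok not in ham:
        return unseen  # never-seen words carry almost no evidence
    s, h = spam[tok] / n_spam, ham[tok] / n_ham
    return min(0.99, max(0.01, s / (s + h)))  # clamp to avoid log(0)

def spam_score(text, model, top_n=15):
    probs = [token_prob(t, model) for t in set(tokens(text))]
    # Combine only the top_n tokens farthest from the neutral value 0.5.
    picked = sorted(probs, key=lambda p: abs(p - 0.5), reverse=True)[:top_n]
    log_s = sum(math.log(p) for p in picked)
    log_h = sum(math.log(1 - p) for p in picked)
    return 1 / (1 + math.exp(log_h - log_s))

if __name__ == "__main__":
    model = train(SPAM, HAM)
    print("payload only  :", spam_score(SPAM_BODY, model))
    print("payload + pad :", spam_score(SPAM_BODY + " " + PADDING, model))
```

Most of the padded words were never seen in training and sit near neutral, so the strongly spammy tokens of the payload still dominate the combined score.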
1

I would say user1751825 is correct. This could likely be a 'test'. The mail could have been sent with a parameter that makes it send a 'received' mail back to the sender. Now the sender knows that yours is a legitimate email address. If you work somewhere where you or anyone there may have access to sensitive information of any kind, the next email would certainly be phishing and more than likely would look less suspicious. Even though the sender obviously included this apparently fake person in the 'To' line ("Keren" in the webteam distribution group), that is already very suspicious. They will likely next time include a link or a .PDF if the mail in question did not already include something like that. All you would need to do is click on any such links or files and your system, then the network, could be compromised. Of course I don't know where you work, so I don't know what you may have access to, but that sounds like what I would do during a Pentest.

Delivery Status Notification: http://www.sendmail.org/~ca/email/dsn.html

  • Most email servers won't send success notifications. However most still send failure notifications, if the email is not flagged as spam. This will help a spammer sanitise their list, which is particularly important if the list contains a lot of auto-generated email addresses. – user1751825 Oct 04 '16 at 05:02
  • Some interesting points, thanks! Though Adam's answer I think answers it better and is backed by the [marked duplicate answer](http://security.stackexchange.com/questions/12589/what-is-the-point-of-gibberish-spam) – hd. Oct 04 '16 at 07:41
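For checking a message's source for the things raised in this thread (receipt requests, attachments, links, remote images), a triage script along these lines can be run over the raw message. This is an added example, not code from any of the posts: both sample messages are constructed (the first is modelled on the headers quoted in the question, with placeholder addresses), and the list of headers checked is an assumption covering the common read-receipt headers.

```python
import re
from email import message_from_string, policy

# Constructed sample modelled on the question's headers; addresses are placeholders.
RAW_PLAIN = """\
X-Mailer: Labourism v0.42
To: Keren <webteam@example.com>
From: Fae <stilts@example.net>
Subject: gold of the t
MIME-Version: 1.0

Osed to yield what is believed to be the only truth
"""
# Constructed counter-example: receipt request plus a remote image.
RAW_TRACKED = """\
From: Fae <stilts@example.net>
Subject: gold of the t
Disposition-Notification-To: stilts@example.net
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<p>Osed to yield</p><img src="http://tracker.example.net/o.gif?id=1">
"""

RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To")

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = [f"receipt request: {h}" for h in RECEIPT_HEADERS if msg[h]]
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if part.get_content_disposition() == "attachment" or part.get_filename():
            findings.append(f"attachment: {part.get_filename()} ({ctype})")
        elif ctype == "text/html":
            imgs = re.findall(r'<img[^>]+src=["\'](https?://[^"\']+)',
                              part.get_content(), re.I)
            findings += [f"remote image: {u}" for u in imgs]
        elif ctype == "text/plain":
            urls = re.findall(r"https?://\S+", part.get_content())
            findings += [f"link: {u}" for u in urls]
    return findings

if __name__ == "__main__":
    print(triage(RAW_PLAIN))
    print(triage(RAW_TRACKED))
```

A DSN request is made in the SMTP envelope (the `NOTIFY` parameter on `RCPT TO`), so it never appears in the message source; only header-based read-receipt requests can be found this way.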