What is the purpose of these strange non-spam emails?

information-security email spam
2021-08-17 08:14:52

An email got through the spam filter and I would like to know what its purpose is. It is not spam. Tracking? But how? Who? Why? The source contains strange passages like this...

=EA=85=9F =EA=8F=92

Who benefits, and how? There are no other links in this email.

[Screenshot of the email in the browser]

Delivered-To: my@email.com
Received: by 10.28.158.140 with SMTP id h134csp1731559wme;
        Mon, 3 Aug 2015 04:22:13 -0700 (PDT)
X-Received: by 10.55.41.195 with SMTP id p64mr24023265qkp.5.1438600933481;
        Mon, 03 Aug 2015 04:22:13 -0700 (PDT)
Return-Path: <donallsutherland@yahoo.com>
Received: from nm38-vm9.bullet.mail.bf1.yahoo.com (nm38-vm9.bullet.mail.bf1.yahoo.com. [72.30.239.25])
        by mx.google.com with ESMTPS id j34si16595518qkh.82.2015.08.03.04.22.12
        for <my@email.com>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Mon, 03 Aug 2015 04:22:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of donallsutherland@yahoo.com designates 72.30.239.25 as permitted sender) client-ip=72.30.239.25;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of donallsutherland@yahoo.com designates 72.30.239.25 as permitted sender) smtp.mail=donallsutherland@yahoo.com;
       dkim=pass header.i=@yahoo.com;
       dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1438600932; bh=2Le9dnlRHEHV2DHi6g9XBTAZHFuEvLsr8SjC/C2a2+Y=; h=Date:From:Reply-To:To:Subject:From:Subject; b=ab5c6U0O35AE1JHNL7n1OB10kVvCjIPh5ilkWw5ct2nWs6w4b9CSkyaBQKibdqI3gbQB+NQo8/FINRQMjloHxunlRa91MRWQEZ48S3EUOH65D4b7tVMyfs4pB+VSJb/8ohLwDFs0nFS5V9S55M1DD3o+WqLOkwb49ijxE8J9enDY8jtLWaJ7RZ794nZcvRH3a3Y4r31Y3zahRUVmKQKc2vvPDOrEbncmu2PEJOhcJEELTQcc1MXtaVWHzspmyPZBuBVzvd4cvvYStguk7p5UL9kvyLWG3ZyhaPyDGfbt0egQcFropcb6Xw3ttdikVlC7YYVipZUgzp/IzajFZks6jw==
Received: from [66.196.81.170] by nm38.bullet.mail.bf1.yahoo.com with NNFMP; 03 Aug 2015 11:22:12 -0000
Received: from [98.139.212.241] by tm16.bullet.mail.bf1.yahoo.com with NNFMP; 03 Aug 2015 11:22:12 -0000
Received: from [127.0.0.1] by omp1050.mail.bf1.yahoo.com with NNFMP; 03 Aug 2015 11:22:12 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 627932.61631.bm@omp1050.mail.bf1.yahoo.com
X-YMail-OSG: V0Jf1mgVM1nboRi87_16P3wYo7hVU_Wr4wYa8QonNjb6jD1sZDPz1QMe5617lEj
 .KTslKteP6Aay2J5FC1JdWzUFlVlqBbvFsFsuumiJcZNTt05csrlKh1v3H5Gzb0ArIimMooZB3WF
 V4xucEAi6v6l.Dx4G6r66fHLgmvW_3nukrV5HBBj49nHgUkd6ZWNWvVJ..pnsjI3WTLyo_B3PKTC
 tvyVuliPBVKPv4oDLkFbiAcS6czdirjBw04SDlyXyz6zVVvgyrFQx8Jxu7Z0yEfA18KRNWlrn4kd
 Ozgpri8uHm.hdcj.DYlF5lVANlBACmDfsboQOL9Ma69nsNeWvRGVoDrxYGsXCfOT13yAfXLLdf_c
 KwEOEIXQcfnWY5tWHHqhLPaEJM36vGb7PrSVPjbGFvuGxO.a66wkphgI_Gn3rcXkXGBluiVveg5O
 _KFt15xpsEM1nd7kvyyBo2M2GJn_A_GuD_0KNoPKrk8Gtorh9Z7TdSW.0WtU80P8m6vsRydyp2u9
 7H14-
Received: by 76.13.27.197; Mon, 03 Aug 2015 11:22:12 +0000 
Date: Mon, 3 Aug 2015 11:22:11 +0000 (UTC)
From: Shawn <donallsutherland@yahoo.com>
Reply-To: Shawn <lvizzhgyrbpjoyce@yahoo.com>
To: <removed to protect privacy>
Message-ID: <16559779.120231.1438600931851.JavaMail.yahoo@mail.yahoo.com>
Subject: fdihkesdhlffljrks djssldhfvkljdelsfkah
MIME-Version: 1.0
Content-Type: multipart/alternative; 
    boundary="----=_Part_120230_1658237110.1438600931848"
Content-Length: 1531

------=_Part_120230_1658237110.1438600931848
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

dolomite fiddle armpits moribunditygNIt's=EA=85=9FShawn=EA=80=BCby=EA=8F=92=
the=EA=87=91way.famished nonsalaried artichokes deadlockingAaI'm=EA=87=8Bex=
cited=EA=8D=BEabout=EA=91=8Fyour=EA=89=AFanswer))symbiotes perspire
------=_Part_120230_1658237110.1438600931848
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<html><body><div style=3D"background-color:#ccdd15;display:block;color:#ccd=
d15;"><div style=3D"font-family: Unfeignedly, Gascony, Pancakes;font-size:5=
px;">dolomite fiddle armpits moribundity<div>gN<div style=3D"font-size:20px=
;color:#455e81;display:inline-block">It's</div>=EA=85=9F<strong style=3D"fo=
nt:20px normal;color:#455e81">Shawn</strong>=EA=80=BC<div style=3D"color:#4=
55e81;font-size:20px;display:inline-block">by</div>=EA=8F=92<em style=3D"fo=
nt:20px normal;color:#455e81">the</em>=EA=87=91<em style=3D"font:20px norma=
l;color:#455e81">way.</em></div>famished nonsalaried artichokes deadlocking=
<div>Aa<i style=3D"color:#455e81;font:20px normal">I'm</i>=EA=87=8B<span st=
yle=3D"color:#455e81;font-size:20px">excited</span>=EA=8D=BE<big style=3D"f=
ont-size:20px;color:#455e81">about</big>=EA=91=8F<strong style=3D"font:20px=
 normal;color:#455e81">your</strong>=EA=89=AF<i style=3D"color:#455e81;font=
:20px normal">answer))</i></div>symbiotes perspire</div></div></body></html=
>
------=_Part_120230_1658237110.1438600931848--
2 answers

Spam, but possibly from a spammer who is not very good at spamming.

The '=EA' bits are Quoted-Printable, which encodes bytes as ASCII characters. So '=EA=85=9F' stands for the bytes of value 0xEA, 0x85 and 0x9F, in that order; that is the UTF-8 encoding of 'ꅟ' (i.e. U+A15F YI SYLLABLE NDEX, one of the symbols of the Yi script). Whoever sent this email expects your mail-reader software not to include a Yi font, so that the character is displayed as a blank.

The purpose of these symbols is to try to confuse anti-spam filters: a filter might try to react to the sentence "It's xxx by the way" (for a random name instead of "xxx"); the extra characters may make such a filter fail. Quite probably, the spam sent to a million people uses random characters from unusual sets (like Yi glyphs). The random words ("fiddle", "armpits"...) serve the same purpose: evading detection, in particular by Bayesian spam filters. Note that the extra words are "hidden" in the HTML view, shown in a very small font and in the same colour as the background.

All of this is very spammy, and since your spam filter let the email through, the spammer actually won this round: his evasion strategy worked and your spam filter was defeated.


Now, what is the point of all this? The purpose of spam is to trigger some reaction from the spammed person. This can be "click the link", but also "send an email in response". I can make a few guesses:

  • It has been pointed out (e.g. in this study) that the business model of most spammers requires precisely targeting gullible people. Sending millions of spam emails costs the spammer almost nothing; however, when a spammed person answers, a human agent on the spammer's side must read and respond, and that is where things become very expensive for the spammer. Therefore, what the spammer really wants is that the few people who actually bite at the initial spam are ready to believe the most fantastic stories.

    Under this hypothesis, the spam you received could be a way to find people gullible enough to believe that the sender is really called Shawn and ready to talk with Shawn.

  • Spammers are (technically) human, with all the flaws that this entails. The spammer uses a spam tool but may not be good at using it. I often receive spam that greets me with "Hello %RANDUSER", which can only be explained by spammers who should have read their spam tool's documentation.
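
As an added illustration of the decoding described in this answer (this is example code, not part of the answer above): it decodes the quoted-printable text/plain part quoted in the question, lists the Yi-block filler characters hidden between the words, and shows what a filter sees once that filler is normalised away. The sample body and the helper names are constructed for this example.

```python
import quopri
import unicodedata

# Constructed sample: the text/plain part quoted in the question, with its
# quoted-printable soft line breaks ("=" at end of line) kept as in the raw message.
QP_BODY = (
    "dolomite fiddle armpits moribunditygNIt's=EA=85=9FShawn=EA=80=BCby=EA=8F=92=\n"
    "the=EA=87=91way.famished nonsalaried artichokes deadlockingAaI'm=EA=87=8Bex=\n"
    "cited=EA=8D=BEabout=EA=91=8Fyour=EA=89=AFanswer))symbiotes perspire\n"
)

# Unicode block "Yi Syllables": U+A000..U+A48F
YI_SYLLABLES = range(0xA000, 0xA490)


def decode_qp(body: str) -> str:
    """Undo quoted-printable (RFC 2045) and interpret the resulting bytes as UTF-8."""
    return quopri.decodestring(body.encode("ascii")).decode("utf-8")


def find_filler_chars(text: str) -> list:
    """List every Yi-block character in text as (char, codepoint, Unicode name)."""
    return [(c, ord(c), unicodedata.name(c, "?")) for c in text if ord(c) in YI_SYLLABLES]


def normalise_for_filter(text: str) -> str:
    """Replace the Yi filler with spaces so the phrase a filter looks for is tokenisable again."""
    return "".join(" " if ord(c) in YI_SYLLABLES else c for c in text)


def looks_obfuscated(text: str, min_filler: int = 3) -> bool:
    """Heuristic: several Yi glyphs wedged between ASCII words is itself a spam signal."""
    return len(find_filler_chars(text)) >= min_filler


if __name__ == "__main__":
    decoded = decode_qp(QP_BODY)
    for ch, cp, name in find_filler_chars(decoded):
        print(f"{ch!r} U+{cp:04X} {name}")
    print("filter sees:", normalise_for_filter(decoded).strip())
    print("obfuscated:", looks_obfuscated(decoded))
```

The same normalisation step is what a filter would apply before matching phrases such as "by the way", which is exactly the match the filler is meant to break.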

This email is definitely spam (unless you know the sender and/or asked for it). Those strange strings are an obfuscation technique and a clear sign of spam. See Tom Leek's answer for more.

There are three possible explanations for this email:

  1. It is an attempt to get you to respond; the thread builds psychological trust so that a scam can be set up better
  2. It is an attempt to mess up your filters (e.g. Bayesian poisoning... which does not work)
  3. The spammer messed up and forgot the payload

I lean towards it being both #1 and #2.

(Nice fonts there! font-family: Unfeignedly, Gascony, Pancakes: good material for a Bayesian tokenizer to learn.)