Starting on 23.03.09 we began to receive a new type of spam mails having a rather interesting format: HTML with tables having certain cells colored with a special background. The result is really nice, as you can see below:

Fig. 1: The resulting mail

The body contains two parts, as any decent and proper formed email: text/plain and text/html. The two parts are identical from a content point of view. So, if we would render the HTML part, we obtain exactly the plain/text part. This makes the email even more credible. Analyzing the HTML content we see that there is actually not a single ASCII character in the table where the word VIAGRA is created.

Fig. 2: The HTML part of the email

In the details of one of the rows we can see how each row is created:

Fig. 3: The html of the single cells of a table-row

There is a matrix created as a table with 31 columns and 6 rows and the words are formed using colored cells. This is not yet detected by most spam filters – a simple word filter fails.

The link “Click Here” in the spam mail points to Microsofts blogging service on spaces.live.com. Trying to report the URL to live.com was impossible – but this is yet another story.

Sorin Mustaca
Manager International Software Development