2.4 Disguising the Subject: Header

It is tempting to examine the Subject: header to identify spam email. Unfortunately, the Subject: header is entirely under the spammer's control and thus can never be trusted.

But not all spam senders are created equal. Some will do everything possible to make the Subject: header appear benign, but others are inept and will provide clues in that header.

Clearly, it can benefit you to try to pick off these inept spammers. But first, understand that, by doing so, you run the risk of identifying good email as spam. To illustrate, consider the following examples of actual spam Subject: headers:

Subject: Learn how thousands are making a fortune with eBay...
Subject: Earn While You Learn  sjdv
Subject: Visit PlayboyPlus for New Playmate Pics
Subject: Discreet delivery
Subject: naked and cute. watch my movie.
Subject: ,^refina'nce now and ;save-    r
Subject: Extend your auto warranty, free quote
Subject:
Subject: Spring Special
Subject: <a href="http://www.example.com/mp/axis/">or not
Subject: get the edge
Subject: Re:  jock
Subject: V1AGR*A final1y fOund a t0ugh cOmpet1t0r -- CIAL1-S
Subject: Email Verification!Please take a look.  wyl
Subject: Celebrity Secret to looking young!
Subject: You've seen ads for Levitra on TV, Does it Work?i s k
Subject: Refinance your Home and skip a payment
Subject: Important notify about your e-mail account.

Although all of these appear to be spam Subject: headers, in actuality the two shown in bold were real email messages to users who wanted to receive them.

In general, it is unwise to employ a spam-screening strategy that examines only Subject: headers. Such screening is prone to errors, and as spammers mature, the use of such headers will likely decline. We expect spam email Subject: headers of the future to look more like these:

Subject: Yesterday was fun
Subject: Re: updating my address
Subject: Thanks again!
Subject: Email Statement
Subject: next appointment
Subject: I hope so

Another trick used by spam senders is to base64-encode the Subject: header using the MIME encoded-word syntax (RFC 2047). This has the advantage of hiding the text from detection software that only looks at the raw header, while still allowing the end user's mail client to display a readable subject line. Such base64 code might look like this:

Subject: =?iso-8859-1?b?OTAgZGF5cyB0byB5b3V0aA==?=

The end user will see this:

Subject: 90 days to youth

Unfortunately, however, base64 encoding of a Subject: does not always indicate a spam message, because it is also the only method that allows headers written in many non-English languages to be carried legally in email. For example, in the United States a user might consider =?GB2312? (which indicates simplified Chinese) to be a solid indicator of spam email. But in China, that same encoding might indicate good email, whereas =?US-ASCII? might indicate spam. Thus, again, we recommend that you screen Subject: headers sparingly, if at all.
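To see what a screening tool has to work with, the following added example (not code from the book) decodes an encoded-word Subject: back to what the end user sees, and reports the charsets named in the header alongside the text, so a rule can weigh the charset rather than the mere presence of base64. The header from this section is decoded as-is; the other samples, and the encode_subject helper used to build one of them, are constructed for the example.

```python
import base64
import quopri
import re

# RFC 2047 encoded-word syntax: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")

def decode_subject(header_line):
    """Return (text, charsets) for a raw Subject: line.

    text     -- the subject as the end user's mail client would display it
    charsets -- every charset named by an encoded-word, in order; a
                screening rule can weigh this alongside the readable text
    """
    value = re.sub(r"^subject:\s*", "", header_line, flags=re.IGNORECASE)
    # Whitespace between adjacent encoded-words is not displayed (RFC 2047 6.2)
    value = re.sub(r"(?<=\?=)\s+(?==\?)", "", value)
    charsets = []

    def expand(match):
        charset, encoding, payload = match.groups()
        charset = charset.split("*", 1)[0].lower()  # drop RFC 2231 language tag
        charsets.append(charset)
        if encoding.lower() == "b":
            data = base64.b64decode(payload)
        else:
            # Q encoding: quoted-printable with "_" standing for a space
            data = quopri.decodestring(payload.encode("ascii"), header=True)
        try:
            return data.decode(charset, errors="replace")
        except LookupError:
            # Charset unknown on this system: show the bytes as Latin-1 rather than drop them
            return data.decode("latin-1")

    return ENCODED_WORD.sub(expand, value), charsets

def encode_subject(text, charset="utf-8"):
    """Build one B-encoded encoded-word; used here only to construct samples."""
    payload = base64.b64encode(text.encode(charset)).decode("ascii")
    return "=?%s?B?%s?=" % (charset, payload)

# Constructed samples; the first is the header quoted in this section.
SAMPLES = {
    "from_page": "Subject: =?iso-8859-1?b?OTAgZGF5cyB0byB5b3V0aA==?=",
    "q_encoded": "Subject: =?ISO-8859-1?Q?Caf=E9_tonight=3F?=",
    "chinese": "Subject: " + encode_subject("你好", "gb2312"),
    "plain": "Subject: Spring Special",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        text, charsets = decode_subject(line)
        print("%-10s %-20r charsets=%s" % (name, text, charsets))
```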
