[Spambayes] Have you ever....?

[T. Alexander Popiel]

In message:  <20020928104405.B5685@discworld.dyndns.org>
             Charles Cazabon <python-spambayes@discworld.dyndns.org> writes:
>> [T. Alexander Popiel]
>> > As far as I can tell, these are tags to indicate which email
>> > address is the hit when people respond to spam.  [...] so my
>> > best guess is that there are a handful of spam-blast software
>> > packages that compute these codes reproducably based on the
>> > email address.

>[...] you give spammers too much credit.  The strings at the end of
>the message [...] are only there to foil the DCC [...]

>Some spammers do include tags in the message to identify the recipient of the
>message, but they're much easier to pick out, and are normally either the
>email address of the recipient, or a single decimal integer.  I've been
>waiting for the spammers to get smarter about hiding these, but the best
>effort I've seen yet is putting them inside an HTML comment.

I'm obviously getting spam from different sources from you; one I just
received last night contained the line:

cbcvry^fahtuneobe(pbz

... which has appeared in 111 (of 2523) spam messages with radically
different text ranging from credit card offers to home based employment
to bestiality videos.

After looking at it a little more, I see that it's a simple cipher on
my email address:

  abcdefghijklmnopqrstuvwxyz @.
  nop r t v  yzabc ef h      ^(

A bit of interpolation shows that they're using an augmented rot13.
This is confirmed by doing a search on a slightly different form of
the address "cbcvry^jbysfxrrc(pbz" and getting another 12 hits in my
spam corpus.  (Those reading closely will discover that I've got
two domain names.)

Apparently the spammers are getting marginally better about hiding
the tracking info... at least they're enciphering it, now. ;-)

Uh, oh... I just cracked an encryption scheme used to protect
tracking data.  I better worry about the spammers suing me for
DMCA violations.

- Alex