In several of the earlier chapters, I stressed the importance of unique text strings that can serve as signatures, or fingerprints, for a particular operation, whether it is a spam campaign, a phishing attempt, or some other scam. Finding the same signatures in other email messages or web sites may allow you to link two or more examples together and perhaps derive more information than each instance could provide by itself.
This chapter shows you some ways to discover good signatures, to search for them, and to use them to track patterns of activity.
A signature can be any unique feature that characterizes an email message, a web page, or a larger entity such as an entire web site. In almost all cases, signatures take the form of unique strings, such as a specific name or URL, but they can also be the organization of files in a directory or the structure of a URL. Strings are much easier to search for than these broader patterns, but both play a role in finding linked documents and sites.
Here are some examples of good signatures that illustrate their diversity:
An unusual name of a person or location, or a word from a language other than that used in a document. For example, the username “kentas” in the URL http://216.67.237.xxx/~kentas/aw-cgi/eBayISAPIdll/SignIn.php
Addresses are inherently specific, but they tend to be changed frequently in spam messages.
Although entire URLs may vary, the path to a document or the directory name may be conserved. For example, these two URLs use different hostnames but identical paths:
In spam messages, headers are often varied in order to defeat filters, but similarities in their structure may define a unique signature. In this example, the hash marks indicate conserved characters in a set of Message-ID headers:
Message-ID: <011001c51913$abcb792a$ba934b39@mandate.nl>
Message-ID: <100101c51916$a7250710$b47397ef@st.vtu.lt>
Message-ID: <111001c51916$4eee0050$c74db867@antill.net>
Message-ID: <010101c5193f$bdf33582$fd56dd00@cactusbuilders.com>
                  ###### #        #        #
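The column-by-column comparison behind that hash-mark row can be automated. The following Python is an added example, not code from the book: it takes the four Message-ID values quoted above (embedded here as sample input), computes the conserved-character mask, and turns it into a regular expression that can be run over other messages' headers. It assumes that the variable characters are hexadecimal digits, which holds for these samples.

```python
import re

# Sample input: the four Message-ID values quoted in the text above.
MESSAGE_IDS = [
    "<011001c51913$abcb792a$ba934b39@mandate.nl>",
    "<100101c51916$a7250710$b47397ef@st.vtu.lt>",
    "<111001c51916$4eee0050$c74db867@antill.net>",
    "<010101c5193f$bdf33582$fd56dd00@cactusbuilders.com>",
]


def conserved_mask(ids):
    """Return a string with '#' in every column where all IDs agree and a
    space elsewhere, compared over the length of the shortest ID. This is
    the hash-mark row from the text, computed rather than drawn by hand."""
    width = min(len(s) for s in ids)
    return "".join(
        "#" if len({s[i] for s in ids}) == 1 else " " for i in range(width)
    )


def structural_signature(ids):
    """Build a compiled regex from the conserved columns of the local part
    (everything before '@'). Conserved characters are kept literally; each
    run of variable columns becomes a hex class of the same length (an
    assumption that fits these samples); the domain is allowed to vary."""
    mask = conserved_mask(ids)
    local = ids[0].split("@", 1)[0]
    pattern, run = "", 0
    for i, ch in enumerate(local):
        if mask[i] == "#":
            if run:
                pattern += "[0-9a-f]{%d}" % run
                run = 0
            pattern += re.escape(ch)
        else:
            run += 1
    if run:
        pattern += "[0-9a-f]{%d}" % run
    return re.compile("^" + pattern + "@[^>]+>$")


def matches(signature, message_id):
    """True if a Message-ID value fits the structural signature."""
    return signature.match(message_id) is not None


SIGNATURE = structural_signature(MESSAGE_IDS)

if __name__ == "__main__":
    for mid in MESSAGE_IDS:
        print(mid)
    print("            " + conserved_mask(MESSAGE_IDS))
    print(SIGNATURE.pattern)
```

The resulting pattern keeps the fixed "01c519" fragment and the two "$" separators in their original positions, so it links messages that share this header structure even when the sending domains differ.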
Any part of a block of encoded data can serve as a unique signature for that block. For example, this first line of an encoded GIF image from a mail message:
R0lGODlh4wBRAJEAAMwAAAAAzAAAAP///yH5BAAAAAAALAAAAADjAFEAAAL/1D6
The names and sizes of files within a specific directory can serve as a unique signature.
An unusual or incorrect phrase within a block of text can stand out as a signature for that document. For example:
We receive many complaints concerning unsunctioned [sic] taking the money off the balance of our users recently.