
Spam email containing only image (or hyperlink)

ALF28
Super solver

DATING EMAILS

I have had 4 of these, they are sent to a group of people usually up to 20 at a time.

They contain a link and an inline embedded image which shows as a block of text in a foreign language, as I do switch off images and html. They contain base 64 encoding.

The sender uses a host in the Netherlands.

As the emails are repeated many times over a number of days, the object may be to deliver malware using the embedded html content.

The embedded content/image would get through normal image blocking, but I read in text format with html unticked, it at least prevents any obscene images getting through.

see

Using Base64 for malware obfuscation - Infosec Resources (infosecinstitute.com)

The good news is that Virgin are detecting these emails as spam. Base 64 encoded content (Embedded content) is a common method of adding inline images which converts binary to html text and the email size can be very small or very large. I have had one that caused a buffer overflow with many images.

I am not sure why I am a target for dating emails as I am too old and have never used such sites, but do regularly get a spate of such emails which usually have images of people.

The alternative is to use attached images which need to be clicked on, but by embedding the image it enforces the reader to see the image as an inline image which is part of the email.

alf28

1 ACCEPTED SOLUTION


Travis_M
Forum Team (Retired)

Hi @ALF28

Thanks for posting on our community forum

Sorry to hear about this, everything we can offer around spam filtering and our email security can be found here - I understand you've found a few workarounds which is great and thank you for the insightful post also.

Regards

Travis_M
Forum Team


21 REPLIES

ALF28
Super solver

solution- I have myself attempted a solution as some in the past did get past spam filtering

I have filtered these out I hope using a header-

header -name- Content-Transfer-Encoding: 

-header -matches- base64

Past experience has shown header filters may not work so I will test it out.

As emails containing base64 encoding are very rare to my Virgin inbox, I may have to wait a while, have only had 10 in 4 years dating back to 2018, usually they are dating scam emails mainly or tv licence expired scams.

I have set up a filter folder purely for emails containing embedded images using base64 encoding, not many use this and it requires some knowledge by the scam email sender. It may be the same scammer using this method and dating back over 4 years, like a trademark and some are sent to me but others go to a group of people.

alf28

Auto Forwarding of emails-sometimes fails.

I have an auto forward email set up from my Virgin primary email address to my Virgin secondary email address, this acts as a backup of my emails.

Most emails forward no problem, but some emails which have embedded content (base64 encoded) will not forward for some reason, just the odd one gets through.

The spam tag does not usually affect forwarding, so may be the email for some other reason will not forward.

An example of this is 4 dating emails which started on 17/4/2020 all failed to forward.

It is particularly the base 64 content emails that can fail to forward, this means my backup emails are not complete but missing some emails.

One email did get through which was a money scam. (base64 email)

I am not sure if Virgin block some emails from forwarding or if the email is set up so it can not be forwarded- which is it?

I do not manually forward embedded base 64 emails as this overrides the text only version and switches on the embedded image/html content which will suddenly appear when you select forward.

I prefer to work all the time with text emails only as they are simpler and safer, however when needed to I do send images myself when needed, but only as attachment, (not embedded.)

alf28

correction wrong date

An example of this is 4 dating emails which started on 17/4/2022 all failed to forward.

-------------------------------------------

base64 encoded emails-

I looked at these emails and the sender domains are various such as my.com, attivamail.com, gmail.com, hotmail.com, tvlicence.co.uk, gmx.de, outlook.com & also some unknown domains consisting of numbers only.

There are probably a lot more I have not found yet. As some are not common domains they are easy to block with filtering.

The emails have little or no text, just a link or attachment, some are just empty emails.

The subjects vary, some are unclear.

2 were spoofed from past contacts I know (fake) with no message

1 was for a money scam Mozambique, elaborate money scam

6 were dating emails some with images embedded.

1 was a tvlicence scam

1 was miracle gummies

16 were blackmail emails

-------------------------------------------

The base 64 encoded emails seem to be the more dangerous type of scam email with hidden content and need careful handling or deletion.

I also had one from the same spoofed contact that showed up in antivirus scans later connected to a trojan.

They are often sent to a wide group of people including Virgin email addresses mixed in with others such as Vodafone, Yahoo, Sky etc.

alf28



spam filtering and our email security

Thanks for the link, I have read the advice.

I have these observations-

The spam sender changes the sender address each time so hard to block unless the domain is blocked in filters which I do.

The spammer sends a batch of emails over a period of a few days, they are wanting a response or to deliver malware- I just ignore them.

The IP address changes each time as they are using a hosted server with a range of IP addresses.

On checking the IP address reputations, the dating emails are sent from IP addresses which are used for hacking, port scanning and brute force attacks.

I will see if my header filter for base 64 encoding works and report back if it does work, previous attempts to filter using headers did not work when I tried to block an ip address.

I suspect that by using base 64 which is encoded, the spam content may then get past spam filters, some do and some do not, it is mixed.

Still unusual that this type of base64 encoded email will not auto forward.

By not ticking Allow HTML formatted email messages in settings, this prevents the html and therefore blocks any images from showing.

Each email provider, web mail or email client have their own rules regarding the display of attached images and inline images, and usually by adjusting settings some images can be blocked, but inline images can bypass image blocking, in the case of Virgin it does block all images if the html is not selected in settings. Images can be a security risk so I always switch them off email, unless I do want the images I then turn them on for a wanted email.

alf28

I've received a couple of these scams lately but they have been automatically directed to 'Junk' where I've erased them without opening. I would rather these e-mails were blocked at source but, to me, the system is working well enough. It's not the old issue where scams landed in my 'Inbox'.

Your method of ignoring the scam emails going to the spam folder and not opening these types of dangerous emails is wise.

In the spam folder the links are lined out offering some protection.

Recent spam detections are good, but the spam filter can still miss the odd one so it could end up in the inbox, I had a dating email on 29/4/2022 that was not detected as spam for some reason so the spam detection is not reliable all of the time.

I would estimate 40% accuracy in detecting spam looking at a batch (107) of base 64 encoded emails.

Normal emails do not contain base64 encoding, they are usually scam emails from hackers/phishing etc.

I experimented with filtering out base64 using headers, but this failed so there is no way to know if an email has base 64 encoding other than looking at the header in view source which will have the header. (so no way to detect/filter out base 64 encoded emails?)

Content-Transfer-Encoding:base64-

followed by pages of text which is the binary to html encoding.

The email size is normal but I have had some as large as 800kb.

Virgin does block autoforward of the "spam tagged" dating emails which is unusual, but the one that got through untagged was forwarded, so the spam tag may prevent some from auto forwarding to another email address.

Some of the dating emails have 3 lots of base64 in one email, so they may also contain hidden code for hacking purposes.

alf28
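Added example (not part of the original posts): in a multipart message the Content-Transfer-Encoding header is set on each MIME part rather than in the message's top-level headers, so a filter that checks only the top-level headers can miss it. The sketch below uses Python's standard email module to walk every part of a saved message and list the base64-encoded ones; the sample message, addresses and function names are constructed for illustration.

```python
import base64
import email
from email import policy

# Constructed sample (not a message from the thread): an HTML part and an
# inline image, both base64-encoded, inside one multipart/related message.
HTML = b'<p><img src="cid:img1"></p>'
IMG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # placeholder bytes, not a real image
SAMPLE = "\r\n".join([
    "From: sender@example.invalid",
    "MIME-Version: 1.0",
    'Content-Type: multipart/related; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/html; charset=utf-8",
    "Content-Transfer-Encoding: base64",
    "",
    base64.b64encode(HTML).decode(),
    "--b1",
    "Content-Type: image/png",
    "Content-Transfer-Encoding: base64",
    "Content-ID: <img1>",
    "Content-Disposition: inline",
    "",
    base64.b64encode(IMG).decode(),
    "--b1--",
]).encode()

def top_level_is_base64(raw: bytes) -> bool:
    """What a filter sees if it only checks the message's own headers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return str(msg.get("Content-Transfer-Encoding", "")).strip().lower() == "base64"

def base64_parts(raw: bytes) -> list:
    """Walk every MIME part and report the ones transferred as base64."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no body of their own
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        if cte == "base64":
            body = part.get_payload(decode=True) or b""
            inline = part.get_content_disposition() == "inline" or "Content-ID" in part
            found.append({"type": part.get_content_type(), "inline": inline, "size": len(body)})
    return found

if __name__ == "__main__":
    print(top_level_is_base64(SAMPLE), base64_parts(SAMPLE))
```

The per-part listing also shows how many base64 sections a message carries and whether each is an inline image, HTML or something else.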

 

 

EMAIL FILTERS IN SETTING

As the Virgin spam filters <spam> tagging is generally good lately, but not 100%, I have spam from an unknown domain in the Netherlands and most are tagged as spam, but the odd one from the same domain will not be picked up as spam.

One solution is to set up a filter for that domain and filter from contains @anamedwebsite.com, and action file to spam, or a folder or discard.

It will work until the spammer changes the domain in the address.

This ensures these particular emails from a particular email address "domain" are filtered out even if not tagged as spam.

alf28

spam emails

I noticed that my Virgin ntlworld.com email gets "signed up" by others for all sorts of spam emails selling products and they then keep repeating.

They usually have an unsubscribe link, but I do not click on any links intentionally as the web sites are usually unknown/foreign, although it is easy to click on a link accidentally and I have done that recently, but if you display the emails in the spam folder to check what they are, then the links are not active (lined out) offering some protection.

I get many scams including Virgin bill scams, car scams, tax scams, credit card/bank scams, dating scams, finance, insurance etc.

It is wise to run antivirus scans if you have clicked on scam emails and linked to anything, I am running scans myself.

I have stopped using the ntlworld.com email address now, as it gets too much spam.

alf28