A blog reader has told me about strange email messages he receives occasionally. Does a reader know what they mean?

Source: Pixabay

The crypto mysteries I introduce on this blog are usually a few decades, if not centuries, old. The one I am going to cover today is an exception: it is an ongoing phenomenon, and I'm not sure whether it has anything to do with cryptography at all.


Strange emails

A few weeks ago, I received an email from blog reader Stefan Fendt. He wrote:

From time to time (the last interval was one year) I receive emails, such as the one attached. These mails contain groups of five, six, seven, eight (?) or nine letters. Sometimes, these letter groups show up in the email header, too.

These mails are short (usually 40-150 characters), text-only, and apparently sent to multiple recipients. In the mail attached, my address stood in the BCC field.

I can only speculate about the purpose of these mails. Here are two explanations I find unlikely:

  • Spam “ping” [i.e., the purpose of the mail is to test whether a recipient address exists]: This is unlikely because it requires too much effort. To check whether an email address exists, one can send the spam message itself instead of a test message. Apart from this, I have never received any spam after a mail of this kind arrived.
  • Botnet: A botnet is unlikely, as these mails are far too rare. Apart from this, it would be quite ineffective for botnets to communicate this way.

My speculative guess: These emails are used to hide some kind of internet communication. Most of the mails of this kind are meaningless, while there are some that contain a real message. The meaningless mails are the noise, in which the meaningful ones are hidden.


An example

Here’s one of the mails Stefan received (I have anonymized parts of it):

Return-path: <XXXXXXX@XXXXXXXX.art>
Envelope-to: stefan@localhost
Delivery-date: Thu, 28 Feb 2019 23:45:49 +0100
Received: from [::1] (helo=luna)
    by luna with esmtp (Exim 4.86_2)
    (envelope-from <XXXXXXX@XXXXXXXX.art>)
    id 1gzUR3-0002Jc-PE
    for stefan@localhost; Thu, 28 Feb 2019 23:45:49 +0100
X-Envelope-From: <XXXXXXX@XXXXXXXX.art>
X-Envelope-To: <stefan@XXXX.de>
X-Delivery-Time: 1551393211
X-UID: 42158
Authentication-Results: strato.com; dmarc=none header.from=XXXXXX.art
Authentication-Results: strato.com; arc=none
Authentication-Results: strato.com; dkim=none
Authentication-Results: strato.com; dkim-adsp=none header.from="XXXXXXX@XXXXXXX.art"
Authentication-Results: strato.com; spf=pass smtp.mailfrom="XXXXXXX@XXXXXXX.art"
X-RZG-Expurgate: clean/normal
X-RZG-Expurgate-ID: 149500::1551393211-00000737-90BDE70D/0/0
X-Strato-MessageType: email
X-RZG-CLASS-ID: mi00
Received-SPF: pass
    (strato.com: domain XXXXXXX.art designates 88.99.174.226 as permitted sender)
    mechanism=a;
    client-ip=88.99.174.226;
    helo="mail.XXXXXXX.art";
    envelope-from="XXXXXXX@XXXXXXX.art";
    receiver=XXXXXX.XXXXXX.de;
    identity=mailfrom;
Received: from pop3.strato.de [81.169.145.131]
    by luna with POP3 (fetchmail-6.3.26)
    for <stefan@localhost> (single-drop); Thu, 28 Feb 2019 23:45:49 +0100 (CET)
Received: from mail.XXXXXXX.art ([XX.XX.XXX.XXX])
    by XXXXX.XXXXX.de (RZmta 44.13 OK)
    with ESMTP id e0b216v1SMXVP6n
    for <stefan@XXXXXX.de>;
    Thu, 28 Feb 2019 23:33:31 +0100 (CET)
Received: from XXXXXXX.art (unknown [XX.XXX.XXX.YY])
    by mail.XXXXXXX.art (Postfix) with ESMTPA id EB8A02031CB;
    Fri,  1 Mar 2019 00:03:56 +0200 (EET)
Message-ID: <d7ce01d4cfca$aaba5a70$bc4772f9@escujyv>
From: "azxowjd" <XXXXXXX@XXXXXX.art>
To: <mathias.XXXXX@XXXXXXXXXX.de>
Subject: ulqoqss
Date: Fri, 01 Mar 2019 01:04:05 +0300
MIME-Version: 1.0
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 14.0.8117.416
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8117.416

escetlz edleqdx
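The first thing a mail admin would do with such a message is read the Received chain backwards and compare it with the authentication results. The following Python script is an added example, not part of the original post: it walks the relays oldest-first, computes the delay at each hop, and collapses the Authentication-Results lines. The RAW string is a constructed subset of the header quoted above, keeping the author's XXXX redactions as placeholders.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed subset of the anonymized header quoted above; the "XXXX"
# placeholders are the post's own redactions, not real hosts.
RAW = """Received: from pop3.strato.de [81.169.145.131]
\tby luna with POP3 (fetchmail-6.3.26)
\tfor <stefan@localhost> (single-drop); Thu, 28 Feb 2019 23:45:49 +0100 (CET)
Authentication-Results: strato.com; dmarc=none header.from=XXXXXX.art
Authentication-Results: strato.com; dkim=none
Authentication-Results: strato.com; spf=pass smtp.mailfrom="XXXXXXX@XXXXXXX.art"
Received: from mail.XXXXXXX.art ([XX.XX.XXX.XXX])
\tby XXXXX.XXXXX.de (RZmta 44.13 OK) with ESMTP id e0b216v1SMXVP6n
\tfor <stefan@XXXXXX.de>; Thu, 28 Feb 2019 23:33:31 +0100 (CET)
Received: from XXXXXXX.art (unknown [XX.XXX.XXX.YY])
\tby mail.XXXXXXX.art (Postfix) with ESMTPA id EB8A02031CB;
\tFri,  1 Mar 2019 00:03:56 +0200 (EET)
"""

def hops(raw):
    """(from_host, by_host, timestamp) per relay, oldest first. Each relay
    prepends its Received line, so the header order must be reversed."""
    msg = message_from_string(raw)
    out = []
    for h in reversed(msg.get_all("Received", [])):
        h = " ".join(h.split())                      # unfold the header
        frm = re.match(r"from\s+(\S+)", h).group(1)
        by = re.search(r"\bby\s+(\S+)", h).group(1)
        ts = parsedate_to_datetime(h.rsplit(";", 1)[1].strip())
        out.append((frm, by, ts))
    return out

def hop_delays(raw):
    """Seconds between consecutive hops; negative means clock skew or a forged line."""
    ts = [t for _, _, t in hops(raw)]
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]

def auth_summary(raw):
    """Collapse Authentication-Results into {method: result}."""
    msg = message_from_string(raw)
    res = {}
    for line in msg.get_all("Authentication-Results", []):
        for clause in line.split(";")[1:]:            # skip the authserv-id
            method, _, result = clause.split()[0].partition("=")
            res[method] = result
    return res
```

For this header the summary is spf=pass with dkim=none and dmarc=none, so only the envelope sender domain was verified; nothing vouches for the visible From line.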


Can a reader help?

This email mystery reminds me of the now famous Webdriver Torso channel on YouTube. I introduced this story on this blog (in German) four years ago.


Source: Schmeh

The Webdriver Torso channel showcases hundreds of thousands of videos that all look very similar. They show red and blue rectangles in different sizes, accompanied by pure tones. There used to be a lot of speculation about the purpose of this channel. Some thought that these videos contained hidden messages for spies (which would mean that the Webdriver Torso channel is something like a modern numbers station), while others believed that extraterrestrials were behind these clips.

As it turned out, the truth was less spectacular: the Webdriver Torso channel is operated by YouTube itself, and the videos are used for quality testing. Each uploaded video is compared with the original file to see how much quality was lost in the upload.

I don't think that the emails Stefan Fendt receives are used for quality testing as well, but who knows? Perhaps Stefan's guess that their purpose is to create noise in which meaningful information is hidden is correct.

Does a reader have another idea of what these messages might mean?


Further reading: “Famous uncracked codes” video on YouTube receives over a million hits


Comments (3)

  1. #1 Magnus Ekhall
    Borensberg
    30 March 2019

    I agree: this looks like a case of some spammer trying to verify if the e-mail address is valid or not.

    There is a discussion on the same thing here:
    https://www.antispam-ev.de/forum/showthread.php?40473-Merkw%FCrdige-Spam-Mail

  2. #2 Tony
    30 March 2019

    Considering that spam emails must get through content-based filters, for example SpamAssassin https://en.wikipedia.org/wiki/Apache_SpamAssassin, it would seem that a spammer might well want to test using random numeric content of random length, given that most content filters are based on offensive text.

  3. #3 Gert Brantner
    Berlin - Neukölln
    30 March 2019

    Just sending an email successfully does not verify if an email address exists. There are a few other methods to verify an email address without even sending an actual email – and countermeasures – all depending on the mail server software and configuration a provider uses. One possibility I can think of (boring, sorry): since “X-Mailer: Microsoft Windows Live Mail” is listed as the email client, it could be something like this: “https://www.stephanpringle.com/microsoft-outlook-test-message/” – a cheap method to verify that the settings in your email client are working. The Outlook & Live Mail clients are the same or similar, and I heard they tend to be buggy... Anyways, interesting topic, thanks!