A blog reader has told me about strange email messages he receives occasionally. Does a reader know what they mean?

Source: Pixabay

The crypto mysteries I introduce on this blog are usually a few decades, if not centuries old. The one I am going to cover today is an exception. It represents an on-going phenomenon and I’m not sure whether it has to do with cryptography at all.

 

Strange emails

A few weeks ago, I received an email from blog reader Stefan Fendt. He wrote:

From time to time (the last interval was one year) I receive emails, such as the one attached. These mails contain groups of five, six, seven, eight (?) or nine letters. Sometimes, these letter groups show up in the email header, too.

These mails are short (usually 40-150 characters), text-only, and apparently sent to multiple recipients. In the mail attached, my address stood in the BCC field.

I can only speculate about the purpose of these mails. Here are two explanations I find unlikely:

  • Spam “ping” [i.e., the purpose of the mail is to test whether a recipient address exists]: This is unlikely because it requires too much effort. To check whether an email address exists, one can send the spam message itself instead of a test message. Apart from this, I have never received any spam after a mail of this kind arrived.
  • Botnet: A botnet is unlikely, as these mails are far too rare. Apart from this, it would be quite ineffective for botnets to communicate this way.

My speculative guess: These emails are used to hide some kind of internet communication. Most of the mails of this kind are meaningless, while there are some that contain a real message. The meaningless mails are the noise, in which the meaningful ones are hidden.

 

An example

Here’s one of the mails Stefan received (I have anonymized parts of it):

Return-path: <XXXXXXX@XXXXXXXX.art>
Envelope-to: stefan@localhost
Delivery-date: Thu, 28 Feb 2019 23:45:49 +0100
Received: from [::1] (helo=luna)
by luna with esmtp (Exim 4.86_2)
(envelope-from <XXXXXXX@XXXXXXXX.art>)
id 1gzUR3-0002Jc-PE
for stefan@localhost; Thu, 28 Feb 2019 23:45:49 +0100
X-Envelope-From: <XXXXXXX@XXXXXXXX.art>
X-Envelope-To: <stefan@XXXX.de>
X-Delivery-Time: 1551393211
X-UID: 42158
Authentication-Results: strato.com; dmarc=none header.from=XXXXXX.art
Authentication-Results: strato.com; arc=none
Authentication-Results: strato.com; dkim=none
Authentication-Results: strato.com; dkim-adsp=none header.from="XXXXXXX@XXXXXXX.art"
Authentication-Results: strato.com; spf=pass smtp.mailfrom="XXXXXXX@XXXXXXX.art"
X-RZG-Expurgate: clean/normal
X-RZG-Expurgate-ID: 149500::1551393211-00000737-90BDE70D/0/0
X-Strato-MessageType: email
X-RZG-CLASS-ID: mi00
Received-SPF: pass
(strato.com: domain XXXXXXX.art designates 88.99.174.226 as permitted sender)
mechanism=a;
client-ip=88.99.174.226;
helo="mail.XXXXXXX.art";
envelope-from="XXXXXXX@XXXXXXX.art";
receiver=XXXXXX.XXXXXX.de;
identity=mailfrom;
Received: from pop3.strato.de [81.169.145.131]
by luna with POP3 (fetchmail-6.3.26)
for <stefan@localhost> (single-drop); Thu, 28 Feb 2019 23:45:49 +0100 (CET)
Received: from mail.XXXXXXX.art ([XX.XX.XXX.XXX])
by XXXXX.XXXXX.de (RZmta 44.13 OK)
with ESMTP id e0b216v1SMXVP6n
for <stefan@XXXXXX.de>;
Thu, 28 Feb 2019 23:33:31 +0100 (CET)
Received: from XXXXXXX.art (unknown [XX.XXX.XXX.YY])
by mail.XXXXXXX.art (Postfix) with ESMTPA id EB8A02031CB;
Fri,  1 Mar 2019 00:03:56 +0200 (EET)
Message-ID: <d7ce01d4cfca$aaba5a70$bc4772f9@escujyv>
From: "azxowjd" <XXXXXXX@XXXXXX.art>
To: <mathias.XXXXX@XXXXXXXXXX.de>
Subject: ulqoqss
Date: Fri, 01 Mar 2019 01:04:05 +0300
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 14.0.8117.416
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8117.416
escetlz edleqdx

 

Can a reader help?

This email mystery reminds me of the meanwhile famous Webdriver Torso channel on Youtube. I introduced this story on this blog (in German) four years ago.


Source: Schmeh

The Webdriver Torso channel showcases hundreds of thousands of videos that all look very similar. They show red and blue rectangles in different sizes, accompanied by pure tones. There used to be a lot of speculation about the purpose of this channel. Some thought that these videos contained hidden messages for spies (which would mean that the Webdriver Torso channel is something like a modern numbers station), while others believed that extraterrestrials were behind these clips.

As it turned out, the truth was less spectacular: the Webdriver Torso channel is operated by Youtube itself, and the videos are used for quality testing. The uploaded videos are compared to the videos before they were uploaded, to see how much quality was lost.

I don’t think that the emails Stefan Fendt receives are used for quality testing, too, but who knows? Perhaps Stefan’s guess that their purpose is to create noise, in which meaningful information is hidden, is correct.

Does a reader have another idea, what these messages might mean?


Further reading: “Famous uncracked codes” video on YouTube receives over a million hits

Linkedin: https://www.linkedin.com/groups/13501820
Facebook: https://www.facebook.com/groups/763282653806483/

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Kommentare (3)

  1. #1 Magnus Ekhall
    Borensberg
    30. März 2019

    I agree: this looks like a case of some spammer trying to verify if the e-mail address is valid or not.

    There is a discussion on the same thing here:
    http://www.antispam-ev.de/forum/showthread.php?40473-Merkw%FCrdige-Spam-Mail

  2. #2 Tony
    30. März 2019

    Considering that spam emails must get through content-based filters, for example SpamAssassin https://en.wikipedia.org/wiki/Apache_SpamAssassin
    it would seem that a spammer might well want to test using random numeric content of random length, given that most content filters are based on offensive text.

  3. #3 Gert Brantner
    Berlin - Neukölln
    30. März 2019

    just sending an email successfully does not verify if an email address exists. there are a few other methods to verify an email-address without even sending an actual email – and countermeasures – all depending on the mail server software and configuration a provider uses. one possibility I can think of (boring, sorry): since “X-Mailer: Microsoft Windows Live Mail” is listed as the email client it could be something like this: “https://www.stephanpringle.com/microsoft-outlook-test-message/” – a cheap method to verify that the settings in _your email client are working. The outlook & live mail clients are same similar, and I heard they tend to be buggy.. anyways, interesting topic, thanks!