Your Next Purchase at McDonald's is FREE!

This is a great example of all the latest techniques used by spammers to get their unsolicited junk past your spam filter.

The first thing you'll notice is the strange subject line. Spammers love to encode their subject lines into a Base64 string, rather than displaying them in raw text. This is not necessarily very difficult to decode, but all it does is make your spam filter work harder to analyse the e-mail. If you decode the subject line, it reads: "Your Next Purchase at McDonald's is FREE!" The word "FREE" will increase the spam score of the e-mail and encoding the subject line increases its chances of getting past your spam filter.

The second thing you'll notice is the strange From address. Yes, spammers even encode the From address and the spamvertised link. This form of encoding is not that advanced either, but attempts to prevent the spam filter from detecting blacklisted domains and IP addresses. The spammer does not use a domain name, but rather an IP address. The IP address however, is not displayed in its more common, dotted-decimal format, but certain parts of the address are converted to hexadecimal and octal values. In the example above, the IP address 216.0xa.00000106.0126 translates to 216.10.70.86. 216 is already in decimal format, 0xa is hexadecimal for 10, 00000106 is octal for 70, and 0126 is octal for 86.

The spamvertised link in this example contained the IP address 216.0xa.00000106.0132, which translates to 216.10.70.90. The complete link basically points to a redirection script, combined with the e-mail address of the spam victim, in order to see who clicked the link. This enables the spammer to determine who responded to the spam and which e-mail addresses are active. So if you click on the link in the original e-mail, you basically subscribe to more spam.

The body of the original e-mail also contained a huge number of random words, cleverly hidden in an HTML <style> element. This is not visible to the spam victim, but is used to modify the hash sum of the spam e-mail (also called hash busting). At the bottom of the example you will see a so-called unsubscribe link. The text is hidden in an image, once again to prevent it from triggering a spam filter. Clicking the link takes you a confirmation page that actually tells you that you have successfully unsubscribed, but remember this is an "unsubscribe link" from a spammer and serves only one purpose, to confirm that your e-mail account is active and that you click on links in spam e-mails, which you must NEVER do. To make matters even worse, the images in the e-mail is not embedded into the e-mail itself, but they are remotely served via some ASP script. So, unless your e-mail client blocks remote images by default, you will signal the spammer that you have read the spam e-mail, just by opening it.

Oh, and what about the physical address in the image? Do you really think a spammer will leave you his/her address? No.6 Pioneer Walk, #04-00 Golden Logistics Hub, Singapore 627751, is most likely a fake address or the address of a poor victim who has nothing to do with the spam. This address is used in a LOT of spam e-mails, so this poor guy or organisation probably receives a lot of hate mail.

The spamvertised link redirects to the following sites, in the following order:
x3track.com
gtsmobi.com
engine.gtsmobidistributed.com
delivery.broker.to
traffic.broker.to
hit.trafficholder.com

Finally it redirects to a random porn site.

gtsmobi.com, gtsmobidistributed.com, and broker.to are all distributors of adult related content, specifically for mobile devices, so it has NOTHING to do with McDonalds and this is the last thing to take note of, the content of the e-mail. This is nothing new, most spammers prefer to use some enticing subject to lure their victims to the actual product, which is often not related to the content of the e-mail. In this example you think you are getting a free lunch, but you are bombarded with porn instead.

There ain't no thing as a free lunch my friend!