
Physical Address Strangeness in Spam

Ten years ago, Congress passed the "CAN-SPAM Act" (also known as the You-CAN-SPAM Act, since it defined legal spam and supersedes any stricter state antispam laws). One of the provisions of the act is that there must be a legitimate physical address in the email. Spammers have long tried different tactics to get around this. In a recent court decision, the District Court in Utah determined, as one part of their opinion, that an email marketer that used remotely-hosted images to show their physical address did not meet this requirement.

As the court noted:

In a commercial communication through an electronic medium "clear and conspicuous" is defined as follows: the "disclosure must be unavoidable . . . [and] [a]ny visual message shall be of a size and shade, with a degree of contrast to the background against which it appears, and shall appear on the screen for a duration and in a location sufficiently noticeable for an ordinary consumer to read and comprehend it."


The question presented to the Court in this case is whether Required Content provided in the emails through a remotely hosted image is clearly and conspicuously displayed. This Court determines that it is not.

So, if remote images are illegal, then spammers ought to put real text addresses in their emails (though the court said nothing about inline images). This is a good thing, as we can use those addresses to filter spam out of our inboxes. Many spammers actually do include a street address already in order to appear to be CAN-SPAM compliant (note that being CAN-SPAM compliant does not preclude a message from still being spam; it only determines whether it's legal or illegal). While legitimate online companies and brick-and-mortar stores will include addresses in a form that's recognizable as an approved Post Office style, many spammers will use a less-recognizable form. Worried about content filters, they try to obfuscate the address in various ways. This obfuscation can be useful in determining the relative spamminess of a message. This post will look at various examples of this.

Some spammers will add their address without obfuscation, and to those, I say thank you, as the person adding to the content filters. Others opt for only slight obfuscation. One example is to replace whitespace with punctuation, like this address:


It's still legible to the human eye, which is what a lot of obfuscation counts on. For a machine though, the possibility of punctuation must be taken into account. Note that there is still a space in this example, so we must also take into account the possibility of spaces in some places and punctuation in others. Besides periods, underscores and dashes are also popular space replacements, as in these examples:

6538 Collins_Avenue #95 _Miami Beach, Florida 33141_-
3000F Danville Blvd. #_151

Note in the last example that there is one space before "Danville", but two spaces before "Blvd.". Extra whitespace is another trick often used. Here's a more extreme example of that:

P O B o x 29 5 02#6 1 1 4 5 | Las Vegas, nv

The human brain can easily remove the extraneous whitespace, compressing the letters into a legitimate address, but a computer doesn't know how to do that as well. Note the box number, "29502", has spaces between some numbers, but not between others. The example also uses a vertical bar symbol instead of a comma before the city, a common, though not Post Office-approved, use of punctuation.

The state in this example illustrates another obfuscation tactic, the gratuitous use of lowercase letters. Two-letter state abbreviations should always be uppercase. As another example of gratuitous lowercasing, there is this:

5482 WiIshireBoulevard #239 la, ca 9OO36

Here, "Los Angeles, California" has been shortened to "la, ca". Looking closely at this example, we see another spammer tactic in use, letter substitution. While many people have heard of "Wilshire Boulevard" in Los Angeles, "Wilshire" is not normally spelled with a capital 'I' in place of the lowercase 'l'. Lowercase 'l' is also often replaced with a '1' (one) or '|' (vertical bar). While the following are technically all different, the brain still reads "Wilshire" for all of them in the context of an address.


The same spammer has also used the following obfuscations for the same address:

5482 WilshireBI\Ivd. #239 LA, CA 90O36
5482 Wilshire.Blvd #239 la,ca-9OO36

Note both the substitutions in Blvd and the gratuitous backslash in the first example. The second also has a period after "Wilshire", but not after the abbreviation "Blvd".

Other substitutions are also common. A favorite is to replace a capital 'O' with a zero ('0'), since they are so close in appearance in most fonts, but are totally different when a computer reads them. This is especially popular in "P0ST 0FFICE" in all caps, when listing a PO box number. Sometimes it's a little more obvious, as in the following example:

P0st 0ffice. B0x803338 #85663
Chicago, IL 6O680

Sometimes, if spammers think their emails aren't going through, they'll further obfuscate the address to ridiculous extremes, even to the point of illegibility, as in the following examples:

427 N. Tatnall
Street Suite4-8?5/.4.8
Wilmington, DE1-9?8/0.1

427 N. Tatnall/StSuite 4-8?5/.4.8
Wilmington, DE1-9?8/0.1

PO Box 2:9.5/0'2#.4_8-5)4>8
Las Vegas, NV8:9-1\2/6

28720RoadsideDr.#198Agoura HIllsCA91301

Note the misspelled state names in the following two examples:

2885 Sanford AveS0uth-West ,
Unit #-25434
Mlchlgan 4 9 4 18


Another favorite trick is spelling out the street number in any combination of upper or lower case:

Thirteen hundredS. Neil St.--Champaign, IL

It seems that observing increasing levels of obfuscation in addresses can be a fairly reliable indicator in determining the level of spamminess of an email. In an effort to get around being blocked, spammers can give away their desperation. These spammers will resort to a combination of tactics, including both extra whitespace and punctuation, and letter substitution, as in these examples:

2 8 8 5 S a n f or d - A v e
S . W e s t ,# - 2 5 4 3 4
G r a n d v l I Ie,

2 8 8 5 S a n f o r d A v e n u e
S o u t h - We s t -
# - 25 4 3 4
G r a n d v i l le , M I 4 9 4 1 8

2 8 8 5 S A N F 0 R D A v e n u e ( S W ) . # 24 5 3 4

4 5 3 1 0 a k C r e e k C t N 0 r t h E a s t
C e d a r R a p l d s , I 0 w a 5 2 4 1 1

I often see these increasing levels of obfuscation in many spammer addresses, while Amazon and other legitimate businesses don't need to resort to such tactics.
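The tactics catalogued above can be turned into a per-address obfuscation count for a content filter. The following is an added example, not code from the original post or from any SpiderLabs product; the tactic names, the regular expressions and the score-by-count approach are assumptions made for illustration.

```python
import re

# One pattern per tactic described in the post. The patterns, the names and
# the idea of counting distinct tactics as a score are assumptions made here.
TACTICS = {
    # "P O B o x", "4 9 4 1 8": four or more single characters split by spaces
    "letter_spacing": re.compile(r"(?:(?<!\S)\S\s+){3,}\S(?!\S)"),
    # "P0st", "0ffice", "S0uth": zero sitting where a letter O belongs
    "zero_for_o": re.compile(r"[A-Za-z]0[A-Za-z]|\b0[A-Za-z]{2}"),
    # "9OO36", "6O680": letter O inside a run of digits
    "o_for_zero": re.compile(r"\d[Oo]+\d"),
    # "WiIshire", "HIlls": capital I used as l; also 1 or | used as l
    "i_l_swap": re.compile(
        r"(?<=[a-z])I(?=[a-z])|(?<=[A-Z])I(?=l)|[A-Za-z][1|][a-z]"),
    # "Collins_Avenue", "Wilshire.Blvd", "BI\Ivd": punctuation replacing a space
    "punct_for_space": re.compile(r"_|[A-Za-z]{2}[.\\/][A-Za-z]{2}"),
    # "4-8?5/.4.8", "2:9.5": stray punctuation between digits
    "punct_in_digits": re.compile(r"\d[?:'>)\\]\d"),
    # ", ca 9OO36", ", nv": lowercase two-letter state before a ZIP or line end
    "lowercase_state": re.compile(r",\s*[a-z]{2}\b(?=\s*-?\s*[\dOo]{5}|\s*$)"),
}
SUBSTITUTIONS = ("zero_for_o", "o_for_zero", "i_l_swap")

def tactics_found(address: str) -> list[str]:
    """Return the names of the obfuscation tactics present in one address."""
    found = [name for name, rx in TACTICS.items() if rx.search(address)]
    if "letter_spacing" in found:
        # Spacing hides substitutions, so re-check them with whitespace removed.
        squeezed = re.sub(r"\s+", "", address)
        found += [n for n in SUBSTITUTIONS
                  if n not in found and TACTICS[n].search(squeezed)]
    return found

def obfuscation_score(address: str) -> int:
    """Number of distinct tactics found; higher means more obfuscated."""
    return len(tactics_found(address))

# Addresses quoted in the post (multi-line ones joined onto one line), plus
# one constructed clean address for contrast.
SAMPLES = [
    "1600 Example Avenue, Springfield, IL 62701",  # constructed, not from the post
    "6538 Collins_Avenue #95 _Miami Beach, Florida 33141_-",
    "5482 WiIshireBoulevard #239 la, ca 9OO36",
    "P0st 0ffice. B0x803338 #85663 Chicago, IL 6O680",
    "P O B o x 29 5 02#6 1 1 4 5 | Las Vegas, nv",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(obfuscation_score(line), tactics_found(line), line)
```

These patterns are heuristics tuned to the examples in this post; legitimate names such as "McIntosh" would trip the `i_l_swap` pattern, so the count is better used as one weighted signal than as a verdict.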

A totally different trick is to present a physical address that isn't really an address. Welcome to the world of virtual offices. There are companies that will provide you with not only a physical address you can use as your own, but even telephone answering and snail-mail forwarding services. All without you ever having to be anywhere near that address! While I suppose there may be legitimate business needs for such a thing (for example, someone who runs a business out of their home), it's definitely something spammers like to abuse. The Sanford Avenue addresses in Grandville, MI above are examples of this. I've recorded ten current or former spammers at this address, ranging from injury lawsuit spammers, coupon spammers, and penny stock spammers, to spammers who spam multiple products and are extremely prolific volume-wise. These virtual office spam addresses are another useful gauge of spamminess. If you're too cheap to pay for the whole virtual office setup, you can also just rent a mailbox at a UPS store or Mailboxes, Etc. type place. Change the box number to "Suite" and it looks like you have an office (unless you Google it. Google Maps, especially Street View, can be invaluable for checking what an address really is). If you spam from your apartment, changing the apartment number to a "Suite" also looks classier than it is.

So, to sum up, physical addresses are required by CAN-SPAM. If you want to at least appear to be legitimate, you have to include one. Including one, whether it really is yours or not, is another piece that can be used in anti-spam content filters. This is one place CAN-SPAM can actually be useful. Knowing the tricks spammers use to make them hard to parse by machines, yet still (somewhat) legible to the human eye, you can stay one step ahead in the spam arms race.
