Spam Decoding

Spammers try to hide various aspects of how their operation is set up, using javascript, dns tricks, specially encoded characters and long streams of redirects - untangle their knots and deobfuscate their layers of misdirection with these tools and tips.

General Decoding
Listwashing Tokens
Untangling URLs
Sense of Scripting
MIME Encodings
Other Decoding Tools

General Decoding

“spamless@nil.nil” newsgroup posts - groups.google.com/group/news.admin.net-abuse.email/search?q=author%3Aspamless%40nil.nil

Spammer Techniques

Listwashing Tokens

Spammer sometimes encode the email addresses of recipients into part of their spam, so that complaints with the “to” addresses stripped out can still be matched up to a recipient.

Email Addresses Encoded into URLs - howardk.moonfall.com/encemail.html

Spambot Honeytokens

Untangling URLs

A URL is just so much gibberish?

URL Untangling Explained
URL Untangling Tools

URL Untangling Explained

How To Obscure Any URL - www.pc-help.org/obscure.htm
Link Based Tricks — URL obfuscation - www.contentverification.com/obfuscation-attacks/index.html

URL Untangling Tools

Feed scrambled URLs to one of these.

net.demon obfuscated URL Decoder - www.netdemon.net/decode.html
How To Obscure Any URL - www.pc-help.org/obscure.htm
Cloaked or spoofed HTML link checker - www.millersmiles.co.uk/Link-Checker.php
Deobfuscator for URL-Encoded Strings - spamwars.com/deobfuscator1.html

Sense of Scripting

If the source code of a webpage is hidden as chunks of unintelligible strings, try using one of these tools.

Decoding Scripting Explained
Browser Decoders
Online Script Decoder Pages

Decoding Scripting Explained

HTML/JS Obfuscation - www.websense.com/securitylabs/blog/blog.php?BlogID=86
HTML/JS Obfuscation Part II - www.websense.com/securitylabs/blog/blog.php?BlogID=98
Decoding Javascript - handlers.sans.org/dwesemann/decode/

Browser Decoders

View Rendered Source Firefox extension - jennifermadden.com/scripts/ViewRenderedSource.html

Drag either of these javascript links to your toolbar, or add them to your favourites. When you are viewing a page with source code that doesn't make sense, click on that link; the decoded source should appear in a new browser window, with luck.

view page code
view page code (2) - see: www.spamsites.org/decode.html

Online Script Decoder Pages

HayWyre Nullifyer - www.netdemon.net/haywyre/
Obfuscated-HTML De-obfuscation Tools - www.gooby.ca/decrypt/
spam-L toys - hesketh.com/schampeo/spam-l/
Windows Script Decoder - www.virtualconspiracy.com/?page=scrdec/intro
Online 'Windows Script Encoding' Decoder - www.greymagic.com/security/tools/decoder/

MIME Encodings

Get the plain text version of an email, undoing the MIME encoding the spammer used.

Downloadable MIME decoders
Web-based Base64 Decoders
Quoted Printable

Downloadable MIME decoders

Decode Shell Extension - www.funduc.com/otsoft.htm#decodeshellextension - Win
MPack - ftp://ftp.andrew.cmu.edu/pub/mpack/ - Unix
Decoder - etresoft.com/decoder.html - Win/Mac
UUDeview - www.fpx.de/fp/Software/UUDeview/ - Unix/Win
ungoopspam - www.unicom.com/sw/ungoopspam/ - Perl

Web-based Base64 Decoders

Base64 is an encoding defined in RFC 2045. You don't need to know that to decode it.

base64 decrypt - www.robietherobot.com/calc.htm
Base64 Encoder and Decoder - makcoder.sourceforge.net/demo/base64.php
Base64 and URL Encoding and Decoding - ostermiller.org/calc/encode.html
Decode BASE64 encoded text - www.toastedspam.com/decode64
Unpack base-64 - www.tipjar.com/nettoys/demimeulator.html
Base 64 Decoder - www.opinionatedgeek.com/dotnet/tools/Base64Decode/safedecode.aspx
Base64 Decoded - www.spywareinfo.com/tools/base64.php
base64 Decoder - spamwars.com/decoder.html
TRANSLATOR, BINARY - www.paulschou.com/tools/xlate/

Quoted Printable

Decode quoted-printable - www.toastedspam.com/decodeqp
Decode Quoted-Printable - www.fourmilab.ch/webtools/qprint/

Other Decoding Tools

UPX Decompression - upx.sourceforge.net/ - common executable file compression scheme
Unpackers - www.exetools.com/unpackers.htm - unpack file packers
DataCompression.info - datacompression.info/
ASCII, ROT13, %HEX, ... - nospam-pl.net/koduj.php - misc tools
Deobfuscator for "&#n;" Character References (Entities) - spamwars.com/deobfuscator2.html
swfdump - www.quiss.org/swftools/swfdump.html - Unix, decode Shockwave Flash
Flare - www.nowrap.de/flare.html - dump Shockwave Flash ActionScript
TRANSLATOR, BINARY - www.paulschou.com/tools/xlate/ - misc tools

everything you didn't want to have to know about spam

Hosted by spam.abuse.net, with help from Neil Schwartzman. Domain registration by Gregg DesElms. Logo by Art101.

This work is licensed under a Creative Commons License. SPAM is a trademark of Hormel Foods.

Page last updated: 10-Jul-2007