A database, a spammer and a botnet all walked into a bar…

We all love those funny stories about the incompetence of spammers, and if I were given a dollar every time I saw one of their broken campaigns, I probably wouldn’t be writing this now. Fortunately, for you, I am writing this and I can regale you with yet another tale of a spammer getting it wrong.

We’ve known for some time that the majority of spammers utilize botnets to distribute their spam. For spamming to be effective, spammers must have a way of reacting quickly to anti-spam techniques. Often the relevant information such as URLs and “hash buster” paragraphs are randomly taken from a pre-determined list of strings contained within the offending piece of ratware (spamming tool).

While this technique is effective in the short term, many anti-spam solutions will be able to detect and stop this campaign within minutes of seeing the first samples. One of the more interesting alternatives involves retrieving this information from a remote database. This offers the spammer greater flexibility in terms of spam content, as well as the ability to react faster to anti-spam updates. However, what many spammers fail to realize is that this introduces another point of failure into a chain that’s already fraught with weak links.

The following image is an example of spam email generated using this technique.

Broken MySQL spam

Upon first inspection, this message does not appear to be broken. However, a closer look at the URL anchored to the text “P.E.P.” shows us that the ratware responsible for this message queried a remote SQL database via PHP for the URL. How do we know this? A quick glance of the HTML code behind the message reveals the answer:

<a href="<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>function.mysql-connect</a>]: Can't connect to MySQL server on '**.**.***.***' (4) in <b>/usr/home/******/public_html/actual/settings.inc.php</b> on line <b>45</b><br />" target="_blank">P.E.P.</a>

This error message will be immediately familiar to anyone who has used the PHP programming language. It basically tells us that the MySQL server is no longer responding to connection requests.

Obviously, this spammer hasn’t considered one important question: what happens when your database host falls over unexpectedly?

The answer? Millions of broken emails that require a multi-layered approach to stop and for the spammer absolutely no profit.