Today's spam detective story

I have, for maybe a week now, been receiving empty spams with the subject line "www.download.com brings Daemon Tools to you!".

Daemon Tools is, of course, real and useful and free, and popular with many disreputable people, which is no doubt why this spammer is pretending to be the also-perfectly-valid download.com to scam people into downloading Some Damn Thing under Daemon Tools' name.

But I couldn't figure out what the deal was with this particular empty-spammer, since I kept getting the messages, and they kept having no body.

Spams with no body are common enough. Along with the spams that have a subject line that says something like "Get bigger Peeniss %RANDWORD%" and a body that says "%RANDWORD% %BODY% %RANDWORD%", they're the result of spammers who haven't yet mastered their $2,000 WORTH OF FREE MARKETING SOFTWARE PLUS+PLUS 14.8 MILLION TARGETED, TRIPLE OPT-IN EMAIL ADDRESSES that they bought last week for $129.99. I guess those guys are often confused by the fact that their $2000 worth of software seemed to consist mainly of Sourceforge download links.

Even those guys generally sort it out after a little while, though. There's got to be a pretty small intersection between the sets of people smart enough to send mail at all and those so dumb that they don't notice they're sending a bunch of empty messages.

So why was I getting the same empty message over and over from this spammer?

When I looked closer, it all became clear. My last line of defense shows, as you'd expect, the subject line of an e-mail, but only the first line of it. If an e-mail has a multi-line subject, complete with line breaks, I only get to see the whole thing if I preview the message and click the View Source button.

Doing that with these "empty" spams revealed the subject line to be:

www.download.com brings Daemon Tools to you!
We provide you best software for free!\r\nCheck this one: newest Daemon Tools 4.0.6 AVAILABLE FOR DOWNLOAD NOW at http://woodpecker.host.sk/daemon406-x86.exe\r\nCheck more on http://www.download.com and register to obtain more outstaind links every day.

So there you go. It's not as bad, at least, as the spammers who, a couple of years ago, kept sending me messages with subject lines megabytes in size (which completely paralyse various mail-processing programs that expect reading a subject line to take a trivially brief period of time).
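The two subject-line tricks above, a folded multi-line Subject whose first line is all a one-line display shows, and an oversized Subject, are both easy to catch on the raw header bytes before a mail client gets to hide anything. The following is an added example, not code from the original post: a small header parser that keeps each physical line of a folded header separate (the standard-library `email` parser with `email.policy.default` unfolds them into one line, which is why it reads the raw bytes itself), then reports how many lines the display would hide, the total subject size, and any URLs pointing at executables. The message, the `SAMPLE` name, the `malware-host.example` hostname and the size threshold are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample message (not the actual spam from the post): the Subject is
# folded over several physical lines, as RFC 5322 section 2.2.3 permits, and the
# body is empty. The download host is a placeholder, not a real site.
SAMPLE = (
    b"From: spammer@example.invalid\r\n"
    b"To: victim@example.invalid\r\n"
    b"Subject: www.download.com brings Daemon Tools to you!\r\n"
    b" We provide you best software for free!\r\n"
    b" Check this one: newest Daemon Tools 4.0.6 AVAILABLE NOW at"
    b" http://malware-host.example/daemon406-x86.exe\r\n"
    b" Check more on http://www.download.com and register for more links.\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd")
MAX_SUBJECT_BYTES = 4096  # arbitrary policy threshold for this example


def parse_headers(raw: bytes) -> list:
    """Return [(name, [physical lines]), ...] for the header block.

    Folded continuation lines (those starting with space or tab) are kept as
    separate entries instead of being unfolded, so what a one-line subject
    display would hide stays visible.
    """
    headers = []
    for line in raw.splitlines():
        if line == b"":  # first blank line ends the header block
            break
        text = line.decode("latin-1")
        if text[0] in " \t" and headers:  # continuation of the previous header
            headers[-1][1].append(text.strip())
        else:
            name, sep, value = text.partition(":")
            if not sep:  # malformed header line; skip it
                continue
            headers.append((name.strip().lower(), [value.strip()]))
    return headers


def subject_lines(raw: bytes) -> list:
    """All physical lines of the first Subject header, or [] if absent."""
    for name, lines in parse_headers(raw):
        if name == "subject":
            return lines
    return []


def executable_links(urls) -> list:
    """URLs whose path ends in an executable extension (host alone never matches)."""
    return [u for u in urls if urlparse(u).path.lower().endswith(EXECUTABLE_SUFFIXES)]


def audit_subject(raw: bytes) -> dict:
    """Summarise what a one-line subject display shows versus what is really there."""
    lines = subject_lines(raw)
    full = " ".join(lines)  # unfolded view, used for URL extraction and sizing
    urls = URL_RE.findall(full)
    exes = executable_links(urls)
    return {
        "displayed": lines[0] if lines else "",
        "hidden_lines": max(len(lines) - 1, 0),
        "total_bytes": len(full.encode("latin-1")),
        "urls": urls,
        "executable_links": exes,
        "suspicious": len(lines) > 1 or len(full) > MAX_SUBJECT_BYTES or bool(exes),
    }


if __name__ == "__main__":
    for key, value in audit_subject(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it on a saved message (`audit_subject(open("msg.eml", "rb").read())`) and a Subject that folds onto extra lines, exceeds the size cap, or links straight to an executable comes back flagged, whatever the mail client chose to show.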

The daemon406-x86.exe file they're trying to get you to download, by the way, is 59 kilobytes bigger than the real one, and I don't know what it is. Trend didn't have anything to say about it.

It's got header data from the standard Windows CAB file extractor WEXTRACT.EXE, but Wextract is only 64 kilobytes, while this thing is 1,591,296 bytes, which suggests a large payload.

Actually, the spam-file has headers from the Polish 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) version of Wextract; perhaps that's bigger than the English one I've got here. It's the Polish version presumably because the spammer is Polish, a theory supported by the fact that this particular edition of the spam, at least, came from this IP. That's hosted by tpnet.pl, which, as I write this, is number nine on the Spamhaus Top 10 List.


One Response to “Today's spam detective story”

  1. Simulant Says:

    Here, let me see if I can't make everyone happy...

    "I sure wish you POS trash would move back to (Fill in the city which you wish to disparage)

