Hanlon's Razor

Prompted by a message from a researcher at NCFTA, I took another look at the mysterious 'poison spams' that I've been receiving. It turns out that they're not part of some fiendish plot to poison Bayesian filters after all. They're just another spammer misconfiguration.

The spams are sent as multipart messages. The first part of the message, sent with a content type of 'text/plain' and 'quoted-printable' encoding, consists of 'hashbuster' text - randomly-generated text intended to hide the spam from statistical filtering techniques. The second part of the message, whose content type is also 'text/plain', contains the payload, which is a standard stock puff. The stocks promoted currently include 'usual suspects' VNBL.OB and PPTL.PK.

The messages appeared more mysterious than they really were because when viewed with a MIME-savvy email client - Eudora, in my case - only the hashbuster text showed up. It appears that if a message contains two 'text/plain' content sections, Eudora simply drops the second and displays the first: in this case, the meaningless random text. Eudora apparently isn't the only email client to behave this way, so the spammer may not be getting much return on his investment.

The spammer may have finally noticed that something is wrong. Recently, he's switched to sending spams where the second part is sent as 'text/html' instead. These variants display correctly, but are still easy to filter using basic keyword matching.
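
The message layout described above can be inspected with Python's standard email module. This is an added example, not code from the original post: it parses a constructed message with two 'text/plain' parts and separates what a first-part-only client displays from what a filter still has to scan. The multipart/mixed subtype, the addresses, the body text and the EXAMPLE.OB ticker are assumptions made for the sample.

```python
import email
from email import policy

# Constructed sample (not a real spam). Subtype, boundary and text are assumptions.
SAMPLE = """\
From: sender@example.com
To: rcpt@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

walrus lantern quietly =
orbit maple seven

--b1
Content-Type: text/plain; charset="us-ascii"

Constructed payload text: EXAMPLE.OB is set to soar

--b1--
"""

def text_parts(raw):
    """Return (content_type, decoded_text) for every text/* leaf part, in order."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [(p.get_content_type(), p.get_content())
            for p in msg.walk()
            if not p.is_multipart() and p.get_content_maintype() == "text"]

def first_part_only(raw):
    """Text shown by a client that renders only the first text/plain part."""
    return next(body for ctype, body in text_parts(raw) if ctype == "text/plain")

def hidden_plain_parts(raw):
    """text/plain bodies after the first: invisible in such a client."""
    return [b for c, b in text_parts(raw) if c == "text/plain"][1:]

def keyword_hits(raw, keywords):
    """Basic keyword match over every text part, not just the displayed one."""
    joined = "\n".join(body for _, body in text_parts(raw)).lower()
    return [k for k in keywords if k.lower() in joined]

if __name__ == "__main__":
    print("displayed:", first_part_only(SAMPLE).strip())
    print("hidden   :", [b.strip() for b in hidden_plain_parts(SAMPLE)])
    print("keywords :", keyword_hits(SAMPLE, ["EXAMPLE.OB", "soar"]))
```

A message that yields a non-empty `hidden_plain_parts` result is worth flagging on structure alone, since ordinary mail rarely carries two sibling 'text/plain' bodies.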

"Never attribute to malice that which can adequately be explained by stupidity."
