« A Tech Support Dialog | Main | Pump-And-Dump Techniques »

June 15, 2006

Don't you just hate it when a spammer/scammer misconfigures his botnet so that only a tantalizing bit of the message comes through without the full payload? Call me crazy, but I like to see what scams these jerks are trying to pull off.

The message in question originated from a server in China (duh), but contains forged parts of the header to make it look as though it came from a U.K. company in the pneumatic tools industry (the domain has been registered since 1997, so it's not bloody likely that this company has anything to do with the message).

The part that got my initial attention was:

Subject: Danny Goodman Administrator has been fired

It's hard to tell what this is supposed to mean. Have I been fired? Did I fire my Administrator?

One of the nice things about being self-employed (for the last 25 years, thank you), is that I know everything about my operation. (The bad thing is that my boss is a slave driver and my employee is a lazy bum.)

In any case, in the context of my "organization," this subject makes no sense.

The body of the message is no more revealing:

{%BEGIN_SPLIT76%}
Danny Goodman, Our Company

That first bit is either a placeholder for a mail-merge type of insertion or other directive that the bot should be using to help compose the body. But then it gave up the ghost.

If this doofus fixes his problem, and I receive his result, I'll update this posting. I'd actually prefer that he believe the messages went out correctly and led to ZERO RESPONSE—my favorite result.

UPDATE (16 June 2006): From some additional samples I've seen, this spam was nothing more than a misconfigured mortgage spam. The model is confirmed in a properly configured message that used the same techniques. Subject: Danny Goodman Boss will be fired and then Danny Goodman, Our Office spoke last week,. The rest is standard mortgage spam fare. At least now I have something to report to the FTC.