Dispatches Archive

January 23, 2010

Knock It Off, "Mary"

For the past 10 days, I've seen a lot of spam claiming to come from someone calling her(?)self "Mary":

From: Mary <[variety of bogus email addresses]>
Subject: Hi remember me?

I've seen two separate campaigns using the same combination above. The first had the following message body:

Hi, I'm from Russia - a dream to live abroad, my name is Mary, can we get started? "I'm on this dating site - come in to me.

[various URLs removed]

The more recent of the two has the following body:

Hello my dear. Hey, want to marry a Russian beauty? I want you, my good man. Come to my profile - you'll get a surprise! You want what would you be good? Come to me.

[various URLs removed]

These types of things aren't anything new, to be sure. But the hazard for those of us who don't have visions of marrying a Russian spammer-bride is that any curious recipient may be putting a few kopeks into the spammer's pocket or G-string. All of the URLs I've seen have affiliate identifiers of some kind. So, whether the URL goes straight to the spamvertised web site, or if it first goes to a redirection page, a click might very well make the spam pay for itself (and then some). This only guarantees more of the same to follow — if not to you, then to millions of others whose addresses have been scraped over the years.

Imagine how angry the spammer would be if, upon mailing tens of millions of these messages, not a single recipient visited the site. That would be more effective than shutting down one of the botnets he uses to spew.

Apparently I have weird fantasies.

Posted on January 23, 2010 at 08:45 AM

January 14, 2010

What a Haiti Earthquake Charity Scam Looks Like

Major disasters bring out the best in people...but also the worst people. Look at this piece of email crap coming from a non-existent organization:

From: "Davis Pipe" <help-raise-haiti@apennyalife.org>
Subject: Lets help raise Haiti...

Good day,

I am Davis Pipe, the founder of A penny a life charity organisation, i'm sure everyone is aware and familiar with the Haiti Earthquake disaster. We at APAL Charity have decided to raise aid to the people of Haiti, the silence is leaving their country broken and we as human can stretch our hands and reach a life, nothing is too little.

So far we've been able to raise $2,650,819.68 from our online and phone donations. We decided to reach anonymously to people and see how further we can raise the donations to, if you feel it in your heart to make a donation please do and have it sent via Western Union to our Regional Oversea.

Name: Frank Bacon
Location: Atlanta, Georgia.

Please once donations are made, get back to us with the informations below;

Senders name:
Senders location:

If you choose to make anonymous donations, do contact me davispipe@[free email service domain removed].com.

Lets save a life today, God has been ever merciful keeping us out of harms way, lets return the favour.

Thanks and God bless.

Davis Pipe.
APAL Charity Foundation

There is no such organization, nor would any legitimate charity solicit funds in this fashion. Utterly despicable.

Posted on January 14, 2010 at 02:39 PM

January 10, 2010

The Spamit_New_Subj Flood

If you've been scratching your head over spam whose Subject: line reads:


I have some answers to the riddle.

When I saw the first instance in an inbox, I thought the message might have been relayed through a mail server that tagged the message as being spam. But the message's headers didn't reveal that to be the case. No, the message originated with that Subject: line.

The telltale marks of the underscore characters signified the likelihood that the text was a placeholder, which the bot software responsible for sending the message was supposed to replace with something else (meaningful or otherwise). Given the fact that the message bodies of all of these messages were simple text sentences relating to erectile dysfunction medz, I had my suspicions. And upon checking the HTML source code of the spamvertized web site, my suspicions were found to be accurate:

<img src="/themes/blue_light/img/logo.jpg" alt="Canadian Pharmacy" border="0">

Yes, it's our old friends, the Canadian Pharmacy morons. From additional research, Spamit appears to be a spamming affiliate business responsible for medz, warez, and Heaven knows what else over the years (although the name was new to me). Thus, we appear to have an affiliate (often also known as a wannabe spammer) who hasn't yet figured out how to work the system — or the software — to replace the Subject: line in the Spamit-supplied template.

But it's awfully nice of him to attach spam signal flares to the Subject: lines of his messages.

Posted on January 10, 2010 at 11:52 AM

January 03, 2010

New Year, New Phish

The PayPal phishermen are dropping their lines into the ice holes of northern hemisphere winter to try to snag some scrumptious login credentials and any money you might have hanging around in a PayPal account or bank account linked thereto.

Here's one that comes with a cute little seasonal PayPal logo, telling you that "You have 1 new Security Message Alert!". The automated bot that generated the message was even programmed to insert today's date into a gray small-type line at the top — presumably to make it look legitimate.

[Image: Seasonal PayPal phishing email message]

As the link rollover shows, this crook has managed to plant his phony PayPal page and software on a hijacked mail server belonging to a small web services provider in New York state (oops!). All the goodies are quasi-hidden in a subdirectory whose name begins with a period, meaning that inexperienced admins may not see the directory if they view file lists without the right switch set.
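For admins, one way to surface such directories no matter which listing switches are in use. This is an added example, not code from the original post; the function names are hypothetical and the web root path passed in is an assumption about your server layout.

```shell
#!/bin/sh
# Added example (not from the original post): surface dot-directories
# under a web root, which a plain `ls` without -a does not show.

# Print "<file-count> <path>" for each hidden directory beneath $1.
# Assumes directory names contain no newline characters.
find_hidden_web_dirs() {
    webroot=$1
    [ -d "$webroot" ] || { echo "not a directory: $webroot" >&2; return 2; }
    # -mindepth 1 keeps the web root itself out of the results
    find "$webroot" -mindepth 1 -type d -name '.*' -print |
    while IFS= read -r dir; do
        # Count regular files at any depth below the hidden directory
        count=$(find "$dir" -type f | wc -l | tr -d ' ')
        printf '%s %s\n' "$count" "$dir"
    done
}

# Cron-friendly wrapper: 0 = nothing hidden, 1 = report printed, 2 = bad path.
check_webroot() {
    report=$(find_hidden_web_dirs "$1") || return 2
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Call `check_webroot` with the document root of each hosted site and review any directory it reports that you did not create yourself.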

As for regular users who might receive such phishing email messages, if you can't just let it go, then log into PayPal via your normal avenue — preferably a bookmark that you saved from a previous visit. If there are any problems with your account, you'll find out then. Chances are, you're in the clear.

Posted on January 03, 2010 at 01:19 PM