Worm related spamming

I got an email this morning from “Daphne Jacobsen”, a marketroid at a CD/DVD company that shall not be getting any plugs here. She claimed that someone from my company had mailed them requesting prices last week but that their servers had become infected with one of the many worms on the loose recently and that the message had been lost (but obviously not completely lost, otherwise where did she get the email address?). Her message ended:

In case you need more information, our company web site is [DELETED] where you can see we are a complete “one stop shop” for DVD, CDROM, printing, packaging, and fulfillment services.

If you need, please call me TOLL FREE at [DELETED].

Obviously spam. The mail was sent to an email address that I’ve never used at a domain I’ve only ever used for personal purposes. Interesting, though. The mail was obviously carefully written to sound genuine and unique. Hand-wringing over the problems caused by the “worm” ties it in nicely with current events on the internet and might make a recipient feel sympathetic to the sender. At first glance, not your usual spam – possibly different enough to not only escape spamtraps (it slipped past two to get to me) but to snare a few more unwary punters than usual. I’ve never received anything quite so carefully crafted before (if you exclude some of the better phishing emails).

BOFRA: email link virus

The BBC covered this today. Here’s a Clue: don’t use HTML for email. Look at any links you are sent in emails very carefully before loading them in a browser – not at the text used to display the link, but at the actual address targeted. Disabling the display of HTML in your email client should reveal this information to you. You should already be doing this anyway if you’ve been paying attention to the recent phuss about phishing.

Keeping out the idiots

Still got the comments disabled at the mo. I haven’t had the time to make the necessary changes to the code, but it’s pretty high on my list.

Grepping through the referrer logs shows that there’re still a lot of unwelcome visitors. I suppose that we should take some slight satisfaction in noting that the spambots aren’t at Turing level just yet, and have to rely on brute force. Wankers.

I have made a bit of a start by introducing some filters into my .htaccess file. I’ll post these in due course if they seem to do any good, but when both the IPs the spammers use and the site addresses they promote change so fast it’s a bit of a losing battle. Still, there are definite patterns to the domains so that gives us somewhere to start.

Anyone surfing past this post with any helpful suggestions or comments is especially encouraged to mail me. Cheers.
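As an added example (not the author’s filters, which this post doesn’t publish), here is a script that does the referrer-log grepping described above and turns what it finds into .htaccess rules. The log lines are constructed, `/comments.cgi` is a hypothetical comment-posting script, `blog.example` stands in for this site’s own hostname and the keyword list is an assumption; the rules it emits use the Apache 2.2-style `SetEnvIfNoCase` / `Deny from env=` form.

```python
"""Tally referrers in an Apache combined-format access log, flag the ones
that look like comment-spam sources, and emit .htaccess rules for them.
Added example, not the blog author's own filters. The log lines below are
constructed; /comments.cgi and blog.example are hypothetical."""
import re
from collections import Counter
from urllib.parse import urlparse

# One line of Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Words that keep turning up in the promoted domains (assumed list).
SPAM_WORDS = ("casino", "poker", "pills", "pharmacy", "diet", "mortgage")
COMMENT_SCRIPT = "/comments.cgi"   # hypothetical comment handler
OWN_HOST = "blog.example"          # hypothetical hostname of this blog

# Constructed sample log: three spambot POSTs, one real reader arriving
# from the BBC, and one genuine comment posted from the blog's own page.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2004:08:15:02 +0000] "POST /comments.cgi HTTP/1.1" 200 512 "http://cheap-diet-pills.example/" "Mozilla/4.0"
203.0.113.5 - - [12/Nov/2004:08:15:03 +0000] "POST /comments.cgi HTTP/1.1" 200 512 "http://www.online-casino-bonus.example/" "Mozilla/4.0"
198.51.100.20 - - [12/Nov/2004:09:01:10 +0000] "GET /archives/2004/11/bofra.html HTTP/1.1" 200 8412 "http://news.bbc.co.uk/" "Mozilla/5.0"
192.0.2.77 - - [12/Nov/2004:09:05:44 +0000] "POST /comments.cgi HTTP/1.1" 200 512 "http://poker-rooms.example/" "Mozilla/4.0"
198.51.100.21 - - [12/Nov/2004:09:07:00 +0000] "POST /comments.cgi HTTP/1.1" 200 512 "http://blog.example/archives/2004/11/bofra.html" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def referer_host(url):
    """Lowercase host of a referer URL with a leading 'www.' dropped; '' if none."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def suspicious_referers(log_text):
    """Count referer hosts that look like spam sources.

    A host is flagged when its name contains one of SPAM_WORDS, or when it is
    the referer on a POST to the comment script: a real commenter submits the
    form from one of this blog's own pages, so a third-party referer on that
    POST means the bot is advertising itself. Returns Counter(host -> hits).
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["referer"] == "-":
            continue
        host = referer_host(rec["referer"])
        if not host or host == OWN_HOST:
            continue
        posts_comment = rec["request"].startswith("POST " + COMMENT_SCRIPT)
        spammy_name = any(word in host for word in SPAM_WORDS)
        if spammy_name or posts_comment:
            hits[host] += 1
    return hits


def htaccess_rules(hosts, env="spam_ref"):
    """Render mod_setenvif / mod_access rules (Apache 2.2 style) that refuse
    requests whose Referer points at one of the flagged hosts."""
    lines = [f'SetEnvIfNoCase Referer "^https?://(www\\.)?{re.escape(h)}" {env}'
             for h in sorted(hosts)]
    lines += ["Order Allow,Deny", "Allow from all", f"Deny from env={env}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = suspicious_referers(SAMPLE_LOG)
    for host, n in flagged.most_common():
        print(f"{n:4d}  {host}")
    print(htaccess_rules(flagged))
```

The keyword test is the brittle half (the promoted domains change constantly, as the post says); the POST-with-a-foreign-referer test is the stronger signal because it keys on what the bot does rather than what it is called.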

More comment spam

This is getting ridiculous. I just deleted several hundred more comment spams by restoring from a week-old backup, so apologies if you’ve left a legitimate comment in that time. I just don’t have the time to be more selective right now.

I have some potential solutions in mind, but they require some coding to get working. In the meantime, you’re better off sending me email than leaving comments.

Ebay phishing attempt

I received an email today purporting to be from the ebay security team requesting that I access my account. The email, in HTML format, kindly provided a link to a page hosted at disguised as a link to ebay’s site. Since my mail client displays messages as plaintext (making it obvious where links actually go), this was a pretty obvious phishing attempt. (Hey! Another argument against HTML email, as if we needed one.)

In addition to this and the fact that I’m paranoid at the best of times, something else helped me spot that this was a fake: I don’t even have an ebay account, and never have. So I forwarded it to spoof@ebay.com, where they recommend you send abuse reports of this kind. If you’re interested in seeing what the fake site looked like, here’s a screenshot – it’s a pretty good likeness.

Note that on the fake page, they say that you can use your “registered email” address instead of your ebay ID, which differs somewhat from the real ebay sign-in page. There are a few other minor differences, but even so when you compare the two they do look very similar. Beware!
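The check recommended in the BOFRA post above (look at the address a link actually targets, not the text it displays) and the eBay mail just described can both be done mechanically. This is an added example, not the author’s code or eBay’s; the HTML message it scans is constructed, with RFC 5737 test addresses standing in for the phisher’s host.

```python
"""Pull the links out of an HTML email and flag the ones whose visible text
does not match where the href actually goes, plus links that target a bare
IP address. Added example, not the blog author's code; SAMPLE_HTML is a
constructed message modelled on the phishing mails described in the posts."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace so folded lines compare cleanly
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(text):
    """Lowercase host of a URL or bare hostname, or None if there is none."""
    if "://" not in text:
        text = "http://" + text
    try:
        host = urlparse(text).hostname
    except ValueError:          # malformed IPv6 literal and the like
        return None
    return host.lower() if host else None


def looks_like_url(text):
    """True if the visible link text is itself a URL or a hostname."""
    return text.startswith(("http://", "https://", "www.")) or (
        " " not in text and re.search(r"\w\.\w", text) is not None)


def same_site(a, b):
    """True if one host equals or is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_deceptive_links(html):
    """Return [(href, text, reason)] for links a reader could be misled by."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if "://" not in href:
            continue            # relative links, mailto: etc. - nothing to compare
        target = host_of(href)
        if target is None:
            continue
        if looks_like_url(text):
            shown = host_of(text)
            if shown and not same_site(shown, target):
                findings.append((href, text,
                                 f"text shows {shown} but target is {target}"))
                continue
        if is_ip_literal(target):
            findings.append((href, text, f"target is a raw IP address {target}"))
    return findings


# Constructed sample: one link that displays an eBay URL but targets an IP,
# one honest link, and one "click here" link pointing at a raw IP.
SAMPLE_HTML = """\
<p>Dear member, please sign in at
<a href="http://198.51.100.7/ebay/signin.html">https://signin.ebay.com/ws/eBayISAPI.dll</a>
to confirm your account.</p>
<p>Questions? See <a href="https://pages.ebay.com/help/">https://pages.ebay.com/help/</a>
or <a href="http://203.0.113.9/help">click here</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reason in find_deceptive_links(SAMPLE_HTML):
        print(f"{reason}\n    text: {text!r}\n    href: {href}")
```

Reading mail as plain text, as the post recommends, gives you the same information for free: the raw `href` is all you see. The script is for the case where you have to handle HTML anyway, for instance when filtering a mailbox.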

Comment Spam

Been hit by a nasty dose of this highly irritating plague recently. One thing to say to these idiots: GO AWAY. (I’d be more explicit, but I’d like to check this site from work and there’s an evil proxy guarding our network.) Neither I nor my readers want your crappy diet pills, prescription drugs or online gambling opportunities. And this blog is so rarely visited it’s hardly going to do your pagerank any good. (No one’s listening, but I don’t care.)

My current strategy is a low-tech one, and I’ll turn off comments while I work out a higher tech solution if it continues. Comment spam is a real problem, as it can completely ruin a weblog by clogging up the discussion with rubbish. Plus, there’s something unpleasant about it – it feels like a bit of a personal attack. I’ve been quite surprised at just how angry it’s made me.

txt spam

If the email spam plague and the Sobig virus weren’t enough, the quantity of unsolicited txt msgs I receive on my mobile phone seems to be creeping up recently. For example, I got this last night:

From: 6655442

As a valued customer, I am pleased to advise you that following recent review of your Mob No. you are awarded with a £1500 Bonus Prize, call 09066364589

Sent: 27-Aug-2003 22:41:04

09* Numbers are Premium Rate, and cost £££ to call, and I’m sure I remember a factoid that this information had to accompany any solicitation to call one. No such information in this message. Also, the ‘From:’ number looks forged to me, but I didn’t dare call it. If this were an email, we’d call it spam, because that’s what it is. I think that this kind of promotion of premium rate services is underhand – I can’t believe the claims that I’ve won lots of cash from someone who doesn’t even have the courtesy to identify themselves. It’s clearly an attempt to get me to call their expensive phoneline. Now I wouldn’t usually bother, but it annoyed me enough to make me want to complain to someone.

I should probably start by informing my service provider, mmO2. A bit of digging through their website brings up some advice on how to deal with nuisance calls, which seems to cover text messages as well. Searching for ‘spam’ brings up nothing. Before calling customer care, I’m going to do a bit more checking around.

I recall seeing something on this topic at the BBC recently, and a search over there pulls up an item discussing measures being taken by Vodafone to combat txt spam. Not much use for me, but they also mention the ICSTIS (the Independent Committee for the Supervision of Standards of Telephone Information Services (phew!)) – which is “the industry-funded regulatory body for all premium rate charged telecommunications services”. Looks good, so let’s surf on over.

The ICSTIS FAQ on unsolicited promotions (PDF) states clearly that:

Call charge details and any other information, which is likely to affect a decision to participate, should be clearly stated. In the case of text messages, information required under the Code of Practice should be stated before the premium rate number.

So I filled in their online complaint form. Wonder if that’ll do any good? They say it might take up to 12 weeks to reply! I’ll probably never find out, because I gave ‘em my work email, and I’m gone in five weeks… Still, it’s the thought that counts.

(Hmm. Interesting way to spend one’s lunch break.)

Scammin’

I got one of those dodgy emails about vast fortunes found in African bank accounts today. I can’t believe that someone’s still doing this – surely everyone knows this is a scam? (As if anyone even needs warning anyway, it’s just so utterly ridiculous). And why does this guy feel the need to SHOUT?

From felix_lamine@libero.it  Thu Mar 27 17:13:00 2003
Return-Path: 
Delivered-To: sgp@localhost.domus.local
Received: from localhost (localhost [127.0.0.1])
	by domus.local (Postfix) with ESMTP id 9E8E91E856
	for ; Thu, 27 Mar 2003 17:13:00 +0000 (GMT)
Received: from mail.btinternet.com [194.73.73.90]
	by localhost with POP3 (fetchmail-5.9.13)
	for sgp@localhost (single-drop); Thu, 27 Mar 2003 
Received: from smtp1.libero.it ([193.70.192.51])
	by uranium.btinternet.com with esmtp (Exim 3.22 #24)
	id 18yUjQ-0006bo-00
	for sagepe@btopenworld.com; Thu, 27 Mar 2003 10:35:36 +0000
Received: from libero.it (193.70.192.62) by smtp1.libero.it (6.7.015)
        id 3E68E7F1001892A1; Thu, 27 Mar 2003 11:33:53 +0100
Date: Thu, 27 Mar 2003 11:33:52 +0100
Message-Id: 
Subject: from_lamine
MIME-Version: 1.0
X-Sensitivity: 3
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
From: felix_lamine@libero.it
X-XaM3-API-Version: 3.2 R29 (B54 pl1)
X-type: 0
X-SenderIP: 213.136.97.64
To: undisclosed-recipients:;

DEAR,

I AM THE DIRECTOR OF BILLS AND EXCHANGE AT THE FOREIGN REMITTANCE 
DEPARTMENT OF OUR BANK HERE IN ABIDJAN COTE D'IVOIRE.

IN MY DEPARTMENT WE DISCOVERED AN ABANDONED SUM OF US$12.500,000.00 
(TWELEVE. FIVE MILLION USD ONLY) IN AN ACCOUNT THAT BELONGS TO ONE OF OUR 
FOREIGN CUSTOMERS WHO DIED ALONG WITH HIS ENTIRE FAMILY IN NOVEMBER 1999 
IN A PLANE CRASH.

SINCE WE GOT INFORMATION ABOUT HIS DEATH, WE HAVE BEEN EXPECTING HIS NEXT 
OF KIN TO COME OVER AND CLAIM HIS MONEY BECAUSE WE CANNOT RELEASE IT 
UNLESS SOMEBODY APPLIES FOR IT AS NEXT OF KIN OR RELATION TO THE DECEASED 
AS INDICATED IN OUR BANKING GUIDELINES.

UNFORTUNATELY WE LEARNT THAT ALL HIS SUPPOSED NEXT OF KIN OR RELATIONS 
DIED ALONG WITH HIM AT THE PLANE CRASH LEAVING NOBODY BEHIND FOR THE CLAIM.

IT IS THEREFORE UPON THIS DISCOVERY THAT I AND ONE OF THE OFFICIALS IN THE 
DEPARTMENT NOW DECIDED TO MAKE BUSINESS WITH YOU AND RELEASE THE MONEY TO 
YOU AS THE NEXT OF KIN OR RELATIONS OF THE DECEASED FOR SAFETY AND 
SUBSEQUENT DISBURSEMENT SINCE NOBODY IS COMING FOR IT AND WE DON'T WANT 
THIS MONEY TO GO DISBURSEMENT ACCOUNT AS UNCLAIMED BILL.

THE BANKING LAW AND GUIDELINES HERE STIPULATED THAT IF SUCH MONEY REMAINED 
UNCLAIMED AFTER FOUR YEARS THE MONEY WILL BE TRANSFERRED INTO FEDERAL 
GOVERNMENT ACCOUNT AS UNCLAIMED FUND. THE REQUEST OF A FOREIGNER AS NEXT 
OF KIN IN THIS BUSINESS IS OCCASIONED BY THE FACT THAT THE CUSTOMERS WAS A 
FOREIGNER AND AN IVORIEN CANNOT STAND AS NEXT OF KIN TO A FOREIGNER.

WE AGREE THAT 15% OF THIS MONEY WILL BE FOR YOU AS FOREIGN PARTNER AND 5% 
FOR EXPENSES INCURRED DURING THE COURSE OF REMITTANCE. THEREAFTER TO THE 
PERCENTAGES INDICATED.

THEREFORE TO ENABLE THE IMMEDIATE TRANSFER OF THE FUND TO YOU AS ARRANGED. 
YOU MUST APPLY FIRST TO THE BANK AS A RELATION OR NEXT OF KIN OF THE 
DECEASED INDICATING YOUR BANK ACCOUNT NUMBER AND LOCATION WHERE IN THE 
MONEY WILL BE REMITTED . UPON RECEIPT OF YOUR REPLY I WILL SEND TO YOU THE 
TEXT OF THE APPLICATION. AS SOON AS YOU RECEIVE THIS LETTER, YOU SHOULD 
CONTACT ME IMMEDIATELY AND INDICATE YOUR DIRECT AND CONFIDENTIAL TELEPHONE/
FAX NUMBERS FOR THE EFFECTIVE COMMUNICATION REQUIRED.

TRUSTING TO HEAR FROM YOU IMMEDIATELY ON TELEPHONE NUMBER 0022507822694.

YOURS FAITHFULLY,

FELIX LAMINE
FOREIGN OPERATIONS
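The headers quoted above can be read mechanically: each relay prepends its own Received: line, so reading them bottom-up gives the path the message took. As an added example (not the author’s code), here is a small tracer run over the Received: lines copied from the post; the mbox “From ” line, Return-Path and Message-Id are left out of the sample because their values did not survive on the page.

```python
"""Walk the Received: headers of a message from the earliest hop to final
delivery, the way you would when judging whether a mail came from where it
claims. Added example, not the blog author's code. SAMPLE_HEADERS is copied
from the headers quoted in the post (mbox From line, Return-Path and
Message-Id omitted)."""
import re
from email import message_from_string

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <helo> (<info>) by <server> ..." -- tolerant of the usual variants
HOP_RE = re.compile(r"^from\s+(?P<helo>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)", re.I)

SAMPLE_HEADERS = """\
Received: from localhost (localhost [127.0.0.1])
    by domus.local (Postfix) with ESMTP id 9E8E91E856
    for ; Thu, 27 Mar 2003 17:13:00 +0000 (GMT)
Received: from mail.btinternet.com [194.73.73.90]
    by localhost with POP3 (fetchmail-5.9.13)
    for sgp@localhost (single-drop); Thu, 27 Mar 2003
Received: from smtp1.libero.it ([193.70.192.51])
    by uranium.btinternet.com with esmtp (Exim 3.22 #24)
    id 18yUjQ-0006bo-00
    for sagepe@btopenworld.com; Thu, 27 Mar 2003 10:35:36 +0000
Received: from libero.it (193.70.192.62) by smtp1.libero.it (6.7.015)
    id 3E68E7F1001892A1; Thu, 27 Mar 2003 11:33:53 +0100
Date: Thu, 27 Mar 2003 11:33:52 +0100
Subject: from_lamine
From: felix_lamine@libero.it
X-SenderIP: 213.136.97.64
To: undisclosed-recipients:;

"""


def parse_hop(value):
    """Split one Received: value into the claimed sender (HELO name), the IP
    the receiving server recorded for it, and the receiving server."""
    value = " ".join(value.split())        # unfold continuation lines
    m = HOP_RE.match(value)
    if not m:
        return None                        # e.g. "(qmail ... invoked ...)" forms
    ip = IPV4_RE.search(m.group("rest"))
    return {"from": m.group("helo"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by")}


def trace_path(raw_message):
    """Return the hops in delivery order (earliest first) and the X-SenderIP value."""
    msg = message_from_string(raw_message)
    hops = [h for h in (parse_hop(v) for v in msg.get_all("Received", [])) if h]
    # Each relay prepends its own line, so the bottom-most header is the first hop.
    hops.reverse()
    return {"hops": hops, "sender_ip": msg.get("X-SenderIP")}


def report(raw_message):
    """Human-readable trace. Only lines added by servers you trust are reliable;
    anything beneath them could have been written by the sender."""
    trace = trace_path(raw_message)
    lines = [f"{i}: {h['from']} [{h['ip'] or '?'}] -> {h['by']}"
             for i, h in enumerate(trace["hops"], 1)]
    if trace["sender_ip"]:
        lines.append(f"X-SenderIP header (set by the submitting system, "
                     f"not verified here): {trace['sender_ip']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HEADERS))
```

For this message the chain runs libero.it → smtp1.libero.it → uranium.btinternet.com → the fetchmail pickup → local Postfix, which is consistent with the From: address; what the lowest hop cannot tell you is who was sitting behind libero.it’s submission server, which is why the 0022507822694 telephone number in the body is the only contact detail in the whole thing that the scammer actually needs to be real.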

The computer virus

This perennial favourite has been back in the news lately with last weekend’s M$ SQL worm which apparently nearly brought the net to its knees. Can’t say that I noticed, and I spent a lot of time online over the weekend.

On a related note, the BBC website ran this article on the possibility that as mobile telephone technology advances those pesky viruses will start infesting our handsets. This inspired me to do a little surfing, and although it seems that warnings of this sort of thing in the past have been largely groundless (discussion here and here, via a post at epicycle), it now appears to be a lot more feasible.

This bout of surfing also brought to my attention vmyths.com, who have this to say about themselves:

Vmyths fights computer security hysteria with a comprehensive A-Z list of popular virus hoaxes. We also tackle persistent virus myths. And we dispel misconceptions about real viruses…

Brilliant. I’m sure that if you’re like me you regularly receive email from people warning you against one or other hysterical virus-related panic and possibly even advising you to delete files like jdbgmgr.exe or sulfnbk.exe. Here’s a potential resource for dealing with that, independent from the anti-virus software vendors who have allegedly behaved questionably in the past. vmyths.com certainly qualify for a spot on my links list, anyway.