I bet my aunt called in the hit

From a Hungarian mail server whose security is presumably not all it might be:

Date: Sun, 3 Feb 2008 17:41:17 +0100 (CET)
Subject: BE MORE CAREFUL
From: "BE MORE CAREFUL" <restinpeac@yahoo.com>
To: undisclosed-recipients:;

I am very sorry for you, is a pity that this is how your life is going to
end as soon as you don't comply. As you can see there is no need of
introducing myself to you because I don't have any business with you, my
duty as I am mailing you now is just to KILL you and I have to do it as I
have already been paid for that.

Someone you call a friend wants you Dead by all means, and the person have
spent a lot of money on this, the person also came to us and told me that
he want you dead and he provided us with your name ,picture and other
necessary information's we needed about you. So I sent my boys to track
you down and they have carried out the necessary investigation needed for
the operation on you, and they have done that but I told them not to kill
you that I will like to contact you and see if your life is Important to
you or not since their findings shows that you are innocent.

I called my client back and ask him of you email address which I didn't
tell him what I wanted to do with it and he gave it to me and I am using
it to contact you now. As I am writing to you now my men are monitoring
you and they are telling me everything about you.

Now do you want to LIVE OR DIE? As someone has paid us to kill you. Get
back to me now if you are ready to pay some fees to spare your life,
$30,000 is all you need to spend You will first of all pay $15,000 then I
will send the tape to you and when the tape get to you, you will pay the
remaining $15,000. If you are not ready for my help, then I will carry on
with my job straight-up.

WARNING: DO NOT THINK OF CONTACTING THE POLICE OR EVEN TELL ANYONE BECAUSE
I WILL KNOW.REMEMBER, SOMEONE WHO KNOWS YOU VERY WELL WANT YOU DEAD! I
WILL EXTEND IT TO YOUR FAMILY, INCASE I NOTICE SOMETHING FUNNY.

DO NOT COME OUT ONCE IT IS 7:PM UNTIL I MAKE OUT TIME TO SEE YOU AND GIVE
YOU THE TAPE OF MY DISCUSSION WITH THE PERSON WHO WANT YOU DEAD THEN YOU
CAN USE IT TO TAKE ANY LEGAL ACTION. GOOD LUCK AS I AWAIT YOUR REPLY TO
THIS E-MAIL CONTACT

Name:william Agent
E-mail: william1111@live.com

These messages have been around for a while, but I don't think I've ever received one before. Plenty of ordinary Nigerian scams, but not the death-threat type.

Quick advice for those receiving mysterious messages promising wealth or making menaces: Search for a string out of the message, to see if lots of other people have received the exact same thing.

Are those people all now rich, or dead, or whatever else the message promises?

(Hint: They won't be.)

You may forego the above steps if you yourself have received 28 copies of whatever the message is, all nominally from completely different people but all strangely similar otherwise.

Rivalrous and commercioganic for Christ Ma'x!

I get a lot of commercial spam from Chinese manufacturers who're under the impression that I'm a "reseller" of just about anything I've ever reviewed. And then some.

These e-mails are usually not very literate, but sometimes they break through into unintentional poetry.

I just got two copies of this one:

From: "RISING TRADING CO"
Date: Thu, 6 Dec 2007 12:45:22 -0800
To: <cs@110220volts.com> [I presume my address was way down in the BCCs somewhere]
Subject: Christ Ma'x Promotion MP4

Dear Friend,

How are you doing? I hope that everything is good!
Are you searching the rivalrous and commercioganic products? Please have a look our this new model mp4 player, it has some rivalrous features in market:
1 : 1.8" TFT display + card reader function .
2 : Built in outside speaker
3 : Built in RF function(optional).
4 : With the good handle housing which use the flash metal facture.
Its picture and details information is as below,please reference:

[A picture of a Keepin' It Real Fake version of an iPod Nano was meant to be included here - but I had to dig the file out of my embedded directory and rename it to be able to see what the heck it was. It was originally called "ui=1&attid=0.1&disp=emb&view=att&th=1168aff0f2e8de23".]

Main Function and features:

* Exquisite & fashionable flash metal and thin design;
* 1.8" TFT screen, 260K TRUE color display;
* Built-in FM radio & With FM recording function (optional) ;
* RF(Radio Frequency) transmit function ,the sigBnal can be accepted by your car FM, etc.(optional)
* Built-in outside speaker (optional);
* Support card reader function;
* Support DRM(digital right management)(optional).
* Built-in lithium battery .
* Capacity supported: 128MB to 4GB;
* Supports MP3, MP4, WMA, WAV, etc;
* Supports TXT electronic text reading ;
* Supports WAV recorder format;
* 7 EQ modes: moral , rock, pop, classic, soft, jazz, bass;
* Supports ID3 synchronous lyrics display;
* Support Multi-languages.(more than 20 kinds).

It went on, but that's the end of the funny stuff.

What do you imagine "moral" EQ does? I wasn't aware that you could make NWA sound like Perry Como just by changing a frequency response curve.

A link request from Spider-Man

Date: Tue, 4 Dec 2007 05:28:52 -0500 (EST)
Subject: Link Exchange Request
From: webmaster@creditreportkey.com
To: [my domain-registration contact address]

Hello buddy ,

Quality sites need to link together.. don’t you agree? I can give you a
high quality content page link from my site
(http://www.creditreportkey.com). In addition both our sites are
vertically related. I am sure you are aware of content page link plays a
major role in SEO.

Kindly add my link in your content pages other than the links page.your
site is a quality site hence I need a content link from your website.

If you said yes, then I need your link text and URL to get this started.If
no,I am really sorry to have been a disturbance.I promise,this will not
repeat.

We also offer free download of xp icons in our website. I hope this will
also be useful to you.

Link Title : Credit Report Key
Link Url : http://www.creditreportkey.com/

Awaiting for your word,
Peter parker

Wow - "free download of xp icons" from a site that also offers you the never-to-be-repeated opportunity to pay money for free credit reports and bogus credit repair services?

Why would anybody in the world ever need to visit any OTHER site?!

I'll link to nobody else, from now on!

(And don't worry, Peter - your super-secret's safe with me!)

And what's the deal with the "vertically related" part, anyway? The business-jargon usage of "vertical" is supposed to mean every stage of a business from production to distribution, hence the concept of vertical integration; "vertically related" businesses would be, say, a flour factory and a bakery. The word seems to have turned into cant, though; now it just means "stuff that's related to other stuff". So you get ad agencies spouting things like "high bidded content in your vertical", as if their purpose were not to actually communicate an idea but just to win a game of Scrabble.

The above missive arrived right next to this other magnificent creation:

From: Stephen <hotescortreviews@gmail.com>
To: dan@dansdata.com
Subject: I would like to exchange links with your site
Date: Tue, 4 Dec 2007 0:38:42 -0800

Dansdata, [I do love that personal touch!]

I visited your site today, and I enjoy the information your provide. I
run an adult site similar to yours, and I was wondering if you would
like to trade links with me? You can see my site at
"http://www.hotescortreviews.com". I ask for this link exchange because
I feel our sites are closely related in topic, and a link exchange
would benefit us both. My website also has a page rank of 2.

If you exchange links with me, I will list you on my site. I can put
your banner/link on my directory page
here:http://www.hotescortreviews.com/HERDirectory.html, and I can put
you in a category which is related to your site. Our site is gaining
more visitors by the week, and getting your link on my site guarantees
you future traffic and customers, which increases your bottom line.

Please let me know if you have any questions or comments. If you wish
to add my link, you can add the HTML code below to your site:

[link code redacted]

If you would prefer to exchange banners, you can find my banner on this
page:http://www.hotescortreviews.com/Links.html. You can just right
click on it and download.

Best regards,

Stephen


Fake marijuana botnettery continues

It would appear that the previously mentioned "herbal marijuana" business (which, as I explain in that earlier post, is probably actually just a scam to harvest credit card numbers) is burgeoning.

From: "Bud Shop" <dancitep_yzpsoy@gte.net>
Date: Fri, 16 Nov 2007 14:05:42 -0700
To: "dan" <dan@dansdata.com>
Subject: Smoke up the bud

Do You Smoke Big Buddha Bud Or Any Other Legal Bud To Go Crazy ?

http://shabaaloo.com

My buddy Mark stopped hanging out with me because he now works at the post
office and has to do a piss test every other week. Just last week though, i
see him sparking up. I'm like "Dude are you smoking bud again??" and he is
all "Yeah! i bought ONE POUND of Legal Bud at cheapestbuds.com and i dont
need to worry, this shit doesnt come up in piss tests and its some potent
shit!" cheapestbuds.com is too good to be kept a secret.

One warning though, Dont drive with this potent bud.
My friend blasted up before going on his mailing route and he ended up
crashing the postal truck LOL.
Oh and he still smokes up the Legal Bud!

http://www2.shabaaloo.com

OR

http://3I.shabaaloo.com

The shabaaloo.com site being promoted here looks exactly the same as the previous thebudshop.net. Note also the mention of "cheapestbuds.com", which was perhaps an earlier URL for the same scammers. That's dead now, but all of the other ones are still up. The "www2" and "3I" subdomains spread the botnet hosting out even further.

Once again, these sites are all shuffling from one home broadband IP address to another, a technique I now know is called "fast-flux", which was apparently originally used to hide spam mail servers. Their nameservers occasionally seem to be pointing more than one domain at the same IP address - both shabaaloo.com and thebudshop.net were at 69.141.166.10 (someone's virus-infected PC on a Comcast address) when I first checked. Mere moments later shabaaloo had moved to 75.22.25.116 (another zombie, this time connected via AT&T) and thebudshop had moved to 63.131.13.17 (Choice One Communications). Then shabaaloo was 82.10.184.121 (NTL Internet, a UK ISP) and thebudshop was 70.92.159.113 (Road Runner). The subdomains all have their own separate changing addresses, too.

Thebudshop's nameservers are still ns1.b4cf5f189.com and ns2.b4cf5f189.com; those are currently at 68.16.9.22 (AT&T) and 75.66.195.228 (Comcast), respectively. NS1 has stayed the same since I first checked four and a half days ago, but NS2 has changed at least twice since then.

The DNS entry for shabaaloo.com lists no fewer than five nameservers - four is the usual limit. It's got NS1 through NS5.b4cf5f189.com. As I said in the comments for the previous post, that probably makes it virtually invincible, at least by spam-site-hosting standards.
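An added example, not from the original post: a heuristic that profiles each domain's A-record history and flags the fast-flux pattern described above, plus the shared-address overlap between the two domains. The IP addresses and ISPs are the ones quoted in the post; the lookup times, the `stable.example` control rows and the thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Lookup:
    minute: int   # constructed: minutes since the first lookup
    domain: str
    ip: str
    network: str  # ISP named in the post; a real pipeline would map IP to ASN


# A-record answers and ISPs as quoted in the post. Lookup times and the
# stable.example control rows (documentation address range) are constructed.
LOOKUPS = [
    Lookup(0, "shabaaloo.com", "69.141.166.10", "Comcast"),
    Lookup(0, "thebudshop.net", "69.141.166.10", "Comcast"),
    Lookup(1, "shabaaloo.com", "75.22.25.116", "AT&T"),
    Lookup(1, "thebudshop.net", "63.131.13.17", "Choice One Communications"),
    Lookup(2, "shabaaloo.com", "82.10.184.121", "NTL Internet"),
    Lookup(2, "thebudshop.net", "70.92.159.113", "Road Runner"),
    Lookup(0, "stable.example", "192.0.2.10", "ExampleHost"),
    Lookup(1, "stable.example", "192.0.2.10", "ExampleHost"),
    Lookup(2, "stable.example", "192.0.2.10", "ExampleHost"),
]


def profile(lookups):
    """Summarise each domain's A-record history in time order."""
    by_domain = defaultdict(list)
    for row in sorted(lookups, key=lambda r: r.minute):
        by_domain[row.domain].append(row)
    summary = {}
    for domain, rows in by_domain.items():
        changes = sum(1 for a, b in zip(rows, rows[1:]) if a.ip != b.ip)
        summary[domain] = {
            "lookups": len(rows),
            "distinct_ips": len({r.ip for r in rows}),
            "distinct_networks": len({r.network for r in rows}),
            # Fraction of consecutive lookups that returned a different address.
            "change_rate": changes / (len(rows) - 1) if len(rows) > 1 else 0.0,
        }
    return summary


def looks_fast_flux(p, min_ips=3, min_networks=3, min_change_rate=0.5):
    """Assumed thresholds: many addresses, spread over unrelated access
    networks, changing on most lookups. Ordinary round-robin DNS or a CDN
    rotates addresses too, but inside a small number of hosting networks."""
    return (p["distinct_ips"] >= min_ips
            and p["distinct_networks"] >= min_networks
            and p["change_rate"] >= min_change_rate)


def flagged_domains(lookups):
    return sorted(d for d, p in profile(lookups).items() if looks_fast_flux(p))


def shared_addresses(lookups):
    """Addresses that answered for more than one domain, which ties the
    domains to the same pool of infected machines."""
    domains_by_ip = defaultdict(set)
    for row in lookups:
        domains_by_ip[row.ip].add(row.domain)
    return {ip: doms for ip, doms in domains_by_ip.items() if len(doms) > 1}


if __name__ == "__main__":
    for domain, p in profile(LOOKUPS).items():
        print(domain, p, "FAST-FLUX" if looks_fast_flux(p) else "ok")
    print("shared:", shared_addresses(LOOKUPS))
```

The same profile can be run over NS-record answers to catch nameservers that move between lookups.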

When botnets first hit the news, many people (me included) had some difficulty figuring out what they were for, exactly. Yes, you could use them to send spam, or to launch denial-of-service attacks, or as your own personal massively parallel supercomputer for cracking encryption or something. But none of those features sounded hugely marketable.

Bulletproof hosting for any site you want is different, though. There are plenty of people who already pay big bucks for that.

I think we'll be seeing a lot of spam-scam sites shifting to botnet hosting soon. Perhaps that'll be what it takes to get the major ISPs to start actually disconnecting people whose computers are part of a botnet. Thus far they've resisted taking such action, despite being urged to do so by such minor entities as the US Government for going on three years.

One might cynically surmise that the lack of action is because there's no money to be made in disconnecting zombies. Actually, there's money to be lost; even if all you do is direct all of the customer's Web requests to a "you've been quarantined" page with information about antivirus software, you're still going to get irate support calls that'll rapidly eat up every penny the customer's paying you. If you cut 'em off altogether, they'll probably tell all of their friends that you're a terrible ISP, and may file complaints with their credit card company. It's a nightmare.

And botnet members don't generally actually use a whole lot of the ISP's precious bandwidth, either. J. Random Hacker with his squeaky-clean computer that's downloading TV all day is the user an ISP really wants to cut off.

And if every ISP doesn't adopt a no-zombies policy, at least some disgruntled customers are not going to actually put their house in order - they'll just switch to an ISP that'll let their lurching zombie of a PC onto the Internet.

Here's a good article about the current sad state of affairs. Busting the people who set up the botnets seems to be the most promising course of action. That strategy hasn't exactly stamped out spam so far, though.

More tales from the online Wild West

Everything old is new again. It's been years since I got any spam trying to sell me legal herbal smoking mixtures, but here they come again. But, this time, there's a lot more to the scam than meets the eye.

"Legal weed" concoctions seldom have any more actual effect than does snorting a fat line of baking powder. They invariably, however, have names that make them sound as if just opening the bag and taking a sniff would blow Bob Marley's head clean off.

This time, the spam's trying to sell "Big Buddha Bud".

Or, as I discovered when I searched for that string, perhaps it isn't!

It would appear that the Big Buddha Bud spams were, a week or three ago, promoting thebudshop.hk. That server had a protean IP address, shifting from one address that resolved to a home broadband provider to another, minute by minute if not second by second.

That could only mean that the site was being served by a botnet.

And that, in turn, probably meant that the site's only purpose was to harvest credit card numbers.

If, after all, you've got an online shopping site that can only be traced to countless virus-infected home PCs, why on earth should you bother actually sending anybody anything they've bought from you?

Thebudshop.hk is gone now, but thebudshop.net is alive and well. And its shifting IP address remains.

When I looked at it a few minutes ago it was at 75.208.93.134, an address in Verizon Wireless's allocation. Then it changed to 76.188.169.229, which is a Road Runner address. Then it was 63.131.13.17; that belongs to ChoiceOne, a bank! And less than a minute later, it resolved to 76.15.25.162, an Earthlink address. And then 76.247.75.67, which is AT&T. I doubt any US ISP will be left out, if I keep on checking.

(If you manually point a Web browser at any of the botnet IP addresses, by the way, you get an interesting little page that says "Coming Soon! Please check us back later... Ddos Protection by the leet boys ;)". This is an interesting thread to tug on, if you're after more information on this particular botnet.)

I had no idea it existed until this moment, but it turns out that this "botnet hosting" is a known phenomenon. It's a brilliant idea, too! Why use your army of zombified home PCs only to send spam, when you can also use it to host the super-dodgy sites you're promoting?

Botnet hosting seems to have taken great strides, as well. Sites like this are supposed to be flaky, but thebudshop.net looks rock solid (not to mention professionally designed!) to me. This botnet seems to be delivering the kind of super-distributed redundancy that major Internet companies dream about.

Another glimpse of the Dark Side

My spam had two high points today.

One of them was not the terrible news that the invaluable link directory at teksavers.com was REMOVING MY LINK OMG from their site because I had failed to respond to their repeated unsolicited requests for a link from this ancient motherboard review to http://www.teksavers.com/, with the title "Buy Sell Refurbished Cisco".

I simply cannot figure out why I haven't done that. Too late now!

Spam high point one was brought to me by the new wave of random-subject-lined replica watch ads, which seem to be sourcing their random words from a much more awesome dictionary than most.

My favourite so far is today's masterpiece, "Rainbow Kaleidoscope Ice-cream Egg Magnet".

I opened that message, hopeful to be given the opportunity to purchase this wonderful-sounding product. But all it contained was the usual link to an odd-named and inaccessible server where, I fear, no Rainbow Kaleidoscope Ice-cream Egg Magnet would be on sale anyway.

(The next one to arrive had the subject "Solid Prison Post-office Necklace Fan", which sounds much less appealing.)

Later in the day, I received this pearler:

Date: Sat, 10 Nov 2007 19:04:47 +0200
From: "Igal K." <igalkr@013.net>
Subject: Article contribution proposal to www.dansdata.com
To: dan@dansdata.com

I've stumbled across your site - www.dansdata.com and
I want to make you an offer regarding contributing uniquely
written Insomnia & Sleep Problem related articles to your site.

As you know - Creating unique content for your site is the only
way to get high rankings in Google and other Search Engines.
Copying Articles from Article Directories became obsolete
now that Google is penalizing sites with Duplicate content.

This is where we can help each other in a win-win partnership - I
have a staff of skilled writers creating articles about subjects
such as ( Just to to name a few ) :

      Insomnia Treatment Tips
      What Are Sleep Disorders
      Chronic Insomnia Treatment
      Sleep Aid Guides
      Sleep Disorders
      Sleeping Pills Help

The articles that I'm offering will be unique and were never
published on any articles directory or website, therefore you will
have the full benefits of a unique content that is published only on
your website - in Addition you have full rights to edit and tailor those
articles to your own liking and your website needs.

The only thing I want in return are 2 links pointing back to my
Insomnia Related site at the bottom of each published article.

So if you're interested in my unique win-win proposal please let
me know so we can start helping each other get Higher Rankings
in Google.

Igal K.

You know how sometimes you click on a result for some obscure search or other, and then find yourself on a site with a buggerload of Google ads and some real actual readable text... but that text doesn't contain any valuable information at all?

In fact, the text looks as if it could be customised, with a quick search and replace, to apply to any subject?

I'm betting that this is the sort of "content" that Igal's "staff of skilled writers" are offering my poor little site, which with its miserable thousand or so articles and laser-like focus on sleep disorders is clearly in need of Igal's assistance.

(Amazingly enough, I don't think dansdata.com contains even a passing reference to insomnia at the moment. Usually, subject-specific spam like this comes to me because someone found the word "sauna" on my site somewhere and decided that I therefore must be interested in ordering a few container-loads of Chinese pre-formed hot tubs. Heaven knows how Igal came up with the insomnia connection, in the absence of such an obvious link.)

I suppose it's possible that Igal really does have writers on staff. If that's the case, I imagine they're the inexpensive and quirky kind.

Igal's a wily one, too; he doesn't mention the URL of his special insomnia site in his spam.

But I'll betcha any of you unfortunate enough to be searching for information on sleep disorders will be seeing Igal's site soon. At least until Google catches on, yet again.

The cause and the cure

Another outstanding piece of mystifying spam:

Join the Thousands of Americans GETTING OUT OF DEBT!

Be DEBT FREE in as little as 12 MONTHS.

Please visit the link below and get a free debt consultation today. NO OBLIGATION!

http://eurocasinobj.com/indexd.html

Euro. Casino. BJ?!

Why, that's exactly the sort of URL at which I'd expect to find sensible debt reduction advice!

If you go to the root of http://eurocasinobj.com/, you find exactly what you'd expect to find - a casino site offering you a no doubt completely kosher $555 Welcome Bonus as long as you run the SetupCasino.exe file they want you to download.

http://eurocasinobj.com/indexd.html, on the other hand, redirects to the similarly mystifying URL http://heroesthai.com/, which is a generic Web-2.0-looking "Goodbye Debt" site.

And which, of course, is probably also a big fat scam.

It's an example of the peculiar rule of thumb which states that people with little money are easier to scam out of that money than rich people. Actually, "debt elimination" scams take it even further - they screw money out of people who have less than no money to start with!

A search of the Federal Trade Commission's site for "unsecured debt" is enlightening.

Sometimes the scammers claim that they'll negotiate with creditors in some special magical way that a normal customer couldn't, accept payment for doing so, and then just don't do anything. Genius!

The more creative scammers come up with a line of bull akin to that spouted by "tax protesters". There are a bunch of peculiar arguments in this category. Generally, they all assert that widely-held assumptions - like, for instance, the notion that it is legal to lend money at interest, or that when a person borrows money he personally now owes it to the lender, or that civilian courts are not military courts - are not true.

These arguments also have in common the fact that not a one of them holds more water than a tea bag.

The FTC's actual advice to people who're knee deep in debt is also useful. They advise debtors to seek out cheap-to-free credit counselling, and specifically avoid one-size-fits-all expensive "debt reduction" outfits.

Especially the ones with weird URLs.

A link-spam star

Herewith, another of my half-ridicule, half-public-service posts about Lousy Spam Offers.

And yes, it's yet another link-trading deal, with the usual complete lack of any trace of relevance between the sites the spammer would like linked. But this one has some special extra garbage all its own!

From: john@antique-engagement-rings.info
Date: Tue, 6 Nov 2007 09:06:38 -0500
To: dan@dansdata.com
Subject: dansdata.com....Link Exchange Request + Free Software Worth $200

Hi,

We at Antique Engagement Rings (http://www.antique-engagement-rings.info) would like to exchange links with
http://www.dansdata.com.

We have already placed a link to your site and your link can be found here:
null [not linked to anything]
As you know link exchanging is an excellent way to increase your overall profile and strength within the Internet community.

As an added incentive I have arranged with one of our sister sites (who specialize in Internet Marketing) to GIVE you software worth over $200, just for swapping links!

Please go to this page here to add your link:
[link starting with http://antique-engagement-rings.info:8080 ; the server doesn't answer requests on that port]

If you do not want to receive any further emails from us please click on the link below:
Click Here [another useless antique-engagement-rings.info:8080... link]

Best Regards,
John
antique-engagement-rings.info.

PS Details of the f-ree software, worth $200, can be found here:

http://www.internet-marketing-sense.com/1-2-3-in-just-6-weeks/

This also includes a f-ree course on how to get your sites to positions 1,2 and 3 in just 6 weeks.

I had to tidy this up a bit, since "John" is a big fan of using the <br> element for formatting.

But that "f-ree software" must be a big winner, too.

As I write this, a Google search for "antique engagement rings" turns up antique-engagement-rings.info not as result 1, 2 or 3, as you'd expect if they were using their own "f-ree software" and it worked, but as result... nineteen (for separate words or the phrase "antique engagement rings"), despite the fact that this exact search is a perfect match for their domain name.

This, and antique-engagement-rings.info's PageRank of zero, could be in some way connected to the fact that their site is self-evidently useless.
