At least they're consistent

Today's "Significant message. You must to read" stock spam (sent to me, needless to say, from an XBL-listed chello.at IP address) was promoting Amerossi EC Inc, which it quoted at $2.05 with a five day target of $5.75.

As I write this, it's already at $1.65.

So now it must be on the cusp of a 3.5-times gain, not just the 2.8-bagger the spam promised! Wow!

Coincidentally, the other two stock spams I bothered to actually look at today are for "Tailor Aquaponics", current price 7 cents and target over the next "3-4 weeks" 26 cents (...or, in the same e-mail, "it will grow up to 70%", which would turn a seven cent price into only twelve cents, but who am I to question these brilliant and philanthropic investment counsellors), and for "Metropolis Technologies", currently 12 cents, target something-very-impressive on the strength of promised "HALLOWEEN DAY TRADE".

It would be churlish to point out that Tailor has actually already dropped to six cents and that Metropolis has fallen to ten, so I won't.

Besides, these insignificant drops are plainly just the calm before the storm. Everyone out there with an IQ of 50 and a stock trading account (apparently there are millions of you), get on the bandwagon now, before it's too late!!!1!


Today's spam detective story

I have, for maybe a week now, been receiving empty spams with the subject line "www.download.com brings Daemon Tools to you!".

Daemon Tools is, of course, real and useful and free, and popular with many disreputable people, which is no doubt why this spammer is pretending to be the also-perfectly-valid download.com to scam people into downloading Some Damn Thing under Daemon Tools' name.

But I couldn't figure out what the deal was with this particular empty-spammer, since I kept getting the messages, and they kept having no body.

Spams with no body are common enough. Along with the spams that have a subject line that says something like "Get bigger Peeniss %RANDWORD%" and a body that says "%RANDWORD% %BODY% %RANDWORD%", they're the result of spammers who haven't yet mastered their $2,000 WORTH OF FREE MARKETING SOFTWARE PLUS+PLUS 14.8 MILLION TARGETED, TRIPLE OPT-IN EMAIL ADDRESSES that they bought last week for $129.99. I guess those guys are often confused by the fact that their $2000 worth of software seemed to consist mainly of Sourceforge download links.

Even those guys generally sort it out after a little while, though. There's got to be a pretty small intersection between the sets of people smart enough to send mail at all and those so dumb that they don't notice they're sending a bunch of empty messages.

So why was I getting the same empty message over and over from this spammer?

When I looked closer, it all became clear. My last line of defense shows, as you'd expect, the subject line of an e-mail - but only one subject line. If an e-mail has a multi-line subject, complete with linebreaks, I only get to see the whole thing if I preview the message and click the View Source button.

Doing that with these "empty" spams revealed the subject line to be:

www.download.com brings Daemon Tools to you!
We provide you best software for free!\r\nCheck this one: newest Daemon Tools 4.0.6 AVAILABLE FOR DOWNLOAD NOW at http://woodpecker.host.sk/daemon406-x86.exe\r\nCheck more on http://www.download.com and register to obtain more outstaind links every day.

So there you go. It's not as bad as the spammers who, a couple of years ago, kept sending me messages with subject lines megabytes in size (which completely paralyse various mail-processing programs which expect a subject line download to take a trivially brief period of time), at least.
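As an added illustration (not code from this post), here is a small Python check for the trick described above: it unfolds a multi-line Subject header, reports what a one-line message list would show versus hide, and flags oversized subjects. The sample message, the example.invalid names and the 2048-byte limit are constructed assumptions.

```python
import re

# Assumed local policy limit, not a standard: longer subjects get flagged.
MAX_SUBJECT_BYTES = 2048
URL_RE = re.compile(rb"https?://[^\s<>]+")

# Constructed sample: empty body, Subject folded over three physical lines.
SAMPLE = (
    b"From: sender@example.invalid\r\n"
    b"Subject: www.download.com brings Daemon Tools to you!\r\n"
    b" We provide you best software for free!\r\n"
    b" Check this one: http://example.invalid/setup.exe\r\n"
    b"\r\n"
)

def subject_lines(raw: bytes):
    """Return (physical lines of the last Subject header, message body)."""
    head, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    lines, in_subject = [], False
    for line in head.split(b"\n"):
        if in_subject and line[:1] in (b" ", b"\t"):
            lines.append(line)  # folded continuation line
        elif line.lower().startswith(b"subject:"):
            lines, in_subject = [line[len(b"subject:"):]], True
        else:
            in_subject = False
    return lines, body

def inspect_subject(raw: bytes) -> dict:
    """Unfold the Subject and report what a one-line list view would hide."""
    lines, body = subject_lines(raw)
    unfolded = b"".join(lines).strip()  # unfolding = dropping the line breaks
    shown = lines[0].strip() if lines else b""
    hidden = unfolded[len(shown):].strip()
    urls = [u.decode("latin-1") for u in URL_RE.findall(hidden)]
    oversized = len(unfolded) > MAX_SUBJECT_BYTES
    return {
        "shown": shown.decode("latin-1"),
        "physical_lines": len(lines),
        "subject_bytes": len(unfolded),
        "hidden_urls": urls,
        "empty_body": not body.strip(),
        "oversized": oversized,
        "suspicious": oversized or bool(urls and not body.strip()),
    }

if __name__ == "__main__":
    for key, value in inspect_subject(SAMPLE).items():
        print(f"{key}: {value}")
```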

The daemon406-x86.exe file they're trying to get you to download, by the way, is 59 kilobytes bigger than the real one, and I don't know what it is. Trend didn't have anything to say about it.

It's got header data from the standard Windows CAB file extractor WEXTRACT.EXE, but Wextract is only 64 kilobytes, while this thing is 1,591,296 bytes, which suggests a large payload.

Actually, the spam-file has headers from the Polish 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) version of Wextract; perhaps that's bigger than the English one I've got here. It's the Polish version presumably because the spammer is Polish, a theory supported by the fact that this particular edition of the spam, at least, came from this IP. That's hosted by tpnet.pl, which, as I write this, is number nine on the Spamhaus Top 10 List.


Spam subject of the day

Today's spam subject line most suited to being made into a Spamusement cartoon:

"cant figure out what to get this christmas? amputate"

More investment opportunities

The "Very Important letter. You require to read"/"Significant letter. You need to read."/"Grand message. You should to read."/"Weighty letter..." spam-flow looks to be a stayer. It's moved on from TXHE (who have not, you'll be startled to learn, found a trillion barrels of oil under Louisiana) to MXXR, "Matrixx Resource Holdings".

The Stock Spam Effectiveness Monitor only looks at occasional examples from the cavalcade of pump-and-dumps, but there are several other places you can look if this area of human endeavour interests you.

Spamnation is another site that collects and talks about at least some of the non-stop torrent of penny stock spam; here's what they have to say about MXXR. Apparently the spamming's all a big surprise for some dude called Mike.

(It probably genuinely is a big surprise. Lame stock spam scams aren't usually run by people who have anything to do with the small-volume, low-value penny stocks involved. Oh, and you keep getting these things because they really can work. For the scammers, obviously, not for you.)

Stock scams are also but one of the entertainingly many tracked and discussed by Quatloos!.

Der Schpamfest continues

I wonder if any valid Web sites have ever, in the entire history of the world, been hosted at pochta.ru or mujweb.cz.

I suppose a non-spam e-mail must have been sent from a 163.com server at some point, too.

Bonus points went to the mujweb.cz phish that had a header line that said "X-Mailer: cup 12 bodice rippers".

I also rather liked the one with the subject line "[PHISHING] If we had to write down all the privileges of Viagra Pro, there would be no forests left in the world".

Now, I of course in no way object to being given the opportunity to purchase Vuaeogra, Lioitra, Giaolis, Fermeine, Troepocia, Ambion, Valoyum, Xanax (wow! A correctly spelled one!) or Soaeomme. It's the bracketed part at the beginning of the subject line that interested me.

None of the mail filters at my end add those [SPAM] or [PHISHING] bits to the fronts of subject lines, so I suppose it's possible that the spammers' own SMTP server did it. However, I think it's just as likely that the spammers did it deliberately, for some reason known only to the bean-like brains of petty online criminals.

Given that this was indeed a Viagra spam, not a phishing attempt, deliberately labelling it as phishing is kind of like some dude coming out of your house carrying your TV and saying "Hey, man - I know what it looks like, but I'm actually setting fire to your car!"

The single spam I feel most privileged to have received in the somewhat recent past, however, was definitely "Your Computer It Is In Ouer Base Of Dates".

We will not see its like again.

(Steven Frank seems to have summoned the energy to start updating Spamusement again, by the way. Hurrah!)


Poor little phishies

Along with mail from those people who think recipients will not find it odd that they're being e-mailed by someone called "Sealant L. Circulating" (I suppose there are some people who'll fall for anything), and the joyous news that I've won the "MICROSOFT WORD LOTTERY, UK", I get, you'll be astounded to learn, a lot of phishes.

One eBay phisher kept spamming me over and over and over again about my alleged failure to send him a "K - SWISS Verstad, BRAND NEW, UK Size 9.5, Color NAVY"; I've also received numerous identical phishes from someone claiming that I've bought "1915 Amatuer SG Photo BATON ROUGE LA. Capitol Bldg", and from someone else who keeps pretending to be an eBay user called "nascar*stuff*".

Perhaps repeating the spams in these situations actually helps, since if someone really did have a financial dispute with you then you could expect them to keep complaining. But sending the exact same spams to many recipients is, like sending variations of the one spam to a single recipient, a less clever move.

Anyway, back in the mists of time, I used to submit the spam I received to SpamCop. I've long since stopped doing that, since even direct e-mail submission took too much time (though it did provide occasional amusement - somewhat NSFW, I should think...). I used the Blue Frog auto-submitter in MailWasher until the bad guys won; now I just delete what spam makes it through the ISP filters.

I have, however, been submitting phish to an online reporting service for a while now. I've been using CastleCops' Fried Phish/PIRT for long enough that most of their four digit captchas are already in the drop-down autocomplete menu (boy, that's helpful!), and just the other day discovered the brand new PhishTank, as well.

PhishTank is meant to allow easy community-based evaluation of the phishiness of URLs, as opposed to CastleCops' cabal of "Handlers"; deem usual Britannica-vs-Wikipedia argument to have been included here.

I agree with the Schneier on Security commenters who say that competition isn't a good thing in this situation, but fortunately PhishTank openly thank CastleCops for their free bad-URI list (I wonder if they'll work with URIBL too?).

So I presume that, in due course, the CastleCops and PhishTank databases will be more or less as one, and we can all get down to the important business of helping out those nice people at "The Paypal Department".

Today's addlepated spam

This day, I have received a bunch of spams that are all from a dictionary-chosen firstname and lastname with a randomcharacters@randomdomain.com e-mail address, with the subject "Firstname Lastname wrote:", and the body

hi Firstname i hope this is your e-mail.
I was glad to see you the other day. I expect you was excited about   New York.
So much so much happening all the time, lots of great opportunities.
And speaking of opportunities, the deal I was speaking you about yesterday included a company
known as Tex-Homa (TXHE).
It's already growing up, but the big announcement isn't even
out yet, so there's still time. I have got this shares already and made
2000. I recommend you to do the same today.

Hope this helps you out. I'll see you this weekend.
Yours Firstname Lastname

Note that the spams are all, according to them, sent from someone to themselves. Which would appear to somewhat sabotage their value as "accidental" mails that someone meant to send to someone else. And then there's the fact that I've received six of them, all "from" different people, but otherwise identical.

This sounds like a job for... the Stock Spam Effectiveness Monitor!

(Oh, and it's good to see that other people have been getting the same steady flow of thesaurusised "Very important note. You have to read." spams for GDKI.PK that I have.)


Spam-bits

The award for Spam Subject Line That Sounds Most Like An Academic Paper Title, Shame About the Spelling, goes to...

"Towards Healthy Spermatazoa"

And the winner of the hotly contested Trophy for the Least Appealing Subject Line Ever:

"buttmunch628@aol.com wants to 3D Chat with you!"

I thank you.
