I’ve recently posted a rant about spam and today, I’m going to add another one. This one is about a spammer’s trick that might fool a lot of people, especially those who don’t use a good spam filter. And I’m doing this because it might have fooled me, if there hadn’t been two flaws with it. First of all, it ended up in my spam folder, which suggests that something is wrong. Second of all, it was sent to the wrong email address.
First, let’s take a look at the spam itself:
Well, it looks good enough. LinkedIn does send these kinds of emails on a regular basis. I get plenty of those on my real LinkedIn account. But as I said, I received this one in my spam filter and on the wrong account. So, let’s look at the email a bit more, starting with the headers…
Delivered-To: firstname.lastname@example.org
Received: by 10.14.174.6 with SMTP id w6csp66709eel; Wed, 29 Aug 2012 08:00:37 -0700 (PDT)
Received: by 10.60.11.34 with SMTP id n2mr645244oeb.18.1346252436700; Wed, 29 Aug 2012 08:00:36 -0700 (PDT)
Return-Path: <email@example.com>
Received: from SNMZ227.leaseweb.com ([126.96.36.199]) by mx.google.com with SMTP id zm6si23150147obb.199.2012.08.29.08.00.35; Wed, 29 Aug 2012 08:00:36 -0700 (PDT)
Received-SPF: neutral (google.com: 188.8.131.52 is neither permitted nor denied by best guess record for domain of firstname.lastname@example.org) client-ip=184.108.40.206;
Authentication-Results: mx.google.com; spf=neutral (google.com: 220.127.116.11 is neither permitted nor denied by best guess record for domain of email@example.com) firstname.lastname@example.org
Date: Wed, 29 Aug 2012 11:00:36 +0000 (UTC)
From: LinkedIn Reminders <email@example.com>
To: firstname.lastname@example.org
Message-ID: <52203955.7448783.1913884201422.JavaMail.email@example.com>
Subject: There are a total of 1 messages awaiting your response
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
I’ve replaced my address with firstname.lastname@example.org, a dummy address. But if I look at these headers, I notice that it was sent via a leaseweb.com server, and not from LinkedIn itself. Leaseweb is a hosting provider with a bad reputation as one of the worst hosts, since they seem to host a lot of malware on their sites. The Bredolab botnet, for example, was hosted on Leaseweb servers, and Leaseweb also hosted part of MegaUpload. But Leaseweb is also one of the biggest hosts in Europe, so it’s no surprise that you can find lots of malware there: such sites are always a small percentage of the sites at any host.
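The same three facts that give this mail away can be pulled out of raw headers automatically. The script below is an added example, not part of the original post: it compares the domain the From: line claims with the host that actually handed the mail to the receiving MX, and reads the SPF result. The sample headers are constructed from the ones quoted above, with the placeholder domain linkedin.example standing in for the sender address.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post; the
# sender address uses the placeholder domain linkedin.example.
SAMPLE = """\
Received: by 10.14.174.6 with SMTP id w6csp66709eel; Wed, 29 Aug 2012 08:00:37 -0700 (PDT)
Received: from SNMZ227.leaseweb.com ([126.96.36.199]) by mx.google.com with SMTP id zm6si23150147obb.199; Wed, 29 Aug 2012 08:00:36 -0700 (PDT)
Received-SPF: neutral (google.com: 126.96.36.199 is neither permitted nor denied by best guess record for domain of reminders@linkedin.example) client-ip=126.96.36.199;
From: LinkedIn Reminders <reminders@linkedin.example>
To: firstname.lastname@example.org
Subject: There are a total of 1 messages awaiting your response
"""

def claimed_domain(msg):
    """Domain of the From: address, i.e. who the mail says it is from."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def handoff_host(msg):
    """Host in the topmost Received: line that has a 'from' clause: the
    machine that handed the mail to our MX (lower lines may be forged)."""
    for rcvd in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([\w.-]+)", rcvd)
        if m:
            return m.group(1).lower()
    return None

def spf_result(msg):
    """First token of Received-SPF:, e.g. 'pass', 'neutral', 'fail'."""
    value = msg.get("Received-SPF", "")
    return value.split()[0].lower() if value else None

def registrable(host):
    """Crude last-two-labels comparison; enough for this check."""
    return ".".join(host.split(".")[-2:])

def check_sender(raw):
    """Return findings that make a brand-name mail look forged."""
    msg = message_from_string(raw)
    claimed, host, spf = claimed_domain(msg), handoff_host(msg), spf_result(msg)
    findings = []
    if host and registrable(host) != registrable(claimed):
        findings.append(f"From domain {claimed} but handed off by {host}")
    if spf != "pass":
        findings.append(f"SPF did not pass for {claimed} (result: {spf})")
    return findings
```

A real filter would also check DKIM and the brand's published SPF record, but the domain mismatch alone is what the headers above show.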
But why would LinkedIn use Leaseweb? Well, they would not! This is just another sign that this is a real spammer. But let’s look a bit further, at the HTML code behind this email:
This shows the true intentions of this spam. The spammer wants to fool the reader into visiting a specific site. The site itself has nothing to do with the spam, except that it has been hacked without the site owner knowing it. And it’s not a malware URL, but a redirect to a Canadian pharmacy website. They want to sell Viagra and Cialis to the unsuspecting visitor. (Oh, dear! Those two words will most likely put this post in each and every spam filter!)
Well, not all spammers will send their victims to malware sites. In this case, they just want to get more visitors to buy little blue pills. They prefer to target American visitors, since the sale of these pills is more restricted in the USA than in Canada. In Europe, unknown to most, you can just buy similar products at the local pharmacy. That is, if you need them.
Anyway, the URL has the word “stupid” in it, which tells us how the spammer thinks about those who are fooled by this. Well, I wasn’t fooled but instead I investigated it a bit and contacted the site where the redirect was hosted. I’ve warned them about this URL on their domain and I expect it to be gone within a few days. If not, they might be held responsible for this spam, and for the (illegal?) sale of these types of drugs. Since they are a clinic of some sort, it could cost them their license if they don’t take additional steps against this.
But for now, let’s wait on their response on this post, and on my warning…