One more spammer: Adobe!

Posted on 2014/01/13 by W.A. ten Brink

I like to use email aliases for every online subscription and registration I have to fill out. I like this because it allows me to recognise if companies are going to spam me or not. I also make sure that any checkbox for extra mails that is checked will be unchecked. Unfortunately, not all companies care about that.

One of them is Adobe, well-known from it’s PFD reader but I also happen to use Adobe Lightroom, which requires an online registration. Which I had to fill in, else I would not be able to use the software properly. Okay, so I did. And I used an alias.

Today, I received an unreadable email because the images inside are blocked by my mail reader. They seem to have given or sold my address to kieseentablet.nl who likes to spam many people with all kinds of garbage. I think they’re trying to sell me a DVD box in this message, but I’m not sure and don’t want to know. Viewing those images would mean that my mail reader has to contact their servers with a special code, and that code will validate my address.

I have reported it to SpamKlacht and I hope they will take action against this spammer and against Adobe. Adobe is just as guilty for not keeping my address safe. They violated my privacy by sharing that address with others.

I will show the headers of this email, though. And I hope most spam-filters will pick this up and add this spammer to the blacklist. They should blacklist Adobe too, in my opinion, because this pisses me off! I expect some small internet-companies will leak my address but Adobe is supposed to be a serious, big international company. They just don’t care about their customers, that is clear…

Received-SPF: pass (google.com: domain of bnc-24-data_sendout_1389545845_715_57-74@bounce.kieseentablet.nl designates 178.32.7.217 as permitted sender) client-ip=178.32.7.217;
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_cc78254c8040f1935d8f257c8e3ed1ee"
From: "Welkomstgeschenken Kies een Tablet" <nieuwsbrief@kieseentablet.nl>
Reply-To: leden@kieseentablet.nl
Subject: U ontvangt de complete Penoza DVD box
To: xxxxxxxx@xxxxxxxx
Date: Mon, 13 Jan 2014 08:38:23 +0000
Message-ID: <1389602303-567845345AB@kieseentablet.nl>

One week of spam…

Posted on 2013/10/10 by W.A. ten Brink

Yesterday, I posted about comment spam in blogs. Today, I’m going to mention a few topics of spam messages I’ve received in just one week. Ti begin, I’ve received an email from the “Microsoft Partner Awareness Team” who doesn’t seem to have a Microsoft mail account but some address in Nicaragua. The topic is “Confirm Receipt” and in it they tell me that they celebrate some 30th anniversary and as a result, this team is giving away £1,864,000.00GBP to six lucky recipients. And I’m one of them and need to reply with name, address, telephone number, email address and nationality. A nice example of phishing.

Next, a message about Canadian Pharmacy Online, where I don’t need prescriptions. Well, I don’t need these drugs either.

And a message from “WhatsApp Messaging Service” notifying me about a new voicemail, even though I don’t have a WhatsApp account for this specific email address. Since the sender is from Russia, I’m not interested in listening. Even though they’ve sent me this message twice…

The next one is a very good one, since it’s from the Google+ Team and uses mail-noreply@googlemail.com as address. Seems legit, doesn’t it? Too bad Google Mail happens to be the same as GMail, so the spammer is using this free service to pretend to be Google. The attached PDF promises £ 950.000 to me as an award and all I have to do is fill in a form with name, address, telephone number, nationality, birth date, gender, occupation and email address. Definitely phishing!

Of course, most phishing emails will promise huge rewards to people, as the one I’ve received from Italy. Some investors have 375 million euro which they want to give away. These huge amounts just make it very clear it’s just fake.

Then some more pharmacy messages and other offers for all kinds of medicines and certain ‘blue pills’. Of course, this kind of spam is also very popular, apparently because one in a million people still decide to buy their drugs this way…

But there are more ways than offering money or selling drugs. I also received a spam message with a pretty woman in bikini. Her name is Valeriya and she lives in Russia and is rather shy at first. And she wants to be pen pals with me. Oh, my… Dating spam! Another trick to get people to offer personal details or even to trick them into sending money to this pretty girl. Or maybe just a fat guy who pretends to be a pretty girl, since that’s more common. Still, even if this girl was real, chances are that she’s just out to steal your wallet and everything else you have. By the way, Irina also wants to chat with me. She enjoys hiking and pottery.

Then an email in the German language offering me a method to win at roulette in some online casinos. Ah, the old gambling site spam. Fits with the other spam message which is written in Dutch and offers me a chance to win the jackpot. They even promise me 100 euro as a bonus when I subscribe. Or the one where they’ll give me 20 free lottery tickets while they claim I’ve officially subscribed to their mailing lists in the past. (Which I never did, since the specific account that received the spam isn’t used to subscribe to anything.)

Then some message which advises me which stocks I should buy on the stock market, since they’re about to become valuable. Sure, for the person who is selling them right now! If plenty of people start bidding, the price will go up from nearly worthless to a few pennies per stock. If they then manage to sell a million stocks, it’s easy money with a huge profit, in a way that’s mostly legal.

And sometimes you receive an email that looks just a bit gibberish, yet makes you curious. People tend to reply to those kinds of messages, asking the sender what’s going on here and what they meant by this message. And thus they confirm their email address is correct. And since many people add a signature to their emails, the sender will get to know a bit more about the recipient. If the recipient happens to work for some company and the company adds signatures, then the spammer might have enough information to pretend he’s that employee!

The emails from “USA TODAY News” are also interesting. Sent from an outlook.com address, it provides me information about losing weight. Apparently I’ve subscribed to their newsletter too (NOT!) and I can unsubscribe and thus confirm the correctness of my email address. Strangely enough, the unsubscribe link points to a Russian website. USA Today seems to be in Russia?

In short, I have three email accounts on my domain and an infinite number of aliases on my domain and a few other domains. I also have two old GMail accounts that I barely use but in total, I receive about 20 spam messages per day over all accounts, which Google nicely detects and filters for me. They’re annoying but Google takes much of the annoyance away. Handy, because I also receive about 60 to 100 legitimate emails per day, mostly from mailing lists.

All these spam messages were easily detected by Google and you can wonder if spam is really as profitable as it seems. But it’s the magic of big numbers that’s in the favor of spammers. If they’re sending one million messages, and only one percent reads the message then it’s still read by ten thousand people. If only one percent of those are responding with some information then they’ve collected the information of 100 people. And if one percent of those fall for their traps and the spammers earns a few thousands of euro’s then they’ve probably made a nice profit.

Basically, people should not respond to spam. They should recognise what spam looks like, which is why I’ve written this post. Do not even open spam just to check the contents since your mail reader might already offer spammers with some information. I am a trained professional and I know what I’m doing when I check spam. My browser is set up in a secure way, my antivirus software is always up-to-date and I am really careful with spam messages and I avoid mail readers that might send information back to the sender. Then again, I have more than 20 years of experience dealing with malware, viruses and spam. Don’t expect that you can do that even someone with 20 years of experience tries to avoid! Because I think education is important but I would have preferred to throw away all those messages without even a single look!

And another stupid spammer…

Posted on 2013/10/09 by W.A. ten Brink

Many people complain about all the spam in their mailboxes but when you’re running a blog, forum or even a simple contact page where visitors can leave messages, you can still receive spam in some other forms. With Facebook and Twitter, for example, you might get invitations by people you don’t even know. With LinkedIn, this is a bit more difficult but it still has people attempting to connect to you so they can make all kinds of “interesting” offers to you.

But today I’ve received a comment spam on my post called “Dealing with deadlines” and it started like this:

{I have|I’ve} been {surfing|browsing} online more than {three|3|2|4} hours today,
yet I never found any interesting article like yours.
{It’s|It is} pretty worth enough for me. {In
my opinion|Personally|In my view},if all {webmasters|site owners|website owners|web
owners} and bloggers made good content as you did, the {internet|net|web} will be {much more|a
lot more} useful than ever before.|
I {couldn’t|could not} {resist|refrain from} commenting.
{Very well|Perfectly|Well|Exceptionally well} written!|
{I will|I’ll} {right away|immediately} {take hold of|grab|clutch|grasp|seize|snatch} your {rss|rssfeed} as I {can not|can’t} {in finding|find|to find}
your {email|e-mail} subscription {link|hyperlink} or {newsletter|e-newsletter} service.
Do {you have|you’ve} any? {Please|Kindly} {allow|permit|let} me {realize|recognize|understand|recognise|know}
{so that|in order that} I {may just|may|could} subscribe.

Well, that’s an interesting comment. (Full text here…) Basically, this is a script file that’s used by spammers to create random comments for blogs and forums. And normally, spammers will just use a selection of words and sentences from these script files to generate something a visitor might have written. And the many variants make it harder to detect as spam. Unless you’re giving the master script, of course, like this stupid spammer has done.

If I would allow this message, someone with a Canadian IP address (142.4.208.160) would be able to add more comment spams on my blog and might even flood fill it with spam, once they got their first approval. Of course, the spammer also used an email account (augustuscolangelo@freenet.de) from the German provider called Freenet and they have been used many times by spammers. They’ve taken steps to prevent spammers to send mass emails but that doesn’t stop spammers from doing comment spams like this one.

Also interesting is the fact that the spammer added a link to foot-en-direct-gratuit.sixsigmadss.com (Links to main site, not the spammers blog) which happens to be some blog on the site of an Indian company called “Six Sigma”. I wonder if this company even knows about this blog, that’s written in French. I guess they don’t know about it, but that their DNS information has been hijacked. Or maybe their servers are hacked.

So, what I like to do is visit RobTex to collect more information about what I’ve found. So far, it’s an interesting international spammer. Mail in Germany, spamming from Canada with a web server that’s owned by a company in India. RobTex tells me the shared host they use for the site is Enzu in the USA, which provides cloud services and more. They also use the DNS services of GoDaddy which does confuse me a bit. Why not use the DNS servers of Enzu?

Well, some further research tells me why. While Six Sigma uses GoDaddy as their host, the spammers have instead used Enzu to create their own website, which makes them appear legitimate. They’ve also moved the regular site to Enzu, and are probably redirecting visitors from there to the original website. (Or Six Sigma is supporting the spammer, which is also an option. I just don’t want to accuse them of this crime.) When I visit the Six Sigma website, it does seem as if someone has taken over control over their site. Much of it looks disabled, as if the hacker is just misusing the site for their own purposes. It looks like it’s been taken over two days ago by the hacker, yet they did not detect the hack at this moment. I hope they will be able to fix this fast, though.

Of course, there’s an even bigger risk here. Since the spammer seems to have hijacked their home site, he can play a man-in-the-middle attack. Every customer of them who enters their credentials to log in will tell this hacker about their credentials too. This is a serious thing. Spammers are often trying to do more than just send spam. They will try to collect more information to allow them to hack even more accounts.

There are a few things here that worry me. First of all, this Indian company that doesn’t seem to realize their site is hacked. Also, GoDaddy, who is supposed to be their host, isn’t hosting their main site. Also, Enzu doesn’t seem to realize that they’re hosting a site for an Indian company that uses the French language for a blog that seems filled with random articles from French/Canadian news sites. You could wonder if hosting companies should be able to check if strange things are happening to the accounts of their customers.

Yeah, I think you can blame hosting companies for all the spam on the Internet, simply because they’re not pro-active when suspicious changes are made to the accounts of their clients. If hosting companies take more care in selecting their clients, validating any account changes and don’t even tell their customers when their accounts seem to be hacked, then spam will just continue to cause problems.

Continue reading →

Nigerian bankers are from China?

Posted on 2013/01/15 by W.A. ten Brink

I just can’t help posting one more spam message here, as an example of how spammers run. This time, a very well-known Nigerian 419 spam message where the spammer is trying to collect sensitive information about those whom he’s spamming.

Interestingly enough, many people tend to share this information freely on the Internet already. With sites as Facebook and LinkedIn I would think spammers would not even need this information. Well, except for the bank account numbers, of course. And maybe the phone number.

So let’s look at this message, that seems to be Nigeria. Or China. Or Russia, if I read the mail headers.Well, what does it say? It’s about a contract or inheritance file that’s at some desk in Nigeria. I don’t have a clue what it’s supposed to do there, but they have it. Who? Well, The Central Bank of Nigeria, of course. (Yeah, that link goes to the real site!) It seems that I am dealing with some non-officials about this case and that’s supposed to be illegal. The Board of Directors held a meeting to give me a solution, though. They’re willing to pay me the $950,000.00 that’s in some online account which is supposed to be mine. I need to give some details to them which would allow me to log in to my account so I can transfer the money to a different account. And I must stop discussing about this with anyone else, so this post on my blog must be illegal.

Okay, I’m not stupid. The fact that Google dumped this in my spam folder is the first warning. The red warning above the post is the second warning. Even if I’m a complete idiot (and I sometimes am one) then these two warnings should trigger plenty of alarm bells, making sure I won’t respond to this. But I’m interested in the mail header too.

Sure, first thing I’ve noticed is another warning: “domain of infocbn@cbn.com does not designate 178.75.0.110 as permitted sender“.

It was sent from Webasto, which happens to be a Russian company that creates air conditioning systems for automobiles. Maybe the Nigerian Board of Directors is in Russia?

And I need to send a reply back to an email address provided by the email services of the Chinese Yahoo website.

Also, even though they knew my email address (helpdesk@~~example.com~~), they did not know my name. Or anything else, even. But they seem to know that I’m dealing with non-officials, though.

So, am I dealing here with Russian Nigerians who live in China? Or Chinese Nigerians living in Russia? I don’t know. This is just spam and it’s too ridiculous to even consider believing it. I can’t understand that anyone would be fooled by something stupid like this, yet it happens. At least, it happens often enough for these spammers to continue their attempts. Just send a million of these messages and hope that an Idiot will respond to it. If one in a million people are idiots, they tend to have a reasonable chance of success.

Also interesting is the reference to CBN, which isn’t the Central Bank of Nigeria. It’s the Christian Broadcasting Network. Close enough, I guess.

The true Central Bank of Nigeria has an official warning about 419 scams on their website. A check with RobTex seems to confirm this site is the real website. The fact that it’s a .ORG domain still makes me a bit suspicious but fortunately, there’s also an official gov.ng site, which happens to be a bit slower. All this spam isn’t just annoying for me and other recipients, it’s also bad for the Nigerian government and their bank.

It amazes me that these Nigerian 419 scams still continue for more than a decade. Especially since these emails seem to be so extremely fake that I just wonder if people are just fooled by these spammers simply because they try to scam the spammers themselves. And in trying to do so, they just happen to give away too much real information.

The best response to these kinds of emails is to either ignore them or by warning others about these kinds of emails.

Spam: Once more, with feelings…

Posted on 2012/12/12 by W.A. ten Brink

Sometimes, a spam message can look very tempting to the reader. I recently received the following message that’s just too good to be true. Fortunately, my spam filter did move it to spam already…

Dear Friend,

This is a personal email directed to you.

I and my wife won a EuroMillions Jackpot Lottery of Ј148m EuroMillions in August.
We have decided to donate the sum of Ј2,000,000.00 Pounds to you as part of our own
charity project to improve the life of 5 lucky other individuals all over the world.

All you have to do is get back with us so that we can send you details to the payout bank.

You can verify this via the two link below.

http://www.dailymail.co.uk/news/article-2187999/
http://www.national-lottery.co.uk/player/p/goodcausesandwinners/winnersgallery.ftl

Adrian And Gillian Bayford
Email: adriangillian-bayfords@maildx.com

Strangely enough, the sender happens to be adrian.gillian.bayforddonationdesk@hotmail.co.uk but the email in the message claims otherwise. A check of that MailDX address shows that it’s just another free email provider, like Hotmail, Yahoo or GMail. Since the sender is also a free mail account, I just consider these throw-away accounts. They use it to get your attention and they hope to collect enough information before the free providers will close the account again. And, the trick here is that they use two providers, so one account is closed for sending spam reasonable fast, but the other will continue to work a bit longer. A simple trick, but reasonable effective.

Also interesting is that they did not include any fake URL’s or made up a fake story. The real Adrian And Gillian Bayford did win a nice amount in the national lottery. A nice 148 million in British pounds. Not bad! And sure, they could decide to give away a small part of that amount to a few lucky others, but how would they chose those people? Ask yourself: if you would give away a large sum of money, how would you decide the person who should receive it?

Right! You would not pick a random person from a mailing list. Especially not when that mailing list happens to be used by spammers to spam people. I know it’s on a spam list since I tend to receive several other spam messages on the specific mail alias that has received this message. Anything I receive on that list is most likely spam anyways. Doesn’t bother me, though. My mailbox has a powerful spam filter and the account is just an alias that I can close and discard. It’s just fun to see the kind of tricks spammers will use. And some of their tricks are very sophisticated! Besides, it helps me to recognize those spammers.

So, except for the fact that it was already marked as spam, what other things told me it was spam? And most likely a phishing mail? Well, first of all it sounded too good to be true. Also, a quick Google-search revealed an article on SpamFighter warning people about this message! It never hurts to just search on Google to check if some message is spam or not! The two different email accounts also warned me, especially since both are free accounts. Registering a domain name is not expensive. And by using Google Apps you can also add a mailbox with unlimited aliases to your domain, again for a low price. So this couple could have easily created a real domain with extra information for those people with whom they would share their price.

Also, the lack of the British Pound symbol in the email was a clear clue, since it’s supposed to be British. It tells me that it was sent by someone with a non-British keyboard! That’s very common outside the UK but people inside the UK prefer to type the proper symbol for their currency.

Sending the spam to my honey pot mail account was also a dumb move.

Blog spammers

Posted on 2012/11/28 by W.A. ten Brink

I’m having a late lunch break and started to check all comments that needed to be moderated for my blog. And as usual, there’s a lot of spam between those comments! Fortunately, this blog is hosted by WordPress.com and they know how to detect those spammers easily! So all I have to do is empty the spam folder once in a while. It’s great! But just for the fun of it, let’s look at a few of those. 🙂

Yeah, there it is… My spam folder. I had 56 spam messages in it and was just deleting them one by one, since it’s fun seeing how spammers tend to operate. (And educational too.) But I decided at one point that it could be educational for others too, so here it is.

One thing you will notice is that most spammers will include hyperlinks to some other site. These could be malicious sites or just some obscure web shop that needs free advertisements. Most of it is in English, which makes sense since most of this blog is in English. But the Russian post in this list is noteworthy!

Another post I’ve noticed says: “Hi there would you mind letting me know which hosting company you’re using? I’ve loaded your blog in 3 different web browsers and I must say this blog loads a lot quicker then most. Can you suggest a good web hosting provider at a honest price? Thanks a lot, I appreciate it!” Definitely noteworthy since it seems to be a valid request. I do wonder why it’s considered spam. But I’m smart so I’ve Googled for that remark and it happens to appear on dozens and dozens of other websites, where webmasters have allowed the comment to pass their filters! That’s not a wise move since approving such messages means that the sender is often approved for sending more comments too. Allowing this message might mean that he will follow-up with all kinds of spam, probably trying to sell Viagra or penis enlargement herbs. So, it’s spam. The spammer tries some innocent-looking message just so I would let my guards down and approve him as a valid commentator. Well, too bad he did not fool the WordPress filter. (Most likely because they’ve recognized his IP address.) The blog he’s included in his profile is most likely just a random blog post that he misuses to make things look even less suspicious.

I also tend to get a lot of compliments from spammers, probably hoping to play with my ego and confusing me to allow those messages. Again, WordPress isn’t fooled by them! One such spam message said: “Hey there, just became alerted to your blog through Google, and found that it is truly informative. I will be grateful if you continue this in future. Numerous people will be benefited from your writing. Cheers!” which sounds nice. It’s linked to this post where I show a CGI image I’ve just created. Didn’t consider that post very informative, though. Just fun, and a follow-up on a earlier post that was more informative. The praise is nice, but just too generic to be considered real.

One more, as a comment on my post about Stupid Spammers: “In the event you suffer from any of these circumstances or injuries, it is worth taking the time to seek advice from your physician or physical therapist concerning the use of [SNIP! Spam-link!]” I don’t see any relation between this comment and the topic of my post, except that this too happens to be a dumb spammer. Many spam comments are like this. They are often not related to the topic you’re discussing or very generic by nature. When the comment isn’t on-topic, be aware!

Anyway, one thing that most of those comment spam have in common is that they’re trying to promote all kinds of medication. Then again, that’s also true for many normal spam. But if you want to fight blog spam in your own blog then make sure that any commentator is moderated for at least a month, or 10 comments, whatever is more. Be aware of their posts and if those comments are too generic, it’s most likely that he commentator isn’t really reading your blog but just wants to get more rights to comment without moderation. (And once they can do that, they will fill your blog with a lot of spam, just before you’ll notice what they’re doing and can put a stop to them!)

Blog spam can destroy any blog, make them unreadable for the regular visitor while also helping spammers to have their spam be found by various search engines. If I would allow spam in my blog, people who would look for common words in my blog (CGI, Poser, Grepolis, etc.) will find my blog but when visiting it, they would see just spam. So, bloggers should have a very good reason to block blog spam, or else no one will follow their blogs…

Spammers learn new tricks…

Posted on 2012/09/01 by W.A. ten Brink

I’ve recently posted a rant about spam and today, I’m going to add another one. This one about a spammers trick that might fool a lot of people. Especially those people who don’t use a good spam filter. And I’m doing this because it might have fooled me, if there weren’t two flaws with it. First of all, it ended up in my spam folder, which suggests that something is wrong. Second of all, it was sent to the wrong email address.

First, let’s take a look at the spam itself:

What the spam looks like

Well, it looks good enough. LinkedIn does send these kinds of emails on a regular basis. I get plenty of those on my real LinkedIn account. But as I said, I received this one in my spam filter and on the wrong account. So, let’s look at the email a bit more, starting with the headers…

Delivered-To: address@example.com
Received: by 10.14.174.6 with SMTP id w6csp66709eel;
        Wed, 29 Aug 2012 08:00:37 -0700 (PDT)
Received: by 10.60.11.34 with SMTP id n2mr645244oeb.18.1346252436700;
        Wed, 29 Aug 2012 08:00:36 -0700 (PDT)
Return-Path: <heemali@snmz227.leaseweb.com>
Received: from SNMZ227.leaseweb.com ([82.192.78.107])
        by mx.google.com with SMTP id zm6si23150147obb.199.2012.08.29.08.00.35;
        Wed, 29 Aug 2012 08:00:36 -0700 (PDT)
Received-SPF: neutral (google.com: 82.192.78.107 is neither permitted nor denied by best guess record for domain of heemali@snmz227.leaseweb.com) client-ip=82.192.78.107;
Authentication-Results: mx.google.com; spf=neutral (google.com: 82.192.78.107 is neither permitted nor denied by best guess record for domain of heemali@snmz227.leaseweb.com) smtp.mail=heemali@snmz227.leaseweb.com
Date: Wed, 29 Aug 2012 11:00:36 +0000 (UTC)
From: LinkedIn Reminders <reminders-noreply@noreply-linkedin.com>
To: address@example.com
Message-ID: <52203955.7448783.1913884201422.JavaMail.app@ela4-app2581.prod> Subject: There are a total of 1 messages awaiting your response MIME-Version: 1.0 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 7bit

I’ve replaced my address with address@example.com, a dummy address. But if I look at these headers I noticed that it’s sent from a leaseweb.com mail account, and not from LinkedIn itself. Leaseweb is a hosting provider with a bad reputation as being one of the worst hosts since they seem to host a lot of malware on their sites. So was the Bredolab botnet hosted on Leaseweb servers. Leaseweb also hosted part of MegaUpload. But Leaseweb is just one of the biggest hosts in Europe so it’s no surprise that you can find lots of malware there. Such sites are always a small percentage of sites for any host.

But why would LinkedIn use Leaseweb? Well, they would not! This is just another sign that this is a real spammer. But let’s look a bit further, which is the HTML code behind this email:

The source code behind the spam.

This shows the true intentions of this spam. The spammer wants to fool to visit some specific site. The site itself has nothing to do with the spam, except for the site has been hacked without the site owner knowing this. But it’s not a malware URL but a redirection to a Canadian pharmacy website. They want to sell Viagra and Cialis to the unsuspecting visitor. (Oh, dear! Those two words will most likely put this post in each and every spam filter!)

Well, not all spammers will send their victims to malware sites. In this case, they just want to get more visitors to buy little blue pills. They prefer to target American visitors since the sale of these pills are more limited in the USA than in Canada. In Europe, unknown to most, you can just buy similar products at the local pharmacy. That is, if you need them.

Anyways, the URL has the word “stupid” which tells us how the spammer thinks about those who are fooled by this. Well, I wasn’t fooled but instead I investigated it a bit and contacted the site where the redirect was hosted. I’ve warned them about this URL on their domain and I expect it to be gone within a few days. If not, they might be held responsible for this spam, and for the (illegal?) sale of these types of drugs. Since they are a clinic of some sorts, it could cost them their license if they don’t take additional steps against this.

But for now, let’s wait on their response on this post, and on my warning…

Fighting spam

Posted on 2012/08/28 by W.A. ten Brink

Spam is annoying us all and many people are looking for a solution that will reduce the amount of spam in their mailbox. Plenty of solutions exist, but I myself chose a very simple solution that will allow me to “name & shame” those companies that leak my email address to those spammers. And my solution also comes with a nice spam filter too, although it’s not free. I pay about 60 Euro’s per year for my solution, which is reasonable simple, provides me with web mail and a good spam filter plus nice, additional features that are very practical.

It starts by registering a domain name. In my case, it’s wimtenbrink.nl but for this discussion I will use the name example.com since this is a special domain name reserved for these kinds of examples. Registering a domain name costs between 5 Euro’s and 20 Euro’s, depending on your registrar. Since I live in the Netherlands, I chose VIP Internet to register this domain, since they provide me some easy options to set up my domain, allowing me to adjust several settings and changes I do to my domain name there are handled quite fast. Unfortunately, they’re also a bit expensive (EUR 19,95 per year) but they offer a good quality.

Next, I’ve purchased a Google Apps for Business account for my domain name. This is free for individuals and small teams but I decided to buy the more expensive package which costs US $ 50 per year per user. With just one user, this costs me $ 50 per year. And it removes the advertisements in my mailbox. Plus, my mailbox is 25 GB in size instead of the standard 10 GB for individuals.

Next, the technical part. You’ll need to connect your domain to your Google Apps account. This will require some knowledge and experience with the Domain Name Service of the internet, or short: DNS. Using the tools provided by your registrar you will have to set up Google Apps as your mailbox. This probably means that you will have to remove a few DNS entries and add a few new ones. This isn’t very complex but if you mess it up, your domain cannot be reached anymore. So, be careful, try to get some basic knowledge about DNS first. (Although you can always fix problems later.)

You can also connect more things from Google to your domain name. You could, for example, generate special URLs on your domain name that will point to your Google Calendar or your Google Drive. And Google provides plenty of other practical tools that you can use and connect to your domain, including the hosting of a few simple webpages.

Once you’ve connected both, you will have your own, personal domain name with a single email address. Let’s say you’ve registered example.com and your new address is admin@example.com. Your Google Apps account will provide you with a web mail interface that is very similar to GMail itself. But without the advertisements for me. But Google Apps will allow you do even more, like creating multiple aliases for your email address. In my case, I could create the alias wim@example.com and use that as a mail address that I share with friends and family. For companies, I generally create an alias on the fly starting with the name of the company and ending with my domain name. Thus, if I provide Microsoft with an email address of mine, that would be microsoft@example.com.

And yes, creating email aliases on the fly is simple. Someone asks for an address, I just think of some random code to put in front of the @ sign and then append my domain name. It does require me to do one more thing, though. I need to set Google Apps up to use my admin@example.com address as a catch-all for all incoming email addresses on my domain name. Once I’ve done this, it doesn’t matter what’s in front of the @ because anything will be sent to this single email address.

But how does this stop spammers? Well, it doesn’t stop them but it tells me where the spammer retrieved my email address. For example, my email address for LinkedIn was something like linkedin@example.com. However, earlier this year LinkedIn was the victim of a hacker who managed to collect a whole database from their user database, including a lot of email addresses. One of those addresses was mine. And when I noticed that I started to receive spam at linkedin@example.com I immediately realized that LinkedIn had a huge problem with their security. It gave me a very early warning and told me who was responsible for leaking my email address.

There have been more companies who have leaked my email address to spammers, but because those email addresses tell me which company leaked my email address, I can just change my address for that company to e.g. linkedin-2@example.com and create a filter in my Google Apps account which will just drop anything that is sent to the old email address. Thus, the spam is gone but my contact with the company is still available.

I still receive about 10 spam messages every day but the Google spam filters are excellent in recognizing them, although they do have the occasional “false positive”. Checking my spam filter is therefore still important. But those addresses that are ‘contaminated’ by spammers are just filtered away, thus keeping my mailbox very clean. Only drawback is that some spammers realize that my domain has a catch-all mail account and thus they make up random names to get past the filters that I’ve set up, only to be caught by the Google spam filter.

As I said, Google Apps is also available in a free version and registering domain names can be done a bit less expensive. Finding a good domain name to use for this purpose is a bit more complex though, and I was lucky that my name was still available for me. Other people who happen to share my name will have to look for something different. I’m just paying more because of some additional bonuses provided by my registrar and by Google, which I use a lot.

Stupid spammers…

Posted on 2012/08/28 by W.A. ten Brink

For some time now, I am receiving about 5 spam messages per day for some weird job offerings that could earn me 22 to 65 Euro’s per day. And all I have to do for this “job” is to answer questions from some health clinic and answer some easy questions. They’d like me to do this about 2 to 12 hours per day and all I have to do to join is send them the following information: name, phone number, age and the city where I live.

Of course, this is spam and most people would just ignore such things but I started to investigate a bit. The sender always seem to be a different person but the domain it originates from is careersholland.com. However, the DNS information for this site is gone which means that you cannot reply anymore. The domain is gone, but the spammer just continues to send these messages.

There is another site, however, that happens to be legitimate and whose domain name looks closely to this spammer. They’ve posted this article to their site to warn people about these spammers. That’s because this is a phishing attack, where the spammer is trying to collect as much information about you for their own criminal intentions. These criminals are looking for “Money mules” and for this they need as much personal information as they can collect from you. Be aware that if you respond to such an email then you can become part of some criminal activities and it will be hard to prove your innocence. And yes, these spammers might even actually pay you for your “services” but in the end, it will cost you a lot more than you’ll earn from this. Worse, if it can be proven that you’re willingly participated to this scheme, you could even end up doing time in jail in the Netherlands, although that would still be very unlikely. It’s more likely that you’ll end up with a huge debt which you’ll have to pay for a very long time.

One of the original spam messages looks like this, and I’ve removed my personal information from it. It’s in Dutch, though. It is targetting Dutch people, mostly.

Delivered-To: helpdesk@example.com
Received: by 10.50.42.196 with SMTP id q4csp8656igl;
        Mon, 27 Aug 2012 23:10:28 -0700 (PDT)
Received: by 10.14.223.9 with SMTP id u9mr5532200eep.10.1346134228048;
        Mon, 27 Aug 2012 23:10:28 -0700 (PDT)
Return-Path: <neuralgiag5@realliving.com>
Received: from [190.43.101.99] ([190.43.101.99])
        by mx.google.com with ESMTP id e9si13429791eep.46.2012.08.27.23.10.23;
        Mon, 27 Aug 2012 23:10:27 -0700 (PDT)
Received-SPF: pass (google.com: domain of neuralgiag5@realliving.com designates 190.43.101.99 as permitted sender) client-ip=190.43.101.99;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of neuralgiag5@realliving.com designates 190.43.101.99 as permitted sender) smtp.mail=neuralgiag5@realliving.com
Received: from apache by qbqgghfhehsvvbsvwi.deltamar.net with local (Exim 4.67)
	(envelope-from <<helpdesk@example.com>>)
	id OWG4MX-L13X05-EZ
	for <helpdesk@example.com>; Tue, 28 Aug 2012 01:10:24 -0500
To: <helpdesk@example.com>
Subject: We nodigen u uit in uw vrije tijd te verdienen
X-PHP-Script: qbqgghfhehsvvbsvwi.deltamar.net/sendmail.php for 190.43.101.99
From: <helpdesk@example.com>
X-Sender: <helpdesk@example.com>
X-Mailer: PHP
X-Priority: 1
Content-Type: text/plain; charset="Windows-1252"
Message-Id: <ANP530-V0ONDJ-VW@qbqgghfhehsvvbsvwi.realliving.com>
Date: Tue, 28 Aug 2012 01:10:24 -0500

Beste dames en heren,

We beiden goedbetaalde baan aan: de website LEZER.

Uw functie:
Bezoeken van de website van een Gezondheidskliniek en daarna eenvoudige vragen te beantwoorden.

Bijvoorbeeld: was het gemakkelijk om een aanvraag te doet, is er niet te veel van de rode kleur,
is de tekst duidelijk op de aanvraagpagina.

We vragen dat om te bepalen of de website gemakkelijk is voor onze klanten.
Dit is zeer belangrijk want een eenvoudige website kan wist ervan 3-5 keer vermeerderen.
U kan dit doen in uw vrije tijd, ongeveer  van 2 tot 12 uur per week.

De prijs is van 25 tot 67 euro per uur, de vaste prijs wordt bepaald naar het interview.
De tewerkstellingperiode is van 3 tot 6 maanden, tijdens de Nederlandstalige website portaal ontwikkeling van de kliniek.
Indien u het goed doet zullen we u uitnodigen voor de andere gelijkaardige projecten.

De betaling gebeurt dagelijks of maandelijks per overschrijving op uw bankrekening van onze vennootschapsrekening.
U kan in uw vrije tijd verdien van 1512 tot 3612 euro per maand.
Als u het verschil kan zien tussen eenvoudige en ingewikkelde website, dan gaat u erin slagen.

Voor de aanvraag, stuur de volgende gegevens op:
1. Uw naam
2. Telefoon nummer
3. Leeftijd
4. Verblijfsstad

Aandacht! De gegevens moeten verstuurd worden op de volgende email:  Jaime@careersholland.com.

Aanvragen die op het andere email worden verstuurd kunnen niet behandeld worden
Zodra ik uw gegevens heb ontvangen neem ik contact met u op.

Met vriendelijke groeten,
Afdeling Personeelsaangelegenheden van “Geincorporeerde Gezondheidsinstellingen”

Wim ten Brink

Software engineering and CGI art

Category Archives: Spam

One more spammer: Adobe!

One week of spam…

And another stupid spammer…

Nigerian bankers are from China?

Spam: Once more, with feelings…

Blog spammers

Spammers learn new tricks…

Fighting spam

Stupid spammers…

Software engineering and CGI art

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this: