Another “clever” 419 in my mailbox

This one is new to me – it’s all done in Jesus’ name! So of course I had to do another deconstruction.

Dear in Christ,

Well, I’m not “in Christ”, so there’s a hit right away. Hell, I even link to Pharyngula on my linkbar. Obviously has just bought a mailing list from one of the other scumbags in the area.

Calvary greetings in the name of our Lord Jesus Christ. I am Deacon George Useh, a member of Day Spring Ministry, basically a Prayer and deliverance Ministry.During a Prayer and fasting session in my Ministry, I asked our Lord Jesus Christ to give me the opportunity to redeem my life and purify what remains of my wealth, God delivery revealed to me to Invest in His Kingdom through you and your
 Ministry.

Jesus told me to, uh, “Invest in His Kingdom” by scamming the unbelievers out of their savings! Wow, how cynical.

As the bible says "Go to the world,preach the gospel,spread his words,heal the sick............"

…and scam all the mugus? Oh, not there in my copy, but maybe Nigeria’s translation is different. I have no idea.

I got your email when i was lead by the spirit to be in search of the man of god on Christan search on the Internet.Like i have told you earlier in my last email that the lord minister to me to give to charity.

Well, except for the inconvenient fact that I’m somewhat lacking in religion and I’ve never seen any email from this known 419er before…

The first link on Google for the name, by the way, is a police blotter in Chattanooga which features someone who’d received fake money orders from the exact same scammer earlier this year – this particular variant has been operating for a while. You’d have thought a spammer would make sure that he was using names that couldn’t be zeroed out by a run on Google, but there you go.

I am not interested in the Earthly commissions as my rewards is from the Heaven above.I and my institution are blessed to help the needy and not after the rewards of the world as the bible says if not the lord that buideth the house the laborer labour but in vain...........

…and then the labourer sent out a mass spam campaign to a bought-in list of email addresses and rolled in it for a few years.

Nice spelling issue there – “laborer labour”. It does look like there’s more than one hand in this letter from the fluctuations in spelling and capitalisation, one American English speaker and one UK English speaker at least.

I will like to donate to you/ministry and i will like to donate through a money order of 6,500 dollars for him to cash.Better still,i have some other charities which i wants to donate funds to and i will wants oncashing the cheque to help me donate some part of the money to the other charities or needies as well.

And now we get the money order element of the scam. $6500 seems awfully small for a scammer to use, but it would be big money in Lagos.

I am giving you 2,000 dollars out of the money and i wants you on cashing the cheque to help me donate the remaining 4,500 dollars to some other charities or needies whose in formations i will give you when the cheque is cashed in the cash stores.I will want you to furnish me with the following in formations below:
(1)Name which you wants the check to be addressed
(2)Address where you wants me to send the cheque to(NOT P.O BOXES)
(3)Your Mobile telephone number for prompt communication.

Wow, nice way to have enough information to steal someone’s identity. This scam could be extremely lethal:

  • “I want your bank account number for security” or
  • “Can you send me a photocopy of something with your address on it so I can verify?”
  • Hence, identity theft for credit card applications/loans/bank accounts/passport applications/so on and so forth

But because the scammers are thick, this is probably just a cheque cashing scam (and notice this uses both British and US spellings in different parts of the email again). You cash the cheque, the scammers receive $4500 in the post and then the local cheque cashing place calls up demanding all their money back when it comes through as fraudulent.

That NOT PO BOXES thing is probably to catch out scambaiters, but I’m not entirely sure on that one. Maybe there is an ID theft element here of some sort, but I can’t be certain.

The ending is quite something:

As soon as i received this informations,i will go ahead to send you the check.After the successful completion of this first phase of the lords works with you then i can go ahead to send you another cheque and hence the continuous works of the lord.

I Am Yours In Christ,
Deacon George Useh
E-MAIL: Gospelpromoters001@yahoomail.fr

Look! A promise for more! And a disposable Yahoo France email address! Look at the confidence engendered by this guy.

And the ‘Lord’ has “continuous works”! Well, this scammer certainly does, that’s for sure. At the very least, however, we can be assured that if the Christian God, or for that matter a Jewish or Muslim God really does exist he’s going to hell – that’s at least four commandments right there (the third and eight through ten), and you could push for six (one and two, because as a 419er and as a scammer he obviously idolises Mammon.) I think nothingness is probably better, but who’s to say?

In a way, it proves that we’re working

419eater and scamwarners are currently being DDoSsed by what may be the Storm/Zhelatin gang, Russians for hire with a botnet comparable to military supercomputers. Apparently CastleCops et al are being hit as well.

So the Russians are into 419 scamming as well. I should really be more surprised…

World’s dumbest scammers #2, and a rant

My inboxes seem to be magnets for new viruses, 419 scams, stock spam with images or .pdfs and occasional phishing attempts for banks I don’t even belong to. I seem to get all the dumb ones; or at least, only the dumb ones get through my regularly updated Bayesian-trained SpamAssassin setup to my main inbox folders.

The lotto scam is of course a variant of the traditional 419: the main difference is that people who get taken in should be treated a bit more sympathetically (but only a bit more) than those who get done by the standard 419 as they don’t think they’re doing anything illegal. This one ticks all the moron boxes, however.

It was sent from another hacked/dodgy American Linux webserver, which means I think it’s from the same or a related gang to the one that sent the phishing scam I mentioned a few days ago. The domain name resolves to “host4seo.com”, which appears to be a spam nest. Looking at the webserver mentioned, it’s a default Apache with cpanel.

FROM: THE LOTTERY DIRECTORINTERNATIONAL PRIZE AWARD DEPT NL.21 NIN NAMARAL SRAATWEG 5009 GL.
GL.GTI 1815GA AMSTERDAM,
Amsterdam,Netherlans.

Hmm, “Netherlans”. That sure sounds legitimate.

PRIZE AWARD DEPT. REF No: 9590 ES 9414BATCH No: 573881545-NL/2007TICKET No:PP 3502 /8707-01
SERIAL No: 05908 LUCKY No: 9-43-97
[FOR CATEGORY "A" WINNER ONLY]

See the random numbers! SEE THEM! They mean.. Uh. What do they mean?

ATTN: LOTTERY WINNER.We wish to congratulate you over your email success in our computer balloting sweepstake held in Netherlands.

At least they can spell it right this time.

This is a millennium scientific computer game in which email addresses were used.

A “millennium scientific computer game”. Whew, I feel reassured already.

What are 419 scammers actually on in order to think that people will be taken in by this crap? You’d surely have to be thicker than the spammers themselves to fall for that one.

It is a promotional program aimed at encouraging internet users,therefore you do not need to buy ticket to enter for it. You have been approved for the star prize of $1,500,000.00 (One Million,Five Hundred Thousand Dollars) To claim your winning prize you are to contact the appointed agent as soon as possible for the immediate release of your winnings, with your Full Names, Contact Telephone Numbers (Home, Office and Mobile Number and also Fax Number)and also with your winning informations via email to process the immediate payment of your prize.The Validity period of the winnings is for 7 working days hence you are expected to make your claims immediately, any claim not made before this date will be returned to the MINISTERIO DE ECONOMIA Y HACIENDA.

I assume seven days is the usual length of time it takes Netcollection to cancel email accounts for sub-moronic Dutch 419ers.

I like the fact that this has obviously been edited from a version of the lotto scam relating to the Spanish lottery (notoriously big, hence the original target of the lotto-scam 419 variant) and they’ve forgotten to correct the name of the ministry. Very “professional” work from these losers.

Contact Person
Mr.Leonaert Bramer
Fax: +31-847-368-137
Tel: +31-614-797-465
Email: mail@adminclaimsdeptnl.netcollection.co.uk

Incredibly, these numbers are actually in the Netherlands (although the email is with a UK ISP who should hopefully cancel the bastards). The fax number has been around for months, the telephone number only shows a Google hit on 419eater.

Of course, sending hundreds of large pages of alternating dark greys interspersed with a decent greyscale representation of a certain notorious goat-related shock site image to the fax number via, say, tpc.int and a disposable webmail account in order to clog up their fax machine and stop them receiving messages from victims would somehow be very very wrong. Christ knows why, of course, these are Bad Guys and they need to be taken down, but because I know that vigilantism doesn’t actually work I won’t descend to their level.

(Besides, it’s probably a computer anyway, and the phone is probably voicemail.)

Which of course means letting them get away with scamming people until someone with authority actually does something other than cut off their email dropbox. It’s a great ethical dilemma which exists with regard to scambaiting and scambusting: the law is currently completely ineffective at punishing people like these, whether it’s 419ers, eBay scammers, fake “I’m from the water board” guys doorstepping OAPs, or to be honest most other white collar offences. The laws are on the books already, there just isn’t the enforcement power. Jail isn’t generally even offered to these people, and the fines given are minuscule – especially for big companies scamming, who can get away with murder (amount earned by ITV scamming X Factor red button voters out of 15p a vote, £250,000; Ofcom fine, nilch – amount earned by the BBC from the Blue Peter screwup, nilch; Ofcom fine £50,000. Should have been the other way round, I think.)

These people must do a tremendous amount of damage. 419ers wreck lives. They’re just like bogus callers; in the case of the lotto scams, there was recently a local news story in my area about a pensioner who got done by a lotto scam, just like this one but handled entirely over the phone. I want to wreck their life for once. Why the hell can’t the Dutch do anything? The Netherlands have been 419 central for years. I simply cannot believe that these aren’t the same people.

Part of the reason why nobody does anything about scammers is local corruption, of course, which works in Nigeria where the kind of money brought in by 419 scamming can shut up even the highest up of prosecutors, but not nearly as much here or in the Netherlands. The main problem is tying them down, and this requires work – worse, the kind of work that is in a very grey legal area, that is sending the scammer an affirmative to see whether he’ll come out in the open. There’s so much 419 spam and so few legal investigators that only a token effort can ever be made, and as a result people will continue to be conned by them.

All we can do without becoming like them is to keep deconstructing their schemes, putting them out in the open, and occasionally leading them along entertaining garden paths. The more the average person knows about scam-spotting, the less likely they are to be taken in; what is needed is a heavy bout of publicity, which we could have if Panorama or Tonight with Trevor McDonald go back to their consumer protection roots instead of just making up scare stories about Wi-Fi. Hopefully, with a bit of luck, the 419ers, spammers and all the other scumbags who scam over the net will find their mark supply dried up with no possible replacement. That will be a joyous day. In the meantime, we just have to keep working at it.

World’s dumbest phishers

X-Spam-Status: No, score=4.6 required=5.0 tests=BAYES_40,HTML_50_60, HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,REPLY_TO_EMPTY autolearn=no version=3.1.7
Subject: Ensure The Integriety Of Your Online Banking
From: Royal Bank Of Scotland <digitalbanking@rbs.co.uk>

Banking Online with Bank Of Scotland is about to become even more secure!As a valued Bank Of Scotland and Halifax Bank customer, the security of your identity and personal account information is extremely important. We are installing Enhance Online Security as an additional way of protecting your Bank Of Scotland online access.

Yes – a Bank of Scotland phishing email that claims to be sent by RBS. I got one from obviously the same gang with an HSBC “from” line and NatWest graphics. I love phishers that make spelling errors – it should hopefully mean that they don’t get that many marks.

Sent from an obviously hacked freenix box (“ftp” user on a web server) in South Africa. Phishing site on another similar hacked box in Argentina. Can people just upgrade their systems already?
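
The two giveaways in this message can be checked mechanically. The following is an added example, not code from this blog or from SpamAssassin: it parses the X-Spam-Status header quoted above to show how far under the threshold the mail scored, and compares the bank named in the From line with the banks named in the body. The brand list and the function names are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers and opening lines quoted in the post,
# with X-Spam-Status folded over several lines as a mail server might.
SAMPLE = """\
X-Spam-Status: No, score=4.6 required=5.0 tests=BAYES_40,HTML_50_60,
 HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,REPLY_TO_EMPTY
 autolearn=no version=3.1.7
Subject: Ensure The Integriety Of Your Online Banking
From: Royal Bank Of Scotland <digitalbanking@rbs.co.uk>

Banking Online with Bank Of Scotland is about to become even more secure!
As a valued Bank Of Scotland and Halifax Bank customer, the security of
your identity and personal account information is extremely important.
"""

# Illustrative brand list (an assumption): the banks named in the post.
BRANDS = ["royal bank of scotland", "bank of scotland", "halifax",
          "hsbc", "natwest"]


def find_brands(text):
    """Return the brands named in text, longest name first, so that
    'Royal Bank Of Scotland' is not also counted as 'Bank Of Scotland'."""
    text = " ".join(text.lower().split())
    found = set()
    for brand in sorted(BRANDS, key=len, reverse=True):
        pattern = r"\b" + re.escape(brand) + r"\b"
        # Blank out each hit so a shorter brand cannot match inside it.
        text, hits = re.subn(pattern, lambda m: " " * len(m.group()), text)
        if hits:
            found.add(brand)
    return found


def parse_spam_status(value):
    """Split an X-Spam-Status value into score, threshold and rule names."""
    value = " ".join(value.split())  # undo header folding
    score = float(re.search(r"score=(-?[\d.]+)", value).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", value).group(1))
    tests = re.search(r"tests=(.*?)(?:\s+autolearn=|$)", value).group(1)
    return {"score": score, "required": required,
            "margin": round(required - score, 2),
            "tests": [t.strip() for t in tests.split(",") if t.strip()]}


def analyse(raw):
    """Combine the spam-score margin with the From/body brand comparison."""
    msg = message_from_string(raw)
    display_name, _addr = parseaddr(msg["From"])
    sender = find_brands(display_name)
    body = find_brands(msg.get_payload())
    report = parse_spam_status(msg["X-Spam-Status"])
    report.update(sender_brands=sender, body_brands=body,
                  # Body talks about banks the sender never claimed to be.
                  mismatch=bool(sender and body and not (sender & body)))
    return report


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

The longest-first matching matters here because "Bank Of Scotland" is a substring of "Royal Bank Of Scotland"; a plain substring test would see no mismatch at all.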

Persistent spam campaign on WP.com right now

One of my XBMC posts is continually being hit by someone posting identical spam messages: the text of the post consists entirely of

<a></a>

i.e. a blank anchor. Akismet doesn’t detect this and WordPress’ blank post filter obviously doesn’t hit it, so for a time these posts were getting through to the actual comments page. This is basically designed to have their name hyperlink to one of a series of semi-randomly named .biz domains which, incredibly, don’t have DNS right now. Each message is being posted by a different IP from various consumer DSL IPs around the world, so almost certainly a botnet; I am getting an identical post once every two-three hours. I’ve heard that this is how a lot of scumware purveyors work right now – send out the spam, appears blank to start with, and then have the domains pointing at various botnet servers triggering the conversion of more machines into botnet servers.

I have added this blank anchor tag into my moderation list, but can’t bring myself to put it into the automatic blackhole list (because it is a genuine mistake people can make), so it’s merely downgraded from visible to you to just an annoyance for me. I would recommend other wordpress.com bloggers do the same until Akismet fix it.
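
A moderation rule for this case can key on what the reader would actually see rather than on the literal string. The following is an added example, not WordPress or Akismet code: it holds any comment whose markup leaves no visible text, which covers `<a></a>` and close variants such as upper-case tags, whitespace or `&nbsp;` between the tags, and zero-width characters (a generalisation beyond the one string seen here). The function name and return values are assumptions, and matches are held for moderation instead of discarded, as in the post.

```python
from html.parser import HTMLParser

# Characters that render as nothing; str.strip() already covers &nbsp;.
INVISIBLE = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"))


class _CommentScan(HTMLParser):
    """Collect the text a reader would see and count the links."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text = []
        self.anchors = 0
        self.hidden = 0  # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors += 1
        elif tag in ("script", "style"):
            self.hidden += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.hidden:
            self.hidden -= 1

    def handle_data(self, data):
        if not self.hidden:
            self.text.append(data)


def classify_comment(body):
    """Return (decision, reason); 'hold' means the moderation queue."""
    scan = _CommentScan()
    scan.feed(body)
    scan.close()  # flush any text still buffered by the parser
    visible = "".join(scan.text).translate(INVISIBLE).strip()
    if visible:
        return ("pass", "comment has visible text")
    if scan.anchors:
        return ("hold", "only empty anchor markup, nothing to read")
    return ("hold", "no visible text")


if __name__ == "__main__":
    # Constructed sample comments.
    for sample in ["<a></a>", "<A HREF='http://example.biz/'> </A>",
                   "&nbsp;<a></a>\u200b",
                   "Nice write-up, <a href='http://example.org/'>more</a>"]:
        print(repr(sample), "->", classify_comment(sample))
```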

Sent to my university email box…

A customised “scholarship award” 419 scam! Let’s deconstruct it, shall we…

FROM: THE DESK OF THE VICE PRESIDENT MR.AUSTIN THOMAS.(TRANSNATIONAL
AWARD INTERNATIONAL) PRIZE AWARD DEPT.
REF NO: 12/0078/IPG
BATCH NO: EGS/ 20054117/08

Generated randomly, probably.

ATTN: WINNER.

RE: SCHOLARSHIP AWARD NOTIFICATION, FINAL NOTICE.

We are pleased to inform you, that as a result of our RECENT LOTTERY DRAWS HELD ON THE 28TH DECEMBER 2006. Your e-mail address attached to ticket number:021-7276083-04 with serial number:31270-0 drew lucky numbers:05-06-12-14-38 which consequently won in the 5th category. You have therefore been approved for a lump sum pay of (FIVE HUNDRED THOUSAND US DOLLARS) in cash credited to file with REF:.EGS/3662367114/13

Oh, look, is that a different random batch number? Note the amateurish nature of the scam. I’m amazed anyone gets taken in by these things, but they do.

Note that all participants in this lottery program have been selected randomly through a computer ballot system drawn from over 20,000 Officials and 30,000,000 individual email addresses from all search engines and web sites,from Asia, Australia, NewZealand, Europe, North and South America, Middle East and Africa, as part of our International Promotions Program.This promotional program takes place every year, and is promoted and sponsored by eminent personalities like the Sultan of Brunei and other corporate organizations. This is to IMPROVE THE LEVEL O!
F EDUCATION WORLDWIDE and to ENCOURAGE THE USE OF INTERNET AND COMPUTERS WORLDWIDE.

“30,000,000 individual email addresses” obviously means “dictionary attack on .edu and .ac.uk”. This appears to be a fill-in-the-blank lotto scam – with the reasons for it just entered in by the scammer in particular depending on his run. Also, that O!<carriage return>F is in the actual email. Brilliant.

Your fund is now deposited with EcoBank and insured in your name For security purpose and clarity, we advise that you keep your winning information confidential until your claims have been processed and your money remitted to your account.

Nah, I don’t think I’m going to do that.

This is part of our security protocol to avoid double claims and unwarranted abuse of this program by some participants. We look forward to your active participation in our next 4 million dollars slot.

This of course is the hook for the scam – there’s 4M available if you phone in. Shame the scam’s so bloody obvious, and the hook is too well hidden in the long paragraphs.

To begin the processing of your prize you are to contact your claims agent through our accredited Prize Transfer agents as stated below:

Name..Rev Paul Edward

Oh, a “reverend”. How trustworthy.

TEL: +234-80-3819 1724 CALL HIM IMMEDIATELY WITH HIS ABOVE DIRECT PHONE NUMBER IF YOU ARE CALLING FROM (USA) THIS IS HOW YOU DIAL 011-234-80-3819 1724 BUT IF YOU ARE CALLING FROM ANY OTHER COUNTRY,THIS IS HOW TO DIAL +234-80-3819 1724

They obviously think we’re that dumb that we don’t know how to dial an international number. Oh, and +234 is, of course, the international calling code for Nigeria; it is a mobile phone on the MTN Nigeria network.

Googling on the telephone number for the scammer has cropped up someone on Livejournal who’s received the scam from the same people; the name given in his scam email is “Rev Frank Ive”.

You are also advised to provide your claim agent with the under listed information as soon as possible send it to his two email addresses below,YOUR CLAIM AGENT E MAIL ADDRESSES BELOW,

E MAIL: pauledward1616@yahoo.com
E MAIL: pauledward555@myway.com

The same email providers were used for Frank Ive, presumably because these are the easiest free email providers to automate account creation for (and slowest to terminate people for 419 scamming.)

1. Name in full
2. Address
3. Nationality
4. Age
5. Occupation
6. Phone/Fax
7. Batch Number
8. Serial Number

All winnings must be claimed not later than one month after the date of this notice. Please note,in order to avoid unnecessary delays and complications,remember to quote your Batch number and Serial numbers in all orrespondence.Furthermore,should there be any change of address do inform our agent as soon as possible.Congratulations!!!once more and thank you for being part of our promotional program. Bear in mind that 10% of your fund will be going to the lottery organization that played the lottery with peoples name and email addresses that should be after you most have received the fund in your account,the 10% would have been given to them,just because the fund has been insured and will not be removed till you receive the fund in your account.

This of course is the trick to confuse people into not reporting their scamming until it’s way, way too late. Oh, and “orrespondence”? Tee hee.

Sincerely,

MR.AUSTIN THOMAS
VICE PRESIDENT.
TRANSNATIONAL AWARD

The same name was used on the Livejournal recipient’s mail too.

So what we’ve got here is a scam that is cleverly targeted but still misses the mark by a very long distance, not least because it got picked up by my university’s SpamAssassin system and was marked with a spam warning, but also because of what it lacks in spelling, grammar, good sense and layout. The question of course is why so many people get stung by 419 scams after this long and why they are allowed to just keep on going. It’s the money, isn’t it?

Telemarketers, scum of the earth

I’ve just been called for “market research” again and am frustrated to find out that the TPS complaints form requires you to find out the name and address of the scumbag who’s tried to call you (I have no doubt that if I actually trawled for such information, they’d hang up on me.) Since I hang up immediately on all such calls, I don’t have it – however, they did leave their number on 1471.

So, whatever firm of “market research” droids it is at 0870 220 9317 ignores the TPS. And is probably responsible for my silent calls and recorded message telespam too.

It’s nowhere on Google and I’m not going to call it (it’s the principle of the thing, I’m not paying call charges just to talk to them again and I recommend no-one else does the same), but if anyone on the ‘net has any more information about who owns this I would appreciate it greatly. There used to be a page somewhere listing 0870 numbers by the licensing operator; I can’t find it again, but if it’s still there it would be very useful for hunting these pricks down.

Dear wordpress.com…

Don't suppose you could block the Ukrainian hacked box at [195.225.177.81] that has been putting 20 spam comments a day on my blog for a while? Sure, all the drug-and-links-pages adverts have been going into akismet anyway, but it's obvious there's nothing but bad stuff coming from there and it would probably be worth blitzing.

May I suggest IP banning for the next round of upgrades? Just a thought.