Spammers routinely forge the From: line in their junk emails, causing the inevitable flood of bounces, auto-acknowledgements and complaints to land in some innocent third party's inbox. Like so many other domain names, obliquity.com is sometimes used in these forgeries.
Bounced messages started filling up the inbox of one of our UK academic email addresses this month. They were undeliverable Base64-encoded junk emails advertising assorted domains selling Internet Investigator, a widely "spamvertised" piece of software.
This spammer also attacked Unixhub.com.
In each of the examples listed below, the spam originated in the CHINANET Shanghai province network (61.169.0.0 - 61.173.255.255). The URLs of the advertised sites were slightly obfuscated but turned out to be various files at these sites:
At the time of this spam run (early August 2003), both brightsunshine.net and domeafavor.net resolved to IP address 61.173.42.236 (again, located in the CHINANET Shanghai province network) and were registered to Alex Yang of Shanghai.
Interestingly, the source code of the order form at these web sites contained the line
<input type="hidden" name="reseller" value="alex">
It would seem that the reseller's identity is "alex", which is suspiciously similar to the name of the registrant of the advertised domains.
Email addresses of innocent third parties have been deleted from these headers to preserve their privacy. (In actual fact, most of these email addresses no longer exist; hence the bounces.)
Received: from [deleted] ([61.171.255.241]) by mc9-f5.bay6.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Thu, 7 Aug 2003 04:09:53 -0700
Message-ID: <339a01c35cc4$f5729b20$dae9dcbc@pys>
Reply-To: [our academic email address]
From: [our academic email address]
To: "a.kenney" [deleted]
Cc: [deleted], Cc: [deleted], Cc: [deleted], Cc: [deleted], Cc: [deleted], Cc: [deleted]
Subject: nnkyq nzsbnhbng Use this cmpany whenever you need info
Date: Thu, 07 Aug 2003 05:19:09 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_F3D_E9EC_F84907B0.404C3806"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000
Return-Path: [our academic email address]
X-OriginalArrivalTime: 07 Aug 2003 11:09:56.0618 (UTC) FILETIME=[6F45E6A0:01C35CD4]
Received: from simcoparts.com ([61.171.248.193]) by rly-xh04.mx.aol.com (v95.1) with ESMTP id MAILRELAYINXH45-4a13f3279e6139; Thu, 07 Aug 2003 12:10:19 -0400
Message-ID: <147d01c35cfb$794c0e00$d5e7cd17@fptvul>
Reply-To: [our academic email address]
From: [our academic email address]
To: "jonmalanga" [deleted]
Cc: [deleted], Cc: [deleted], Cc: [deleted], Cc: [deleted]
Subject: txuojk gnjuzwebg Use these guys for all your data collection
Date: Thu, 07 Aug 2003 21:49:23 +0600
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_5A0_F6C6_EABE9B95.F9F0FE5D"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000
X-AOL-IP: 61.171.248.193
X-AOL-SCOLL-SCORE: 0:XXX:XX
X-AOL-SCOLL-URL_COUNT: 0
Return-Path: [our academic email address]
Received: from rly-xi01.mx.aol.com (rly-xi01.mail.aol.com [172.20.116.6]) by rly-st01.mail.aol.com (8.8.8/8.8.8/AOL-5.0.0) with ESMTP id TAA02660; Thu, 7 Aug 2003 19:56:45 -0400 (EDT)
From: [our academic email address]
Received: from email.msn.com ([61.171.255.178]) by rly-xi01.mx.aol.com (v95.1) with ESMTP id MAILRELAYINXI13-4bd3f32e71e169; Thu, 07 Aug 2003 19:56:22 -0400
Message-ID: <b0f401c35d3f$151ada30$9631ded5@papjudgh>
Reply-To: [our academic email address]
To: "klokan" [deleted]
Cc: [deleted], Cc: [deleted], Cc: [deleted], Cc: [deleted], Cc: [deleted]
Subject: lvclmt xbwaycicr Want to know about the people you hire beforehand?
Date: Fri, 08 Aug 2003 02:53:21 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_931_A1E0_F51E3A17.FCFDF7D9"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-AOL-IP: 61.171.255.178
X-AOL-SCOLL-SCORE: 0:XXX:XX
X-AOL-SCOLL-URL_COUNT: 0
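As an added example (not code from the original page), here is how the Received: trail in header blocks like those above can be checked in Python: it unfolds the headers, takes the earliest Received: hop, pulls out the IP address that handed the message in, and tests it against the CHINANET Shanghai range quoted earlier. The sample header block is constructed from the third example above, with the page's redaction placeholders kept in place of real addresses.

```python
import ipaddress
import re

# CHINANET Shanghai range as quoted on this page (a start/end pair, not a clean CIDR).
CHINANET_SH = (ipaddress.ip_address("61.169.0.0"), ipaddress.ip_address("61.173.255.255"))

# Constructed sample based on the third header block above; redaction placeholders kept.
SAMPLE = """\
Return-Path: [our academic email address]
Received: from rly-xi01.mx.aol.com (rly-xi01.mail.aol.com [172.20.116.6])
\tby rly-st01.mail.aol.com (8.8.8/8.8.8/AOL-5.0.0) with ESMTP id TAA02660;
\tThu, 7 Aug 2003 19:56:45 -0400 (EDT)
From: [our academic email address]
Received: from email.msn.com ([61.171.255.178]) by rly-xi01.mx.aol.com (v95.1)
\twith ESMTP id MAILRELAYINXI13-4bd3f32e71e169; Thu, 07 Aug 2003 19:56:22 -0400
Reply-To: [our academic email address]
X-AOL-IP: 61.171.255.178
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_headers(raw):
    """Unfold RFC 822 headers into (name, value) pairs, preserving order."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:      # folded continuation line
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

def received_hops(fields):
    """Received: values in transit order: index 0 is the hop closest to the sender."""
    return [v for n, v in fields if n.lower() == "received"][::-1]

def origin_ip(fields):
    """Bracketed IP from the earliest hop, i.e. the host that handed the message in."""
    hops = received_hops(fields)
    m = IP_RE.search(hops[0]) if hops else None
    return m.group(1) if m else None

def helo_name(fields):
    """Hostname the handing-in host claimed (the From:/HELO name is not verified by MTAs)."""
    hops = received_hops(fields)
    m = re.match(r"from\s+(\S+)", hops[0]) if hops else None
    return m.group(1) if m else None

def in_range(ip, start_end):
    addr = ipaddress.ip_address(ip)
    return start_end[0] <= addr <= start_end[1]
```

The AOL-internal hop ([172.20.116.6]) is skipped because it is not the earliest Received: line; the claimed name "email.msn.com" against an address in 61.169.0.0 - 61.173.255.255 is the mismatch that points to the forgery.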
Someone sent out junk emails advertising a web site at IP address 69.60.4.240 which resolved to MyPillsRx.com, a Florida-based online pharmacy. This spammer also attacked a number of other domains, including (but probably not restricted to) art101.com, jimmiespheeris.com, mrp3.com, porterfield.net, thrush.com, unicorn.com.us and whitis.com. Read more about it at Wired News.
At the time of this spam run, IP address 69.60.4.240 belonged to Internet America LLC which is associated with Boca Raton-based spammer Eddy Marin.