Identity Theft : 2006

Spammers routinely forge the From: line in their junk emails, causing the inevitable flood of bounces, auto-acknowledgements and complaints to land in some innocent third-party's inbox. Like so many other domain names, obliquity.com is sometimes used in these forgeries.

January (8 bounces)

First bounce: January 24 10:34:24 (GMT)
Last bounce: January 25 04:45:44 (GMT)
Forged address: A recognisable word or name followed by two random letters
Bounces: 8

May (16 bounces)

Several unrelated spam runs? The same pattern continued into June.

First bounce: May 4 07:08:20 (GMT)
Last bounce: May 31 14:03:18 (GMT)
Forged address: A recognisable word or name followed by a random letter
First name followed by a full stop (period) followed by a last name
Random letters
Bounces: 16

June (33 bounces)

Several unrelated spam runs?

First bounce: June 1 01:55:48 (GMT)
Last bounce: June 21 20:19:25 (GMT)
Forged address: Same as May
Bounces: 33

August (17195 bounces)

At the beginning of this spam run, bounces were arriving at an average of eight per second. This spam run continued into the beginning of September with several fresh attacks in October, November and December.

First bounce: August 15 21:01:04 (GMT)
Last bounce: August 29 13:51:19 (GMT)
Forged address: First name followed by one or more random letters or numbers followed by a last name
Sample subject lines: Beginning with "Fwd:" or "Re:" and followed by a blank or (more usually) one of the the following expressions (with varying capitalisation):
about, answer, business, change, deal, hello, help, hey, hi, hi!, hi}, important, info, information, letter, more, notice, password, private, question, read, reply, susie?, warning, your letter, ?, !, .., ..., [one- or two-digit number]
Bounces: 17195

September (2063 bounces)

There were at least two separate spam runs this month, the first one related to the August debacle. Bounces from the main spam run began at 11:41:08 (GMT) on 23 September, with 1797 arriving in the first 20 minutes. That is an average of more than one bounce per second.

First bounce: September 1 08:29:29 (GMT)
Last bounce: September 30 14:57:29 (GMT)
Forged address: Same as August
Sample subject lines: Same as August
Bounces: 2053

A second, probably unrelated, spam run began at the end of the month and continued into October.

First bounce: September 28 23:16:37 (GMT)
Last bounce: September 30 23:42:24 (GMT)
Forged address: Random letters
Sample subject lines: Random words
Bounces: 10

October (8003 bounces)

The spam runs from August and September continued this month. The "random letter" address spammer started another campaign on 8 October with the bounces beginning at 10:05:39 (GMT).

First bounce: October 1 01:14:16 (GMT)
Last bounce: October 30 17:24:50 (GMT)
Forged address: Random letters
Sample subject lines: Random words
Bounces: 228

The August spammer returned this month too. A few bounces trickled in during the first few days of the month. The first new spam run commenced on 12 October at 14:36:07 (GMT) with 569 bounces arriving in the first ten minutes (an average of nearly one per second). The second larger run started on 14 October at 03:30:06 (GMT) with 2208 bounces in the first ten minutes (an average of over three per second). Later that same day (at 23:46:57 (GMT)), a third spam run resulted in 1539 bounces in the first ten minutes (an average of over two per second). Bounces from a fourth spam run began arriving at 12:01:27 (GMT) on 22 October, with 943 arriving in the first ten minutes (an average of more than one bounce per second).

First bounce: October 1 03:01:35 (GMT)
Last bounce: October 30 08:41:49 (GMT)
Forged address: See August
Several random words strung together along with one or more random letters or numbers
Sample subject lines: See August
Bounces: 6076

Another spammer, using the address "obliquity" in the obliquity.com domain, began shilling diet pills (Anatrim) on 7 October. This spammer has used the same tactic (using a From: address in the form example@example.com) against a large number of other domains. This spammer's tactics changed slightly as the month wore on, sending out forgeries in the form lettersexampleletters@example.com. Many more domains were abused in this manner.

First bounce: October 7 04:49:58 (GMT)
Last bounce: October 22 05:57:09 (GMT)
Forged address: obliquity
Sample subject lines: A simple and safe way to weigh less
Achieve picture perfect weight and enjoy
Anatrim will change your life
Be leaner and slimmer by next week
Become fit and happy again
Burn pounds off with Anatrim
Doctors and Celebrities endorse Anatrim
Easy and natural way to better health and weight
Get more energy and get rid of fat
Get out of the obese crowd
Get rid of extra pounds and enjoy life
Get rid of the pounds you hate
Get your ideal weight with this natural method
Getting thinner can be enjoyable
Join the Anatrim revolution
Join the thousands of people who got slim
Less weight - more pleasure and joy
Look in the mirror and enjoy the new you
Losing weight has never been so easy
Make yourself more attractive to others
Melt away fat easily
Melt away pounds with Anatrim
Obesity is dangerous, stop it
Pounds down, mood up
Say goodbye to extra pounds
Shed weight now and enjoy the process
Stop being obese and unhappy
Stop gaining weight and get the figure you want
Stop the painful craving for more food
Summer is almost here, be ready
Summer is coming, time to tone up
Try the new miracle weight loss herb
Women will love your new figure
Bounces: 1699

November (2377 bounces)

The spam runs from August, September and October continued this month. Bounces from the diet pill spammer still dribbled in.

First bounce: November 1 00:27:54 (GMT)
Last bounce: November 21 20:20:45 (GMT)
Forged address: obliquity
Sample subject lines: See October
Other sightings on the Internet: See October
Bounces: 11

The "random letter" address spammer also stayed busy.

First bounce: November 1 08:48:15 (GMT)
Last bounce: November 30 23:55:14 (GMT)
Forged address: Random letters
Sample subject lines: Random words
Bounces: 388

The August spammer returned on 3 November. In the first ten minutes of this spam run, 1703 bounces arrived, an average of nearly three per second.

First bounce: November 3 15:37:15 (GMT)
Last bounce: November 27 11:15:23 (GMT)
Forged address: See August
Sample subject lines: See August
Bounces: 1978

December (14475 bounces)

The "random letter" address spammer continued the attack.

First bounce: December 1 00:18:13 (GMT)
Last bounce: December 31 21:29:58 (GMT)
Forged address: Random letters
Sample subject lines: Random words
Bounces: 534

The August spammer also reappeared with a fresh spam run commencing 12 December. Within the first ten minutes 2989 bounces arrived, an average of nearly five per second.

First bounce: December 2 19:24:53 (GMT)
Last bounce: December 31 08:15:32 (GMT)
Forged address: See August
Sample subject lines: See August
Bounces: 3629

Another spammer, using the address "bobliquitye" in the obliquity.com domain, relentlessly advertised various pharmacy sites like

MyCanadianPharmacy
USDrugs

beginning 19 December with bounces continuing into the new year. This spammer has used the same tactic (using a From: address in the form bexamplee@example.com) against a large number of other domains.

First bounce: December 19 22:59:19 (GMT)
Last bounce: December 31 23:38:05 (GMT)
Forged address: bobliquitye
Sample subject lines: Either a name or one of the following:
As Christmas is coming up.
Discounts for the coming Christmas season.
Do you want to get a special Christmas discount on medications? It is easy.
Don?t forget to ask for discount!
Don't miss this unique chance.
Forget about fake medicines!
Get our medications at a special Christmas price.
Happy Holidays and good health to you!
Introduce special discounts for all our customers!
Men's Health Pharmacy at your service: Christmas discounts.
Men's Health Pharmacy bulletin: Christmas discounts.
Men's Health Pharmacy we recommend: Christmas discounts.
Merry Christmas and our best wishes for the coming year!
Merry Christmas and good health to you!
Must Have Pharmacy at your service: Christmas discounts.
Must Have Pharmacy bulletin: Christmas discounts.
Must Have Pharmacy we recommend: Christmas discounts.
Online store offers special Christmas discounts.
Order now and save on your medication!
Pharmacy at your service: Christmas discounts.
Pharmacy bulletin: Christmas discounts.
Pharmacy we recommend: Christmas discounts.
Read this special Christmas offer.
Special Christmas discount on medications.
Special Christmas discounts.
Special Christmas offer.
Special Christmas offer from our store.
Special discounts for all our customers!
Take advantage of our Christmas discounts.
The Christmas discounted price.
The start of the Christmas season.
This special pharmacy bulletin is dedicated to Christmas holidays.
We launch Christmas Campaign.
We wish you Merry Christmas and Happy New Year!
Wed like to present you a special offer.
We'd like to present you a special offer.
We´¡Çd like to present you a special offer.
Bounces: 10312