The “new shopping new life” spam

For about a year I have been receiving spam emails like this one below. They all look like they’ve been sent by private individuals somewhere in the world (usually from Yahoo or Hotmail accounts) but advertise companies in China:

hi:
New shopping new life!
How are u doing these days?Yesterday I found a web of a large trading company from china,which is an agent of all the well-known digital product factories,and facing to both wholesalers,retailsalers,and personal customer all over the world. They export all kinds of digital products and offer most competitive and reasonable price and high quality goods for our clients,so i think we you make a big profit if we do business with them.And they promise they will provide the best after-sales-service.In my opinion we can make a trial order to test that.
Look forward to your early reply!
The Web address: www.vanigo.com
E-mail: vanigo@188.com
MSN : vanigo@msn.cn

——————————————————————————–

Få en billig laptop. Se Kelkoos gode tilbud her! [Danish: Get a cheap laptop. See Kelkoo's great deals here!]

Looking at the mail headers, it had come from the mail account of a Danish Yahoo user, but originated from an IP address in China (details edited to protect the privacy of the account owner):

Received: from [124.118.179.157] by web26101.mail.ukl.yahoo.com
via HTTP; Wed, 11 Feb 2009 19:54:29 GMT
X-Mailer: YahooMailWebService/0.7.260.1
Date: Wed, 11 Feb 2009 19:54:29 +0000 (GMT)
From: uffe #####sen <uf###2@yahoo.dk>
Reply-To: uf###2@yahoo.dk
Subject: hi:
To: undisclosed recipients: ;

IP address 124.118.179.157 belongs to China Telecom:

inetnum: 124.118.0.0 – 124.119.255.255
netname: CHINANET-XJ
descr: CHINANET Xinjiang province network
descr: China Telecom
descr: No1,jin-rong Street
descr: Beijing 100032
country: CN

What appears to have happened is that spammers know the passwords to these mail accounts and are using them to send that spam to everyone in the mail account’s address book.

This is a very effective way to get through spam filters, as many recipients are likely to also have the sender in their address book and address book entries are automatically whitelisted by many spam filters.
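The header check described above, as an added example that is not part of the original post: it pulls the browser IP that the webmail front end recorded in its "via HTTP" Received line and compares its country with the country-code domain of the sender's account. The allocation table, the function names and the one-line body are assumptions made for illustration; the headers are the redacted ones quoted above, with the folded line re-indented.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the redacted headers quoted above plus a one-line body.
SAMPLE = """\
Received: from [124.118.179.157] by web26101.mail.ukl.yahoo.com
 via HTTP; Wed, 11 Feb 2009 19:54:29 GMT
X-Mailer: YahooMailWebService/0.7.260.1
Date: Wed, 11 Feb 2009 19:54:29 +0000 (GMT)
From: uffe #####sen <uf###2@yahoo.dk>
Reply-To: uf###2@yahoo.dk
Subject: hi:
To: undisclosed recipients: ;

New shopping new life!
"""

# Assumption: a one-entry allocation table built from the whois record quoted
# above (124.118.0.0 - 124.119.255.255); real use would query a GeoIP/RIR database.
ALLOCATIONS = [(ipaddress.ip_network("124.118.0.0/15"), "CN")]
WEBMAIL_HOP = re.compile(r"from \[([0-9.]+)\] by (\S+)\s+via HTTP", re.I)

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in ALLOCATIONS if addr in net), None)

def analyse(raw):
    msg = message_from_string(raw)
    findings = {"origin_ip": None, "origin_country": None, "flags": []}
    # The webmail server writes this hop itself, so it shows where the browser was.
    for hop in msg.get_all("Received", []):
        m = WEBMAIL_HOP.search(hop)
        if m:
            findings["origin_ip"] = m.group(1)
            findings["origin_country"] = country_of(m.group(1))
            break
    # Heuristic: only two-letter (country-code) sender domains can be compared.
    dom = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    tld = dom.group(1).rsplit(".", 1)[-1].upper() if dom else None
    country = findings["origin_country"]
    if country and tld and len(tld) == 2 and tld != country:
        findings["flags"].append(f"account is .{tld.lower()} but mail was submitted from {country}")
    if "undisclosed" in msg.get("To", "").lower():
        findings["flags"].append("recipients hidden (bulk send via Bcc)")
    return findings
```

A mismatch alone is not proof of compromise (people travel), so the flags are best read together with the content of the message.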

If you receive an email like that, alert the “sender” that their account has been compromised. They need to immediately change their email password to something more secure.

This abuse of stolen passwords illustrates the potential of password harvesting scams such as this one I documented in August 2008, which is still going on.

Here are some Google searches related to the hacked webmail spam:

Here is a (probably incomplete) list of websites advertised this way:

  • gvccn.com
  • ibvcn.com
  • jvccn.com
  • tvtcn.com
  • szfac.com
  • cxkeg.com
  • yaier.com
  • mmhdf.com
  • ixicb.com
  • vanigo.com
  • wabada.com
  • bj-trade.com
  • store-168.com
  • ele-motors.com
  • electronics-brand.com
  • exciting-zone.com

Common subject lines:

  • New shopping new life
  • Good shopping good mood!
  • Good web site
  • Have a great shopping!
  • good website!
  • Hi,Thank you!
  • Hi,
  • Dear friend

Good passwords and bad passwords

A strong password should be the first line of defense against such criminals, but what makes a password good? It should contain a mixture of all of the following:

  • lower case letters
  • upper case letters
  • digits
  • at least one non-alphanumeric character

This makes it hard to break the password through brute force or through dictionary attacks.

Also the password should not be too short (8 characters or more) and should be reasonably easy to memorize, so you don’t have much need to write it down. Some examples:

  • 45Knife%Cabbage
  • 4F5g6H&j
  • J0hn1945-07-31

Bad choices are passwords that consist of any word found in a dictionary, proper names, digits-only dates, adjacent keys on the keyboard or repeated characters. Never use anything like these:

  • secret
  • qwerty
  • xxxx
  • john45
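The rules above turned into a checker, as an added example that is not part of the original post. The function names, the four-key threshold for keyboard runs and the tiny word list are assumptions made for illustration; a real check would use a full dictionary and name list.

```python
import re

# Constructed mini word list (assumption); substitute a real dictionary and name list.
WORDS = {"secret", "password", "john", "knife", "cabbage"}
KEY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

def has_keyboard_run(pw, run=4):
    """True if pw contains `run` adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEY_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False

def problems(pw):
    """Return the rules from the article that pw violates (empty list = acceptable)."""
    out = []
    if len(pw) < 8:
        out.append("shorter than 8 characters")
    classes = {
        "lower case letter": any(c.islower() for c in pw),
        "upper case letter": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "non-alphanumeric character": any(not c.isalnum() for c in pw),
    }
    out += [f"no {name}" for name, ok in classes.items() if not ok]
    # A word or name with digits tacked on the end (john45) is still a word or name.
    low = pw.lower()
    if low in WORDS or re.sub(r"\d+$", "", low) in WORDS:
        out.append("dictionary word or proper name")
    if pw.isdigit():
        out.append("digits only")
    if has_keyboard_run(pw):
        out.append("adjacent keys on the keyboard")
    if re.search(r"(.)\1{3,}", pw):
        out.append("repeated characters")
    return out
```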

It is very important not to use the exact same password for different purposes.

If spammers manage to trick you into revealing your password for one site (e.g. by getting you to create a new account at a site they control or by breaking into the database of another site where you’re a customer) then you’ve effectively handed them the key to the candy store. They can get access to your email account, in which they may find login information, password reminders, etc. of many other sites you’ve signed up for. At the very least they can harvest all your email contacts.

Beyond using different passwords for every site and service, it’s also a good idea to use a different password schema for “core” sites that you trust and depend upon (such as your email provider and webhost) and another for sites to which you sign up more casually (such as various forums, online shopping, etc.). Thus if one of the latter is compromised, it does not give criminals any clues what your more critical passwords may look like.

Who is behind this spam?

The sites advertised from the hacked email accounts constantly vary. They usually have been created only a few weeks or months earlier. For example, the domain in the above example was created two months ago:

Domain name: vanigo.com

Registrant Contact:
wuxianj
xiaos wu zhongfm@it5.cn
0592-5861837 fax: 0592-5861834
beijin
beijin beijin 100000
cn

Administrative Contact:
xiaos wu zhongfm@it5.cn
0592-5861837 fax: 0592-5861834
beijin
beijin beijin 100000
cn

Technical Contact:
xiaos wu zhongfm@it5.cn
0592-5861837 fax: 0592-5861834
beijin
beijin beijin 100000
cn

Billing Contact:
xiaos wu zhongfm@it5.cn
0592-5861837 fax: 0592-5861834
beijin
beijin beijin 100000
cn

DNS:
ns1.4everdns.com
ns2.4everdns.com

Created: 2008-12-08
Expires: 2009-12-08

Considering the highly illegal way the companies are advertised, what are the chances that any order you make at those sites would ever get shipped to you? For sure, they will gladly take your cash by (untraceable, unsafe) Western Union or take your credit card number, expiration date and security code. Never use Western Union to send money to people you don’t know from real life in person. Never enter your credit card on a site that doesn’t have SSL access (indicated by a URL starting with https:// and a padlock icon in the browser status bar) with a proper certificate.

Even more basic: Never do business with spammers. By sending you spam, they have already proven to you that they lack any morals. You have no reason to trust them and every reason to be alert!

If you have received similar spams, feel free to post them below.

“Please respond or Some Stranger will think you said no :(“

I never really got used to the idea of MySpace “friends” and Facebook “friends”, a concept that seems to appeal mostly to teenagers seeking peer-approval. Friends are not objects you collect like others collect postal stamps or sports memorabilia. Real friends are there for each other when we need someone. With my friends, years may pass without us meeting, but when we see each other again we pick up just like we last saw each other only yesterday. I know them and they know me and we don’t have to explain much. I would never think of showing them off on a website like others show off their gold chains and SUV to boost their self image. This is not at all what friendship is about.

For over two years I’ve been receiving emails coaxing me to join a website called tagged.com, supposedly sent by people who consider me their “friend”, but who I invariably do not recognize. I suppose they have my email address in their address book because they probably reported Nigerian scams to me before (I collect several hundred reports per day, most of which get processed automatically), but I could not possibly have had a two way email exchange with more than a small fraction of them, let alone built a friendship.

Here is a typical example:

Firstname has added you as a friend on Tagged.

Is Firstname your friend?

[ Yes] [ No ]

Please respond or Firstname may think you said no :(

Click here to unsubscribe from Tagged, P.O. Box 193152 San Francisco, CA 94119-3152

Invitation spam

The tagged.com mails are just one example of a category of what I consider invitation spam, because they serve no real purpose other than getting me to join a website that I have no interest in joining. The supposed sender already has my address and can contact me any time if he has something to tell me and if we really were friends, chances are I would already have his email too.

What I find particularly annoying about the Tagged.com emails is how they try to pressure the recipient into clicking the “Yes” link by exploiting people’s considerate nature. Most of us don’t unnecessarily want to hurt other people’s feelings. Therefore this line gets really on my nerves:

Please respond or Firstname may think you said no :(

Interestingly, the same annoying phrase (ending in either the colon-and-left-bracket frowning smiley or a positive smiley) started appearing in several other invitation spams that don’t mention Tagged.com:

From imvu.com, August 2007:

Hey Joewein,

Firstname has added you as a friend on IMVU.

Is Firstname your friend?

[ Yes] [ No ]

Please respond or Firstname may think you said no :)

From MyYearBook.com, November 2007:

Firstname has added you as a friend
Is Firstname your friend?

[ Yes] [ No ]

Please respond or Firstname will think you said no :(

Click Here to block all emails from myYearbook, 280 Union Square Dr., New Hope, PA 18938

From Yaari.com, February 2008:

Firstname Lastname wants you to join Yaari!

Is Firstname your friend?

Yes, Firstname is my friend! No, Firstname isn’t my friend.

Please respond or Firstname might think you said no :(

Thanks,
The Yaari Team

____
You are receiving this message because someone you know registered for Yaari and listed you as a contact.
If you prefer not to receive this email tell us here.
If you have any concerns regarding the content of this message, please email abuse@yaari.com.
Yaari LLC, 358 Angier Ave, Atlanta, GA 30312

To this day I am receiving a mix of Tagged.com, MyYearbook, Yaari and IMVU emails from various people.

The only party who really gets anything out of this type of (probably automated) email is the website owner. It actually doesn’t matter whether you click “Yes” or “No” on those spams, either way you’ll end up on a web form to provide personal details to join the site.

Many social networking sites ask for access to your Yahoo, Hotmail, Outlook or other address book when joining. They then send everyone in your address book invitations in your name. Thus the game continues as long as address books aren’t empty and at least some people click on either “Yes” or “No”.

When I receive such emails, I usually archive them to a folder in my mail cabinet that I named “Plaxo-Ringo” after the first two websites that spammed me like that in significant volume. I archive them for research purposes, but if you’re not a spam researcher like me you might as well delete them.

Just like on Facebook and MySpace I never act on “friend” invitations unless I have a genuine personal relationship with the sender, and neither should you. There is no need to feel guilty about discarding spam that is meant to sell commercial websites, even if it masquerades as something much more personal and precious, like friendship.