Garcinia Cambogia weight loss spam from hacked Yahoo accounts

I’m seeing another round of weight loss spam that abuses third party Yahoo accounts for sending. It is similar to the earlier “Raspberry Ultra Drops” weight loss spam that also used compromised Yahoo accounts.

Here is one of the advertised domains, which is hosted on many different servers:

The domain is registered through a Ukrainian registrar using forged WHOIS contact details.

The buy link on that site redirects to, a domain registered last July, with the owner hidden behind a WHOIS proxy.

Other domains hosted on the same servers, some of which are part of the “Work from home mom” scam series:

The “work at home mom” scam series also used hacked Yahoo accounts for advertising websites that are made to look like network TV news sites, so these scams are probably related.

The spam senders are often abusing mail interfaces meant for mobile phones. The Yahoo message IDs of the spams contain some of these strings:


Probably “.androidMobile” is for use by the Yahoo Mail for Android app, though the spam is not necessarily sent from Android phones. More likely it is just using the servers provided for Android, but accessing from a PC.

The “BPMail” IDs are an interesting one. I suspect the “_noncarrier” variants involve IP addresses not connected to one of the phone carriers that bundle Yahoo mail with their service, while the “_carrier” variants mean the IP address is part of the provider’s address pool, though it could be used by a PC accessing via a wireless broadband modem.

“High” and “low” could be an internally assigned spam rating, though that is mere speculation. However, “.BPMail_high_noncarrier” is the most common Google hit of these 4 that comes up when searching for information about this type of spam. When investigating a pool of spam samples, this was the order of declining frequency: “.BPMail_high_noncarrier” was by far the most frequent, followed by “.BPMail_high_carrier” and finally relatively small numbers of “.BPMail_low_noncarrier” and “.BPMail_low_carrier”.

The spam recipients (common numbers: 1, 3, 9 or 10) tend to include the last addresses the legitimate owner of the Yahoo account has emailed. So perhaps the spammers are harvesting email addresses from the “Sent” folder of the Yahoo account after gaining access to it.
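A way to triage a pool of collected samples by the Message-ID strings and recipient counts described above. This is an added example, not code from the original post: the tag list is taken from the strings quoted in the text, while the Message-ID layout, host names and sample messages are constructed assumptions.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Tags quoted in the post; they appear inside the Message-ID of the spam.
TAGS = (".BPMail_high_noncarrier", ".BPMail_high_carrier",
        ".BPMail_low_noncarrier", ".BPMail_low_carrier", ".androidMobile")

def triage(raw):
    """Return (tag or None, number of To/Cc recipients) for one raw message."""
    msg = message_from_string(raw)
    # Only look at the part before '@' so a host name cannot match a tag.
    local_part = msg.get("Message-ID", "").strip("<> ").split("@")[0]
    tag = next((t for t in TAGS if t in local_part), None)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return tag, len(rcpts)

def tag_frequency(raw_messages):
    """Tally tags over a pool of samples, most frequent first."""
    counts = Counter(triage(raw)[0] for raw in raw_messages)
    counts.pop(None, None)  # ignore messages that carry none of the tags
    return counts.most_common()

def _sample(message_id, to):
    # Helper for the constructed samples below (hypothetical layout).
    return (f"Message-ID: <{message_id}>\nFrom: owner@example.com\n"
            f"To: {to}\nSubject: hi\n\nhttp://link.example/\n")

# Constructed samples, not real spam: IDs, hosts and addresses are invented.
SAMPLES = [
    _sample("1364800001.1111.BPMail_high_noncarrier@web1.mail.example",
            "a@example.net, b@example.net, c@example.net"),
    _sample("1364800002.2222.BPMail_high_noncarrier@web2.mail.example",
            "d@example.net"),
    _sample("1364800003.3333.androidMobile@web3.mail.example",
            "e@example.net, f@example.net"),
    _sample("1364800004.4444@web4.mail.example", "g@example.net"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(triage(raw))
    for tag, n in tag_frequency(SAMPLES):
        print(f"{n:3d}  {tag}")
```

Run over a real spam-trap mailbox, the same tally gives the per-tag frequency ordering, and the recipient counts can be compared against the typical values noted above.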

I find it amazing that Yahoo has yet to find a way to close the vulnerability that allows this spam and fraud to continue, despite the months and years since it was first observed.

4 thoughts on “Garcinia Cambogia weight loss spam from hacked Yahoo accounts”

  1. Yes, I do see this type of spam with MSN/Hotmail accounts too, and AOL accounts too, but the volume for those is much, much lower.

    For example, during one sample interval, one spam trap received one Hotmail spam and one AOL spam but 18 Yahoo spams. There must be something about Yahoo’s mail system that makes it particularly attractive/vulnerable to spammers.

  2. April 2013

    My girlfriend, some friends (contacts) and I have also been victims of this kind of scam about/from “Garcinia Cambogia”.

    They first usurp and/or steal the Yahoo e-mail address of my girlfriend, and use it to send spam e-mail to some contacts she has in the e-mail contacts of her Android tablet.

    Then, the e-mail contains a link (of a hacked domain account?) that redirects to the following:

    “” (* No longer available after March 31, 2013) but similar to “” you have noted, which seems to be no longer available either.

    Self question: Do they use apps they deliver through Google Play (Android apps) to get e-mail addresses from Android app users for malicious use?

    If you wish to get more info, you can reply at my e-mail address by using [419] in the subject line. I have the entire e-mail header of the spam.

    Best regards,

    Quebec, Canada

  3. More weight loss / fake job spam domains:

