Instead of the expected information I found myself on a scareware site called defend6-pc.com that was then trying to coerce me into downloading and installing their fake security software. A pop-up dialog asked me whether I wanted to scan my computer with their software. It didn’t matter if I clicked OK or Cancel, a download would always start. Only by closing the browser Window could I get rid of their nasty popup dialogs.

I’m using Mozilla FireFox, which does not offer to run downloaded EXEs directly. I did not click on the downloaded “Vir7remover_2009_b2.exe”, instead I ran it through the VirusTotal.com online malware scanner (highly recommended!) and products by four companies diagnosed it as malicious or suspicious:

• Microsoft (1.5605) says it’s a “Trojan:Win32/FakeXPA”
• Sophos (4.52.0) says it’s “Mal/FakeAV-CX”
• VBA32 (3.12.12.4) says it’s “BScope.Trojan.MTA.0157″
• Panda (10.0.2.2) calls it a “”Suspicious file”

“Mal/FakeAV-CX” indicates “scareware“, software that pretends to be an anti-virus / malware scanner that scares you with bogus alerts of malware on your harddisk into installing and or purchasing the software. Such software can include Trojans (as you would suspect from “Trojan:Win32/FakeXPA” and “BScope.Trojan.MTA.0157″) that take over your machine and can give someone else full control over your machine for malicious activities.

The following domains are all hosted on the same server as defend6-pc.com (IP address 93.174.95.154) and this list probably is not complete. I definitely would not recommend installing any software from any of these sites:

• 10scanantispyware.com
• 20scanantispyware.com
• 2scanantispyware.com
• 30scanantispyware.com
• 3scanantispyware.com
• 50virus-scanner.com
• 5scanantispyware.com
• 60scanantispyware.com
• 7scanantispyware.com
• 80scanantispyware.com
• 8scanantispyware.com
• 90virus-scanner.com
• antispy-scan200.com
• antispy-scan400.com
• antispy-scan600.com
• antispy-scan700.com
• antispy-scan800.com
• antispywarehelp002.com
• antispywarehelp004.com
• antispywarehelp008.com
• antispywarehelp010.com
• antispywarehelp022.com
• antispywarehelpk0.com
• antispywarehelpk2.com
• antispywarehelpk4.com
• antispywarehelpk6.com
• antispywarehelpk8.com
• antivirus-inet01.com
• antivirus-inet31.com
• antivirus-inet41.com
• antivirus-inet51.com
• antivirus-scan200.com
• antivirus-scan400.com
• antivirus-scan600.com
• antivirus-scan700.com
• antivirus-scan900.com
• antivirus-test88.com
• antivirus10scanner.com
• antivirus900scanner.com
• av-scanner200.com
• av-scanner300.com
• av-scanner400.com
• av-scanner500.com
• av-scanner700.com
• defend-computer10.com
• defend-computer30.com
• defend-computer50.com
• defend-computer70.com
• defend-computer82.com
• defend-computer83.com
• defend-computer84.com
• defend-computer85.com
• defend-computer86.com
• defend-computer88.com
• defend-computer90.com
• defend-pc100.com
• defend-pc130.com
• defend-pc150.com
• defend-pc170.com
• defend2-pc.com
• defend5-pc.com
• defend6-pc.com
• inetproscan001.com
• inetproscan031.com
• inetproscan061.com
• inetproscan081.com
• inetproscan091.com
• insight-scan20.com
• insight-scan40.com
• insight-scan60.com
• insight-scan80.com
• insight-scan90.com
• insight-scanner2.com
• insight-scanner5.com
• insight-scanner7.com
• insight-scanner8.com
• insight-scanner9.com
• internet-scan020.com
• internet-scan040.com
• internet-scan050.com
• internet-scan070.com
• internet-scan090.com
• internet-scanner020.com
• internet-scanner030.com
• internet-scanner050.com
• internet-scanner070.com
• internet-scanner090.com
• net-02antivirus.com
• net-04antivirus.com
• net-05antivirus.com
• net-07antivirus.com
• net001antivirus.com
• net011antivirus.com
• net021antivirus.com
• net111antivirus.com
• net222antivirus.com
• novirus-scan00.com
• novirus-scan01.com
• novirus-scan22.com
• novirus-scan31.com
• novirus-scan33.com
• novirus-scan41.com
• novirus-scan55.com
• novirus-scan61.com
• novirus-scan81.com
• novirus-scan88.com
• spyware-stop01.com
• spyware-stopb1.com
• spyware-stopm1.com
• spyware-stopn1.com
• spyware-stopz1.com
• spyware200scan.com
• spyware500scan.com
• spyware800scan.com
• spyware880scan.com
• spywarescan010.com
• spywarescan013.com
• spywarescan015.com
• spywarescan017.com
• spywarescan018.com
• stop-all-virus1.com
• stop-all-virus3.com
• stop-all-virus6.com
• stop-all-virus9.com
• stop-virus-01a.com
• stop-virus-01b.com
• stop-virus-01d.com
• stop-virus-01e.com
• stop-virus-01f.com
• stop-virus-03b.com
• stop-virus-03u.com
• stop-virus-03y.com
• stop-virus-03z.com
• stop-virus-040.com
• stop-virus-070.com
• stop-virus-090.com
• stop-virus-091.com
• stop-virus-099.com
• stopvirus-scan11.com
• stopvirus-scan13.com
• stopvirus-scan16.com
• stopvirus-scan18.com
• stopvirus-scan33.com
• stopvirus-scan66.com
• stopvirus-scan88.com
• stopvirus-scan99.com
• virus77scanner.com
• virus88scanner.com

hello：
Please forgive us to disturb your valued time.
This is a big wholesale company in china, sell electronic products to all the world,such as laptop, camera, phone and so on. We can offer the low price and high quality to you. If you have free time, please to visit our official website: http://lezucker.com
if you have any other questions, please be free contact us by email or msn at any time.
Yours Sincerely,

——————————————————————————–
Not got a Hotmail account? Sign-up now – Free

The emails accounts appear to be accessed from IP addresses in China such as these:

• 60.4.32.231 (3220 emails)
• 116.7.20.191 (1974 emails)
• 121.35.79.35 (1865 emails)
• 60.4.153.48 (326 emails)
• 121.35.79.16 (265 emails)

The email counts are for a period of about 60 hours and are only for my spam traps and external spam feeds, not the total sent from those addresses. What’s more, it’s not just a large number of emails per IP address but also per mail account (full address obscured for privacy reasons):

• XXamari35@hotmail.com (2645 emails)
• XXpsychling@hotmail.com (1994 emails)
• XXishacarroll@hotmail.com (1215 emails)
• XXbgreene27@hotmail.com (671 emails)
• XXedina723@hotmail.com (575 emails)
• XXgmo@hotmail.com (326 emails)
• XXroxd1@hotmail.com (294 emails)

I find it surprising that Hotmail would allow a single free mail account to send out thousands of spams a day without getting it shut down. I can only guess what the total number is, as the above are only spam that I have received copies of. Clearly Microsoft will have to improve its mechanisms to catch such abuse.

Here are some of the domains advertised via these scammers:

• lezucker.com (4189 emails)
• ebroun.com (2645 emails)
• hgbet.com (329 emails)

The IP address seem to be mostly but not exclusively from providers in the South of China, in Henan and Guangdong provinces:

inetnum: 115.48.0.0 – 115.63.255.255
netname: UNICOM-HA
descr: China Unicom Henan province network
descr: China Unicom
country: CN

inetnum: 123.8.0.0 – 123.15.255.255
netname: UNICOM-HA
descr: China Unicom Henan province network
descr: China Unicom
country: CN

inetnum: 123.52.0.0 – 123.55.255.255
netname: MAINT-CHINANET-HA
descr: CHINANET HENAN PROVINCE NETWORK
descr: henan Telecom Corporation
descr: 97# Zhongyuan Street, Zhengzhou,henan,Chinese
country: CN

inetnum: 121.32.0.0 – 121.35.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN

inetnum: 219.128.0.0 – 219.137.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN

inetnum: 123.112.0.0 – 123.127.255.255
netname: UNICOM-BJ
descr: China Unicom Beijing province network
descr: China Unicom
country: CN

If you think there is a line that such scammers won’t cross, think again.

Here is an email soliciting donations on behalf of “HAITI CITIZENS LIVING IN THE UNITED KINGDOM” with relatives living in Haiti, but really originating from an IP address in Nigeria, West Africa:

PASTOR JOHN BROMA
HAITI CITIZENS IN UNITED KINGDOM
23 BEN AVENUE S/W,LONDON
UNITED KINGDOM

DEAR SIR/MADAM

WE ARE HAITI CITIZENS LIVING IN THE UNITED KINGDOM WHOM THEIR FAMILIES
ARE AFFECTED BY THE RECENT EARTQUAKE,WE HAVE BEEN TRYING TO RAISE MONEY
TO HELP THE HAITI CITIZENS WHO ARE WITHOUT FOODS,DRUG AND SHELTER,SO WE
PLEAD THAT YOU SUPPORT US WITH WHAT EVER YOU CAN.

ALL DONATIONS SHOULD BE SEND THROUGH WESTERN UNION MONEY TRANSFER
BECAUSE OF THE URGENT ATTENTION NEEDED.DO SEND IT TO THE INFORMATIONS BELOW.

PASTOR JOHN BROMA

HAITI CITIZENS IN UNITED KINGDOM
23 BEN AVENUE S/W,LONDON
UNITED KINGDOM

PLEASE MAKE SURE THAT YOU FORWARD THE WESTERN UNION INFORMATIONS SUCH AS
SENDERS NAME,AMOUNT SEND AND THE MTCN.WE PRAY THAT ALMIGHTY GOD WILL
BLESS AS YOU HELP THE SUFFERING HAITI CITIZEN.

THANKS FOR YOUR HELP

PASTOR JOHN BROMA(SECRETARY)

Looking at the message headers we see:

Received: from User ([82.128.33.35] RDNS failed) by mail.westnet.com
with Microsoft SMTPSVC(6.0.3790.3959); Fri, 15 Jan 2010 19:13:32 +0900
Reply-To: <pastorjohnbroma@yahoo.com>
From: HIATI CITIZENS IN UNITED KINGDOM<pastorjohnbroma@yahoo.com>
Subject: HELP FOR HAITI
Date: Sat, 16 Jan 2010 11:21:10 -0800

IP address 82.128.33.35 belongs to a cell phone provider in Nigeria:

inetnum: 82.128.32.0 – 82.128.63.255
netname: INET-MLTL
descr: CDMA 1x/EVDO Dial up pool
country: NG
admin-c: RIA27
tech-c: RIA27
status: ASSIGNED PA
mnt-by: MLTL-INT-MNT
mnt-lower: MLTL-INT-MNT
source: AFRINIC # Filtered
parent: 82.128.0.0 – 82.128.127.255

person: IP Admin-RIPE
address: Multilinks Telecommunications Limited
address: 231 Adeola Odeku Str.
address: Victoria Island, Lagos, Nigeria

The criminal who sent this mail must be one of their customers.

If you want to make a donation to help those affected by the disaster, send it to the Red Cross or another well established relief organization. Beware of any stranger who asks you to wire money by Western Union or MoneyGram, because these instant wire transfer services are essentially anonymous and untraceable and there are no safeguards whatsoever against abuse by criminal recipients, who can not be traced. That is precisely why scammers prefer you to send money that way.

If hell exists there must be a special place there waiting for these scammers, who even make money out of the orphans and dying in Haiti.

Link exchange spam, i.e. unsolicited offers to reciprocally create links to each other’s sites, has been around for many years. Recently I came across a new twist, broken link suggestion spam. You’ll receive a personal looking email like the following that tells you about a broken link on a page on one of your sites, with an suggestion for a replacement link target (boldface added by me):

Hi Joe!
Sorry to bother you, my name is Kate Austen, I’m a teaching assistant for a sociology class. I’ve been doing some research online for an upcoming lesson on the urban legends, myths, and hoaxes, and your page was very helpful. Thanks so much!

I noticed that on your page (http://www.joewein.de/hoax.htm) you have a broken link http://www.urbanlegends.com/index.html (an old page about urban legends)… May I offer a thought on a possible replacement? http://www.costumesupercenter.com/csc_inc/html/static/btarticles/urbanlegendsandmyths.html It has some great information about several urban legends and myths. I found it to be a great resource during my research, and it would be a great fix to your broken link. I’ve added it to my bookmarks, along with your site

Just thought I’d let you know

Take Care,
Kate
kate@professor-research.org

I plugged some phrases from the above email into Google and it found the following similar email (boldface also added by me, please compare the two):

Crystal Sawyer
crystal@studentresearchers.org

Hi!
Sorry to bother you, my name is Crystal Sawyer, I’m an education major from upstate New York. I’ve been doing some research online for a class project and your pages were very helpful. Thanks so much

I noticed that on your page (http://www.apfn.org/apfn/mmm.htm) you have a broken link http://www.nara.gov/exhall/charters/declaration/decmain.html (an old page about science projects)… May I offer a thought on a possible replacement? http://legalmetro.com/library/historic-us-documents-the-charters-of-freedom.html It has some great information about teaching children how to do experimental science projects. I found it to be a great resource during my research, and it would be a great fix to your broken link. I’ve added it to my bookmarks, along with your site

Just thought I’d let you know

Take Care,
Crystal
crystal@studentresearchers.org

The number of identical phrases is far to high to be a coincidence. Looking at the sender domains professor-research.org and studentresearchers.org, the registrant on both is hidden behind the anonymization service domainsbyproxy.com.

I would say chances are good that both “Kate” and “Crystal” are the same person and that this person works for a company offering paid search engine optimization (SEO) services to boost their customers’ website rankings. They add some editorial contents to the customer website and then deceptively ask owners of sites with a high Page rank (PR) to replace broken links with links to these new pages by posing as students and researchers with no obvious commercial interest in the link target site.

If you receive any email that mentions any +4470 phone number, do not reply to it! You can submit the body of any suspicious email message to www.scamomatic.com for instant feedback about what kind of scam it might be.

These +4470 numbers are a gift to online scammers by British phone regulators. They are primarily owned by obscure British phone companies offering an anonymous call forwarding service. The economic model of these services is simple: The caller dials a rather expensive UK number and the UK service provider forwards the incoming call to a somewhat less expensive to call international number (for example a Nigerian mobile phone, which remains hidden from the caller), pocketing the difference between the call rates. For example, the caller might pay 50 cents per minute to call a +44 70 number and the call will then be forwarded to a Nigerian mobile phone that costs 25 cents per minute, leaving 25 cents per minute as a net margin for the service operator. The more successful the scammers are, the more money the phone company makes. Who ever said crime doesn’t pay?

These UK phone numbers are very attractive to scammers: When people can be made to believe that they are dealing with a bank, lawyer or government official in London, UK when they’re actually talking to a scammer on his cell phone in an Internet cafe in Lagos, Nigeria then they are much more easily defrauded by criminals.

As far as I can tell these numbers aren’t really being used for any other purpose than to enable international online crimes to be committed. In some nine years of tracking Nigerian scam emails, I have yet to come across a single legitimate user of a +44 70 number. I really don’t understand why the British government has allowed those services to continue to operate.

Now, of course the service operators can claim that they don’t know that their services are being used for criminal purposes unless someone tells them about it. On the other hand, they are not exactly making it easy to report abuse and the high prices of these services means that it’s unlikely that they’ll get much legitimate use, if any.

There are several ways to curb abuse, other than suspending +44 70 numbers altogether and I would encourage the UK government to seriously consider them:

• The UK regulators could make it a requirement that calls via this service either originate in the UK or terminate in the UK, i.e. to prevent unrestricted global relaying, with say calls from India or the US being forwarded to Nigeria or Côte d’Ivoire.
• The UK regulators could require service providers to announce the country name of the phone number to which the call is being forwarded if the destination number is not a UK number.
• The UK regulators could require service providers to block forwarding to mobile phone numbers in certain countries, e.g. Nigeria

Below is a sample list of +44 70 numbers that appeared in Nigerian scams reported to Scam-O-Matic over the course of the last seven days. These roughly 60 phone numbers per day are only the tip of the iceberg:

+447005801505
+447005802020
+447005810692
+447005934945
+447005942459
+447005963237
+447005977097
+447006001100
+447006002121
+447006002413
+447006029116
+447006062478
+447010023307
+447010027439
+447010027978
+447010027983
+447010028455
+447010030769
+447010285923
+447010306559
+447010476294
+447010786457
+447011120379
+447011120510
+447011120524
+447011121450
+447011121596
+447011128170
+447011129280
+447011129286
+447011129446
+447011130062
+447011130670
+447011130769
+447011131077
+447011131152
+447011133259
+447011140499
+447011140945
+447011140989
+447011146747
+447011146830
+447011147295
+447011149054
+447011152991
+447011153129
+447011162749
+447011163186
+447011163846
+447011164243
+447011182522
+447011183455
+447011184113
+447011196412
+447011197245
+447011197787
+447014225697
+447014232391
+447014232411
+447014232442
+447014236733
+447014244984
+447014275175
+447014275728
+447017026507
+447017430128
+447017769494
+447017848035
+447023011587
+447023056559
+447023058575
+447023069806
+447023086665
+447023087509
+447023092593
+447024010876
+447024010915
+447024011554
+447024012660
+447024013770
+447024014859
+447024016712
+447024017968
+447024018504
+447024018707
+447024018725
+447024018963
+447024019584
+447024019588
+447024021204
+447024021389
+447024023138
+447024023643
+447024024530
+447024024914
+447024024938
+447024025942
+447024028606
+447024029852
+447024032255
+447024033542
+447024034362
+447024034768
+447024035958
+447024036606
+447024037907
+447024038051
+447024038950
+447024041571
+447024041989
+447024042397
+447024043571
+447024045842
+447024046548
+447024047607
+447024047708
+447024051081
+447024051604
+447024053655
+447024054764
+447024056650
+447024056684
+447024057656
+447024057695
+447024059725
+447024061362
+447024061659
+447024061805
+447024062162
+447024063633
+447024063645
+447024064180
+447024065549
+447024066713
+447024066858
+447024067752
+447024068617
+447024069933
+447024070671
+447024071597
+447024071804
+447024071867
+447024072603
+447024072995
+447024073988
+447024074220
+447024074568
+447024074742
+447024075722
+447024075954
+447024077025
+447024078351
+447024079530
+447024079908
+447024080526
+447024080571
+447024080634
+447024082668
+447024082680
+447024082728
+447024083093
+447024083705
+447024084762
+447024084918
+447024084994
+447024086967
+447024087401
+447024087599
+447024087905
+447024091678
+447024091701
+447024091706
+447024092775
+447024092795
+447024092863
+447024095774
+447024095778
+447024095878
+447024096802
+447024096869
+447024097854
+447024098802
+447024098874
+447024099606
+447031740924
+447031742574
+447031744227
+447031744980
+447031744994
+447031745967
+447031746067
+447031746887
+447031747046
+447031747509
+447031749721
+447031801246
+447031801866
+447031803498
+447031803820
+447031808512
+447031809778
+447031814575
+447031814720
+447031815436
+447031816735
+447031818230
+447031821851
+447031822608
+447031823431
+447031824330
+447031825003
+447031826670
+447031830878
+447031833248
+447031833760
+447031834660
+447031835615
+447031835762
+447031837227
+447031843396
+447031844360
+447031845639
+447031846542
+447031850801
+447031851126
+447031855107
+447031855527
+447031858919
+447031859268
+447031859327
+447031859972
+447031861174
+447031861534
+447031865718
+447031877392
+447031877975
+447031880502
+447031885537
+447031890014
+447031891762
+447031894541
+447031898197
+447031903871
+447031906765
+447031908701
+447031909751
+447031911974
+447031913322
+447031915331
+447031918554
+447031918592
+447031918698
+447031918840
+447031920863
+447031928723
+447031930960
+447031931805
+447031934581
+447031938867
+447031940670
+4470319419882
+447031943771
+447031954666
+447031956661
+447031958680
+447031960513
+447031964131
+447031971731
+447031971766
+447031972833
+447031972850
+447031973785
+447031974969
+447031978795
+447031979858
+447031982694
+447031983660
+447031983882
+447031984862
+447031988864
+447031993596
+447031993967
+447031996818
+447032334576
+447035900183
+447035900344
+447035900914
+447035901588
+447035902188
+447035902683
+447035910276
+447035911140
+447035912873
+447035913994
+447035915768
+447035922616
+447035923742
+447035924448
+447035927916
+447035928180
+447035931142
+447035937446
+447035939194
+447035939320
+447035940617
+447035944729
+447035944779
+447035947431
+447035950853
+447035951254
+447035951405
+447035954295
+447035955376
+447035956312
+447035959966
+447035960942
+447035965038
+447035966176
+447035966188
+447035966289
+447035966480
+447035968588
+447035969249
+447035969496
+447035969754
+447035969801
+447035969823
+447035972572
+447035973164
+447035973821
+447035977317
+447035978042
+447035978343
+447035978550
+447035983963
+447035988651
+447035988847
+447035989086
+447035992118
+447035996148
+447035997215
+447035997533
+447035998886
+447035999080
+447040110515
+447041743214
+447045702581
+447045704323
+447045704570
+447045705126
+447045705374
+447045706975
+447045707234
+447045707660
+447045708253
+447045709129
+447045709292
+447045710531
+447045710917
+447045711325
+447045712243
+447045712434
+447045712662
+447045712816
+447045712993
+447045713815
+447045714219
+447045719541
+447045720546
+447045721125
+447045721617
+447045722125
+447045724094
+447045725176
+447045727388
+447045729804
+447045733035
+447045733518
+447045736862
+447045742669
+447045743467
+447045747569
+447045748609
+447045754338
+447045759317
+447045767521
+447045768060
+447045770961
+447045776356
+447045780693
+447045782120
+447045783777
+447045785147
+447045785239
+447045790181
+447045791709
+447045795051
+447045798638
+447045799030
+447053491702
+447053492393
+447075158182
+447092849621
+447092861761
+447092864823
+447092980578
+447092981646
+447092981769
+447092982175

We are interested to buy your domain name YOUR-DOMAIN-HERE and offer to buy it from you for 80% of the appraised market value.

As of now we accept appraisals from either one of the following leading appraisal companies:

- fleos.com
- sedo.com

If you already have an appraisal please forward it to us.

As soon as we have received your appraisal we will send you our payment (we use paypal for amounts less than $2,000 and escrow for amounts above $2,000) as well as
further instructions on how to complete the transfer of the domain name.

We appreciate your business,

Yours truly,

Mark Evans

The offered percentage or the alias of the sender may be different. The list of appraisal companies may vary too and the catch is in the requested appraisal: Whereas sedo.com is a well established company dealing in domain resale and appraisal, domains fleos.com, flyrating.com and others are new:

Domain Name: FLEOS.COM
Registrar: WEB COMMERCE COMMUNICATIONS LIMITED DBA WEBNIC.CC
Whois Server: whois.webnic.cc
Referral URL: http://www.webnic.cc
Name Server: NS1.EZYDOMAIN.COM
Name Server: NS2.EZYDOMAIN.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 04-jul-2009
Creation Date: 04-jul-2009
Expiration Date: 04-jul-2010

Registrant Contact:
Modern Outlook Sdn Bhd
Modern Outlook Sdn Bhd (reg_460127@whoisprotection.cc)
Lot 13-01A, Level 13 (East Wing) Berjaya Times Square, No.1, Jalan Imbi
Kuala Lumpur, Wilayah Persekutuan, Malaysia 55100
P: +603.21491999 F: +603.21431685

This one was used earlier than in the above sample:

Domain Name: FLYRATING.COM
Registrar: WEB COMMERCE COMMUNICATIONS LIMITED DBA WEBNIC.CC
Whois Server: whois.webnic.cc
Referral URL: http://www.webnic.cc
Name Server: NS1.EZYDOMAIN.COM
Name Server: NS2.EZYDOMAIN.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 26-may-2009
Creation Date: 26-may-2009
Expiration Date: 26-may-2010

Registrant Contact:
Modern Outlook Sdn Bhd
Modern Outlook Sdn Bhd (reg_449229@whoisprotection.cc)
Lot 13-01A, Level 13 (East Wing) Berjaya Times Square, No.1, Jalan Imbi
Kuala Lumpur, Wilayah Persekutuan, Malaysia 55100
P: +603.21491999 F: +603.21431685

Notice how they’re both registered via the same registrar. If anyone checks out the fees they’ll find that not coincidentally these no-names charge less than Sedo.com for their service, so they might easily get picked by domain owners hoping to make quick cash.

Your guess is as good as mine who sends out those buy offer spams that drive business to those cookie cutter domain appraisal firms, who take $22.95 from anyone falling for this scam.

Unless you enjoy getting scammed, avoid any domain purchase offer in which the would be buyer does not come up with an offer price on his own but asks you to get an appraisal from a third party and promises to pay you a percentage of the appraised value!

Other “appraisal company” domains used:

• nameorange.com
• pedma.com
• pozde.com
• podzz.com
• domainexplorer.org
• pddomains.com

See also:

• pedma.com domain appraisals? (dynamoo’s blog)
• Piradius.net / Yohost.org – black hat hosting? (dynamoo’s blog)

Last updated: 2009-08-10

Because of my volunteer work against online scams, some email accounts of mine end up in address books of thousands of people who over time have forwarded me samples of questionable mails. Consequently, I also receive a lot of requests to join online networking and other websites, many of which make it too easy to invite everyone in your address book to join a particular service when you join. One mail folder that I keep exclusively for such invitations from people I don’t recognize currently contains over 1,100 examples.

When I received another SiliconIndia invitation yesterday, I decided to take a closer look and a very interesting picture evolved. I had 42 invitations going back to February 2008. Nine of them (originating with three indivuals) did not include a photograph and almost all of those were from the first month. They may have been real invitations. The interesting thing about the other 33 invitations was that the senders were all female. Not one guy! 23 of these were sent from Gmail accounts and 10 from AOL or AIM accounts. One picture I received from both a Gmail and an AOL account. It wasn’t just that these emails had AOL or Gmail sender addresses, they also did not come from a SiliconIndia mail server as one might expect for regular “tell a friend” invitations. All were sent from regular personal Gmail and AOL accounts through the respective mail servers.

What this tells me is that someone is manually making up invitation mails, using pictures of pretty women to attract mostly male job seekers to join that service. And somebody somewhere is making money out of people who respond.

Out of curiosity I joined the service under an assumed identity. The profile for the person who had invited me the day before had a list of 456 “friends”. If she were to “stay in touch” with all of them as it said in the invitation, she’d be a pretty busy lady. So next time you get an invitation to join SiliconIndia to connect with some pretty woman, don’t delude yourself. Most likely some guy somewhere is being paid a few rupees to mail pictures of pretty girls to thousands of guys in order to drive traffic to a commercial website.

hi:
New shopping new life!
How are u doing these days?Yesterday I found a web of a large trading company from china,which is an agent of all the well-known digital product factories,and facing to both wholesalers,retailsalers,and personal customer all over the world. They export all kinds of digital products and offer most competitive and reasonable price and high quality goods for our clients,so i think we you make a big profit if we do business with them.And they promise they will provide the best after-sales-service.In my opinion we can make a trial order to test that.
Look forward to your early reply!
The Web address: www.vanigo.com
E-mail: vanigo@188.com
MSN : vanigo@msn.cn

——————————————————————————–

Få en billig laptop. Se Kelkoos gode tilbud her!

Looking at the mail headers, it had come from the mail account of a Danish Yahoo user, but originated from an IP address in China (details edited to protect the privacy of the account owner):

Received: from [124.118.179.157] by web26101.mail.ukl.yahoo.com
via HTTP; Wed, 11 Feb 2009 19:54:29 GMT
X-Mailer: YahooMailWebService/0.7.260.1
Date: Wed, 11 Feb 2009 19:54:29 +0000 (GMT)
From: uffe #####sen <uf###2@yahoo.dk>
Reply-To: uf###2@yahoo.dk
Subject: hi:
To: undisclosed recipients: ;

IP address 124.118.179.157 belongs to China Telecom:

inetnum: 124.118.0.0 – 124.119.255.255
netname: CHINANET-XJ
descr: CHINANET Xinjiang province network
descr: China Telecom
descr: No1,jin-rong Street
descr: Beijing 100032
country: CN

What appears to have happened is that spammers know the passwords to these mail accounts and are using them to send that spam to everyone in the mail account’s address book.

This is a very effective way to get through spam filters, as many recipients are likely to also have the sender in their address book and address book entries are automatically whitelisted by many spamfilters.

If you receive an email like that, alert the “sender” that their account has been compromised. They need to immediately change their email password to something more secure.

This abuse of stolen passwords illustrates the potential of password harvesting scams such as this one I documented in August 2008, which is still going on.

Here are some Google searches related to the hacked webmail spam:

• “New shopping new life”
• “good company who trades mainly in electornic products”

Here is a (probably incomplete) list of websites advertised this way:

• gvccn.com
• ibvcn.com
• jvccn.com
• tvtcn.com
• szfac.com
• cxkeg.com
• yaier.com
• mmhdf.com
• ixicb.com
• vanigo.com
• wabada.com
• bj-trade.com
• store-168.com
• ele-motors.com
• electronics-brand.com
• exciting-zone.com

Common subject lines:

• New shopping new life
• Good shopping good mood!
• Good web site
• Have a great shopping!
• good website!
• Hi,Thank you!
• Hi,
• Dear friend

Good passwords and bad passwords

A strong password should be the first line of defense against such criminals, but what makes a password good? It should contain a mixture of all of the following:

• lower case letters
• upper case letters
• digits
• at least one non-alphanumeric character

This makes it hard to break the password through brute force or through dictionary attacks.

Also the password should not be too short (8 characters or more) and should be reasonably easy to memorize, so you don’t have much need to write it down. Some examples:

• 45Knife%Cabbage
• 4F5g6H&j
• J0hn1945-07-31

Bad choices are passwords that consists of any word found in a dictionary, proper names, digits-only dates, adjacent keys on the keyboard or repeated characters. Never use anything like these:

• secret
• qwerty
• xxxx
• john45

It is very important not to use the exact same password for different purposes.

If spammers manage to trick you into revealing your password for one site (e.g. by getting you to create a new account at a site they control or by breaking into the database of another site where you’re a customer) then you’ve effectively handed them the key to the candy store. They can get access to your email account, in which they may find login information, password reminders, etc. of many other sites you’ve signed up for. At the very least they can harvest all your email contacts.

Beyond using different passwords for every site and service, it’s also a good idea to use a different password schema for “core” sites that you trust and depend upon (such as your email provider and webhost) and another for sites to which you sign up more casually (such as various forums, online shopping, etc.). Thus if one of the latter is compromised, it does not give criminals any clues what your more critical passwords may look like.

Who is behind this spam?

The sites advertised from the hacked email accounts constantly vary. They usually have been created only a few weeks or months earlier. For example, the domain in the above example was created two months ago:

Domain name: vanigo.com

Registrant Contact:
wuxianj
xiaos wu zhongfm@it5.cn
0592-5861837 fax: 0592-5861834
beijin
beijin beijin 100000
cn

Administrative Contact:
xiaos wu zhongfm@it5.cn
0592-5861837 fax: 0592-5861834
beijin
beijin beijin 100000
cn

Technical Contact:
xiaos wu zhongfm@it5.cn
0592-5861837 fax: 0592-5861834
beijin
beijin beijin 100000
cn

Billing Contact:
xiaos wu zhongfm@it5.cn
0592-5861837 fax: 0592-5861834
beijin
beijin beijin 100000
cn

DNS:
ns1.4everdns.com
ns2.4everdns.com

Created: 2008-12-08
Expires: 2009-12-08

Considering the highly illegal way the companies advertised, what are the chances that any order you make at those sites would ever get shipped to you? For sure, they will gladly take your cash by (untraceable, unsafe) Western Union or take your credit card number, expiration date and security code. Never use Western Union to send money to people you don’t know from real life in person. Never enter your credit card on a site that doesn’t have SSL access (indicated by a URL starting with https:// and a padlock icon in the browser status bar) with a proper certificate.

Even more basic: Never do business with spammers. By sending you spam, they have already proven to you that they lack any morals. You have no reason to trust them and every reason to be alert!

If you have received similar spams, feel free to post them below.

For over two years I’ve been receiving emails coaxing me to join a website called tagged.com, supposedly sent by people who consider me their “friend”, but who I invariably do not recognize. I suppose they have my email address in their address book because they probably reported Nigerian scams to me before (I collect several hundred reports per day, most of which get processed automatically), but I could not possibly have had a two way email exchange with more than a small fraction of them, let alone built a friendship.

Here is a typical example:

Firstname has added you as a friend on Tagged.

Is Firstname your friend?

[ Yes] [ No ]

Please respond or Firstname may think you said no

Click here to unsubscribe from Tagged, P.O. Box 193152 San Francisco, CA 94119-3152

Invitation spam

The tagged.com mails are just one example of a category of what I consider invitation spam, because they server no real purpose other than getting me to join a website that I have no interest in joining. The supposed sender already has my address and can contact me any time if he has something to tell me and if we really were friends, chances are I would already have his email too.

What I find particularly annoying about the Tagged.com emails is how they try to pressure the recipient into clicking the “Yes” link by exploiting people’s considerate nature. Most of us don’t unnecessarily want to hurt other people’s feelings. Therefore this line gets really on my nerves:

Please respond or Firstname may think you said no

Interestingly, the same annoying phrase (either including the colon, left bracket frowning negative smiley or a positive smiley) started appearing in several other invitation spams that don’t mention Tagged.com:

From imvu.com, August 2007:

Hey Joewein,

Firstname has added you as a friend on IMVU.

Is Firstname your friend?

[ Yes] [ No ]

Please respond or Firstname may think you said no

From MyYearBook.com, November 2007:

Firstname has added you as a friend
Is Firstname your friend?

[ Yes] [ No ]

Please respond or Firstname will think you said no

Click Here to block all emails from myYearbook, 280 Union Square Dr., New Hope, PA 18938

From Yaari.com, February 2008:

Firstname Lastname wants you to join Yaari!

Is Firstname your friend?

Yes, Firstname is my friend! No, Firstname isn’t my friend.

Please respond or Firstname might think you said no

Thanks,
The Yaari Team

____
You are receiving this message because someone you know registered for Yaari and listed you as a contact.
If you prefer not to receive this email tell us here.
If you have any concerns regarding the content of this message, please email abuse@yaari.com.
Yaari LLC, 358 Angier Ave, Atlanta, GA 30312

To this day I am receiving a mix of Tagged.com, MyYearbook, Yaari and IMVU emails from various people.

The only party who really gets anything out of this type of (probably automated) email is the website owner. It actually doesn’t matter whether you click “Yes” or “No” on those spams, either way you’ll end up on a web form to provide personal details to join the site.

Many social networking sites ask for access to your Yahoo, Hotmail, Outlook or other address book when joining. They then send everyone in your address book invitations in your name. Thus the game continues as long as address books aren’t empty and at least some people click on either “Yes” or “No”.

When I receive such emails, I usually archive them to a folder in my mail cabinet that I named “Plaxo-Ringo” after the first two websites that spammed me like that in significant volume. I archive them for research purposes, but if you’re not a spam researcher like me you might as well delete them.

Just like on Facebook and MySpace I never act on “friend” invitations unless I have a genuine personal relationship with the sender, and neither should you. There is no need to feel guilty about discarding spam that is meant to sell commercial websites, even if it masquerades as something much more personal and precious, like friendship.

Such is the case with Spam URL Blacklists (SURBLs), which list domains advertised via spam. Spamfilters will intercept emails that mention blacklisted domains used in clickable links. The spammers can use fake sender addresses and send email from cracked hosts and cracked third party mail accounts, but they still get caught as soon as they mention their websites. This hurts spammers because they only make money when people go to their websites and hand over their credit card details to order fake Rolexes, pills, porn, etc.

To get around this, spammers have been using pages created at free webhosting services and other third party sites where content can be uploaded. The links only mention the free hosting site, which then redirects to the final spam site.

One service abused for this is Google Groups. Other services recently seen used are Google Docs, Microsoft Spaces Live and Geocities. In the case of Google Groups the spammers create mailing lists and upload a spam link to the home page of the new group. They never use the groups for their intended purpose, i.e. mailing lists. This effectively makes it impossible to report the abuse via Google’s abuse handling procedures: Any archived posting or uploaded document on the Google Groups service has an abuse reporting link, but the home page of the group itself does not! Obviously, Google never envisaged that spammers would create groups only to have one page of web content that can be advertised via spam.

Here is an example of a spam:

Received: from host34.net215.omkc.ru (HELO host34.net215.omkc.ru) [217.25.215.34]
by mymailhost (mx077) with SMTP; 21 Jan 2009 04:21:47 +0100
Message-ID: <47940FC9.1016287@verizon.net>
Date: Mon, 21 Jan 2008 03:21:45 GMT
From: arturo <arturo.matthews1@verizon.net>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: mymailbox
Subject: Brighten Your Day
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

After trying out tooth whitening system AT NO COST TO YOU you’ll realize that your smile is irresistably contagious!

http://groups.google.com/group/fkvrqzzzjckhj

(Add S+H)

The page advertises “Click Here – Free Credit Score & Debt Help” which is a spam link using the domain white-teeth2009.com hosted on IP address 220.164.144.205 in China. It is listed on four sub-lists of SURBL (WS, OB, AB and JP). Its name servers are ns1.dckfdc.com and ns2.dckfdc.com. Other domains by the same spammers are whiten-your-smile2009.com and smile-really-great.com.

At the very least Google should add an abuse reporting link to its Google Group pages. It would be even better if they were to check uploaded Google Group content and checked any URLs in it against spam blacklists such as SURBL. This would stop the spammers in their tracks.