If you think there is a line that such scammers won’t cross, think again.

Here is an email soliciting donations on behalf of “HAITI CITIZENS LIVING IN THE UNITED KINGDOM” with relatives living in Haiti, but really originating from an IP address in Nigeria, West Africa:

PASTOR JOHN BROMA
HAITI CITIZENS IN UNITED KINGDOM
23 BEN AVENUE S/W,LONDON
UNITED KINGDOM

DEAR SIR/MADAM

WE ARE HAITI CITIZENS LIVING IN THE UNITED KINGDOM WHOM THEIR FAMILIES
ARE AFFECTED BY THE RECENT EARTQUAKE,WE HAVE BEEN TRYING TO RAISE MONEY
TO HELP THE HAITI CITIZENS WHO ARE WITHOUT FOODS,DRUG AND SHELTER,SO WE
PLEAD THAT YOU SUPPORT US WITH WHAT EVER YOU CAN.

ALL DONATIONS SHOULD BE SEND THROUGH WESTERN UNION MONEY TRANSFER
BECAUSE OF THE URGENT ATTENTION NEEDED.DO SEND IT TO THE INFORMATIONS BELOW.

PASTOR JOHN BROMA

HAITI CITIZENS IN UNITED KINGDOM
23 BEN AVENUE S/W,LONDON
UNITED KINGDOM

PLEASE MAKE SURE THAT YOU FORWARD THE WESTERN UNION INFORMATIONS SUCH AS
SENDERS NAME,AMOUNT SEND AND THE MTCN.WE PRAY THAT ALMIGHTY GOD WILL
BLESS AS YOU HELP THE SUFFERING HAITI CITIZEN.

THANKS FOR YOUR HELP

PASTOR JOHN BROMA(SECRETARY)

Looking at the message headers we see:

Received: from User ([82.128.33.35] RDNS failed) by mail.westnet.com
with Microsoft SMTPSVC(6.0.3790.3959); Fri, 15 Jan 2010 19:13:32 +0900
Reply-To: <pastorjohnbroma@yahoo.com>
From: HIATI CITIZENS IN UNITED KINGDOM<pastorjohnbroma@yahoo.com>
Subject: HELP FOR HAITI
Date: Sat, 16 Jan 2010 11:21:10 -0800

IP address 82.128.33.35 belongs to a cell phone provider in Nigeria:

inetnum: 82.128.32.0 – 82.128.63.255
netname: INET-MLTL
descr: CDMA 1x/EVDO Dial up pool
country: NG
admin-c: RIA27
tech-c: RIA27
status: ASSIGNED PA
mnt-by: MLTL-INT-MNT
mnt-lower: MLTL-INT-MNT
source: AFRINIC # Filtered
parent: 82.128.0.0 – 82.128.127.255

person: IP Admin-RIPE
address: Multilinks Telecommunications Limited
address: 231 Adeola Odeku Str.
address: Victoria Island, Lagos, Nigeria

The criminal who sent this mail must be one of their customers.

If you want to make a donation to help those affected by the disaster, send it to the Red Cross or another well established relief organization. Beware of any stranger who asks you to wire money by Western Union or MoneyGram, because these instant wire transfer services are essentially anonymous and untraceable and there are no safeguards whatsoever against abuse by criminal recipients, who can not be traced. That is precisely why scammers prefer you to send money that way.

If hell exists there must be a special place there waiting for these scammers, who even make money out of the orphans and dying in Haiti.

Link exchange spam, i.e. unsolicited offers to reciprocally create links to each other’s sites, has been around for many years. Recently I came across a new twist, broken link suggestion spam. You’ll receive a personal looking email like the following that tells you about a broken link on a page on one of your sites, with an suggestion for a replacement link target (boldface added by me):

Hi Joe!
Sorry to bother you, my name is Kate Austen, I’m a teaching assistant for a sociology class. I’ve been doing some research online for an upcoming lesson on the urban legends, myths, and hoaxes, and your page was very helpful. Thanks so much!

I noticed that on your page (http://www.joewein.de/hoax.htm) you have a broken link http://www.urbanlegends.com/index.html (an old page about urban legends)… May I offer a thought on a possible replacement? http://www.costumesupercenter.com/csc_inc/html/static/btarticles/urbanlegendsandmyths.html It has some great information about several urban legends and myths. I found it to be a great resource during my research, and it would be a great fix to your broken link. I’ve added it to my bookmarks, along with your site

Just thought I’d let you know

Take Care,
Kate
kate@professor-research.org

I plugged some phrases from the above email into Google and it found the following similar email (boldface also added by me, please compare the two):

Crystal Sawyer
crystal@studentresearchers.org

Hi!
Sorry to bother you, my name is Crystal Sawyer, I’m an education major from upstate New York. I’ve been doing some research online for a class project and your pages were very helpful. Thanks so much

I noticed that on your page (http://www.apfn.org/apfn/mmm.htm) you have a broken link http://www.nara.gov/exhall/charters/declaration/decmain.html (an old page about science projects)… May I offer a thought on a possible replacement? http://legalmetro.com/library/historic-us-documents-the-charters-of-freedom.html It has some great information about teaching children how to do experimental science projects. I found it to be a great resource during my research, and it would be a great fix to your broken link. I’ve added it to my bookmarks, along with your site

Just thought I’d let you know

Take Care,
Crystal
crystal@studentresearchers.org

The number of identical phrases is far to high to be a coincidence. Looking at the sender domains professor-research.org and studentresearchers.org, the registrant on both is hidden behind the anonymization service domainsbyproxy.com.

I would say chances are good that both “Kate” and “Crystal” are the same person and that this person works for a company offering paid search engine optimization (SEO) services to boost their customers’ website rankings. They add some editorial contents to the customer website and then deceptively ask owners of sites with a high Page rank (PR) to replace broken links with links to these new pages by posing as students and researchers with no obvious commercial interest in the link target site.

If you receive any email that mentions any +4470 phone number, do not reply to it! You can submit the body of any suspicious email message to www.scamomatic.com for instant feedback about what kind of scam it might be.

These +4470 numbers are a gift to online scammers by British phone regulators. They are primarily owned by obscure British phone companies offering an anonymous call forwarding service. The economic model of these services is simple: The caller dials a rather expensive UK number and the UK service provider forwards the incoming call to a somewhat less expensive to call international number (for example a Nigerian mobile phone, which remains hidden from the caller), pocketing the difference between the call rates. For example, the caller might pay 50 cents per minute to call a +44 70 number and the call will then be forwarded to a Nigerian mobile phone that costs 25 cents per minute, leaving 25 cents per minute as a net margin for the service operator. The more successful the scammers are, the more money the phone company makes. Who ever said crime doesn’t pay?

These UK phone numbers are very attractive to scammers: When people can be made to believe that they are dealing with a bank, lawyer or government official in London, UK when they’re actually talking to a scammer on his cell phone in an Internet cafe in Lagos, Nigeria then they are much more easily defrauded by criminals.

As far as I can tell these numbers aren’t really being used for any other purpose than to enable international online crimes to be committed. In some nine years of tracking Nigerian scam emails, I have yet to come across a single legitimate user of a +44 70 number. I really don’t understand why the British government has allowed those services to continue to operate.

Now, of course the service operators can claim that they don’t know that their services are being used for criminal purposes unless someone tells them about it. On the other hand, they are not exactly making it easy to report abuse and the high prices of these services means that it’s unlikely that they’ll get much legitimate use, if any.

There are several ways to curb abuse, other than suspending +44 70 numbers altogether and I would encourage the UK government to seriously consider them:

• The UK regulators could make it a requirement that calls via this service either originate in the UK or terminate in the UK, i.e. to prevent unrestricted global relaying, with say calls from India or the US being forwarded to Nigeria or Côte d’Ivoire.
• The UK regulators could require service providers to announce the country name of the phone number to which the call is being forwarded if the destination number is not a UK number.
• The UK regulators could require service providers to block forwarding to mobile phone numbers in certain countries, e.g. Nigeria

Below is a sample list of +44 70 numbers that appeared in Nigerian scams reported to Scam-O-Matic over the course of the last seven days. These roughly 60 phone numbers per day are only the tip of the iceberg:

+447005801505
+447005802020
+447005810692
+447005934945
+447005942459
+447005963237
+447005977097
+447006001100
+447006002121
+447006002413
+447006029116
+447006062478
+447010023307
+447010027439
+447010027978
+447010027983
+447010028455
+447010030769
+447010285923
+447010306559
+447010476294
+447010786457
+447011120379
+447011120510
+447011120524
+447011121450
+447011121596
+447011128170
+447011129280
+447011129286
+447011129446
+447011130062
+447011130670
+447011130769
+447011131077
+447011131152
+447011133259
+447011140499
+447011140945
+447011140989
+447011146747
+447011146830
+447011147295
+447011149054
+447011152991
+447011153129
+447011162749
+447011163186
+447011163846
+447011164243
+447011182522
+447011183455
+447011184113
+447011196412
+447011197245
+447011197787
+447014225697
+447014232391
+447014232411
+447014232442
+447014236733
+447014244984
+447014275175
+447014275728
+447017026507
+447017430128
+447017769494
+447017848035
+447023011587
+447023056559
+447023058575
+447023069806
+447023086665
+447023087509
+447023092593
+447024010876
+447024010915
+447024011554
+447024012660
+447024013770
+447024014859
+447024016712
+447024017968
+447024018504
+447024018707
+447024018725
+447024018963
+447024019584
+447024019588
+447024021204
+447024021389
+447024023138
+447024023643
+447024024530
+447024024914
+447024024938
+447024025942
+447024028606
+447024029852
+447024032255
+447024033542
+447024034362
+447024034768
+447024035958
+447024036606
+447024037907
+447024038051
+447024038950
+447024041571
+447024041989
+447024042397
+447024043571
+447024045842
+447024046548
+447024047607
+447024047708
+447024051081
+447024051604
+447024053655
+447024054764
+447024056650
+447024056684
+447024057656
+447024057695
+447024059725
+447024061362
+447024061659
+447024061805
+447024062162
+447024063633
+447024063645
+447024064180
+447024065549
+447024066713
+447024066858
+447024067752
+447024068617
+447024069933
+447024070671
+447024071597
+447024071804
+447024071867
+447024072603
+447024072995
+447024073988
+447024074220
+447024074568
+447024074742
+447024075722
+447024075954
+447024077025
+447024078351
+447024079530
+447024079908
+447024080526
+447024080571
+447024080634
+447024082668
+447024082680
+447024082728
+447024083093
+447024083705
+447024084762
+447024084918
+447024084994
+447024086967
+447024087401
+447024087599
+447024087905
+447024091678
+447024091701
+447024091706
+447024092775
+447024092795
+447024092863
+447024095774
+447024095778
+447024095878
+447024096802
+447024096869
+447024097854
+447024098802
+447024098874
+447024099606
+447031740924
+447031742574
+447031744227
+447031744980
+447031744994
+447031745967
+447031746067
+447031746887
+447031747046
+447031747509
+447031749721
+447031801246
+447031801866
+447031803498
+447031803820
+447031808512
+447031809778
+447031814575
+447031814720
+447031815436
+447031816735
+447031818230
+447031821851
+447031822608
+447031823431
+447031824330
+447031825003
+447031826670
+447031830878
+447031833248
+447031833760
+447031834660
+447031835615
+447031835762
+447031837227
+447031843396
+447031844360
+447031845639
+447031846542
+447031850801
+447031851126
+447031855107
+447031855527
+447031858919
+447031859268
+447031859327
+447031859972
+447031861174
+447031861534
+447031865718
+447031877392
+447031877975
+447031880502
+447031885537
+447031890014
+447031891762
+447031894541
+447031898197
+447031903871
+447031906765
+447031908701
+447031909751
+447031911974
+447031913322
+447031915331
+447031918554
+447031918592
+447031918698
+447031918840
+447031920863
+447031928723
+447031930960
+447031931805
+447031934581
+447031938867
+447031940670
+4470319419882
+447031943771
+447031954666
+447031956661
+447031958680
+447031960513
+447031964131
+447031971731
+447031971766
+447031972833
+447031972850
+447031973785
+447031974969
+447031978795
+447031979858
+447031982694
+447031983660
+447031983882
+447031984862
+447031988864
+447031993596
+447031993967
+447031996818
+447032334576
+447035900183
+447035900344
+447035900914
+447035901588
+447035902188
+447035902683
+447035910276
+447035911140
+447035912873
+447035913994
+447035915768
+447035922616
+447035923742
+447035924448
+447035927916
+447035928180
+447035931142
+447035937446
+447035939194
+447035939320
+447035940617
+447035944729
+447035944779
+447035947431
+447035950853
+447035951254
+447035951405
+447035954295
+447035955376
+447035956312
+447035959966
+447035960942
+447035965038
+447035966176
+447035966188
+447035966289
+447035966480
+447035968588
+447035969249
+447035969496
+447035969754
+447035969801
+447035969823
+447035972572
+447035973164
+447035973821
+447035977317
+447035978042
+447035978343
+447035978550
+447035983963
+447035988651
+447035988847
+447035989086
+447035992118
+447035996148
+447035997215
+447035997533
+447035998886
+447035999080
+447040110515
+447041743214
+447045702581
+447045704323
+447045704570
+447045705126
+447045705374
+447045706975
+447045707234
+447045707660
+447045708253
+447045709129
+447045709292
+447045710531
+447045710917
+447045711325
+447045712243
+447045712434
+447045712662
+447045712816
+447045712993
+447045713815
+447045714219
+447045719541
+447045720546
+447045721125
+447045721617
+447045722125
+447045724094
+447045725176
+447045727388
+447045729804
+447045733035
+447045733518
+447045736862
+447045742669
+447045743467
+447045747569
+447045748609
+447045754338
+447045759317
+447045767521
+447045768060
+447045770961
+447045776356
+447045780693
+447045782120
+447045783777
+447045785147
+447045785239
+447045790181
+447045791709
+447045795051
+447045798638
+447045799030
+447053491702
+447053492393
+447075158182
+447092849621
+447092861761
+447092864823
+447092980578
+447092981646
+447092981769
+447092982175

We are interested to buy your domain name YOUR-DOMAIN-HERE and offer to buy it from you for 80% of the appraised market value.

As of now we accept appraisals from either one of the following leading appraisal companies:

- fleos.com
- sedo.com

If you already have an appraisal please forward it to us.

As soon as we have received your appraisal we will send you our payment (we use paypal for amounts less than $2,000 and escrow for amounts above $2,000) as well as
further instructions on how to complete the transfer of the domain name.

We appreciate your business,

Yours truly,

Mark Evans

The offered percentage or the alias of the sender may be different. The list of appraisal companies may vary too and the catch is in the requested appraisal: Whereas sedo.com is a well established company dealing in domain resale and appraisal, domains fleos.com, flyrating.com and others are new:

Domain Name: FLEOS.COM
Registrar: WEB COMMERCE COMMUNICATIONS LIMITED DBA WEBNIC.CC
Whois Server: whois.webnic.cc
Referral URL: http://www.webnic.cc
Name Server: NS1.EZYDOMAIN.COM
Name Server: NS2.EZYDOMAIN.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 04-jul-2009
Creation Date: 04-jul-2009
Expiration Date: 04-jul-2010

Registrant Contact:
Modern Outlook Sdn Bhd
Modern Outlook Sdn Bhd (reg_460127@whoisprotection.cc)
Lot 13-01A, Level 13 (East Wing) Berjaya Times Square, No.1, Jalan Imbi
Kuala Lumpur, Wilayah Persekutuan, Malaysia 55100
P: +603.21491999 F: +603.21431685

This one was used earlier than in the above sample:

Domain Name: FLYRATING.COM
Registrar: WEB COMMERCE COMMUNICATIONS LIMITED DBA WEBNIC.CC
Whois Server: whois.webnic.cc
Referral URL: http://www.webnic.cc
Name Server: NS1.EZYDOMAIN.COM
Name Server: NS2.EZYDOMAIN.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 26-may-2009
Creation Date: 26-may-2009
Expiration Date: 26-may-2010

Registrant Contact:
Modern Outlook Sdn Bhd
Modern Outlook Sdn Bhd (reg_449229@whoisprotection.cc)
Lot 13-01A, Level 13 (East Wing) Berjaya Times Square, No.1, Jalan Imbi
Kuala Lumpur, Wilayah Persekutuan, Malaysia 55100
P: +603.21491999 F: +603.21431685

Notice how they’re both registered via the same registrar. If anyone checks out the fees they’ll find that not coincidentally these no-names charge less than Sedo.com for their service, so they might easily get picked by domain owners hoping to make quick cash.

Your guess is as good as mine who sends out those buy offer spams that drive business to those cookie cutter domain appraisal firms, who take $22.95 from anyone falling for this scam.

Unless you enjoy getting scammed, avoid any domain purchase offer in which the would be buyer does not come up with an offer price on his own but asks you to get an appraisal from a third party and promises to pay you a percentage of the appraised value!

Other “appraisal company” domains used:

• nameorange.com
• pedma.com
• pozde.com
• podzz.com
• domainexplorer.org
• pddomains.com

See also:

• pedma.com domain appraisals? (dynamoo’s blog)
• Piradius.net / Yohost.org – black hat hosting? (dynamoo’s blog)

Last updated: 2009-08-10

Because of my volunteer work against online scams, some email accounts of mine end up in address books of thousands of people who over time have forwarded me samples of questionable mails. Consequently, I also receive a lot of requests to join online networking and other websites, many of which make it too easy to invite everyone in your address book to join a particular service when you join. One mail folder that I keep exclusively for such invitations from people I don’t recognize currently contains over 1,100 examples.

When I received another SiliconIndia invitation yesterday, I decided to take a closer look and a very interesting picture evolved. I had 42 invitations going back to February 2008. Nine of them (originating with three indivuals) did not include a photograph and almost all of those were from the first month. They may have been real invitations. The interesting thing about the other 33 invitations was that the senders were all female. Not one guy! 23 of these were sent from Gmail accounts and 10 from AOL or AIM accounts. One picture I received from both a Gmail and an AOL account. It wasn’t just that these emails had AOL or Gmail sender addresses, they also did not come from a SiliconIndia mail server as one might expect for regular “tell a friend” invitations. All were sent from regular personal Gmail and AOL accounts through the respective mail servers.

What this tells me is that someone is manually making up invitation mails, using pictures of pretty women to attract mostly male job seekers to join that service. And somebody somewhere is making money out of people who respond.

Out of curiosity I joined the service under an assumed identity. The profile for the person who had invited me the day before had a list of 456 “friends”. If she were to “stay in touch” with all of them as it said in the invitation, she’d be a pretty busy lady. So next time you get an invitation to join SiliconIndia to connect with some pretty woman, don’t delude yourself. Most likely some guy somewhere is being paid a few rupees to mail pictures of pretty girls to thousands of guys in order to drive traffic to a commercial website.

hi:
New shopping new life!
How are u doing these days?Yesterday I found a web of a large trading company from china,which is an agent of all the well-known digital product factories,and facing to both wholesalers,retailsalers,and personal customer all over the world. They export all kinds of digital products and offer most competitive and reasonable price and high quality goods for our clients,so i think we you make a big profit if we do business with them.And they promise they will provide the best after-sales-service.In my opinion we can make a trial order to test that.
Look forward to your early reply!
The Web address: www.vanigo.com
E-mail: vanigo@188.com
MSN : vanigo@msn.cn

——————————————————————————–

Få en billig laptop. Se Kelkoos gode tilbud her!

Looking at the mail headers, it had come from the mail account of a Danish Yahoo user, but originated from an IP address in China (details edited to protect the privacy of the account owner):

Received: from [124.118.179.157] by web26101.mail.ukl.yahoo.com
via HTTP; Wed, 11 Feb 2009 19:54:29 GMT
X-Mailer: YahooMailWebService/0.7.260.1
Date: Wed, 11 Feb 2009 19:54:29 +0000 (GMT)
From: uffe #####sen <uf###2@yahoo.dk>
Reply-To: uf###2@yahoo.dk
Subject: hi:
To: undisclosed recipients: ;

IP address 124.118.179.157 belongs to China Telecom:

inetnum: 124.118.0.0 – 124.119.255.255
netname: CHINANET-XJ
descr: CHINANET Xinjiang province network
descr: China Telecom
descr: No1,jin-rong Street
descr: Beijing 100032
country: CN

What appears to have happened is that spammers know the passwords to these mail accounts and are using them to send that spam to everyone in the mail account’s address book.

This is a very effective way to get through spam filters, as many recipients are likely to also have the sender in their address book and address book entries are automatically whitelisted by many spamfilters.

If you receive an email like that, alert the “sender” that their account has been compromised. They need to immediately change their email password to something more secure.

This abuse of stolen passwords illustrates the potential of password harvesting scams such as this one I documented in August 2008, which is still going on.

Here are some Google searches related to the hacked webmail spam:

• “New shopping new life”
• “good company who trades mainly in electornic products”

Here is a (probably incomplete) list of websites advertised this way:

• gvccn.com
• ibvcn.com
• jvccn.com
• tvtcn.com
• szfac.com
• cxkeg.com
• yaier.com
• mmhdf.com
• ixicb.com
• vanigo.com
• wabada.com
• bj-trade.com
• store-168.com
• ele-motors.com
• electronics-brand.com
• exciting-zone.com

Common subject lines:

• New shopping new life
• Good shopping good mood!
• Good web site
• Have a great shopping!
• good website!
• Hi,Thank you!
• Hi,
• Dear friend

Good passwords and bad passwords

A strong password should be the first line of defense against such criminals, but what makes a password good? It should contain a mixture of all of the following:

• lower case letters
• upper case letters
• digits
• at least one non-alphanumeric character

This makes it hard to break the password through brute force or through dictionary attacks.

Also the password should not be too short (8 characters or more) and should be reasonably easy to memorize, so you don’t have much need to write it down. Some examples:

• 45Knife%Cabbage
• 4F5g6H&j
• J0hn1945-07-31

Bad choices are passwords that consists of any word found in a dictionary, proper names, digits-only dates, adjacent keys on the keyboard or repeated characters. Never use anything like these:

• secret
• qwerty
• xxxx
• john45

It is very important not to use the exact same password for different purposes.

If spammers manage to trick you into revealing your password for one site (e.g. by getting you to create a new account at a site they control or by breaking into the database of another site where you’re a customer) then you’ve effectively handed them the key to the candy store. They can get access to your email account, in which they may find login information, password reminders, etc. of many other sites you’ve signed up for. At the very least they can harvest all your email contacts.

Beyond using different passwords for every site and service, it’s also a good idea to use a different password schema for “core” sites that you trust and depend upon (such as your email provider and webhost) and another for sites to which you sign up more casually (such as various forums, online shopping, etc.). Thus if one of the latter is compromised, it does not give criminals any clues what your more critical passwords may look like.

Who is behind this spam?

The sites advertised from the hacked email accounts constantly vary. They usually have been created only a few weeks or months earlier. For example, the domain in the above example was created two months ago:

Domain name: vanigo.com

Registrant Contact:
wuxianj
xiaos wu zhongfm@it5.cn
0592-5861837 fax: 0592-5861834
beijin
beijin beijin 100000
cn

Administrative Contact:
xiaos wu zhongfm@it5.cn
0592-5861837 fax: 0592-5861834
beijin
beijin beijin 100000
cn

Technical Contact:
xiaos wu zhongfm@it5.cn
0592-5861837 fax: 0592-5861834
beijin
beijin beijin 100000
cn

Billing Contact:
xiaos wu zhongfm@it5.cn
0592-5861837 fax: 0592-5861834
beijin
beijin beijin 100000
cn

DNS:
ns1.4everdns.com
ns2.4everdns.com

Created: 2008-12-08
Expires: 2009-12-08

Considering the highly illegal way the companies advertised, what are the chances that any order you make at those sites would ever get shipped to you? For sure, they will gladly take your cash by (untraceable, unsafe) Western Union or take your credit card number, expiration date and security code. Never use Western Union to send money to people you don’t know from real life in person. Never enter your credit card on a site that doesn’t have SSL access (indicated by a URL starting with https:// and a padlock icon in the browser status bar) with a proper certificate.

Even more basic: Never do business with spammers. By sending you spam, they have already proven to you that they lack any morals. You have no reason to trust them and every reason to be alert!

If you have received similar spams, feel free to post them below.

For over two years I’ve been receiving emails coaxing me to join a website called tagged.com, supposedly sent by people who consider me their “friend”, but who I invariably do not recognize. I suppose they have my email address in their address book because they probably reported Nigerian scams to me before (I collect several hundred reports per day, most of which get processed automatically), but I could not possibly have had a two way email exchange with more than a small fraction of them, let alone built a friendship.

Here is a typical example:

Firstname has added you as a friend on Tagged.

Is Firstname your friend?

[ Yes] [ No ]

Please respond or Firstname may think you said no

Click here to unsubscribe from Tagged, P.O. Box 193152 San Francisco, CA 94119-3152

Invitation spam

The tagged.com mails are just one example of a category of what I consider invitation spam, because they server no real purpose other than getting me to join a website that I have no interest in joining. The supposed sender already has my address and can contact me any time if he has something to tell me and if we really were friends, chances are I would already have his email too.

What I find particularly annoying about the Tagged.com emails is how they try to pressure the recipient into clicking the “Yes” link by exploiting people’s considerate nature. Most of us don’t unnecessarily want to hurt other people’s feelings. Therefore this line gets really on my nerves:

Please respond or Firstname may think you said no

Interestingly, the same annoying phrase (either including the colon, left bracket frowning negative smiley or a positive smiley) started appearing in several other invitation spams that don’t mention Tagged.com:

From imvu.com, August 2007:

Hey Joewein,

Firstname has added you as a friend on IMVU.

Is Firstname your friend?

[ Yes] [ No ]

Please respond or Firstname may think you said no

From MyYearBook.com, November 2007:

Firstname has added you as a friend
Is Firstname your friend?

[ Yes] [ No ]

Please respond or Firstname will think you said no

Click Here to block all emails from myYearbook, 280 Union Square Dr., New Hope, PA 18938

From Yaari.com, February 2008:

Firstname Lastname wants you to join Yaari!

Is Firstname your friend?

Yes, Firstname is my friend! No, Firstname isn’t my friend.

Please respond or Firstname might think you said no

Thanks,
The Yaari Team

____
You are receiving this message because someone you know registered for Yaari and listed you as a contact.
If you prefer not to receive this email tell us here.
If you have any concerns regarding the content of this message, please email abuse@yaari.com.
Yaari LLC, 358 Angier Ave, Atlanta, GA 30312

To this day I am receiving a mix of Tagged.com, MyYearbook, Yaari and IMVU emails from various people.

The only party who really gets anything out of this type of (probably automated) email is the website owner. It actually doesn’t matter whether you click “Yes” or “No” on those spams, either way you’ll end up on a web form to provide personal details to join the site.

Many social networking sites ask for access to your Yahoo, Hotmail, Outlook or other address book when joining. They then send everyone in your address book invitations in your name. Thus the game continues as long as address books aren’t empty and at least some people click on either “Yes” or “No”.

When I receive such emails, I usually archive them to a folder in my mail cabinet that I named “Plaxo-Ringo” after the first two websites that spammed me like that in significant volume. I archive them for research purposes, but if you’re not a spam researcher like me you might as well delete them.

Just like on Facebook and MySpace I never act on “friend” invitations unless I have a genuine personal relationship with the sender, and neither should you. There is no need to feel guilty about discarding spam that is meant to sell commercial websites, even if it masquerades as something much more personal and precious, like friendship.

Such is the case with Spam URL Blacklists (SURBLs), which list domains advertised via spam. Spamfilters will intercept emails that mention blacklisted domains used in clickable links. The spammers can use fake sender addresses and send email from cracked hosts and cracked third party mail accounts, but they still get caught as soon as they mention their websites. This hurts spammers because they only make money when people go to their websites and hand over their credit card details to order fake Rolexes, pills, porn, etc.

To get around this, spammers have been using pages created at free webhosting services and other third party sites where content can be uploaded. The links only mention the free hosting site, which then redirects to the final spam site.

One service abused for this is Google Groups. Other services recently seen used are Google Docs, Microsoft Spaces Live and Geocities. In the case of Google Groups the spammers create mailing lists and upload a spam link to the home page of the new group. They never use the groups for their intended purpose, i.e. mailing lists. This effectively makes it impossible to report the abuse via Google’s abuse handling procedures: Any archived posting or uploaded document on the Google Groups service has an abuse reporting link, but the home page of the group itself does not! Obviously, Google never envisaged that spammers would create groups only to have one page of web content that can be advertised via spam.

Here is an example of a spam:

Received: from host34.net215.omkc.ru (HELO host34.net215.omkc.ru) [217.25.215.34]
by mymailhost (mx077) with SMTP; 21 Jan 2009 04:21:47 +0100
Message-ID: <47940FC9.1016287@verizon.net>
Date: Mon, 21 Jan 2008 03:21:45 GMT
From: arturo <arturo.matthews1@verizon.net>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: mymailbox
Subject: Brighten Your Day
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

After trying out tooth whitening system AT NO COST TO YOU you’ll realize that your smile is irresistably contagious!

http://groups.google.com/group/fkvrqzzzjckhj

(Add S+H)

The page advertises “Click Here – Free Credit Score & Debt Help” which is a spam link using the domain white-teeth2009.com hosted on IP address 220.164.144.205 in China. It is listed on four sub-lists of SURBL (WS, OB, AB and JP). Its name servers are ns1.dckfdc.com and ns2.dckfdc.com. Other domains by the same spammers are whiten-your-smile2009.com and smile-really-great.com.

At the very least Google should add an abuse reporting link to its Google Group pages. It would be even better if they were to check uploaded Google Group content and checked any URLs in it against spam blacklists such as SURBL. This would stop the spammers in their tracks.

Here is one that I received on 2008-12-08, originating from IP 58.38.209.249:

From: “andy” <andy@asiaton.cn>
To: “joewein” <joewein@pobox.com>
Sent: Monday, December 08, 2008 14:11
Subject: Urgent-Notification of intellectual property

Dear CEO,

We are Asiaton Network Service Co., Ltd, which is the Internet Trademark&domain name register center in China. I have something need to confirm with you. We have received an formal application. An international company named “ROB GmbH” wants to apply “joewein” for its own Internet Trademark and CN domain name on Dec 8, 2008 in china. We need to know your opinion because the Internet Trademark And CN domain name may relate to the copyright of your company name on internet. If your company do not intervene in it,we will formally consent their registration
because the registration principle is that “Every company or individual can register the domain name and Internet Trademark which is not registered,and who registers first who owns first.”
we would like to get the affirmation of your company. If you have any question,please contact us by telephone or email as soon as possible!

Best Regards !

Andy

Principal of Checking Department

Overseas Registration Organization

Tel:+(86)731-8187 729

Fax:+(86)731-8187 739

Mobile:+(86)731 6735 121

Skype:chinaregistry

E-mail:andy@asiaton.cn

web:www.asiaton.cn

2008-12-08

Such email solicitations are fraudulent, because you can safely assume that the same email, with other domains substituted for yours, has gone out to thousands of domain owners. I found an almost identical email (listing the same third party supposedly trying to register a domain) in another blog. Somebody obviously thinks being a registrar is a license to milk foreigners.

Don’t fall for this scam, they’re playing on fear.

If you own a .com, .net or national TLD (.co.uk, de., .fr, etc) domain but are not planning to set up a Chinese office or not even doing any business in China you have no reason to spend money on a domain registration with a Chinese registrar. Also, trademarks and domains are largely separate issues. You don’t become a trademark owner merely by registering a domain and vice versa.

The only domains that really count for your business are .com/.net/.org (depending on the nature of your organisation) and/or the country code top level domain (ccTLD, such as .co.uk or .jp) if you’re based outside the USA.

Below are other examples of domain registration spams / scams that I have received before. I am sure there are a lot more out there.

Received on 2008-03-18 from 221.221.167.121:

From: “Bruce.li” <Bruce.li@erimut.com>
To: “jwspamspy” <jwspamspy@pobox.com>
Sent: Tuesday, March 18, 2008 12:53
Subject: Jwspamspy Domain Name

Dear joewein.de LLC,

We are Beijing Erimut Network Information Technology Co., Ltd in China, which is the domain name registration centre here. A formal application from the company called ChengGuang Investment (China) Co.,Ltd is to register ” jwspamspy ” as their domain name and internet keyword on Mar 17th 2008. Since this involves your company name or trade mark, in no time do we inform you of this. Please contact us timely if a first registration is needed to protect the domain names and internet keywords.

Kind Regards
Bruce.Li

Tel: +86-10-62667420 ext.602
Fax: +86-10-62667460

Email: Bruce.li@erimut.com
Beijing Erimut Network Information Technology Co.,Ltd
Website: www.erimut.com

2008-03-18

Bruce.li

Received on 2008-7-30 from 123.127.123.173:

From: “thomas.zhang” <thomas.zhang@erimart-domains.com.cn>
To: “419″ <419@419scam.org>
Sent: Wednesday, July 30, 2008 12:55
Subject: Joewein Domain name & Internet keyword

July 30, 2008

Joewein

Domain name & Internet keyword

Dear Sir/Madam,

We are Beijing Erimart Network Service Co., Ltd which is the domain name register center in China. We received a formal application from a company who is applying to register “joewein” as their domain name and Internet keyword on July 27, 2008.Since after our investigation we found that this word has been in use by your company, and this may involve your company name or trade mark, so we inform you in no time. If you consider these domain names and internet keyword are important to you and it is necessary to protect them by registering them first, contact us soon. Thanks for your co-operation and support.

Kind Regards,

Thomas.Zhang

Tel: +86-10-62961631-8017

Fax: +86-10-82780671

Email: thomas.zhang@erimart-domains.com.cn

Beijing Erimart Network Service Co, Ltd

http://www.erimart.com

2008-07-30

thomas.zhang

Received on 2008-11-07 from IP 58.38.209.249:

From: “jackey.zhuang” <jackey.zhuang@hongkongnet.org>
To: “419″ <419@419scam.org>
Sent: Friday, November 07, 2008 18:10
Subject: 419scam Notice

Dear Sir/Madam,

We are Hong Kong Network service Company Limited, the an official domain name registration center.

On Nov 06, we received an application from another company for the domain names “419scam” , but later we found your company is their original owner and this may involve your company name or trade mark and this may cause confusion between your products and others’ , and bring about negtive effect on your company.

Therefore we decided to inform you of this and check out your attitude toward thismatter.That is, do you want to protect these domain names by registrering them ahead or not? We would appreciate if you can spare some precious time to settle this issue.

Thank you for your cooperation and looking forwards to your early reply.

Kind Regards,

Jackey.zhuang

Tel: +852-31757930 ext.8012

Fax:+852-31757932

Email:jackey.zhuang@hongkongnet.org

Hong Kong Network Service Co. Ltd

Website:www.hknsc.hk

Sehr geehrter Nutzer,

heute möchten wir Sie zu unserem Aktuellen Betatest des neuen Kaspersky© 9.5.710 einladen.
Unser neues Produkt besticht durch seine überarbeitete Scanroutine sowie die schnelle und effektive
Aufspürung von Viren, Trojaner und anderer böswilliger Maleware.

Für ihren persönlichen Zugang haben wir ihnen ein Beta Account eingerichtet welchen Sie bei der
Installation angeben müssen, um den Webinstaller sowie das Programm an sich nutzen zu können.

Benutzername: kis_aX9535
Passwort: c3VF5gg8

Diese Daten werden bei der Installation abgefragt. Notieren Sie sich diese Daten bitte genau,
da diese auch für ihren Zugang auf unserer Seite erforderlich sind.

Zum Ende des Betatests bekommen Sie eine Volllizenz und können somit Kaspersky© ein
Jahr kostenlos für ihre Sicherheit nutzen.

Sollten Sie Fragen oder Probleme haben, so schreiben Sie und eine Mail an: beta-team@kaspersky.de

Wir wünschen Ihnen nun viel Spass mit unserem neuem Produkt und hoffen auf eine Positive Wertung
von ihnen auf unserer Website.

Mit freundlichen Grüßen
Ihr Kaspersky Beta Team

Copyright © 1997 – 2008 Kaspersky Lab

Industry Leading Antivirus Software

Message headers:

Received: from mo-p05-ob.rzone.de (mo-p05-ob.rzone.de [81.169.146.182])
by mail.joewein.net (Ogose Mail Daemon) with ESMTP id 818CC10DCC78
for <419@419scam.org>; Sun, 21 Sep 2008 21:43:45 +0000 (UTC)
X-RZG-CLASS-ID: mo05
X-RZG-AUTH: :L2MKYUGrb9+s7Ys+/C6cdNboKaxR22vZQHQdVrAeYnDdBsCFdpW1J0sdHw==
Received: from [77.21.44.13] ([62.159.230.93])
by post.webmailer.de (fruni mo40) (RZmta 17.4)
with ESMTP id L03273k8LKd8yb for <419@419scam.org>;
Sun, 21 Sep 2008 23:43:17 +0200 (MEST)
(envelope-from: )
Date: Sun, 21 Sep 2008 23:40:54 +0200
Mime-version: 1.0
Subject: [PR] Kaspersky Betatester Programm
From: Matthias Franken
To: <419@419scam.org>
Message-Id: <9212340.EDWNJLIN@kaspersky.de>
Original-recipient: rfc822;419@419scam.org
Content-Type: multipart/mixed; Boundary="--=BOUNDARY_9212340_SIIK_IDLO_OFNM_KSKB"


At the time of writing this blog posting, Kasperksy’s online malware scanner did not yet recognize the Trojan Kaspersky.9.5.7.1.exe in archive file Kaspersky.9.5.7.1.rar.

As I already stated in my posting about the fake Google Chrome installer, do not install software attached to or linked from emails you didn’t request.

The real Kaspersky software is highly regarded and trial versions are available on the Kasperky website.