Joe Wein
Fighting spam and scams
on the Internet


Getting creative with spam

Today I received the following email (##### stands for a domain I administer):

I was just doing some research about national household survey on drug abuse in Yahoo and found your domain, #####.org ranked 93...which got me thinking...

I published a informational site about Health - Home Tests. We've got a very strong following, primarily because we only produce informational content, since you also produce a quality site in this category, I'd like to exchange links with you. I get a pretty good amount of visitors to my property, so if I link up to your site you should benefit from a traffic standpoint.

Please take a look at my site when you get a chance -- I think you'll find it to be knowledgeable and useful. If you like what you agree, please link to it -- I'll send you all of my info on your request.

I've already linked to you to get the ball rolling. I'll keep it up a few days until I hear back from you.


Thanks for your time.

Jane Emile
RAC IM: 919879.

Actually, this didn't even make it into my Inbox, because my spam filter caught it first. The mail raised three major red flags: it was sent from China, it had no Date header, and it did not specify which mail client it was sent with. That combination was enough to get it tagged for inspection. The "To:" address is the official contact address listed on my website, but the "Cc:" address is made up of a non-existent generic local part plus the domain name.

As it turns out, this mail was sent by the same spammers described in the following interesting article:

Getting creative with spam

Here's the mail header for the spam (again, #### marks items associated with the domain I administer):

Return-Path: <jane@janeemile.com>
Received: from keywordconversions.com ([211.99.218.7])
          by ######.######.net (Post.Office MTA v3.5.3 release 223
          ID# 0-58414U4500L450S0V35) with ESMTP id net;
          Thu, 25 Mar 2004 12:32:37 -0800
Received: from ([127.0.0.1]) with MailEnable ESMTP; Fri, 26 Mar 2004 04:34:47 +0800
Message-ID: <30325919.1080246916859.JavaMail.Boyd@211.99.218.7>
From: Jane Emile <jane@janeemile.com>
To: #####@####.org
Subject: #####.org ranked # 93 in Yahoo for national household survey on drug abuse
Cc: info@#####.org
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

It appears that keywordconversions.com is the same spammer outfit as racsystems.com mentioned in the article. The letters RAC in the signature line of the mail were a giveaway.

"Jane Emile" doesn't seem to have a website, at least not www.janeemile.com, as one might guess from the email address used by her. According to a WHOIS lookup of the IP the mail came from, the address belongs to "Hengmei advertise Inc., Beijing, China".
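The three red flags described above can be checked mechanically against the header shown. The following is an added example, not the author's jwSpamSpy code: the ##### redactions are replaced with constructed example.org / mx.example.net placeholders, the first Received line is abridged, and the one-entry country table is a stand-in for a real GeoIP or WHOIS lookup.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Header from the article; redacted items replaced by constructed placeholders
# (contact@example.org, mx.example.net) and the MTA banner abridged.
RAW = """\
Return-Path: <jane@janeemile.com>
Received: from keywordconversions.com ([211.99.218.7])
          by mx.example.net with ESMTP id net;
          Thu, 25 Mar 2004 12:32:37 -0800
Received: from ([127.0.0.1]) with MailEnable ESMTP; Fri, 26 Mar 2004 04:34:47 +0800
Message-ID: <30325919.1080246916859.JavaMail.Boyd@211.99.218.7>
From: Jane Emile <jane@janeemile.com>
To: contact@example.org
Subject: example.org ranked # 93 in Yahoo for national household survey on drug abuse
Cc: info@example.org
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
"""

# Assumption: stand-in for a GeoIP/WHOIS lookup. The single entry encodes the
# article's WHOIS result for the sending IP (Beijing, China).
COUNTRY_BY_NET = {ip_network("211.99.218.7/32"): "CN"}
FLAGGED_COUNTRIES = {"CN"}                   # hypothetical local policy
CLIENT_HEADERS = ("X-Mailer", "User-Agent")  # headers that name the mail client

def sender_ip(msg):
    """IP literal from the topmost Received header (the one our own MTA wrote)."""
    received = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    return ip_address(m.group(1)) if m else None

def red_flags(raw):
    msg = message_from_string(raw)
    flags = []
    ip = sender_ip(msg)
    country = next((c for n, c in COUNTRY_BY_NET.items() if ip is not None and ip in n), None)
    if country in FLAGGED_COUNTRIES:
        flags.append(f"origin:{country}")
    if msg["Date"] is None:
        flags.append("missing:Date")
    if not any(msg[h] for h in CLIENT_HEADERS):
        flags.append("missing:mail-client")
    return flags

if __name__ == "__main__":
    print(red_flags(RAW))
```

Only the topmost Received header is trusted for the origin IP, because lower ones (like the 127.0.0.1 line here) are written by the sender's side and can contain anything.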

Apparently, some people run automated Google or Yahoo searches, spider the resulting sites for contact addresses and then spam those addresses (see "Link exchange offer spam" for more examples of this type of spam). The purpose is to get people to provide back links to sites suggested by the spammers, who get paid cash for that by the owners of those sites. If successful, this improves the value of the spammer's virtual real estate in cyberspace, such as his Google ranking. This is what keywordconversions.com says about it on its site:

Through our vast Quality Content Network (QCN), we combine specialized Content-Targeted Advertising with keyword-specific Search Engine Placement. This unique, innovative approach to search engine marketing typically results in conversion rates that are 300% higher than Overture ... for 70% less!
(keywordconversions.com)

Well, it didn't work. Instead, keywordconversions.com joined my spammer blacklist.

Sorry, "Miss Emile" ;-)

