Archive for the ‘spam’ tag
I got an email this morning, which read, in part:
I’ve just looked through your photostream and think your photos are awesome!
Is there any chance you’d be interested in licensing some of them to me for a couple of months?
I’d pay cash and the photo would remain in your account. You will still own it 100%. All you would need to do is add/change the attribution link in the description for the month or two.
The reason I am interested in this is to get some clicks and links back to my site. Please reply if this sounds ok to you or you’d like some more details.
Hmmm. That sounds a bit sketchy, no? How would this contract work, exactly? If I requested $100,000 in cash, how would this guy provide it to me? Would he send me unmarked bills in the mail? Or, more likely, rubles? And while I have accumulated nearly nine million views of my photos on Flickr, I doubt much of that traffic would be redirected to this dude’s sketchy website.
Yesterday, I logged on to my WordPress Dashboard to see if any upgrades were available. I usually log on a few times a week, depending upon how actively I’ve blogged, or if I know of a WordPress upgrade. Once I logged on, I got an odd message that my plugins didn’t load because something was wrong with their headers. I clicked the Plugins menu to see what was going on, and instead, there was a message saying “You do not appear to have any plugins available at this time.”
Earlier in the week, the same thing had happened to my photo blog – plugins suddenly were non-functional. I was in the middle of a work-related crisis, so I asked my cousin, the WordPress expert who actually constructed the photo blog, to look into it. He found malware, restored the photo blog to an earlier version from a backup, and it seemed ok. Since I was still sweating out the work-related crisis, I didn’t look deeper. The photo blog seemed to work ok.
But now my blog was doing the same thing, and I had some time to investigate. I logged in to my site via FTP and looked in the plugins folder. Several plugins were there. I opened one plugin directory, and one PHP file at random: the first line was a long string of code, obviously some sort of malware. Ru-oh! I renamed the plugins folder, which rendered it unusable by WordPress, created a new folder called plugins, and quickly installed a fresh copy of Akismet, a spam comment blocker. In the 15 minutes or so it took from when I first encountered an error until when I reinstalled Akismet, I received 59 spam comments! Yeesh.
I looked at the various WordPress PHP files, the bits of code that make the blog do what it does, and every single one had the same piece of malware inserted in the first line. I reinstalled WordPress, which creates fresh copies of the majority of PHP files in wp-admin, in wp-includes and in the default WordPress directory. However, some files were not replaced, and I had to open them manually and strip out the malware. Reinstalling WordPress does not touch anything in wp-content – themes, plugins, etc. I did not have backup copies of my Solipsism theme for some reason, so I had to clean several files here manually. Initially I mucked this procedure up by stripping out some good code as well, but eventually I figured out what was missing.
I took a deeper look at my photo blog, and though the plugins were clean and the theme files were clean, all other PHP files were corrupted. Again, I reinstalled a fresh copy of WordPress 4.1, and manually cleaned the remaining files (wp-config.php, wp-pass.php, wp-feed.php and so on).
[Image: “You Do Not Have Any Plugins Available” – the WordPress Plugins screen after the infection]
I host a couple of subdomains which are static-paged WordPress installations, and both of these directories were full of the malware code. In fact, in the process of cleaning up, I discovered what the malware did. On both of these subdomains, there was a plugin directory called, innocuously enough, docs. I didn’t install this plugin, so I was curious what it did. I looked inside its directory, and found a directory called “cache”. In here were nearly 500 files with names like “29fb82abf5c8a42d970f94eed9d69ebf.dat”, and an XML file that indexed these pages using the subdomain’s URL. I opened one of these files with a text editor – it was an HTML-type page with the title of “Resume Writing Lookout Heights Kentucky KY 24/7 – Best Resume Writing Services”. The others were similar: “Cv Services Darwin * Best Resume Writing Services 2014 – Jake Bradshaw”; “Payday Loans Near Augusta Ga ! < 24/7 Online Payday Loans”; etc.
The HTML was horribly mangled, and I would be surprised if it did anything, but maybe it would be enough if Google indexed a link pointing to some schmoe who paid a consultant for Search Engine Optimization. But maybe not.
For instance, a portion of that particular spam page opened in a web browser looks exactly like this:
Create alert Self experiencing problems with problem with your consult an experienced for example, an e-mail, which is suitable day work. Diamond Call Ross on employer should protect a union, they but it would. Kentucky Diamond View all Altisource Vacations Worldwide jobs jobs Learn more about working at Altisource You can below, together with spending 2-6 hours a day at home This work can be done Colleges Equal Opportunity Williamsburg, Virginia – be at least High School diploma. Diamond
Whatever. I deleted these as soon as I could, shaking my fist at the evil spammer.
I found a few PHP files in my root level directory; I deleted these or cleaned them as needed.
I had tried to install a Drupal blog a while ago, before abandoning it as a futile, frustrating endeavor, but the files were still residing on my server, and all its PHP files were compromised.
I put in a tech-support request to Pair.com, my web host, asking them to double check whether any corrupted PHP files remained; I haven’t yet heard back from them. But I think I cleaned up all the malware. All it took was eight hours of work on a Saturday night…
Today I’m planning on looking deeper into the MySQL databases to see if there are any unknown users or other oddities, and maybe change all my passwords. I’m not sure how the evil spammers were able to insert the malicious code, but I don’t want to have to go through all this again. Oh, and make backups! And backups of the backups!
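The cleanup above boils down to three checks that can be scripted rather than done file by file over FTP: find PHP files whose first line carries an injected prologue, find plugin directories stuffed with generated .dat pages like the rogue “docs” plugin, and diff the core files against a known-clean WordPress copy (the scripted form of “reinstall WordPress and see what still differs”). The script below is an added example, not code from the post or from WordPress; the directory layout, the injected payload, the “x1.php” dropper and the 60-file cache are constructed toy data built in a temp directory, and the eval/base64_decode markers are a heuristic of my own.

```python
"""Added example: scan a WordPress tree for injected PHP prologues and SEO-spam
caches, and diff core files against a clean copy. Toy data is constructed."""
from __future__ import annotations
import hashlib
import re
import tempfile
from pathlib import Path

# Constructs an injected PHP prologue typically carries; a very long first line
# is suspicious on its own, since real WordPress files open with a short '<?php'.
INJECT_MARKERS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
MAX_FIRST_LINE = 300


def first_line_suspicious(path: Path) -> bool:
    """True when the file's first line looks like an injected payload."""
    with path.open("rb") as fh:
        first = fh.readline().decode("utf-8", "replace")
    return len(first) > MAX_FIRST_LINE or bool(INJECT_MARKERS.search(first))


def scan_php(root: Path) -> list[str]:
    """Relative paths of PHP files whose first line is suspicious (triage list)."""
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*.php") if p.is_file() and first_line_suspicious(p))


def scan_plugin_caches(root: Path, threshold: int = 50) -> list[str]:
    """Plugin directories holding a large cache of generated .dat pages."""
    hits = []
    plugins = root / "wp-content" / "plugins"
    if plugins.is_dir():
        for d in sorted(plugins.iterdir()):
            if d.is_dir():
                n = sum(1 for p in d.rglob("*.dat") if p.is_file())
                if n >= threshold:
                    hits.append(f"{d.name} ({n} .dat files)")
    return hits


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def compare_core(site: Path, clean: Path) -> dict[str, list[str]]:
    """Core PHP files (outside wp-content, which a reinstall never touches) that
    differ from the clean copy, plus files the clean copy does not have at all."""
    def core_files(base: Path) -> dict[str, str]:
        return {p.relative_to(base).as_posix(): sha256(p)
                for p in base.rglob("*.php")
                if p.is_file() and "wp-content" not in p.relative_to(base).parts}
    clean_h, site_h = core_files(clean), core_files(site)
    return {
        "modified": sorted(f for f, h in site_h.items() if f in clean_h and clean_h[f] != h),
        "extra": sorted(f for f in site_h if f not in clean_h),
    }


def build_demo() -> tuple[Path, Path]:
    """Constructed toy trees (clean reference and infected site); not real WordPress."""
    base = Path(tempfile.mkdtemp())
    clean, site = base / "clean", base / "site"
    core = {"wp-load.php": "<?php\nrequire 'wp-config.php';\n",
            "wp-includes/functions.php": "<?php\nfunction wp_demo() {}\n"}
    for rel, body in core.items():
        for tree in (clean, site):
            (tree / rel).parent.mkdir(parents=True, exist_ok=True)
            (tree / rel).write_text(body)
    # Hypothetical injected prologue prepended to one core file, as in the post.
    payload = "<?php eval(base64_decode('" + "A" * 400 + "')); ?>\n"
    (site / "wp-load.php").write_text(payload + core["wp-load.php"])
    # Hypothetical extra file left in the site root (name is made up).
    (site / "x1.php").write_text("<?php eval(base64_decode('QUJD')); ?>\n")
    # A legitimate plugin beside a rogue 'docs' plugin with an SEO-spam cache.
    (site / "wp-content/plugins/akismet").mkdir(parents=True)
    (site / "wp-content/plugins/akismet/akismet.php").write_text("<?php\n// plugin\n")
    cache = site / "wp-content/plugins/docs/cache"
    cache.mkdir(parents=True)
    for i in range(60):
        (cache / f"{i:032x}.dat").write_text("<html>spam page</html>")
    (cache / "sitemap.xml").write_text("<urlset/>")
    return site, clean


def run_demo() -> dict:
    site, clean = build_demo()
    return {"suspicious": scan_php(site),
            "caches": scan_plugin_caches(site),
            "core": compare_core(site, clean)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The marker heuristic is a triage list, not an auto-cleaner: some legitimate plugins call base64_decode, and the post’s own experience of stripping good code by accident is the reason to review each hit by hand. The hash comparison is the check that catches files the reinstall silently left alone; on a real site, WP-CLI’s `wp core verify-checksums` does the same comparison against the official release checksums.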
Amusing spam I received today via
smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [184.108.40.206])
I was wondering if you could send me quotes for the attached, I will be in United States of America Chicago – 60629, next month, and i will be visiting your office for further discussion about these orders, i hope your office is still located at 6933, S Rockwell,.
I respectfully request that you treat this inquiry with utmost importance I look forward to your response soon, take care.
Warm Regards Ragesh.
Also attached was an Excel document that I opened in Preview. There was text:
As for the above inquires, please do not forget to include the following.
Payment terms, preferably TT
30% after i come to your office and 70% upon completion
How long before delivery
There also appear to be five macros. I couldn’t see exactly what the included macros did, but it looked as if they would take multiple files off my desktop, if I ran Windows, and send them somewhere. Not worth investigating further.
The .de domain looks to be from the Federal Republic of Germany, and .dr is allegedly from somewhere called the Deltoran Republic, which looks to be a made-up country with its own domain. Weird, really, try searching for it yourself, you’ll be amused.
If you know Chicago at all, the idea of me having an office located at 6933 S. Rockwell is amusing. I guess there could be a home office of some sort, but looks to me to be a two-story building in the Chicago Lawn neighborhood, not a typical business address, and especially not a manufacturing concern. This seems like such a random place to direct spam towards. The quotation never says exactly what is being quoted, but I guess if you are actually a business located at 6933 S. Rockwell in Chicago Lawn, you already know what it is you manufacture, and if you are willing to accept Telegraphic Transfer of bank funds.
The Nigerian scam may seem like a scourge of the Internet age, but it actually predates email. Before we started getting all-caps proposals in our inboxes, con men in West Africa plied their trade by fax and paper letter. Some of the first scams to make their way to Western Europe arrived by telex in 1989 and 1990, when businessmen in Britain started hearing that a wayward tanker of Nigerian crude could have its cargo claimed for bargain prices — in exchange, of course, for some cash upfront. Before then, Nigerian fraudsters aimed their grifts at locals. One scheme was the “wash-wash,” a literal money-laundering in which the mark is shown a valise of supposed bills blackened with Vaseline and iodine and promised a cut if he pays for an expensive cleaning agent.
(click here to continue reading Who Made That Nigerian Scam? – NYTimes.com.)
The scam is even older than that:
“Some of these guys came out and started perpetrating fraud,” says Andrew Apter, an Africa historian at U.C.L.A. “They used the language and insignias and letterhead of financial offices to lure people in.”
Apter has traced this sort of misuse of official iconography as far back as a century. When Nigeria was established as a colony under British rule in 1914, its first governor cracked down on scammers in fake uniforms who claimed to be collecting taxes on behalf of the empire. The advance-fee scam itself — whereby payments are extracted from a sucker who hopes to gain an enormous treasure — seems to have originated elsewhere. According to Robert Whitaker, a historian at the University of Texas, an earlier version of the con, known as the Spanish Swindle or the Spanish Prisoner trick, plagued Britain throughout the 19th century.
(click here to continue reading Who Made That Nigerian Scam? – NYTimes.com.)
The Spanish Prisoner is a confidence trick originating in the late 16th century.
In its original form, the confidence trickster tells his victim (the mark) that he is (or is in correspondence with) a wealthy person of high estate who has been imprisoned in Spain under a false identity. Some versions had the imprisoned person being an unknown or remote relative of the mark.
Supposedly the prisoner cannot reveal his identity without serious repercussions, and is relying on a friend (the confidence trickster) to raise money to secure his release. The confidence trickster offers to let the mark put up some of the funds, with a promise that he will be financially rewarded when the prisoner returns, and perhaps also by gaining the hand of a beautiful woman represented to be the prisoner’s daughter. After the mark has turned over the funds, he is informed that further difficulties have arisen and more money is needed. With such explanations, the trickster continues to press for more money until the victim is cleaned out or declines to put up more funds.
(click here to continue reading Spanish Prisoner – Wikipedia, the free encyclopedia.)
Every deed and action that humans have done to each other has already been done in prior centuries…
Quite the offer here from Rev Kenneth, who claims to be in Florida despite his email being routed via Urbanphilly.com, via a bad English translator. Rev Kenneth is quite the renaissance man, a reverend who works for a charity organization with the best of names, and owns an art gallery that is nameless.
My name is Rev Kenneth, I work for the charity Organization based in Florida. I am 60 years.
I am looking for someone That can handle my business errands falling on his or her spare time (I own an Art Gallery)
I need your services because i am Constantly traveling abroad to supporting the charity Organization. We work in over 190 countries helping children survive, Protecting em from harm and getting ’em to school.
Manage my business errands today and earn yourself not less than $ 600 weekly. You are not required to travel abroad or inter state. Your errands are simple and straight
1. Receive my email and drop ’em off at the post office or shipping center.
2. Pick up my items at your Florida post office at your convenience.
3. When you get my email or package, Would you email all items to Where I want em shipped. All dйpenses and shipping costs Will Be covered by me.
The contents of the packages are mostly art materials and paintings. In addition, there Will Be clothing I need for business and personal letters. No heavy packages is Involved
please read the employment requirements listed below.
A. You are an honest and trustworthy citizen.
B. You need to be able to check your EMAIL 2 times daily.
THE WEEKLY PAY IS $ 600 and you are entitle to a brand new car Effective 2weeks if you are hardworking and honest with me, WHICH IS NOT A BAD OFFER.
In closing, I have a pair of questions for you.
First, If I were to mail you money to do my shopping over an upfront payment for your service Where would you want it mailed to?
Second, how would you like for your name APPEAR on any package feels to you?
Apply Below & send your information to Kenneth.firstname.lastname@example.org
Home Address: PO BOX IF AVAILABLE
Hope all is clear?
Waiting to hear from you & I look forward to Establish long-term business relationship with you.
You see, he needs someone to pick up his email, and then drop it off at a post office. Presumably the email didn’t come in a self-addressed stamped envelope (??).
Also, although the salary is only $600 a week, after two weeks, you’ll get a brand new car. You know, the kind of brand new car you can purchase with $1,200. I guess if you work for a company that goes by the name, Organization, you’ll need help from strangers. Strangers gullible enough to respond with their address and cellphone numbers…
Sorry, Rev Kenneth, your offer doesn’t sound too enticing to me.
I wonder how often normally careful people fall for requests like this one I received early this morning:
Your mailbox has exceeded the storage limit of 10GB, which is as defined by the administrator, you are currently running on 10.9GB, you may not be able to send or receive new messages until you re-validate your mailbox . To re-validate your mailbox, send the following information below:
If you fail to re-validate your mailbox, the mailbox will be disabled!
thank you System Administrator
especially when most email clients hide all the header information. Suspicious details, like email routed from Brazil or Thailand, which would be a red flag, are normally not displayed.
Received: from localhost (localhost [127.0.0.1]) by email.hujm.ufmt.br (Postfix) with ESMTP id B1DF2389C0B; Sun, 24 Nov 2013 11:03:45 -0300 (AMST)
Received: from email.hujm.ufmt.br ([127.0.0.1]) by localhost (email.hujm.ufmt.br [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hTusU-YxVjDd; Sun, 24 Nov 2013 11:03:45 -0300 (AMST)
Received: from [220.127.116.11] (unknown [18.104.22.168]) by email.hujm.ufmt.br (Postfix) with ESMTPSA id B61E7389BF7; Sun, 24 Nov 2013 11:03:28 -0300 (AMST)
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body
Subject: ATTENTION
To: Recipients email@example.com
From: "System Administrator" firstname.lastname@example.org
Date: Sun, 24 Nov 2013 09:03:19 -0500
Reply-To: email@example.com
X-Mailer: TurboMailer 2
Return-receipt-to: firstname.lastname@example.org
Message-Id: 20131124140329.B61E7389BF7@email.hujm.ufmt.br
I am the System Administrator for several domains, so I knew this mailbox limit was not accurate, but prior ISPs I’ve used did have a storage limit, and I did open this email almost by habit based on the subject line alone. If I were a less-savvy recipient, would I think it strange that my SysAdmin was asking for my user name and password? Maybe not.
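The headers above tell the story the subject line hides: read bottom-up, the Received chain shows where the message entered the mail system, and a “System Administrator” notice that was relayed by a server under somebody else’s domain, from an origin with no reverse DNS, cannot be from your own admins. The script below is an added example, not from the post; it walks a constructed copy of the headers quoted above (with the same anonymised addresses, angle brackets restored around them) and reports the hops and the red flags a mail administrator would look for.

```python
"""Added example: walk a message's Received chain from the earliest hop upward
and list the red flags most mail clients hide. Sample headers are constructed."""
from __future__ import annotations
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample assembled from the header fields quoted in the post.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1]) by email.hujm.ufmt.br (Postfix) with ESMTP id B1DF2389C0B; Sun, 24 Nov 2013 11:03:45 -0300 (AMST)
Received: from email.hujm.ufmt.br ([127.0.0.1]) by localhost (email.hujm.ufmt.br [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hTusU-YxVjDd; Sun, 24 Nov 2013 11:03:45 -0300 (AMST)
Received: from [220.127.116.11] (unknown [18.104.22.168]) by email.hujm.ufmt.br (Postfix) with ESMTPSA id B61E7389BF7; Sun, 24 Nov 2013 11:03:28 -0300 (AMST)
Subject: ATTENTION
To: Recipients <email@example.com>
From: "System Administrator" <firstname.lastname@example.org>
Reply-To: email@example.com
X-Mailer: TurboMailer 2
Message-Id: <20131124140329.B61E7389BF7@email.hujm.ufmt.br>

Your mailbox has exceeded the storage limit of 10GB ...
"""

# Postfix-style clause: "from <helo-name> (<rdns> [<ip>]) by <server>"
HOP_RE = re.compile(r"from\s+(?P<frm>\S+)\s+\((?P<info>[^)]*)\)\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw: str) -> list[dict]:
    """Received headers in delivery order (earliest hop first)."""
    msg = message_from_string(raw)
    hops = []
    for rcvd in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(rcvd)
        if not m:
            continue
        info = m.group("info")
        ip = IP_RE.search(info)
        # The name before the bracketed IP is the receiving MTA's reverse-DNS
        # result; Postfix writes "unknown" when the lookup fails.
        rdns = info.split()[0] if info and not info.startswith("[") else None
        hops.append({"from": m.group("frm"), "rdns": rdns,
                     "ip": ip.group(1) if ip else None, "by": m.group("by"),
                     "date": rcvd.rsplit(";", 1)[1].strip() if ";" in rcvd else ""})
    return hops


def domain_of(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def red_flags(raw: str) -> list[str]:
    """Checks a defender applies to a claimed 'mailbox quota' notice."""
    msg = message_from_string(raw)
    hops = parse_hops(raw)
    flags = []
    if hops and hops[0]["rdns"] == "unknown":
        flags.append(f"originating host {hops[0]['ip']} has no reverse DNS")
    from_dom, reply_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    to_dom = domain_of(msg.get("To", ""))
    if to_dom and not any(h["by"].endswith(to_dom) for h in hops):
        relays = sorted({h["by"] for h in hops if "." in h["by"]})
        flags.append(f"no hop was handled by the recipient's own domain {to_dom}; "
                     f"relays: {', '.join(relays)}")
    return flags


if __name__ == "__main__":
    for i, hop in enumerate(parse_hops(SAMPLE), 1):
        print(f"hop {i}: {hop['from']} ({hop['rdns']} {hop['ip']}) -> {hop['by']} at {hop['date']}")
    for flag in red_flags(SAMPLE):
        print("FLAG:", flag)
```

Only the bottom-most Received header is written by a server you can trust (the one that handed the message to your own system), so the script reports the hops but draws its conclusions from that earliest hop and from the From/Reply-To/To relationship, which a forged quota notice almost never gets right.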
In a long running series, I occasionally republish spam email that I receive so you can laugh as well. Today’s edition comes from our buddies at the Italian Association International Headquarters in Rome, via their friends at mail.muniindependencia.gob.pe (Country Code pe = Peru, by the way), via their friends at 8ta-150-62-148.telkomadsl.co.za (Country Code za = South Africa). The Italian Association International Headquarters is such a small organization, they haven’t had the time to create a website yet, nor even get mentioned by any other agency that Google indexes, other than variants of this email.
Their request reads (all errors as in original):
Italian Association International
Headquarters: Via Vittorio Veneto 121- 00187
To Whom it may Concern/
My name is Giovanni Alessandro and I work for Italian Government in Milan. I will love to pass this information to you and I hope you are the honest one That
is really willing to take good care of 7 years old girl-whom her mother Came from an unknown area in Poland and they live in Italy the mother was one Of the
four victims who were killed by recent Flood That hit Tuscany and Venice.
We hope you will be so honest to accept this little girl and train her like Your own daughter, the victim left the sum of €1.5 million Euro in her account and this
fund has automatically for the little girl and the amount Will be to pay her in full.
We shall love a good honest female or male interpreter who can accept the Kid and take good care of her and every twelve months the government Milan Will
always come to check her and after longer available That person will be Given the €1.5 Million Euro to take good care of the kid. Please write me back if you are
Interested So THAT we can contact the bank where the money is deposited As Soon As Possible And Also contact the Milan government so they can sign and
Agreed That the kid to go with you and the money.
Google Maps isn’t always accurate, but on a whim, I looked up the above referenced address. Looks to me like this is a hotel, or on the other side of the street, the United States Embassy, neither of which would be a good place to send money. Maybe because Sig Giovanni Alessandro is actually from Milan, he got the Roman address wrong. I’m sure if you email him, he’ll set you straight.
…not to mention, what recent flood that hit Venice? The one that occurs seemingly every day? Or the one that happened in 2012 and took the life of a 73 year old man and three employees of Enel, Italy’s biggest electricity company? Amazing how progressive Ente Nazionale per l’energia ELettrica is to hire recent Polish immigrants, and even give them company vehicles.
Some 200 people were evacuated in parts of Tuscany as heavy rains over the weekend left 70 percent of the city of Venice underwater, authorities said on Sunday. Sea levels peaked at 1.5 metres above normal levels before receding slightly. Floodwaters drenched most of the tourist destination of Venice and led to the evacuation of 200 people in Tuscany, as bad weather hit northern Italy at the weekend, authorities said Sunday. In Venice itself, heavy rains and winds from the south triggered “acqua alta” (high water) and 70 percent of the city was flooded, with sea levels reaching a peak of 1.5 metres (five feet) above normal before receding slightly, they said. In Tuscany, around 200 people were evacuated because of heavy rains which flooded homes and caused mudslides, local officials said. The most affected region was the province of Massa and Carrara, which produces the famous Carrara marble.
We apologize, but it seem so, that we not can deliver your package. One of our trucks is burned tonight. In attachment you can find a form for insurance. Please fill it out and send it us urgent, because we must told amount of damage to the Insurance company
Ok! I’ll get right on that.
Of course shady banks are involved in the worldwide spam scourge, otherwise there wouldn’t be any money generated for the spam-meisters sending their poorly crafted herbal viagra emails. What’s interesting is that there are so few banks involved.
For years, a team of computer scientists at two University of California campuses has been looking deeply into the nature of spam, the billions of unwanted e-mail messages generated by networks of zombie computers controlled by the rogue programs called botnets. They even coined a term, “spamalytics,” to describe their work. Now they have concluded an experiment that is not for the faint of heart: for three months they set out to receive all the spam they could (no quarantines or filters need apply), then systematically made purchases from the Web sites advertised in the messages.
The hope, the scientists said, was to find a “choke point” that could greatly reduce the flow of spam. And in a paper to be presented on Tuesday at the annual IEEE Symposium (PDF) on Security and Privacy in Oakland, Calif., they will report that they think they have found it.
It turned out that 95 percent of the credit card transactions for the spam-advertised drugs and herbal remedies they bought were handled by just three financial companies — one based in Azerbaijan, one in Denmark and one in Nevis, in the West Indies.
The researchers looked at nearly a billion messages and spent several thousand dollars on about 120 purchases. No single purchase was more than $277.
If a handful of companies like these refused to authorize online credit card payments to the merchants, “you’d cut off the money that supports the entire spam enterprise,” said one of the scientists, Stefan Savage of the University of California, San Diego, who worked with colleagues at San Diego and Berkeley and at the International Computer Science Institute.
(click here to continue reading Study Says Spam Can Be Cut by Blocking Card Transactions – NYTimes.com.)
And you probably already realized this, but there is a lot of spam sent out, cluttering our email boxes with come-ons for boner pills and Cialis rip-offs…
Spam has proved notoriously difficult to defeat over the years, despite sophisticated filtering technologies and legal investigations and convictions. Seven years after the famous prediction by Bill Gates, then chairman of Microsoft, that spam would be eradicated in just two years, about 90 percent of all e-mail is spam.
An earlier study undertaken by the scientists showed that a single commercial spam e-mail campaign generated three messages for every person on the planet. That same study revealed that to sell $100 worth of Viagra, a spam provider needed to send 12.5 million messages.
Received an amusing email, spam presumably, from a Hong Kong company regarding my domain name. Here it is in its entirety:
We are Hong Kong Network Service Company, Limited. which is the domain name register center in Asia. We received a formal application from a company who is applying to register “b12partners” as their domain name and Internet keyword on Dec 25, 2008.Since after our investigation we found that this word has been in use by your company, and this may involve your company name or trade mark, so we inform you in no time. If you consider these domain names and internet keyword are important to you and it is necessary to protect them by registering them first, contact us soon. Thanks for your co-operation and support.
In order to avoid the law problems invovled,we need to confirm with you first.If you consider these domain names are not important,please don’t reply this email,we will cooperate with the third company Kind Regards, Andy.liu
Hong Kong Network Service Company, Limited. Website: www.hknsc.hk
Yes, indeed, I’ll get right on that.
Especially since they are so serious about their claims