
Monday 3 April 2017

borezo.info - spam selling anti-spam services

If you are in the business of selling spam filtering.. it is probably not a good idea to do it by sending out spam..

From:    Camille Arpaillange [contact@borezo.info]
To:    contact@[redacted]
Date:    3 April 2017 at 15:55
Subject:    [redacted] - Protect emails received on your domain name
Signed by:    sg.borezo.info

Discover our SaaS solution

Anti-Virus, Anti-Spam and Anti-Phishing SMTP Gateway
Try for free

Bonjour,

This email is intended for your IT service, if any. If you are working with an external partner, feel free to forward this message to him.

Your current situation

Today, you are using your provider to handle incoming emails on [redacted].

Often, protection against viruses, spam, phishing and all other threats is not the strong point of this kind of solution.

Our proposal:

free trial without obligation

We offer you to try for free and without obligation our email filtering solution, compatible with your provider.

Easy setup

To filter your emails, you only have to update the MX entry in your DNS records, replacing entry of your provider by the one we will provide you after your subscription. Emails will then be filtered by our infrastructure, and then redistributed to your provider, so you can consult them like before.

Functions

Anti-Virus

You won't have to be afraid of ransomwares anymore

Anti-Spam

No more spam, and you stay in control of settings

Anti-Phishing

Your users will not be exposed to credentials theft

Services

Backup

Each user can access himself his personal backup

Statistics

You can have an overview of incoming email traffic

Settings

Anytime, you can change your filtering settings

Advantages

Simplicity

    No configuration change on your SMTP server or the one of your provider.
    No configuration change on users side.
    No maintenance on your side, we take care of everything (hosting, high availability, upgrade, etc.).

Protection

    Anti-Virus, Anti-Spam and Anti-Phishing protection, without raising the load of your infrastructure or the one of your provider.
    Content-Filtering feature, to filter attachments based on their type and/or extension.

Personalized

    For each domain, you can define options of each modules (Anti-Virus, Anti-Spam, etc.).

Security

    In case of unavailability of your SMTP server or the one of your provider, your emails are stored securely on our infrastructure, and delivered as soon as SMTP is back online.

Try for free

This email has been sent to contact@[redacted], click here to unsubscribe.

https://borezo.info/in-k/ - SIRET 53021905400026

Clicking on the link does appear to take you to some sort of business site at https://borezo.info/in-k/

The mail headers match the domain; borezo.info does seem to be the culprit..

Received: from dc3-1.borezo.info (dc3-1.borezo.info [212.83.146.78]) by [redacted] (Postfix) with ESMTP id 191E44A38D for <contact@[redacted]>; Mon,
  3 Apr 2017 15:55:08 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=simple/simple; s=dkim; d=sg.borezo.info; t=1491231308; h=from:subject:date: message-id; bh=IfD7xgIgVLQy8yLzdCSO+L7mXRn/PImws7LTh1D1pws=; b=j9sTfOH7r3XUTaSD5urHMd1b5EUDq1P9chByrurkie+ckpZjyHojSRUJKSF0lj7OvZ1ze2 Yjlsfl7Q/UQ+U+F2IlFrcMseqXbPLB8xhOVPPh3Ei39qNIgyO+MVApaxDt1WhXcf/npcle 6GjoCgCAGPXFLoTogZGqI3RBB5JBbdE=
Received: tmail deliverd remote 302c5d48ea2a327a67769562d3ece1ce930df6bd; 03 Apr 2017 16:55:08 +0200
X-Env-From: Ym91bmNlLTEtY29udGFjdEBkeW5hbW9vLmNvLnVr@sg.borezo.info
Received: from 212.83.146.78 (dc3-1.borezo.info.) (localhost) (authenticated
   as noreply@borezo.info) by 212.83.146.78 (dc3-1.borezo.info.) with ESMTPS TLS
   1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; tmail 0.1.7;
   4a5b9f00fa05b580ff586bd74659fbea91085dce; 03 Apr 2017 16:55:02 +0200

WHOIS details seem valid.

Registry Registrant ID: C199006566-LRMS
Registrant Name: Romain Lauret
Registrant Organization:
Registrant Street: office #855805
Registrant Street: c/o OwO, BP80157
Registrant City: Roubaix Cedex 1
Registrant State/Province:
Registrant Postal Code: 59053
Registrant Country: FR
Registrant Phone: +33.972101007
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: pwa3o3znv0b53h47bo8c@v.o-w-o.info


The "Camille Arpaillange" name in the email matches the imprint on the website..


Company registration data is here. I think I will pass on this particular offer..



25.0.0.0/8 is not your private network

A recent phishing email sent via Office 365 caused some confusion: it apparently originated from an address in the 25.0.0.0/8 range, which according to a WHOIS lookup belongs to the UK's Ministry of Defence.

% Abuse contact for '25.0.0.0 - 25.255.255.255' is 'hostmaster@mod.uk'

inetnum:        25.0.0.0 - 25.255.255.255
netname:        UK-MOD-19850128
country:        GB
org:            ORG-DMoD1-RIPE
admin-c:        MN1891-RIPE
tech-c:         MN1891-RIPE
status:         LEGACY
notify:         hostmaster@mod.uk
mnt-by:         UK-MOD-MNT
mnt-domains:    UK-MOD-MNT
mnt-routes:     UK-MOD-MNT
mnt-by:         RIPE-NCC-LEGACY-MNT
created:        2005-08-23T10:27:23Z
last-modified:  2016-04-14T09:56:26Z
source:         RIPE

organisation:   ORG-DMoD1-RIPE
org-name:       UK Ministry of Defence
org-type:       LIR
address:        Not Published
address:        Not Published
address:        Not Published
address:        UNITED KINGDOM
phone:          +44(0)3067700816
e-mail:         mathew.newton643@mod.gov.uk
admin-c:        MN1891-RIPE
abuse-c:        MH12763-RIPE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        UK-MOD-MNT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         UK-MOD-MNT
created:        2004-04-17T12:18:23Z
last-modified:  2016-10-06T11:09:40Z
source:         RIPE

person:         Mathew Newton
address:        ISS Design Directorate, Joint Forces Command
address:        UK Ministry of Defence
phone:          +44 (0)30 677 00816
e-mail:         mathew.newton643@mod.gov.uk
abuse-mailbox:  hostmaster@mod.uk
notify:         mathew.newton643@mod.gov.uk
nic-hdl:        MN1891-RIPE
created:        2005-03-18T10:42:04Z
last-modified:  2016-12-20T10:33:13Z
source:         RIPE
mnt-by:         UK-MOD-MNT

In this case the connection appeared to come from dm5pr17cu002.internal.outlook.com which does indeed resolve to 25.173.128.134.. which would place it in the MoD's address range. Yes?

Well.. no, because the 25.0.0.0/8 range isn't routable: you can't send traffic to it from the Internet. But it isn't a "private" IP range either; it is allocated to the MoD. It does seem, though, that some companies are taking advantage of this and are using 25.0.0.0/8 for internal networks (much as they would use 10.0.0.0/8), which it isn't designed for.

Of course, you can make a DNS record point to anything; it doesn't mean that the server it names will actually be reachable. A look at all the hosts in 25.173.0.0/16 reveals these apparently active servers:

blserver.net
www.blserver.net
blog.blserver.net
imap.blserver.net
mwhpr13cu002.internal.outlook.com
dm5pr17cu002.internal.outlook.com
25-173-116-219.1334762f6da5400c9f4cbba603d6c121.plex.direct
25-173-129-6.114b489248be4a2489583682ee5d5f3c.plex.direct
sql.engormix.com
has-on.info

In the case of the outlook.com servers the DNS has been misconfigured: what should resolve only PRIVATELY to a 25/8 address is resolving PUBLICLY to an address in that range. Of course, the servers never respond. And note that this is just one /16, not the whole /8 (reverse DNS for the whole /8 is insane).

The upshot is that the MoD get a lot of abuse calls for bad things that people think originate from their network, but it isn't actually happening.

If you are going to use blocks like 25.0.0.0/8 for internal uses, I would suggest that you take great care not to expose the internal IPs to the outside world. I'm sure the poor people at the MoD would appreciate it.
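An added example (not the post's own code) of the attribution mistake described above: a Received-chain walker that only knows RFC 1918 reports a leaked 25/8 hop as the sender, so the abuse report lands on the MoD; treating 25.0.0.0/8 as non-routed, as this post argues it is, moves attribution to the hop that really sits on the Internet. The header lines and hostnames below are constructed.

```python
"""Find the first externally routable hop in a Received: chain.

Added example, not code from the original post. 25.0.0.0/8 is allocated
to the UK MoD but is not routed on the Internet, and some organisations
use it internally like 10.0.0.0/8; an abuse tool that only knows RFC 1918
will therefore blame the MoD for mail that really came from elsewhere.
"""
import ipaddress
import re

# Ranges that never identify an Internet sender.
INTERNAL_DEFAULT = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
)]

# Allocated but not announced on the Internet, so treated as internal for
# attribution purposes (assumption taken from the post above).
UNROUTED_EXTRA = [ipaddress.ip_network("25.0.0.0/8")]

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _first_ipv4(received_header: str):
    """Return the first dotted-quad in a Received: header (the 'from' host)."""
    for m in _IPV4.finditer(received_header):
        try:
            return ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # e.g. '999.1.1.1' inside some hostname token
    return None


def first_external_hop(received_headers, extra_internal=()):
    """Walk Received: headers top (newest) to bottom (oldest) and return the
    first sending address that is not internal, as a string, or None.
    extra_internal: additional networks to treat as non-attributable."""
    internal = INTERNAL_DEFAULT + list(extra_internal)
    for hdr in received_headers:
        ip = _first_ipv4(hdr)
        if ip is None:
            continue
        if any(ip in net for net in internal):
            continue
        return str(ip)
    return None


# Constructed chain modelled on the post: an Office 365 internal hop that
# leaks a 25/8 address, then the real Internet-facing relay (203.0.113.45 is
# a documentation address standing in for a public one), then a LAN client.
SAMPLE_RECEIVED = [
    "from dm5pr17cu002.internal.outlook.com (25.173.128.134) by mx.example.invalid (Postfix)",
    "from relay.example.invalid ([203.0.113.45]) by dm5pr17cu002.internal.outlook.com",
    "from [10.0.0.5] (workstation.lan) by relay.example.invalid",
]


def naive_attribution():
    """RFC 1918 only: blames the MoD's 25/8."""
    return first_external_hop(SAMPLE_RECEIVED)


def corrected_attribution():
    """Also skips 25/8, so the relay that is really on the Internet is reported."""
    return first_external_hop(SAMPLE_RECEIVED, extra_internal=UNROUTED_EXTRA)


if __name__ == "__main__":
    print("naive:    ", naive_attribution())      # 25.173.128.134
    print("corrected:", corrected_attribution())  # 203.0.113.45
```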

Wednesday 24 February 2016

Malware spam FAIL: "Thank you for your order!" / DoNotReply@ikea.com

This fake financial spam is not from IKEA, but is instead a simple forgery. I can only assume that it is meant to have a malicious attachment, but due to a formatting error it may not be visible.

From:    DoNotReply@ikea.com
Date:    24 February 2016 at 09:56
Subject:    Thank you for your order!
IKEA
IKEA UNITED KINGDOM

Order acknowledgement:


To print, right click and select print or use keys Ctrl and P.

Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
Total cost:
£122.60
Delivery date:
24-02-2016
Delivery method:
Parcelforce
We will confirm your delivery date by text,email or telephone within 72 hrs.
Order/Invoice number:
607656390
Order time:
8:31am GMT
Order/Invoice date:
24-02-2016
Legal information
Please note that this email does not mean that we have accepted your order and it does not form a binding contract. A contract will be formed between You and IKEA at the time we dispatch your order to you, with the exception of made to order sofas and worktops where order acceptance occurs at the point when we send you our Delivery Advice email.
Your order is subject to IKEAs Terms of use and Return Policy
This is an email from IKEA Ltd (Company Number 01986283) whose registered office address is at Witan Gate House 500-600 Witan Gate West, Milton Keynes MK9 1SH, United Kingdom.
IKEA VAT Number: 527 7733 20
This email is your VAT receipt, please print a copy for your records.
IKEA Ltd does not accept responsibility for the accuracy or completeness of the contents of this email as it has been transmitted over a public network.

The intention here is either to drop the Dridex banking trojan or Locky ransomware. If you see an attachment, do not open it. The attachment is currently being analysed.

UPDATE

Third-party analysis confirms that the attachments are broken and will not work in many mail clients. However, if they did the payload would be identical to this.

Wednesday 20 January 2016

Malware spam FAIL: "Your compliment (ref: 398864)" / Rachael Love [env9729health@aylesburyvaledc.gov.uk]

This spam is not from Aylesbury Vale District Council but is instead a simple forgery with a malicious attachment.

From     Rachael Love [env9729health@aylesburyvaledc.gov.uk]
Date     Wed, 20 Jan 2016 13:28:21 +0430
Subject     Your compliment (ref: 398864)

I was not able to access the body text of this message. Note that the sender's email address varies slightly from message to message.

Attached is a file 398864 - Letter to recipient@domain.doc which contains the intended victim's email address. However, due to an error by the bad guys, none of the samples I have seen are downloadable.

The intended payload is probably the Dridex banking trojan, much like this.

Malware spam FAIL: "Emailed Order Confirmation - 94602:1" / "DANE THORNTON" [dane@direct-electrical.com]

This fake financial spam is meant to have a malicious attachment.

From     "DANE THORNTON" [dane@direct-electrical.com]
Date     Wed, 20 Jan 2016 16:31:21 +0800
Subject     Emailed Order Confirmation - 94602:1

--
DANE THORNTON

Attached is a file Order_94602~1.doc which in all the samples I have seen has been attached incorrectly to the email, and it will either appear to be zero length or garbage. The payload is meant to be the Dridex banking trojan, but this is the latest of several incidents lately where the bad guys have screwed up. Shame.

Monday 18 January 2016

Malware spam FAIL: "Statements" / Alison Smith [ASmith@jtcp.co.uk]

This fake financial email does not come from J Thomson Colour Printers but is instead a simple forgery with a malicious attachment.

From     Alison Smith [ASmith@jtcp.co.uk]
Date     Mon, 18 Jan 2016 18:27:36 +0530
Subject     Statements

Sent 12 JAN 16 15:36

J Thomson Colour Printers
14 Carnoustie Place

Glasgow

G5 8PB

Telephone 0141 4291094
Fax 0141 4295638

Attached is a file S-STA-SBP CRE (0036).xls which is actually corrupt, due to a monumental failure by the bad guys. The payload is meant to be the Dridex banking trojan, but since Friday the attachments have been messed up and will either appear to be garbage or zero length. The payload itself should look similar to this one, also spoofing the same company.

Malware spam FAIL: "Water Cooler World Invoice" / tom.thomson@watercoolerworld.com

This fake invoice is not from Water Cooler World but is instead a simple forgery with a malicious attachment. I was not able to capture the body text.

From     "Tom Thomson Water Cooler World" [tom.thomson@watercoolerworld.com]
Date     Mon, 18 Jan 2016 18:35:14 +0700
Subject     Water Cooler World Invoice

Attached is a file INVOICE_F-160003834.doc which will appear to be corrupt because the MIME attachment is malformed (it will either appear to be zero length or it will be garbage). This is the second corrupt spam run today; it was meant to be delivering the Dridex banking trojan. A fuller analysis of the attempted payload can be found here.

Malware spam FAIL: "Invoice January" / "A . Baird" [ABaird@jtcp.co.uk]

This fake financial spam does not come from J. Thomson Colour Printers but is instead a simple forgery with a malicious attachment.

From     "A . Baird" [ABaird@jtcp.co.uk]
Date     Mon, 18 Jan 2016 16:17:20 +0530
Subject     Invoice January

Hi,

We have been paid for much later invoices but still have the attached invoice as
outstanding.

Can you please confirm it is on your system and not under query.

Regards


  Alastair Baird
  Financial Controller

 [cid:image001.png@01CEE6A0.2D48E1B0]
  Registered in Scotland 29216
  14 Carnoustie Place
  Glasgow G5 8PB
  Direct Dial: 0141 418 5303
  Tel: 0141 429 1094
  www.jtcp.co.uk

  Save Paper - Do you really need to print this e-mail?

Because the email has an error in it, the attachment cannot be downloaded or will appear to be corrupt. This follows on from a similar bunch of corrupt spam messages on Friday [1] [2] [3]. The payload is meant to be the Dridex banking trojan.

If you can get hold of the original message, then it should be possible to locate the faulty Base 64 section, which has a leading space in it. Removing the space and decoding the Base 64 would generate the intended malicious message. Obviously, I don't recommend doing that unless you want to decode the malware..

UPDATE

A source (thank you!) tells me that the various versions of the document should download a binary from one of the following locations:

emirelo.com/786585d/08g7g6r56r.exe
esecon.com.br/786585d/08g7g6r56r.exe
outago.com/786585d/08g7g6r56r.exe


This binary has an MD5 of 971b9f7a200cff489ee38011836f5240 and a VirusTotal detection rate of 3/54. The same source identifies the following C2 servers, which are worth blocking:

192.232.204.53 (WebSiteWelcome, US)
110.77.142.156 (CAT BB Net, Thailand)
216.117.130.191 (Advanced Internet Technologies Inc, US)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)


Friday 15 January 2016

Malware spam FAIL: "Statement" / Kelly Pollard [kelly.pollard@carecorner.co.uk]

This fake financial spam is meant to have a malicious attachment, but it is corrupt:

From     Kelly Pollard [kelly.pollard@carecorner.co.uk]
Date     Fri, 15 Jan 2016 13:56:01 +0200
Subject     Statement

Your report is attached in DOC format.

Kelly Pollard
Marketing Manager
Tel: 01204 89 54 10    Fax: 01204 89 54 11

[final care corner logo]

The attachment is named Statement 012016.doc but due to an error in the email it is corrupt, and is either zero length or will produce garbage. If it were to work, it would produce a payload similar to that found here and here, namely the Dridex banking trojan. This is the third corrupt Dridex run today. Shame.

Malware spam FAIL: "Reservation Confirmation Number79501" / reservations@draytonmanorhotel.co.uk

This fake hotel reservation is meant to have a malicious attachment, but it is corrupt and you cannot download it.

From     [reservations@draytonmanorhotel.co.uk]
Date     Fri, 15 Jan 2016 16:21:55 +0530
Subject     Reservation Confirmation Number79501

We are pleased to confirm the attached booking at Drayton Manor Hotel.

Should you have any queries, please do not hesitate to contact us. We look
forward to welcoming you to Drayton Manor Hotel.

Kind Regards

Harry Ashbolt
Reservations

The attachments (in the format uk_conf_email_2012_dmh562810.xls) appear to be corrupt because of an error in the MIME attachment in the email, so they will either be zero length or appear to be garbage. I haven't seen any non-corrupt versions of the attachment at all. This is the second corrupt Dridex spam run today (this is the other one).

A source tells me that when repaired, the documents attempt to download a malicious binary from:

hotyo.1pworks.com/786585d/08g7g6r56r.exe
members.chello.nl/~h.pot2/786585d/08g7g6r56r.exe
w04z5e8ry.homepage.t-online.de/786585d/08g7g6r56r.exe


The payload is the same one as found here with a detection rate of 6/55. I would recommend blocking the IPs I mentioned in that post too.

Malware spam: "Scanned image from MX-2640N" / cm_sharpscan@yahoo.co.uk

This fake document spam is meant to have a malicious attachment, but all the versions I have seen are corrupt.

From:    cm_sharpscan@yahoo.co.uk
Date:    15 January 2016 at 10:12
Subject:    Scanned image from MX-2640N

Reply to: cm_sharpscan@yahoo.co.uk [cm_sharpscan@yahoo.co.uk]
Device Name: Not Set
Device Model: MX-2640N
Location: Not Set

File Format: DOC (Medium)
Resolution: 200dpi x 200dpi

Attached file is scanned image in Microsoft Word format.

The attachment is meant to be in the format username@domain.tld_201601151152_097144.doc but due to an apparent error in the MIME formatting, saving it results in a file in the format _username@domain.tld_201601151152_097144.doc_  0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7_CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA.doc_0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7_CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA instead

The next problem for the bad guys is that they have added a leading space to the Base 64 encoded section with the attachment in. This means that unless the mail client somehow fixes the error, the attachments are harmless (VirusTotal results [1] [2] [3] [4]).

Now, not many people are going to wade in and fix the malicious attachments, but I did and I got three unique files (VirusTotal results [1] [2] [3]).

Analysis of these documents is pending, but the payload is probably meant to be the Dridex banking trojan.
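As an added example (not code from the original post), here is a small detector for the broken-MIME pattern described in this post and in the "Invoice January" post above: a leading space in front of the Base64 section makes the first Base64 line fold into the preceding header, so the declared filename grows a Base64 tail and the body is left empty or decodes to garbage. The two .eml samples, the hostnames and the scan_message function are constructed for this example; OLE_MAGIC is the standard Compound File signature that a real .doc/.xls begins with.

```python
"""Flag MIME attachments that are malformed the way the spam runs above were.

Added example, not code from the original post. Rather than repairing the
message, it reports why an attachment is suspicious: Base64 text inside a
header, a parser defect on the part, an empty body, or a body that does not
start with the signature expected for the declared extension.
"""
import base64
import email
import re

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File (.doc/.xls) header
OLE_EXTENSIONS = (".doc", ".xls", ".ppt")

# A run of 40+ Base64-alphabet characters has no business inside a
# Content-Disposition or Content-Type header (RFC 2231 values contain % and ').
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}")
_FILENAME = re.compile(r'(?:file)?name="?([^";\s]+)', re.IGNORECASE)


def scan_message(raw_eml: str):
    """Return a list of (part_index, reason, detail) tuples for suspicious parts."""
    msg = email.message_from_string(raw_eml)  # compat32 keeps folded headers raw
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        disp = part.get("Content-Disposition", "")
        ctype = part.get("Content-Type", "")
        if "attachment" not in disp.lower() and "name=" not in ctype.lower():
            continue  # not an attachment
        for hdr_name, hdr_val in (("Content-Disposition", disp), ("Content-Type", ctype)):
            if _B64_RUN.search(hdr_val):
                findings.append((idx, "base64-in-header", hdr_name))
        if part.defects:  # e.g. missing blank line between headers and body
            findings.append((idx, "parser-defect", type(part.defects[0]).__name__))
        m = _FILENAME.search(disp) or _FILENAME.search(ctype)
        filename = m.group(1) if m else ""
        payload = part.get_payload(decode=True) or b""
        if not payload:
            findings.append((idx, "empty-payload", filename))
        elif filename.lower().endswith(OLE_EXTENSIONS) and not payload.startswith(OLE_MAGIC):
            findings.append((idx, "magic-mismatch", filename))
    return findings


# Constructed sample document: OLE signature plus padding, Base64-encoded.
_BODY_B64 = base64.b64encode(OLE_MAGIC + b"\x00" * 24).decode()

# Well-formed message: a blank line separates the part headers from the body.
CLEAN_EML = "\n".join([
    "From: cm_sharpscan@example.invalid",
    "To: victim@example.invalid",
    "Subject: Scanned image from MX-2640N",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain; charset=us-ascii",
    "",
    "Attached file is scanned image in Microsoft Word format.",
    "--b1",
    'Content-Type: application/msword; name="scan_097144.doc"',
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="scan_097144.doc"',
    "",
    _BODY_B64,
    "--b1--",
    "",
])

# Broken as in the spam runs: no blank line, and the first Base64 line carries a
# leading space, so it is parsed as a continuation of Content-Disposition. The
# line after it lands in the body and decodes to zero bytes, not a document.
BROKEN_EML = CLEAN_EML.replace(
    'filename="scan_097144.doc"\n\n' + _BODY_B64,
    'filename="scan_097144.doc"\n ' + _BODY_B64 + "\n" + "A" * 48,
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_EML), ("broken", BROKEN_EML)):
        print(label, scan_message(sample))
```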

UPDATE

I managed to coax a Hybrid Analysis of two of the documents [1] [2] showing download locations of:

nasha-pasika.lviv.ua/786585d/08g7g6r56r.exe
arm.tv/786585d/08g7g6r56r.exe


This executable is the same one dropped in this spam run. It currently has a VirusTotal detection rate of 6/54.

Ironically, that Ukrainian site is on 91.217.91.18 (PE Ivanov Vitaliy Sergeevich, Ukraine) and it is the only time I have seen a legitimate site in the block.. and it has been hacked. In any case, I would recommend blocking the entire 91.217.90.0/23, legitimate sites or not.

Those two Hybrid Analysis reports give a whole bunch of callback IPs between them:

88.208.35.71 (Advanced Hosters B.V., NL)
216.117.130.191 (Internet Technologies Inc., US)
116.12.92.107 (Lanka Comunication Services, Sri Lanka)
46.32.243.144 (Heart Internet VPS, UK)
195.96.228.199 (Bulgarian Academy Of Sciences, Bulgaria)
161.53.144.25 (Veleuciliste U Sibeniku, Croatia)
41.38.18.230 (TE Data, Egypt)


Despite the fact that the attachments aren't working, I would expect to see those IPs in use for other badness and I would recommend blocking them.


Friday 18 September 2015

E.ON "You've got mail" spam

I haven't used E.ON for a couple of years, and I no longer have an account with them. So I was surprised to get this E.ON-themed spam. Is it malware? No, it really is E.ON spamming me..

------------
From:    E.ON Energy [eon@eonenergy.com]
Reply-To:    "E.ON Energy" [eon@eonenergy.com]
Date:    17 September 2015 at 19:02
Subject:    You've got mail

You've got mail.
If you are having trouble viewing this email, you can view it here.

E.ON

You've got mail

Dear Conrad Longmore

Thanks for letting us know you'd like us to send you information by email.

What does this mean for me?
You'll receive contact from us by email instead of through the post. We're introducing our emails gradually, so you'll still get a few things through the post until we're all up and running.
What kind of things will you send me?
We'll only send you important information that you need to know about your account, including:

  • Changes to Direct Debit payments, if you've chosen to pay this way.
  • Asking for meter readings
  • Reminding you about any appointments you have with us.
  • Reminding you about paying for the energy you've used, if you haven't already told us when you're going to pay.
  • Anything else we think you'll need to know about your service from us.

Don't worry, we won't send you information to sell you anything, unless you've already told us we can.
What if I change my mind?
Visit our website and let us know.
If you change your mind, we'll still send you reminders by email if you've not paid us what you owe.
As you're an online customer, we'll also still send you an email when your bill is ready to view and other emails related to your online account you automatically get when you've signed up online.
If you've got questions about your account or anything else, click here. You won't get through to us by replying to this email.
Yours sincerely

E.ON Customer Services


Helping our customers. We're on it. E.ON

twitter
Facebook
Follow us on Facebook and Twitter and keep up to date.


Disclaimer Notice
This email has been sent by E.ON Energy Solutions Limited. While we have checked this email and any attachments for viruses, we cannot guarantee that they are virus-free. You must therefore take full responsibility for virus checking.

This message and attachments are confidential and should only be read by those to whom they are addressed.
If you are not the intended recipient, please contact us, delete the message from your computer and destroy any copies. Any distribution or copying without prior permission is prohibited.

Internet communications are not always secure and therefore E.ON does not accept legal responsibility for this message. The recipient is responsible for verifying its authenticity before acting on the contents. Any views or opinions presented are solely those of the author and do not necessarily represent those of E.ON.

Registered Address
E.ON Energy Solutions Limited. Registered office: Westwood Way, Westwood Business Park, Coventry, CV4 8LG. Registered in England and Wales No. 3407430.

CONSENT CSS
Ooookay. So it's a phish or malware, right? Well, in this case hovering over the links clearly shows an eonenergy.com domain, rather than something malicious. And at least E.ON have shown good practice by using their own domain rather than some random tracking domain, as others do.

It's been a long time since I logged onto E.ON because these days I generate all my electricity from a secondhand Russian nuclear reactor plucked from a rusty submarine that I have buried under the lawn.

Logging on to my account gives this message..

And from that point onwards there is nothing at all that I can do. I can't turn off the E.ON spam because I don't have an account with them!

It's probably 15 years or so since I registered on E.ON.. when I registered it was part of TXU, then PowerGen, which then became E.ON. So if you have registered an account with any of those companies in the past decade and a half, then you might get this spam from E.ON, even if you closed your account a long time ago..

UPDATE:
E.ON have posted some information about the cock-up and an apology here.

Thursday 9 April 2015

Namailu.com spam

This spam has been appearing in my inbox for several days now:

From:    Shana Felton [9k7bf-2976014268@serv.craigslist.org]
Date:    9 April 2015 at 19:10
Subject:    New commitment invitation - [redacted]

Hi Namailu User,
You have a commitment invitation from Sarah Smith. To view your commitment invitation please follow this link:
Copyright © 2015, Namailu Online Ltd

I've never heard of Namailu so I assumed that it was a virus. I couldn't detect a malicious payload though, and further investigation indicates that this is a wannabe dating site that appears to be promoting itself through spam.

Clicking through the link leads to https://www.namailu.com/Smith.Sarah.206

Obviously we are led to believe that the girl in the picture is sending the message.

Reverse image search comes up with no matches, unusually. Goodness knows how many people there are called "Sarah Smith" in New Zealand. Probably quite a lot.

The spam messages come from a range of IPs that are also used to spam out promotional material for a site called dirtyemojis.com (using a redirector of dirtyemojis.ru). The spam is sent from a range of Chinese IP addresses.


In each case the "From" address is fake, for example:

Shana Felton [9k7bf-2976014268@serv.craigslist.org]
Nestor Blackwell [orders@floristexpress.com.au]
Shirley Webb [rio@e-mail.com]
Mauricio Lundy [marilyndukacz@aol.com]
Edward Ybarra [v.wittke@schafmail.de]

A quick search of the body text of the message shows that it has been spammed out quite widely.

Although the site uses HTTPS, there is no ownership information. The WHOIS details are also anonymised, which is always a red flag for anything handling your personal data.

There are no contact details on the website, but the "User Agreement" page says that it is owned by Namailu Online Limited of New Zealand. It turns out that the New Zealand Companies Office offers very good information, and this is actually a real company.

The two directors listed are:

Philipp Rudolf RIPA
26 Whitehills Road, Rd 1, Silverdale, 0994, New Zealand

Rudolf SAYEGH
111 Pilkington Road, Panmure, Auckland, 1072, New Zealand

Incidentally, if you want to serve legal papers then the Pilkington Road address is the one to use. There aren't many people by the name of "Philipp Ripa" or "Rudolf Sayegh" in New Zealand, that is for sure.

A look at their Facebook page shows some information about the product being in development, but no other real details. Their sparse Twitter page at @namailu shows they have four followers. I am one of them.

I'm going to be charitable and suggest that the people running Namailu have contracted another party to do the spamming and are possibly unaware of what is going on.

However, this clueless approach does not bode well for a site that deals in highly personal data, and my personal opinion would be to give this particular outfit a very wide berth.

Saturday 14 February 2015

Spammer: Brad Smith / Unicore Health / unicorehealth.net / unicorehealth.com

This slimed its way into my mailbox:

From:    Brad Smith [sales@unicorehealth.net]
To:    Morgan Stanley [mstanley@redacted]
Date:    11 February 2015 at 15:24
Subject:    Morgan, HR related question

Hi Morgan, could you let me know a time we could talk in the next few days? For HR managers we measure and video the essential functions and physical requirements of each key job so that clients like Coca-Cola and Publix can reduce their hiring risk and job injury risk. I thought you would like to quickly view the process, some interesting examples, and how to use them in your role. Just let me know a time that works in your schedule and I will confirm back, talk then!

Regards,
Brad Smith
VP, Product Management
Unicore Health
sales@unicorehealth.net
www.unicorehealth.net

This message is confidential and intended only for the original recipient. If you have received this message in error, please delete it or mail us back with re move in the sub ject. If any follow-up is needed I show your contact information as Morgan Stanley, mstanley@redacted   and our address if needed is 3200 Downwood Circle, Ste 410, Atlanta, GA, 30327. Thank you.

Morgan Stanley? They must mean this Morgan Stanley. How did they confuse me with Morgan Stanley? Because I mention them on my website here. Now, I only know of one company that sends spam like this.. but more about them later.

Let's check the veracity of the message.. first, the mail headers.

Received: from [63.134.229.186] (port=1355 helo=mail.unicorehealth.net)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <sales@unicorehealth.net>)
    id 1YLZ9H-0001CT-C2
    for mstanley@redacted; Wed, 11 Feb 2015 15:24:20 +0000
Received: from 31617334.unicorehealth.net
        by mail.unicorehealth.net (Right Sender 3.3) with ASMTP id YRJ55117
        for <mstanley@redacted>; Wed, 11 Feb 2015 10:24:17 -0500
Message-ID: <20150211102412.2e7c8b6c6f@6e5d>
From: "Brad Smith" <sales@unicorehealth.net>
To: "Morgan Stanley" <mstanley@redacted>
Subject: Morgan, HR related question
Date: Wed, 11 Feb 2015 10:24:12 -0500
X-Priority: 3
X-Mailer: SMTP-Mailer 3.4
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass ([redacted]: domain of sales@unicorehealth.net designates 63.134.229.186 as permitted sender) client-ip=63.134.229.186 envelope-from=sales@unicorehealth.net helo=mail.unicorehealth.net
X-BlackCat-Spam-Score: -10
X-Mythic-Debug: Threshold =  On =
X-Spam-Status: No, score=-1.1

We can see that the SPF record for unicorehealth.net matches it to 63.134.229.186. The domain unicorehealth.net is also hosted on the same IP, so we can be reasonably assured that this is not a forgery. Let's look at the WHOIS details for that domain..

    Registrant Name: Brad Smith
    Registrant Organization: Unicore Health
    Registrant Street: 3200 Downwood Circle
    Registrant Street: Suite 410
    Registrant City: Atlanta
    Registrant State/Province: Georgia
    Registrant Postal Code: 30327
    Registrant Country: United States
    Registrant Phone: +1.6785226363
    Registrant Phone Ext:
    Registrant Fax:
    Registrant Fax Ext:
    Registrant Email: bsmith@unicorehealth.com


    This links unicorehealth.net with unicorehealth.com. Indeed, we can find "Bradley Smith" on the unicorehealth.com web site.


    I emailed Mr Smith back twice and asked him how he came across the email address. He didn't bother to reply.

    Previously I mentioned that I have seen this type of spam before from one particular company, BizSummits, run by Michael Price. In particular, they look for potential names on a website and then spam them, a technique that is highly inaccurate but does seem to be relatively successful nonetheless.

    Now, Unicore Health is not BizSummits. But they both use a virtual office address in Altanta, about ten miles apart. So perhaps there is some personal connection between the two businesses or the people behind them.

    One of Mr Price's other businesses is called PlugMeIn  (plugmein.com), which claims to reveal the email addresses of key people on certain websites. If this uses the same approach as the BizSummits spam, then it might well be just as inaccurate. And perhaps Unicore Health is using PlugMeIn technology to find email addresses.

    But since Brad Smith didn't bother to reply to me, I can't tell if this spam was the result of faulty software, a bad email address list or just plain stupidity. Personally, I won't be buying anything from them soon.

    UPDATE - January 2017

    For various reasons, I ended up revisiting this post and discovered that unicorehealth.net now displays a site "Hartford HR Summit" which is definitely a BizSummits / Michael Price site.


    Wednesday 14 January 2015

    Isabella Rossellini falls on hard times, starts sending SEO spam

    Now, I enjoyed Isabella Rossellini very much in Blue Velvet ..


    But it seems that she must have fallen on hard times and has started spamming for some Indian SEO outfit..

    From:    Isabella Rossellini [isabellarosselliniwebmaster@hotmail.com]
    Date:    14 January 2015 at 11:30
    Subject:    SEO Package Get 25% Discount

    Hi,

    My name is Isabella Rossellini and I am working with a reputed leading S.E.O. Company in INDIA having the experience of getting our customers' websites to the top of Google, Yahoo, MSN and other search engine rankings, producing high revenue with top page rank.

    We provide a S.E.O. Special Offer going for the following package.

    Monthly task and Responsibilities:-

    1. 150 Directory submissions
    2. 10 Social Bookmarking Submissions
    3. 10 Article Submissions (1 article x 10 article directories)
    4. 10 Press Release Submissions (1 press release x 10 press release websites)
    5. Google Submissions
    6. 1 unique, 400 word article written
    7. 1 unique, 400 word press releases
    8. 15 One Way back links with mix PR
    9. Meta tags changes suggestions
    10. Keyword research
    11. Competitor Analysis
    12. Heading tag changes
    13. Alt tag changes
    14. Interlinking wherever required.
    15. Keyword Density in site content.
    16. HTML Site Map
    17. XML site map and Submission in webmaster tool
    18. Search Engine Submission
    19. Content Optimization
    20. Deep linking submission

    Wish u a happy, healthy, peaceful & prosperous 2015!!!

    Let me know if you are interested and I would be happy to send you more details on this.

    Kind Regards

    Isabella Rossellini
    Online Marketing Executive

    I suppose it is marginally possible that this isn't the same "Isabella Rossellini" or indeed that the name is completely made up. Anyway, I think I will give this SEO spammer a wide berth.

    Monday 1 December 2014

    Q: is sync.audtd.com a virus? A: probably not.

    One of those things that makes you go "hmmm".. I kept seeing a lot of suspect looking traffic from Russian sites to sync.audtd.com, with strings like this:

    http://sync.audtd.com/match/rambler/?uid=0123456789abcdef0123456789abcdef

    audtd.com is parked on a Voxility IP of 5.254.113.29. I block large swathes of Voxility IP space because it has a bad reputation, but it does have some legitimate customers. The domain registration details are hidden:

    Registrant City: Nobby Beach
    Registrant State/Province: Queensland
    Registrant Postal Code: QLD 4218
    Registrant Country: AU
    Registrant Phone: +45.36946676
    Registrant Phone Ext:
    Registrant Fax:
    Registrant Fax Ext:
    Registrant Email: contact@privacyprotect.org
    Registry Admin ID:


    However, sync.audtd.com is hosted on three completely different IPs:

    148.251.87.17
    148.251.81.131
    148.251.81.140

    These are hosted by Hetzner in Germany. Not exactly a squeaky clean network either, but they do have a lot of legitimate customers in addition to some evil ones.
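The request shape quoted above (a `/match/` path carrying a 32-character hexadecimal `uid`) is the classic signature of an ad-network cookie-sync beacon, and the sensible first step before blocking a host is to see how often it appears, how many distinct ids it carries and which sites embed it. The following is an added example, not code from the original post, that does that over a handful of constructed proxy log lines in the format `client referer url`; only the sync.audtd.com URL shape is taken from the post, and the referer sites, client addresses and uid values are made up.

```python
"""Pick cookie-sync beacons like the sync.audtd.com request out of proxy logs.

Added example, not code from the original post. The log lines are
CONSTRUCTED (format: client referer url); only the sync.audtd.com URL
shape is taken from the post, and the uid values are made up.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

SAMPLE_LOG = """\
203.0.113.10 http://news.example.ru/ http://sync.audtd.com/match/rambler/?uid=0123456789abcdef0123456789abcdef
203.0.113.11 http://news.example.ru/ http://sync.audtd.com/match/rambler/?uid=fedcba9876543210fedcba9876543210
203.0.113.12 http://blog.example.net/ http://sync.audtd.com/match/rambler/?uid=0123456789abcdef0123456789abcdef
203.0.113.13 http://news.example.ru/ http://static.example.net/app.js
203.0.113.14 - http://shop.example.com/cart?uid=42
"""

# Path segments that ad-tech cookie-matching endpoints commonly use.
SYNC_PATH = re.compile(r"/(match|sync|cm|pixel)(/|$)", re.IGNORECASE)
# Opaque 32-hex identifiers: the shape of the uid quoted in the post.
OPAQUE_ID = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
ID_KEYS = {"uid", "id", "uuid", "cid", "cookie"}


def beacon_id(url):
    """Return the opaque id if `url` looks like a cookie-sync beacon, else None."""
    parts = urlsplit(url)
    if not SYNC_PATH.search(parts.path):
        return None
    for key, values in parse_qs(parts.query).items():
        if key.lower() in ID_KEYS:
            for v in values:
                if OPAQUE_ID.match(v):
                    return v.lower()
    return None


def summarise(log_text):
    """Per beacon host: request count, distinct ids, and the sites embedding it."""
    report = defaultdict(lambda: {"hits": 0, "ids": set(), "referer_hosts": set()})
    for line in log_text.splitlines():
        _client, referer, url = line.split()
        uid = beacon_id(url)
        if uid is None:
            continue
        entry = report[urlsplit(url).hostname]
        entry["hits"] += 1
        entry["ids"].add(uid)
        if referer != "-":
            entry["referer_hosts"].add(urlsplit(referer).hostname)
    # Plain types, so the result is easy to serialise or assert on.
    return {
        host: {
            "hits": e["hits"],
            "unique_ids": len(e["ids"]),
            "referer_hosts": sorted(e["referer_hosts"]),
        }
        for host, e in report.items()
    }


if __name__ == "__main__":
    for host, e in summarise(SAMPLE_LOG).items():
        print(host, e)
```

Two hits with the same uid from different client addresses, as in the constructed sample, is what you would expect from a cookie-matching service: the id identifies the browser across the sites that embed the beacon, which is the behaviour the privacy policy below describes.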

    Some Googling around and poking about at the very bottom of the search results reveals a possible lead in a Russian-language privacy policy [pdf] on a domain tbighistory.com. There was an English-language version that has since been deleted which read:


    Privacy Policy
    The Big History is an online technology company, Headquartered in the Russian
    Federation. This Privacy policy relates to our technology service that our company provides
    to online advertisers, web sites owners and other businesses that use our services.
    OUR BUSINESS
    We collect non-personally identifiable information regarding offline collected attributes and digital usage patterns of users of mobile devices and computers. In this policy, we refer to this non-personally identifiable information, together with other non-personally identifiable information that we obtain from third parties in order to influence which types of marketing messages and other content are displayed to you, as "Preference Data". We use Preference Data to prepare groups of users, referred to as "segments," based upon their behavior and preferences. We give our customers a limited right to use a user's membership in a segment as a basis for displaying advertisements and other content that are intended to reflect the user's preferences. We also collect non-personally identifiable information for other purposes: for example, to provide aggregate statistics for market research and analytics programs.

    WHAT WE COLLECT
    Non-PII includes but is not limited to your IP host address, the date and time of the ad
    request, pages viewed, browser type, the referring URL, Internet Service Provider, and your computer's operating system.

    HOW WE COLLECT
    We use non-personally identifiable data, including "cookies", "pixel tags," and in some
    instances, statistical ID's, to collect and store Preference Data. We do not use flash cookies.
    Cookies are small text files that contain a string of characters and uniquely identify a
    browser. They are sent to a computer by Web site operators or third parties. Most
    browsers are initially set up to accept cookies. You may, however, be able to change your
    browser settings to cause your browser to refuse third-party cookies or to indicate when a
    third-party cookie is being sent. Check your browser's "Help" files to learn more about
    handling cookies on your browser. The Big History cookies will expire after 24 months from the date they are created.

    Pixel tags are small strings of code that provide a method for delivering a graphic image on a Web page or other document. Pixel tags allow the operator of the Web page or other
    document, or a third party who serves the pixel tag, to set, read, and modify cookies on,
    and to transfer other data to, the browser used to view the Web page or other document.
    Pixel tags may also be used to obtain information about the computer being used to view
    that Web page or other document. The entity that sends the tag can view the IP address of
    the computer that the tag is sent to, the time it was sent, the user's operating system and
    browser type, and similar information.

    INFORMATION SHARING
    Collected Non-PII is processed into targeting data segments; nevertheless, it cannot be broken into segments of users that are small or unique enough for the users to be identified
    personally.

    All of the information we collect or record is restricted to our offices or designated sites.
    Only employees who need the information to perform a specific job are granted access to
    our data.

    Collected data is processed into targeting data segments and then used by advertisers,
    publishers and content providers to enhance users' experience. TBH could share collected
    and processed data with partners, based on that collected information could be used for
    third-party advertising purposes.

    All of the information we share is transferred via a secured protocol, excluding non-granted access.

    OPT OUT
    If you’d like to opt-out from having The Big History collect your Non-PII in connection with our Technology, please click here http://sync.audtd.com/optout. When you opt out, we will place an opt-out cookie on your computer. The opt-out cookie tells us not to collect your Non-PII to tailor our online advertisement campaigns. Please note that if you delete, block or otherwise restrict cookies, or if you use a different computer or Internet browser, you may need to renew your opt-out choice.

    CHANGES TO OUR POLICY
    Our company could revise and change this website policy at any time, so we advise you to
    check it periodically to always have the up-to-date version.

    CONTACT
    If you have any questions about this website policy please feel free to contact us by email
    info@tbighistory.com
    Last Update: 5 September 2014

    This site is called "The Big History" and it belongs to a clearly identified Russian company called Auditorius.

    So, in fact Auditorius do fully spell out what they are doing in their privacy policy.. but the problem is that it isn't on the audtd.com domain itself, and rather stupidly they are using anonymous WHOIS details (plus some questionable websites). I think the lesson is that if you ARE involved in a legitimate tracking activity, then you must make sure that it is obvious and people can find out what is happening easily. If you don't, people will just assume that it is a virus.


    Friday 14 November 2014

    Dear spammers.. alotbqobutarkwqechsdovmzfwa to you too.

    Dear spammers,

    Sending links out like this to drive people to your fake meds site does not work.

    From: Tudu [tudu@tin.it]
    Sent: 15 November 2014 03:42
    To: bernie@nternet.net
    Subject:

    https://www.google.com/#&q=alotbqobutarkwqechsdovmzfwa&btnI=qysawyt

    Even if you stuff your page with what you think are unique keywords such as:
    njhzxtfnpvcqgoyuayuhvtsi
    dcyfwfcuiahjrifjmpxwlshj
    crulbvxcm
    ejerwja
    uxsiyulmkggsnwjdsujrq
    srpxkpnrzupqgfwzlkqonlhhrsk
    fcgfsrlomywpykhasppybuen
    svsoyteg
    yuezkbmsqyhpsicqslrwhvcru
    scveevyvstumdryosftulvn
    ocwpikfchbarwqinqdrorqiufsqp
    alotbqobutarkwqechsdovmzfwa
    esbmoulaj
    xfshvrgaeckuzhosymxzccjplpcwg
    ywifvjeikl
    qfwtytmfeeqzf
    aaosxoqtdcduwycjhyannf
    ybyqgfztbadtwbrvwhypbdjs
    xiitpggczmb
    nsjgtbsklpwpldu
    zvgpumys
    pthnpdo
    xaorfzpfgviomnbrcbasmfoormsr
    gxascwhwfbjdmpcgdey
    ykqlnxzt
    tdcgedlfvlleuyqn
    mgoozaxm
    mlrbtiyhpqdwthpdiqgvwkq
    uhcjljmguohkmywgylmin
    coxmfzumeftmqfczjvnols
    sitlhrcwzueprwfyxv
    ntxaawsgvdinzyhiylfdgd
    nvhwjvqwcxkovoitkxfkjbttfvr
    yimclbkcepmqhiec
    ebhnypr
    oezgaikkapwzthzkfbrtrowmu
    xyejkdaxhc
    iixpkiijdgrkvqrkngpmxrfwohwvr
    amgfgmedyl
    cqqbjakpkepaje
    hmibwgcdexsm
    rjmiavdxujexjktnmtp
    kvqthzutebojwnzpzvzhzbrfcb
    saeelzoemfcahrlzyllnugbwze
    jvnfagrti
    lvdycqtozmiwphqmpa
    pufhpiotdvdimlsp
    cimbmhkagoxnbaxngvxyfcrtlcnxc
    qbnuhspjgqawxrf
    jbhbhyqkurdqgktvvs
    frcmtegacgvxqshruzeakhxfzxq
    dtctnrkgwwvdg
    ajtnchnawtnrtnlvkxho
    yjyhzpenvqmgibef
    masyqrwqslofd
    khcldmiexfrrruq
    fvqadsbhetodzgqvywuxtowhwa
    ungrhogqrabqwzrajtjpomvcirxkfp
    nncneijcvcwwnyxxgowjvvm
    olwdtxqggnsudjtzhyt
    mhxmtdnkzseiiizpzmwjnpwtppp
    sihsozhgbpybvanyfrfttlk
    tkbjkzpdpyvylkon
    mmgaklau
    jtenvfqsybmghjcabaeetj
    fmjcfqmjzstssznbgdpqwaoc
    lhedbliildq
    qivwguigzmcwkdpezdds
    wllbbhjyrditsxzlunskabhqiedg
    niazkntdfyoncfgyzq
    ndwbqjjtbaoqgegxo
    ahjznanwpcmcpvrnsbmtxrssavfv
    gmgxhwptdawtd
    abwwkrykctoaywhhwrjofirpjfss
    oaxhwkodgnvmtmd
    dkligclavpa
    nsrquhibivbijwvgutozsh
    zhwsicrhehejyxggffcsebodxtpgtf
    ckrsugdugtefqlebtixupguhdcnmlx
    hitsfbk
    dilvysgqresg
    uqeguta
    xuivhwgnruxgnnyrilaxwkqnfv
    xuafdrsacr
    rkwxzzrmerkcyllbw
    qtvzkfzcfzukksxfnrmp
    xhkldsr
    clavwtpoujkmtbvmrhvqn
    oqszjgojzeqfijbpgvnhuqfck
    cuszgksdz
    czgukflpmspirlhvejmwwojwzgfhh
    zafgbpytcoehgeyfhwktqcwhpk
    zboupfxmctek
    upmihrmqu
    odtiuxpysrcozahkrvcr
    rkqfakqcwjwrks
    ycxkfqyydheisfwydapfrkraur
    wzunqlutibfsrrgxmnlqtevs
    vlsealvrrvboe
    asglyylkuscbammxtkdxornguidnd
    ytkcijrfpvj
    qaqjzhlprprjivzyrhpvhmenkzj
    ojgtgpajla
    lbccjwlyrwxd
    rolpcaytfijigoogljgzow
    zvclpenmm
    owitfuirvwlzz
    mitjvykqxhkkxirgzegyiddtj
    oabwjyjkrcbqxzzp
    auzidohkvsthbpduiakqn
    rvthoowlmrpkyvpijbidoamdaonie
    rybberhm
    rybuxcxehxiardpehok
    xwisbggcwxopkjyhpjq
    dhnebpfvpmpktdm
    nuowacsgolfcqvoohuasktwnyw
    ovxzcmcf
    ueqakehjhnpdajljlxn
    lehmezqstjowkzzykxgnvqzli
    kkiwyqlemxuksrbodhnyglijwcoml
    yduzveynpyktsewzrpqblaw
    flnxsjbelopudwaiuxod
    lbpwduzwwcoipfxqsgccnxjaoukgua
    rktlnsorbpfjgjqhq
    xnyezxt
    nqkqmewjrjiqckuaf
    vvbmbwfovoff
    iogxxkdqq
    ftcndjjdx
    glbhxwhj
    fxjocyuhsedsntabgoo
    uokhkuqvwrxrpijbdxfw
    ..it isn't going to stop awkward bastards like me from hijacking your search results.

    [FYI.. I did not send out the spam you clicked. Somebody sent out a spam advertising a fake meds site healthshdweb.com - I am merely hijacking their attempts to direct people to the site through superior search engine optimisation]
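The link in the spam above is worth a closer look from the filtering side. The `btnI` parameter is Google's "I'm Feeling Lucky" button, so the link never displays a results page: it sends the reader straight to whatever page currently ranks first for the junk keyword, which is why the post's author could take the traffic over simply by outranking the spammer. The parameters also sit after `#`, in the URL fragment, so they are never sent to Google and never appear in a proxy or web-server log; anything that inspects only the query string sees a bare link to google.com. The following is an added example, not code from the original post, that merges query and fragment parameters and flags links of this kind in a message body; the message body is constructed, and only the first URL in it is the one quoted in the spam above.

```python
"""Flag "I'm Feeling Lucky" redirect links of the kind quoted in the post.

Added example, not code from the original post. SAMPLE_BODY is
CONSTRUCTED; its first URL is the one quoted in the spam, the rest are
benign links made up for contrast.
"""
import re
from urllib.parse import urlsplit, parse_qs

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# A "keyword" of 12+ lowercase letters with no word structure is the kind
# of unique junk token the spam relies on to make its page the top result.
NONSENSE_RE = re.compile(r"[a-z]{12,}")

SAMPLE_BODY = """\
Subject:

https://www.google.com/#&q=alotbqobutarkwqechsdovmzfwa&btnI=qysawyt

Unrelated links: https://www.google.com/search?q=spf+record and https://example.com/
"""


def search_params(url):
    """Merge parameters from the query string and from the fragment.

    The spam puts its parameters after '#', so nothing after that point is
    ever sent to the server: proxy and server logs only see the path '/'.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    frag = parse_qs(parts.fragment.lstrip("&!"), keep_blank_values=True)
    for key, values in frag.items():
        params.setdefault(key, []).extend(values)
    return parts.hostname or "", params, bool(frag)


def classify_link(url):
    """Return None for non-Google links, else a dict describing the link."""
    host, params, in_fragment = search_params(url)
    if host != "google.com" and not host.endswith(".google.com"):
        return None
    query = params.get("q", [""])[0]
    return {
        "host": host,
        "query": query,
        # btnI is the "I'm Feeling Lucky" button: the user is redirected to
        # the first hit instead of seeing results, so the real destination
        # is whatever page currently ranks first for the query.
        "feeling_lucky": "btnI" in params,
        "params_in_fragment": in_fragment,
        "nonsense_query": NONSENSE_RE.fullmatch(query) is not None,
    }


def scan_message(body):
    """Return the (url, details) pairs in a message body that look like redirect bait."""
    flagged = []
    for url in URL_RE.findall(body):
        info = classify_link(url)
        if info and info["feeling_lucky"] and (info["params_in_fragment"] or info["nonsense_query"]):
            flagged.append((url, info))
    return flagged


if __name__ == "__main__":
    for url, info in scan_message(SAMPLE_BODY):
        print(url, "->", info)
```

The practical consequence for anyone writing mail filters or URL reputation checks is that the visible domain (google.com) carries no information at all here; the thing to score is the combination of a redirect-style parameter with a query that no human would type.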