Examples of Bad Email Messages

On the theory that a picture is worth a thousand words, the following are examples of different types of "bad" email messages. It's a dangerous world on the Internet.

Topics Below:
Virus Cat and Mouse  | Phishing | Classic Scam | Spam  | Bounced Emails


Virus Cat and Mouse

For a virus to infect your computer, you have to run it. Most often, the virus attaches itself to an email message and usually (but not always) just viewing the email message is safe. However, that starts a cat and mouse game with the virus writer saying anything and everything he/she can think of to trick you into opening the attached file and thus running the virus and infecting your computer. 

Here are some examples of the ploys used to get you to open an attached file. In these cases the messages came from someone unknown to the recipient, but be aware that the FROM address of an email message is very easily forged. Don't treat a message with less suspicion because it seems to have come from someone you know. Also, see the note at the end of this topic; you may not be seeing the full file name of attached files.


My Comments Sample Virus Infected Emails 
You didn't ask for this file, but perhaps think you did or you are curious as to whether it's an honest mistake. It's not. Also, never open a file of type ".pif". Subject: Re: Your product 
From: arielb@rice.edu 
    Here is the file.
Attachments: your_product.pif 23k
Lies, lies, lies, solely designed to get you to run the attached .EXE file. Here is the archive with those information, you asked
me. And don't forget, it is strongly confidential!!!
Seya, man.
P.S. Don't forget my fee ;) 
The W32.Sober.K@mm virus. Some viruses are hidden inside ZIP files. As usual, the FROM address is forged. Subject: You visit illegal websites 
From: Officer@FBI.gov
Dear Sir/Madam,
we have logged your IP-address on more than 40 illegal 
Websites. Important: Please answer our questions!
The list of questions are attached.
Attachments: indictment_cit2987.zip
You did not request the attached document, never open a .pif file and note that the message is RE a message you never sent in the first place. Subject: Re: Re: Thanks! 
From: jbmiklas@capousd.org 
   Your document is attached.
Attachments: document.pif 
Inside the .ZIP file was a single file, not two. The file was an .SCR file which is often used by the bad guys because most people don't know that this is an executable file, just like .EXE. Considering I run a few web sites, this one made me pause at first. Subject: Photo Approval Needed 
Date: Sep 29, 2005 7:01 PM
Hello,
Your photograph was forwarded to us as part of an article we are
publishing for our October edition of Web Review Monthly. Can 
you check over the format and get back to us with your approval
or any changes you would like. 
If the photograph is not to your liking then please attach a
preferred one. We have attached the photo and article here. 
Kind regards,
John Andrews
http://www.webreview.com/
Attachments: Photo + Article.zip  
No text in the body of the message is not uncommon. Never ever install any software without doing a background check on it. Subject: A special funny game
From: s.connetable@bio-inova.com   
Attachments: rock.exe
Don't look at the attached file, even if it is from someone you know (the FROM address might be forged). The two REs in the subject are phony. Subject: Re: Re: Thanks! 
From: mschaus@haverford.edu 
  Please have a look at the attached file. 
Attachments: document.pif 29 k 
Never trust an email message that tells you to do something regarding a virus infection. More below... Subject: something for you 
From: brendenxcort@hotmail.com 
  You are infected. Read the details!
Attachments: old_photos.rtf.scr 
The Sober virus, from April 2005, was a new wrinkle. Bad grammar, spelling and capitalization are often a clue to the fraudulent nature of the message.
The attached file is called: your_text.zip and it contains a copy of the virus in a file called mail.document.Datex-packed.exe Subject: I've_got your EMail on my_account!
Hello,
First, Very Sorry for my bad English.
Someone is sending your private e-mails on my address.
It's probably an e-mail provider error!
At time, I've got over 10 mails on my account, but the recipient
are you. I have copied all the mail text in the windows 
text-editor for you and zipped then. Make sure that this mails
don't come in my mail-box again.
The messages below are particularly clever and are from a virus that first starting circulating in March 2004. In each case, the name "mikesdomain.org" is merely for illustrative purposes. For more on this particular tactic, see Viruses Try New Tactics by Lincoln Spector in PC World March 17, 2004.
Still another trick to get you to open (and thus run) the attached file. The FROM address here was forged. It came from a "bad guy" not from the staff running the web site mentioned. Again, the attached file is a .pif. Subject: Notify about your e-mail account utilization. 
Dear user, 
The management of Mikesdomain.org mailing system wants to
let you know our main mailing server will be temporary
unavailable for next two days, to continue receiving mail
in these days you have to configure our free auto-forwarding
service. Further details can be obtained from attached file.
Sincerely,
The mikesdomain.org team http://www.mikesdomain.org 
Attachments: TextFile.pif 16 k [ application/octet-stream ] 
The latest variation in this ongoing cat and mouse game. By compressing and password protecting the attached file, the virus writer is trying to prevent anti-virus programs from being able to read the file and detect the virus. Subject: Important notify about your e-mail account. 
Dear user of mikesdomain.org gateway e-mail server,
Your e-mail account has been temporary disabled because of
unauthorized access. Further details can be obtained from 
attached file. For security purposes the attached file is 
password protected. Password is "27815".
The Management,
The mikesdomain.org team http://www.mikesdomain.org
Attachments: Document.zip 16 k [ application/octet-stream ]
Yet another variation on the same theme. From the WinXPnews newsletterof March 23, 2004. Dear user of mikesdomain.org mailing system,
Our anti-virus software has detected a large amount of 
viruses outgoing from your email account. You may use 
our free anti-virus tool to clean up your computer 
software. For further details, see the attached.
The mikesdomain.org team 
Lies, lies, lies. This is the Beagle virus (according to Symantec). The attached file was TextFile.zip. The real sender was a computer named BigJim at IP address 24.184.215.163. Dear user,
the management of mikesdomain.org mailing system wants to
let you know that, Some of our clients complained about the
spam (negative e-mail content) outgoing from your e-mail
account. Probably, you have been infected by a proxy-relay
trojan server. In order to keep your computer safe, follow
the instructions. Pay attention on attached file. In order
to read the attach you have to use the following password:
88446. Cheers,
The mikesdomain.org team http://www.mikesdomain.org
 Other viruses also pretend to come from an official source.
I got this June 15, 2005. The incoming email virus scan done by my ISP did not detect this as a virus. It is. The attachment was account-details.zip. I run the JavaTester.org web site. The last two lines, about no virus found, are a total fraud. From: service@javatester.org 
Subject: Warning Message: Your services near to be closed.
Dear Javatester Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week. If you could please take
5-10 minutes out of your online experience and confirm the 
attached document so you will not run into any future problems
with the online service. If you choose to ignore our request,
you leave us no choice but to cancel your membership.
Virtually yours,
The Javatester Support Team
+++ Attachment: No Virus found
+++ Javatester Antivirus - www.javatester.org
 In January 2004, the MyDoom virus/worm did a great job of fooling people into opening the attachment  (Note: Symantec/Norton called this Novarg).
MyDoom's message body varied, two of them are shown here. They look very much like messages from your email program. Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent
as a binary attachment.
An actual MyDoom message with a third variation on the theme. Lurking in the .zip file is a virus. Subject: Status
From: szuccotti@compuserve.com
The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment.
Attachments: document.zip 30 k [ application/octet-stream ]

In the message above that says "You are infected. Read the details!", the attached file is "old_photos.rtf.scr". You should not open .scr files either, just like .pif files, Windows will try to execute them. The reason the file name has ".rtf" in it is to fool people who know not to open files that are executable. An .RTF file is not executable. There is a very bad default in Windows Explorer that hides the file extension of files of known types. I think this was done either to make Windows simpler for new users or to copy the Mac. It is a very bad way to go and all Windows users should change this option and force Windows to always show you the full file name. If your copy of Windows is not showing you full file names, you will see this attached file as "old_phots.rtf" and feel safe opening it.

Still another trick takes advantage of the fact that many email messages are scanned by anti-virus programs before they reach your inbox. The virus inserts a forged message at the bottom that looks like an anti-virus program scanned the email and gave it a good bill of health. For example:

+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com

As a point of comparison, below is a legitimate message from a server-side anti-virus program that deleted a virus in an attachment:

++++++++++++++++++++++++++++++++++++++
 VIRUS BLOCKER MESSAGE STATUS
++++++++++++++++++++++++++++++++++++++
+ Virus successfully cleaned out of attachment:
+ Attachment(s) deleted due to virus:
+ 1. Readme.vbs: W32.Beagle.W@mm
++++++Powered by Symantec+++++++++++++++

For more examples of this and long list of cat and mouse tricks from the NetSky worm, see Virus Descriptions : NetSky.P from F-Secure. 

I don't have an example of this, but another common approach to trick you into opening/running an attached file is for the email message to appear to come from Microsoft. The message seems to be a warning that you you should update your security software. In reality, Microsoft never ever sends software via email. In fact, no legitimate organization will ever send you an executable file attached to an email message. Microsoft won't do it, Symantec won't do it, McAfee won't do it, Apple won't do it, Adobe won't do it, Macromedia won't do it, etc. etc. etc. These companies may send you a message announcing that a new patch or new software is available, but they will never send the program or patch as an email attachment. The only way to be sure that a program or patch comes from the company itself, is to go the company's web site and download it from there. 

This article (Worm Steals CNN Headlines To Stay Timely, Fool Users By TechWeb News January 21, 2005) describes another new tactic to fool you. The subject line and body of the virus-laden email message vary frequently and are copied from current news at CNN. Again, never click on a file attached to an email message. 


PhishingTOP

Report phishing emails to the Phishing Incident Reporting and Termination (PIRT) Squad
or to  Phish Tank

Phishing refers to fraudulent email messages designed to trick you into providing personal information. This information is typically used to buy merchandise via credit cards and stick you with the bill. Be wary of any email message asking for your credit card number, Social Security number, bank account number, phone number, mother's maiden name, etc. 

The typical ruse is that there is a problem with your account and you have verify or re-enter this personal information. To learn more about the problem of phishing see www.antiphishing.org

As part of the scam, the links in the email message do not take you where they appear to. Instead you are taken to a web site that looks real but exists on a computer controlled by the bad guys. I have more details on the technical tricks used to fool you in my Links That Lie page. 

Since a picture is worth a thousand words, here are pictures of some phishing email messages: 


The message shown at the right (click the image to see it full size) is a phishing email message. It was not from Chase bank, a bad guy sent it - the FROM address was forged. The link to "change your password" actually took you to: 

   chaseonline.chase.com.superclean-tech.com.tw/.usa/index.php?prospect_nfpb=
  trueportlet_change_1_actionOverrideFchaseonlineFchangeFverifyDetails_
  windowLabel_portlet_change_pageLabel_page_change

 The web site is "com.tw" in Taiwan. The bad English and spelling makes this one pretty easy to spot.


Below is an excerpt from a fraudulent email message made to seem as if it came from someone selling merchandise on eBay. Since eBay has over 50 million users, it is likely to be sent to many of them, purely by accident. I am not an eBay user, making the fraud obvious. However, someone who does use eBay could be very easily fooled.

For more, see the full email message and the phony web page that the email sends victims to.

There is no reason that the phony web page could not look exactly like a valid eBay web page. It even includes links to many valid eBay pages - all part of the scam. The only thing that gives it away is that the address of the web page (URL) is given as a number rather than as "ebay.com". For more on fraudulent URLs, see my Links that Lie page. When an eBay userid and password is entered on this fraudulent web page, the bad guy saves it and then transfers you to a real eBay login page - one that looks exactly like this page. The scheme is that you think the computer never got your eBay userid and password and then you enter it again and, lo and behold, you are logged in to eBay. 

The message shown at the right (click the image to see it full size) is also a scam. It was not from Citibank, a bad guy sent it. The FROM address "service@citibank.com" was forged. The link at the bottom actually took you to

        http://218.36.71.193:443/citi/

The logo was stolen from the real Citibank web site, a very common tactic.



Sample Phishing Emails

A sample phishing message directed to PayPal customers
Two things gave this away as the fraud it is. For one, I was not a PayPal customer at the time this message was sent to me. Secondly, the link did not go where it, at first, appears to go. Hovering the mouse over the link was all it took to see that it really takes you to thisismine.netfirms.com Subject: URGENT: Verify Your PayPal Account!
From: "PayPal" <security@paypal.com>
Dear PayPal User,
Due to the recent increase in online auction fraud it is now 
mandatory for you to verify your account before May 1, 2004 or
your account will be frozen and all funds forfeited. We are 
sorry for the inconvenience, but this is an important step in
stopping online fraud. Please take the time now to verify your
account at https://www.paypal.com/verify.htm
We hope you continue to use and enjoy the PayPal service.
Thank You,
PayPal Security Department
Another PayPal phishing scam
This was sent to someone who is not a PayPal customer, a hint that it might be fraud.  :-)  You should see a fairly obvious pattern to these phishing scams by now. Again, the visible link was not in fact the real link. Clicking on it sent you to puipa1.com The from address was forged, as usual. This scam had a happy ending. The web site was hosted at sprintserve.net and when they were alerted to the scam, they pulled the site. Subject: Urgent Regarding Your PayPal Account
From: "PayPal" <Security@PayPal.com>
Dear PayPal User,
It is mandatory for you to verify your account due to your
recent auction transactions. We are sorry for the inconvenience,
but this is an important step in stopping online fraud. Please;
take the time now to verify your account at
  https://www.paypal.com/verify/ Your account must be verified
by June 1, 2004 or your account will be frozen until further
action is taken.
Thank You,
PayPal Security
A sample eBay phishing scam
This scam took advantage of a bug in Internet Explorer which is used by both Outlook and Outlook Express when viewing HTML based email messages. The visible link was not in fact the real link. That is, you thought that clicking on the link would take you to one web site, when in fact, it took you to a different web site. For more on this scam see antiphishing.org Subject: NOTICE eBay Obligatory Verifying-Invalid User Information
From: S-Harbor@eBay.com
Dear Ebay user,
We regret to inform you that your home phone number had an error
on Ebay Inc. databases...
To provide us with your phone number, just click the link below
and please complete this form.
Regards,
Ian
eBay Safe Harbor Investigative Team
Targeting eBay again
Simple.
Clean.
Elegant.
Fraudulent.
From: Ebay Gift Support [mailto:ToryGriffith@melicerous.com] 
Subject: Ebay Customer - 187A1-167
----------------------------------------
Dear [email userid],
Your business is greatly appreciated and to show our thanks we would like
to simply go to the following website and fill our form out and we will 
award you a free gift.
http://www.protending.com/ebay/
Thanks Again and Enjoy!
Here is a (text-only) sample of another Citibank phishing scam
The From address was forged. The Reply to address was also forged. Clicking on the link sent you to citisupportteam.biz which is not associated with Citibank. The name is registered to Enom International Corp. JavaScript was used to display a fake address as the destination link. They wanted you to think that clicking on "here" sent you to
www.citizensbankonline.com
It did not.
Dear Citibank valued customer,
Citibank is committed to protecting the security of our 
clients’ personal information, including when it is 
transmitted online. Therefore our ATM services utilize 
advanced security technology to protect your personal 
financial information.
In order to be prepared for the smart card upgrade on
Visa and MasterCard debit and credit cards and to avoid
problems with our ATM services, we have recently introduced
additional security measures and upgraded our software.
This security upgrade will be effective immediately and
requires our customers to update their ATM card information.
Please update your information here
And yet another Citibank phishing scam

The link went to a web site at IP
address 66.98.211.105 which is
customflix.com in association
with breakdance.com
From: Citibank Online <online@citibank.com>  
Subject: Citibank Online Security Message
Dear Citibank Customer,
When signing on to Citibank Online, you or somebody else have
made several login attempts and reached your daily attempt 
limit. As an additional security measure your access to Online
Banking has been limited. This Web security measure does not 
affect your access to phone banking or ATM banking.
Please sign on and verify your information here. You will be 
able to attempt signing on to Citibank Online within 24 hours
after you verify your information. 
(You do not have to change your Password at this time.)
Citibank Online Customer Service
A Sun Trust phishing scam
The From address was forged. It was sent via jangae.bora.net. Clicking on the link sent you to a web page at IP address 220.82.29.51. This web site belongs to the DaeJeon Youth Counseling Center in Korea dycc.or.kr. Some youths there really do need counseling in the worst way. Dear SunTrust Bank customer,
Recently there have been a large number of identity theft
attempts targeting SunTrust Bank customers. In order to 
safeguard your account, we require that you confirm your 
banking details.
This process is mandatory, and if not completed within the
nearest time your account may be subject to temporary
suspension.
To securely confirm your SunTrust Bank account details
please click on the link below:
  https://www4.SunTrust.com/internetBanking/
  RequestRouterrequestCmdId=DisplayLoginPage

Thank you for your prompt attention to this matter and
thank you for using SunTrust Bank.
And finally, one for Washington Mutual customers
This one is particularly well written. If you hadn't reviewed the samples above, it could fool you.

The spelling errors in the next to last sentence are a big clue to the fraudulent nature of the message.

The link really went to: 218.236.31.212/.wamu/update.html which is in China
Washington Mutual is committed to maintaining a safe environment
for its community of buyers and sellers. To protect the security
of your account, Washington Mutual employs some of the most advanced
security systems in the world and our anti-fraud teams regularly 
screen the Washington Mutual system for unusual activity.

We recently have determined that different computers have logged 
onto your Washington Mutual Online Banking account, and multiple 
password failures were present before the logons. We now need you to
re-confirm your account information to us. If this is not completed
by 21 February, 2005, we will be forced to suspend your account 
indefinitely, as it may have been used for fraudulent purposes. 

We thank you for your cooperation in this manner.
In order to confirm your Online Bank records, we may require some 
specific information from you.
Please follow the link below and renew your account information:
https://login.personal.wamu.com/logon/logon.asp?dd=1&Update&Your&Info

Thank you for your prompt attention to this matter. Please 
understand that this is a security measure meant to help protect
you and your account.
We apologize for any inconvenience.
If you choose to ignore our request, you leave us no choise but 
to temporaly suspend your account.
Thank you for using Washington Mutual!

Gone Spear Phishing December 3, 2005. New York Times. A new type of phishing

Read Citibank Rejects Phishing Report As Spam By Ed Foster (August 23, 2004) for another Citibank problem.

Take The MailFrontier Phishing IQ Test to see if you would fall for a phishing scam.

AntiPhishing.org also has details on an "AOL Billing Center" scam (March 10, 2004) and a "Please verify your Wells Fargo account" scam (March 9, 2004). You can report phishing emails to them at reportphishing@antiphishing.org. 

In general, requests by a company to "reconfirm" or "verify" personal data is a ruse. 

Any time you get an email that seems to be from a financial institution you deal with, don't follow the link in the email. Instead type the company's address into your web browser manually. 

If the email is addressed "Dear SunTrust customer" it is likely a fraud. A real message from a company you do business with would address you by your full name. This indicates the sender of the message does not know your name. Citibank, a very popular victim of phishing scams, now includes your first name, last name and the last 4 digits of your account number at the top of any email message from them. 

It used to be that bad spelling and grammar were also a tip-off that a message was fraudulent. Over time though, fewer phishing emails suffer from these obvious problems. 

See 10 ways to recognize phisher (spoof) emails from Earthlink and How Not to Get Hooked by a ‘ Phishing’ Scam from the FTC (June 2005). 

Ciphertrust offers a free TrustedSource Toolbar that integrates with Outlook and Lotus Notes and warns you with red and green icons whether an email message is from a trusted source or not. A new version designed for Web-based mail (Hotmail, Yahoo, etc.) will be available during the second quarter of 2006. It requires the .NET Framework v1.1. If your computer has version 2 of the .NET Framework, you still have to install version 1.1.


Classic ScamTOP

Ignore messages from someone claiming to be a representative of the Nigerian government, promising a multi-million dollar reward for your help in transferring a huge sum of money. This scam, known as the "419 Scam" or the "Nigerian scam", pre-dates the Internet. Victims are asked for their bank account and other personal information. Invariably a "problem" arises and the victim is pressured or threatened to provide a large sum of money to save the venture.

In another wrinkle, a person claiming to be from a third-world country, again with custody of a large amount of money, offers to share the wealth with you if you will help them get it out of the country. The scammer needs your bank account information to deposit the money in your account. If you give it, you find that money withdrawn from, rather than deposited to, your account. 

Here are two examples:


Subject: NICE TO MEET YOU 
From: "MR. KONAL OXFORD" <konal@katamail.com> 
FROM: THE DESK OF MR.KONAL OXFORD. 
CREDIT OFFICER, FOREIGN REMITTANCE DEPARTMENT, UNION BANK OF NIGERIA(U.B.N). 

DEAR SIR, 

FIRST, I MUST SOLICIT YOUR CONFIDENCE IN THIS TRANSACTION; THIS IS BY VIRTUE OF ITS NATURE AS BEING UTTERLY CONFIDENTIAL AND TOP SECRET. THOUGH I KNOW THAT A TRANSACTION OF THIS MAGNITUDE WILL MAKE ANY ONE APPREHENSIVE AND WORRIED,BUT I AM ASSURING YOU THAT ALL WILL BE WELL AT THE END OF THE DAY. 

WE HAVE DECIDED TO CONTACT YOU DUE TO THE URGENCY OF THIS TRANSACTION, AS WE HAVE BEEN RELIABLY INFORMED OF YOUR DISCRETNESS AND ABILITY IN TRANSACTION OF THIS NATURE. 

LET ME START BY INTRODUCING MYSELF PROPERLY TO YOU. I AM MR. KONAL OXFORD,CREDIT OFFICER WITH THE UNION BANK OF NIGERIA PLC,LAGOS. I CAME TO KNOW YOU IN MY PRIVATE SEARCH FOR A RELIABLE AND REPUTABLE PERSON TO HANDLE THIS CONFIDENTIAL TRANSACTION,WHICH INVOLVES THE TRANSFER OF HUGE SUM OF MONEY TO A FOREIGN ACCOUNT REQUIRING MAXIMUM CONFIDENCE. 

THE PROPOSITION: 

A FOREIGNER AN AMERICAN,LATE ENGR JOHN CREEK (SNR) AN OIL MERCHANT WITH T HE FEDERAL GOVERNMENT OF NIGERIA,UNTIL HIS DEATH IN KENYA AIR BUS (A310-300) FLIGHT KQ430,BANKED WITH US AT UNION BANK OF NIGERIA PLC LAGOS AND HAD A CLOSING BALANCE AS AT THE END OF JANUARY,2000 WORTH USD25, 000,000.00 (TWENTY FIVE MILLION UNITED STATE DOLLAR),THE BANK NOW EXPECTS A NEXT OF KIN AS BENEFICIARY.VALUABLE EFFORTS ARE BEING MADE BY THE UNION BANK OF NIGERIA TO GET IN TOUCH WITH ANY OF THE CREEK'S FAMILY OR RELATIVES BUT TO NO SUCCESS. 

IT IS BECAUSE OF THE PERCEIVED POSSIBILITY OF NOT BEING ABLE TO LOCATE ANY OF LATE ENGR.JOHN CREEK(SNR)'S NEXT OF KIN (HE HAD NO WIFE OR CHILDREN THAT IS KNOWN TO US).THE MANAGEMENT UNDER THE INFLUENCE OF OUR CHAIRMAN AND MEMBERS OF THE BOARD OF DIRECTORS,THAT ARANGE HAS BEEN MADE FOR THE FUND TO BE DECLEARED "UNCLAINMED" AND SUBSEQUENTLY BE DONATED TO THE TRUST FUND FOR ARMS AND AMMUNITION TO FURTHER ENHANCE THE COURSE OF WAR IN AFRICA AND THE WORLD IN GENERAL. 

IN ORDER TO AVERT THIS NEGATIVE DEVELOPMENT, SOME OF MY TRUSTED COLLEAGUES AND I NOW SEEK YOUR PERMISSION TO HAVE YOU STAND AS NEXT OF KIN TO LATE ENGR. JOHN CREEK(SNR) SO THAT THE FUND USD25 MILLION WILL BE RELEASED AND PAID INTO YOUR ACCOUNT AS THE BENEFICIARY'S NEXT OF KIN. ALL DOCUMENTS AND PROVES TO ENABLE YOU GET THIS FUND WILL BE CAREFULLY WORKED OUT. 

WE HAVE SECURE FROM THE PROBATE AN ORDER OF MADAMUS TO LOCATE ANY OF DECEASED BENEFICIARIES,AND MORE SO WE ARE ASSURING YOU THAT THIS BUSINESS IS 100% RISK FREE INVOLVEMENT.YOUR SHARE STAYS WHILE THE REST BE FOR MYSELF AND MY COLLEAGUES FOR INVESTMENT PURPOSE. 

ACCORDING TO AGGREMENT WITHIN BOTH PARTIES AS SOON AS WE RECIEVE AN ACKNOWLEDGEMENT OF RECEIPT OF THIS MESSAGE IN ACCEPTANCE OF OUR MUTUAL BUSINESS PROPOSAL,WE WOULD FURNISH YOU WITH THE NECCESSARY MODALITIES AND DISBURSEMENT RATIO TO SUITE BOTH PARTIES WITHOUT ANY CONFLICT. 

IF THIS PROPOSAL IS ACCEPTABLE BY YOU DO NOT MAKE UNDUE ADVANTAGE OF THE TRUST WE HAVE BESTOWED IN YOU AND YOUR COMPANY,THEN KINDLY GET TO ME IMMEDIATELY VIA MY EMAIL: konal@ecplaza.net

PLEASE FURNISH ME WITH YOUR MOST CONFIDENTIAL TELEPHONE, FAX NUMBERS SO THAT I CAN USE THIS INFORMATION TO APPLY FOR THE RELEASE AND SUBSEQUENT TRANSFER OF THE FUND IN YOUR FAVOUR. 

THANK YOU IN ADVANCE FOR YOUR ANTICIPATED CO-ORPORATION.
YOURS FAITHFULLY,
MR.KONAL OXFORD.


Subject: urgent assistant
From: "Michael James"
Dear Sir/Madam

I know this letter will come as a surprise to you, but i would like you to give it a top consideration so as to help me and my family from our present predicament.

I am Michael James, the first son of Mr Leonard James, a British Farmer based in Zimbabwe. My father is now dead as a result of his incarceration by the Zimbabwean Government under President Robert Mugabe who ordered the white farmers in Zimbabwe to vacate their Farm Land and go back to their country.

But my father, due to his large investment in the Farm Land refused to quit Zimbabwe for his country. Based on this reason he was arrested and imprisoned and as a result of his protracted sickness [Diabetics] he died in Manfe prison on 19 sept 2002. May his gentle soul rest in perfect peace.

After his death, all efforts by my mother who is a Zimbabwean to secure most of my father's investment was frustrated by the President Mugabes Government. Towards this end my mother discovered an original certificate of deposit for a trunk box containing the sum of USD9,000,000.00 ( Nine million U.S.Dollars) deposited by my late father in custody of a security trust company in Dubai, UAE. The money belonged to the White Farmers Association [W. F. A] which my late father was the Founder/President with the help of my maternal uncle who was a Comissioner in Zimbabwe.

We are able to trace the security trust company to Dubai [U.A.E] where the box containing the money is presently deposited, declared as Family Jewellries and Antiquities as to avoid raising any eye brow from the authority here. All documented proofs in respect of this deposited consignment are in my pocession.

As it is, I am looking for a reliable partner who can help me safe-guide and invest this money very prudently in his company as advised by my mother. 20% of this money will be given to you while 5% will be set aside for miscellanous expenses that we may incure during the process.

Also note that this transaction is 100% risk free, you may also be required to come to Dubai if need be on indication of your interest. Please confirm your interest on this transaction and contact me on my email address; michaeljames@Z6.com

I am presently in Dubai [U A E]. Hoping to hear from you soonest.
Thanks and Remain blessed
Michael James

For more see www.secretservice.gov/alert419.shtml and The Nigerian Nightmare Who's sending you all those scam e-mails? by Brendan I. Koerner in Slate October 22, 2002. In addition 419eater.com has stories from people who have engaged the scammers in conversations. They call it scambaiting - entering into a dialogue with scammers to waste their time and resources.


SPAMTOP

Needless to say, no one needs examples of SPAM. However, there is an interesting point about the message below. 

It was sent to the webmaster address of a web site of mine (the name is changed to mikesdomain.org for the purposes of this example). The message came to an email address that never subscribes to anything, so it was obviously "harvested" (the polite word for stolen) from the web site. The "partner website" claim is not true. The main point though, is about the email removal. No matter what email address you try to remove, the web site says it was successfully removed. Make up an email address, and it says its removed. I can't prove it, but I would bet money that trying to remove your email address, just results in more SPAM as the address is now confirmed to be good. The Remove Me button referred to in the message takes you to www.seekercenter.net/remove.php?email=webmaster@mikesdomain.org 

The lesson: don't bother un-subscribing to SPAM. It will either be a waste of time or an invitation to get more SPAM. 

Subject: http://mikesdomain.org
From: "Vanessa Lintner" <reply@seekercenter.net>
Reply-To: "Vanessa Lintner" <vanessa@seekercenter.net>
To: webmaster@mikesdomain.org

I have visited mikesdomain.org and noticed that your website is not listed on some search engines. I am sure that through our service the number of people who visit your website will definitely increase. SeekerCenter is a unique technology that instantly submits your website to over 500,000 search engines and directories-a really low-cost and effective way to advertise your site. For more details please go to www.SeekerCenter.net. Give your website maximum exposure today. Looking forward to hearing from you.
Best Regards, Vanessa Lintner Sales & Marketing 

You are receiving this email because you opted-in to receive special offers through a partner website. If you feel that you received this email in error or do not wish to receive additional special offers, please enter your email address here and click the button of "Remove Me"

Also, please, never ever buy anything advertised via SPAM, even if it's something you want. This just encourages more SPAM on all of us. Also, never click on a link in a SPAM email message as this is likely to result in your receiving even more SPAM. 

One tactic spammers often use to avoid anti-spam software is to change the spelling of words that the software might think indicates a message is SPAM. The most famous such word is Viagra. A humorous take on the many ways Viagra is purposely mis-spelled can be read in There are 600,426,974,379,824,381,952 ways to spell Viagra. On a serious note, mis-spellings also used, as mentioned above, to disguise the real address of a web site for fraudulent purposes. 

Garbage words: Another tactic you may see in SPAM messages is the inclusion of many garbage words or garbage sentences. This is done to get around assorted SPAM filters. Below is an example of this where the garbage words are at the bottom. SPAM filters based on Bayesian interference decide whether a message is SPAM or not based on words that often appear in SPAM messages. The tactic here is to include words that normally do not appear in SPAM messages in order to get a message classified as not being SPAM. I have seen this described as "word salad" or "dictionary salad". In HTML based messages, the garbage words may be hidden by either making them the same color as the background or by making the text extremely small. If you view your messages in plain text, the garbage words will always be visible.  

Subject: jerome smile
From: Gabriela Zavala <estyugoslav@attbi.com>
Reply-To: Gabriela Zavala <slimylens@attbi.com>

Hey, come on - Purchase G.e.n.e.r.i.c V I A G R A - Get the magic Blue Pills NOW!! 
STOP WASTING YOUR MONEY!
http://www.WQ9.wesiwhchned.com/gp/default.asp?ID=bw
We also have these medications in highly discounted generic form:
Ambien, Xanax, Phentermine, Lipitor, Nexium, Paxil, Valium and Vioxx.
Physician Consultation: FREE! 
Fast, private, and FREE delivery 
Convenience: 10 minute online consultation 
I want to say adios

semaphore nuclei bazaar paraphernalia glow beg ambition embassy optometry thump feedback fill scrotum mutter alcove inadequacy vise chalkboard bestseller angle concertina what'd stablemen drier erosion garner monkish sandblast tenneco vignette embryo detente filler grover cute e'er ligget polkadot toad buzz pallid confectionery scowl doorbell blumenthal somerville harrisburg it glisten methylene upsetting botanist sedimentation depict garrison filled bema

Bayesian SPAM filters have gotten so good that the bad guys have yet another new tactic, no words. An HTML based email message contains nothing but a link to a picture. The advertising message is wholly contained in the picture. 

Why is there so much SPAM and Phishing? It's profitable and easy. Here is one example of the easy part. This is an actual email message that I received in April 2004. 

Subject: Re: Emails of eBay members
From: Tom Theroux <teodor@crewstart.com>
Hello:
We are offering an email database which allows to contact eBay members (both sellers and shoppers). These are individuals that buy and sell items on the eBay auction. Please notice that 90% of eBay customers are also customers of PayPal. This database will be perfect for selling your products/services, because we are providing you unique prospects who purchase and sell more than anybody else! The data contains 408,000 records, which include personal email addresses only. The records cover ALL categories listed on eBay.
The database will be delivered to you in any format of your choice (Excel, ASCII, CSV, etc.).By default it is provided in a 4.4MB TXT file. The data was collected in the period of last 2 months and will be updated quarterly.
The price we are asking is $360. 
To place the order please fill out the form: http://www.gmthost.com/ebay.php
To contact me please email to info@gmthost.com (THIS EMAIL ONLY! DO NOT 'REPLY'). Please notice that we also maintain a list of eGold sellers.
Best, Tom Theroux

Bounced EmailsTOP

Should you send an email message to an address that does not exist, it is likely that the email server at the recipients domain will respond to you with an email message informing you of the problem. Your message is said to have "bounced". Below are excerpts from legitimate bounce messages. The reason this is here is because there are two types of bad bounce messages.
  • Ones actually generated by an email server, but for an email message that you did not send. Delete the message and forget about it. Many viruses proliferate by emailing themselves with fraudulent FROM addresses. If you are the victim of this, there is nothing you can do. You may also get a real message from a real email server complaining that you sent an email message with a virus in it. Most likely you did not. Instead the virus sent out many copies of itself from someone else's computer using a forged FROM address and you are as much a victim as the recipient. For more see Could You Be Sending Spam? Spammers are using new tools to hide the origin of their messages. by Lincoln Spector in PC World magazine. May 30, 2003 
      
  • More serious is when a virus or worm sends a message that appears to be a normal bounce message but is fraudulent. In this case, there will be an attached file and a phony story in the body of the message that tries to trick you into opening the attached file. Don't! Delete the message. 

This message was sent to an unknown user at EarthLink:

Subject: Mail delivery failed: returning message to sender
From: Mail Delivery System <Mailer-Daemon@smtp4.mindspring.com>
To: you 

This message was created automatically by mail delivery software (Exim).
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
   testingabadaddress@earthlink.net

SMTP error from remote mailer after RCPT TO:<testingabadaddress@earthlink.net>:
host mx2.earthlink.net [207.217.125.17]: 550 testingabadaddress@earthlink.net... User unknown

This message was sent to a non-existing user at AOL:

Subject: Mail delivery failed: returning message to sender
From: Mail Delivery System <Mailer-Daemon@smtp5.atl.mindspring.net>
To: you

This message was created automatically by mail delivery software (Exim).
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

thisaddressdontexist@aol.com
SMTP error from remote mailer after RCPT TO:<thisaddressdontexist@aol.com>:
host mailin-03.mx.aol.com [64.12.138.120]: 550 MAILBOX NOT FOUND

This message was sent to a non-existing user at a domain of mine. The final line is an error message that I configured using the Control Panel of the web site hosting company for the domain. 

Subject: failure notice
From: MAILER-DAEMON@lownok.pair.com

Hi. This is the qmail-send program at
lownok.pair.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<thisuserdontexist@thedomainIown.com>:
===> Message sent to non-existing user. Ignored. <===

This message was sent to someone at EarthLink whose email inbox is full:

Subject: Mail delivery failed: returning message to sender
From: Mail Delivery System <Mailer-Daemon@smtp6.mindspring.com>
To: you

This message was created automatically by mail delivery software (Exim).
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

person22@earthlink.net
SMTP error from remote mailer after RCPT TO:<person22@earthlink.net>:
host mx7.earthlink.net [207.217.125.22]: 554 This mailbox is full.
Please try again later. for person22@earthlink.net