 |
Home => Bad Emails
|
|
Home => Bad Emails
|
| [Formatted for Printing] | From the personal web site of Michael Horowitz |
| On the theory that a picture is worth a thousand
words, the following are examples of different types of "bad" email messages. It's a
dangerous world on the Internet. | |
| Topics Below: | |
| Virus Cat and Mouse | Phishing | Classic Scam | Spam | Bounced Emails | |
For a virus to infect your computer, you have to run it. Most often, the virus attaches itself to an email message and usually (but not always) just viewing the email message is safe. However, that starts a cat and mouse game with the virus writer saying anything and everything he/she can think of to trick you into opening the attached file and thus running the virus and infecting your computer.
Here are some examples of the ploys used to get you to open an attached file. In these cases the messages came from someone unknown to the recipient, but be aware that the FROM address of an email message is very easily forged. Don't treat a message with less suspicion because it seems to have come from someone you know. Also, see the note at the end of this topic; you may not be seeing the full file name of attached files.
| My Comments | Sample Virus Infected Emails |
| You didn't ask for this file, but perhaps think you did or you are curious as to whether it's an honest mistake. It's not. Also, never open a file of type ".pif". |
Subject: Re: Your product From: arielb@rice.edu Here is the file. Attachments: your_product.pif 23k |
| Lies, lies, lies, solely designed to get you to run the attached .EXE file. |
Here is the archive with those information, you asked me. And don't forget, it is strongly confidential!!! Seya, man. P.S. Don't forget my fee ;) |
| The W32.Sober.K@mm virus. Some viruses are hidden inside ZIP files. As usual, the FROM address is forged. |
Subject: You visit illegal websites From: Officer@FBI.gov Dear Sir/Madam, we have logged your IP-address on more than 40 illegal Websites. Important: Please answer our questions! The list of questions are attached. Attachments: indictment_cit2987.zip |
| You did not request the attached document, never open a .pif file and note that the message is RE a message you never sent in the first place. |
Subject: Re: Re: Thanks! From: jbmiklas@capousd.org Your document is attached. Attachments: document.pif |
| Inside the .ZIP file was a single file, not two. The file was an .SCR file which is often used by the bad guys because most people don't know that this is an executable file, just like .EXE. Considering I run a few web sites, this one made me pause at first. |
Subject: Photo Approval Needed Date: Sep 29, 2005 7:01 PM Hello, Your photograph was forwarded to us as part of an article we are publishing for our October edition of Web Review Monthly. Can you check over the format and get back to us with your approval or any changes you would like. If the photograph is not to your liking then please attach a preferred one. We have attached the photo and article here. Kind regards, John Andrews http://www.webreview.com/ Attachments: Photo + Article.zip |
| No text in the body of the message is not uncommon. Never ever install any software without doing a background check on it. |
Subject: A special funny game From: s.connetable@bio-inova.com Attachments: rock.exe |
| Don't look at the attached file, even if it is from someone you know (the FROM address might be forged). The two REs in the subject are phony. |
Subject: Re: Re: Thanks! From: mschaus@haverford.edu Please have a look at the attached file. Attachments: document.pif 29 k |
| Never trust an email message that tells you to do something regarding a virus infection. More below... |
Subject: something for you From: brendenxcort@hotmail.com You are infected. Read the details! Attachments: old_photos.rtf.scr |
| The Sober virus, from April 2005, was a new wrinkle. Bad grammar, spelling and capitalization are often a clue to the fraudulent nature of the message. | |
| The attached file is called: your_text.zip and it contains a copy of the virus in a file called mail.document.Datex-packed.exe |
Subject: I've_got your EMail on
my_account! Hello, First, Very Sorry for my bad English. Someone is sending your private e-mails on my address. It's probably an e-mail provider error! At time, I've got over 10 mails on my account, but the recipient are you. I have copied all the mail text in the windows text-editor for you and zipped then. Make sure that this mails don't come in my mail-box again. |
| The messages below are particularly clever and are from a virus that first starting circulating in March 2004. In each case, the name "mikesdomain.org" is merely for illustrative purposes. For more on this particular tactic, see Viruses Try New Tactics by Lincoln Spector in PC World March 17, 2004. | |
| Still another trick to get you to open (and thus run) the attached file. The FROM address here was forged. It came from a "bad guy" not from the staff running the web site mentioned. Again, the attached file is a .pif. |
Subject: Notify about your e-mail account utilization. Dear user, The management of Mikesdomain.org mailing system wants to let you know our main mailing server will be temporary unavailable for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service. Further details can be obtained from attached file. Sincerely, The mikesdomain.org team http://www.mikesdomain.org Attachments: TextFile.pif 16 k [ application/octet-stream ] |
| The latest variation in this ongoing cat and mouse game. By compressing and password protecting the attached file, the virus writer is trying to prevent anti-virus programs from being able to read the file and detect the virus. |
Subject: Important notify about your e-mail account. Dear user of mikesdomain.org gateway e-mail server, Your e-mail account has been temporary disabled because of unauthorized access. Further details can be obtained from attached file. For security purposes the attached file is password protected. Password is "27815". The Management, The mikesdomain.org team http://www.mikesdomain.org Attachments: Document.zip 16 k [ application/octet-stream ] |
| Yet another variation on the same theme. From the WinXPnews newsletterof March 23, 2004. |
Dear user of mikesdomain.org mailing system, Our anti-virus software has detected a large amount of viruses outgoing from your email account. You may use our free anti-virus tool to clean up your computer software. For further details, see the attached. The mikesdomain.org team |
| Lies, lies, lies. This is the Beagle virus (according to Symantec). The attached file was TextFile.zip. The real sender was a computer named BigJim at IP address 24.184.215.163. |
Dear user, the management of mikesdomain.org mailing system wants to let you know that, Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions. Pay attention on attached file. In order to read the attach you have to use the following password: 88446. Cheers, The mikesdomain.org team http://www.mikesdomain.org |
| Other viruses also pretend to come from an official source. | |
| I got this June 15, 2005. The incoming email virus scan done by my ISP did not detect this as a virus. It is. The attachment was account-details.zip. I run the JavaTester.org web site. The last two lines, about no virus found, are a total fraud. |
From: service@javatester.org Subject: Warning Message: Your services near to be closed. Dear Javatester Member, Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service. If you choose to ignore our request, you leave us no choice but to cancel your membership. Virtually yours, The Javatester Support Team +++ Attachment: No Virus found +++ Javatester Antivirus - www.javatester.org |
| In January 2004, the MyDoom virus/worm did a great job of fooling people into opening the attachment (Note: Symantec/Norton called this Novarg). | |
| MyDoom's message body varied, two of them are shown here. They look very much like messages from your email program. |
Mail transaction failed. Partial message is available. The message contains Unicode characters and has been sent as a binary attachment. |
| An actual MyDoom message with a third variation on the theme. Lurking in the .zip file is a virus. |
Subject: Status From: szuccotti@compuserve.com The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. Attachments: document.zip 30 k [ application/octet-stream ] |
In the message above that says "You are infected. Read the details!", the attached file is "old_photos.rtf.scr". You should not open .scr files either, just like .pif files, Windows will try to execute them. The reason the file name has ".rtf" in it is to fool people who know not to open files that are executable. An .RTF file is not executable. There is a very bad default in Windows Explorer that hides the file extension of files of known types. I think this was done either to make Windows simpler for new users or to copy the Mac. It is a very bad way to go and all Windows users should change this option and force Windows to always show you the full file name. If your copy of Windows is not showing you full file names, you will see this attached file as "old_phots.rtf" and feel safe opening it.
Still another trick takes advantage of the fact that many email messages are scanned by anti-virus programs before they reach your inbox. The virus inserts a forged message at the bottom that looks like an anti-virus program scanned the email and gave it a good bill of health. For example:
|
+++ Attachment: No Virus found +++ MC-Afee AntiVirus - www.mcafee.com |
As a point of comparison, below is a legitimate message from a server-side anti-virus program that deleted a virus in an attachment:
| ++++++++++++++++++++++++++++++++++++++ VIRUS BLOCKER MESSAGE STATUS ++++++++++++++++++++++++++++++++++++++ + Virus successfully cleaned out of attachment: + Attachment(s) deleted due to virus: + 1. Readme.vbs: W32.Beagle.W@mm ++++++Powered by Symantec+++++++++++++++ |
For more examples of this and long list of cat and mouse tricks from the NetSky worm, see Virus Descriptions : NetSky.P from F-Secure.
I don't have an example of this, but another common approach to trick you into opening/running an attached file is for the email message to appear to come from Microsoft. The message seems to be a warning that you you should update your security software. In reality, Microsoft never ever sends software via email. In fact, no legitimate organization will ever send you an executable file attached to an email message. Microsoft won't do it, Symantec won't do it, McAfee won't do it, Apple won't do it, Adobe won't do it, Macromedia won't do it, etc. etc. etc. These companies may send you a message announcing that a new patch or new software is available, but they will never send the program or patch as an email attachment. The only way to be sure that a program or patch comes from the company itself, is to go the company's web site and download it from there.
This article (Worm Steals CNN Headlines To Stay Timely, Fool Users By TechWeb News January 21, 2005) describes another new tactic to fool you. The subject line and body of the virus-laden email message vary frequently and are copied from current news at CNN. Again, never click on a file attached to an email message.
Report phishing emails to the
Phishing Incident Reporting and Termination (PIRT) Squad
or to Phish Tank
Phishing refers to fraudulent email messages designed to trick you into providing personal information. This information is typically used to buy merchandise via credit cards and stick you with the bill. Be wary of any email message asking for your credit card number, Social Security number, bank account number, phone number, mother's maiden name, etc.
The typical ruse is that there is a problem with your account and you have verify or re-enter this personal information. To learn more about the problem of phishing see www.antiphishing.org.
As part of the scam, the links in the email message do not take you where they appear to. Instead you are taken to a web site that looks real but exists on a computer controlled by the bad guys. I have more details on the technical tricks used to fool you in my Links That Lie page.
Since a picture is worth a thousand words, here are pictures of some phishing email messages:
The message shown at the right (click the image to see it full size) is a phishing email message. It was not from Chase bank, a bad guy sent it - the FROM address was forged. The link to "change your password" actually took you to:
chaseonline.chase.com.superclean-tech.com.tw/.usa/index.php?prospect_nfpb= The web site is "com.tw" in Taiwan. The bad English and spelling makes this one pretty easy to spot. |
|
Below is an excerpt from a fraudulent email message made to seem as if it came from someone selling merchandise on eBay. Since eBay has over 50 million users, it is likely to be sent to many of them, purely by accident. I am not an eBay user, making the fraud obvious. However, someone who does use eBay could be very easily fooled. 
For more, see the full email message and the phony web page that the email sends victims to. There is no
reason that the phony web page could not look exactly like a valid eBay web page. It even includes
links to many valid eBay pages - all part of the scam. The only thing that gives
it away is that the address of the web page (URL) is given as a number rather
than as "ebay.com". For more on fraudulent URLs, see my Links
that Lie page. When an eBay userid and password is entered on this
fraudulent web page, the bad guy saves it and then transfers you to a real
eBay login page - one that looks exactly like this page. The scheme is that
you think the computer never got your eBay userid and password and then you
enter it again and, lo and behold, you are logged in to eBay. |
|
| A sample phishing message directed to PayPal customers | |
| Two things gave this away as the fraud it is. For one, I was not a PayPal customer at the time this message was sent to me. Secondly, the link did not go where it, at first, appears to go. Hovering the mouse over the link was all it took to see that it really takes you to thisismine.netfirms.com |
Subject: URGENT: Verify Your PayPal Account! From: "PayPal" <security@paypal.com> Dear PayPal User, Due to the recent increase in online auction fraud it is now mandatory for you to verify your account before May 1, 2004 or your account will be frozen and all funds forfeited. We are sorry for the inconvenience, but this is an important step in stopping online fraud. Please take the time now to verify your account at https://www.paypal.com/verify.htm We hope you continue to use and enjoy the PayPal service. Thank You, PayPal Security Department |
| Another PayPal phishing scam | |
| This was sent to someone who is not a PayPal customer, a hint that it might be fraud. :-) You should see a fairly obvious pattern to these phishing scams by now. Again, the visible link was not in fact the real link. Clicking on it sent you to puipa1.com The from address was forged, as usual. This scam had a happy ending. The web site was hosted at sprintserve.net and when they were alerted to the scam, they pulled the site. |
Subject: Urgent Regarding Your PayPal Account From: "PayPal" <Security@PayPal.com> Dear PayPal User, It is mandatory for you to verify your account due to your recent auction transactions. We are sorry for the inconvenience, but this is an important step in stopping online fraud. Please; take the time now to verify your account at https://www.paypal.com/verify/ Your account must be verified by June 1, 2004 or your account will be frozen until further action is taken. Thank You, PayPal Security |
| A sample eBay phishing scam | |
| This scam took advantage of a bug in Internet Explorer which is used by both Outlook and Outlook Express when viewing HTML based email messages. The visible link was not in fact the real link. That is, you thought that clicking on the link would take you to one web site, when in fact, it took you to a different web site. For more on this scam see antiphishing.org |
Subject: NOTICE eBay Obligatory Verifying-Invalid User Information From: S-Harbor@eBay.com Dear Ebay user, We regret to inform you that your home phone number had an error on Ebay Inc. databases... To provide us with your phone number, just click the link below and please complete this form. Regards, Ian eBay Safe Harbor Investigative Team |
| Targeting eBay again | |
| Simple. Clean. Elegant. Fraudulent. |
From: Ebay Gift Support [mailto:ToryGriffith@melicerous.com] Subject: Ebay Customer - 187A1-167 ---------------------------------------- Dear [email userid], Your business is greatly appreciated and to show our thanks we would like to simply go to the following website and fill our form out and we will award you a free gift. http://www.protending.com/ebay/ Thanks Again and Enjoy! |
| Here is a (text-only) sample of another Citibank phishing scam | |
| The From address was forged. The Reply to address was also forged.
Clicking on the link sent you to citisupportteam.biz which is not
associated with Citibank. The name is registered to Enom International Corp.
JavaScript was used to display a fake address as the destination link. They
wanted you to think that clicking on "here" sent you to www.citizensbankonline.com It did not. |
Dear Citibank valued customer, Citibank is committed to protecting the security of our clients’ personal information, including when it is transmitted online. Therefore our ATM services utilize advanced security technology to protect your personal financial information. In order to be prepared for the smart card upgrade on Visa and MasterCard debit and credit cards and to avoid problems with our ATM services, we have recently introduced additional security measures and upgraded our software. This security upgrade will be effective immediately and requires our customers to update their ATM card information. Please update your information here |
| And yet another Citibank phishing scam | |
The link went to a web site at IP address 66.98.211.105 which is customflix.com in association with breakdance.com |
From: Citibank Online <online@citibank.com> Subject: Citibank Online Security Message Dear Citibank Customer, When signing on to Citibank Online, you or somebody else have made several login attempts and reached your daily attempt limit. As an additional security measure your access to Online Banking has been limited. This Web security measure does not affect your access to phone banking or ATM banking. Please sign on and verify your information here. You will be able to attempt signing on to Citibank Online within 24 hours after you verify your information. (You do not have to change your Password at this time.) Citibank Online Customer Service |
| A Sun Trust phishing scam | |
| The From address was forged. It was sent via jangae.bora.net. Clicking on the link sent you to a web page at IP address 220.82.29.51. This web site belongs to the DaeJeon Youth Counseling Center in Korea dycc.or.kr. Some youths there really do need counseling in the worst way. |
Dear SunTrust Bank customer, Recently there have been a large number of identity theft attempts targeting SunTrust Bank customers. In order to safeguard your account, we require that you confirm your banking details. This process is mandatory, and if not completed within the nearest time your account may be subject to temporary suspension. To securely confirm your SunTrust Bank account details please click on the link below: https://www4.SunTrust.com/internetBanking/ RequestRouterrequestCmdId=DisplayLoginPage Thank you for your prompt attention to this matter and thank you for using SunTrust Bank. |
| And finally, one for Washington Mutual customers | |
|
This one is particularly well written. If you hadn't reviewed the samples above, it could fool you. The spelling errors in the next to last sentence are a big clue to the fraudulent nature of the message. The link really went to: 218.236.31.212/.wamu/update.html which is in China |
Washington Mutual is committed to maintaining a safe environment for its community of buyers and sellers. To protect the security of your account, Washington Mutual employs some of the most advanced security systems in the world and our anti-fraud teams regularly screen the Washington Mutual system for unusual activity. We recently have determined that different computers have logged We thank you for your cooperation in this manner.
|
Gone Spear Phishing December 3, 2005. New York Times. A new type of phishing
Read Citibank Rejects Phishing Report As Spam By Ed Foster (August 23, 2004) for another Citibank problem.
Take The MailFrontier Phishing IQ Test to see if you would fall for a phishing scam.
AntiPhishing.org also has details on an "AOL Billing Center" scam (March 10, 2004) and a "Please verify your Wells Fargo account" scam (March 9, 2004). You can report phishing emails to them at reportphishing@antiphishing.org.
In general, requests by a company to "reconfirm" or "verify" personal data is a ruse.
Any time you get an email that seems to be from a financial institution you deal with, don't follow the link in the email. Instead type the company's address into your web browser manually.
If the email is addressed "Dear SunTrust customer" it is likely a fraud. A real message from a company you do business with would address you by your full name. This indicates the sender of the message does not know your name. Citibank, a very popular victim of phishing scams, now includes your first name, last name and the last 4 digits of your account number at the top of any email message from them.
It used to be that bad spelling and grammar were also a tip-off that a message was fraudulent. Over time though, fewer phishing emails suffer from these obvious problems.
See 10 ways to recognize phisher (spoof) emails from Earthlink and How Not to Get Hooked by a ‘ Phishing’ Scam from the FTC (June 2005).
Ciphertrust offers a free TrustedSource Toolbar
that integrates with Outlook and Lotus Notes and warns you with red and green
icons whether an email message is from a trusted source or not. A new version designed for Web-based mail (Hotmail, Yahoo, etc.) will be available during the second quarter of 2006.
It requires the .NET Framework v1.1. If your computer has version 2 of the .NET
Framework, you still have to install version 1.1.
Ignore messages from someone claiming to be a representative of the Nigerian government, promising a multi-million dollar reward for your help in transferring a huge sum of money. This scam, known as the "419 Scam" or the "Nigerian scam", pre-dates the Internet. Victims are asked for their bank account and other personal information. Invariably a "problem" arises and the victim is pressured or threatened to provide a large sum of money to save the venture.
In another wrinkle, a person claiming to be from a third-world country, again with custody of a large amount of money, offers to share the wealth with you if you will help them get it out of the country. The scammer needs your bank account information to deposit the money in your account. If you give it, you find that money withdrawn from, rather than deposited to, your account.
Here are two examples:
|
Subject: NICE TO MEET YOU From: "MR. KONAL OXFORD" <konal@katamail.com> FROM: THE DESK OF MR.KONAL OXFORD. CREDIT OFFICER, FOREIGN REMITTANCE DEPARTMENT, UNION BANK OF NIGERIA(U.B.N). DEAR SIR, FIRST, I MUST SOLICIT YOUR CONFIDENCE IN THIS TRANSACTION; THIS IS BY VIRTUE OF ITS NATURE AS BEING UTTERLY CONFIDENTIAL AND TOP SECRET. THOUGH I KNOW THAT A TRANSACTION OF THIS MAGNITUDE WILL MAKE ANY ONE APPREHENSIVE AND WORRIED,BUT I AM ASSURING YOU THAT ALL WILL BE WELL AT THE END OF THE DAY. WE HAVE DECIDED TO CONTACT YOU DUE TO THE URGENCY OF THIS TRANSACTION, AS WE HAVE BEEN RELIABLY INFORMED OF YOUR DISCRETNESS AND ABILITY IN TRANSACTION OF THIS NATURE. LET ME START BY INTRODUCING MYSELF PROPERLY TO YOU. I AM MR. KONAL OXFORD,CREDIT OFFICER WITH THE UNION BANK OF NIGERIA PLC,LAGOS. I CAME TO KNOW YOU IN MY PRIVATE SEARCH FOR A RELIABLE AND REPUTABLE PERSON TO HANDLE THIS CONFIDENTIAL TRANSACTION,WHICH INVOLVES THE TRANSFER OF HUGE SUM OF MONEY TO A FOREIGN ACCOUNT REQUIRING MAXIMUM CONFIDENCE. THE PROPOSITION: A FOREIGNER AN AMERICAN,LATE ENGR JOHN CREEK (SNR) AN OIL MERCHANT WITH T HE FEDERAL GOVERNMENT OF NIGERIA,UNTIL HIS DEATH IN KENYA AIR BUS (A310-300) FLIGHT KQ430,BANKED WITH US AT UNION BANK OF NIGERIA PLC LAGOS AND HAD A CLOSING BALANCE AS AT THE END OF JANUARY,2000 WORTH USD25, 000,000.00 (TWENTY FIVE MILLION UNITED STATE DOLLAR),THE BANK NOW EXPECTS A NEXT OF KIN AS BENEFICIARY.VALUABLE EFFORTS ARE BEING MADE BY THE UNION BANK OF NIGERIA TO GET IN TOUCH WITH ANY OF THE CREEK'S FAMILY OR RELATIVES BUT TO NO SUCCESS. IT IS BECAUSE OF THE PERCEIVED POSSIBILITY OF NOT BEING ABLE TO LOCATE ANY OF LATE ENGR.JOHN CREEK(SNR)'S NEXT OF KIN (HE HAD NO WIFE OR CHILDREN THAT IS KNOWN TO US).THE MANAGEMENT UNDER THE INFLUENCE OF OUR CHAIRMAN AND MEMBERS OF THE BOARD OF DIRECTORS,THAT ARANGE HAS BEEN MADE FOR THE FUND TO BE DECLEARED "UNCLAINMED" AND SUBSEQUENTLY BE DONATED TO THE TRUST FUND FOR ARMS AND AMMUNITION TO FURTHER ENHANCE THE COURSE OF WAR IN AFRICA AND THE WORLD IN GENERAL. IN ORDER TO AVERT THIS NEGATIVE DEVELOPMENT, SOME OF MY TRUSTED COLLEAGUES AND I NOW SEEK YOUR PERMISSION TO HAVE YOU STAND AS NEXT OF KIN TO LATE ENGR. JOHN CREEK(SNR) SO THAT THE FUND USD25 MILLION WILL BE RELEASED AND PAID INTO YOUR ACCOUNT AS THE BENEFICIARY'S NEXT OF KIN. ALL DOCUMENTS AND PROVES TO ENABLE YOU GET THIS FUND WILL BE CAREFULLY WORKED OUT. WE HAVE SECURE FROM THE PROBATE AN ORDER OF MADAMUS TO LOCATE ANY OF DECEASED BENEFICIARIES,AND MORE SO WE ARE ASSURING YOU THAT THIS BUSINESS IS 100% RISK FREE INVOLVEMENT.YOUR SHARE STAYS WHILE THE REST BE FOR MYSELF AND MY COLLEAGUES FOR INVESTMENT PURPOSE. ACCORDING TO AGGREMENT WITHIN BOTH PARTIES AS SOON AS WE RECIEVE AN ACKNOWLEDGEMENT OF RECEIPT OF THIS MESSAGE IN ACCEPTANCE OF OUR MUTUAL BUSINESS PROPOSAL,WE WOULD FURNISH YOU WITH THE NECCESSARY MODALITIES AND DISBURSEMENT RATIO TO SUITE BOTH PARTIES WITHOUT ANY CONFLICT. IF THIS PROPOSAL IS ACCEPTABLE BY YOU DO NOT MAKE UNDUE ADVANTAGE OF THE TRUST WE HAVE BESTOWED IN YOU AND YOUR COMPANY,THEN KINDLY GET TO ME IMMEDIATELY VIA MY EMAIL: konal@ecplaza.net PLEASE FURNISH ME WITH YOUR MOST CONFIDENTIAL TELEPHONE, FAX NUMBERS SO THAT I CAN USE THIS INFORMATION TO APPLY FOR THE RELEASE AND SUBSEQUENT TRANSFER OF THE FUND IN YOUR FAVOUR. THANK YOU IN ADVANCE FOR YOUR ANTICIPATED CO-ORPORATION. YOURS FAITHFULLY, MR.KONAL OXFORD. Subject: urgent assistant From: "Michael James" Dear Sir/Madam I know this letter will come as a surprise to you, but i would like you to give it a top consideration so as to help me and my family from our present predicament. I am Michael James, the first son of Mr Leonard James, a British Farmer based in Zimbabwe. My father is now dead as a result of his incarceration by the Zimbabwean Government under President Robert Mugabe who ordered the white farmers in Zimbabwe to vacate their Farm Land and go back to their country. But my father, due to his large investment in the Farm Land refused to quit Zimbabwe for his country. Based on this reason he was arrested and imprisoned and as a result of his protracted sickness [Diabetics] he died in Manfe prison on 19 sept 2002. May his gentle soul rest in perfect peace. After his death, all efforts by my mother who is a Zimbabwean to secure most of my father's investment was frustrated by the President Mugabes Government. Towards this end my mother discovered an original certificate of deposit for a trunk box containing the sum of USD9,000,000.00 ( Nine million U.S.Dollars) deposited by my late father in custody of a security trust company in Dubai, UAE. The money belonged to the White Farmers Association [W. F. A] which my late father was the Founder/President with the help of my maternal uncle who was a Comissioner in Zimbabwe. We are able to trace the security trust company to Dubai [U.A.E] where the box containing the money is presently deposited, declared as Family Jewellries and Antiquities as to avoid raising any eye brow from the authority here. All documented proofs in respect of this deposited consignment are in my pocession. As it is, I am looking for a reliable partner who can help me safe-guide and invest this money very prudently in his company as advised by my mother. 20% of this money will be given to you while 5% will be set aside for miscellanous expenses that we may incure during the process. Also note that this transaction is 100% risk free, you may also be required to come to Dubai if need be on indication of your interest. Please confirm your interest on this transaction and contact me on my email address; michaeljames@Z6.com I am presently in Dubai [U A E]. Hoping to hear from you soonest. Thanks and Remain blessed Michael James |
For more see www.secretservice.gov/alert419.shtml and The Nigerian Nightmare Who's sending you all those scam e-mails? by Brendan I. Koerner in Slate October 22, 2002. In addition 419eater.com has stories from people who have engaged the scammers in conversations. They call it scambaiting - entering into a dialogue with scammers to waste their time and resources.
Needless to say, no one needs examples of SPAM. However, there is an interesting point about the message below.
It was sent to the webmaster address of a web site of mine (the name is changed to mikesdomain.org for the purposes of this example). The message came to an email address that never subscribes to anything, so it was obviously "harvested" (the polite word for stolen) from the web site. The "partner website" claim is not true. The main point though, is about the email removal. No matter what email address you try to remove, the web site says it was successfully removed. Make up an email address, and it says its removed. I can't prove it, but I would bet money that trying to remove your email address, just results in more SPAM as the address is now confirmed to be good. The Remove Me button referred to in the message takes you to www.seekercenter.net/remove.php?email=webmaster@mikesdomain.org
The lesson: don't bother un-subscribing to SPAM. It will either be a waste of time or an invitation to get more SPAM.
|
Subject: http://mikesdomain.org
I have visited mikesdomain.org and noticed that your website is not listed on some search
engines. I am sure that through our service the number of people who visit your website will definitely
increase. SeekerCenter is a unique technology that instantly submits your website to over 500,000 search engines
and directories-a really low-cost and effective way to advertise your site. For more details please go to
www.SeekerCenter.net. Give your website maximum exposure today. Looking forward to hearing from you.
|
Also, please, never ever buy anything advertised via SPAM, even if it's something you want. This just encourages more SPAM on all of us. Also, never click on a link in a SPAM email message as this is likely to result in your receiving even more SPAM.
One tactic spammers often use to avoid anti-spam software is to change the spelling of words that the software might think indicates a message is SPAM. The most famous such word is Viagra. A humorous take on the many ways Viagra is purposely mis-spelled can be read in There are 600,426,974,379,824,381,952 ways to spell Viagra. On a serious note, mis-spellings also used, as mentioned above, to disguise the real address of a web site for fraudulent purposes.
Garbage words: Another tactic you may see in SPAM messages is the inclusion of many garbage words or garbage sentences. This is done to get around assorted SPAM filters. Below is an example of this where the garbage words are at the bottom. SPAM filters based on Bayesian interference decide whether a message is SPAM or not based on words that often appear in SPAM messages. The tactic here is to include words that normally do not appear in SPAM messages in order to get a message classified as not being SPAM. I have seen this described as "word salad" or "dictionary salad". In HTML based messages, the garbage words may be hidden by either making them the same color as the background or by making the text extremely small. If you view your messages in plain text, the garbage words will always be visible.
|
Subject: jerome smile |
Bayesian SPAM filters have gotten so good that the bad guys have yet another new tactic, no words. An HTML based email message contains nothing but a link to a picture. The advertising message is wholly contained in the picture.
Why is there so much SPAM and Phishing? It's profitable and easy. Here is one example of the easy part. This is an actual email message that I received in April 2004.
|
Subject: Re: Emails of eBay members |
This message was sent to an unknown user at EarthLink:
| Subject: Mail delivery failed: returning message to sender From: Mail Delivery System <Mailer-Daemon@smtp4.mindspring.com> To: you This message was created automatically by mail delivery software (Exim). SMTP error from remote mailer after RCPT TO:<testingabadaddress@earthlink.net>: |
This message was sent to a non-existing user at AOL:
| Subject: Mail delivery failed: returning message to sender From: Mail Delivery System <Mailer-Daemon@smtp5.atl.mindspring.net> To: you This message was created automatically by mail delivery software (Exim). A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: thisaddressdontexist@aol.com SMTP error from remote mailer after RCPT TO:<thisaddressdontexist@aol.com>: host mailin-03.mx.aol.com [64.12.138.120]: 550 MAILBOX NOT FOUND |
This message was sent to a non-existing user at a domain of mine. The final line is an error message that I configured using the Control Panel of the web site hosting company for the domain.
| Subject: failure notice From: MAILER-DAEMON@lownok.pair.com Hi. This is the qmail-send program at lownok.pair.com. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out. <thisuserdontexist@thedomainIown.com>: ===> Message sent to non-existing user. Ignored. <=== |
This message was sent to someone at EarthLink whose email inbox is full:
|
Subject: Mail delivery failed: returning message to sender From: Mail Delivery System <Mailer-Daemon@smtp6.mindspring.com> To: you This message was created automatically by mail delivery software (Exim). |
| | ||
| @defensivecomput | TOP | Home => Bad Emails |
| michael at michaelhorowitz.com | Last Updated: October 4, 2006 | ||
| www.michaelhorowitz.com/bademails.html |
Copyright 2001-2024 |
Copyright 2001-2024 |
