By Gerry Patterson
And would you care for some sauce with that spam?
After doing some research on spam, I have decided to take counter-measures. However, I came across two types of spam that I hadn't encountered when I wrote the first article.
This can be considered either a late addition to the August Edition of the PGTS Journal or an early addition to the October edition.
After I set up my website in March 2002, I started to investigate the issue of spam, which I hear so much about in the mainstream media. I soon discovered SpamBots: robots that crawl the web, prospecting for e-mail addresses. I even identified some suspects. I published my findings in an essay entitled Reducing Spam Rage. Since then the quantity of spam has started to increase. Since I had sufficient material for an article on spam, I started taking counter-measures. These have been:
- Removal of mailto: tags and obfuscation of email addresses.
- A CGI script for accepting messages and e-mail.
- Contacting sender ISPs, informing them that I object to receiving spam and requesting that they take action.
Nevertheless a couple of incidents do deserve a special mention. And for that reason I have added them here.
That's Not A Virus ... This is a virus!
After boasting that I have only received about 100K of spam, I was suddenly hit with 800K of unwanted junk!
This occurred when the following message arrived:

from email@example.com Tue Jul 23 20:18:57 2002
Return-Path: <firstname.lastname@example.org>
Received: from CORREO ([126.96.36.199]) by pgts04.pgts.com.au (8.11.6/8.11.6) with SMTP id g6NAI5O37647 for <info pgts.com.au>; Tue, 23 Jul 2002 20:18:05 +1000 (EST) (envelope-from email@example.com)
Date: Tue, 23 Jul 2002 20:18:05 +1000 (EST)
Message-Id: <200207231018.g6NAI5O37647@pgts04.pgts.com.au>
From: <firstname.lastname@example.org>
Subject: @=06O=04$=F5=01P=FCwg=FCwP=F6=01=D0=01opnavprueba cpdprueba cpdmue= stradesktopmuestramuestramuestradesktop
MIME-Version: 1.0
Content-Type: multipart/related; type=3D"multipart/alternative"; boundary=3D"=3D=3D=3D=3D_ABC123456j7890DEF_=3D=3D=3D=3D"
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
To: undisclosed-recipients:;

--=3D=3D=3D=3D_ABC123456j7890DEF_=3D=3D=3D=3D
Content-Type: multipart/alternative; boundary=3D"=3D=3D=3D=3D_ABC09876j54321DEF_=3D=3D=3D=3D"

--=3D=3D=3D=3D_ABC09876j54321DEF_=3D=3D=3D=3D
Content-Type: text/html; charset=3D"iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D3D#ffffff>
<iframe src=3D3Dcid:EA4DMGBP9p height=3D3D0 width=3D3D0>
</iframe></BODY></HTML>

--=3D=3D=3D=3D_ABC09876j54321DEF_=3D=3D=3D=3D--
--=3D=3D=3D=3D_ABC123456j7890DEF_=3D=3D=3D=3D
Content-Type: audio/x-wav; name=3D"sample.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

--=3D=3D=3D=3D_ABC123456j7890DEF_=3D=3D=3D=3D
--=3D=3D=3D=3D_ABC123456j7890DEF_=3D=3D=3D=3D--
The accompanying humungous (400K) binary was called sample.exe. I was hit twice! Once at my info address, and once at my sales address. The offending netblock was owned by the Spanish division of British Telecom. I sent mail to them but it was ignored.
I sent an email to the MAPS mailing list. Paul Menchini (USA) suggested that it was a virus. In fact, the headers and the .exe file did suggest a virus. I decided it was unlikely, given the size. I have lost touch with the trend in M$ viri since I kicked the M$ habit, and when I last checked, no-one in their right mind would create a virus that was 400K in size!
Paul Menchini kindly offered to scan the offending file for me. I sent him a gzipped sample. He confirmed that it was W.32.Nimda.E@mm. It looks as though bloatware rules! Even the viri have become bloated! Incidentally, it is easy to check from the Unix command line with the strings command. I could confirm the presence of the virus with:

strings -a sample.exe | grep -i nimda

which returns the following:

Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda.)
This is generally regarded as a signature string for Nimda.
This seems to be a chronological account of the incident (reconstructed from log files):
- At 22-Jul-2002:09:08 GMT I received a visit from 188.8.131.52. He came from Google after searching for: configuration+dns+for+mail. Google referred him to: http://www.pgts.com.au/cgi-bin/pgtsj?file=pgtsj0204c. His agent string indicates that he was using MSIE 5.01 on Windows 2000.
- Inside this HTML page were two addresses: one for my info mailbox and the other for my sales mailbox.
- At 23-Jul-2002 10:17 GMT I received a large email with a malicious executable, called sample.exe. The size of the attachment was 480K. However, this was the MIME-encoded size. Once it was decoded the size was 364544 bytes. The e-mail, which was sent to my sales mailbox, had bogus headers typical of a spam session. The source was 184.108.40.206.
- At 23-Jul-2002 10:19 GMT I received another large email, sent to my info mailbox, containing an identical binary. The source was once again 220.127.116.11.
This behaviour is consistent with a malicious program that searches through the cached pages and then mails executables to any email addresses that it finds.
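As an added example (not code from the original article), the following Python script, using only the standard email library, builds a message with the same shape as the one quoted above (a multipart/related wrapper, an HTML part with a zero-size iframe pointing at a cid:, and an "audio/x-wav" part named sample.exe) and runs the checks a mail filter would want on it: an executable name under a non-executable type, parts auto-loaded by a hidden iframe, and the Nimda marker string that the strings/grep check above finds. The attachment bytes, the sender address and the marker's position are constructed; only the marker text itself is taken from the article.

```python
import re
from email import encoders, message_from_bytes
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# The string the article finds with: strings -a sample.exe | grep -i nimda
NIMDA_MARKER = b"Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda.)"

# Constructed stand-in for the attachment: a PE-like prefix, filler bytes and
# the marker. It is NOT the worm, just bytes shaped like the thing scanned.
FAKE_EXE = b"MZ\x90\x00" + bytes(range(256)) + NIMDA_MARKER + bytes(range(256))

IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r'(\w+)\s*=\s*"?([^\s">]+)', re.I)
EXECUTABLE_EXT = re.compile(r"\.(exe|com|scr|pif|bat|vbs)$", re.I)


def build_sample():
    """Construct a message with the same shape as the one quoted in the article."""
    outer = MIMEMultipart("related", type="multipart/alternative")
    outer["From"] = "<sender@example.invalid>"      # placeholder address
    outer["To"] = "undisclosed-recipients:;"
    outer["Subject"] = "sample"
    alt = MIMEMultipart("alternative")
    alt.attach(MIMEText('<HTML><HEAD></HEAD><BODY bgColor=#ffffff>'
                        '<iframe src=cid:EA4DMGBP9p height=0 width=0>'
                        '</iframe></BODY></HTML>', "html", "iso-8859-1"))
    outer.attach(alt)
    exe = MIMEBase("audio", "x-wav", name="sample.exe")   # .exe labelled as audio
    exe.set_payload(FAKE_EXE)
    encoders.encode_base64(exe)
    exe["Content-ID"] = "<EA4DMGBP9p>"
    outer.attach(exe)
    return outer.as_bytes()


def analyse(raw):
    """Return findings: cid: parts pulled in by an iframe (hidden or not),
    executable names declared under a non-executable MIME type, and parts
    whose decoded bytes contain the Nimda marker."""
    msg = message_from_bytes(raw)
    findings, referenced = [], set()
    parts = [p for p in msg.walk() if not p.is_multipart()]
    for part in parts:                     # pass 1: what does the HTML load?
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "ascii"
        html = part.get_payload(decode=True).decode(charset, "replace")
        for m in IFRAME.finditer(html):
            attrs = {k.lower(): v for k, v in ATTR.findall(m.group(1))}
            src = attrs.get("src", "")
            if src.lower().startswith("cid:"):
                referenced.add(src[4:])
                hidden = attrs.get("height") == "0" and attrs.get("width") == "0"
                findings.append(f"iframe loads cid:{src[4:]} (hidden={hidden})")
    for part in parts:                     # pass 2: inspect the attachments
        ctype = part.get_content_type()
        name = part.get_filename() or part.get_param("name") or ""
        cid = (part.get("Content-ID") or "").strip("<>")
        if name and EXECUTABLE_EXT.search(name) and ctype.startswith(("audio/", "image/", "text/")):
            findings.append(f"{name} declared as {ctype}")
        if cid and cid in referenced:
            findings.append(f"{name or cid} is auto-loaded by the HTML part")
        payload = part.get_payload(decode=True) or b""
        if NIMDA_MARKER.lower() in payload.lower():
            findings.append(f"{name or cid} contains the Nimda marker string")
    return findings


if __name__ == "__main__":
    for line in analyse(build_sample()):
        print(line)
```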
It seems that malicious programs today can engage in activities like routinely searching the disk cache and mailing out 400K binaries without causing any concern to the owner/operator. At first I was incredulous. And then I recalled some of my own encounters with Microsoft Outlook.
This was many years ago, when I was working for a major corporate client. The IT department had decided to adopt MS Outlook as the standard MUA. Since I was only a lowly contractor, I had been given an old PC that no-one else wished to use. This relic from our computing history took a considerable amount of time to load the MS Outlook program. I could go to the kitchen, make a coffee, return to my desk and still have time to drink a quarter of it while Outlook started up. Bear in mind that I despise instant coffee, so I made my own coffee in a small plunger. Seriously, I am not kidding! Eventually, despite the protests from the PC support group, I got rid of Outlook and switched to Netscape Messenger. My reasoning was that Outlook seemed to be a potential security risk. And that assessment would later prove correct. I considered Netscape Messenger slow. It took at least a minute to start up, which I thought was pretty outrageous compared to elm (about 50 milliseconds on the central Unix box if the server was busy, even faster if it wasn't). But the time to load Outlook was completely off the scale! What on earth was it doing?
One can only wonder.
So perhaps, it is possible for someone to own a Microsoft system and not notice that the MUA is sending e-mails each about half a megabyte in size! Still I would have thought that the owner might have been curious about any statistics gathered by their ISP.
I took no further action against 18.104.22.168. I just added him to my blacklist.
The next incident which I think deserves a mention is an email from David.S. When it arrived, I couldn't make up my mind whether to file it under spam or humour:
From david.s@Ctg.zzn.com Fri Aug 9 20:35:27 2002
FROM:DAVID SAVIMBI AND RITA SAVIMBI(SISTER).
JOHANNESBURG SOUTH AFRICA
TELL:+27 83 729 0868
I am DAVID SAVIMBI the son of the late JONAS SAVIMBI of ANGOLA, and I
know the news about the death of my father must have come across your
country through B.B.C. LONDON, voice of America and other news papers
in The world. I have a project that requires the aid of a foreign
Partner, TWO boxes containing ($35,000,000) THIRTY-FIVE Million
Dollars, was deposited in a security company for safe custody in
South Africa. For your
information this fund was made through Gold and Diamond when our
father was in position of the Gold and Diamond areas of our country
before his death. The boxes was kept as family valuables. As it may
interest you to know, I got your impressive Information through some
friends I meet who works with Chamber of commerce on foreign business
relations here in JOHANNSBURG SOUTH AFRICA. It is these my friends
recommended your Person to me to be viable and capable to champion a
Business of such magnitude without any problem.
My father JONAS SAVIMBI deposited the boxes as belonging to his
foreign business partner and he told them that the keys is with his
foreign partner, this was to avoid them from inspecting the boxes,
and I am now interested to claim the boxes and invest the money,since
the documents covering the two boxes are with me as the owner as the
next of kin,but my condition since the death of my father does not
warrant me to
expose this fund to any body couple with the agreement he entered
with the security company concerning this consignment , I have gone
to claim the consignment and the Director of the security company
told me until when my father's foreign partner will be around before
the consignment will be released to me ,then I told them that the
foreign partner will be coming any moment from now , and I only kept
this information to myself as my top secret.
Based on this condition
I am calling you to assist me Stand as my late father foreign
business partner by Representing me as my late father foreign
business partner So that the consignment could be claimed for An
investment purpose in your country or elsewhere you may Deem most.
Note: before disclosing the Security Company to you, I Will like to
know your interest and also the advice you Can give on how to invest
this amount of money in your Country because this is my only hope in
life and I will Not afford to joke with it. I only need the
followings from you as the first step to the project. 1) I will
change the beneficiary to your name . 2) You will come down to
Johannesburg where the boxes was Deposited to claim the boxes, You
will provide investment plan for the fund in or outside your country
3) You will provide an account where the money will be transfer
Also 30% of the total amount will be given to you for your noble
assistance. For your information it is risk free as all the vital
document will be forwarded to you as proof of ownership 1) the
certificate of deposit 2) the agreement bond 3) the security company
initial payment receipt.I await your urgent respond as we proceed
to a successful conclusion of this transaction .kindly please as soon
as you receive this mail give me a call on +27 83 729 0868.
Please,if your intrested to assist me in this transaction do indicate
urgently,but if you are not intrested to help me please keep it
within yourself and do not expose it to any one else.
Thanks and God bless you for your co-operation.
DAVID SAVIMBI AND RITA SAVIMBI(SISTER}.
The interesting feature about this e-mail was that it appeared to be the proud owner of a lovely set of genuine headers! I had earlier come to the conclusion that all twenty-first century spam uses faked headers. You can read about my conclusions in the previous article on spam. Obviously this is not the case if the spammer wants you to enter into a dialogue. In order to save space I have not published the full headers. Anyway, since it appeared to be a genuine address, I replied to David with the following email:
Date: Fri, 9 Aug 2002 21:08:31 +1000
From: Gerry Patterson
Subject: Re: Humble Assistance
To: "david.s us"

David,

I am very interested in your proposition. Can you tell me how I should provide you with bank account details?

Regards
Gerry Patterson
Sure enough it was a genuine address. David's reply came the following
From david.s@Ctg.zzn.com Sat Aug 10 21:09:59 2002
Dear Gerry Patterson
I write to acknowledge reciept of your mail today 9th
I am grateful to note of your willingness and
readiness to partake in this transaction which is of
Meanwhile i got your contact during my seach for a reliable person to
assist me in this transfer in the South African chamber of commerce
and industry and decided to write to you.
To give more details as per your request, I therefore
state as follows:-The said money which I intend to transfer into your
account in your country is presently deposited as
consignment with a private security company here in
You are therefore expected to forward a bank account
in your country where exactly we shall tranfer the whole
money for investments into any fruitful business
venture. Also your physical presence will be highly
needed here in Johannesburg South Africa to get
another bank account opened. This account is called a
non-resident dollar account which is where we are to
lodge the money here for onward transfer into your
You are to pose as the real beneficiary of the whole
money. Also you need to assist me both finacially and
otherwise to retrieve this money from the security
For your personal efforts and assistance both
financially and otherwise, you will get the said percent i gave to
you while the 5% will be for the reinbursement of the expenses we
mighy incure during the corse of this transfer. The remaining amount
of money will be for me and my family investments in your country
which must be under your supervision.
Be assured that there is no risk involved as already I
have a Lawyer who will work with us to
make sure that we achieve a smooth and successful
transfer. I therefore, urge you to treat this matter
with due respect and treat also as strictly
Don't hecitate to tell me if you need an invitation letter to enable
you obtain visa from the south africa embassy in your country so that
i will instruct my attorney to prepare one for you.
Meanwhile, i want you to furnish me with all information about
yourself and business because the lives and future of my family
depends on this money,so i don't want anything to jeopartize our
sucess of transfering this money out of south africa.
I await your immediate response to enable us start
immdiately with the transfer process.
Once more, thanks and God bless.
A couple of questions did spring to mind when I looked at David's emails:
- How did he manage to send the reply before the original email?
- How did he manage to send both of them from 1979? Is he communicating via a worm-hole in the space-time continuum?
- Since he lives in South Africa, why is his Net Block registered in California, USA? Ok, Ok ... I've already answered that one ... it's a worm-hole in the time-space continuum!
Well, there are many things wrong with David's emails, but let's not go into them all here. Still, I thought it deserved a reply that was equally as forthright and honest. And so I composed one:
From gerry Sun Aug 11 23:00:10 2002
Date: Sun, 11 Aug 2002 23:00:10 +1000
From: Gerry Patterson
To: "david.s us"
Subject: Re: Urgent Reply

David,

Thank you so much for replying. I am not always able to gain access to a computer, and I have to wait till the staff here leave this computer unguarded so that I can answer my e-mail. Unfortunately, I no longer have access to my bank accounts because since my wife had me certified as legally insane I have not been able to transact business through my bank accounts. This is a gross travesty since I am as sane as you are. I am just the victim of circumstances. Also there is a large sum of money which should have been due to me from a deceased estate, however I cannot gain access to it. I would like to somehow concoct a scheme whereby I can get this money and also consolidate it with the money that you are trying to move out of your country. I must go now one of the security staff is coming. Please keep this e-mail confidential.

Regards,
Gerry Patterson
Old Internet lags were aghast that I had actually replied. Apparently this was an example of the infamous Nigerian Spam. Didn't I know about Nigerian Spam!? Well yes, I had heard a lot of background chatter about it, but never actually seen any. I did a web search and found out more. It seems these jokers are sometimes referred to as the Lads From Lagos. Now I must say that when I first saw the email I had thought the whole thing was a hoax. This was because I couldn't believe that anyone would be stupid enough to fall for such a transparent and obvious con trick! Maybe it's not so obvious, because the Lads from Lagos website contains testimonials from people who claim that they have indeed been duped. And I must admit, it is really up-front for victims to come forward and admit their gullibility. But, seeing as we are deep in behind-the-looking-glass territory here, I don't know if one tenth of what I read about these jokers is true.
Nevertheless, everything I find on the net so far suggests that these guys are genuine con-men. I am truly amazed that these clowns actually manage to make a full-time living out of this. Another website claims to show a cast of characters that these bullshit artists have created. And I find David Savimbi listed on this site as a Prince. Perhaps he was going to reveal his royal lineage at a later date, no doubt after the labyrinthine soap sketch unfolded. I was almost sorry that I did not follow up on the dialogue a bit further. Some of the sketches listed on these sites are as well-scripted as, and more amusing than, several popular TV sitcoms and soap operas (which is perhaps not such a ringing endorsement of the quality of the script).
I could find no mention of Rita Savimbi on the web. Still, going by the patterns exhibited in previous documented attacks, she probably would have played a role. Another website gives a brief outline of The Nigerian Sting. Someone has set up an anti-419 coalition home page on the topic ... the 419 Coalition Website, which presents a plausible explanation of how the scam works. It is often called a 419 scam. Apparently the so-called 419 scam is an old sting. In fact it used to be accomplished by ordinary mail. Another article titled The Nigeria 419 scam gives an explanation of where the name 419 scam originates, and further explains why it is not confined to Nigeria. In fact, my bad guys seem to have operatives in the Good Old USA.
I waited for a reply from David.S and his sister Rita. But it seems that I had dissuaded them from further conversation. Perhaps my e-mail was a little over the top. Or maybe they don't want to try to con someone who claims to be legally insane, concerned that I might be a trifle unpredictable. Still I was not sitting on my hands while I awaited a response. I thought I would be a good Internet citizen and compose an official complaint which I sent to the registered owner of the netblock. This was a company called Exodus whose details were:
Exodus Commnications Inc. (NETBLK-ECI-6)
   1605 Wyatt Dr.
   Santa Clara CA 95054
   USA
   Netname: ECI-6
   Netblock: 22.214.171.124 - 126.96.36.199
   Maintainer: ECI
   Coordinator:
      Exodus Communications (EC8-ORG-ARIN) noc@EXODUS.NET
      800-263-8872

2650 San Tomas Expressway
Santa Clara, CA 95051
Tel: 408-346-2210
Fax: 408-305-1427
www.exodus.com
Chairman and CEO: L. William Krause
-----------------------------------------------------------------
Founded in 1994, Exodus Communications is an Internet hosting provider. Exodus pioneered the Internet Data Center Market and managed a network of Data centers located in North America, Europe and Asia Pacific. In September 2001, Exodus announced a voluntary filing of petitions for reorganization under Chapter 11 of the U.S. Bankruptcy Code while it pursues liquidity options.
-----------------------------------------------------------------
Which probably explains why the spammers chose them!
This type of abuse is not as objectionable as regular spam. The script sent is a hook, and I must confess that I found it amusing. Despite the light entertainment it provided, it was a criminal act. It had been mailed out en masse to various addresses that would most likely have been mined with a SpamBot. And the intent had been clearly criminal. Also, the Exodus website carries an unequivocal policy statement which states that use of their network for spam or criminal behaviour is expressly forbidden, and offenders will have their service terminated. I would have thought that this commitment to an anti-spam policy would place some form of obligation on the new or temporary owners of the network, who I believe are Cable & Wireless.
However, nothing was returned from the Exodus abuse mailbox. So I e-mailed a MAPS mailing list. Dominic Jackson (USA) informed me that Exodus had been slow to take action even when they were solvent, preferring to let the abuse notifications float lazily downstream. He suggested that I try the address listed in the abuse.net database. I sent an abuse notification to the abuse mailbox for mailcentro.
Almost immediately I received an email back from mailcentro:
Subject: Re: Mail abuse from 188.8.131.52
Date: Mon, 12 Aug 2002 23:21:52 -0700

Thanks Gerry.
david.s@Ctg.zzn.com terminated
These jerks must be following some kind of script because thats the second one this week.
alan.
I waited about 24 hours and sent another email to David.S, to confirm the kill. Not because I am naturally suspicious, but because a lifetime in IT has made me so. I did not receive confirmation that the account had been de-activated.
I also sent a notification of the incident to the US law enforcement agencies. Their website claimed that they would not acknowledge receipt of reports that involved no financial loss.
I forgot all about them. Then a week later, I remembered to send David.S another email. I received a Delivery Status Notification message from the mailadmin account for the Ctg.zzn.com domain.
Date: Sat, 17 Aug 2002 18:41:20 -0700 (added by postmaster)
..
..
david.s@Ctg.zzn.com; Action: Failed; Status: 5.1.1 (bad destination mailbox address)
Remote MTA C2MDS08.prontomail.com: SMTP Diagnostic: 550 RCPT TO:
The headers and message encapsulation appeared genuine. So it seems likely that David.S has one less account.
I am sure he has lots more of them.
Anyone For A Mortgage?
Our old friend who was keen to give away low interest-rate mortgages without security in the USA is still offering his wares. I had blocked these e-mails when I noticed that one of the header fields was constant. For a month, I received no offers of mortgages. Then he figured out which field I was blocking and started to put variations in the headers. I could have started analysing the text in the Subject and body, but I decided not to waste too much time on trying to block him. This particular spammer seems to have a huge supply of IP addresses. He may even be faking them. Instead I decided to go after his client's URLs. The emails always include a URL in the body, which must be the URL of the spammer's client. To date these are the spam batches I have been sent:
(Fake) Address                   Date And Time           IP (Fake?)
-------------------------------  ----------------------  -------------------
LowestMortgage4u@msn.com         Tue 18 Jun 2002 12:43   [184.108.40.206]
email@example.com                Tue 25 Jun 2002 07:26   [220.127.116.11]
firstname.lastname@example.org   Thu  4 Jul 2002 16:07   [18.104.22.168]
NYCLending@aol.com               Mon 29 Jul 2002 11:11   [22.214.171.124]
email@example.com                Tue 27 Aug 2002 02:14   [126.96.36.199]
firstname.lastname@example.org   Sat 14 Sep 2002 20:20   [188.8.131.52]
BankOfAmerica16@msn.com          Fri 20 Sep 2002 19:06   [184.108.40.206]
BankOfAmerica28@msn.com          Sun 22 Sep 2002 09:25   [220.127.116.11]
email@example.com                Wed  2 Oct 2002 05:25   [18.104.22.168]
I haven't included the client URLs. They have all been terminated anyway. The client's URL has become increasingly obscure. He has moved offshore (i.e. outside of the USA), and is trying various convoluted referral mechanisms. Still, despite many ingenious twists and turns, he can't hide! If he wants a URL, he must use a legitimate provider. And so far all of them seem willing to terminate miscreants.
As I said, I received no spam from this source between 29-Jul-2002 and 27-Aug-2002, probably because I was blocking it. After that, the headers had a new variation inserted, so I started chasing the URLs. The two e-mails on 20 and 22 September were advertising the same URL. It was in China. It appeared that he was terminated (possibly after the notifications of abuse), and then may have talked his way back onto the same server. But only for a couple of days. Unfortunately, I have not made a note of the information about the loan shark (I presume that's what he is) as listed on his Web Site. Next time some spam arrives, I will check the URL and gather that information, before it is terminated. I will post the details as an update to this article.
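As an added example, not code from the article, here is one way to do the URL chasing described above in Python: pull the date, the Received IP and the first URL out of each message, then group the batches by the advertised host, which is the one thing the spammer must keep pointing at a real provider no matter how he varies the headers. The three messages, their hosts and the 192.0.2.x addresses are constructed; the two sender addresses are the ones from the table above.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parsedate_to_datetime

URL = re.compile(r"https?://[^\s<>\"']+", re.I)
# The bracketed address in the Received: header is the IP the mail came in on
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample batch in the shape of the article's table: fake sender
# addresses, reserved documentation IPs (192.0.2.x) and placeholder hosts.
SAMPLES = [
    """Received: from smtp.example ([192.0.2.10]) by mx.example.invalid
Date: Fri, 20 Sep 2002 19:06:00 +1000
From: BankOfAmerica16@msn.com
Subject: Lowest rates ever

Apply now at http://loans.example-cn.invalid/apply?r=17 today!
""",
    """Received: from other.example ([192.0.2.55]) by mx.example.invalid
Date: Sun, 22 Sep 2002 09:25:00 +1000
From: BankOfAmerica28@msn.com
Subject: Refinance

Click: http://loans.example-cn.invalid/go/992
""",
    """Received: from third.example ([192.0.2.77]) by mx.example.invalid
Date: Wed, 2 Oct 2002 05:25:00 +1000
From: nobody@example.invalid
Subject: Mortgage

Visit http://redirect.example-net.invalid/x/abc
""",
]


def client_url_rows(raw_messages):
    """Return one (date, ip, sender, url) row per message; url is None if
    the body carries no URL at all."""
    rows = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        m = RECEIVED_IP.search(msg.get("Received", ""))
        ip = m.group(1) if m else None
        u = URL.search(msg.get_payload())
        rows.append((parsedate_to_datetime(msg["Date"]), ip, msg["From"],
                     u.group(0) if u else None))
    return rows


def batches_by_host(rows):
    """Group the rows by the host of the advertised URL. The sender address
    and the IP vary from batch to batch; the host is what gets reported."""
    groups = defaultdict(list)
    for date, ip, sender, url in rows:
        host = url.split("/")[2].lower() if url else "(no url)"
        groups[host].append((date.strftime("%a %d %b %Y %H:%M"), ip, sender))
    return dict(groups)


if __name__ == "__main__":
    for host, batches in batches_by_host(client_url_rows(SAMPLES)).items():
        print(host)
        for when, ip, sender in batches:
            print(f"  {sender:<28} {when}  [{ip}]")
```

Two batches from different senders and different IPs land under the same host, which is the "same URL on 20 and 22 September" observation made above.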
Lately he seems to be slowing down. Could he be finding the un-ending search for new accounts a little wearisome? Let's hope so.
Note: There is a follow-up to this article entitled Spam Turkey Bastards, in which I postulate an additional explanation for the intense dislike of spamming.