Ash Nallawalla's blog

Peering into spam

Ash Nallawalla

9 August 2008

SEO

More on the theme of stupid or lazy spammers – I often wonder about the spam that is not geo-targeted. I get dire “warnings” allegedly from banks I have never heard of, such as Abbey Bank. Is it run by some monks? I have never sold anything on eBay, but I am often the recipient of “complaints” against me.

Usually the reason for such spam is phishing, where silly little me is supposed to panic and log into what looks like eBay or my bank. I imagine that after supplying my password or PIN, I would get to an error page and I would give up wondering what that was all about. Then some criminal collects all these passwords and drains their owners’ accounts.

Some of these emails carry an attachment that you are supposed to open, thereby infecting your PC with a virus or Trojan. Here is what one contained:

From: Merrill Cormier US Airways [weh@brascabos.com.br]
Attachment: eTicket#1721.zip (133B)
#######################################################################
Panda Antivirus 2007 warning:

The file eTicket#1721.zip [eTicket#1721.exe] was infected by the W32/Nuwar.XR.worm virus and has been disinfected.
#######################################################################

Good day,
Thank you for using our new service “Buy airplane ticket Online” on our website.
Your account has been created:

Your login: blah@<my domain>
Your password: passLI6W

Your credit card has been charged for $459.30.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the airplane ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Merrill Cormier
US Airways

I know that I don’t fly US Airways and wouldn’t even open the email, but I was in the mood to check the current crop. I suspect that the spammer has never bought an airline ticket online and has no clue what a real confirmation email looks like. Perhaps he is a hapless soul in South Ossetia or Beijing.

The next suspicious item was the attachment – no meaningful document can be 133 bytes, even when zipped. Real world attachments of this kind tend to be PDFs, which don’t shrink much when zipped, so they are sent uncompressed. Had I been a novice user, Panda Antivirus 2007 would have saved me, as the text above confirms.

The attached infection W32/Nuwar@MM is an email spam worm – McAfee has a long and interesting description of its purpose and behaviour at http://vil.nai.com/vil/content/v_140835.htm. The zip file contains an executable file – this assumes the user will double-click it after opening the zip file. This file installs a tiny mail SMTP server on the infected PC. It finds email addresses on this PC and then sends spam to all of them, (which makes it a worm).

Novice users who know other novice users unwittingly help to propagate this nasty worm, as they recognise the apparent sender’s name.

I use Microsoft Outlook 2007 and I viewed the email’s “Options”, which contain the following lines:

Return-path: <abc@brascabos.com.br>
Envelope-to: <my email address>
Delivery-date: Wed, 30 Jul 2008 15:04:15 +0000
Received: from [83.218.133.218] (helo=83-218-133-218.spitfireuk.net)
by .com with esmtp (Exim 4.69)
(envelope-from <abc@brascabos.com.br>)
id 1KODCR-0000nZ-QL
for <my email address>; Wed, 30 Jul 2008 15:04:15 +0000
Received: from [83.218.133.218] by mx.brascabos.com.br; Wed, 30 Jul 2008 15:02:36 +0000
From: “Merrill Cormier” US Airways
To: <my email address>
Subject: E-ticket #4919898619
Date: Wed, 30 Jul 2008 15:02:36 +0000
Message-ID: <01c8f255$4d1dce00$da85da53@abc>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary=”—-=_NextPart_000_000E_01C8F255.4D1DCE00″
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
Importance: Normal
X-Spam-Status: No, score=1.1
X-Spam-Score: 11
X-Spam-Bar: +
X-Spam-Flag: NO

The email contents don’t contain the spammy words you see in the “Nigerian” spam emails, so the anti-spam checker at my server was fooled into giving it a low spam score and it got into my Inbox instead of the Outlook Junk E-mail folder.

The Brazilian email address (anonymised here) is probably harvested from a customer of Spitfire ADSL, a UK ISP, which has been allocated the IP address block 83.218.130.0 – 83.218.133.255. Only the ISP would know which of its customers was using that IP address at that time and sent me that email. Even so, we won’t know if the ISP’s customer was the one who passed on the worm or their PC was infected into being a proxy server for yet another infected PC.

I also received a similar disinfected spam email made to look from JetBlue Airways, wherever they might be. Same contents, same worm.

Nothing new here – just a deeper look at the day’s spam.

Ash Nallawalla

Search strategist experienced in large, complex websites. Ash's Google+ profile

Related Posts

Sherpa for Majestic Chrome Extension – Review

Ash Nallawalla

21 October 2017

SEO, SEO Tools

Feel free to share...Most professional SEOs I know use Majestic.com for reliable backlink data. Majestic provides a lot of data about the links to a site, including data about the quality of those links. I have used it for many years, from the time it was known as Majestic SEO. I usually enter the URL […]

Read More

President Obama’s whitehouse.gov pages archived

Ash Nallawalla

22 January 2017

Other, SEO

Feel free to share...After Mr Donald Trump became the president at noon today (USA EST), many reported that the whitehouse.gov website removed references to Climate Change and LGBT. That isn’t entirely accurate. The website up to that point has been archived and can be found at https://obamawhitehouse.archives.gov/. The LGBT URL was https://www.whitehouse.gov/lgbt but it redirects […]

Read More

Older Posts