okay, so i got up this morning and switched on my computer, and the first email that i downloaded said this:
Dear member,<br><br>
Your payment for $149.95 USD to [email protected] has been initiated.
<br>This payment will be completed once the recipient has accepted the payment.
<br><br>It may take a few moments for this transaction to appear in the Recent
Activity <br>list on your Account Overview.
<br><br>-----------------------------------
<br>Payment Details
<br>-----------------------------------
<br><br>Amount: $149.95 USD
<br><br>Transaction ID: 7DK2739102238103H
<br>Subject: Payment for Samsung U740 Cellular Phone. Thank you!
<p class="subHeading">Do you confirm this transaction? </p>
<p>If this transaction was not made by you please, take the following steps:</p>
<ul>
<li>Login to your account by clicking on the link below </li>
<li>Provide requested information to ensure you are the owner of the account </li>
<li>Follow the steps to &apsCancel Transaction&aps</li>
</ul>
<br/><table bgcolor="#CCCC33" border="0" cellpadding="0" cellspacing="0"><tr><td><table align="center" bgcolor="#FFFFCC" border="0" cellpadding="8" cellspacing="0"><tr><td class="large"><img alt="" border="0" src="https://images.paypal.com/en_US/i/scr/pixel.gif" width="1" height="1" /=>
<a href="http://onlinepprefund.altervista.org/" target=_blank><span class="emphasis">CANCEL TRANSACTION!</span></a><img alt="" border="0" src="https://images.paypal.com/en_US/i/scr/pixel.gif" width="1" height="1" /=></td></tr></table></td></tr></table>
<br/>
<br>Thank you for using PayPal!
<br>The PayPal Team
<br>----------------------------------------------------------------
<br>Copyright . 1999-20010 PayPal. All rights reserved.
<br><br>PayPal Email ID PP359
this was slightly different from most of the spam messages i receive, because the “From:” address appeared to be somewhat more legitimate than in other “spam pretending to be from paypal” messages i have received in the past – “PayPal” <[email protected]> – so THE FIRST THING I DID was check my paypal account. when i discovered (rather as i expected, actually) that i hadn’t actually made a payment to paypal of $149.95 for a Samsung U740 Cellular Phone, i went into my morning anti-spam routine of investigating, reporting and blacklisting. this one, though, was interesting:
the URI encoded as “CANCEL TRANSACTION!” was very definitely NOT paypal – which is why it’s ALWAYS a good idea to render messages in plain text rather than HTML, if you have the choice to do so (most POP email clients will do that for you automatically, although most IMAP – i.e. webmail – clients will not do it without some nefarious hacking). if it had been rendered as HTML, i might just have clicked on it, not realising that it was sending me to the wrong place. it was also very interesting because it was a “spoofed” address – instead of being “altAvista.org” it was “altERvista.org” – which means that if i hadn’t been paying very close attention (or if i didn’t have automated assistance) i might have assumed that the report should go to a place it wasn’t really supposed to go. it turned out that it was supposed to go to “[email protected]”, which is probably either a person who is absolutely clueless about the state of their server, or (more likely) a hacker/spammer who is looking for new suckers on which to prey.
when i looked at the header information, it said that its insertion point was wlen.net.pl, in poland, and the IP address reflected that:
Received: from [83.16.154.90] (helo=wlen.net.pl)
by spam1.thewebhostserver.com with esmtp (Exim 4.72)
(envelope-from )
id 1QBnQb-0004Ob-N9
for [email protected]; Mon, 18 Apr 2011 13:20:01 +0100
but this bit of information jumped out at me:
X-HELO-Warning: Remote host 83.16.154.90 incorrectly presented itself as wlen.net.pl
X-Sender-Warning: wlen.net.pl has no MX records
X-Sender-Warning: Reverse DNS lookup failed for 83.16.154.90 (failed)
that is another indication that, very likely, the people who run wlen.net.pl have no clue that their server is being abused, so i sent a report to their host provider, and the place where the spam originated – [email protected] – and entered their IP address into my blacklist, which now means that if i EVER get another message that claims to be from 83.16.154.90, it will go directly into /dev/null without even alerting me to its presence.
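the two checks walked through above, as an added example that is not part of the original post: a python script that pulls the href behind each anchor in the HTML body and flags any whose host isn’t under the “From:” domain, then picks the IP and HELO name out of the last Received: line and asks whether the HELO agrees with reverse DNS. the sample message is constructed from the fragments quoted above (the victim address, the trailing paypal.com link and the 192.0.2.10 PTR entry are made up for contrast), and a small table stands in for DNS so it runs offline. the “registrable domain” helper is a deliberate simplification (last two labels, no public-suffix list).

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the fragments quoted in the post; the victim
# address and the trailing paypal.com anchor are made up for contrast.
RAW_MESSAGE = """\
Received: from [83.16.154.90] (helo=wlen.net.pl)
\tby spam1.thewebhostserver.com with esmtp (Exim 4.72)
\tid 1QBnQb-0004Ob-N9
\tfor victim@example.net; Mon, 18 Apr 2011 13:20:01 +0100
From: "PayPal" <service@paypal.com>
To: victim@example.net
Content-Type: text/html; charset="utf-8"

<a href="http://onlinepprefund.altervista.org/" target=_blank><span class="emphasis">CANCEL TRANSACTION!</span></a>
<a href="https://www.paypal.com/">PayPal</a>
"""

# Offline stand-in for reverse DNS: 83.16.154.90 has no PTR (as the post's
# X-Sender-Warning says); 192.0.2.10 is a made-up host that does.
OFFLINE_PTR = {"192.0.2.10": "mx.example.net"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a>: the real target next to what the reader saw."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels: a simplification (no public-suffix list), enough for this triage."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def suspicious_links(msg):
    """(visible text, href) for anchors whose host is outside the From: address's domain."""
    sender_domain = registrable_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
    return [(text, href) for href, text in collector.links
            if registrable_domain(urlparse(href).hostname or "") != sender_domain]


# Exim's "from [ip] (helo=name)" form, as in the post's headers; a Postfix-style
# "from name (rdns [ip])" line would need its own pattern.
RECEIVED_RE = re.compile(
    r"from\s+\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\s*\(helo=(?P<helo>[^)\s]+)\)", re.I)


def first_hop(msg):
    """(ip, helo) from the Received: line our own MX wrote. Each hop prepends its
    line, so ours is the LAST one; everything above it came from the sender."""
    received = msg.get_all("Received") or []
    match = RECEIVED_RE.search(received[-1]) if received else None
    return (match.group("ip"), match.group("helo")) if match else None


def helo_check(ip, helo, reverse_lookup):
    """'match' if the PTR name equals the HELO, 'mismatch' if it differs,
    'unverifiable' if the IP has no PTR at all (the post's case).
    reverse_lookup(ip) -> hostname or None; OFFLINE_PTR.get works offline."""
    ptr = reverse_lookup(ip)
    if ptr is None:
        return "unverifiable"
    return "match" if ptr.lower().rstrip(".") == helo.lower().rstrip(".") else "mismatch"


def triage(raw, reverse_lookup=OFFLINE_PTR.get):
    """Run both checks on a raw message and return the findings."""
    msg = email.message_from_string(raw)
    hop = first_hop(msg)
    return {"bad_links": suspicious_links(msg), "hop": hop,
            "helo": helo_check(*hop, reverse_lookup) if hop else "no-received"}


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

for a live check, pass in place of OFFLINE_PTR.get a function that returns socket.gethostbyaddr(ip)[0] and None on OSError; the missing-MX-record test from the X-Sender-Warning line is a separate forward lookup and isn’t done here. note also that only the Received: line written by your own MX is trustworthy, which is why the script reads the last one rather than the first.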
much as i HATE spam, there are a few spam messages that i find a little more interesting than most, which is why i blog about them… in general, however, i feel that Rule #3 still applies, so i’ll shut up about the HATE now…