Email spam

Forum: 
quote:
From : meche01
Sent : Wednesday, 4 January 2006 4:06:29 AM
To : redwyre
Subject : Sent From Sumea by meche01

MIME-Version: 1.0
Received: from mail1.atl.registeredsite.com ([64.224.219.75]) by bay0-mc3-f11.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 3 Jan 2006 10:07:03 -0800
Received: from server_name.usa.prod.interland.net (ipswbz0003atl2.usa.prod.interland.net [64.225.249.145] (may be forged))by mail1.atl.registeredsite.com (8.12.11/8.12.11) with ESMTP id k03I6Hmu026141for ; Tue, 3 Jan 2006 13:07:03 -0500
Received: from IPSWBZ0003ATL2.usa.prod.interland.net ([127.0.0.1] RDNS failed) by server_name.usa.prod.interland.net with Microsoft SMTPSVC(6.0.3790.211); Tue, 3 Jan 2006 13:06:29 -0500
X-Message-Info: JGTYoYF78jEUECxRRGQH+HXeQ8/JLKYJXIm/sO4dzkY=
X-MSMail-Priority: Normal
X-mailer: Asp Component Bundle 4.11 (COMB680600)
X-OriginalArrivalTime: 03 Jan 2006 18:06:29.0686 (UTC) FILETIME=[6BD16D60:01C61090]
Return-Path: doujey05@yahoo.fr
----------------------------------

Hello redwyre

You received the following message from: meche01 (doujey05@yahoo.fr)

At: http://www.sumea.com.au/forum/

From Michael Doujey
Avenue 5 Lot 172 Cocody Quarters
Abidjan Cote d'Ivoire
3/1/2006
Good day Dear One,

Greetings and How are you today,I am Michael Doujey I would like you to permit me to apply through this medium for your
co-operation and to secure an opportunity to invest and do joint relationship and business with you in your country.

...

It appears the spammers have not given up on abusing sumea! Souri, can you confirm if that is from the forum mailer or just completely spoofed?

Jacana's picture

I got that too!

romijade's picture

Likewise.

lorien's picture

and me :(

LiveWire's picture

same, probably went out to all memebers

lorien's picture

quote:Originally posted by LiveWire

same, probably went out to all memebers

If so that's one dedicated spammer. It would be a lot of stuffing about to send something to everyone on sumea unless you are Souri wouldn't it?

I wonder what a suitable punishment is? :)

Makk's picture

yay! me too, I fee special....LAME!!

lorien's picture

Just to make that jerks email address a bit clearer and make sure he gets some spam it is doujey05@yahoo.fr

souri's picture

Yeh, I got it too. What ever you do, for goodness sakes, please don't reply to that email. They sent it via the Sumea forum, the forum never reveals anyone's email address to anyone except forum administrators, so spammers will have no idea what your email address is.

Snitz isn't as popular or widely used forum as phpbbs, vBullettin etc, so we've fared pretty well with spammer attacks, but it's a bit concerning to see them making successful inroads into the forum. I get a tonne of bounced emails from failed registration attempts from spammers who trying registering with an invalid email account though.

If this spammer didn't use a script or program to automate the process and sent it one-by-one to each member, then I would say that he'd be the lamest spammer in the known universe. [;)]

I've locked his account, and if anyone gets anymore like that in the future, please post about it in this thread.

inked's picture

damn so i'm really not going to score $3.5 million??? =I =D

J I Styles's picture

nothing new, just chalk one more up for me too.

Souri, you've done a great job keeping the spam and harvesting pretty minimal, so cheers [:)]

MoonUnit's picture

heh, the email account that this forum is registered too i dont even use anymore (my main page account email is current though) because its so bogged with spam anyway so i havent been botherd :P Thanks for doing your best to keep us spam free though!

lorien's picture

Souri: that spammer IS lame. Picking a forum full of computer nerds to try a scam like that Nigerian thing a while back is not very bright [:)]

CynicalFan's picture

Ah, I see I was not the only one to get this one.

You know, if I ever meet one of these spammers, I am going to beat them to death with a keyboard. I won't be at all angry about it either, just nice and calm as I bash their head in and then watch them bleed to death from severe head trauma ;). After all, I would be doing a public service ;).

I wonder if anyone would be ever stupid enough to admit they were one though...

souri's picture

Bleurgh, it seems like a tonne of people have received it. I got a few emails from some curious forum members who thought this email was on the behalf of Sumea, and I can understand the confusion because the email headers say the email came here (yeh, it was sent from the forum mailer, and not spoofed).

But just to re-iterate, what this spammer did wasn't anything clever. He simply registered onto the forum with a valid Yahoo address, went to the memberlist and sent an email to each forum member, which Sumea sends. So yeh, the spammer selected the member, pasted his spam message, clicked send, and then went to the next member to do it again. This would've taken hours and hours, and unless he had this automated somehow (which he most likely did), would've been absolutely mind numbing work.

I'll look into putting in measures so this doesn't happen again, but from the top of my head, the easiest solution would be putting a check in the send email page to see if the forum member has at least been registered for a certain ammount of time before they can send an email.

And yeh, I can't believe this idiotic spammer is even trying that old and very, very tired Nigerian 419 scam - I mean, you can tell straight away when they're offering to investments or need a place to to safe guard a huge fortune. They'll try to get you to disclose your bank account details, and of course, before they can make the transfer, they'll need you to pay some fees or money for bribes to help them out etc [:o)].

redwyre's picture

What about the now-standard "type these numbers in a box" method? You could use it on the comments as well, I'm sure it would eliminate spam almost completely.

Lorien: I doubt the spammer did any "picking" other than choosing some sites out of a google search. Then they probably just typed it into some "spam-4-u" program and it mailed everyone in the database (it's quite simple, just a url and sequential ids)

mcdrewski's picture

velocity checking might help. no more than five messages in each hour per account?

souri's picture

This is his ip address if anyone wants to look it up XD

81.199.125.5

mcdrewski's picture

Meh. a dialup block in the ivory coast. dead end.

quote:
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag

% Information related to '81.199.124.0 - 81.199.127.255'

inetnum: 81.199.124.0 - 81.199.127.255
netname: CIDR-AROBASE-1
descr: Arobase Telecom
country: ci
admin-c: KR451-RIPE
tech-c: BN537-RIPE
status: ASSIGNED PA "status:" definitions
mnt-by: AS12491-MNT
source: RIPE # Filtered

person: Kouassi Remi
address: Rue du commerce, Plateau
address: 01 BP 6944 Abidjan 01
address: C.te d'ivoire
phone: +225 2031 0090
e-mail: remi.kouassi@arobasetelecom.ci
nic-hdl: KR451-RIPE
source: RIPE # Filtered

person: Brou N'guessan Baudouin
address: Rue du commerce, Plateau
address: 01 BP 6944 Abidjan 01
address: C.te d'ivoire
phone: +225 2031 0090
e-mail: baudouin.brou@arobasetelecom.ci
nic-hdl: BN537-RIPE
source: RIPE # Filtered

% Information related to '81.199.124.0/22AS34126'

route: 81.199.124.0/22
descr: Arobase, Cote d'Ivoire
origin: AS34126
mnt-by: AS12491-MNT
source: RIPE # Filtered

J I Styles's picture

Although not the direct goal of the nigerian scam, it has gone far enough in a few cases where other "opportunities" have arisen which have resulted in more than a number of kidnappings/ransoms and at least one known death. People have been gullible and naive enough to pay for their own transport to a foriegn country and become easy targets.