What’s the Point of This Stuff?

Most of the time I understand the theory behind email sp*m. People are hoping I'll click a link or reply. In the end they either want to sell me something, or they want to spoof some information from me. Similarly with blog sp*m — either it's ads, or an attempt to raise their Google rankings by showing a link from here (with a decent Google rank) to there.

But there are two kinds of sp*m I do not get at all.

The first kind is the blog comment with a link to a web site of garbage characters. Usually when I click, there's nothing there. What's the point? Is the botnet just practicing?

The second kind are email messages like the one I just got twice today, which I quote in its entirety, compete with original formatting:

Dear Sir,
I will like to know if it is possible for me to make
reservations of plane tickets in your travel agency for one of our
members and to pay remotely with international card accorded with
authorizations.
I remain on standby of a favourable response from your office. Please
confirm this booking and forwards fare as soon as possible.[Accra to
Cairo to Paris]
Name: [1] KOFI OPOKU
Date is 15th of November 27th of November 2008.
Best greetings.
Dr Aileen Winch

Any ideas?

This entry was posted in Internet. Bookmark the permalink.

11 Responses to What’s the Point of This Stuff?

  1. Mark Barton says:

    The blank web page is probably a scheme to verify your email address. The exact sequence of garbage characters is probably an encoded version of your address, and the webserver will be programmed to decode it or look it up in a table and flag it as (i) valid, (ii) belonging to someone stupid enough to click on links in spam. Such addresses can be sold for a much higher price.

    The plausible but slightly weird email is probably an effort to get round modern spam filters, which have gotten pretty good at identifying typical spam and require a fair bit of pretty innocuous text to confuse them. However if there’s no link, or advertisement in the subject line, then I don’t get it either.

  2. michael says:

    To be clear:

    1. the blank web pages are what I find in in links to certain blog sp*m. So how does that get them my email if I click on the link? (Is it about browser leaks?)

    2. The email message I quoted was quoted in full. The subject line was “BOOKING”. There was no ad, no graphic. no web bug or hidden HTML.

  3. Ed Bott says:

    The blog comments are indeed practice. If the comment goes through and doesn’t get deleted, it means your site becomes a viable target for later attacks. And because it’s a single innocuous message, it doesn’t necessarily trip your defenses, and your anti-comment-spam software whitelists the IP address it came from.

    The e-mail message is an old scam that predates the Internets. The greedy recipient sees a way to make a few bucks, and the scammer hauls him in with stories about expensive credit cards and wire transfers and cashier’s checks. He’ll overpay you and allow you to keep the difference as a commission, but then something wil happen and you’ll need to send him back part of the money. Then the cashier’s check will bounce and you’ll be SOL.

    Lots of examples out there, like these:
    http://antifraudintl.org/showthread.php?p=23832
    http://scamorama.com/bates_givet.html

  4. SEO says:

    Michael, next time the invisible webpage happens right click and view the source code of the page. It’s possible there’s hidden spam links to all sorts of stuff, or it may be because they use tools to do this spam and it pasted in a list of their URL’s to link to and had a broken link amongst it.

    They also setup these spam tools on servers that run non-stop, perhaps the domain was taken down but it’s still in the list to get links to.

    With the booking, exactly like Ed said it’s an innocent message to get past spam filters then when you reply they will engage in some “deal” where they send you extra money, you have to send money back and the cash winds up being stolen and your left holding the hot potato.

    Just like laundering ill gotten funds, and your the washing machine.

    The spam i hate is when people say “I used company xyz and i highly recommend them” and you check Google and they have posted it on 5,000 other sites and they are on the companies about page. Very deceptive.

    Carly,

  5. Apparently the e-mail harverter misidentified your addres as posibly being that of a travel agency: “I will like to know if it is possible for me to make reservations of plane tickets in your travel agency for one of our members and to pay remotely with international card accorded with authorizations….”

    Travel agents get spam virtually identical to this every day, and have bene getting them for a decade. The scam is to get the victim travel agency to issue a prepaid ticket, giving a stolen or completely fictitious credit card number as payment. The scammer (or an accomplice) collects the ticket from the airline’s office in their country, and either cashes it in for a refund, or less often uses it or exchanges it for a ticket they can use or sell.

    A “prepaid ticket advice” (PTA) is like wiring money: someone pays the airline (or a travel agent) in one place, and they send a message through the reservation system authorizing the airline to issue a ticket someplace else.

    Aside from the typical language of the spam, the tipoff that this is a scam is that the credit card is invariably in a different name from that of the traveler, since the name on the ticket has to match the documents presented by the person who claims the ticket.

    You can tell the actual location of the scammer (or their accomplice) by the point of origin of the requested flights, since that’s is where they want to have the prepaid ticket sent for pickup. Usually this is in Nigeria or elsewhere in Africa, but more recently I’ve begun to see these from Hong Kong, China, Malaysia, and occasionally Eastern Europe.

  6. Here are some samples of this genre of travel scam spam from my files:

    Date: Fri, 31 Aug 2001 05:28:18 -0700 (PDT)
    From: Emilio Basiletti
    Subject: TICKETS PURCHASES

    Dear Customer Service,
    Kindly book the intinarary and cheapest fare of the
    below passengers urgently .
    Route: lagos/brussel/shanghai/brussel/lagos.
    1. EZENWAIRE EMMANUEL NNAEMEKA
    2. IHEANACHO EMMANUEL NWADINOBI
    3. OBIDILO CHINAEDU CHRISTAIN
    4. OKEKE OKWUDILI LONGINUS
    5. OGBUOZOBER CHUKWUDIEGHU THEOPHILOS
    Last name first in that order.
    Date of travel: 20th sept.2001.
    Return Date: 18th nov.2001.
    Class: Economy.
    I await your response on intinerary and fare,so that i
    can proceedto effect payment soonest.
    Kind Regards.
    Emilio

    =====

    Sometime they first send a phishing letter before any specific booking request:

    Date: Fri, 7 Sep 2001 12:48:06 -0700 (PDT)
    From: dennis davids
    Subject: TICKET INQUIRY

    FLYEAGLE TRAVEL & TOURS LIMITED
    23,IJERO ROAD EBUTE METTA (WEST)
    LAGOS, NIGERIA.
    TEL: 234 1 844266
    E-mail:flyeagle111@yahoo.com

    Dear Sir/Madam,

    We are flyeagle Travel & Tours Limited based in Lagos
    The Former Federal Capital of Nigeria. Being a
    commercial capital city in Nigeria, There are lots of
    expatriates working with Multi National Companies who
    want to purchase flight ticket for their staffs or
    themselves with their credit cards.

    But we as a travel consultants we dont have the
    facility to process the credit cards for them. We
    have a lot of passengers ready to travel to their
    various destinations.

    If you accept our proposal, specify the type of credit
    cards you accept so that we can have a good
    business relationship. And let us know your service
    charge. (that is your commission on each ticket you
    issue).

    Kindly reply through my e-mail.

    Thanks

    Maryam Thompson (Mrs.)

    For: flyeagle Travel & Tours Ltd
    E-mail:flyeagle111@yahoo.com

    =====

    Be glad you don’t get these every day!

  7. Clemente Vivanco says:

    No mistery, it’s a scam…….

  8. michael says:

    Carly – I can assure you that “There was no ad, no graphic. no web bug or hidden HTML.” That’s why I was puzzled…

  9. SEO says:

    I’d say the site might just be AWOL then Michael.

    These spammers run thousands of sites/domains, “typically” cheap domains like $1.99 .info’s and do this spam on a mass scale. They will register say 1,000 domains, and paste this list in a tool and let it run around the clock in rotation so each one gets it’s share of spam links.

    They also utilize dozens of cheap hosting accounts on different IP’s to avoid detection, the good hosts will shut them down leaving their list with say 900 working domains and i guess it would be a logistical nightmare keeping it fully up to date and you get spammed with defunct sites.

    Also they may be using IP or Useragent “cloaking” tricks so you see nothing but Google’s IP sees links on the page.

    Anyhow if you Google Xrumer the first few links are to Wikipedia and Washington Post, it seems to be the #1 spam tool of choice as it even breaks Captcha’s and is a right pain in the backside. I had to implement random mathematical questions to stop the 2,000 spam comments a day.

  10. Web Designer says:

    What I understand is that if garbage characters are dispaying then it must be some chinbese or japaense website as I receive a lot of spam like that on my blog too.

    Secondly regarding hat awkward email I feel they acquired some mailing list which had you email id too and they bombarded each one of you as few of the ids in that list may work for them…

  11. ADAC says:

    They are probably just looking for people who will respond. If you click on a link or respond back it gets tracked. Now your on a list of people likely to be susceptible to scamming.

    Clicking on a link and going to a site also opens up the possibility of downloading something on your computer. These work by the numbers. The more people you get to click out of curiosity the better the chance of catching someone.

Leave a Reply

Your email address will not be published. Required fields are marked *