A bit over a year ago I wrote here about the “New Shopping, new life” spam that was sent from hacked free webmail accounts to advertise fake Chinese online shops. Recently I am seeing a lot more spam like that, mostly using hacked Hotmail accounts. Here is a typical example:

hello：
Please forgive us to disturb your valued time.
This is a big wholesale company in china, sell electronic products to all the world,such as laptop, camera, phone and so on. We can offer the low price and high quality to you. If you have free time, please to visit our official website: http://lezucker.com
if you have any other questions, please be free contact us by email or msn at any time.
Yours Sincerely,

——————————————————————————–
Not got a Hotmail account? Sign-up now – Free

The emails accounts appear to be accessed from IP addresses in China such as these:

• 60.4.32.231 (3220 emails)
• 116.7.20.191 (1974 emails)
• 121.35.79.35 (1865 emails)
• 60.4.153.48 (326 emails)
• 121.35.79.16 (265 emails)

The email counts are for a period of about 60 hours and are only for my spam traps and external spam feeds, not the total sent from those addresses. What’s more, it’s not just a large number of emails per IP address but also per mail account (full address obscured for privacy reasons):

• XXamari35@hotmail.com (2645 emails)
• XXpsychling@hotmail.com (1994 emails)
• XXishacarroll@hotmail.com (1215 emails)
• XXbgreene27@hotmail.com (671 emails)
• XXedina723@hotmail.com (575 emails)
• XXgmo@hotmail.com (326 emails)
• XXroxd1@hotmail.com (294 emails)

I find it surprising that Hotmail would allow a single free mail account to send out thousands of spams a day without getting it shut down. I can only guess what the total number is, as the above are only spam that I have received copies of. Clearly Microsoft will have to improve its mechanisms to catch such abuse.

Here are some of the domains advertised via these scammers:

• lezucker.com (4189 emails)
• ebroun.com (2645 emails)
• hgbet.com (329 emails)

The IP address seem to be mostly but not exclusively from providers in the South of China, in Henan and Guangdong provinces:

inetnum: 115.48.0.0 – 115.63.255.255
netname: UNICOM-HA
descr: China Unicom Henan province network
descr: China Unicom
country: CN

inetnum: 123.8.0.0 – 123.15.255.255
netname: UNICOM-HA
descr: China Unicom Henan province network
descr: China Unicom
country: CN

inetnum: 123.52.0.0 – 123.55.255.255
netname: MAINT-CHINANET-HA
descr: CHINANET HENAN PROVINCE NETWORK
descr: henan Telecom Corporation
descr: 97# Zhongyuan Street, Zhengzhou,henan,Chinese
country: CN

inetnum: 121.32.0.0 – 121.35.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN

inetnum: 219.128.0.0 – 219.137.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN

inetnum: 123.112.0.0 – 123.127.255.255
netname: UNICOM-BJ
descr: China Unicom Beijing province network
descr: China Unicom
country: CN

Since Google ranks sites primarily by how many other pages and sites link to them, unethical people have been trying to boost their site rankings by tricking others into creating links to them.

Link exchange spam, i.e. unsolicited offers to reciprocally create links to each other’s sites, has been around for many years. Recently I came across a new twist, broken link suggestion spam. You’ll receive a personal looking email like the following that tells you about a broken link on a page on one of your sites, with a suggestion for a replacement link target (boldface added by me):

Hi Joe!
Sorry to bother you, my name is Kate Austen, I’m a teaching assistant for a sociology class. I’ve been doing some research online for an upcoming lesson on the urban legends, myths, and hoaxes, and your page was very helpful. Thanks so much!

I noticed that on your page (http://www.joewein.de/hoax.htm) you have a broken link http://www.urbanlegends.com/index.html (an old page about urban legends)… May I offer a thought on a possible replacement? http://www.costumesupercenter.com/csc_inc/html/static/btarticles/urbanlegendsandmyths.html It has some great information about several urban legends and myths. I found it to be a great resource during my research, and it would be a great fix to your broken link. I’ve added it to my bookmarks, along with your site 🙂

Just thought I’d let you know 🙂

Take Care,
Kate
kate@professor-research.org

I plugged some phrases from the above email into Google and it found the following similar email (boldface also added by me, please compare the two):

Crystal Sawyer
crystal@studentresearchers.org

Hi!
Sorry to bother you, my name is Crystal Sawyer, I’m an education major from upstate New York. I’ve been doing some research online for a class project and your pages were very helpful. Thanks so much 🙂

I noticed that on your page (http://www.apfn.org/apfn/mmm.htm) you have a broken link http://www.nara.gov/exhall/charters/declaration/decmain.html (an old page about science projects)… May I offer a thought on a possible replacement? http://legalmetro.com/library/historic-us-documents-the-charters-of-freedom.html It has some great information about teaching children how to do experimental science projects. I found it to be a great resource during my research, and it would be a great fix to your broken link. I’ve added it to my bookmarks, along with your site 🙂

Just thought I’d let you know 🙂

Take Care,
Crystal
crystal@studentresearchers.org

The number of identical phrases is far to high to be a coincidence. Looking at the sender domains professor-research.org and studentresearchers.org, the registrant on both is hidden behind the anonymization service domainsbyproxy.com.

I would say chances are good that both “Kate” and “Crystal” are the same person and that this person works for a company offering paid search engine optimization (SEO) services to boost their customers’ website rankings. They add some editorial contents to the customer website and then deceptively ask owners of sites with a high Page rank (PR) to replace broken links with links to these new pages by posing as students and researchers with no obvious commercial interest in the link target site.

For about a year I have been receiving spam emails like this one below. They all look like they’ve been sent by private individuals somewhere in the world (usually from Yahoo or Hotmail accounts) but advertise companies in China:

hi:
New shopping new life!
How are u doing these days?Yesterday I found a web of a large trading company from china,which is an agent of all the well-known digital product factories,and facing to both wholesalers,retailsalers,and personal customer all over the world. They export all kinds of digital products and offer most competitive and reasonable price and high quality goods for our clients,so i think we you make a big profit if we do business with them.And they promise they will provide the best after-sales-service.In my opinion we can make a trial order to test that.
Look forward to your early reply!
The Web address: www.vanigo.com
E-mail: vanigo@188.com
MSN : vanigo@msn.cn

——————————————————————————–

Få en billig laptop. Se Kelkoos gode tilbud her!

Looking at the mail headers, it had come from the mail account of a Danish Yahoo user, but originated from an IP address in China (details edited to protect the privacy of the account owner):

Received: from [124.118.179.157] by web26101.mail.ukl.yahoo.com
via HTTP; Wed, 11 Feb 2009 19:54:29 GMT
X-Mailer: YahooMailWebService/0.7.260.1
Date: Wed, 11 Feb 2009 19:54:29 +0000 (GMT)
From: uffe #####sen <uf###2@yahoo.dk>
Reply-To: uf###2@yahoo.dk
Subject: hi:
To: undisclosed recipients: ;

IP address 124.118.179.157 belongs to China Telecom:

inetnum: 124.118.0.0 – 124.119.255.255
netname: CHINANET-XJ
descr: CHINANET Xinjiang province network
descr: China Telecom
descr: No1,jin-rong Street
descr: Beijing 100032
country: CN

What appears to have happened is that spammers know the passwords to these mail accounts and are using them to send that spam to everyone in the mail account’s address book.

This is a very effective way to get through spam filters, as many recipients are likely to also have the sender in their address book and address book entries are automatically whitelisted by many spamfilters.

If you receive an email like that, alert the “sender” that their account has been compromised. They need to immediately change their email password to something more secure.

This abuse of stolen passwords illustrates the potential of password harvesting scams such as this one I documented in August 2008, which is still going on.

Here are some Google searches related to the hacked webmail spam:

• “New shopping new life”
• “good company who trades mainly in electornic products”

Here is a (probably incomplete) list of websites advertised this way:

• gvccn.com
• ibvcn.com
• jvccn.com
• tvtcn.com
• szfac.com
• cxkeg.com
• yaier.com
• mmhdf.com
• ixicb.com
• vanigo.com
• wabada.com
• bj-trade.com
• store-168.com
• ele-motors.com
• electronics-brand.com
• exciting-zone.com

Common subject lines:

• New shopping new life
• Good shopping good mood!
• Good web site
• Have a great shopping!
• good website!
• Hi,Thank you!
• Hi,
• Dear friend

Good passwords and bad passwords

A strong password should be the first line of defense against such criminals, but what makes a password good? It should contain a mixture of all of the following:

• lower case letters
• upper case letters
• digits
• at least one non-alphanumeric character

This makes it hard to break the password through brute force or through dictionary attacks.

Also the password should not be too short (8 characters or more) and should be reasonably easy to memorize, so you don’t have much need to write it down. Some examples:

• 45Knife%Cabbage
• 4F5g6H&j
• J0hn1945-07-31

Bad choices are passwords that consist of any word found in a dictionary, proper names, digits-only dates, adjacent keys on the keyboard or repeated characters. Never use anything like these:

• secret
• qwerty
• xxxx
• john45

It is very important not to use the exact same password for different purposes.

If spammers manage to trick you into revealing your password for one site (e.g. by getting you to create a new account at a site they control or by breaking into the database of another site where you’re a customer) then you’ve effectively handed them the key to the candy store. They can get access to your email account, in which they may find login information, password reminders, etc. of many other sites you’ve signed up for. At the very least they can harvest all your email contacts.

Beyond using different passwords for every site and service, it’s also a good idea to use a different password schema for “core” sites that you trust and depend upon (such as your email provider and webhost) and another for sites to which you sign up more casually (such as various forums, online shopping, etc.). Thus if one of the latter is compromised, it does not give criminals any clues what your more critical passwords may look like.

Who is behind this spam?

The sites advertised from the hacked email accounts constantly vary. They usually have been created only a few weeks or months earlier. For example, the domain in the above example was created two months ago:

Domain name: vanigo.com

Registrant Contact:
wuxianj
xiaos wu zhongfm@it5.cn
0592-5861837 fax: 0592-5861834
beijin
beijin beijin 100000
cn

Administrative Contact:
xiaos wu zhongfm@it5.cn
0592-5861837 fax: 0592-5861834
beijin
beijin beijin 100000
cn

Technical Contact:
xiaos wu zhongfm@it5.cn
0592-5861837 fax: 0592-5861834
beijin
beijin beijin 100000
cn

Billing Contact:
xiaos wu zhongfm@it5.cn
0592-5861837 fax: 0592-5861834
beijin
beijin beijin 100000
cn

DNS:
ns1.4everdns.com
ns2.4everdns.com

Created: 2008-12-08
Expires: 2009-12-08

Considering the highly illegal way the companies advertised, what are the chances that any order you make at those sites would ever get shipped to you? For sure, they will gladly take your cash by (untraceable, unsafe) Western Union or take your credit card number, expiration date and security code. Never use Western Union to send money to people you don’t know from real life in person. Never enter your credit card on a site that doesn’t have SSL access (indicated by a URL starting with https:// and a padlock icon in the browser status bar) with a proper certificate.

Even more basic: Never do business with spammers. By sending you spam, they have already proven to you that they lack any morals. You have no reason to trust them and every reason to be alert!

If you have received similar spams, feel free to post them below.

I never really got used to the idea of MySpace “friends” and Facebook “friends”, a concept that seems to appeal mostly to teenagers seeking peer-approval. Friends are not objects you collect like others collect postal stamps or or sports memorabilia. Real friends are there for each other when we need someone. With my friends, years may pass without us meeting, but when we see each other again we pick up just like we last saw each other only yesterday. I know them and they know me and we don’t have to explain much. I would never think of showing them off on a website like others show off their gold chains and SUV to boost their self image. This is not at all what friendship is about.

For over two years I’ve been receiving emails coaxing me to join a website called tagged.com, supposedly sent by people who consider me their “friend”, but who I invariably do not recognize. I suppose they have my email address in their address book because they probably reported Nigerian scams to me before (I collect several hundred reports per day, most of which get processed automatically), but I could not possibly have had a two way email exchange with more than a small fraction of them, let alone built a friendship.

Here is a typical example:

Firstname has added you as a friend on Tagged.

Is Firstname your friend?

[ Yes] [ No ]

Please respond or Firstname may think you said no 🙁

Click here to unsubscribe from Tagged, P.O. Box 193152 San Francisco, CA 94119-3152

Invitation spam

The tagged.com mails are just one example of a category of what I consider invitation spam, because they server no real purpose other than getting me to join a website that I have no interest in joining. The supposed sender already has my address and can contact me any time if he has something to tell me and if we really were friends, chances are I would already have his email too.

What I find particularly annoying about the Tagged.com emails is how they try to pressure the recipient into clicking the “Yes” link by exploiting people’s considerate nature. Most of us don’t unnecessarily want to hurt other people’s feelings. Therefore this line gets really on my nerves:

Please respond or Firstname may think you said no 🙁

Interestingly, the same annoying phrase (either including the colon, left bracket frowning negative smiley or a positive smiley) started appearing in several other invitation spams that don’t mention Tagged.com:

From imvu.com, August 2007:

Hey Joewein,

Firstname has added you as a friend on IMVU.

Is Firstname your friend?

[ Yes] [ No ]

Please respond or Firstname may think you said no 🙂

From MyYearBook.com, November 2007:

Firstname has added you as a friend
Is Firstname your friend?

[ Yes] [ No ]

Please respond or Firstname will think you said no 🙁

Click Here to block all emails from myYearbook, 280 Union Square Dr., New Hope, PA 18938

From Yaari.com, February 2008:

Firstname Lastname wants you to join Yaari!

Is Firstname your friend?

Yes, Firstname is my friend! No, Firstname isn’t my friend.

Please respond or Firstname might think you said no 🙁

Thanks,
The Yaari Team

____
You are receiving this message because someone you know registered for Yaari and listed you as a contact.
If you prefer not to receive this email tell us here.
If you have any concerns regarding the content of this message, please email abuse@yaari.com.
Yaari LLC, 358 Angier Ave, Atlanta, GA 30312

To this day I am receiving a mix of Tagged.com, MyYearbook, Yaari and IMVU emails from various people.

The only party who really gets anything out of this type of (probably automated) email is the website owner. It actually doesn’t matter whether you click “Yes” or “No” on those spams, either way you’ll end up on a web form to provide personal details to join the site.

Many social networking sites ask for access to your Yahoo, Hotmail, Outlook or other address book when joining. They then send everyone in your address book invitations in your name. Thus the game continues as long as address books aren’t empty and at least some people click on either “Yes” or “No”.

When I receive such emails, I usually archive them to a folder in my mail cabinet that I named “Plaxo-Ringo” after the first two websites that spammed me like that in significant volume. I archive them for research purposes, but if you’re not a spam researcher like me you might as well delete them.

Just like on Facebook and MySpace I never act on “friend” invitations unless I have a genuine personal relationship with the sender, and neither should you. There is no need to feel guilty about discarding spam that is meant to sell commercial websites, even if it masquerades as something much more personal and precious, like friendship.

You can tell that an anti-spam tool is becoming too effective when spammers start trying to work around it.

Such is the case with Spam URL Blacklists (SURBLs), which list domains advertised via spam. Spamfilters will intercept emails that mention blacklisted domains used in clickable links. The spammers can use fake sender addresses and send email from cracked hosts and cracked third party mail accounts, but they still get caught as soon as they mention their websites. This hurts spammers because they only make money when people go to their websites and hand over their credit card details to order fake Rolexes, pills, porn, etc.

To get around this, spammers have been using pages created at free webhosting services and other third party sites where content can be uploaded. The links only mention the free hosting site, which then redirects to the final spam site.

One service abused for this is Google Groups. Other services recently seen used are Google Docs, Microsoft Spaces Live and Geocities. In the case of Google Groups the spammers create mailing lists and upload a spam link to the home page of the new group. They never use the groups for their intended purpose, i.e. mailing lists. This effectively makes it impossible to report the abuse via Google’s abuse handling procedures: Any archived posting or uploaded document on the Google Groups service has an abuse reporting link, but the home page of the group itself does not! Obviously, Google never envisaged that spammers would create groups only to have one page of web content that can be advertised via spam.

Here is an example of a spam:

Received: from host34.net215.omkc.ru (HELO host34.net215.omkc.ru) [217.25.215.34]
by mymailhost (mx077) with SMTP; 21 Jan 2009 04:21:47 +0100
Message-ID: <47940FC9.1016287@verizon.net>
Date: Mon, 21 Jan 2008 03:21:45 GMT
From: arturo <arturo.matthews1@verizon.net>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: mymailbox
Subject: Brighten Your Day
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

After trying out tooth whitening system AT NO COST TO YOU you’ll realize that your smile is irresistably contagious! 😉

http://groups.google.com/group/fkvrqzzzjckhj

(Add S+H)

The page advertises “Click Here – Free Credit Score & Debt Help” which is a spam link using the domain white-teeth2009.com hosted on IP address 220.164.144.205 in China. It is listed on four sub-lists of SURBL (WS, OB, AB and JP). Its name servers are ns1.dckfdc.com and ns2.dckfdc.com. Other domains by the same spammers are whiten-your-smile2009.com and smile-really-great.com.

At the very least Google should add an abuse reporting link to its Google Group pages. It would be even better if they were to check uploaded Google Group content and checked any URLs in it against spam blacklists such as SURBL. This would stop the spammers in their tracks.