Very peculiar SPAM emails?

Capodecina
I have for some months now had some very strange emails, apparently from people with whom I worked in the past or from friends. They never have a credible "Subject" line, they are usually identified as SPAM and they always seem to follow a similar pattern; I can't quite work out what the point of them is.

I have now heard from two other people (contacts, neither past work associates nor members of my social circle) who have also had similar emails.

Below I give two examples of emails that have been passed to me for investigation and comment.

Exhibit 1:
From: "Angela Stones" <[email protected]>
Date: 14 January 2020 at 02:35:32 GMT
To: "ME"
Subject: RE:
Reply-To: "Angela Stones" <[email protected]>

ME

sptth://clck.ru/LpdSv​

Exhibit 2:
From: Angela Stones <[email protected]]
Sent: Monday, January 13, 2020 09:35:32 PM
To: "ME"
Subject:

sptth://www.google.com/search?ei=F78-qQ9a0a6UMf2U484w20hk8KB7Ubs503Z&gs_l=cwsdb1gwn51s6a14

I have read suggestions that the "recipient" email addresses have been garnered from LinkedIn (which is possible) and that the links take you to a site offering to supply you with BitCoins - I haven't followed the URLs and I have reversed "https" above. Similarly, the recipient email address has been removed.

Has anyone else noticed anything similar?
Does anyone have any idea what is behind this?
 
There are a number of ways this happens.

The scammers get lists of email addresses by scanning various sites (you mentioned LinkedIn). This can also show associations.

One of your contacts has done something dodgy. Allowing something access to their address book. You were in it.

Their details and all their contacts' details are now sat in a database somewhere that has been copied and sold umpteen times and passed around all over the internet.
You will get emails forever that look like they come from your contact but do not. The address will be altered in some way. Such as extra characters and/or a different domain.
The content is irrelevant. Their sole intent is to get you to click on a link that does 2 things.

1/. Proves you exist so they can continue to keep spamming you.
2/. Allows them to deliver a payload of some description.

Do not reply to the email and do not click on any of the links, this includes the "un subscribe me" links.
Just flag the email as spam and delete it.
 
> . . .
> The content is irrelevant. Their sole intent is to get you to click on a link that does 2 things.
>
> 1/. Proves you exist so they can continue to keep spamming you.
> 2/. Allows them to deliver a payload of some description.
>
> Do not reply to the email and do not click on any of the links, this includes the "un subscribe me" links.
> Just flag the email as spam and delete it.

I can't see how replying would prove that the email address is valid - the fact that the email isn't bounced should be enough - I accept that there are many (throwaway) email addresses which are no longer monitored ;)

You are right about a possible payload although I suspect that this can be delivered just by accessing the message / opening the email; I don't think that it is necessary to follow the link - this may be overly cautious?

Whatever, these particular emails do appear to be pretty blindingly obvious which does make me wonder what their purpose is and why they have suddenly become more frequent and specifically targeted - has LinkedIn been compromised recently?
 
By interacting with the email in any way you prove there is a person on the other end reading the emails. It's not a robot account and it's not an abandoned account.

Most email clients will render text based emails, html based emails and will render only a subset of image types; also they will generally not open attachments unless you specifically OK a dialog or alter the security settings.
Thunderbird for example by default only renders text emails and shows no images.

By clicking on a link in a best case scenario you open the page in a browser. This means it's now running under the privileges of the browser and with all the bugs / exploits the browser has.
It can also now run JavaScript and many other ****** scripting languages. Which all have bugs and exploits allowing code to run on your system.
On most browsers this also will render videos and more complex image types (such as animated gifs). Which are able to contain further payloads not visible to the user due to even more bugs and exploits.

In a worse case scenario their ****** scripts exploit some kind of buffer exploit and are now managing to run random code on your machine under your account with all the privileges that has.
Your "nature docs", "linux isos" and "webcam hotties" folder now become prime targets.
They also have access to your Documents Folder.

This is why those spam emails have un-subscribe me links. You click that link and it runs whatever code they intended it to do and does the exact opposite of unsubscribing you.

The reason you are getting all this spam is most likely because someone clicked on a link in a spam email.

Their purpose is to target the lowest common denominator.
If they send out 9 million emails and only 1% click. That is 900,000 hits they got.
If 1% of those 900000 had bank docs stored in "my documents" that's 9000 bank accounts they potentially have access to.
Just by sending out some "free bewbs here" emails.
 
As suggested, I have ex-colleagues who evidently have had their address books hacked, complete with my email address, and receive similar emails.

As MB said, I use thunderbird set to show just text, which is how I've configured relations' PCs, but I am intrigued what could happen if you had an email client that runs javascript.
 
My friend sends me loads of jokes in emails
When he forgot to use blind carbon copy I got the full list of his contacts ~presumably he forwarded the jokes
Hundreds of email addresses
It's not hard to see how people get hold of your email address
 
> As suggested, I have ex-colleagues who evidently have had their address books hacked, complete with my email address, and receive similar emails.
>
> As MB said, I use thunderbird set to show just text, which is how I've configured relations' PCs, but I am intrigued what could happen if you had an email client that runs javascript.

Are the emails ALWAYS identified as SPAM?

For some reason, ALL of these are, not only those that I receive but in the other two cases as well - there must be a common characteristic, the only thing I can see is that they appear not to have a meaningful "Subject" if there is anything there at all.
 
Server side spam filters work at many different levels.

They can block by full address or by a partial domain match.
At the moment ****@cnet.online.com is doing the rounds and is auto detected by MS spam filters.
They can also block by content if the text is just plain text and isn't encoded in some way. Realistically how many legitimate emails are there going to be about penis pills or hot Thai babes, so these get auto flagged as well.

The more sophisticated filters can convert parts of the email into a big number using "maths" and then just compare those numbers.
If they know that a particular email is doing the rounds and it has a certain pic in it. That pic has a recognisable signature. They can then just auto flag every mail that has an image in it with that signature.

There are also client side filters running in your client if you are not using web based email.

There also is a large amount of data in an email that is only machine readable that you as a user will not generally see. This can also be used to identify it.

There will always be SPAM that is not auto detected correctly and gets delivered to your in box. It's your responsibility to report that as spam and then delete it. This improves the filters.
There will always be real mail that gets wrongly detected as spam. Again you can report as not-spam and move it to your in box, improving the filters.

You can avoid a lot of spam by being sensible about how and where you use your mail address. There is no need to type it into a form just because they ask for it. The same at store checkouts when buying coffee etc, just say no.

You can also have multiple email addresses and give them out based on the level of security you think they have.

I use an extension to the email address system, but it is not supported by all clients and some sites will not accept the addresses either.
If your address is [email protected] you can use
[email protected]
[email protected]
[email protected]
[email protected]
They all get delivered to [email protected]

If you start to get spam to [email protected] you know amazon have leaked your email address.
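
The traits the thread keeps coming back to (a familiar display name on an unfamiliar address, a blank or bare "RE:" subject, a body that is nothing but a link) can be checked mechanically on the receiving side. This is an added example, not part of any post in the thread; the contact book, addresses, URLs and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> address that contact really uses.
KNOWN_CONTACTS = {"angela stones": "angela.stones@example.org"}

URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://\S+", re.I)
# Matches a subject that is empty or only reply/forward prefixes ("RE:", "Fwd: Re:").
EMPTY_SUBJECT_RE = re.compile(r"^\s*((re|fw|fwd)\s*:\s*)*$", re.I)

def body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain")

def indicators(raw):
    """Return the suspicious traits found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    known = KNOWN_CONTACTS.get(name.strip().lower())
    if known and addr.lower() != known:
        found.append("known-name-wrong-address")   # contact's name, someone else's mailbox
    if EMPTY_SUBJECT_RE.match(msg.get("Subject", "")):
        found.append("empty-subject")
    text = body_text(msg)
    words_left = URL_RE.sub(" ", text).split()
    if URL_RE.search(text) and len(words_left) <= 3:
        found.append("link-only-body")              # a URL and almost nothing else
    return found

# Constructed samples: one shaped like the exhibits, one ordinary message.
SAMPLE_SPAM = ('From: "Angela Stones" <a.stones77@mailer.example.net>\n'
               'To: me@example.org\nSubject: RE:\n\n'
               'ME\n\nhttps://short.example/abc123\n')
SAMPLE_HAM = ('From: "Angela Stones" <angela.stones@example.org>\n'
              'To: me@example.org\nSubject: Lunch on Friday\n\n'
              'Are you free at one? Menu is at https://cafe.example/menu '
              'if you want a look.\n')

if __name__ == "__main__":
    for label, raw in (("spam-like", SAMPLE_SPAM), ("ordinary", SAMPLE_HAM)):
        print(label, indicators(raw))
```

All of this runs on the raw message text, so nothing in the mail has to be rendered or followed to reach a verdict.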
 
> Are the emails ALWAYS identified as SPAM?

I don't know, the ones that are pattern copies of what you posted are, probably down to the subject.

But, other marketing emails, could be spoofed, so I ignore them unless they explain, just in (thunderbird) text view, what the message is,
and wouldn't click links anyway. (richersounds/ebay/amazon/lewis/... take note)

If the spam filters are able to cross-check the domain address the email is from, against the email contents keywords, I'm not aware of that functionality.
 
I have just found out about another way that these firms get your email address that I was not aware of.
Auction sites and online shopping.
Take ebay for example. Ebay do not share your details, any contact goes through their services.
Until you pay using paypal. Then the seller has direct access to your paypal email.

All those ebay shops full of plastic crap that they sell delivered for 75p and it takes 2 months to get to you. They also harvest your email address when you pay via paypal.
 
I accept that email addresses are harvested common currency and that some large organisations that should be more conscientious about and responsible for data security are somewhat lax about it.

However, what I am interested in here is the rationale behind the upsurge in these strange, apparently pointless emails :confused:
 
Just one of my email accounts gets these on a semi-regular basis, however they come from an ex-friend so I just delete them and chuckle to myself at the thought he's been compromised somehow.
 
I have an email account I'm set to delete soon as it's spammy. But the spam is 99% really badly written, except one which is a guy who I used to know who has also been compromised. The addresses are a series of random characters, the subject/title are really poor, never opened one though. I guess it's mentioned as above, anything to get a link clicked, or an account sign in from you.
 