Tag Archives: MailWasher

Fake “Amazon.com – Your Cancellation” e-mail

I received an item of e-mail purporting to be an Amazon order cancellation. It looked fairly authentic: to the untrained but curious eye, it could easily fool you into clicking on the ORDER DETAILS link. If you are in the UK, one of the key clues is the fact that this e-mail is reporting itself as originating from amazon.com – in the UK we would expect such e-mail to come from amazon.co.uk. The same could be said for other non-.com editions of the Amazon site.

Closer inspection reveals that the ORDER DETAILS link doesn’t go to an Amazon web-page, but to a completely different site…in this case you’ll be taken to a site that offers you tablets for helping make something bigger! However, there’s nothing to tell you how dangerous the destination site is…a single click can cause a lot of damage.

I use MailWasher Pro as my client-side anti-spam filtering tool; it is kind enough to expand links in e-mails so that the true destination is revealed, as the screenshot below demonstrates:

The learning experience behind this blog post is that you should never trust links at face value. Always hover the mouse over the link and see where it ultimately leads: if it’s not going where you expect it to go, resist the temptation to “just click on it”! If hovering the mouse over the link doesn’t help you, see if you can find the message source (in Outlook, right-clicking on an e-mail and choosing Message Options lets you look at the “Internet Headers” and the raw message).

FYI, here’s the full body of the original e-mail.

Received: ... from forum.mbfpro.biz ([])
by twx8...com with smtp (Exim 4.69)
(envelope-from )
id 1No5Qd-0001Xk-S3
for ...; Sun, 07 Mar 2010 01:37:14 +0000
Date: Sat, 6 Mar 2010 23:59:45 +0400 (UTC)
From: "order-update@amazon.com"
Message-ID: <151840.7152476933828043636.JavaMail.correios@na-mm-relay.amazon.com>
Subject: Amazon.com - Your Cancellation (0713-48571-25595)
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-AMAZON-CLIENT-HOST: online-gp-48l06.iad9.amazon.com
Bounces-to: 20103c7b52838824c217f09b0630caf76b94d527f4@bounces.amazon.com
X-Spam-Status: No, score=4.1
X-Spam-Score: 41
X-Spam-Bar: ++++
X-Spam-Flag: NO

<title>Amazon.com - Your Cancellation
<body bgcolor="#FFFFFF" link="#0066CC">

Dear Customer,
<br />
Your order has been successfully canceled. For your reference, here`s a summary of your order:<br />

You just canceled order #859-8266172-041110

<br />Status: CANCELED

_____________________________________________________________________<br />

<a href="http://almedicgroup.com/robbie.html">ORDER DETAILS</a><br />
Sold by: Amazon.com, LLC
<br />
_____________________________________________________________________<br /><br />

eCards linking to dangerous executable files…

In a previous post I mentioned that phishing and spoofing were still very much in the mainstream. There are many tricks that scammers use in order to convince the unsuspecting Internet user to part with their financial details. One such trick is to send fake e-mails inviting users to click on an “eCard”. In reality, clicking on the eCard link typically leads to a file that can be run on the victim’s computer – even though today’s modern browsers offer many levels of warning, users frequently click on Yes or OK when asked “are you really sure?”

Most of these eCards are trojan horses – they lie in wait watching for useful information such as credit card details, passwords, etc. to be typed into reputable web-sites. They then capture that information and, more often than not, attempt to transmit it to a central source that is capable of making the most of stolen credit card information.

Here’s an example:

As noted in my previous posting, it’s always worth verifying the destination of any links found in e-mails (there are some good comments on that post, with tips worth heeding). However, link aside, the text of the e-mail has a few other clues that suggest it might not be authentic. Look for problems with grammar, spelling mistakes, incorrect spacing, etc. I’ve highlighted a couple in the e-mail above. Also look out for “odd” e-mail addresses that are out of character, e.g. Hallmark would never use a personal e-mail address (other card vendors are available!)

If you are feeling even more adventurous, you could take a look at the message itself. In Microsoft Outlook, if you right-click on an e-mail in the Inbox view and choose Message Options, you’ll see something similar to the text below:

Envelope-to: your.name@yourdomain.com
Delivery-date: Mon, 13 Oct 2008 15:30:19 +0100
Received: from dynamic-123-123.natpool.uc.edu ([])
by pc1.yourmailhost.com with esmtp (Exim 4.69)
(envelope-from )
id 1KpOR9-0007BM-6h
for your.name@yourdomain.com; Mon, 13 Oct 2008 15:30:19 +0100
Message-ID: <09622.bamber@nolan>
Date: Mon, 13 Oct 2008 12:42:56 +0000
From: “123greetings.com”
User-Agent: Thunderbird (Windows/20080213)
MIME-Version: 1.0
To: “friend”
Subject: You have received an eCard
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=4.7
X-Spam-Score: 47
X-Spam-Bar: ++++
X-Spam-Flag: NO

A few things can be gleaned from the e-mail headers. Most reputable eCard web-sites wouldn’t use a client-side e-mail tool such as Thunderbird. Nor would they purport to be “123greetings.com” but actually be a personal e-mail address of a.bbbb@acccgggs.com. Similarly, “friend” isn’t something mainstream vendors would use. A closer inspection reveals that this e-mail appears to have made use of a .edu domain, i.e. an educational establishment may have been used in the transport of this particular e-mail. Indeed, it is this .edu domain that demonstrates the true nature of trojan horses – they don’t always steal your financial details; they sometimes turn your computer into an e-mail hub from which further propagation of the same or similar eCard e-mail takes place. In other words, your computer could be used to send out eCard e-mails.
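As an added example (not code from the original posts, nor part of MailWasher), the following Python script applies the checks described in these two posts to a raw message: it compares the From display name with the real address, looks at the host named in the first Received line, notes a desktop User-Agent, and expands each link to its real destination the way hovering or MailWasher’s link expansion would. The message, host names and addresses in it are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not one of the e-mails quoted above): it claims to be
# Amazon, was handed in by an unrelated host, reports a desktop mail client,
# and its ORDER DETAILS link leads to yet another domain.
SAMPLE = """\
Received: from forum.example-forum.invalid ([192.0.2.10])
\tby mx.example.invalid with smtp (Exim 4.69); Sun, 07 Mar 2010 01:37:14 +0000
From: "order-update@amazon.com" <news@greetings-example.invalid>
User-Agent: Thunderbird (Windows/20080213)
Subject: Amazon.com - Your Cancellation (0000-00000-00000)
Content-Type: text/html; charset=UTF-8

<html><body>Dear Customer,<br />
<a href="http://landing.example.invalid/page.html">ORDER DETAILS</a><br />
<a href="http://www.amazon.com/help">Help</a></body></html>
"""

# Good enough for simple bodies like the one above; a real tool would use an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(host_or_addr):
    """Last two labels of a host or address: 'a.b.amazon.com' -> 'amazon.com'."""
    host = host_or_addr.rsplit("@", 1)[-1].lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def phishing_clues(raw):
    """Return the clues the posts above tell readers to look for, as strings."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    claimed = domain_of(display if "@" in display else addr)  # brand the mail claims
    clues = []
    if domain_of(addr) != claimed:
        clues.append(f"From shows {display} but the address is {addr}")
    hop = re.search(r"from\s+(\S+)", msg["Received"] or "")  # host that handed it in
    if hop and domain_of(hop.group(1)) != claimed:
        clues.append(f"handed in by {hop.group(1)}, outside {claimed}")
    if "Thunderbird" in (msg["User-Agent"] or ""):
        clues.append("User-Agent is a desktop client, odd for a bulk mailer")
    if msg.get_content_type() == "text/html":
        for href, text in ANCHOR.findall(msg.get_payload()):
            host = urlparse(href).hostname or ""
            if domain_of(host) != claimed:  # what hovering (or MailWasher) reveals
                clues.append(f"link '{text.strip()}' really goes to {host}")
    return clues
```

Run it on the sample and four clues come back; the genuine-looking Help link, whose host is under amazon.com, is correctly left alone.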

Incidentally, this particular eCard hit my spam filter before I even saw it. However, whilst my e-mail host has good spam filtering, coupled with my local spam filter (MailWasher Pro), that doesn’t mean other e-mail hosts are doing the same: it’s still possible that an eCard could make it into your inbox.

Again, regular readers will be sucking eggs after reading this post; however, these e-mails are still doing the rounds. I always find it handy to have these real-world examples as demonstrations when I’m explaining the less than salubrious side of the Internet to newcomers.


Spam: recognition

Two things:

1. I know this is spam
2. I know the kind of folks this is targeted at

Anyway, a lot of folks have asked me “how do I know if something is dodgy?” It can be a difficult question to answer, as a lot of IT “things” are intuitive: it’s just obvious. But end users (friends too) don’t want to hear that; they want to know what they can look out for.

Sometimes it’s easy; sometimes end users (and friends) visit dodgy sites, downloading toolbars on their way. Here’s a tip: if a web-site opens a pop-up window and offers you a great new search toolbar, ignore it, click on the red close icon in the top left of the pop-up (or, better still, shut the machine down). The same goes for anything that offers to rid your machine of adware, spyware or other such nasties: it’s very likely that your machine was relatively free from such things…until you click “yes, please scan my computer for adware, etc.”

I’m working on a rather lengthy article/blog posting that covers my suggested security tips, but to keep my writer’s block from setting in, I thought I’d push this out now.

Here’s a typical example of a dodgy e-mail…my comments are in bold italic…they should be enough to get you started.

Return-path: < rmoore @lotto.nl> there’s a space after the ‘moore’ and before the ‘r’
Received: from punt-3.mail.demon.net by mailstore
for id 1E7Big-0000Uk-Lm;
Mon, 22 Aug 2005 12:48:06 +0000
Received: from [] (helo=anchor-hub.mail.demon.net)
by punt-3.mail.demon.net with esmtp id 1E7Big-0000Uk-Lm
for ; Mon, 22 Aug 2005 12:48:06 +0000
Received: from [] (helo=drake.uknoc.co.uk)
by anchor-hub.mail.demon.net with esmtp id 1E7Big-0002rC-Ik
for ; Mon, 22 Aug 2005 12:48:06 +0000
Received: from [] (helo=rmoore@lotto.nl) no space
by drake.uknoc.co.uk with smtp (Exim 4.52)
id 1E7Big-00087e-RE
for ; Mon, 22 Aug 2005 13:48:07 +0100
From: “Director Moore”
Subject: Congratulations: Vernus Millionaire Lotto winner !!! Sounds like a famous name UK-based gambling group…
Mime-Version: 1.0
Content-Type: text/plain; charset=”iso-8859-1″
Date: Mon, 22 Aug 2005 14:48:09
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname – drake.uknoc.co.uk
X-AntiAbuse: Original Domain – scottishdevelopers.com
X-AntiAbuse: Originator/Caller UID/GID – [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain – lotto.nl



Good day,

This is Mrs Rita Moore the Director of vernus Millionaire Lotto in the NETHERLANDS. Vernus Millionaire Lotto is an independent lotto

Suddenly, vernus is lower-case; previously it was sentence-case
Surely The Netherlands?

organization in the Netherlands that is conducting several online lotto programs on the internet. However,we wish to congratulate you

it’s organisation here in Europe, thank you

over your success in our computer balloting sweepstake held on 20th August,2005 in which your email address attached to ticket number
LNT456780909893 and drew the lucky numbers 4-10-12-55-25-87,batch number 4978/NL and consequently won the lottery in the 1st category.
This is a millennium scientific computer game in which email addresses were used and it is a promotional program aimed at encouraging
internet users;so you do not need to buy a ticket to enter for our online lotto program. Note that this program was largely promoted
and sponsored by a group of philanthropist, industrialists from the internet ware industry and some other big multinational firms who
wish to be anonymous. Therefore,you have been approved for a lump sum amount of U.S

Throughout this e-mail, there is no space after each comma: there should be! If this was legit, the use of language would be spot on.

$1million dollars credited as Bond into your security file LOTTERY REF NUMBER Amt/nt/423275/01 with our security agent. This amount
is from the total prize money of $15,800,000 shared among the seventeen international winners in categories C with serial number:
This email is not one of those numerous lotto email scams you might have received in the past which always require you to sign out a
blank cheque or give out your bank information in order to perpetrate their illicit lotto scams.

The give-away. If you believe this, please cut up your credit cards now!

Please note that this winning is very
real and legitimate and your exercising good faith in this our lottery program will enable us remit your winning funds to you in your
preferred mode of payment without any further delay. Therefore,to confirm the legitimacy of our lottery program, the below website is

The Dutch speak and write better English than some of us…

one of the websites we are running over the internet concerning our lottery programs in the Netherlands.


However,to begin your claim,being non-netherlands resident or citizen,you are required within two days to officially notarize your

uh oh, you want me to go to The Netherlands in person? Surely you’ll just bash me over the head with a baseball bat, take my passport, my Euros, my cards, etc. and leave me with nothing but a sore head?

winning claim at the Dutch Court of Justice in the Netherlands to sign the Release Order and the clearance papers that will enable the
paying Creft Consulting Agency release your winning funds to you. But in case you cannot come to the Netherlands within the stipulated
two days,do inform your claim officer to make proper arrangement regarding your claim notarization. Once your claim is fully notarized
and a copy of the Notary receipt from the court is forwarded to us,we will provide you with your Award winning Certificate. Please for
more information concerning the claim of your winning funds,we advise you to forward a confirmation email to your claim officer at the
paying Creft Consulting Agency and as well follow their claim instructions. Below is the contact details of your claim officer:


Wot, no street name and postal district?

TELEPHONE: +31-622851045
EMAIL: snipped@fsmail.net

fsmail.net – hang on, a consulting agency, I think not!

Conclusively,vernus Millionaire Lotto is not a scam organization therefore this mail should not be treated as a scam scheme or be
taken for granted,we are backed up by the appropriate lottery law in the Netherlands and only the successful winners in this our
online lotto program receive this congratulation mail and because you won that is why this mail is being directed to you.

That’ll be right. Not a scam, not to be treated as a scam scheme…yeah yeah. Pull the other one, it has got bells on.

Remember that all prize money must be claimed not later than 7 working days. After the last day, all funds will be returned as unclaimed.
Congratulations once again from our team of staff and thank you for being part of our promotional program.

Rita Moore
(Lottery Coordinator)

This mail was sended with unregistered version of Zmei Mail Sender.Visit http://www.zmei-soft.com for free download of Zmei Mail

“Sended” – wrong tense, another giveaway!

Unregistered? What? A huge commercial lottery outfit like this? Surely they would have their own domain and their own e-mail software. More evidence.


If you receive an e-mail with any of these characteristics, I suggest you delete it without so much as a second glance (I take no responsibility if you delete a legit lottery winning notification!)

Better still, I can recommend a program that can weed out such spam and prevent it from getting into your mailbox in the first place: check out MailWasher Pro. It “sits ahead” of your e-mail client (application) and uses known databases of spam to intelligently mark incoming e-mail as either legit or possible spam: it’s a boon if you’re still on dial-up.
