Dantesoft's pages

do not seek the treasure !

Phish with Nigerian spam

Two messages got past the spam filter this morning, on yahoo, "from" mad.scientist.com: 【Just published Do you wish to increase your volume by up to 500%?】 and on gmail, "from" presidency.com: 【...Unfortunately we have faced some difficulties while receiving payment for our software in our country as need 10-30 days to get a payment from your country.】

The first one (which I won't bother to link to) should have been caught, I think, containing such words as "your woman", "speechless", "Tonight you’ll prove", "excellent formula", "See our shop" and the unambiguous "Have you ever dreamt to have a very hard [censored]". Even this post can now be flagged.


But maybe it got through because it ended with "Laughter is the closest distance between two people You cant buy love". Some subroutine inside the Bayesian filter probably went "What the heck, he needs a good aphorism in the morning".

(Speaking of Idiot's Bayes, see DeconstructingSundance.com. The top menu has more interesting stuff.)

The second one is more sneaky, as the scam usually is. Not easy to flag it as unwanted, unless more people that received it mark it as spam. Which is exactly what GMAIL did, less than one hour later with an almost identical mail, on the same story.

Speaking of the well-thought-out story, I noted bad orthography and grammar, which is strange, and should ring additional warning bells.

Content-Type is text/html, so line breaks are the invisible:
<font color=#fcfcfc>r&d nr lead 4</font><br>
<font color=#fcfcfc>cooper coif junk dewy</font><br>
<font color=#fcfcfc>46 army wahoo claws</font><br>
<font color=#fcfcfc>porch boor hives stars</font><br>
<font color=#fcfcfc>ref fetus twin times</font><br>
<font color=#fcfcfc>elope rep pus lash</font><br>
<font color=#fcfcfc>storm scans uvula boss</font><br>
<font color=#fcfcfc>pores wq bundy drawn</font><br>
Oh yeah. We never saw these tricks before :wink-wink:. Speaking of Hypertextus Interruptus, please consult the excellent Spammers' Compendium for more tricks.
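A check for the near-invisible `<font>` filler shown above, as an added example (not code from the original post). It assumes a white message background and only looks at `<font color=#rrggbb>`; the function names, the 0.05 tolerance and the sample string are assumptions made for the illustration.

```python
from html.parser import HTMLParser

def brightness(color):
    """Return 0..1 brightness of a #rrggbb value, or None for any other form."""
    c = color.strip().lstrip("#")
    try:
        r, g, b = (int(c[i:i + 2], 16) for i in (0, 2, 4))
    except ValueError:
        return None
    return (0.299 * r + 0.587 * g + 0.114 * b) / 255 if len(c) == 6 else None

class HiddenTextFinder(HTMLParser):
    """Splits words into visible ones and ones coloured like the background."""
    def __init__(self, background="#ffffff", tolerance=0.05):
        super().__init__()
        self.bg = brightness(background)
        self.tolerance = tolerance          # assumed threshold, tune on real mail
        self.stack = []                     # one bool per open <font>: near-invisible?
        self.hidden, self.visible = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "font":
            lum = brightness(dict(attrs).get("color") or "")
            self.stack.append(lum is not None and abs(lum - self.bg) <= self.tolerance)

    def handle_endtag(self, tag):
        if tag == "font" and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        target = self.hidden if any(self.stack) else self.visible
        target.extend(data.split())

def hidden_ratio(html, background="#ffffff"):
    """Return (share of words that are hidden, list of hidden words)."""
    finder = HiddenTextFinder(background)
    finder.feed(html)
    finder.close()
    total = len(finder.hidden) + len(finder.visible)
    return (len(finder.hidden) / total if total else 0.0), finder.hidden

# Constructed sample: a visible phrase plus two of the hidden lines quoted above.
HIDDEN_SAMPLE = (
    "<p>See our shop</p>"
    "<font color=#fcfcfc>cooper coif junk dewy</font><br>"
    "<font color=#fcfcfc>46 army wahoo claws</font><br>"
)
```

A high hidden-word share is a useful feature to feed a filter alongside the Bayesian score, since the filler exists only to dilute that score.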


Back on the phishing front, I'd like to report two Y!M attempts, some time ago (I keep myself sooo busy):
(3:52:38 AM) :-O www.geocities.com/ooopsss_101/ #-o =))
(7:04:30 PM) :)) -->> www.geocities.com/gotta_see_too_funny_4/ =))

The pages looked like Yahoo login pages (of course, not the recent default secured ones, by HTTPS)
To get started on Flickr... Sign in to Yahoo!
but the form gets submitted to www2.fiberbit.net/form/mailto.cgi (at least in the second page, which I had the presence of mind to save). All this on some free GeoCities account.

The instant messages got sent without the user's knowledge; I suspect some bug in Y!M (this to push my GAIM agenda). Or it could be as simple as this explanation:
Once the crackers find your Yahoo ID and Password, they log into your Yahoo messenger (either manually or through automated programs) and send a message to everyone in your contact list asking them to visit the site too.


What is surprising is how long it took GeoCities to take down those pages. I tried reporting, but found it almost impossible to contact them, as a netizen who doesn't have an account there.
How do I contact GeoCities Customer Care?

Have questions or feedback? You can contact us anytime via email using one of our email support forms. GeoCities Free members can use our standard form. With a GeoCities Plus or GeoCities Pro plan, you'll get priority email assistance if you encounter a problem or have a question about your plan.

To contact customer support anytime, visit the Help tab of your GeoCities Control Panel. In the upper-right corner of the page, click the "Contact us" link to access the standard or dedicated priority-support email form, depending on your plan.
Terrible. No "control panel", no contact.

Much (too late) later, I found abuse@yahoo-inc.com ("for reports of spam on Yahoo!", but close enough) and http://add.yahoo.com/fast/help/us/geo/cgi_abuse (the link is from an image copyright policy page). How about a more prominent "report abuse" page, GeoCities? Or at least showing the abuse form with the search results for "contact". (I'm not the only one to complain, see this Romanian thread)


I wonder how many of my sister's friends would have fallen for any of the above attempts.


Comments

Just a few days ago, we've discovered a Nigerian scam site has used Opera's address in their web site.

I have asked Yahoo recently to change my email address from yahoo.com domain to yahoo.no. I have received an automated reply about how to sign up for a new Yahoo account and an explanation that simply says I cannot change my Yahoo ID. Actually, I wanted the ID to be kept but the domain of my email address to change.

Do you check sender from RBL? I was using bare Postfix, *without* SpamAssassin and I have never received a SPAM. I was using qmail+SpamAssassin before that and this couple sometimes was leaking SPAM, sometimes marking message as spam and letting it into my mailbox, although I have enabled "delete immediately" option.

By ismailp, # 12. August 2006, 01:29:50

Not much you can do about that CN site...

Maybe you need to rephrase the email, they actually reserve your nickname on all yahoo domains.. so your yahoo.no email is just waiting for you.
As a bonus, I think mail to @yahoo.no should be delivered to your @yahoo.com right now. Or at least the IMs.

I manage nothing. I just use yahoo, and gmail. For the latter account, I also use an additional filter, Opera's Bayesian spam filter in its email client.
But I don't expect any to flag the Nigerian scam as spam. I congratulate GMAIL, though, on its spam filters.

By dantesoft, # 13. August 2006, 20:17:46

UPDATE: (7:54:40 PM) :)) --->> www.geocities.com/lol_just4laughs.com1/ =))

Guess it's still going on / around.

By dantesoft, # 31. August 2006, 18:02:48

UPDATE: (10:03:17 PM) oh my god , i've won a 20000 usd lottery :O http://nsl-school.org/?id=winning_list . Come to my house tonight for a party !! >:D<

Redirects to http://www.look4bride.com/main.php so it looks like it's a different animal, a run-of-the-mill adware infection.

By dantesoft, # 9. November 2006, 20:08:21

This is new

The URL is ASCII-Art encoded, too

By dantesoft, # 5. March 2008, 11:14:32
