Spam, spam, spam
December 5, 2004 8:51 AM

From the "...da hell?" department: I received this e-mail recently. Now, I live in Chicago, so I'm not too concerned about the warnings; but I'm wondering why in the world a spammer would send me this. [a little more inside]

What confuses me about this is why a spam would include strings of random characters that aren't meant to be seen (the white ones — the original background was white as well), and more importantly why a spam would send me to a website that doesn't appear to be selling anything or harbouring any malicious Javascript. Any thoughts?
posted by Johnny Assay to Computers & Internet (25 answers total)
 
To soften spam filters. If a user marks this as junk, their email program will mark its words as spammy. The idea is that eventually all words become marked as spammy and the filter can no longer tell the difference between spam and not-spam.
posted by cillit bang at 9:00 AM on December 5, 2004


the spammer is simply checking whether your email address is live.

your email address didn't bounce - check.
the email message was opened - check.
the URL inside of the email message was clicked on - check.

prepare for a tsunami of spam, Johnny Assay!
posted by seawallrunner at 9:00 AM on December 5, 2004


There's also a trojan on the page it links to.
posted by borkingchikapa at 9:08 AM on December 5, 2004


Firefox showed a completely empty page for the url hugewave.com - IE6 blocked a popup. Having allowed it, I am now running AVG and crossing my fingers.

Don't go there, folks.
posted by dash_slot- at 9:58 AM on December 5, 2004


Crap, I did. (Saw it in Firefox.) Do I have to worry now?
posted by CunningLinguist at 10:03 AM on December 5, 2004


It was .org by the way.
posted by CunningLinguist at 10:04 AM on December 5, 2004


I doubt this is dangerous though - a whois lookup gives a name for the registrant, which a google search on that person's name seems to indicate is genuine, as a phone no. and map link are there too. Spammers and hackers tend to be more elusive than that, right?
posted by dash_slot- at 10:06 AM on December 5, 2004


firefox works fine for me, with no popups (and what is a "trojan" on a webpage?), but the url in the email is hugewave.org. not com.

however, it seems to be owned by someone in the usa and seems to be a (modified) copy of this page.
posted by andrew cooke at 10:08 AM on December 5, 2004


oh. and what everyone else said.
posted by andrew cooke at 10:09 AM on December 5, 2004


Response by poster: cillit bang: That makes sense. I suppose the random strings of letters are there to intentionally trigger the spam filters?

seawallrunner: I suppose it's true that the e-mail didn't bounce, but how would the spammers know that it was me that clicked on the link? As far as I can tell, there are no identifying tags in the hyperlink. (The copy I linked is identical to the one received, except for changing the background colour.)

borkingchikapa: I was afraid of that... But when I view the source (in either Safari or Firefox), I don't see anything other than circa-1995 HTML code. Where's it hiding?

On preview: Crap, I hope I haven't caused anyone's computer permanent damage by putting up the link. If somebody's reading this without having clicked on the link, please exercise caution when doing so.
posted by Johnny Assay at 10:12 AM on December 5, 2004


Best answer: This seems to be a new type of spam that is solely designed to get you to click on the link so that the site can try to exploit a hole in your browser to install some malware. In this case, the exploit is only attempted if you are using IE.

I've seen another one that claims to be a receipt for an order you placed. Other than having no specific information, the email and the site look semi-legit, so you could easily go there thinking someone had stolen your credit card number and wanting to check it out.

I have to disagree with everything seawallrunner said. Spammers don't receive bounces since they usually send the messages from zombie machines with phony return addresses. They don't know whether you opened the message unless it contains a "bug" image (this message doesn't), and you have images set to load. And they would only be able to tie clicking on a link to your address if the link had some identifying information, and this one doesn't.

If the exploit works, the spammer gains by getting another zombie machine to send commercial messages from.
posted by mcguirk at 10:13 AM on December 5, 2004


To reiterate, that site gives you a completely clean page (or so it seems) if you use Firefox, but it gives you all kinds of evil stuff if you use IE. Don't try it with IE unless you're pretty confident about your security situation (and with IE, I don't see why you would be...)
posted by mcguirk at 10:16 AM on December 5, 2004


Yes, it was .org, as C_L says.
I just left a message on an ansafone to a US number, which recording did use the same name as the one in the whois database. I'll post here if they call me back.
posted by dash_slot- at 10:17 AM on December 5, 2004


Whew. Thanks.
posted by CunningLinguist at 10:20 AM on December 5, 2004


ah, ok. if you use ie6 without sp1 then you're taken to http://www.danger-tsunami.com/index2.html

that page then attempts to download http://www.danger-tsunami.com/server.exe which contains the trojan BackDoor.CommInet

but to be infected you'd need to:

- get that far (it will only redirect you if it thinks it has a chance of successfully infecting you)
- not have recent patches applied
- execute the downloaded program (rather than, say, saving to disk)

you should not be harmed by simply looking at the page. and if you have the latest avg, it detects the trojan.

sorry for questioning this....
posted by andrew cooke at 10:36 AM on December 5, 2004


"I doubt this is dangerous though - a whois lookup gives a name for the registrant, which a google search on that person's name seems to indicate is genuine, as a phone no. and map link are there too. Spammers and hackers tend to be more elusive than that, right?"

The server could have been compromised without the owners having any idea.
posted by mcguirk at 10:36 AM on December 5, 2004


Good point mcguirk. Thanks Andrew - it looks like there is some mischief here, and who knows if the person registered is genuine.
posted by dash_slot- at 10:43 AM on December 5, 2004


Just to be safe, I have taken the liberty of looking up the WHOIS for www.hugewave.org and donating the registrant's e-mail address (let_perez@e-mail.com) to any and all spammers I can find. Can only hope that it is a real address.
posted by mervin_shnegwood at 12:17 PM on December 5, 2004


and if he'd been hacked?
posted by andrew cooke at 12:28 PM on December 5, 2004


Fine pair of boots, soldier.
posted by dash_slot- at 1:19 PM on December 5, 2004


Collateral Damage
posted by mervin_shnegwood at 1:35 PM on December 5, 2004


I don't know what's detecting it as Backdoor-CommInet, but this is Berbew:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.berbew.m.html

only the server it reports the stolen info to is waveplanet.org.

Nasty stuff this, it hides all its files to avoid detection. Manual removal: grab HijackThis and kill its 'SSODL' entry, then reboot and you can wipe the files from System32.
posted by BobInce at 1:43 PM on December 5, 2004


I really hope you didn't do what you said you did. We were kinda doing ok without vigilante action. Collateral damage isn't what we wanted: information would have been sufficient. Got any?
posted by dash_slot- at 1:43 PM on December 5, 2004


strings of random characters: generated individually for each spam so as to prevent identical text among the various missiles in the spam salvo. It's a bit outdated, in spam-tech: smarter new filters will take the presence of random alphabetic non-word gook as a sign OF spam. But not everybody uses smart new filters, at the client level or at the service level.

I laughed out loud the first time I got a piece of spam that had random Quotable Quotes in it instead, because it was such a brilliant response to just that vulnerability -- instead of using random letters that tip off a Bayesian filter as non-normal, use random phrases of perfectly legitimate English phrases.

Mark Twain adage, Dorothy Parker poem, c-1-a-l-i-s spam link, Yogi Berra quote.

Motherfuckers.
posted by cortex at 3:55 PM on December 5, 2004
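As an added example (not from anyone in this thread), a small Python audit that checks an HTML mail for the tricks discussed above: same-colour-as-background text filled with random letters, which cillit bang and cortex describe as a way to poison word-based filters, and the two per-recipient tracking devices mcguirk says this particular mail lacks, a 1x1 "bug" image and a link carrying an identifying token. The sample message, the example.invalid URLs and the gibberish heuristic are my own constructions.

```python
from html.parser import HTMLParser
import re
from urllib.parse import parse_qs, urlparse

class EmailAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.bgcolor = "#ffffff"      # browsers default to a white page
        self.font_stack = []          # nested <font color=...> values
        self.hidden_text, self.web_bugs, self.tokenised_links = [], [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "body" and a.get("bgcolor"):
            self.bgcolor = a["bgcolor"].lower()
        elif tag == "font":
            self.font_stack.append((a.get("color") or "").lower())
        elif tag == "img" and a.get("width") == a.get("height") == "1":
            # a 1x1 image in a mail exists only to report that it was opened
            self.web_bugs.append(a.get("src", ""))
        elif tag == "a" and a.get("href"):
            # a long opaque query value can tie a click to one recipient
            q = parse_qs(urlparse(a["href"]).query)
            if any(len(v) >= 8 for vals in q.values() for v in vals):
                self.tokenised_links.append(a["href"])
    def handle_endtag(self, tag):
        if tag == "font" and self.font_stack:
            self.font_stack.pop()
    def handle_data(self, data):
        # text whose <font> colour equals the background is invisible to the reader
        if data.strip() and self.font_stack and self.font_stack[-1] == self.bgcolor:
            self.hidden_text.append(data.strip())

def gibberish_ratio(words):
    """Share of alphabetic tokens with no vowel or five consonants in a row (heuristic)."""
    toks = [w for w in words if w.isalpha()]
    bad = [w for w in toks if not re.search(r"[aeiou]", w, re.I)
           or re.search(r"[^aeiou\W]{5,}", w, re.I)]
    return len(bad) / len(toks) if toks else 0.0

def audit(html):
    p = EmailAudit()
    p.feed(html)
    hidden = " ".join(p.hidden_text).split()
    return {"hidden_words": len(hidden), "hidden_gibberish": round(gibberish_ratio(hidden), 2),
            "web_bugs": p.web_bugs, "tokenised_links": p.tokenised_links}

# Constructed sample, not the mail from the thread; it carries every trick so each check fires.
SAMPLE = """<html><body bgcolor="#FFFFFF"><p>Tsunami warning, see <a href="http://example.invalid/">this page</a></p>
<font color="#ffffff">xqzpt vrkls mnbvc plqwr</font><img src="http://example.invalid/px.gif" width="1" height="1">
<a href="http://example.invalid/c?id=a8f31c9e2b">click</a></body></html>"""
```

Running `audit(SAMPLE)` reports four hidden words, all of them gibberish, one web bug and one tokenised link; on a plain mail every counter stays empty.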


The controlling server waveplanet.org is now down, but it's surprising I was (apparently) the first to contact the ISP in question, as this has been around a few days:

http://notices.ucs.uwa.edu.au/virus.html

The exploit-running servers are still very much running, so I'm sure the trojan will just switch to another hacked server. sigh.
posted by BobInce at 5:40 PM on December 5, 2004

