Sometimes, people just catch you on an off day, causing your usual cool exterior to crack and spew forth a torrent of vitriol and abuse. Today wasn’t one of those days, but ‘Patrick Nortoni’ managed to annoy me a great deal by posting his default spam email nonsense into the contact form on one of my sites:
We would like to get your website on first page of Google.All of our processes use the most ethical “white hat” Search Engine Optimization techniques that will not get your website banned or penalized. Please reply and I would be happy to send you a proposal. In order for us to respond to your request for information, please include your companys website address (mandatory) and or phone number.
Patrick Nortoni
patrick2316@gmail.com
SEO Company
000-000-0000
–
Sent at 21:36.21 on 22nd September 2009 from 122.160.99.22
Where to begin with this nonsense? He sends me a non-personalised email through a mail form using a GMail address and doesn’t even bother to include a real phone number. Hmm.. I wonder why that could be? Let’s take a look at that IP address…
Now I’m sure that there are plenty of hard-working, honest IT workers in India, but I never seem to meet them. All I get are the spam emails for outsourcing my web design work or – in the case of Patrick Nortoni here – my SEO work.
A quick Google search for ‘Patrick Nortoni’ throws up comment spam. Lots of comment spam. Comment spam pimping his great SEO services on pages that have absolutely nothing to do with SEO. Presumably, these are his ‘most ethical “white hat” Search Engine Optimization techniques’. Whatever, I won’t be wasting my time with this fool, and neither should you.
Update:
It’s a funny old game. This post is now 2nd (previously 4th) on Google for ‘Patrick Nortoni’, and not a comment spam in sight.
This afternoon I received an email with the subject “Worldpay CARD transaction Confirmation“, which instantly caught my attention because I use Worldpay while paying off one of my credit cards, and for a moment I wondered if I had done it and forgotten about it.
The email content was as follows:
Thank you!
Your transaction has been processed by WorldPay, on behalf of Amazon Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
and will inform you about delivery.
Sincerely,
Amazon Team
This confirmation only indicates that your transaction has been processed successfully.
It does not indicate that your order has been accepted.
It is the responsibility of Amazon Inc to confirm that your order has been accepted, and to deliver any goods or services you have ordered.
All very convincing and official-looking, but Amazon doesn’t use Worldpay, and the email was not sent to amazon@<my email domain> – it was sent to my office address which is only used for, well, office stuff.
The email attachment is a simple HTML file so it is not picked up as anything dodgy, but it comprises a single META REFRESH line directing you to an executable file hosted elsewhere, so don’t open the attachment.
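A small check for exactly this lure, as an added example that is not part of the original post: it parses an HTML attachment, pulls out any META REFRESH target and flags one that points at an executable. The sample attachment, its host and its filename are constructed placeholders, not the ones from the email.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a one-line META REFRESH lure; host and filename are placeholders.
SAMPLE_ATTACHMENT = (
    '<html><head><meta http-equiv="Refresh" '
    'content="0; url=http://malicious.example/invoice.exe"></head></html>'
)

# Extensions that should never be the target of a "receipt" attachment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".hta", ".js", ".vbs"}


class MetaRefreshFinder(HTMLParser):
    """Collect every URL named by a <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        # content looks like "0; url=http://..."; the url= part may be quoted
        m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1).strip())


def meta_refresh_targets(html: str) -> list:
    """Return the list of refresh targets found in the HTML, in document order."""
    p = MetaRefreshFinder()
    p.feed(html)
    return p.targets


def is_executable_url(url: str) -> bool:
    """True when the URL path ends in an executable extension."""
    path = urlparse(url).path.lower()
    return any(path.endswith(ext) for ext in EXECUTABLE_EXTS)


def classify_attachment(html: str) -> str:
    """'redirect-to-executable' is the pattern described in the post; 'redirect' is any
    other meta refresh; 'clean' means no meta refresh at all."""
    targets = meta_refresh_targets(html)
    if not targets:
        return "clean"
    if any(is_executable_url(t) for t in targets):
        return "redirect-to-executable"
    return "redirect"


if __name__ == "__main__":
    print(classify_attachment(SAMPLE_ATTACHMENT))
```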
One of the major irritants on Twitter is the sheer number of spammy, camwhore types that follow random people in the hope they’ll visit the profile page and click the link to whatever adult service it is they’re offering. Many of these tend to be a single organisation with a referral scheme set up, and everyone who pays to view more pics of the girl on offer ends up putting money in their pocket.
"Kelly Ann"
Occasionally you get a genuine, bona-fide standalone female doing the same thing – sometimes you can tell, other times you can’t. Often it’s the lack of technical knowledge that gives the game away, with links not working, pages down and so forth.
Even rarer, you get something like kellyann18 offering a small selection of pictures to entice people, with the promise of the real goods later. Unfortunately, Kelly Ann (or the webmaster behind it) doesn’t understand that if you give your images sequential number filenames, it’s pretty easy to guess the URLs for the entire set.
FYI, there’s 20 in the series. Numbered 1 to… yeah.
Update:
There’s also this page on the same site – not sure about the legitimacy of that one. I posted the link to Twitter and the images were unlocked in just a few minutes, proving beyond a shadow of a doubt that Twitter users love a headline like “My girlfriend cheated on me. It’s PAYBACK time.”
If you receive an email with the subject ‘Your internet access is going to get suspended’ then don’t panic – it’s another virus doing the rounds that sends out these worryingly-phrased emails in an attempt to trick you into running the attachment and infecting yourself with the payload. Several sites have picked up on it and a few of the popular virus scanning packages had spotted it already.
The message reads:
Your internet access is going to get suspended
The Internet Service Provider Consorcium was made to protect the rights of
software authors, artists. We conduct regular wiretapping on our networks,
to monitor criminal acts.
We are aware of your illegal activities on the internet wich were originating from
You can check the report of your activities in the past 6 month that we have
attached. We strongly advise you to stop your activities regarding the illegal
downloading of copyrighted material of your internet access will be suspended.
Sincerely
ICS Monitoring Team
The message contains a randomly-named zip file in the format user-XXXXXXXX-activities.zip and after extracting the file is user-XXXXXXXX-activities.exe where XXXXXXXX is random characters.
The malware registers a Winlogon notification package so that the installed module is loaded into the address space of winlogon.exe. The files cabpck.dll (known as Mal/TinyDL-T by Sophos), k86.bin and krnlcab.sys (known as Backdoor:Win32/Haxdoor by Microsoft) are created in the %System% folder.
A directory %Temp%\msi_setup will be created and a new connection with some host is made: http://****-****.biz/jerken/data.php?trackid=706172616D3D6 or http://*****.net/22/data.php?trackid=706172616D3D636D64266C616E6
It makes a change from the usual ‘Please find your receipt attached’ approach, but my main concern is the number of clients who will instantly think they’ve done something wrong and go ahead and get infected.
It began, as so many adventures do, with a chance tip from a concerned netizen. A lady on the Internet had received an email saying she had won the Lottery and had been in communication with the offenders when she decided she didn’t like the way things were going. She emailed us, and things happened.
Many moons ago I wrote a Lottery Results website. The lady emailed us with an alternate address, revealing that the scammers had copied the entire website – including the list of Lottery Scam Emails – in order to give their 419 Email Scams that added air of legitimacy.
There were several changes, all geared towards getting an unsuspecting user to type in a username and password (supplied in the scammers’ original email) and then enter their legitimate bank account details. No doubt the scammers would plunder the account, leaving the scammee high and dry.
The WHOIS for uknlotteries.com showed it was on a free hosting company, Freehostia, and that the domain was purchased through ns.com / tucows.com on 14th August – just a week before we were told about it. Pinging the domain gave 64.72.119.253 – an IP handled by AlphaRed.com. All of these companies were sent a copy of our 14-Page report.
Next up, we noticed that the ‘Contact Us’ page still contained the IP and Host Name of the person who downloaded the first copy of the site – ironically this was a security thing:
80.178.248.142.satcom-systems.net / 80.178.248.142
Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)
This was an IP address in Israel. A quick search of the server logs showed that users from Satcom Systems had been visiting at least as early as October 2006.
Examination of the source code revealed other domains in use by the spammers: CTBPLC.co.uk (Not working) and GCBOFLONDON.com (A holding page on a Microsoft Office service). Another free hosting company, Multiververs.com, was used for the latter.
The /secured/ folder did not contain an index file and so we were able to examine the other files in that directory. We found IP activity mini-logs from Web2FTP.com for the following IP addresses:
Further examination of other known file paths that were cloned revealed that 82.206.163.11 was the IP of the user who had uploaded the files to the fake domain.
IP WHOIS Info for 82.206.163.11? Yep…
inetnum: 82.206.163.0 - 82.206.163.255
netname: CUST-SUBURBANTELE
descr: Reassignment to Suburban Telecom
country: NG
admin-c: BA771-ripe
tech-c: BA771-ripe
status: ASSIGNED PA
remarks: *************************************************************
remarks: * *
remarks: * For issues of abuse related to this IP address block, *
remarks: * including spam, please send email to at: *
remarks: * *
remarks: * s.ayonote@suburbantelecom.com *
remarks: * *
remarks: *************************************************************
mnt-by: AS22351-MNT
mnt-lower: AS22351-MNT
changed: TAC.OPS@Intelsat.com 20060623
source: RIPE
person: Bruce Ayonote
address: Plot 1105 Durban Street Wuse II
address: Abuja, Nigeria
phone: +234 80 3313 7201
e-mail: bruceayonote@hotmail.com
nic-hdl: BA771-ripe
mnt-by: AS22351-MNT
changed: tac.ops@intelsat.com 20030611
source: ripe
A quick IP WHOIS on the other IP addresses confirmed it – a classic Nigerian 419 Scam.
A copy of everything we’d found was sent to all concerned parties and the website was gone 10 hours later, with Freehostia being first to pull the plug. As of right now, we don’t know if the scammers can still access the domain, so it’s possible that the site will reappear on another hosting company. We’ll have to keep an eye out for that one.
Updated 6th June: It appears the scammers have created more than one site – this one actually made it into Google’s listings. I’ve tipped off the hosting company, as before, and we’ll see what happens.
Updated September 12th: Finally got rid of it. The hosting company in this case was a little less willing to help and had to be reminded, and even then asked for proof that it was a cloned and phishing site.
By now, many of you will be well aware of my hatred for all things MySpace-related. Here’s a typical email exchange, illustrating just why I detest them…
Subject: you are downloaded stuff to my computer without my permission
i do not know why u r pop up on my screen but can u please tnot pop up
Sure, I can ‘tnot pop up’. Suspecting another d04.net scam, since the email had come in via the d04.net account, I wrote back:
Hi,
D04.net does not download anything to anyone’s computer. It is a simple web page. Please read about what d04.net is before emailing. Thanks.
http://www.d04.net/
What link did you click on to get to the website? What site did it link to? (should end in d04.net is it’s on our service).
D
Of course, that didn’t actually make the writer stop and think…
yes it does it putting nasty web sites on my comnputer thank i have alrwady report it to spam any way u do not know what u are talking about every time i trying to send someone a message a my space your web site po up why
Oh noes! I’ve been ‘alrwady report to spam’! I write back again…
Please tell me what address is at the top of the page. Do you see a blue bar across the top with a ‘Report This Site’ button on it? If so, please click the button and I will know what site you are talking about.
Please don’t tell me what my site does or doesn’t do – I wrote it. If you are not willing to answer the questions I ask, I can’t help you.
D
But no, I was WRONG! I obviously DON’T know what my own website does…
yes it does when i try to get on my space to send message to some one why do your web page come up u know i am going to report u to spam
Perhaps my web page comes up because.. I dunno.. you’re not looking at MySpace anymore or something equally impossible? Honestly, I couldn’t be bothered to write back after this because it was only going to go downhill from here. Sheesh!
The war on Spam Filters continues with a new assault – images hosted on ImageShack. You receive an email with just a couple of lines of random text and a link to an ImageShack image. That’s your lot.
ImageShack themselves seem to be pretty quick about taking them down, possibly because others have already reported them, as I’ve never actually seen one working. This leads me to suspect spammers have become even more retarded than previously.
Over the past few days I’ve had over a million hits from MySpace.com – thousands and thousands of users clicking a link that leads them to a d04.net page. The page explained that the link they’d clicked had been disabled because it had violated our terms and conditions. Straightforward enough, right?
Evidently not for the MySpace crowd! I had hundreds of emails showing a varying level of spelling ability, all asking me why their precious MySpace pages had been blocked. I hadn’t blocked a single person’s MySpace page you understand – just the link to the fake site.
For doing this, I’ve been called a spammer and a hacker. I’ve been told I suck and that people are fed up with my shit. I’ve witnessed a whole gamut of badly-written pleading as people cry about their MySpace, claim they didn’t do anything and won’t ever do anything like it ever again, honest. I’ve even had people send me their login details asking me to fix things – what the hell’s wrong with these people?
So anyway, d04.net is now offline and will remain so until I can be bothered to rewrite it all, making it even more restrictive and even more hassle for me to run – all because some people on the Internet can’t be trusted. And this is why we can’t have nice things.
You’ll understand why I’m in no rush to resurrect it.
UPDATE: (Actually it’s now Sunday, but what the heck)
It appears some of the MySpace users who can’t read a URL have reported d04.net to McAfee Site Advisor which redirects you to a page reading:
“d04.net/ may try to steal your information.
Why were you redirected to this page? We believe this site may be
trying to trick you into entering your financial or personal
information. This is a serious security threat which could lead to
identity theft, financial losses or other dissemination of personal
information. “
I’ve emailed them with an explanation and hopefully they’ll have a real live human with a working brain look at the situation and … ah who am I kidding?
Holy shit. I wasn’t going to post so soon after yesterday’s but this is insane. I am running SpamAssassin on this server, which awards points to emails based on various criteria and treats them as spam above a cut-off. Bearing in mind the default (afaik – mine is anyway) cut off is 6 points, I was somewhat surprised to see a message that scored a whopping 49.8 points in my junk tray – a good five points over my previous record.
Here’s the summary – why the hell did the sender think this would ever get anywhere?
Spam detection software, running on the system "xxxxxxxxxxxxxx", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see the administrator
of that system for details.
Content preview: email advertise like this to 8,000,000 people... free..
http://www.advertisingemailcorporation.com/ the above noncommercial
offer is only for noncommercial charities only. press on charity info on
our web site for full and complete details. this offer is not a
commercial service and is not at all for sale or lease or trade of any
kind. [...]
Content analysis details: (49.8 points, 6.0 required)
pts  rule name                   description
---- --------------------------  --------------------------------------------------
2.4  MSGID_YAHOO_CAPS            Message-ID has ALLCAPS@yahoo.com
4.5  MIME_BOUND_DD_DIGITS        Spam tool pattern in MIME boundary
1.0  NO_REAL_NAME                From: does not include a real name
1.5  FROM_BLANK_NAME             From: contains empty name
2.2  HELO_DYNAMIC_SPLIT_IP       Relay HELO'd using suspicious hostname (Split IP)
4.4  MSGID_SPAM_CAPS             Spam tool Message-Id: (caps variant)
0.0  UNPARSEABLE_RELAY           Informational: message has unparseable relay lines
3.5  BAYES_99                    BODY: Bayesian spam probability is 99 to 100% [score: 1.0000]
1.5  RAZOR2_CF_RANGE_E8_51_100   Razor2 gives engine 8 confidence level above 50% [cf: 100]
1.5  RAZOR2_CF_RANGE_E4_51_100   Razor2 gives engine 4 confidence level above 50% [cf: 100]
1.0  RAZOR2_CHECK                Listed in Razor2 (http://razor.sf.net/)
0.5  RAZOR2_CF_RANGE_51_100      Razor2 gives confidence level above 50% [cf: 100]
2.2  DCC_CHECK                   Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
3.9  RCVD_IN_XBL                 RBL: Received via a relay in Spamhaus XBL [83.45.130.42 listed in sbl-xbl.spamhaus.org]
1.9  RCVD_IN_NJABL_DUL           RBL: NJABL: dialup sender did non-local SMTP [83.45.130.42 listed in combined.njabl.org]
3.7  RCVD_DOUBLE_IP_SPAM         Bulk email fingerprint (double IP) found
1.8  MISSING_SUBJECT             Missing Subject: header
0.8  DIGEST_MULTIPLE             Message hits more than one network digest check
1.6  MISSING_MIMEOLE             Message has X-MSMail-Priority, but no X-MimeOLE
2.1  REPTO_QUOTE_YAHOO           Yahoo! doesn't do quoting like this
3.7  FORGED_MSGID_YAHOO          Message-ID is forged, (yahoo.com)
4.1  FORGED_MUA_OUTLOOK          Forged mail pretending to be from MS Outlook
The original message was not completely plain text, and may be unsafe to open with
some email clients; in particular, it may contain a virus, or confirm that your address
can receive spam. If you wish to view it, it may be safer to save it to a file and open
it with an editor.
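To make sense of a report like this without reading it by hand, here is an added example (my own, not part of the original post or of SpamAssassin) that parses the “Content analysis details” block, re-joins wrapped description lines, checks that the rule scores really add up to the header total, and pulls out any DNS blocklist listings. The embedded report is a constructed excerpt: the rule lines are a subset of the ones above, with the totals line adjusted to match that subset.

```python
import re
from decimal import Decimal

# Constructed excerpt in SpamAssassin's report format; header total matches the subset.
SAMPLE_REPORT = """\
Content analysis details:   (20.6 points, 6.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.4 MSGID_YAHOO_CAPS       Message-ID has ALLCAPS@yahoo.com
 4.5 MIME_BOUND_DD_DIGITS   Spam tool pattern in MIME boundary
 2.2 HELO_DYNAMIC_SPLIT_IP  Relay HELO'd using suspicious hostname (Split
                            IP)
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [83.45.130.42 listed in sbl-xbl.spamhaus.org]
 4.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
"""

HEADER_RE = re.compile(r"Content analysis details:\s*\((-?[\d.]+) points, ([\d.]+) required\)")
HIT_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s+(.*)$")
LISTING_RE = re.compile(r"\[([\d.]+) listed in (\S+)\]")


def parse_report(text):
    """Return (reported_total, required, hits); each hit is (score, rule, description)
    with wrapped description lines re-joined. Decimal keeps the sums exact."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no 'Content analysis details' header found")
    total, required = Decimal(m.group(1)), Decimal(m.group(2))
    hits = []
    for line in text.splitlines():
        h = HIT_RE.match(line)
        if h:
            hits.append([Decimal(h.group(1)), h.group(2), h.group(3).strip()])
        elif hits and line.startswith("    "):
            # indented line: continuation of the previous rule's description
            hits[-1][2] += " " + line.strip()
    return total, required, [tuple(h) for h in hits]


def verdict(text):
    """Summarise the report, refusing to trust a header total the rule lines do not support."""
    total, required, hits = parse_report(text)
    computed = sum(h[0] for h in hits)
    if computed != total:
        raise ValueError(f"rule scores sum to {computed}, header says {total}")
    listings = []
    for _, _, desc in hits:
        listings.extend(LISTING_RE.findall(desc))
    return {
        "total": total,
        "required": required,
        "is_spam": total >= required,
        "rule_count": len(hits),
        "rbl_listings": listings,  # (ip, zone) pairs from "listed in" notes
    }


if __name__ == "__main__":
    print(verdict(SAMPLE_REPORT))
```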
I’m getting heartily sick of the whole email/spam/rbl situation at the moment.
Our office IP was blocked because we sent out a mass email on behalf of a customer, and it’s proving a pain in the arse to get it off the block lists. Not only does it take weeks, but customers are apparently using RBLs that – according to DNSStuff at least – should not be used.
AOL decided to block email from our server because we had an insecure script on there at some point in the past. Rather than TELL us, they just blocked us and left it at that. Thanks, AOL! I’m now jumping through their hoops to try and get the ban lifted so that our clients can receive email directly (some of them insist on having their email forwarded to AOL, sigh…) rather than having me forward the bounces.
Customers don’t seem to appreciate how much spam/virus crap we’re dealing with these days. With SpamAssassin and MailScanner both running on the server I still receive around 30 a day that are slipping through. We have our spam filter level set at the default of 6 points and it catches the occasional legit email, so I dare not set it any lower.
And just today I had some stupid script kiddy hacker crap to put up with. Some pillock over at 222.121.133.34 (a Kornet IP) decided to script scan the server for default passwords, over and over again, from the same IP. Thanks, Korea! Jesus. I’ve sent them an email but I’m not holding out much hope.