
Real World Time to Receive Spam #2

On Saturday morning I wondered how long it would take spam to come into a new email address that was mentioned in a blog post (See Real World Time to Receive Spam.) The answer is: 2.02 days (2 days and 24 minutes). It was a congratulatory email that I had won a World Bank/EU lottery.

How about this address: b3640d1905f542f6a099beebc3528862@planetmike.com

What does DRM stand for?

DRM = Digitally Ruined Music

Full Feeds Available

I’ve just switched back to full feeds for the RSS for PlanetMike. I turned them off a while ago when Bitacle (now Muestrarios.org (Spanish for “Sample Books”)) was stealing tons of my articles. Let me know if you prefer the full feeds or not. You can get my feed from http://www.planetmike.com/journal/feed/.

Filmloop shared info with Mixercast?

Back on February 3, 2006 I registered with Filmloop.com, probably based on Guy Kawasaki’s recommendation from his blog. I don’t think I ever did anything with the system though. I also have never received any email to that address. Until today. This morning I received an email from Mixercast.com to my Filmloop address. A Google search shows some of the executive team from Filmloop went over to Mixercast. It seems wrong to take customer lists from one venture to another. It probably is wrong, but I don’t have a copy of Filmloop’s privacy policy from Feb. 2006, so it will be a hassle to find a copy of it.

Filmloop is now owned by Fabrik.com. Their privacy policy says they won’t share information. To find their privacy policy, simply click on “Sign up” from filmloop.com, then the link for their terms, then you can find the link for their privacy policy.

Also, the Mixercast email violated CAN-SPAM: there was no way to stop receiving the messages, and there was no physical mailing address. And they violated their privacy policy: “We will give you ability to opt out of any Mixercast promotional e-mails. Simply click on the appropriate opt out button to remove yourself from future e-mails.” They didn’t include the opt-out link. I’ve emailed Mixercast’s privacy manager; I’ll see how they respond.

(Update 8/25/2007 9:56am: The second sentence of the Mixercast privacy policy says: “For our complete Privacy Policy, click here.” Of course, there is no link at the “click here.” Sigh.)

(Update 8/25/2007 9:59am: Email messages to invitations@mixercast.com AND help@mixercast.com both bounced. Invitations was full (probably of bounced messages), and help doesn’t exist in their virtual mailbox table. I’m resending to other addresses.)

Real World Time to Receive Spam

On August 6th, I wrote about WordPress Commenting Plugin Needed. In that post I created a unique email address as an example of the hashed address I use at every web site I post at.

The first piece of spam to that address came in on August 9th, at 12:50pm, only 2.97 days later, and the address has now received nine spam messages. I wonder about these addresses: ecb80ebc837b5ea93029cfe7d21efcd3@planetmike.com vs. 46c11274d356ffad0be341cd1c0b5018@planetmike.com.
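One way to issue a per-site hashed address and later trace incoming spam back to the site that received it, as an added example that is not code from this blog. The post does not say how its addresses are derived; the keyed HMAC construction, the secret and the site names below are assumptions.

```python
import hashlib
import hmac

DOMAIN = "planetmike.com"         # domain seen in the post's example addresses
SECRET = b"constructed-demo-key"  # assumption: a private key only the owner holds

def address_for(site, secret=SECRET, domain=DOMAIN):
    """Derive the unique address handed to one web site (assumed scheme).

    A keyed hash is used so that nobody else can compute the address
    that belongs to a given site name.
    """
    name = site.strip().lower().encode()
    tag = hmac.new(secret, name, hashlib.sha256).hexdigest()[:32]
    return f"{tag}@{domain}"

def build_index(sites, secret=SECRET):
    """Map each issued local part back to the site it was given to."""
    return {address_for(s, secret).split("@")[0]: s for s in sites}

def attribute(recipient, index, domain=DOMAIN):
    """Return the site an address was issued to, or None if never issued.

    None covers both foreign domains and nonsense local parts that only
    arrive because a catchall is enabled.
    """
    local, _, rcpt_domain = recipient.strip().lower().partition("@")
    if rcpt_domain != domain:
        return None
    return index.get(local)

# Constructed site names, not the sites the author registered with.
SITES = ["photos.example", "forum.example"]

if __name__ == "__main__":
    index = build_index(SITES)
    leaked = address_for("photos.example")
    print(leaked, "->", attribute(leaked, index))
```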

IRS Scam moved

The IRS Scam I wrote about yesterday is on another server, now in South Africa: http://smtp1.cnwweb.co.za/~admin/irs/ . The from is now service@irs.com, and the reply-to is no-reply@irs.com. Many thanks to Susan who let me know that IRS phishing scams can be reported at phishing@irs.gov.

New Internal Revenue Service Scam

I just received two messages from the “Internal Revenue Service” sent to two different email addresses. I am going to get $109.30! The address in the From was “notice@irs.com” while the Reply-To was “no-reply@irss.com”. To collect my refund, I go to “http://www.redalkemi.com/try/irs”. The refund amount of $109.30 is hard coded on that page (on a server based in India), since I didn’t give them any information to access my account. The messages were probably sent through infected Windows machines.

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of 109.30 .Please submit the tax refund request and allow us 6-9 days in order to process it.

You can apply for your refund online here.

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline. Please be carefull when entering your data.

Regards,
Internal Revenue Service

© Copyright 2007, Internal Revenue Service U.S.A..

How many ways did this scam get it wrong?

  1. No dollar sign in front of the refund amount
  2. No physical mailing address
  3. Only 6-9 days to process the refund. Is it even possible for the IRS to work that quickly?
  4. The IRS never makes notifications via email in the first place
  5. Typo, no space after a period at the end of a sentence
  6. Misspelling of careful
  7. Only go to irs.gov for IRS issues

Remember, never ever give out SS#, any kind of financial account information, or password/login information in response to an unsolicited email.

Whois info trace, leading to some big names who are being abused:

Net Neutrality vs. Comcast

If I am paying X amount of bucks for a connection to the wider Internet, I should be able to use that connection for any content, over any protocol I wish to use. Comcast is now blocking an entire class of customers, by restricting all access to the BitTorrent protocol. I use BT to download disk images of Linux distributions. It’s an entirely valid, legal use. Would they rather I flood their pipes with tons of downloads? Yet another reason to not use Comcast. See Comcast Throttles BitTorrent Traffic, Seeding Impossible for more information.

“This advertisement is presented by” spam has stopped

On March 1, 2007 I started receiving spam sent to me with a “unique” signature. The message footer always started with the phrase “This advertisement is presented by” then a company name. From March 1 through August 13, I received 5,220 spam messages. I’m not sure why they stopped on that date.

Here is one of the companies that presented me with these unwanted, unrequested messages. The name is “AdvantageLanguage, Inc.” although the From field said “Education Alert.” I received 17 messages from them, from March 3 to July 30. Their address is consistently given as 207 W. Phoenix Ave, Flagstaff, AZ, 86001, US. But the return address and the web page (which at least matched) to visit to opt-out changed with each message:


Each URL has the same structure: a 4 digit number, an underscore, a 3 digit number, a slash, the letters usub, a slash, a tracking ID (OTHR_, 3 letters, 7 digits), a slash, then three uppercase letters (which varied, and repeated): http://info.secureinspiron.com/####_###/usub/OTHR_ZZZ#######/ZZZ

The only domain name that currently resolves is cycle-indynamic.com, which has addresses 63.208.231.247 and 63.208.231.246. The others all fail.
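The URL structure described above can be turned into a matcher that flags rotating domains in a mail archive. This is an added example, not code from the post: the field names, the grouping by tracking ID and the sample URLs are assumptions, as is the uppercase reading of the three letters inside the tracking ID.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Path shape from the post: /####_###/usub/OTHR_ZZZ#######/ZZZ on an "info." host.
# Assumption: the letters inside the tracking ID are uppercase, as in the template.
PATH_RE = re.compile(
    r"^/(?P<prefix>\d{4}_\d{3})/usub/"
    r"(?P<tracking>OTHR_[A-Z]{3}\d{7})/(?P<code>[A-Z]{3})/?$"
)

def parse_optout_url(url):
    """Return the pattern fields of a matching opt-out URL, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "http" or not host.startswith("info."):
        return None
    match = PATH_RE.match(parts.path)
    if match is None:
        return None
    fields = match.groupdict()
    fields["domain"] = host[len("info."):]
    return fields

def domains_per_tracking_id(urls):
    """Group matching URLs by tracking ID; several domains under one ID
    indicates the same sender rotating throwaway domains."""
    seen = defaultdict(set)
    for url in urls:
        fields = parse_optout_url(url)
        if fields:
            seen[fields["tracking"]].add(fields["domain"])
    return {tid: sorted(domains) for tid, domains in seen.items()}

# Constructed sample URLs (not taken from the messages described in the post).
SAMPLE_URLS = [
    "http://info.rotating-one.example/1234_567/usub/OTHR_ABC1234567/QRS",
    "http://info.rotating-two.example/1234_567/usub/OTHR_ABC1234567/TUV",
    "http://info.rotating-two.example/1234_567/usub/OTHR_XYZ7654321/QRS",
    "http://www.unrelated.example/1234_567/usub/OTHR_ABC1234567/QRS",      # wrong host
    "http://info.rotating-one.example/12345_67/usub/OTHR_ABC1234567/QRS",  # wrong digits
]

if __name__ == "__main__":
    for tid, domains in domains_per_tracking_id(SAMPLE_URLS).items():
        print(tid, domains)
```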

Here are their Whois records, as of today:

Searching for Catchall Domains?

I received an odd spam this morning. It was sent to a nonsense address at one of my domains that still has the catchall enabled. The body of the message

Return-Path:
Received: from pdngvw.net (unknown [211.63.134.102])
by server1.planetmike.com (Postfix) with SMTP id 88836400001
for ; Wed, 22 Aug 2007 05:01:14 -0400 (EDT)
Received: from kgfhbaq.net ([203.90.8.251]) by pdngvw.net; Wed, 22 Aug 2007 17:59:46 +0900
From: "sg7lvlopuss3qis"
To: "jfdsncbrnzyesdthqqw"
Subject: FS XF
Date: Wed, 22 Aug 2007 17:59:17 +0900
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary= "----=_NEXTPart_QX3_HTY5_NPJ5JM3M.EOPLCRUD"
X-Priority: 3
Message-Id: <20070822090114.88836400001@-snip->
Status: O
X-UID: 3245
Content-Length: 417
X-Keywords:


Ohby

Content-Type: text/html; file="g.html"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="LKmFS.html"

The attached HTML file was actually one line of text:

[[ip.add.re.ss,,,jfdsncbrnzyesdthqqw@-snip-]]

I predict that domain will be used for falsified return addresses for a spam run sometime soon. Or, the argument could be made that domain will not be used for false return addresses.