📧 The Official Spam Emails Thread™
-
@jbert said in 📧 The Official Spam Emails Thread™:
@tsaukpaetra You thought those "Use your account within 90 days or it will be deleted" mails were spam, didn't you?
Yahoo doesn't send those. Presumably because you wouldn't read them anyways.
-
Not exactly email, but I just got a call from an unknown number, which I didn't pick up. I looked up the number and found one of those "who called" type sites with a bunch of comments:
Telemarketer doing a "survey"
called saying they were [appliance rental company] to sign up for some insurance.
It is [appliance rental company].......call the number back and say you wish to be on their do not call list............haven't received a call back since.
Ok, sounds pretty standard.
stalking ex lover call and noise
Pervert. Breathing like a man masturbating. Call the police. It's so disturbing.
Huh?
Stalker/ romance disguise as a survey. Looking for verbal sex. Hung up on him a few times. Do not answer!
Yeah he works there
So it's either a legit company doing surveys and/or telemarketing, or a pervert, or maybe it's a pervert who works at that company. In any case, I'm glad I didn't pick up.
-
@hungrier said in 📧 The Official Spam Emails Thread™:
I'm glad I didn't pick up.
But ... now we'll never know!
-
It makes a change from v1agr@ spam but I just can't see the response rate being high enough to make this even worth it. Maybe piano teachers know something I don't.
-
@cursorkeys Maybe they misheard something as "improving pianists"
-
Thank you Outlook but that's not my address is it. I wonder how they did that, P1/P2 from address spoofing is easy but to address shenanigans is a new one. Let's just check the headers:
Received: from *****ASA01 (192.168.100.50) by remote.*****.co.uk (192.168.158.105) with Microsoft SMTP Server id 8.3.485.1; Fri, 6 Jul 2018 13:36:14 +0100
Return-Path: hofmann.hanna@t-online.de
X-Envelope-From: hofmann.hanna@t-online.de
X-Envelope-To: *****@*****.co.uk
Received: From mailout05.t-online.de (194.25.134.82) by *****ASA01 (MAILFOUNDRY) id KdA2WoEZEei3AAzE; Fri, 6 Jul 2018 12:36:11 -0000 (GMT)
Received: from fwd23.aul.t-online.de (fwd23.aul.t-online.de [172.20.26.128]) by mailout05.t-online.de (Postfix) with SMTP id C1E26422A6CE; Fri, 6 Jul 2018 14:36:10 +0200 (CEST)
Received: from aijkepqutx (XRxZHcZeYho904yTwMMEo8-syidsJWhPSqYXIWfXUquoHRgzrcdtKyMnVmCGhqDZLb@[160.238.72.88]) by fwd23.t-online.de with (TLSv1:ECDHE-RSA-AES256-SHA encrypted) esmtp id 1fbPxv-1uD6Wy0; Fri, 6 Jul 2018 14:35:59 +0200
From: EDF Energy <hofmann.hanna@t-online.de>
Content-Type: multipart/alternative; boundary="Apple-Mail-FE5CD35B-C2F1-0B08-2DB9-AEACACD34D86"
MIME-Version: 1.0 (1.0)
Subject: Invoice ID494986593376
Message-ID: <BD1FB89B-4EF4-266C-75CB-5F255A43BD76@t-online.de>
Date: Fri, 6 Jul 2018 05:35:59 -0700
To: <adridi@extech.co.uk>
X-Mailer: iPad Mail (13E238)
X-AMQ: http://asqwii.com/link/unsubscribe/nceokwea/
Importance: High
X-Level: 9261.31605-512011.2531871
X-ID: XRxZHcZeYho904yTwMMEo8-syidsJWhPSqYXIWfXUquoHRgzrcdtKyMnVmCGhqDZLb
X-TOI-MSGID: c50f2248-423e-48c9-ac85-4d7977824074
X-MS-Exchange-Organization-PRD: t-online.de
X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (*****.*****.local: hofmann.hanna@t-online.de does not designate permitted sender hosts)
Ok, the X-Envelope-To is at least an address in my domain but it isn't my address either. The To is just wrong.
Anyone know how this got delivered?
Edit:
Let's ask the server what it thought happened!
WUT...
-
@cursorkeys the email headers are all content. The "envelope" is sent in SMTP before any headers.
Edit: Here, look at this: https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_transport_example
-
@cursorkeys X-Envelope-To is not a standard header. I've heard of mail servers which add it, but given that here it is below the topmost Received header, I would class it (and the Received headers below it) as fiction from the sender.
If you are BCC on an email, then it is perfectly reasonable for your email address to not be included in the headers you receive at all.
-
@ben_lubar said in 📧 The Official Spam Emails Thread™:
the email headers are all content
Well, they lead a peaceful unworried existence.
-
Spam? Not sure. But that's not my name, nor have I ever played a game that would require an Epic Games account, let alone made such an account.
-
@ben_lubar said in 📧 The Official Spam Emails Thread™:
@cursorkeys the email headers are all content. The "envelope" is sent in SMTP before any headers.
Edit: Here, look at this: https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_transport_example
Cheers, you and @PleegWat have it. I finally managed to re-create:
Using this:
telnet remote.****.co.uk 25
220 ****ASA01 MAILFOUNDRY ESMTP
EHLO MAIL.TEST.COM
250-****ASA01
250-SIZE
250 HELP
MAIL FROM:A@BADSPAMMER.COM
250 OK
RCPT TO:ME@****.CO.UK
250 OK
DATA
354 OK
To: <totally@invalid.com>
Subject: Spam

Blarg
.
250 Message accepted for delivery
QUIT
221 ****ASA01
So, Exchange only cares about the RCPT TO: for delivery while Outlook will show you any old rubbish from the Envelope Fields.
I learnt more about SMTP anyway
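A receiving-side check for the mismatch discussed in the posts above, as an added example that is not part of any poster's message: it compares the SMTP envelope with the displayed headers and marks which headers sit below the receiving site's own Received stamp. The sample message, the host name `gw01.victim.example`, the finding labels and the function names are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample modelled on the session above; all names are placeholders.
ENVELOPE_FROM = "a@badspammer.example"        # MAIL FROM
ENVELOPE_RCPTS = ["me@victim.example"]        # RCPT TO
RAW = (
    "Received: from mail.test.example by gw01.victim.example (MAILFOUNDRY)\n"
    "X-Envelope-To: someone-else@victim.example\n"
    "Received: from fwd.isp.example by mailout.isp.example\n"
    "From: Energy Co <a@badspammer.example>\n"
    "To: <totally@invalid.example>\n"
    "Subject: Spam\n"
    "\n"
    "Blarg\n"
)

def domain(addr):
    return addr.rpartition("@")[2].lower()

def by_host(received_value):
    # Host name that stamped this Received line ("... by HOST ...").
    m = re.search(r"\bby\s+([^\s;]+)", received_value)
    return m.group(1).lower() if m else ""

def audit(env_from, env_rcpts, raw, local_hosts):
    """Compare what SMTP was told (envelope) with what a mail client displays."""
    msg = message_from_string(raw)
    findings = []
    shown = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if not {a.lower() for _, a in shown} & {r.lower() for r in env_rcpts}:
        findings.append("rcpt-not-in-to-cc")   # BCC, list mail or an invented To:
    if domain(parseaddr(msg.get("From", ""))[1]) != domain(env_from):
        findings.append("from-differs-from-mail-from")
    # Each hop prepends its headers, so everything below the lowest Received
    # line stamped by one of our own hosts arrived with the message.
    items = msg.items()
    stamped = [i for i, (k, v) in enumerate(items)
               if k.lower() == "received" and by_host(v) in local_hosts]
    for name, _ in items[(stamped[-1] + 1 if stamped else 0):]:
        if name.lower() == "received" or name.lower().startswith("x-envelope-"):
            findings.append("untrusted:" + name)
    return findings

if __name__ == "__main__":
    for finding in audit(ENVELOPE_FROM, ENVELOPE_RCPTS, RAW, {"gw01.victim.example"}):
        print(finding)
```

The `rcpt-not-in-to-cc` finding also fires for ordinary BCC and mailing-list mail, so it is a signal to combine with others rather than a verdict.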
-
A 'vacant position' you need filling eh? I warn you, my resume is very long...
Edit: Also, bonus time travel. Didn't notice that originally.
-
@cursorkeys said in 📧 The Official Spam Emails Thread™:
Edit: Also, bonus time travel. Didn't notice that originally.
Your spam could have been sent from New Zealand...
-
@jbert said in 📧 The Official Spam Emails Thread™:
@cursorkeys said in 📧 The Official Spam Emails Thread™:
Edit: Also, bonus time travel. Didn't notice that originally.
Your spam could have been sent from New Zealand...
Originated in Worst Korea if you believe the header trail:
182.211.132.149
IP address : 182.211.132.149
Country Code : KR / KOR
Country Name : Korea, Republic of
Region : 11 - Seoul-t'ukpyolsi
City : Seoul
Continent Code : AS
Internet Service Provider (ISP) : AS17858 LG POWERCOMM
-
This one scared me for a moment:
I'm aware, xxx, is your pass word. you may not know me and you are probably thinking why you are getting this e-mail, right?
Well, I installed a malware on the adult video clips (porn material) and there's more, you visited this web site to experience fun (you know what I mean). While you were busy watching videos, your internet browser began working as a Rdp (Remote desktop) having a key logger which provided me with access to your screen and also web camera. After that, my software program obtained every one of your contacts from messenger, facebook, as well as email.
What exactly did I do?
I've made a double-screen video. 1st part shows the video you were viewing (you've got a good taste rofl), and 2nd part displays the recording of your web cam.
Exactly what should you do?
Well, honestly, $1200 is a reasonable price for our little secret. You'll make the payment by Bitcoin (if you don't know this, search "how to buy bitcoin" in google).
BTC ADDRESS: 12F8h5FLA5TNXHKxxx
(It's case sensitive, so copy and paste it)
Notice:
You now have one day to make the payment. (I've a unique pixel within this mail, and at this moment I know that you've read this email message). If I do not receive the BitCoin, I will definitely send your video recording to all of your contacts including family members, colleagues, and many others. nonetheless, if I do get paid, I will erase the video immediately. If you really want evidence, reply with "yes!" and I definitely will send out your video recording to your 13 contacts. It's a non negotiable one time offer, so do not ruin my personal time & yours by replying to this message.
Ok so:
- The password in the email's first line is one I actually used years ago but never for anything actually important.
- I don't even have a webcam installed on the computer I used for... that purpose
- If he knew anything about me, he'd know I don't use Facebook messenger (have literally never touched it)
- The tracking pixel point is gibberish because it's a Gmail account, and Gmail neuters those. (The pixel is hit by one of their servers, if at all, and when it's hit has no relation to when the email was read. Anybody who's worked with email lists knows that) (In any case, I checked the email's source and there's no tracking pixel.)
BTW the HTML version of the email looks like this:
I<= !-- ftw -->t's<!-- i --> a n<!-- lme -->on<!-- qhp --> n<!-- vdz -->eg<!-- = hw -->o<!-- drm -->ti<!-- cgb -->able<!-- fwt --> on<!-- ki -->e<!-- zvg --= > ti<!-- sos -->me<!-- vc --> offer, s<!-- uwf -->o<!-- h --> d<!-- big -->o n<!-- h -->o<!-- rko -->t r<!-- ow= -->uin<!-- u --><!-- l --> m<!-- r -->y p<!-- h -->ers<!-- y -->on<!-- emm= -->al<!-- uh --> ti<!-- f -->me &<!-- bl --> y<!-- q -->o<!-- mz -->ur= s b<!-- qt -->y rep<!-- da -->l<!-- m -->yin<!-- uem -->g<!-- u --><!-- ab = --> t<!-- zt -->o<!-- r --> t<!-- sqa -->h<!-- vu -->is<!-- r --> mess<!-- klx= -->ag<!-- ev -->e.
I guess to defeat spam filters?
So I'm ignoring that, but now I have the challenge of discovering which site still uses that old password...
I'm tempted to reply with "Yes!" and see what happens. (Nothing will.) But I'm sure that'll just put my email on some list for every spam ever.
EDIT: hm, stumped on that password. Maybe he's the Russian who keeps trying to break into my Yahoo account, the password's old enough it could be for that.
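Why the comment-splitting in that HTML source hides the wording from a plain substring match, and how a filter can normalise the body before matching, as an added example that is not part of the original post. The sample is adapted from the fragment quoted above, with the quoted-printable soft line breaks placed as an assumption; the class and function names are hypothetical.

```python
import quopri
import re
from html.parser import HTMLParser

# Adapted from the fragment quoted above; soft line break positions are assumed.
SAMPLE_QP = (
    b"I<!-- ftw -->t's<!-- i --> a n<!-- lme -->on<!-- qhp --> n<!-- vdz -->eg<!-- =\n"
    b"hw -->o<!-- drm -->ti<!-- cgb -->able<!-- fwt --> on<!-- ki -->e<!-- zvg --=\n"
    b"> ti<!-- sos -->me<!-- vc --> offer"
)

class Extractor(HTMLParser):
    """Collects rendered text and counts HTML comments, which render as nothing."""
    def __init__(self):
        super().__init__()
        self.parts = []
        self.comments = 0

    def handle_data(self, data):
        self.parts.append(data)

    def handle_comment(self, data):
        self.comments += 1

def visible_text(qp_body):
    # Decode the transfer encoding first: soft line breaks ("=" at end of
    # line) can fall inside a comment marker and must be joined before parsing.
    html = quopri.decodestring(qp_body).decode("utf-8", "replace")
    parser = Extractor()
    parser.feed(html)
    parser.close()  # flush text the parser is still buffering
    text = re.sub(r"\s+", " ", "".join(parser.parts)).strip()
    return text, parser.comments

def comment_density(qp_body):
    # Comments per visible word; ordinary HTML mail stays far below 1.
    text, comments = visible_text(qp_body)
    return comments / max(len(text.split()), 1)

if __name__ == "__main__":
    print(b"negotiable" in SAMPLE_QP)   # raw match misses the word
    print(visible_text(SAMPLE_QP))
    print(round(comment_density(SAMPLE_QP), 2))
```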
-
@blakeyrat said in 📧 The Official Spam Emails Thread™:
EDIT: hm, stumped on that password
- Enter your email address into https://haveibeenpwned.com/
- Might you have used the password on any of the sites listed?
-
-
@blakeyrat said in 📧 The Official Spam Emails Thread™:
$1200 is a reasonable price for our little secret.
https://www.theregister.co.uk/2018/07/13/hacker_extortion_scam/ - You seem to be getting a discount.
-
I get dozens of these "get rich with cryptocurrencies" emails per week, but what the heck does "hack the laptop lifestyle" mean? And why is Dana giving me her address?
-
Oh my fucking god.
I gotta hand it to them, these people are creative.
-
@anonymous234 said in 📧 The Official Spam Emails Thread™:
Oh my fucking god.
I gotta hand it to them, these people are creative.
I was looking through Dr. Memory's code and they have constants for Windows versions through 14.
-
@anonymous234 said in 📧 The Official Spam Emails Thread™:
And why is Dana giving me her address?
It makes it look more legit. Presumably not "her" address, of course.
-
Yes, I'll visit some blog about my facebook post that was removed...
-
@Tsaukpaetra To say nothing about bad grammar.
-
@Tsaukpaetra said in 📧 The Official Spam Emails Thread™:
Yes, I'll visit some blog with a Nigerian domain about my facebook post that was removed...
Sounds legit!
-
It's a scam e-mail that's promising compensation to victims of scam e-mails. M-E-T-A
-
@blek If you think about it, who would be likely to fall for that email? Basically anyone who fell for another scam email.
-
@blek
And, after all, it is an official e-mail from the One World Government and the Almighty Dong.
-
@blek Fascinating. I had no idea the United Nations operated out of the University of Iowa.
-
@blek huh well, if you can't trust Paul Watson who can you trust
-
@Gribnit The InfoWars writer?
-
@pie_flavor Middle name not specified. It's in the email scammy thingie, along with lots of other people's names. This one seems... too stupid. But they all seem that way.
That said, that's the only Paul Watson I can think of right now, maybe hit him up on Twitter.
-
Spam notifications:
Yes, Niantic, you want me to play. Fuck off.
-
Where mail provider is providing spam;
GPS is Doomed (No Joke)
Meet the company taking on an $11.2 trillion dollar market. Don't miss this one.
-
@Gribnit Yeah, the main case where GPS is doomed is for consumer use if the tension in the world rises enough that the US, EU, Russia, and China all turn their positioning systems to military use only mode.
-
@dcon said in 📧 The Official Spam Emails Thread™:
@Tsaukpaetra To say nothing about bad grammar.
I find messages like that all the time in my app, usually written by my Chinese cow-orkers.
-
@boomzilla said in 📧 The Official Spam Emails Thread™:
@dcon said in 📧 The Official Spam Emails Thread™:
@Tsaukpaetra To say nothing about bad grammar.
I find messages like that all the time in my app, usually written by my Chinese cow-orkers.
At least our Russians have good grammar!
-
@dcon said in 📧 The Official Spam Emails Thread™:
@boomzilla said in 📧 The Official Spam Emails Thread™:
@dcon said in 📧 The Official Spam Emails Thread™:
@Tsaukpaetra To say nothing about bad grammar.
I find messages like that all the time in my app, usually written by my Chinese cow-orkers.
At least our Russians have good grammar!
But that's because the grammar russian's you?
-
Not exactly spam (since I subscribe to Glassdoor notifications) - job posting for Dell on Glassdoor:
-
@dcon Man, I can hold down 9 bullet points.
-
@Cursorkeys said in 📧 The Official Spam Emails Thread™:
Thank you Outlook but that's not my address is it. I wonder how they did that, P1/P2 from address spoofing is easy but to address shenanigans is a new one. Let's just check the headers:
Received: from *****ASA01 (192.168.100.50) by remote.*****.co.uk (192.168.158.105) with Microsoft SMTP Server id 8.3.485.1; Fri, 6 Jul 2018 13:36:14 +0100
Return-Path: hofmann.hanna@t-online.de
X-Envelope-From: hofmann.hanna@t-online.de
X-Envelope-To: *****@*****.co.uk
Received: From mailout05.t-online.de (194.25.134.82) by *****ASA01 (MAILFOUNDRY) id KdA2WoEZEei3AAzE; Fri, 6 Jul 2018 12:36:11 -0000 (GMT)
Received: from fwd23.aul.t-online.de (fwd23.aul.t-online.de [172.20.26.128]) by mailout05.t-online.de (Postfix) with SMTP id C1E26422A6CE; Fri, 6 Jul 2018 14:36:10 +0200 (CEST)
Received: from aijkepqutx (XRxZHcZeYho904yTwMMEo8-syidsJWhPSqYXIWfXUquoHRgzrcdtKyMnVmCGhqDZLb@[160.238.72.88]) by fwd23.t-online.de with (TLSv1:ECDHE-RSA-AES256-SHA encrypted) esmtp id 1fbPxv-1uD6Wy0; Fri, 6 Jul 2018 14:35:59 +0200
From: EDF Energy <hofmann.hanna@t-online.de>
Content-Type: multipart/alternative; boundary="Apple-Mail-FE5CD35B-C2F1-0B08-2DB9-AEACACD34D86"
MIME-Version: 1.0 (1.0)
Subject: Invoice ID494986593376
Message-ID: <BD1FB89B-4EF4-266C-75CB-5F255A43BD76@t-online.de>
Date: Fri, 6 Jul 2018 05:35:59 -0700
To: <adridi@extech.co.uk>
X-Mailer: iPad Mail (13E238)
X-AMQ: http://asqwii.com/link/unsubscribe/nceokwea/
Importance: High
X-Level: 9261.31605-512011.2531871
X-ID: XRxZHcZeYho904yTwMMEo8-syidsJWhPSqYXIWfXUquoHRgzrcdtKyMnVmCGhqDZLb
X-TOI-MSGID: c50f2248-423e-48c9-ac85-4d7977824074
X-MS-Exchange-Organization-PRD: t-online.de
X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (*****.*****.local: hofmann.hanna@t-online.de does not designate permitted sender hosts)
Ok, the X-Envelope-To is at least an address in my domain but it isn't my address either. The To is just wrong.
Anyone know how this got delivered?
Edit:
Let's ask the server what it thought happened!
WUT...
It got delivered the same way as emails that don't have you in the "To" field because you're BCC'd.
-
@anotherusername said in 📧 The Official Spam Emails Thread™:
It got delivered the same way as emails that don't have you in the "To" field because you're BCC'd.
I thought that too. But the only thing that gave the exact same behaviour was spoofing RCPT TO:
https://what.thedailywtf.com/post/1374598
-
@Cursorkeys said in 📧 The Official Spam Emails Thread™:
@anotherusername said in 📧 The Official Spam Emails Thread™:
It got delivered the same way as emails that don't have you in the "To" field because you're BCC'd.
I thought that too. But the only thing that gave the exact same behaviour was spoofing RCPT TO:
https://what.thedailywtf.com/post/1374598
How do you think BCC'd emails get to you?
That's how.
This describes it pretty well:
-
Credit where credit is due, Rebecca is using LinkedIn as advertised. But it's still unwanted email...
-
@Tsaukpaetra dunno if LinkedIn is actually cool with pyramid schemes, which this might not be but definitely is. Report it anyway.
-
I get a slow-but-steady stream of spam from the contact form on my website, which I cannot blacklist because it's sent to me through one of my email addresses. Today, the spam message itself is irrelevant, but I thought the footer was funny.
You are receiving this email because you subscribed on our website to the Widget Newsletter
to stop getting this email and offers in future just reply with Unsubscribed.
So I subscribed to a website, and they send me all their offers and alerts by typing them into the contact form on my website?
-
@mott555 said in 📧 The Official Spam Emails Thread™:
I get a slow-but-steady stream of spam from the contact form on my website, which I cannot blacklist because it's sent to me through one of my email addresses. Today, the spam message itself is irrelevant, but I thought the footer was funny.
...huh.
Do you have a Gmail address? Add a dot to the email address (either the "from" or "to" address). Create a filter for that mail.
Or add a "+tag" to the "to" address. Again, create a filter for it.
-
@anotherusername The point is if I blacklist it, I will not receive any legitimate messages coming from my contact form. Although I have yet to actually receive a legitimate message...but the spams are generally only one message every day or two.
-
@mott555 Yeah, but you could at least apply a label to it.
Also, you could always try to filter it further.
And have you considered adding a really simple CAPTCHA, and/or randomizing the field names so that it looks less like a contact form to random spambots?
-
@anotherusername said in 📧 The Official Spam Emails Thread™:
@mott555 Yeah, but you could at least apply a label to it.
Also, you could always try to filter it further.
And have you considered adding a really simple CAPTCHA, and/or randomizing the field names so that it looks less like a contact form to random spambots?
I'd have to find a new WordPress plugin for that. And