Best. Scam. Ever.



  • Recieved this in my university email. It was followed a few minutes later by an email urging everyone to not be scammed.

    Subject: Warning!!
    From: UWM@mta01.pantherlink.uwm.edu, Help@mta01.pantherlink.uwm.edu, Desk@mta01.pantherlink.uwm.edu

    You Are Currently Running On Low GB Due To Hidden Files And
    
    Folder On Your Mailbox.
    
    Please Click Here http://redacted.domain/0/uwmhelpdesesk1 To Validate
    
    Your Mailbox And Increase Your Quota.
    
    Failure To Click This Link And Validate Your Quota May Result
    
    to Loss Of Important Information In Your Mailbox/Or Cause
    
    Limited Access To It.
    
    Thanks For Co-operating with Us.
    
    Copyright © 2012.
    
    University of Wisconsin-Milwaukee
    Help Desk

    Let's count the WTFs:

    1. Subject contains the style of punctuation I'd expect from an eight year old who just found out about computers
    2. Every Single Word Is Capitalized
    3. They double-spaced an email.
    4. There are THREE From: addresses, all of which are from a domain with no MX record.
    5. The URL shortener they used is "for furries"
    6. They spelled desk wrong in their phishing URL, probably because the correct spelling was already taken
    7. The shortened link redirects to www.123contactform.com
    8. They copyrighted an email
    9. None of this was caught by the spam filter
    10. Someone probably fell for it


  • i don't get it, what's the objective of the scam? getting access to worthless terabytes of documents to be sold on the university black market?



  • Getting access to more horsepower for some botnet? Getting eyeballs on some other scam?

     

    I heard the illiterate style is a deliberate attempt to focus their attention on the most gullible recipients (this probably applies more to 419 scams where they need to spend their own time chasing after marks).

     



  • @Ben L. said:

    There are THREE From: addresses, all of which are from a domain with no MX record.

    How is that even possible? The three from addresses, I mean...



  • @ekolis said:

    @Ben L. said:
    There are THREE From: addresses, all of which are from a domain with no MX record.

    How is that even possible? The three from addresses, I mean...

    Well you can write anything you like to in the From header. How mail servers, spam filters and clients will take it is another thing though...



  • @poizan42 said:

    Well you can write anything you like to in the From header.

    Can you write backspace backspace backspace ist !!!11! ?



  • @Speakerphone Dude said:

    i don't get it, what's the objective of the scam?
    Typically they are trying to get you to click on a link which will take you to a page that attempts to use one of the 4,567,823 security holes in Java, Flash or Acrobat Reader to install some sort of malware.



  • @Ben L. said:

    5. The URL shortener they used is "for furries"
    Aren't they all?



  • @Ben L. said:

    Recieved this in my university email. It was followed a few minutes later by an email urging everyone to not be scammed. ...

    Copyright © 2012.

    They copyrighted an email

       

      Ahah! They gotcha! They copyrighted the spam e-mail, and you posted it on The Daily WTF. You are in violation of the copyright. You can be sued. Fork over US$500 to get off the hook!

      One of my moneymaking ideas is to write a virus, and copyright it, and sue everyone who gets infected. Impossible? Just like GMO crops!




    1. @Speakerphone Dude said:

      i don't get it, what's the objective of the scam? getting access to worthless terabytes of documents to be sold on the university black market?

      Getting your university email password, using it to access your normal email since most people reuse their password for everything, and from this accessing your PayPal account?



    2. @Ben L. said:

      1. Subject contains the style of punctuation I'd expect from an eight year old who just found out about computers

      Didn't you know that everyone writes like that nowadays ??

      One ! or ? is never enough, and modern written style mandates a space between the last word and the "!!" or "??" when used in a sentence !! (Seriously what's with that? I had some e-mails from a guy who was randomly putting two and three spaces between words, and between the last word of a sentence and the full stop (".") – maybe this is just another illiterate British failing. We suck at everything we invent, so I guess we're going to suck at our own language too.)



    3. @poizan42 said:

      @ekolis said:
      @Ben L. said:
      There are THREE From: addresses, all of which are from a domain with no MX record.

      How is that even possible? The three from addresses, I mean...

      Well you can write anything you like to in the From header. How mail servers, spam filters and clients will take it is another thing though...

      I suspect the header said From: UWM Help Desk and the MTA has treated this as three whitespace-delimited local identities, and has put its own hostname after each one. That's what normally happens with unqualified addresses. (This is the MIME header though, not the envelope header. Even so, SMTP servers should reject messages with garbage MIME headers.)



    4. @El_Heffe said:

      @Speakerphone Dude said:

      i don't get it, what's the objective of the scam?
      Typically they are trying to get you to click on a link which will take you to a page that attempts to use one of the 4,567,823 security holes in Java, Flash or Acrobat Reader to install some sort of malware.

      Nope, it's a contact form with a username and password field. On 123contactform.com.



    5. @Daniel Beardsmore said:

      This is the MIME header though, not the envelope header. Even so, SMTP servers should reject messages with garbage MIME headers.

      Be conservative in what you send, liberal in what you accept. When it comes to emails it is usually a good idea to be conservative in what you accept though - an astonishing large amount of spam mails can be rejected outright for not following the RFCs.

      Another thing is that multiple from addresses are actually allowed by RFC 5322 - a Sender header is required in that case:

         The originator fields of a message consist of the from field, the
         sender field (when applicable), and optionally the reply-to field.
         The from field consists of the field name "From" and a comma-
         separated list of one or more mailbox specifications.  If the from
         field contains more than one mailbox specification in the mailbox-
         list, then the sender field, containing the field name "Sender" and a
         single mailbox specification, MUST appear in the message.  In either
         case, an optional reply-to field MAY also be included, which contains
         the field name "Reply-To" and a comma-separated list of one or more
         addresses.
      

      from = "From:" mailbox-list CRLF

      sender = "Sender:" mailbox CRLF

      reply-to = "Reply-To:" address-list CRLF

      The originator fields indicate the mailbox(es) of the source of the
      message. The "From:" field specifies the author(s) of the message,
      that is, the mailbox(es) of the person(s) or system(s) responsible
      for the writing of the message. The "Sender:" field specifies the
      mailbox of the agent responsible for the actual transmission of the
      message. For example, if a secretary were to send a message for
      another person, the mailbox of the secretary would appear in the
      "Sender:" field and the mailbox of the actual author would appear in
      the "From:" field. If the originator of the message can be indicated
      by a single mailbox and the author and transmitter are identical, the
      "Sender:" field SHOULD NOT be used. Otherwise, both fields SHOULD
      appear.

        Note: The transmitter information is always present.  The absence
        of the "Sender:" field is sometimes mistakenly taken to mean that
        the agent responsible for transmission of the message has not been
        specified.  This absence merely means that the transmitter is
        identical to the author and is therefore not redundantly placed
        into the "Sender:" field.
      

      The originator fields also provide the information required when
      replying to a message. When the "Reply-To:" field is present, it
      indicates the address(es) to which the author of the message suggests
      that replies be sent. In the absence of the "Reply-To:" field,
      replies SHOULD by default be sent to the mailbox(es) specified in the
      "From:" field unless otherwise specified by the person composing the
      reply.

      In all cases, the "From:" field SHOULD NOT contain any mailbox that
      does not belong to the author(s) of the message. See also section
      3.6.3 for more information on forming the destination addresses for a
      reply.



    6. @ekolis said:

      @Ben L. said:
      There are THREE From: addresses, all of which are from a domain with no MX record.

      How is that even possible? The three from addresses, I mean...

      You have a very optimistic view of RFC 822.



    7. What I don't get are the World-of-Warcraft/Diablo3 account s[c|p]am messages I keep getting. Even beside the fact that I don't have an account for either game, they are obviously fake, bearing all the usual signs (Bad spelling, punctuation and grammar; sentences that sound as if they had been run through google translate several times back and forth; you name it ...).

      However, the links in those mails seem to be legit (at first glance at least, I never bothered trying to follow one of them, of course), pointing to sites at domains like blizzard.com (no url trickery for catching morons, like blizzard.com.butno.itsreally.thescammersdomain.net or similar crap), which I assume actually belongs to Blizzard (I can't imagine they'd allow anyone to squat on such a high-profile domain name...)

      So, what benefit would a scammer have from directing a victim to a site that actually belongs to Blizzard? How are they supposed to intercept any kind of useful information that way (assuming there's not also some kind of DNS poisoning attack or anything like that going on at the same time, and that Blizzards own servers have not been hacked to host malicious sites, which I am sure I would have heard about)?



    8.  @Speakerphone Dude said:

      @poizan42 said:
      Well you can write anything you like to in the From header.

      Can you write backspace backspace backspace ist !!!11! ?

      Last time I saw something like that was in an old Commodore64 book showing how you could hide passwords in your BASIC programs, by writing it out and then adding backspace characters, so they output over the top when you list the code on screen.



    9. @Anonymouse said:

      What I don't get are the World-of-Warcraft/Diablo3 account s[c|p]am messages I keep getting. Even beside the fact that I don't have an account for either game, they are obviously fake, bearing all the usual signs (Bad spelling, punctuation and grammar; sentences that sound as if they had been run through google translate several times back and forth; you name it ...).

      However, the links in those mails seem to be legit (at first glance at least, I never bothered trying to follow one of them, of course), pointing to sites at domains like blizzard.com (no url trickery for catching morons, like blizzard.com.butno.itsreally.thescammersdomain.net or similar crap), which I assume actually belongs to Blizzard (I can't imagine they'd allow anyone to squat on such a high-profile domain name...)

      So, what benefit would a scammer have from directing a victim to a site that actually belongs to Blizzard? How are they supposed to intercept any kind of useful information that way (assuming there's not also some kind of DNS poisoning attack or anything like that going on at the same time, and that Blizzards own servers have not been hacked to host malicious sites, which I am sure I would have heard about)?

       

      I get a ton of these as well. They seem to be using a new trick of using domains with non-ascii characters in. On older browsers they get converted to punycode, but on something  like Firefox, they are displayed as is. The thing is, these domains are more expensive than their ascii counterparts, and a lot of browsers convert to punycode reducing the legitimate effect, so it seems that there are indeed a lot of people getting tricked by this to make it worthwhile to the scammers

       



    10. @ASheridan said:

      non-ascii characters
      Oh. Duh... *facepalm* url spoofing with lookalike characters... the second oldest trick in the book, why didn't I think of that.



    11. @emurphy said:

      I heard the illiterate style is a deliberate attempt to focus their attention on the most gullible recipients
       

      This is true for Nigerian scams where the scammer is trying to extract money from the victim, because the scammer wants to get a lot of money out of a small number of victims; smaller focus is preferable because fewer e-mails means less money going to the spam service.

      For phishing attacks, it mostly comes down to the fact that spam filters are only recently getting advanced enough to detect patterns in spam messages when the grammar and spelling is mangled, and many people aren't using these more-advanced filters. There is still an element of weeding out the less-than-gullible, since gullible people are less likely to notice what you're going to do with their passwords.

       



    12. @curtmack said:

      @emurphy said:

      I heard the illiterate style is a deliberate attempt to focus their attention on the most gullible recipients
       

      This is true for Nigerian scams where the scammer is trying to extract money from the victim, because the scammer wants to get a lot of money out of a small number of victims; smaller focus is preferable because fewer e-mails means less money going to the spam service.

      The reason I've always heard that 419 scams want to use bad grammar is that they want you to think they are stupid so you will think you can take advantage of them. But of course, that's not how it's going to work out.



    13. @ASheridan said:

      I get a ton of these as well. They seem to be using a new trick of using domains with non-ascii characters in. On older browsers they get converted to punycode, but on something  like Firefox, they are displayed as is. The thing is, these domains are more expensive than their ascii counterparts, and a lot of browsers convert to punycode reducing the legitimate effect, so it seems that there are indeed a lot of people getting tricked by this to make it worthwhile to the scammers

       

      I think it is also possible to tell Firefox and other Mozilla based to always show punycode (I use this setting on my own computer).



    14. @zzo38 said:

      I think it is also possible to tell Firefox and other Mozilla based to always show punycode (I use this setting on my own computer).
       

      This intrigues me.

      Do tell.


    Log in to reply