Well, now that the election is over I’m already getting spam to watch an “amazing viedo of Barack Obama”. No clever tricks here, just the old “click on this link”. The link is not masked in any way; it just points to a URL that a person would not associate with anything. An example of the email content is:
From: "Elections center"
Subject: USA Election Results
Barack Obama Elected 44th President of United States
Barack Obama, unknown to most Americans just four years ago, will become
the 44th president and the first African-American president of the
Watch His amazing speech at November 5!
Proceed to the election results news page>>
2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and
about American life and culture.
If you get one of these, pay attention to the link; viewing the source is actually a better way to tell. The URL you’re taken to when clicking on “Proceed to the election results news page>>” (which you should NOT do) is associated with wconlinenrue.com. If we check the registration info for that domain we can see it’s not legit.
Domain Name: WCONLINENRUE.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.SPRITSONLINE.NET
Name Server: NS2.SPRITSONLINE.NET
Updated Date: 04-nov-2008
Creation Date: 04-nov-2008
Expiration Date: 04-nov-2009
A little too obvious: the domain was created yesterday and will expire next year. If we check Spam Trackers we find a wiki entry for bizcn, and if we go to the URIBL blacklist for bizcn we find wconlinenrue at number 2 on the list. At least that is as of my typing this.
So if your spam filter doesn’t catch these, delete them; better yet, don’t open an email if you don’t recognize the sender. If you do recognize the sender, pay attention to the links you will be clicking on.
Update: since typing this just 20 minutes ago I’ve gotten a few more emails, but with a different domain, lopbiuemis.com. In all cases though the body of the message was the same as above. No doubt there will be many domains associated with the links.
For most, wandering over to the Internet Storm Center is not going to be regular reading on the web. But from time to time there is something for everybody there. A recent post offered some good advice with a major world event just around the corner.
I’ll admit I sometimes don’t connect getting spam emails with what’s going on in the world, but that is something they (spammers) do. If an email references a current topic a person is more likely to pay attention. So give it a quick read to remind yourself what not to do.
While replying to a fellow hockey player’s email this evening I ran across a strange “mail delivery failed” message.
550-x.x.x.x blocked by ldap:ou=rblmx,dc=bellsouth,dc=net
550 Blocked for abuse. See http://www.att.net/bls_rbl/ for information.
Thought that was rather strange; I’ve never been accused of sending spam before and I keep a pretty close eye on what’s coming from my machines.
Following the link took me to three resources for third-party spam detection databases. They were.
When looking up my domain, none reported the IP as being on any blacklist, but when looking up my router’s IP I got some interesting information. This is from mail-abuse.com.
January 20, 2003: If you are a COMCAST customer and are seeing messages that your IP address is on the MAPS DUL, please contact COMCAST directly. You may also want to review this page as well.
If you are a mail user with a standard mail client (such as Eudora, Pegasus Mail, Netscape Mail, or Outlook Express) and you can’t send mail because your IP address appears on the MAPS DUL, it is probably because your mail program is set to use a mail server other than the one your current Internet access provider provides you. Most ISPs usually prevent this type of mail relay with their own anti-relay software, but depending on their configuration they may check the MAPS DUL before they check for unauthorized relay.
If you use a mail (SMTP) server on your own computer, or you share your Internet connection with several other people on a local network with a proxy server such as Whistle’s InterJet, and you can’t send mail because of this list, it is because your recipients cannot tell the difference between your legitimate mail delivery and a spammer’s trespassing on their equipment. However, there is a very easy way to work around the MAPS DUL and get your mail through, and it may even speed up your mail in the process.
How about that: a message can be seen as spam if the SMTP server sending the message is not in the domain of the source IP, i.e. an open mail relay. I guess that would make sense. I may have to start pushing mail through Comcast or switch to IMAP if this continues.
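Two of the checks above can be scripted for a quick triage: the “look at the real link target, then check how old the domain is” routine from the election spam, and the reversed-octet DNS lookup name that sits behind a blocklist bounce like the 550 quoted earlier. This is an added example, not code from the post; the HTML snippet, the whois text (reduced to the fields shown above), the date the message was seen, the 192.0.2.10 address and the rbl.example.net zone are constructed or placeholder values, and no DNS query is actually sent.

```python
import re
from datetime import datetime, date
from urllib.parse import urlsplit

# Constructed sample inputs: a link as it might appear in the raw source of the
# spam, and the whois fields quoted in the post, in the dd-mon-yyyy form shown there.
HTML_SAMPLE = ('<p>Watch His amazing speech!</p>'
               '<a href="http://wconlinenrue.com/news/">Proceed to the election results news page&gt;&gt;</a>')
WHOIS_SAMPLE = """Domain Name: WCONLINENRUE.COM
Registrar: BIZCN.COM, INC.
Creation Date: 04-nov-2008
Expiration Date: 04-nov-2009
"""
SEEN_ON = date(2008, 11, 5)  # assumed: the day after the domain was created ("created yesterday")

def link_hosts(html):
    """Hosts behind every href in the raw source; the link text is never trusted, only the target."""
    return [urlsplit(h).hostname for h in re.findall(r'href\s*=\s*["\']([^"\']+)', html, re.I)]

def parse_whois_dates(text):
    """Pull the creation and expiration dates out of whois output like the block above."""
    dates = {}
    for key in ("Creation Date", "Expiration Date"):
        m = re.search(rf"^{key}:\s*(\d{{2}}-[A-Za-z]{{3}}-\d{{4}})", text, re.M)
        if m:
            dates[key] = datetime.strptime(m.group(1), "%d-%b-%Y").date()
    return dates

def registration_flags(whois_text, seen_on, max_age_days=30, max_term_days=366):
    """The post's rule of thumb: registered days ago, for the minimum one-year term, is a red flag."""
    d = parse_whois_dates(whois_text)
    age = (seen_on - d["Creation Date"]).days
    term = (d["Expiration Date"] - d["Creation Date"]).days
    return {"age_days": age, "term_days": term,
            "suspicious": age <= max_age_days and term <= max_term_days}

def dnsbl_query_name(ip, zone):
    """Classic DNSBL lookup name: the IPv4 octets reversed, under the list's zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("expected a dotted-quad IPv4 address")
    return ".".join(reversed(octets)) + "." + zone

def uribl_query_name(domain, zone):
    """Lookup name for a domain-based URI blocklist such as URIBL: the domain under the list's zone."""
    return domain.lower().rstrip(".") + "." + zone

if __name__ == "__main__":
    for host in link_hosts(HTML_SAMPLE):
        print(host, registration_flags(WHOIS_SAMPLE, SEEN_ON))
        print("URIBL-style lookup name:", uribl_query_name(host, "multi.uribl.com"))
    print("DNSBL-style lookup name:", dnsbl_query_name("192.0.2.10", "rbl.example.net"))
```

A real check resolves the lookup names with an A query and treats an answer (typically in 127.0.0.0/8) as “listed”; a whois record is only worth parsing once you have extracted the host from the href rather than the visible text.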