Email Forgery
Spam 'n' Scam
Copyright © 2008 by David Harper and L.M. StockmanDesigned and maintained by Obliquity
http://www.obliquity.com/computer/spambait/theft2008.html
Spammers routinely forge the From: line in their junk emails,
causing the inevitable flood of bounces, auto-acknowledgements and complaints
to land in some innocent third-party's inbox. Like so many other domain
names, obliquity.com is sometimes used in these forgeries.
The number of attacks perpetuated by spammers on our domains has made it impossible to track every spam run. Thousands of spam emails and bounces sent to randomly generated addresses in our domains arrive every day.
| Spammer | Forged Addresses | First Bounce Date and Time (GMT) | ||
|---|---|---|---|---|
| January | Storm Worm malware | arlette, armfulrugs, receipts, sac, sharp, socila, voysecure, wewior, woodhandicrafts | January 1 | 06:36:18 |
| Canadian/European Pharmacy, Casino Club V.I.P., Diamond/Prestige Replicas, E2 Finance, King Replica, Mortgage-Infinity, "Phony University Degrees", Prestige Footware, "Pump and Dump", VPXL |
two names, name.name, name followed by a word and another name, name followed by a number and a letter |
January 22 | 21:51:08 | |
| January 27 | 22:23:31 | |||
| January 29 | 22:33:48 | |||
| January 30 | 01:31:26 | |||
| February | February 2 | 03:51:30 | ||
| ggomes, jeni.palmer, jingtao.sun, johna, jrblack, jreed, kaylaren, kendergin, solvent.bobble.pluk, spiritbv | February 3 | 15:42:54 | ||
| name.name, name.LAST_NAME |
February 5 | 02:41:17 | ||
| name followed by a word and another name | February 23 | 12:18:41 | ||
| career97, c.doornkamp, fournier, glolyoung, jjujjubong_bar, josedluc, ryo-mate, sandy.wilson, shahid.khan, sjohnson, tina.visnovska, ucyl | February 23 | 13:23:22 | ||
| name followed by a word and another name | February 25 | 13:59:13 | ||
| February 25 | 14:59:08 | |||
| February 25 | 17:18:27 | |||
| March | Diamond/Prestige Replicas, "Google Groups casino spammer" |
March 1 | 22:45:14 | |
| Canadian/European Pharmacy, Diamond/Prestige Replicas, ExpressHerbals/MaxHerbal/VPXL |
March 6 | 10:45:35 | ||
| Canadian/European Pharmacy, Kraken or Storm Worm malware |
aunsen, cho, connington, drbahuleyan, jstead, kredman, lb_koroszczyn, marc, marcel_raimann, mickeyt13, phillips.wr, richard.scullion, stoneworks | March 7 | 10:12:06 | |
| [unknown] | beckyvfcathode, beckyw8chariot | March 23 | 19:14:05 | |
| Canadian/European Pharmacy, ExpressHerbals/MaxHerbal/VPXL |
joybkysnell sometimes preceded by numbers and/or letters | March 23 | 22:50:13 | |
| vindicator sometimes preceded by numbers and/or letters | March 24 | 04:12:59 | ||
| deobstruent sometimes preceded or followed by numbers and/or letters | March 24 | 06:21:47 | ||
| joybkysnell sometimes preceded by numbers and/or letters | March 24 | 07:40:13 | ||
| dishonestyn | March 26 | 04:55:05 | ||
| pearlzxfchappell sometimes preceded by numbers and/or letters | March 26 | 18:34:47 | ||
| vusfa sometimes preceded by numbers and/or letters | March 27 | 00:22:28 | ||
| Canadian/European Pharmacy, International Legal RX medications |
asghar.h.mirza, barrycurrey, benchakroun, budialu, leenau, lynne.benson, matt_mcmillan, pazur, rajuatkims05, sklavebob2002, sthntirc, tdky, thorntol | March 27 | 19:02:02 | |
| Diamond/Prestige Replicas, King Replica, Prestige Footware |
reliance sometimes preceded by numbers and/or letters | March 28 | 15:04:10 | |
| likin sometimes preceded and/or followed by numbers and/or letters | March 29 | 08:33:26 | ||
| ilvan | March 29 | 11:36:58 | ||
| jasonrywwalker sometimes preceded by numbers and/or letters | March 29 | 16:54:59 | ||
| dishonestyn, dishonestynn | March 30 | 00:47:28 | ||
| silvand, silvandd | March 31 | 00:01:49 | ||
| April | [unknown] | jk | April 1 | 15:04:27 |
| Canadian Health&Care Mall, King Replica, Prestige Footwear |
prestigiatory sometimes preceded by numbers and/or letters | April 1 | 16:50:47 | |
| Diamond/Prestige Replicas | relianced | April 3 | 00:04:54 | |
| [unknown] | palpus | April 3 | 13:24:51 | |
| jerroldtwjulio | April 3 | 20:49:53 | ||
| Kraken or Storm Worm malware, Canadian Health&Care Mall, Diamond/Prestige Replicas, ExpressHerbals/MaxHerbal/VPXL, King Replica |
georgenbfwilson sometimes preceded by numbers and/or letters | April 4 | 03:51:40 | |
| relianced sometimes preceded by numbers and/or letters | April 4 | 12:59:15 | ||
| [unknown] | palpus | April 4 | 16:27:47 | |
| Diamond/Prestige Replicas | petgord34truew | April 5 | 03:57:56 | |
| [unknown] | dishonestyn | April 5 | 07:49:59 | |
| ikin | April 5 | 08:41:50 | ||
| prestigiatory sometimes preceded by numbers and/or letters | April 6 | 18:06:29 | ||
| Kraken or StormWorm malware, Canadian/European Pharmacy, King Replica |
assagaid sometimes preceded by numbers and/or letters | April 6 | 22:44:17 | |
| Canadian/European Pharmacy, Diamond/Prestige Replicas, King Replica |
youngun sometimes preceded by numbers and/or letters | April 7 | 13:43:33 | |
| Diamond/Prestige Replicas, King Replica |
info sometimes preceded by numbers and/or letters | April 8 | 16:04:58 | |
In late February and early March we received thousands of bounces from the googlemail.com mailer daemon. These were in addition to the spam runs listed above. The forged obliquity.com address was in the form name followed by a word and another name.
From 23 March the forgeries changed in character. (Non-existent) addresses
which had been receiving spam for months, sometimes years, were (sometimes)
slightly altered and used in the From: line during (what were
usually but not always) short-lived spam runs numbering several per day.
On 10 April we changed the email settings at obliquity.com to discard all email except those sent to a limited number of authorised addresses. Thus, we no longer track these forgeries.
Email Forgery
Spam 'n' Scam
Copyright © 2008 by David Harper and L.M. Stockman