Oct 12 2003 Update: I have received evidence, which I feel is credible, that the spams from DegreeInfo and Wholintegral are not the work of Chip White, and that in fact Chip White and DegreeInfo.com have been victims of what is known as a 'joe-job'. I am preparing a follow-up article, which should be available RSN. While I am leaving this article more or less intact, I want to make it clear that I do not consider Chip White to be a spammer, and that any references to Mr. White and DegreeInfo.com should be considered 'pointers' to the real spammers, who have committed what is, in my opinion, character assassination.
One of the things they teach you in Salesmanship 101 is to Personalize the Message. When you send out advertising to someone, give them the illusion that you are communicating your message to them, and only them, by customising the wording to include things like their name, their interests, etc. It changes the ad from something that is mass-distributed to hundreds (or even thousands) of people, to something meant specifically for you, and by 'connecting' with the mark customer in this manner an increase in the response rate can be obtained.
Well, in the 'online bulk email' (spam) realm, this same view seems to be present. Even better is the fact that not only can 'personalized spam' help the spammer to connect to his/her audience, it also provides a means of avoiding those annoying (to the spammer, that is) spam filters which look at content - specifically, a large number of messages with EXACTLY THE SAME content.
Well, I recently got such a spam, and it was sooooo funny that I thought I would share it with you.
So, Without Further Ado: The Spam!
Return-Path: <>
Received: from psmtp.com (exprod5mx16.postini.com [64.75.1.156])
    by (8.10.2/8.10.2) with SMTP id g9Q17aF26407
    for ; Fri, 25 Oct 2002 20:07:37 -0500
Received: from source ([]) by exprod5mx16 ([64.75.1.245]) with SMTP;
    Fri, 25 Oct 2002 21:07:36 EDT
Received: (from httpd@localhost)
    by ns7.kabir-ken.jp (8.10.2/8.10.2) id g9Q17ZY31640;
    Sat, 26 Oct 2002 10:07:35 +0900
Received: from mail-gw.biglobe.ne.jp (mailsv15.biglobe.ne.jp [2])
    by mail2s.biglobe.ne.jp (8.9.1+3.1W/3.7W-99020213) with ESMTP id CAA01931
    for ; Sat, 26 Oct 2002 10:07:35 +0900 (JST)
Received: from mail-relay.biglobe.ne.jp by mail-gw.biglobe.ne.jp (8.8.8/3.6W-INET_GW)
    id CAA22785 for ; Sat, 26 Oct 2002 10:07:35 +0900 (JST)
Received: from mvf.biglobe.ne.jp by mail-relay.biglobe.ne.jp (8.8.8/3.6W-BIGLOBE_RELAY)
    id CAA00201 for ; Sat, 26 Oct 2002 10:07:35 +0900 (JST)
DATE: Sat, 26 Oct 2002 10:07:35 +0900 (JST)
Message-ID: <000001be6d79a08c0d24cd85 @ rwm22251>
X-Mailer: Mozilla 4.06 [ ja ] (Macintosh; I; PPC)
MIME-Version:
To: ed.truitt @ .net
From:
Reply-To:
Subject: just visited your site
Hello [name],
We have just visited your website [site] and find many of your offerings of interest to us.
We request some more info and prices of your services, as they are [compliment] and [compliment 2].
You may also be interested in our services [name] if you never had the chance to go to college. Our books show you how to get a college degree completely online or thru the mail.
Please visit our sites
http://www.degreeinfo.com
http://www.degree.net
New! Purchase books and recordings from DegreeInfo! Now you can purchase books and tapes related to distance learning from DegreeInfo. In addition to getting some of the best information available on choosing a distance learning program (including exclusive products available only from DegreeInfo), you'll help to support our site and ensure that it will continue to be available as a distance learning resource.
Read about our first offering, a brand new, one-hour discussion of distance learning success strategies, narrated by John Bear, Ph.D., and available exclusively from DegreeInfo.com . Many parts are of particular interest to folks from [location] so we guessed it was worth telling you [name].
For more information on the renowned distance learning expert Dr John Bear,Ph.D., please visit our sister site http://www.degree.net
There [name], you will find a wealth of information on getting a degree as fast as possible. If I am ever in [location] I will let you know, take you out to lunch.
I will be on vacation for the next 3 weeks, please email your prices and info for [site] then.
When I get back, we can talk business.
Thanks
Chip White
OK, let's get the header dissection over with. All the Received: lines from Japan have the exact same timestamp, to the second. Examining the rest of the Received: lines more closely, I noticed that ns7.kabir-ken.jp () receives the email from the originator, and sends it to Postini (my ISP's spam-filtering service). Sooo, I am guessing that the last three Received: lines are forgeries, thrown in to confuse spam-tracking systems. The system is a Cobalt RAQ (based on the default Website page), which is configured as an HTTP proxy (I checked), and since it allows anonymous access, it is a perfect target for abuse by spammers (as happened in this case.)
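The header reading above can be done mechanically. The following is an added example, not the author's code: it finds the hop where the message entered the mail system and lists the Received: lines below it, which the receiving server could not have verified. The function names `parse` and `analyse` are hypothetical, and the code assumes the "(from user@localhost)" stamp marks a locally submitted message, as sendmail writes it.

```python
import re
from email.utils import parsedate_to_datetime

# Received: values from the message above, newest first, each unfolded to one
# string. Redacted fields ("by (8.10.2", "for ;", "[2]") are left as on the page.
RECEIVED = [
    "from psmtp.com (exprod5mx16.postini.com [64.75.1.156]) by (8.10.2/8.10.2) "
    "with SMTP id g9Q17aF26407 for ; Fri, 25 Oct 2002 20:07:37 -0500",
    "from source ([]) by exprod5mx16 ([64.75.1.245]) with SMTP; "
    "Fri, 25 Oct 2002 21:07:36 EDT",
    "(from httpd@localhost) by ns7.kabir-ken.jp (8.10.2/8.10.2) id g9Q17ZY31640; "
    "Sat, 26 Oct 2002 10:07:35 +0900",
    "from mail-gw.biglobe.ne.jp (mailsv15.biglobe.ne.jp [2]) by mail2s.biglobe.ne.jp "
    "(8.9.1+3.1W/3.7W-99020213) with ESMTP id CAA01931 for ; "
    "Sat, 26 Oct 2002 10:07:35 +0900 (JST)",
    "from mail-relay.biglobe.ne.jp by mail-gw.biglobe.ne.jp (8.8.8/3.6W-INET_GW) "
    "id CAA22785 for ; Sat, 26 Oct 2002 10:07:35 +0900 (JST)",
    "from mvf.biglobe.ne.jp by mail-relay.biglobe.ne.jp (8.8.8/3.6W-BIGLOBE_RELAY) "
    "id CAA00201 for ; Sat, 26 Oct 2002 10:07:35 +0900 (JST)",
]

def parse(line):
    """Return (local_submission, by_host, epoch seconds) for one Received: value."""
    head, _, date = line.rpartition(";")            # the date follows the last ';'
    date = re.sub(r"\s*\([^)]*\)\s*$", "", date)    # drop a trailing "(JST)" comment
    by = re.search(r"\bby\s+([A-Za-z0-9][\w.-]*)", head)
    local = re.match(r"\s*\(from\s+\S+@localhost\)", head) is not None
    return local, (by.group(1) if by else None), parsedate_to_datetime(date.strip()).timestamp()

def analyse(received):
    """Split the chain at the first locally submitted hop and compare timestamps."""
    hops = [parse(line) for line in received]
    # The hop stamped "(from user@localhost)" is where the message entered the
    # mail system; every Received: line below it arrived as part of the message.
    entry = next((i for i, h in enumerate(hops) if h[0]), None)
    if entry is None:
        return None
    below = hops[entry + 1:]
    return {
        "entry_host": hops[entry][1],
        "unverifiable": [h[1] for h in below],
        # The page reads stamps identical to the second as a sign of forgery.
        "same_second_as_entry": sum(h[2] == hops[entry][2] for h in below),
        "total_span_seconds": hops[0][2] - hops[-1][2],
    }
```
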
So, since it is unlikely we will ever get a positive ID on the spammer, I will simply post my 'Request for LART' right here, for everyone to read.
Dear [ISP]
Recently, I received a spam email from one of your [derogatory term for spammer] on the subject of [subject of spam]. I am attaching the [insult] spam, with the full headers, for your review. I don't want to, and have never signed up for the honor of having my email inbox flooded with [expletive] offers for [expletive 2] [product].
I checked your website [site] and found out that your ToS/AUP prohibits spamming. So, please apply a heavy wooden mallet to said [derogatory term for spammer]'s [reproductive organs] and LART this sorry [insulting observation on spammer's sexual habits] [insulting observation on spammer's ancestry] [insult 3] [insult 4] back into [era with no Internet connectivity].
Oh, and tell that [derogatory term for spammer] that if [s/he/it] ever shows up at [location], I will be more than happy to go to lunch - as long as my good friend, Dr. Hannibal Lecter, can join us.
To the owner/administrator of the relay/proxy at [address of open relay/proxy]: The [derogatory term for spammer] took advantage of the fact you allow unauthenticated access to your [expletive] service to send me this [expletive 2] spew. In order to combat these [insult] [insult 2] [derogatory term for spammer], it is imperative you properly secure your [expletive 3] proxy/relay immediately. For further information on how to do this, please visit [URL where the idiot can RTFM].
Regards,
-etee