

WEIRDEST SPAM EVER…

I just got two spam messages containing the same message. That’s not unusual, but the content of the emails was. I got curious and took a closer look…

No haiku spam, no penis enlargements (neah, not going to link this one. I had my share of aspiring but clearly illiterate porn actresses/actors), no vicodin, no Russian dachas (yes, I really got these!) for sale, nor am I asked to assist in transferring a large sum of money so that my Nigerian friend can safely leave the country with his fortune. None of these were present in the message used in the spam I received. There were also no attachments to the spam message, which is odd. Nowadays spammers do anything to get through spam filters, using images, PDF files and apparently even MP3 files to get their sleazy messages across. More often than not I get spam messages with attachments. These ones, however, were just plain HTML messages.

What also sets these two messages apart is that they are in Dutch, which is also rare for me. Now the content of the message is just plain strange. It talks about the Dutch city Amsterdam having been contaminated with radioactive radiation and it states that the government does not openly acknowledge this, but only in private. I like that last sentence. They’re willing to admit it, but only in private. The message (translated here from the Dutch original) reads:

A report has appeared on internet forums about a heavy explosion at a Dutch nuclear power plant near Amsterdam.
Witnesses claim the explosion took place on 4 November around 15:00. A resident of the city called her family and told them
that telephone connections in the city are being shut down, so that people could not call anyone.
She also claims that there really was an explosion, a very serious one even, at the nuclear power plant and that the radioactive cloud is
spreading fast at this moment.
The government does not confirm this information officially, but does so in private conversations.
Still, residents are posting photos on the internet of the consequences of the explosion and its victims.

In this message there is only one link, cloaked with another link; both are Geocities URLs and both point to the same site. That seems odd. Why cloak a URL when both are pointing to the same address? Why use two untrusted, unpopular websites instead of popular and ‘trusted’ websites, as most spammers tend to do so that people are easily tricked into clicking the link? That doesn’t make any sense to me. The IP address used by the site (58.65.238.36) is, according to the whois database, part of a Chinese IP range, as you can see:

inetnum: 58.65.232.0 - 58.65.239.255
netname: HOSTFRESH
descr: HostFresh
descr: Internet Service Provider
country: HK
admin-c: PL466-AP
tech-c: PL466-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-HK-HOSTFRESH
mnt-routes: MAINT-HK-HOSTFRESH
remarks: Please send Spam & Abuse report to
remarks: abuse@hostfresh.com
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20060612
changed: hm-changed@apnic.net 20060613
changed: hm-changed@apnic.net 20061018
source: APNIC

person: Piu Lo
nic-hdl: PL466-AP
e-mail: ipadmin@hostfresh.com
address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong
phone: +852-35979788
fax-no: +852-24522539
country: HK
changed: ipadmin@hostfresh.com 20071025
mnt-by: MAINT-HK-HOSTFRESH
source: APNIC
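The cloaked link described above (visible link text showing one URL while the href points to another) is exactly the kind of thing a mail filter can flag before anyone clicks. The following is an added example, not code from the original post: it parses an HTML mail body, collects every anchor, and reports anchors whose displayed URL does not match the real target after light normalisation. The sample HTML and its Geocities paths are constructed for illustration only; they are not the URLs from the actual spam.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the spam described above (not the original message).
SAMPLE_HTML = """<html><body>
<p>Photos: <a href="http://www.geocities.com/ipix-download/">http://www.geocities.com/photos_of_disaster/</a></p>
<p>Honest link: <a href="http://www.geocities.com/photos_of_disaster/">www.geocities.com/photos_of_disaster</a></p>
<p>Plain text anchor: <a href="http://example.org/">our forum</a></p>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text):
    return text.lower().startswith(("http://", "https://", "www."))


def _norm(url):
    """Reduce a URL to (host, path) so scheme and trailing slash do not cause false alarms."""
    u = urlparse(url if "://" in url else "http://" + url)
    return u.netloc.lower(), (u.path.rstrip("/") or "/")


def find_cloaked_links(html):
    """Return anchors whose visible text is a URL that differs from the real href."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if looks_like_url(text) and _norm(text) != _norm(href):
            findings.append({"shown": text, "actual": href})
    return findings
```

Anchors whose text is not a URL (like “our forum”) are skipped, since they give the reader no false expectation to compare against; a stricter filter could also flag any href that resolves to an executable download.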

The accompanying webpage tries to trick you into downloading some kind of executable file (seemingly targeted at machines running Windows) called iPIX-install.exe. I tried to install it (don’t try this at home…), but got a 503 Service Unavailable message. According to this post of the 22nd of October from the German Chip security blog, this piece of malware was not well detected by most virus and/or malware scanners at that time, so be careful!

This has to be the weirdest spam I’ve had in ages. The whole message feels to me like a sort of 21st century version of Orson Welles’ radio play of H.G. Wells’ War of the Worlds. Instead of the radio, email is now the medium and stage. Instead of entertaining (or frightening…) people with sound, this message aims to ‘frighten’ people (in a quite amateurish way) using some kind of conspiracy or sci-fi text, while in the meantime infecting as many machines as possible.

I wonder what kind of people create these annoying, horrible yet intriguing storytelling ‘artworks’ also known as spam?

ps: for the spam vigilantes among us, here are the original messages including headers (spam1.txt, spam2.txt), saved as plain text for your own private digital forensics fun. Enjoy! I already sent an abuse email, but feel free to do this as well.

UPDATE: Apparently this particular spam message attracted some more attention. Even the mainstream media such as nu.nl are reporting about it: “Opnieuw golf aan virusspam over ‘kernramp’”


6 Responses to Weirdest spam ever…

  1. Kahless says:

    I just received the same spam and did a search and found your entry in your blog. I was also of the opinion that it was the weirdest spam I ever received, especially because it talks about a disaster in the city Amsterdam, where I happen to live. So I am assuming most of the people who receive this spam can’t read Dutch, so I will translate for their amusement:

    There has been some report on internet forums about a severe explosion in a dutch nuclear power plant near Amsterdam.
    The witnesses claim the explosion took place around 15:00 on November the 4th.
    One of the residents of the city called her family to tell that they were shutting down the telephone connections so nobody could call anyone.
    She also claimed that there indeed has been a very serious explosion at the nuclear power plant and that a radioactive cloud was spreading fast.
    The government hasn’t confirmed this officially but they did so during private meetings.
    Still the inhabitants of the city are uploading photos of the result of the explosion and of the victims.

  2. BjornW says:

    @Kahless

    Thanks for translating! I was a bit lazy ;)

  3. Justine says:

    I received this email yesterday, saved headers and everything too. Since I am located in Amsterdam this was clearly nonsense to me.
    What worries me is that this could be the beginning of a trend. If spam is now made up of ‘intriguing’ text that ‘could be true’, readers will be more inclined to visit the sites mentioned in it. My concern is now lukewarm but could warm up if this trend develops. If you receive spam with nonsensical words and snipped sentences it’s clear you should not pay attention. But this ‘could’ be real. Except if you live in Amsterdam ;-)

  4. [...] to a well-known cybercrime hosting operator in Turkey. It also seems this attack is a rerun of other similar attacks late last [...]

  5. Hi,

    I received the particular spam, but in Finnish. It says that there has been an explosion in nuclear power plant near Mikkeli, Finland.

    The thing is, there is no nuclear power plant near Mikkeli! :)

    The link in the mail eventually forwards to a webpage which tries to install a trojan horse.

    My analysis (in Finnish): http://ernvall.com/site/2008/02/20/uutinen-suomen-ydinsaastumisesta/

  6. [...] this scam has been attempted before and in different languages. I found one description from last autumn in Dutch, and there is also a German-language version [...]
