Classic Spam: Plausible deniability in action

OK, why would a 100% male bachelor engineer at a low-profile privately-held engineering firm be getting an e-mail advertisement for women’s underwear in his work in-box? Never mind, don’t answer that.

Long before Victoria’s Secret and others took the trade to the suburban shopping mall, Frederick’s of Hollywood fulfilled the nation’s vast need for naughty underwear for ladies through retail shops and phone/mail orders. Frederick’s must be feeling the pinch (ahem) of competition, since they are now resorting to spam as we see below:

Received: from exanpcn8.<<my-company>> ([])
  by exanpcn1.<<my-company>> with SMTP (Microsoft
  Exchange Internet Mail Service Version 5.5.2653.13)
  id K2R5SV2Q; Sat, 10 May 2003 20:48:38 -0400
Received: from xchnger.net (unverified) by EXANPCN8.<<my-company>>
  (Content Technologies SMTPRS 4.3.6) with SMTP id
  for <hidden>;
Sat, 10 May 2003 20:46:24 -0400
To: hidden
Date: Sat, 10 May 2003 21:07:13 -0500
Message-ID: <1052615233.7955@xchnger.net>
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
From: InternetSweeps<IS@leisure.wear.transmitr.net>
Return-Path: InternetSweeps<IS@leisure.wear.transmitr.net>
Reply-To: InternetSweeps<IS@leisure.wear.transmitr.net>
Subject: Summer Special: get 3 Free pairs of Panties
Mime-Version: 1.0
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<META name=Ad content=LS005XI00574493FA>

<a href="http://www.internetsweeps.com/c.asp?
<img src=
fredericks/panty.jpg" border="0">
<table width="60%" border="0" cellspacing="0" cellpadding="0" align="center">
<td><font face="Verdana, Arial, Helvetica,
sans-serif" size="-2"><br>
The preceding message was sent to you as an
opt-in subscriber to InternetSweeps.
We will continue to bring you valuable offers
on the products and services
that interest you most. If you wish to
unsubscribe please click here:
<a href="http://www.internetsweeps.com/

<font face="Verdana, Arial, Helvetica, sans-serif"
size="-2">To unsubscribe via postal mail, please send request to:<br>
14000 Military Trail #208<br>
Delray Beach, FL 33484</font><br>

<img src="http://www.internetsweeps.com/o.asp?SC=20169&
Q=22753&EM=57449350" width=1 height=1>
<ldo qpea ads d f57449350{7454259A-6B5B-484B-BB51-
4439D27F5558}pg a;kldh ja; naj kgh lka jfhldk>
<asd f57449350{7454259A-6B5B-484B-BB51-4439D27F5558}p
ga;kldhja; na jkghlkajfh ldk>
<erfsl;fsu dt r;awei ofj;jk;cmv pd ofji[aq dlakw uert
onhf;gae rp>
<sd gfe rogh;adfjaer;{7454259A-6B5B-484B-BB51-
<ewqas df jkf;lakjdf ;vnlak a;jv;k lbvjd;ohiw';wg
ojk'bam gp ja'fkm>
<qie aldjf asdw qwe sdf57449350{7454259A-6B5B-484B-BB51-
4439D27F5558}pga;kl dhja; najkgh lk ajfhl dk>
<as df57449350 {7454259A-6B5B-484B-BB51-
4439D27F5558}pga; kldhja; najk ghl kajfhldk>
<fs daf{7454259A-6B5B-484B-BB51-4439D27F5558}dkl af
jaio;rha;lfhiddensad;sdfgk tr upgn a;lgj>
<ag v;erigl/a; legm jal;k vjal;hjf ;acj;qogjirn/
<dfl; ais fuiwqt[u wjf al;sdk;asdl kfj;a oisdflakaf>
<uareo dhfla {7454259A-6B5B-484B-BB51-4439D27F5558}
<ghirpwks 57449350 hidden hiddendmfahls>
<asdf57449350{7454259A-6B5B-484B-BB51-4439D27F5558}pga;kldhja; najkghlkajfhldk>
<ljvg ahiddenasdfa sdf sdfhidden>
<fasfas dfhiddenfasegf ava hiddenasdfas
fadfhiddencv asdf>
<adfads fasdfhiddena sdfa{7454259A-6B5B-484B-
<dfas dfa hiddena sdfhidden{7454259A-
<adnh ghri jmv[aqrghidden gfas dj;oi <<my-
address>>gj ajkl;g hn ero uihidden
<uareo dhfla {7454259A-6B5B-484B-BB51-4439D27F5558}
<gh irpwks 57449350 hidden hidden
<m;arj bg[aghiddenfgak l;gj paiohidden
akl;jdf ga l;phiddenf;lkag dfo;g>
<klajf sjkahg fhiddenajklaj gl;kz svj{7454259A-
<akdl;jf;lak gjav;mkfna;lkgjfg adf;gjk{7454259A-6B5B-
<flkasj asdlf kja;sdklfj>
<iueqalas df57449350{7454259A-6B5B-484B-BB51-
4439D27F5558}pg a;kld hja; najkg hlkajfh ldk>
<uareo dhfla {7454259A-6B5B-484B-BB51-4439D27F5558}
<ghirpwks 57449350 hidden hiddendmfahls></BODY>

My company’s incoming mail host neglected to capture the authoritative IP address of the host that left the message, and an nslookup on xchnger.net didn’t yield an address; however, whois indicated that the domain was registered to an outfit in Palm Springs, very close to the postal address given in the spam. I can’t really say the header is forged (since I don’t have an address to work with), but I can say that “xchnger.net” is not a fully-qualified mail host name, so we’re damn close.

The message itself contains lots of gibberish text in what appear to be bogus HTML tags. Possibly these data mean something to the spammer, or possibly they are just camouflage (although my address is quoted over 20 times within the body, which inclines me toward the former). This message relies upon the inserted image (the fredericks/panty.jpg link) to do the pitch for Frederick’s, and doesn’t have much in the way of “real” text that could be scanned by a content filter. There’s also a helpful beacon link (the 1×1 image loaded from internetsweeps.com/o.asp) to tell the spammer that I’ve opened the message.
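The check described above can be automated. This is an added example, not part of the original post: it finds 1×1 beacon images and counts how many bogus tags repeat a value from the beacon's query string. The function names and the tag allow-list are assumptions, and the sample is built from lines of the message above with wraps joined.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a short allow-list of real HTML element names; any other tag name is "bogus".
KNOWN_TAGS = {"html", "head", "body", "meta", "a", "img", "table", "tr", "td",
              "font", "br", "p", "b", "i", "div", "span", "center"}
TAG_RE = re.compile(r"<\s*([A-Za-z][^<>]*)>")
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")

# Constructed sample: lines copied from the message above, with line wraps joined.
SAMPLE = """\
<img src="http://www.internetsweeps.com/o.asp?SC=20169&Q=22753&EM=57449350" width=1 height=1>
<asd f57449350{7454259A-6B5B-484B-BB51-4439D27F5558}pga;kldhja; na jkghlkajfh ldk>
<erfsl;fsu dt r;awei ofj;jk;cmv pd ofji[aq dlakw uert onhf;gae rp>
<asdf57449350{7454259A-6B5B-484B-BB51-4439D27F5558}pga;kldhja; najkghlkajfhldk>
<flkasj asdlf kja;sdklfj>
<ghirpwks 57449350 hidden hiddendmfahls>
"""

def parse_tags(html):
    """Yield (tag_name, tag_body) for each opening tag, tolerating junk content."""
    for m in TAG_RE.finditer(html):
        body = m.group(1)
        yield re.match(r"[A-Za-z0-9]+", body).group().lower(), body

def find_beacons(html):
    """Return the src URLs of <img> tags declared as 1x1 (tracking pixels)."""
    urls = []
    for name, body in parse_tags(html):
        if name != "img":
            continue
        attrs = {k.lower(): v.strip("\"'") for k, v in ATTR_RE.findall(body)}
        if attrs.get("width") == "1" and attrs.get("height") == "1" and "src" in attrs:
            urls.append(attrs["src"])
    return urls

def correlate(html, min_len=6):
    """Count bogus tags that embed a beacon query value (short values are skipped)."""
    bogus = [body for name, body in parse_tags(html) if name not in KNOWN_TAGS]
    hits = {}
    for url in find_beacons(html):
        for key, value in parse_qsl(urlsplit(url).query):
            if len(value) >= min_len:
                hits[(key, value)] = sum(value in b for b in bogus)
    return len(bogus), hits

if __name__ == "__main__":
    total, hits = correlate(SAMPLE)
    print("beacons:", find_beacons(SAMPLE))
    for (key, value), n in hits.items():
        print(f"{key}={value} recurs in {n} of {total} bogus tags")
```

A beacon parameter that recurs inside the filler tags indicates the filler is generated per recipient, which makes those values useful as filter features even when the visible text is only an image.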

Both of these domains, by the way, appear to have been affiliated with TheAdManager.com, another one of the “pin-striped” corporate spam houses that emerged some years back to do the dirty work for otherwise-respectable “mainsleaze” businesses. TheAdManager operated behind a multiplicity of suspicious-looking domains (as compiled by http://www.cluelessmailers.org/) such as “edealsdaily.com” or “offercatch.com.” When I visited their official abuse policy page (since taken down), I saw their numerous claims to be strictly “permission-based” or “opt-in” (right next to an advertisement for one of their clients), and when I visited their opt-out page (also long gone), I found an ad for anti-spam software (gotta love that). Elsewhere on the site, I found out how TheAdManager could help me “monetize” my mailing list (I shudder to think what that means).

Now that we have a bit of a picture of what TheAdManager is all about, we can see what may be happening here: Frederick’s apparently contracted with TheAdManager to do some mailing. No doubt Frederick’s marketing people were reassured by promises of “100% opt-in” like those on the page mentioned above.

Of course, whether Frederick’s actually swallowed these claims is not really important, since the claims still give them “plausible deniability,” as we used to say during the Iran-Contra scandal. Complain to Frederick’s about their use of spam, and they’ll just politely direct you to deal with the remailer who sent the spam (whom, by the way, they will not identify for you).

Using the feedback form on the Frederick’s website, I submitted the following note along with a copy of the spam (which apparently got mangled by Frederick’s mailback software):

I have just received the attached unsolicited e-mail sent on your behalf by a remailer. I have never at any time given permission to be sent such mailings, and this was sent to my work address which I do not use for personal correspondence. You should strongly reconsider the use of spam to promote your products.

Richard C. Conner, P.E.

(quoted message omitted)

A day or so later, I got back the following response:

Dear Customer,

We are sorry that you are having difficulty unsubscribing from Frederick’s e-mail offers. Since some of these e-mails are NOT sent by Frederick’s but rather by third parties, please follow the unsubscribe instructions on the individual e-mails you receive.

These instructions may include:

1. Replying to the e-mail with “unsubscribe” in the subject line

2. Clicking on a link

3. Cutting and pasting links into your Web browser if they are not “clickable”

If you have tried these steps and you are still receiving e-mail offers, please forward one of the e-mails to us at unsubscribe@fredericks.com and we will try to unsubscribe you ourselves.

We value your business and apologize for any inconvenience this may have caused.

Thank you for choosing Frederick’s of Hollywood.

Yvonne Martin
Customer Service Department
(602) 760-2111

Ms. Martin’s reply reminds me of the wonderfully cynical passage from a Dashiell Hammett short story in which the private-eye hero on duty in Mexico contemplates a sign reading “Only Genuine Pre-War Bonded American Whiskies Served Here” and wonders how many lies could be contained in a single sentence.

First, Ms. Martin calls me a customer (which I am not), then sympathizes with my plight at being unable to unsubscribe from Frederick’s mailings (which I was not trying to do), refers me to the individual mailer responsible for the spam (and doesn’t bother to name that firm herself), instructs me how to remove myself from lists (which is precisely what I don’t want to do), values my business (which I haven’t given), and thanks me for choosing Frederick’s of Hollywood (dammit, that’s precisely the point — I didn’t choose them!).

Frederick’s of Hollywood shows you what you can kiss
if you don’t like their e-mail marketing policy.

