home | legal stuff | glossary | blog | search

 Legend:  new window    outside link    tools page  glossary link   

Classic Spam: the “Free stuff” racket

The bottom line: As with any other sort of offer made on the internet (or anywhere else), you should consider exactly what the offeror wants you to do in exchange for your “free stuff” (which probably won’t be “free” after all).

OK, hands up: who among you out there would want to get a free iPod if there were no strings attached to the offer? Aha, just what I thought. Well, here's your chance — or then again, maybe not.

Return-Path: hidden
Received: from domdaeof.com ([172.18.12.134])
  by vms052.mailsrvcs.net (Sun Java System Messaging Server
  6.2-2.05 (built Apr 28 2005)) with ESMTP id
  <0IMF0065V549BGD0@vms052.mailsrvcs.net> for
  hidden; Tue, 06 Sep 2005 18:26:37 -0500 (CDT)
Received: from domdaeof.com (63.243.148.112)
  by sv4pub.verizon.net (MailPass SMTP server v1.2.0 - 080905135255JY+PrW)
  with SMTP id <1-14083-68-14083-76415-2-1126049190> for
  vms052pub.verizon.net;
Tue, 06 Sep 2005 18:26:37 -0500
Date: Tue, 06 Sep 2005 16:26:29 -0700
From: "For Music Lovers" <formusiclovers@domdaeof.com>
Subject:
=?iso-8859-1?B?QmV0dGVyIHRGhlIGxhc3Qgb25lLCBzdGlsbB1cyBzY290dC4=?=
X-Originating-IP: [63.243.148.112]
To: "not my nickname" address-hidden
Reply-to: hidden
Message-id: <0c948980056608e.1126049189@domdaeof.com>
MIME-version: 1.0
X-Mailer: Version 5.02.1409.9636
Content-type: multipart/alternative;
boundary="Boundary_(ID_HvZpHcft8ku9bBwKwQKJAw)"
Sun-Java-System-SMTP-Warning: Lines longer than SMTP allows found and wrapped.

--Boundary_(ID_HvZpHcft8ku9bBwKwQKJAw)
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 8BIT

Would you like a new Apple® iPod® Photo 60GB just for participating in a special promotion?
http://domdaeof.com/gopar/funny number/1/?email=hidden

Do you love music? Participate and see if you.re eligible to receive a FREE* Apple® iPod® Photo 60GB. It stores up to 15,000 songs and 25,000 photos!
This promotion is sponsored exclusively by Superb Rewards and is subject to participation terms and conditions. Receipt of the membership incentive gift requires completion of offer terms, including: age and residency requirements, registration with a valid email address, completion of user survey, sponsor promotions and shipping address verification. Upon completion of all requirements, we will promptly ship your membership incentive gift to your verified shipping address. You may review the status of your account via the member account area at anytime. Participation eligibility is restricted to US residents 18 and over. The trademark owners above have not endorsed this promotion, nor are they affiliated or connected with this promotion in any way. This is a limited time promotion and may expire in the near future. Restrictions may apply. If you no longer wish to get Superb Rewards emails, visit the un-subscribe page on the Superb Rewards site
http://domdaeof.com/go/funny number , or you can write us at: Superb Rewards, 123 N. Congress Ave. #351, Boyton Beach, FL 33426.








This advertising has been sent to you by NeedYourOpinion-info.
26910 Sierra Hwy #124 - Santa Clarita, CA 91321

http://domdaeof.com/link/funny number/



--Boundary_(ID_HvZpHcft8ku9bBwKwQKJAw)
Content-type: text/html; charset=iso-8859-1
Content-transfer-encoding: 7BIT

<HTML>
<HEAD>
<BASE HREF='http://domdaeof.com/'>
<TITLE>Free Ipod</TITLE>
<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
<!--
style5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small; }
style6 {font-size: 9px}
-->
</style>
</HEAD>
<BODY bgcolor="#FFFFFF" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<div align="center">
<p class="style2"><span class="style5"><a href="gopar/funny number/?email=hidden">Click here to claim your Apple&reg; iPod&reg; Photo 60GB</a></span></p>
<TABLE id="Table_01" width="500" height="332" border="0" cellpadding="0" cellspacing="0">
<TR>
<TD width="500" height="205"><A href="gopar/funny number/?email=hidden"> <IMG src="sites/00004026/images/ipodphoto60gb_emc_d30_01.gif" width="500" height="205" border="0"></A></TD>
</TR>
<TR>
<TD width="500" height="85"><A href="gopar/funny number/?email=hidden"> <IMG src="sites/00004026/images/ipodphoto60gb_emc_d30_02.gif" width="500" height="85" border="0"></A></TD>
</TR>
<TR>
<TD width="500" height="42"><A href="gopar/funny number/?email=hidden"> <IMG src="sites/00004026/images/ipodphoto60gb_emc_d30_03.gif" width="500" height="42" border="0"></A></TD>
</TR>
</TABLE>
<BR>
<SPAN class="style2"><!-- l stre --><span class="style5"><a href="gopar/funny number/?email=hidden"><!-- e soothed if I play the piano -->Click here to claim your Apple&reg; iPod&reg; Photo 60GB</a></span></SPAN><BR>
<BR>
<BR>
<table width="640" height="119" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="640"><div align="justify"><A href="gopar/funny number/?email=hidden"><IMG src="sites/00004026/images/SuperbRewards.gif" width="642" height="127" border="0"></A></div></td>
</tr>
</table>
<p>&nbsp;</p>
</div>
<p align="center"><font size=1 face="Verdana">To not receive these offers anymore, please click <a href="link/funny number/">here</a></font></p><br><center><img src='images/funny number/spacer.gif'></center><br>
</BODY>
</HTML>



--Boundary_(ID_HvZpHcft8ku9bBwKwQKJAw)--

Just as the spam in my inbox was dwindling down to an almost negligible number of hardcore warez-watches-drugs-’n-mortgage pitches, these weasels began moving the number back up again. I received as many as three a day from this particular outfit for the past several months until I begain using a simple content filter to block them (for the moment). The fact that these guys seem to have two ISPs and at least two net blocks in their pockets tends to indicate that they're going to be around for a good while longer.

Free stuff? What's the deal?


U2 can win an iPod (or not).
First, just what's the pitch here? To be honest, I'm less interested in the nature of this scheme than in the mechanics of the mailings that support it; however, my brief research has inspired me to create a new corollary to my spam rule #1: any offer made via spam is automatically suspect.

Although I haven't tried these free-stuff rackets out myself, I have read some accounts of these schemes on the web. Basically, although they don't come out and say so right off the bat, the organizers (the people who put up the websites and send the mails) want to recruit you to become a (possibly uncompensated) salesman for their various sponsor firms.

Bright young third-age biz-school types might like to call this "viral marketing" (in which the sales pitch is transferred from person to person, one relationship at a time, like the common cold or athlete's foot), but the older term "pyramid scheme" might be a more apt description (at least according to one online source at http://www.uglx.org/scam2).

If you were to follow the web link included in one of these pitches, you would no doubt find that you can't get your "free" iPod (or computer, or game console, or TV set, or gift certificate, etc.) until you, er, "complete our sponsors' programs." "Completing a program" appears to entail persuading a number of folks to buy into various commercial offers, like new credit cards, satellite TV subscriptions, record clubs, and the like (these business then pay a "referral fee" to the organizer, from which money the free trinkets are supposedly disbursed). Your "downline" buyers are also induced to join the program in order to get their own iPods.

If you manage to make the sales to fulfill the rather complicated requirements of these schemes, and if you do so within the stipulated time limit (e.g., 90 days), then you will get your iPod. Or, maybe you won't; apparently the operators of these programs, or their sponsors, aren't always diligent about recording sales, and at least one participant has complained about getting rooked out of his free gizmo.

Of course, many folks do manage to struggle through and get their iPod, and they can often be seen posting to online forums to vehemently defend these schemes. However, the mathematics of the pyramid scheme (of which the chain letter and the Ponzi racket are other examples) dictate that most of the people who participate won't get anything. If these schemes go on for any length of time, the vast majority of participants will be at the very ends of the "downlines" and won't make enough sales to win the prize (i.e., they can't convince enough other people to participate, or can't buy enough themselves); those sales that they do make will therefore be completely uncompensated. Probably, then, a large majority of the sales made from such schemes will not require the organizer to ship any iPods.

The mails I get from these folks usually play up the "free stuff" hook pretty heavily, but hide the personal-selling aspect of the scheme; in fact, it wasn't until I researched this page that I learned of the selling requirement. Instead of coming out and telling you they want you to sell stuff, they often babble about "product testing" or try to hook you by inviting you to express your opinion on some trivial matter ("Coke vs. Pepsi," "Addidas vs. Nike," "Bush vs. Kerry" and so forth), implying that merely by stating your opnion you will get your prize.

I don't see anyone making the case for these schemes being even technically illegal (tho' my legal opinion is worth less than a chance at a free iPod), but they do deserve your most skeptical perusal. Now, onto the spam aspect.

Clean spam, for a change

One interesting aspect of this particular message (which is pretty typical of the dozens I've gotten from these folks) is the fact that the headers are fairly clean and unforged. The HELO is given as "domdaeof.com (63.243.148.112);" using nslookup, I see that domdaeof.com resolves to 63.243.148.102, while 63.243.148.112 resolves to mx9.domdaeof.com; this is close enough for a cigar (although perhaps not for a free iPod). Nor have they added any bogus routing lines; they are pretty straightforward about the origins of the message.

On the other hand, they have MIME-encoded their subject line (using the encoded-word scheme):

Subject:=?iso-8859-1?B?QmV0RoYW4gdGhlIGxhc3Qgb25lLCBzdGlsbCBBzY290dC4=?=

This decodes to (I obfuscated the nickname):

Subject: Better than the last one, still on us nickname hidden.

There's no technical reason why this subject line had to be encoded, since it consists only of plain 7-bit ASCII text. However, as we know, spammers often encode subject lines to keep lazy spam-filters from scanning them for trigger words.

Throughout their onslaught on me, they used my e-mail address correctly, but consistently paired it with the same incorrect nickname on the To-address line (see the yellow highlight in the spam message above). This nickname, which I've hidden, was unfamiliar to me and did not match my name in any way. This seems to be clear evidence of the use of net scraping, or other unethical means of address collection — if they had my e-mail address legitimately, they'd have had my nickname as well, or at least they would not feel compelled to make up a nickname.

This message contains no "neutral" text to confuse Bayesian filters, although other messages from these folks did have such text.

Smooth sailing for the free-stuff people

What could account for the longeivity of these spammers despite the relative lack of camouflage and the constant re-use of the same IP addresses, mail hosts, and web domains?

Normally, most spammers have to resort to stealing service from open relays or proxies in order to move their mail, and have to host their websites with no-questions-asked "bulletproof" offshore providers. They have to keep a very low profile to delay or evade detection. These guys, on the other hand, have been sending their mail from, and hosting their websites at, the same group of addresses for a very long time now. These addresses are in North American (ARIN-managed) blocks that are listed as belonging to them. Clearly, then, these aren't your typical nomadic whack-a-mole spammers.

Sampling some of the messages I've received from this outfit, I find that their mail hosts and their websites reside almost exclusively in two distinct net blocks:

net block
(CIDR notation)
owner usable addresses upstream providers
63.243.148.0/24 MailCompanyX 254 (1-254) Teleglobe (63.243.0.0)
63.143.148.32/27 Voipack 30 (33-62) Winstar (63.140.0.0)
FCG Doghouse (63.143.0.0)

Filtering out free stuff

Because most spammers flit from address to address, and from domain to domain, like flies on a hot skillet, it can be very difficult to construct specific mail filters to deal with specific spammers. Thanks to their fixed net presence, however, the MailCompanyX guys are a notable exception, giving us several ways to shunt their appeals away from our inboxes.

The simplest technique, however, is derived from the fact that these guys have consistently used the same fake e-mail nickname for me for lo these many months; I simply went to my ISP's website and set my e-mail preferences to trash any message in which that nickname appears in the To-address field. This seems to be working, although they may eventually pick a new nickname for me and thereby get around the filter.



 home | legal stuff | glossary | blog | search

 Legend:  new window    outside link    tools page  glossary link   


(c) 2003-2007, Richard C. Conner ( )

05377 hits since March 27 2009

Updated: Sat, 18 Aug 2007