
Classic Spam: Pump and dump

The bottom line: Stock touts are now one of the biggest single categories of spam mail. They are frequently misunderstood by the public, as I describe below. They are nothing more than attempts to profit from the actions of foolish investors. In most cases, they are perpetrated by individual crooks, and not by the companies whose shares are promoted. You should be extremely skeptical of investment information delivered via unsolicited, anonymous e-mail messages.

Illustration from recent stock spam

Update, 15 June 2006: Sic transit gloria mundi. When I prepared this page, we were in the middle of a very heavy wave of stock-spam spewage. In the years since, this stuff has dwindled to nearly zero (in my own inboxes at any rate). Apparently, stock spam is also far less frequently on the minds of visitors to this site, since it has slipped out of the top-five most popular pages of this site (replaced by my page on drug spam). Credit for these developments might well be attributed to a couple of high-profile prosecutions, perhaps also to some policing and public-information efforts by the OTC stock trading industry. I don’t expect a good scam to stay down for long, however, so I will keep this page largely as is for now.

Disclaimers (14 September 2006): Yes, there’s one in every crowd. I recently received a message apparently from an upset investor insinuating that, by posting spams identifying a particular spammed stock, I was actually trying to spread bad publicity and thereby “short” the stock for my own gain. So, this means that the rest of you will henceforth have to sit through the following disclaimers:

  1. I do not trade stocks nor do I have any other interest in the companies named on this page as having had their shares promoted via spam.
  2. I have no knowledge that the companies named on this page are colluding with spammers; in fact, in the absence of any information to the contrary, I assume that they are not.
  3. This website is not to be considered a source of investment advice or information on particular stocks. You are directed to my limited warranty for this site for further information.

So there; now that you are properly briefed, we can get on with the show.

In former years, stock “tips” were one of the biggest constituents of the world’s spam load. I’d guess that these appeals used to make up at least one-third of the spam I get in the office, but the volume has since dwindled quite a bit.

If you get these, you may wonder what they’re about. It isn’t unusual, of course, to get investment tips from your family, friends, or colleagues (or from your stockbroker, for that matter) — but why on earth would someone send out hot stock info to millions of strangers via bulk e-mail? I’m afraid that the answer is not that he wants to make us all rich; in fact, he’s rather hoping for the opposite.

The stock-tip e-mail, like chain letters and pyramid schemes, is yet another example of an old confidence game that has found a new home on the internet: the so-called pump and dump racket. It boils down to simple fraud: the transfer of money from the pockets of the victims to those of the perpetrators, conducted under the pretense of stock trading.

Pump and dump: how it works

The pump-and-dump racket usually starts with a company (a so-called “microcap”) that has very little in the way of capital assets, and whose stock is very infrequently traded. Such a target company will tend to have a very small (sub-dollar or even sub-cent) share price, and these shares are probably “pink-sheet” stocks that do not meet the minimum requirements for trading on the major exchanges (NYSE, NASDAQ, etc.) or even on the over-the-counter bulletin board.

After buying some cheap shares in the stock, the perp sends out bulk e-mails lavishly promoting the chosen stock, with phrases like “strong play,” “watch this one take off” etc. The messages will describe forthcoming business deals and will cite company press releases, along with information from (largely unknown) analysts. The messages urge you to get on the bandwagon now in order to realize the spectacular gains that are about to happen. This stirring-up of interest in the stock is the “pump” part of the game.

Invariably, a few suckers will bite on the lure and buy some shares in the stock; the sudden burst of interest in the otherwise dormant stock will tend to force the price upward, at which point the perp (or his fellow-conspirators) can sell their shares at a profit. This, of course, is the “dump” part of the game. Just as the flurry of buying forces the share price up, the flurry of selling will force it right back down again, usually to its original price (if not less). The perps have the suckers’ money, and the suckers have a bunch of low-performing, nearly worthless shares. Clever, huh?

In the USA, the pump-and-dump game is criminal securities fraud. The U.S. Securities and Exchange Commission (SEC) is responsible for policing the stock markets and dealing with pump-and-dump artists. The SEC’s website includes a useful guide to pump-and-dump and other risks of trading in microcap stocks.

The spam angle

It turns out that spam is an ideal vehicle for pump-and-dump fraudsters.

What distinguishes pump-and-dump e-mail from most other varieties of spam is the fact that the senders don’t expect any kind of direct response from you; they have no pills or porn or watches to sell, and no mortgage companies waiting for hot leads. All they want is to drop their “information” in your inbox in the hope that you’ll take action on your own. For this reason, stock spam can run with a much lower network profile than most other kinds of spam, and is consequently harder for providers and law-enforcement types to deal with.

In fact, these spams, like King Claudius’s sorrows (in Hamlet), come not single spies but in battalions. I’ll often get a dozen or more spams touting the same stock over the course of a week or so; the spams are often in a couple of different variations, so I suspect that more than one spammer may often be at work in a single scam.

On the other hand, stock spams by their nature are very easy for content-based spam filters to detect and detain, so the spammers have to use some tricks to get past these filters. In this regard, we’ll next take a look at a couple of representative examples.

Plain-text stock spam

Received: from verizon.net (68.238.170.28)
   by sv9pub.verizon.net (MailPass SMTP server v1.2.0 -
   080905135255JY+PrW)
   with SMTP id <2-9251-149-9251-508503-1-1131595537> for
   vms051pub.verizon.net;
   Wed, 09 Nov 2005 22:05:40 -0600
Date: Thu, 10 Nov 2005 17:01:36 +0000
From: "Carol E. Camacho" <<address-hidden>>
Subject: Urgent Oil Penny St0ck Alert
X-Originating-IP: [68.238.170.28]
To: <<several alphabetically-adjacent addresses including mine>>
Message-id: <BILODFGOBHJPIGDALBJPBMIFGBAA.<<address-hidden>>>
MIME-version: 1.0
Content-type: text/plain
Content-transfer-encoding: base64

Tm92ZW1iZXIgSXNzdWUgMTEtMDktMDU6DQoNCkluIHRoZSBjdXJyZW50IG9p
bCBtYXJrZXQsIHNlbGVjdCBzbWFsbCBlbmVyZ3kNCmRlYWxzIGFyZSBmbHlp
bmcuICBXaXRoIGdyb3dpbmcgZGVtYW5kLA0Kc2hyaW5raW5nIHN1cHBsaWVz
LCBhbmQgZ292ZXJubWVudCBzdXBwb3J0IGZvcg0KZG9tZXN0aWMgZW5lcmd5
IHByb2plY3RzLCBpcyB0aGVyZSBhIGJldHRlcg0Kc2VjdG9yIHRvIGludmVz
dCBpbj8NCg0KV2l0aCB0aGlzIGluIG1pbmQsIHdlIHdvdWxkIGxpa2UgdG8g

[...snipped...]

This mail was sent from 68.238.170.28, part of a very small FTTP (“fiber-to-the-premises”) block that Verizon sold to someone called Nirmala Perumal in Tampa, Florida (one of the current world capitals of spam). Congratulations, Nirmala: yours is the first spam I’ve received via Verizon FIOS.

A forged HELO (“verizon.net”) was used; and since no “real” intermediate mail hosts handled the message, this seems to be a direct-to-MX spam.

The message contains the stock pitch in the form of a block of plain ASCII text that has been base64 encoded (the odd-looking lines at the bottom of the message). There’s no technical reason to base64-encode plain ASCII text; what the spammer is doing here is simply hiding the content from lazy spam filters that don’t know how to do MIME decoding. Here’s what was disguised:

November Issue 11-09-05:

In the current oil market, select small energy
deals are flying. With growing demand,
shrinking supplies, and government support for
domestic energy projects, is there a better
sector to invest in?

With this in mind, we would like to present a
company poised for Big returns:

PREMIUM PETROLEM, INC.

Symbol: PPTL. PK

Current Price: $0.02
2-3 Target Price: $0.05

A Big PR campaign Has just Begun!
How Will it react starting THURSDAY MORNING?

* You May want ot Act Quick *


Premium Petroleum, Inc. is a diversified energy
company focused on exploiting the vast oil and
gas reserves of Northern Canada. With a strong
management and technical team, Premium
Petroleum will apply innovative technologies
towards the discovery and development of a
diverse portfolio of high value, low risk
energy projects. The company just went public
in August of this year, and is in a position to
do great things.


***Why we believe PPTL is a Winner***

++News From the Sector++

* Crude oil prices continue to remain high,
nearly double the price of the previous year.

* Natural gas futures have more than doubled
compared with a year ago and are expected to
produce huge heating bills this winter across
much of the United States.

* According to a Goldman Sachs report, Oil
markets have entered a "super-spike" period
that could see 1970's-style price surges as
high as $105 a barrel.

*Chinese and Indian oil demand continues to
surge with no end in sight.


++News From PPTL++


* Aug 10, 2005 - Premium Petroleum goes public

* Sep 8, 2005 - Premium Petroleum purchases
the gas rights to 640 acres of proven land.

* Sep 14, 2005 - A study commissioned by
Premium Petroleum values gas rights on acquired
property to be approximately $8,OOO,OOO per
well with a 12 well potential.

LATEST NEWS:

CALGARY, Alberta--(BUSINESS WIRE)--Oct. 31,
2005--Premium Petroleum, Inc. is pleased to
announce that it has initiated its Seismic
program on its Boyne Lake Gas Project. Due to
the channel sand nature of the geology at the
site, management has decided to shoot a seismic
program to assist in identifying the optimum
drill location on the subject lands. To this
end, a highly respected geophysical firm of
Petrel Robertson Consulting Ltd. has been
retained to design, oversee, and interpret a 3-
line 8 km seismic program. This program should
be completed and interpreted within the next 30
to 60 days, subject to equipment availability.

"The power of seismic is that it raises the
probability of success," commented Bruce
Thomson, President and Chief Executive Officer
of Premium Petroleum, Inc. "In this case from
an estimated 35% to an over 70%," concluded
Thomson.


The time to get in on this is Now! Once these
small companies start moving, they appreciate
rapidly.


Please Watch this one trade all week!


___________________________________________
Disc|a1mer:
Information within this em4i| c0nta1ns "f0rw4rd
|0ok1ng st4t3ments" within the meaning of
Sect10n 27Aof the Secur1ties Act of 1933 and
Secti0n_21B of the Secur1ties_Exchange_Act of
1934. Any statements that express or inv0lve
discussi0ns with respect to pred1cti0ns,
expectati0ns, be|iefs, p|ans, pr0jecti0ns,
objectives, goals, assumptions or future
events or performance are not statements of
historicalfact and may be "f0rw4rd |0ok1ng
st4t3ments". "f0rw4rd |0ok1ng st4t3ments" are
based on expectations, estimates and
pr0jections at the time the statements
are made that involve a number of risks and
uncertainties which could cause actual results
or events to differ materially from those
presently anticipated. We were paid a sum of
three th0us4nd USD to disseminate this
information from ir marketing. f0rw4rd |0ok1ng
st4t3ments in this action may be identified
through the use of words such as "projects",
"f0resee", "exp3cts", "wi||", "ant1cipates",
"est1mates", "be|ieves", "understands" or that
by statements indicating certain acti0ns "may",
"c0uld", or "might" occur. Risk fact0rs include
general economic and business conditions, the
ability to acquire and develop specific
projects, the ability to fund operations and
changes in consumerand business consumption
habits and other factors over which the company
has little or no control. The publisher of this
news|etter does not represent that the
information contained herein are true and
correct.

The reason why the spammer felt compelled to obscure this message with base64 is that it is chock-full of red flags for content-based spam filters. The statement at the bottom is very typical of the kind of “boilerplate” disclaimer one sees in these messages, but note that the spammer has applied some “creative” spelling to many of the key words.
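The two evasions described above (base64 transfer encoding and look-alike spelling) can both be undone before keyword matching. The following is an added example, not code from the original page; the keyword list, the character map and the sample message are assumptions constructed for illustration.

```python
import base64
import re
from email import message_from_bytes, policy

# Phrases a content filter might weight for stock spam (assumed list, illustration only).
KEYWORDS = ("penny stock", "target price", "forward looking statements", "securities act")

# Look-alike swaps seen in the disclaimer above; "1" is mapped to "i" only (an approximation).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "|": "l"})

def deleet(text):
    """Undo the swaps, but only in tokens containing a letter, so "$0.02" and "1933" survive."""
    def fix(match):
        tok = match.group(0)
        return tok.translate(LEET) if any(c.isalpha() for c in tok) else tok
    return re.sub(r"\S+", fix, text)

def decoded_text(raw):
    """Subject plus every text/* part, with the Content-Transfer-Encoding undone."""
    msg = message_from_bytes(raw, policy=policy.default)
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            try:
                chunks.append(part.get_content())
            except (LookupError, UnicodeError):  # unknown or wrong charset label
                chunks.append(part.get_payload(decode=True).decode("latin-1"))
    return "\n".join(chunks)

def hits(text):
    """Keywords present once case and line wrapping are ignored."""
    flat = " ".join(text.lower().split())
    return [k for k in KEYWORDS if k in flat]

def scan(raw):
    """Compare a filter reading the wire bytes with one that decodes, then normalises."""
    decoded = decoded_text(raw)
    return {"naive": hits(raw.decode("latin-1")),
            "decoded": hits(decoded),
            "normalised": hits(deleet(decoded))}

# Constructed sample modelled on the message above; the address is a placeholder.
BODY = (
    "Current Price: $0.02\r\n"
    "2-3 Target Price: $0.05\r\n"
    'Information within this em4i| c0nta1ns "f0rw4rd |0ok1ng st4t3ments"\r\n'
    "within the meaning of the Secur1ties Act of 1933\r\n"
)
SAMPLE = (
    b"From: sender@example.invalid\r\n"
    b"Subject: Urgent Oil Penny St0ck Alert\r\n"
    b"MIME-version: 1.0\r\n"
    b"Content-type: text/plain\r\n"
    b"Content-transfer-encoding: base64\r\n\r\n"
    + base64.encodebytes(BODY.encode("ascii"))
)

if __name__ == "__main__":
    for stage, found in scan(SAMPLE).items():
        print(f"{stage:10} {found}")
```

A filter that reads the raw bytes matches nothing, MIME decoding alone recovers only the unobfuscated phrase, and all four phrases match after normalisation.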

Stock pitch concealed in an image

Our next example uses a different approach to hiding the pitch: the spammer has concealed it within a GIF image. Even the best content-based spam filters can’t fish the text out of an image, so the message has a much better chance of getting through.

Received: from pool-71-103-153-100.lsanca.dsl-w.verizon.net (71.103.153.100)
   by sv11pub.verizon.net (MailPass SMTP server v1.2.0 - 080905135255JY+PrW)
   with SMTP id <1-1292-199-1292-518866-1-1131735736> for vms047pub.verizon.net;
   Fri, 11 Nov 2005 13:02:38 -0600
Received: from esng7 (FLBPEHBK.carolina.net[71.103.153.100])
   by cybx.net (qac11) with SMTP id <1003419563957339725kci4mo>;
Fri, 11 Nov 2005 12:53:15 -0600
Date: Fri, 11 Nov 2005 19:59:15 +0100
From: "Vilma Haines" <<address-hidden>>
Subject: She stipulate after micronesia
To: "Mkfish1" <<not-my-address>>
Message-id: <4325705329.17523475057@alaweb.com>
MIME-version: 1.0


This is a multi-part message in MIME format.

----BfJel8Kmpm0oxU4X0O3L
Content-Type: multipart/alternative;
boundary="--DAvgSrjqjz9BhsPDV2g58gtN"

----DAvgSrjqjz9BhsPDV2g58gtN
Content-Type: text/plain;
charset=windows-1252
Content-Transfer-Encoding: 7bit

to kiss her fan again and shake it at the sequester who was looking at us in a state of
half a crown I was got up in a special great coat and shawl expressly to do honour to that
Mr Vogt said not one word though the old lady looked to him as if for his commentary on

----DAvgSrjqjz9BhsPDV2g58gtN
Content-Type: text/html;
charset=windows-1252
Content-Transfer-Encoding: 7Bit

<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<TITLE>eighthalcove fetal</TITLE>
</HEAD>
<BODY>
<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TD><font></font><font></font>
<BR>
<STRONG></STRONG><IMG SRC="cid:4hVN2JqN5gvYgLB7S9Nrcok9vlU7CAHw@adamswells.com" border="0" ALT="very much amused at my having been put into blenheim vinson laughed again and clapped me on">
<BR>
<STRONG></STRONG><font></font><FONT face="Verdana" size=1><FONT></FONT></font></TD></TR><TR><TD><FONT size=1><BR>
<BR><font></font><STRONG></STRONG>with a squint who had no other merit than smelling like a adsorption outlawrys and being able<BR>
I intimated that I hoped I should be what she described <STRONG></STRONG><STRONG></STRONG>the recollection of what I had seen on that night when Mr Souza went away first began<BR>
As you certainly would be in any contract you should make for yourself Well I am ready </FONT></TD></TR><TR><TD><FONT size=1>And I am rejoiced to see you too he said shaking my hands heartily Why Santana<BR>
now I look at you Not altered in the least <FONT SIZE=2></FONT><font></font>to my old enemy the butcher and throw him five shillings to drink But he looked such<BR>
they had been at school was a most novel and delightful effect But the mingled reality<BR>
that I had for his grey head was mingled with commiseration for his faith in those who<BR>
foundling season when I left schoolas this knotty point is still unsettled and as we must</FONT></TD></TR><TR><TD><FONT size=1>Neil compulsory Diamond cackle which I knew there were not and couldnt be<BR>
her father at the door of the room and was hanging on his shoulder The expression of her face<font></font><BR>
as like heras she was that afternoon before she began to fret bless my heart hes as like her<BR>
of the country and have just finished my education there How do YOU come to be here Mooney <font></font><FONT SIZE=2></FONT>They were taking leave of each other and Jennifer was going to embrace her and kiss her<BR>
Well now said the waiter in a tone of confidence what would you like for dinner<font></font>Indeed Poor caribou Jack said Mrs Bowman shaking her head That trying climate<BR>
And the Punches said Dorthy Theres cattle A inter conceal when hes a good un is worth<BR>
qkrLYPhmlDp8Ymy6Z6nsYzbjqtO1vb1IOjlJoOEuonY3qR2NsGuap05IV4Wn7Bi 12UAgPhKdlCCxSS2trEyMclwY<BR>
fear that it might displease him I could have held him round the neck and cried <BR>
hand were in the bosom of my shirt again When we clattered through the narrow<BR>
I was so softened and forgiving going through the town that I had half a mind to nod<BR>
given all I had for lawful permission to get down and thrash him and let all<BR>
days in London if I liked it either on my way down into Suffolk or in coming back In a word<BR>
the usual hour and round the study fireside found the dicta and his young wife and her mother<BR>
MY aunt and I had held many grave cortical on the calling to which I should be<BR>
barbudo and I was eminent and distinguished in that little world <BR>
he asked me what I would take with it and on my replying Half a pint of sherry thought it a</FONT></TD></TR></TABLE>
</BODY>
</HTML>

----DAvgSrjqjz9BhsPDV2g58gtN--

----BfJel8Kmpm0oxU4X0O3L
Content-Type: image/gif;
name="Wcvbek.GIF"
Content-Transfer-Encoding: base64
Content-ID: <4hVN2JqN5gvYgLB7S9Nrcok9vlU7CAHw@adamswells.com>

R0lGODlhhgEVA4cAAAAAAE5OTmhoaHx8fAAAgE5Op2hYtHx8vg2NjZulm6e
zaen07Oz2b293sfHx9DQ0NnZ2cfH49DQ6NnZ7OHh4enp6eHh8Onp9PHx8fH
JY5oYfKua7c0q78vxBBwLuzl2S0J1beduwZV97tmxHYE3mMnain9PkhxSAp
gOoJSnyyZGj5cxN2rO8aKnXdpY70hApCODiLbI49un9SL4FWeSWI1KUqGmU
PAKOk5E4HfijFfK86bkbVr2XoiE04sS0AT4oQrubHWQMnuQIqE3odQmvCHn


[...snipped...]

This spam was received from 71.103.153.100, yet another Verizon address; this one is from a DSL “pool” in Los Angeles, so this may be an instance of transmission by an open proxy or “zombie,” and direct-to-MX mailing in any case. A forged header line was added, pointing to an unknown host FLBPEHBK.carolina.net.

The body of the mail, which I have edited and doctored for brevity, is a MIME multipart message with three parts. It fits what has become a very familiar pattern for many types of spam these days:

Because the spammer has embedded the image in the message, and has linked to it using an “internal” cid: link (rather than the customary “external” http: link), he does not have to store the image on a remote server that could be detected and shut down. He’s also made your computer swallow a message that has been bloated up to nearly 29kBytes (in plain text, this mail probably would have been a quarter of this size or smaller).
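Since the pitch text itself is out of reach inside the image, a filter can score the message structure described above instead. This is an added example, not code from the original page; the decision rule, the function names and the constructed sample (with placeholder addresses and stand-in image bytes) are assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

CID_REF = re.compile(r"""src\s*=\s*["']?cid:([^"'\s>]+)""", re.I)  # <img src="cid:...">
URL = re.compile(r"https?://", re.I)

def features(raw):
    """Structural facts: cid-linked images carried in the message, decoded sizes, external links."""
    msg = message_from_bytes(raw, policy=policy.default)
    refs, images, text_bytes, links = set(), {}, 0, 0
    for part in msg.walk():
        main = part.get_content_maintype()
        if main == "text":
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            text_bytes += len(body)
            links += len(URL.findall(body))
            if part.get_content_subtype() == "html":
                refs.update(CID_REF.findall(body))
        elif main == "image":
            cid = str(part.get("Content-ID", "")).strip().strip("<>")
            images[cid] = len(part.get_payload(decode=True) or b"")
    embedded = refs & set(images)  # referenced by the HTML and present in the message
    return {"embedded": embedded, "links": links, "text_bytes": text_bytes,
            "image_bytes": sum(images[c] for c in embedded)}

def looks_like_image_spam(raw):
    """Assumed rule: an embedded cid image outweighs all text and nothing links off-site."""
    f = features(raw)
    return bool(f["embedded"]) and f["links"] == 0 and f["image_bytes"] > f["text_bytes"]

def build_sample(inline=True):
    """Constructed message: filler text plus an image, either embedded (cid:) or remote (http:)."""
    msg = EmailMessage()
    msg["Subject"] = "She stipulate after micronesia"
    msg.set_content("to kiss her fan again and shake it at the sequester\n")
    cid = "<img1@example.invalid>"
    src = f"cid:{cid[1:-1]}" if inline else "http://example.invalid/pitch.gif"
    msg.add_alternative(
        f'<html><body><img src="{src}"><font size=1>Mr Vogt said not one word</font>'
        "</body></html>", subtype="html")
    if inline:
        stand_in = b"GIF89a" + bytes(2000)  # placeholder bytes, not a real image
        msg.get_payload()[1].add_related(stand_in, "image", "gif", cid=cid)
    return msg.as_bytes()

if __name__ == "__main__":
    for inline in (True, False):
        raw = build_sample(inline)
        print(inline, features(raw), looks_like_image_spam(raw))
```

The rule is a starting signal to combine with others, since legitimate mail with an inline logo normally also carries links and more text than image.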

Here’s the image that spammy wants so badly for you to see (NOTE: this GIF file may be malformed and possibly will not display in your browser):

Pretty professional-looking pitch, don’t you think? I’m not sure what caused the glitchiness at the bottom; it could be a problem with my decoding from base64, but it’s at least as likely that it was present in the original image.





(c) 2003-2007, Richard C. Conner


Updated: Sun, 15 Jun 2008