Classic Spam: White-hat spammer?

This e-mail message reads almost like an adventure story: the hero penetrates the murky underworld of the spammer and steals its deepest secrets to bring back and reveal to us all (for a small donation, at any rate). Can we trust this "white-hat" spammer? Let's take a closer look.

Return-Path: <<address-hidden>>
Received: from unknown (HELO temqube.teac.com.my) (210.19.150.132)
by scgin.cesmail.net with SMTP; 28 Aug 2002 19:43:45 -0000
Received: from rly-ip02.mail.aol.com ([10.1.1.3])
by temqube.teac.com.my (8.10.2/8.10.2) with SMTP id g7SJhSg12723
for <deleted>; Thu, 29 Aug 2002 03:43:29 +0800
Received: from tot-tn.proxy.aol.com (tot-tn.proxy.aol.com
[152.163.207.1]) by rly-ip01.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
with ESMTP id VAA14375; Wed, 28 Aug 2002 11:28:46 -0400 (EDT)
From: <millersk@excite.com>
Message-Id: <bXeOy4Au@rly-ip02.mail.aol.com>
Subject: Do you want to know who is sending you junk mail?
Reply-To: Impro@zybermail.com
Mime-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Date: Wed, 28 Aug 2002 12:44:32
X-Mailer: Eudora Lite Vers 4.04
X-Date: Wed, 28 Aug 2002 12:44:32



<html>
<head>
<title>index.page</title>
<P>
<FONT FACE="arial, helvetica" SIZE=4 COLOR="#000000">
Attention anti Spammers.
</P>
<P>

We have been fighting spam for years and thanks to all
anti spammers we have made a difference! But now let's take action
from a different approach. Let's contact the spammers directly.
</P>
<P>
Face it, reporting it to abuse, spam cop, using softwares, etc.
are effective yet limited.
We started our fight out of frustration years ago and about 2 years
ago decided to work "under cover" and develop a close rapport with
a large spam network full of get rich quicks, mlms, diet plans,
porn...and even the relentless University Diplomas.
</P>
<P>
We purchased their software, took their technical support, etc.
They even told us how to avoid "antis" attempt to filter them
and how to get around it. All along these people also encouraged
us to "sell them anything..who cares".
</P>
<P>
Well, we care and we know you do. Why not contact them directly
and learn how to pass THEIR filters. Learn how to truly return mail
to their email box.
</P>
<P>
We have the names, email addresses, telephone numbers, websites,
physical addresses, etc, and most of all techniques to send it
right back to them.
</P>
<P>
We have spent endless hours and several thousand dollars on this
"hobby" turned night job.
</P>
<P>
Please donate whatever you'd like from $2.00 - $7.00 and we'll
get the information right out to you.
</P>
<P>
Thank you,
</P>
<P>
Impro Research</P><P>
<A href=https://www.paypal.com/xclick/business=EMIcorp2002%40
yahoo.com&item_name=Info+you+requested&item_number=001

</A>


<P>
<B>
For more Information
CLICK HERE

</B>
</P>
</FONT>

</body>
</html>
</P>

What is he urging us to do?

First, let's ask what Mr. White Hat proposes that you do about spam: he suggests you track down the senders and deluge their own personal mailboxes with copies of their spewage. This seems like a satisfying bit of revenge -- but it is no more than that: revenge.

My objective where spam is concerned is simply to stop it, not to attack or harass anyone. I fail to see how launching a slow-motion mail bomb of the sort proposed here will do anything to advance this objective.

In other words, we need to keep rule #5 in mind. Trying to flame or abuse the spammer won't stop spam. What will stop it is reporting it and having his resources taken away from him.

What is he selling?

Frankly, I can't tell what Mr. White Hat is trying to sell me. Apparently, he wants to send me personal information about spammers (their names, addresses, etc.). I don't know in what form he is going to send it to me (in an "e-book", on a CD-ROM, on a secure website or FTP site, tied to a rock thrown through my window, etc.). Sure, he's not asking a lot of money, but even so I'd like to know what I'd be getting before I pay.

One thing to look out for when a spammer tries to sell you nothing more than information ("e-books" etc.) is whether you might be able to get this same information just as easily (and more cheaply) yourself. In this case, we can visit The Spamhaus Project at http://www.spamhaus.org/ and consult their ROKSO database ("Registry of Known Spam Operations") for all the info we could ever want on lots of different spammers (if you are interested in that sort of thing).

Actually, I wouldn't be at all surprised if what I got back for my five bucks (if I got anything at all) would be nothing more than the URL for The Spamhaus Project.

Do we know him?

Mr. White Hat presents very little in the way of credentials. We don't have a return mail address (at least, not one that is likely to work). We have a company name (which doesn't yield anything useful in a Yahoo search), but no address or phone number. There's no website we can visit to see for ourselves what he's about (although he evidently intended to include one in the message: the "For more Information CLICK HERE" text at the end has no link behind it).

What we do know about him is that he has forged the header of the message: in the first two Received lines the from-host names do not match their IP addresses, and he's trying to pin blame for the message on AOL when in reality it came from an IP address (210.19.150.132) in Malaysia.
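As an added illustration (my own code, not part of the original page), here is a small Python script that applies the kind of checks just described to the three Received lines of this message. It flags a hop whose claimed peer has a private (RFC 1918) address, a hop whose connecting host had no reverse DNS (so its name rests only on the HELO it chose for itself), and a break in the chain where one hop's sending host is not the host that wrote the next older line. The sample headers are copied from the message above; the script does no DNS lookups, so the name-to-address comparison the text relies on is not reproduced here.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the three Received: lines from the message
# above, with their folded continuation lines joined onto one line each.
# Mail servers prepend Received: lines, so index 0 is the newest hop.
RECEIVED_HEADERS = [
    "from unknown (HELO temqube.teac.com.my) (210.19.150.132) "
    "by scgin.cesmail.net with SMTP; 28 Aug 2002 19:43:45 -0000",
    "from rly-ip02.mail.aol.com ([10.1.1.3]) "
    "by temqube.teac.com.my (8.10.2/8.10.2) with SMTP id g7SJhSg12723 "
    "for <deleted>; Thu, 29 Aug 2002 03:43:29 +0800",
    "from tot-tn.proxy.aol.com (tot-tn.proxy.aol.com [152.163.207.1]) "
    "by rly-ip01.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0) "
    "with ESMTP id VAA14375; Wed, 28 Aug 2002 11:28:46 -0400 (EDT)",
]

# from <name> [(HELO <name>)] [(<rdns> [<ip>])] by <host> ...
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"                   # name recorded for the peer
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"     # name the peer announced
    r"(?:\s+\(\s*(?P<peer>[^)]*)\))?"         # "(rdns [ip])" or "(ip)"
    r"\s+by\s+(?P<by>\S+)",                   # the server writing the line
    re.IGNORECASE,
)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Finding:
    hop: int      # index into the header list (0 = newest hop)
    code: str     # short tag for the anomaly type
    detail: str   # human-readable explanation


def parse_hop(line):
    """Split one Received: line into the names it carries.

    'from' is what the receiving server recorded for the peer (reverse DNS,
    or 'unknown' if there was none), 'helo' is what the peer called itself,
    'ip' is the address the receiving server actually saw, 'by' is the
    receiving server.
    """
    m = HOP_RE.search(line)
    if not m:
        raise ValueError(f"unparseable Received line: {line!r}")
    peer = m.group("peer") or ""
    ip_match = IP_RE.search(peer)
    return {
        "from": m.group("from"),
        "helo": m.group("helo"),
        "ip": ip_match.group(0) if ip_match else None,
        "by": m.group("by"),
    }


def analyze_chain(headers):
    """Return a list of Findings for a Received: chain (newest hop first)."""
    hops = [parse_hop(h) for h in headers]
    findings = []
    for i, hop in enumerate(hops):
        # A relay on the public Internet cannot have received this message
        # from an RFC 1918 address; such a line was written by the sender.
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_private:
            findings.append(Finding(
                i, "private-ip",
                f"{hop['by']} claims to have received from {hop['from']} "
                f"at private address {hop['ip']}"))
        # 'from unknown' means the receiving server found no reverse DNS for
        # the peer address, so the HELO name is merely the peer's own claim.
        if hop["from"].lower() == "unknown" and hop["helo"]:
            findings.append(Finding(
                i, "no-rdns",
                f"{hop['ip']} has no reverse DNS; the name {hop['helo']} "
                f"is only what the sender said in HELO"))
        # Each hop's sending host should be the host that wrote the next
        # (older) line. A break marks where the genuine trail ends and the
        # sender-forged lines begin.
        if i + 1 < len(hops):
            sender = (hop["helo"] or hop["from"]).lower()
            writer = hops[i + 1]["by"].lower()
            if sender != writer:
                findings.append(Finding(
                    i, "chain-break",
                    f"hop says it came from {sender}, but the next older "
                    f"line was written by {writer}"))
    return findings


if __name__ == "__main__":
    for f in analyze_chain(RECEIVED_HEADERS):
        print(f"hop {f.hop}: [{f.code}] {f.detail}")
```

Run against the message's own headers, it reports that the newest hop (210.19.150.132) had no reverse DNS, that the "AOL" relay in the second line sits at the private address 10.1.1.3, and that the second line's sender (rly-ip02.mail.aol.com) is not the host that wrote the third line (rly-ip01.mx.aol.com). Everything below the first hop is therefore the sender's invention, which is the basis for treating 210.19.150.132 as the true origin.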

While we're focusing on the message, notice that the PayPal link near the end of the message will not work, because it wasn't properly constructed. The initial <A> tag isn't closed properly, and there's nothing (no text or picture) inside the anchor that you could click on. The folks at Impro must have wondered why those contributions didn't pour in. Evidently, they don't know how to build a proper web page, which makes me further doubt their credentials as spam experts.
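To make the three defects concrete, here is an added Python check (my code, not the page's) that examines an anchor fragment for exactly the problems named above: a start tag never terminated by `>`, an unquoted href that ends at the first whitespace and so loses the rest of the URL, and an anchor with nothing inside it to click on. The broken input is copied from the message; the corrected form beside it is constructed to show what a working link would have looked like.

```python
import re

# Constructed sample input: the PayPal anchor exactly as it appears in the
# message above (href unquoted and split across a line, no '>' on the start
# tag, nothing between the tags).
BROKEN_ANCHOR = (
    "<A href=https://www.paypal.com/xclick/business=EMIcorp2002%40\n"
    "yahoo.com&item_name=Info+you+requested&item_number=001\n"
    "\n"
    "</A>"
)

# Constructed: the same link written so that a browser can render it.
FIXED_ANCHOR = (
    '<A href="https://www.paypal.com/xclick/business=EMIcorp2002%40yahoo.com'
    '&item_name=Info+you+requested&item_number=001">Donate via PayPal</A>'
)

# href value: double-quoted, single-quoted, or unquoted (ends at whitespace)
HREF_RE = re.compile(r"""href\s*=\s*("[^"]*"|'[^']*'|[^\s>]*)""", re.I)


def check_anchor(fragment):
    """Return a list of (code, detail) problems that would stop a browser
    from rendering `fragment` as a usable link; empty list means it is fine."""
    problems = []
    start = re.search(r"<a\b", fragment, re.I)
    end = re.search(r"</a\s*>", fragment, re.I)
    if not start or not end or end.start() < start.end():
        return [("no-anchor", "no <A> ... </A> pair found")]
    inner = fragment[start.end():end.start()]

    # The start tag must be terminated by '>' before the end tag appears;
    # otherwise the browser swallows everything up to the next '>' as
    # attributes and the link has no body at all.
    gt = inner.find(">")
    if gt == -1:
        problems.append(("unclosed-start-tag",
                         "no '>' terminates the <A> tag before </A>"))
        attrs, body = inner, ""
    else:
        attrs, body = inner[:gt], inner[gt + 1:]

    href = HREF_RE.search(attrs)
    if not href:
        problems.append(("no-href", "anchor has no href attribute"))
    else:
        value = href.group(1)
        rest = attrs[href.end():]
        # An unquoted href ends at the first whitespace; anything after it
        # that still looks like URL (contains '=' or '&') has been cut off.
        if not value.startswith(('"', "'")) and re.search(r"[=&]", rest):
            problems.append(("truncated-href",
                             f"unquoted href stops at {value!r}; "
                             f"lost: {rest.strip()!r}"))

    if not body.strip():
        problems.append(("empty-anchor",
                         "no text or image inside the anchor to click on"))
    return problems


if __name__ == "__main__":
    for label, html in (("broken", BROKEN_ANCHOR), ("fixed", FIXED_ANCHOR)):
        print(label, check_anchor(html) or "OK")
```

The broken fragment trips all three checks; the corrected one passes because the href is quoted (so the `&item_name=...` parameters survive), the tag is closed, and there is link text to click.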

The bottom line

Our White Hat spammer is just that — a spammer. He's forged his message header and transmitted the message from an offshore relay host. He's asking payment in advance for goods that are not completely described and that may be available elsewhere for free. Furthermore, and more fundamentally, he's violated rule #2.


(c) 2003-2006, Richard C. Conner


Updated: Sat, 06 May 2006