News items for tag spam - Koos van den Hout

2016-04-29 Virus mail overstressing the mime parser 2 years ago
This does not work as planned in mutt:
Subject: hi prnt
Content-Type: multipart/mixed; boundary=31BE31246BD934D65C63831D7238

Content-Type: multipart/alternative; boundary=31BE31246BD934D65C63831D7238

Content-Type: text/plain; charset=UTF-8

Content-Type: text/html; charset=UTF-8

<div dir="ltr"><br></div>

Content-Type: application/zip; name=""
Content-Disposition: attachment; filename=""
Content-Transfer-Encoding: base64
X-Attachment-Id: f_519392564

Shows as
  I     1                      [text/plain, 7bit, us-ascii, 0K]
  I     2                       [text/plain, 7bit, utf-8, 0.1K]
  I     3                        [text/html, 7bit, utf-8, 0.1K]
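The sample above declares the same boundary string for the outer multipart/mixed and the nested multipart/alternative, which RFC 2046 says nested multiparts must not do, and it gives the zip attachment an empty filename. The following is an added example, not code from the original post: a small Python check a mail filter could run for both traits. The delimiter lines in the sample are constructed, since the post shows only the headers, and the function and finding names are assumptions.

```python
import re

MULTIPART_RE = re.compile(
    r'^content-type:\s*multipart/[\w.+-]+\s*;.*?\bboundary="?([^";\s]+)"?', re.I)
EMPTY_NAME_RE = re.compile(r'^content-(type|disposition):.*\b(file)?name=""', re.I)

def unfold(lines):
    """Join folded header continuation lines (they start with space or tab)."""
    out = []
    for line in lines:
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def audit_mime(raw):
    """Return (finding, detail) tuples for a raw message; names are this example's own."""
    findings, declared = [], []
    block, in_headers = [], True
    for line in raw.splitlines() + [""]:
        if in_headers:
            if line.strip():
                block.append(line)
                continue
            for hdr in unfold(block):          # blank line: header block ended
                m = MULTIPART_RE.match(hdr)
                if m:
                    if m.group(1) in declared:
                        findings.append(("reused-boundary", m.group(1)))
                    declared.append(m.group(1))
                if EMPTY_NAME_RE.match(hdr):
                    findings.append(("empty-filename", hdr.split(":")[0].lower()))
            block, in_headers = [], False
        elif any(line.rstrip() == "--" + b for b in declared):
            in_headers = True                  # delimiter: a part's headers follow
    return findings

B = "31BE31246BD934D65C63831D7238"  # boundary value shown in the post
# Constructed sample: the post's headers, with delimiter lines filled in (assumed)
SAMPLE = "\n".join([
    "Subject: hi prnt", f"Content-Type: multipart/mixed; boundary={B}", "",
    f"--{B}", f"Content-Type: multipart/alternative; boundary={B}", "",
    f"--{B}", "Content-Type: text/plain; charset=UTF-8", "",
    f"--{B}", "Content-Type: text/html; charset=UTF-8", "",
    '<div dir="ltr"><br></div>', "",
    f"--{B}", 'Content-Type: application/zip; name=""',
    'Content-Disposition: attachment; filename=""', "", f"--{B}--",
])
```

Calling audit_mime(SAMPLE) reports the reused boundary once and the empty name on both the Content-Type and Content-Disposition headers of the zip part.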

2016-03-14 High numbers of e-mails trying to infect systems 2 years ago
The attempts to infect systems via malicious javascript in e-mail are quite high at the moment, all trying to fake some urgency to make me open it without checking. Some recent samples:
Your credit card has been billed for $187,11. For the details about this transaction, please see the ID: 12824622-12824622 transaction report attached.

NOTE: This is the automatically generated message. Please, do not reply.
Archive:  /tmp/
  Length      Date    Time    Name
---------  ---------- -----   ----
     4055  2016-03-14 13:44   finance_LutQLF.js
---------                     -------
2016-01-27 Virus mail on the rise 2 years ago
Over the last weeks the virus mail trying to make me open Word/Excel files with macro viruses has been on a serious rise. Mostly attached (so mail virus scanners seem to be losing again) and sometimes trying to make me download the file from some website. Abusing names of well-established companies.

The most devious type I saw was trying to convince the receiver he/she had damaged a car and had to pay up soon or police would be involved, find the pictures (with .jpg.exe names) at this link.

Any document sent to you unsolicited is suspect.

And from the stupid e-mail disclaimer copied from the 'innocent' company:
E-mail may be susceptible to data corruption, interception, unauthorised amendment, viruses and unforeseen delays, and we do not accept liability for any such data corruption, interception, unauthorised amendment, viruses and delays or the consequences thereof. Accordingly, this e-mail and any attachments are opened at your own risk.
As if they had seen this coming! And they should learn about digital signatures.

2016-01-26 Spam for a Belgian again 2 years ago
This time spam for a Belgian from: Earlier, earlier, earlier.

2015-12-16 Suspect 'invoice' mail showing an interesting error 3 years ago
The flood keeps coming, this time with an interesting error:
Dear Customer,

Our records show that your account has a debt of $295.{rand(10,99)}}. Previous
attempts of collecting this sum have failed.

Down below you can find an attached file with the information on your case.

[-- Attachment #2: --]
I guess the spammer had a bit of a problem with the spamming macro language!

The .zip file contains
  Length      Date    Time    Name
---------  ---------- -----   ----
    22333  2015-12-16 20:27   invoice_GeL0XY.js
---------                     -------
    22333                     1 file
Which is a really obfuscated javascript.

2015-12-16 Suspect 'invoice' mails keep coming 3 years ago
It is a whole flood of suspect mails this week, mostly trying to be an invoice or sometimes order confirmation. Containing .xls files, .doc files, or javascript or java applet.

I don't have the environment to research these completely but I expect them all to contain some form of malware aimed at the Windows operating system.

2015-12-14 Next suspect mail flood: "Invoice 14 12 15" from "Thunderbolds Limited" 3 years ago
And the next flood of suspect e-mail messages:

This message contains 2 pages in PDF format.

[-- Attachment #2: fax00163721.xls --]
[-- Type: application/, Encoding: base64, Size: 105K --]

[-- application/ is unsupported (use 'v' to view this part) --]
Probably more malware droppers. It seems some botnets are in great need for new systems to abuse.

2015-12-14 Suspect mails "FW: Scan from a Samsung MFP" 3 years ago
Multiple e-mail messages the last hour or so with:
-----Original Message-----

Please open the attached document. It was scanned and sent to you using a
Samsung MFP. For more information on Samsung products and solutions, please

This message has been scanned for malware by Websense.

[-- Attachment #2: Untitled_14102015_154510.doc --]
[-- Type: application/msword, Encoding: base64, Size: 123K --]

[-- application/msword is unsupported (use 'v' to view this part) --]
I don't have the means to research the .doc file completely but when I get unsolicited office files it can only be malware.

Update: I'm not the first to notice this: New Word malware: FW: Scan from a Samsung MFP - mxlab who researched the file and indeed found malware.

2015-12-02 Geluksrelatie spam 3 years ago
Suddenly there is a notable riser in the spam that catches my attention: spam sent as if you had sought contact with a single lady in some other way and it would be handy to continue the contact via that site. The logic that this lady can reach the recipient directly but would still have to work via that site escapes me a bit. Example:
Thanks for your reply, I am rather late in responding but that is because I have been very busy lately. That is why I am now trying to reach you with this mail. Since I received an enormous number of replies to my ad I decided to sign myself up [1]here. Apart from the fact that you can get in contact with me there are [2]many more people looking for a serious relationship, because we all just want to be happy, don't we? I could tell a whole story but if you are really serious and you want contact then you know how to reach me.
Notably, few complaints about this can be found, just one via trustpilot as a negative review of

2015-12-01 Malware linked to recent Brussels lockdown 3 years ago
It must take a special kind of evil to try to spread malware under the guise of information about the recent Brussels lockdown. From the e-mail message:
Federale Politie
Commissariat de Police
Directorate of the special units (DSU)
We kregen een terreuralarm met betrekking tot uw zakelijke omgeving.
Worden geadviseerd om de beschermende maatregelen (SECURITY TIPS) als gehecht aan jezelf, je bedrijf volgen en uw gezin beveiligd
Nous avons eu une alerte terroriste concernant votre secteur d'activité.
Être conseillé de suivre les mesures de protection (Conseils de sécurité) tels qu'ils sont joints pour vous garder, votre entreprise et votre famille fixée
Best regards,
Catherine De Bolle,
General Commissioner
Commissariat de Police
Rue du College 1,
1050 Brussel, Belgium
P: 032 2 515 71 86
E: commisioner(a)
With some shady files attached. Scanning them with virustotal gives that the .zip file contains the Java/Adwind malware.
2015-10-12 The GAP: clothingstore and megaspammer 3 years ago
Someone entered an e-mail address that ends up with me in the spamlist of The GAP. The GAP sends out one or two marketing spam mails per day so this gets irritating quite fast. No verification whether the e-mail address was the right one or interested in these messages.

It seems The GAP does this via exacttarget, where the Exacttarget anti-spam policy says:
You should only receive email from our system from some client of ours that you recognize signing up to receive email from. Our clients certify that all email addresses used in our system are opt-in names that have given permission to the client to send them email.
So I also notified exacttarget.

2015-10-12 Spamcop gets misled by google redirects 3 years ago
For a while I've been seeing output like this from the spamcop parser:
Resolving link obfuscation
Removing google re-director:
chopping username "" from URL: http://usg=AFQjCNGsbJ19ztGW0DPjE3HCshzN0jWOdg
Tracking link: http://usg/=AFQjCNGsbJ19ztGW0DPjE3HCshzN0jWOdg
No recent reports, no history available
usg is not a hostname
usg is not a routeable IP address
Cannot resolve http://usg/=AFQjCNGsbJ19ztGW0DPjE3HCshzN0jWOdg
There is an obvious error in the parsing, and this has been going on for a while. With a browser I do get redirected to as expected. The domain registration was updated today (always a bad sign) but it does not seem to be working at the moment.

2015-10-01 More misdirected mail for wi-fi use 3 years ago
Right from the inbox, two mails with:
The e-mail address (koos was recently registered for a WiFi Plus account at Tim Hortons. In order to complete the registration process and fully activate your account, please click the link below: Activate my account. Account verification is mandatory. Completing the registration will also remove the restriction on your account. If you are unable to click the above link, copy and paste the following link into your web browser address bar:
I'm not going to visit the verification link, that will probably get me some spam. As it is, this is reasonable: nothing unless I verify that the e-mail address is valid for this purpose.

2015-09-11 More spam for a Belgian 3 years ago
More than 3 years later there is again a remarkable rise over the last weeks in spam that thinks I am a company in Belgium. The same company name and e-mail address that I saw earlier in spam caused by address lists from Email-Packs.

Recent companies that make the mistake of buying these fraudulent and worthless lists and using them to illegally approach people:

2015-08-28 One huge Joe-Job for Best Movers Toronto 3 years ago
Over the last two weeks I received an enormous amount of spam advertising Best Movers Toronto. Hundreds of messages. Absolutely no use to me and a really bad way of advertising.

Some searching gave me the idea someone else is trying to destroy the reputation of Best Movers Toronto. Reports about the moving market around Toronto suggest scams happen regularly and competition is strong, so maybe some of the scammers got annoyed.

From earlier targeted spam it is clear one of my mail addresses is flagged as 'will report spam' with some spammers, so I get targeted in these attempts to destroy the reputation of others.
2015-05-24 Easy tracking of spam/phishing 3 years ago
I just received a PayPal phish on an account I generated to access but never managed to order something, so I guess they had a data breach.

2015-03-23 Unexpected facilities at CPAN 3 years ago
From the spambox:
How are you doing today, I am miracle 24 yearls old girl, i saw your profile today at googlesearch - i like it, then i decided to contact you for going into deep rellastionship between me and you
I know CPAN is a lot, but I never saw it as a dating site.

2014-12-19 (#) 4 years ago
I think Univé should hire a better spammer e-mail marketing company. From the text version of the latest newsletter:
Subject: Your chance to win the newest book by Jamie Oliver.

                      U  N  I  V  É


  You have received a message from ASN Bank.
  Because your system does not automatically open the HTML version,
  you cannot view the complete e-mail. We gladly refer
  you to our website to read about our new
  website on sustainable investing.

2014-12-10 (#) 4 years ago
Some bad spam translations become very funny in their own right:
Ik schrijf u thismessage met tranen en verdriet en ik weet dat deze massage zal u verrassen

2014-12-05 (#) 4 years ago
Lots of spam the last few days for Since is a website where stolen credit card information is traded where you have to pay to get in I don't think they really want to advertise themselves. So this is probably a joe-job. Which won't work much since is hiding behind cloudflare.
