gothwalk: (Default)
gothwalk ([personal profile] gothwalk) wrote2004-01-12 10:05 am

Spam spam spam spammity spam

Sometimes, I really can't work out what spammers are after. A list I'm on was vigourously bombarded - about 50 copies got through before an admin got on the case - with a listing of reg codes for Microsoft stuff, up to and including a beta build of Longhorn. I can see why someone might send a single copy, but not 50. And there's no benefit in sight.

And there's a very well written one in this morning to Swiftpay from "Elizabeth Richson", saying that she writes for a website, has linked to us, and would we be interested in linking back to her? Apparently she found us by searching for a given search term, which is one that you'd reasonably find Swiftpay on. If it wasn't for the slightly klunky line of "My site is all about Finance - Misc too", I wouldn't even have glanced at the headers. But it turns out to be from a non-existent domain, and in something mildly mindboggling, googling for that name gives a total of two results, neither connected in any way to finance sites. So a mail asking for a link to a site which doesn't seem to exist, from an email address that can't be replied to, which was generated by a clever program tripped up only by the fact that the category the site is listed under didn't fit as a natural language noun. Why? How can anyone possibly profit by sending this?

[identity profile] valkyriekaren.livejournal.com 2004-01-12 02:11 am (UTC)(link)
Were there any attachments on the email? Could have been a virus thing?

[identity profile] kehoea.livejournal.com 2004-01-12 03:24 am (UTC)(link)

Jerry suggested something diabolical when I commented that I was receiving spam that didn't function as spam; it'll break Bayesian filters. As people click the "this-is-spam" button, the spam filter will start accepting stuff with no commercial motivation as spam, breaking email even more. (Of course, if I had any sense, I wouldn't propagate this meme any more.)

Within the last week, my old TCD class exchanged seven or eight emails, and two or three of them hit my spam folder. This is _much_ higher than the normal false positive rate for me; I can't imagine how annoying it would be for someone with a well-distributed address who had to deal with non-net-heads on a regular basis :-(

talking about spam ...

[identity profile] graylion.livejournal.com 2004-01-12 04:49 am (UTC)(link)
this gave me a slight shock:

Nigerian 419

Re: talking about spam ...

[identity profile] silja.livejournal.com 2004-01-12 06:04 am (UTC)(link)
I get those all the time!
Though usually, they are from the widow of a dictator/oil explorer/diamon miner, who wants me to help.

Or, lately (no idea why), I get a lot of spam similar to the above, except addressed to me as a cleric, from a African person who has found G_d and wishes to give me a certain amount of money for my ministry, but they need 1000 dollars or similar amount first to release the account. Lol- sometimes, they even say "your congregation need not know...."

Re: talking about spam ...

[identity profile] valkyriekaren.livejournal.com 2004-01-12 06:15 am (UTC)(link)
There are some very sinister ones of those going about which seem to target young women. They purport to be from a young West African man who wants to start a romantic relationship. And, wouldn't you just know it, his dad turns out to be the former Foreign Minister of Nigeria, or he needs an operation, or he wants you to send him the airfare so he can come over and woo you... horrible, insidious little emails playing on people's prejudices and insecurities.

(Anonymous) 2004-01-13 08:25 am (UTC)(link)
I got a similar message from the same person/domain for me it was aimed at in car lcd panels. Thought I'd check before I sent a reply and as you say the domain doesn't exist, then did a search for the name and found this posting which confirmed my fears. Well done chaps.

Elizabeth Richson

(Anonymous) 2004-01-16 11:25 am (UTC)(link)
Welcome to the club! Got the same kind of spam from Ms. "Richson" and found this page via Google. The domain elizabethrichson.com is shown to exist, registered to someone in Ohio, but the IP address in the email header maps back to China apparently (per traceroute). And the last leg of the traceroute shows a different domain name, 'tracypage.com', so the same IP address is probably being used for different domain names. Perhaps Ms. Page will soon make an appearance in these same spams.

Re: Elizabeth Richson

(Anonymous) 2004-01-20 06:54 pm (UTC)(link)
Same nut tried go get me to allow reverse link at my site (www.aller-stead.com/martin, which is designed only for high school students). She said she was in the same line of work ... Electronics. What a load of crap.

Sounds like a nut to me.

martin aller-stead
toronto

Busy, busy girl.

[identity profile] petit-chou.livejournal.com 2004-01-16 11:36 am (UTC)(link)
I got hit, too! (I found you through Google -- you're Elizabeth Richson's number one fan!)

I cracked up because my site (a regular personal site with a focus on DIY tutorials and recipes) was noted as being "all about Business - Industrial Supplies, too." That Elizabeth! Such a smart cookie!

I got one two

(Anonymous) 2004-01-16 01:20 pm (UTC)(link)
Hi, im a webmaster from th UK and i got one of those Elizabeth Richson emails too, but as my site was a school site the email said it was related to education

Your Reference to a spam by Elizabeth Richson with no URL and no functional e-mail return address

(Anonymous) 2004-01-17 12:15 am (UTC)(link)
I received a similar spam directed at my site. You are correct in assuming there can be little purpose for such a communication.

I believe an anti-spam software provider deliberately spams people with enormous amounts of garbage before conveniently offering to provide a solution. The solution will not work, of course, but the "anti-spammer" makes a profit. In fact the "anti-spammer" is the actual "spammer."

Just a thought. God Bless. Michael W. Neely, Editor - The AV Hub (http://www.avhub.net)(mwneely@dslextreme.com)

I am also puzzled

(Anonymous) 2004-01-23 11:04 am (UTC)(link)
Your final remarks, "Why? How can anyone possibly profit by sending this?" sum up my feelings exactly. I started a response to the email, explaining that my site was NOT about exclusively about "Home / Garden" but then I decided to poke a bit and see what her site was (I actually DO run a site that distributes articles and at least a couple have been home and garden themed, so 'her' email was not entirely off base). Now I'm just confused.

Most pointless spam ever.

- Tiffany
tconroy AT ccna DOT ca

(Anonymous) 2004-01-31 02:42 am (UTC)(link)
I also received the same email, which did relate to my website. I did a bit of digging and found out who it is and have reported them.

The following information may be of interest:

Neotrace information

Domain Name: ELIZABETHRICHSON.COM
Registrar: TUCOWS, INC.
Whois Server: whois.opensrs.net
Referral URL: http://www.opensrs.org
Name Server: NS1.INTERCOM.COM.CN
Name Server: NS.INTERCOM.COM.CN
Status: ACTIVE
Updated Date: 18-dec-2003
Creation Date: 18-dec-2003
Expiration Date: 18-dec-2004

Whois info for, elizabethrichson.com:
Registrant:
apple
2198 Apple dr.
Columbus, OH 43212
US

Domain name: ELIZABETHRICHSON.COM

Administrative Contact:
Johnson, Muliya billrichson@yahoo.com
2198 Apple dr.
Columbus, OH 43212
US
410-678-8768
Technical Contact:
Customer Service, EV1 Servers domains@ev1servers.net
2600 SW Freeway
Suite 500
Houston, Texas 77098
US
+1.7133337873 Fax: +1.7139429332



Registration Service Provider:
Everyones Internet, domains@ev1servers.net
http://www.ev1servers.net



Registrar of Record: TUCOWS, INC.
Record last updated on 18-Dec-2003.
Record expires on 18-Dec-2004.
Record created on 18-Dec-2003.

Domain servers in listed order:
NS.INTERCOM.COM.CN
NS1.INTERCOM.COM.CN

Re:

(Anonymous) 2004-02-02 10:11 am (UTC)(link)
i got the same message

my guess is that it's some automatic program that's trawled sites for email addressess written somewhere on them and is spamming just to provoke a response - once you reply and therefore let them know the email address is active you will get put on another spam list for the usual porn/viagra stuff.

Re: Reporting Elizabeth Richson

(Anonymous) 2004-02-15 07:39 pm (UTC)(link)
You mention that you reported this. To whom did you report this?

Re: Elizabeth Richson

(Anonymous) 2004-02-18 05:11 pm (UTC)(link)
I too have received the same email........Tryed to plug in her info to no avail. Also look out for SARAH@SARAHPAGE.COM
this too has the following email and is registered to TUCOWS,INC.


<<I'm a web master, and I was just searching Google for iron baby bed. I found your domain, bunintheoven.biz ranked 30, which is pretty cool. My site is all about Home / Garden, too . Maybe we should link up? I wouldn't be stealing any of your sales, because all I do is write informational articles...not selling anything on my site at all. And most of my visitors write back to say that they love the fact that I only write good, quality info. As a matter of fact, I've got a pretty loyal following of people that come back over and over again (they use the site as a reference), so if you link to me, you should get some pretty good traffic from it -- which is always nice. Anyway, let me know if you'd like to swap links. I've already linked to you, and will keep it up there for a few days until I hear back. Hope to hear from you soon! Elizabeth Richson RAC IM: 503779. << Her domain names are registered to WWW.TUCOWS.COM

I received the same

(Anonymous) 2004-02-02 08:39 pm (UTC)(link)
Yes, count me as one of the baffled recipients of the email from Elizabeth Richson.

Amazingly the email was correct in verifying my site has having to do with Java Programming - also Elizabeth Richson also mention that she would like to exchange links with me as her site is about "computers - software" too.

What's the deal with this?

And there were no links on the email - so who ever who sent the email would not know if I opened the email.

And since the email return path was wrong - elizabeth richson would not recieved bounce emails.

Very puzzling

Re: I received the same

(Anonymous) 2004-02-03 06:00 am (UTC)(link)
Hello all… I’M Clive Webmaster for the writer’s voice where we have 6,500 files of stories and Poems all text files, so it is not unlikely to be found by the search engines because we have 120 mg of text. Our site sells nothing and was found by Elizabeth Richson looking for terrycloth -- not going to find it on my site. This must be a verification to find out what primary addresses are, from what are used on the website. I receive 500 to 600 e-mails a day and causes me real grief because I have to check to see if it is a submission coming in under a different mail address.

When anyone wants to link me from their site I want to see what and who they are and if I wish to be associated with them or their site. The http://www.writers-voice.com is a family orientated type-site and I protect it.

I have also received spam to the web-mail forms I have placed on my site to handle poem and story submissions. The one below I got many times a day causing me real time loss from working my site.
----------------------------------------------------------------
Title: spaininpain@aol.com
To: spaininpain@aol.com
From: spaininpain@aol.com
Subject: pc(3D1B0737,Title)2yoa
jsa

I think as long as large drug manufacturers are allowed to sell to people that will use this type of sales and marketing we will never be rid of it.

Clive
Webmaster
The Writers Voice

Possible motive?

(Anonymous) 2004-02-04 12:42 pm (UTC)(link)
I did a nslookup on the originating IP and saw that the IP also hosts a domain called echeckservice.com

Possibly, they're getting ready to start collection bank account information?

They seem to have some kind of automated address harvesting bot, they sent the message to all of the addresses on my "contacts" page.

Re: Possible motive?

(Anonymous) 2004-02-05 06:48 am (UTC)(link)
I'm one of you guys. Madame Elizabeth hits me too this morning.
I can't figure out what's behind this spam.

Interesting...

[identity profile] palp.livejournal.com 2004-02-09 02:00 pm (UTC)(link)
I got hit by this as well, this afternoon. The email stated that my site was ranked #32 in Google for 'bad breath picture', which it certainly is not. It's also not in the Health - Beauty category as claimed. The interesting thing, however, is that the email was sent primarily to our donations email address, and was cc'd to me and the other admin on the site. Either these addresses are being harvested by a person, or they have a very clever bot gathering them, because it seems it would otherwise be difficult for them to gather just those three addresses. And, as to the goal of this - I am also at a loss to explain it.

Re: Interesting...

[identity profile] palp.livejournal.com 2004-02-09 02:04 pm (UTC)(link)
The other thing which I forgot to mention, is the tag at the bottom of the email:

Elizabeth Richson
RAC IM: 431280.


I can't figure out what RAC IM refers to. However, that seems to be the only potentially valid contact method supplied with the email?

Elizabeth Richson

(Anonymous) 2004-02-18 07:39 pm (UTC)(link)
Hi I received an email and she wanted me to post this link on my site
Born (http://www.discountshoeguide.com/Born.html)
Has anyone gotten this?

Re: Elizabeth Richson

[identity profile] rossga9.livejournal.com 2004-02-19 03:27 pm (UTC)(link)
Hi everyone.
I got the Elizabeth richson spam yesterday as an email from Sarah at Sarahpage. It sounded quite genuine, as the facts were right. If this is a spam bot, it's incredibly sophisticated. I have a site offering rental accommodation in france, and "Sarah" said she'd found my site in google while looking for a rental cottage in the Loire valley. She presented herself as a travel writer, and asked for a return link.
As she gave no address to link to, I presumed that she was just a bit amateurish, so emailed back to ask for an address to check out before linking to it. this is what I got back:
startquote:
"Like I said before, I'm already linked to you. You can link to me here with this code: Holiday Valley
I added you into this directory of hand reviewed sites called High Index. I submit things to them as an editor, and got you up as a featured listing in the following category: http://www.highindex.com/Regional/Europe/France/Regions/Poitou-Charentes/Vienne/Travel_and_Tourism/Lodging/
You can click on that link if you want to check it out.
Thought you might like that. Anyway, I'll leave you up there for a few days until i hear from you. If i don't hear back, I will have to take the link down. Thanks again. I look forward to swapping links with you soon!"
endquote:
I followed up the links.
Holiday valley was a link to a site called
http://www.ellicottvillerentalguide.com/
which seems perfectly normal - it's quite genuine, and listed in Yahoo.
Presumably Sarah was not in the least bit responsible for the listing in highindex.com, which is also a real web index by the look of it.

Can anyone see where this one is going? Cos I don't. It's a pretty elaborate hoax, but seems pretty pointless. It can't be big time, cos otherwise there'd be more about it on the Web. It took me a long time to find this forum !! Our site does not handle money nor take payments, is protected by firewalls and spybots and almost all spam mail is filtered out by careful word lists.
There's more information about this puzzling spam on
http://www.fneeb.co.uk/news/archives/00000110.php
but no more clue as to what it's up to....

[identity profile] trinityc.livejournal.com 2004-02-20 02:45 am (UTC)(link)
Very strange. I had one to my work address this morning, claiming that 'my site' www.archives.org.uk came up 12th on Google for "sheep skin cleaning", and that her site deals with "Auto - Parts / Accessories" too. I was just preparing a gentle email explaining that it's not my site, my name's just on there because I'm one of the training officers for the Society of Archivists, and we probably come up on that search because some of the documents we deal with are written on parchment which is treated sheepskin...then I thought I'd check her out, discovered several links on Google including this one, and here I am!

Is this the most irrelevant example of this email?! Car accessories...archives...hmmmm! It's common for people not to know what we do, but the spambots have clearly been utterly baffled by this one! I've been falling about laughing all morning...
ext_34769: (Default)

Re:

[identity profile] gothwalk.livejournal.com 2004-02-20 02:52 am (UTC)(link)
My best theory so far is that it's a test of a viral marketing robot or script. It's evidently working pretty well, too.

[identity profile] trinityc.livejournal.com 2004-02-20 03:24 am (UTC)(link)
It does sound like it...it's certainly different! *is still highly amused by it all*

Heh.. looks like you're the best resource for ms Richson

(Anonymous) 2004-02-22 11:32 pm (UTC)(link)
Anyway, I got this one as well and it was interesting seeing everyones responses to this. From what I gather, this is what the spammer does:
1. EMails you with an effective social engineering marketing hook. There's no link to her site, and elizabethrichson.com doesn't allow web traffic (when I tried it).. So one would think it was a legit email by a user that just forgot to tell where she linked you at.
2. Richson emails you again later on, wondering why you didn't link her site (automated bot again). This time, however, she gives you a site to link back to...

I see this as doing two things. If there is a unique identifier in the link in the second email, then visiting that link will bump up the link ratio of that person. So score one for them. If you happen to link the site from your site, then google sees it as an "important link" and ups that site's PageRank. Another score for the spammer. If you link the site using a unique identifier, then anyone clicking on the link from your site will up the click ratio of the spammer again.. score 3.

This is something I've not encountered before, but sounds like a damned good marketing social engineering scheme.. But hey, now you know what's up (maybe, I could be entirely wrong since I've only gotten the initial email).

Tech
www.livingearthherbs.com

(Anonymous) 2004-03-09 04:41 pm (UTC)(link)
I've had the same emails and so it far it seems legit as Elizabeth Richson has added links on real sites: see email train below.
Are you guys paranoid or am I naiive??? We'll have to wait and see.


----- Original Message -----
From: "Elizabeth Richson" <elizabeth@elizabethrichson.com>
To: <webmaster@medicalcentre.net.au>
Sent: Wednesday, March 10, 2004 11:12 AM
Subject: RE: Re: medicalcentre.net.au ranked # 13 in Google for diabetes gestational ketones


> Hey -- it's Elizabeth. Thanks for the reply.
>
> Like I said before, I'm already linked to you. You can link to me here with this code: Ketones (http://www.lowcarbfoodauthority.com/ketones.html)
>
> I added you into this directory of hand reviewed sites called High Index. I submit things to them as an editor, and got you up as a featured listing in the following category: http://www.highindex.com/Health/Conditions_and_Diseases/Endocrine_Disorders/Pancreas/Diabetes/Nutrition/
>
> You can click on that link if you want to check it out.
>
> Thought you might like that. Anyway, I'll leave you up there for a few days until i hear from you. If i don't hear back, I will have to take the link down. Thanks again. I look forward to swapping links with you soon!
>
>
> Elizabeth
>
>
> -----Original Message-----
> From: webmaster@medicalcentre.net.au
> Sent: 9 Mar 2004 21:57:51 GMT
> To: elizabeth@elizabethrichson.com
> Subject: Re: medicalcentre.net.au ranked # 13 in Google for diabetes gestational ketones
>
> You haven't mentioned your site name or URL
>
> Paul O'Brien
>
>
> ----- Original Message -----
> From: "Elizabeth Richson" <elizabeth@elizabethrichson.com>
> To: <webmaster@medical-centre.com.au>
> Cc: <webmaster@medicalcentre.net.au>; <info@medicalcentre.net.au>
> Sent: Saturday, March 06, 2004 6:17 AM
> Subject: medicalcentre.net.au ranked # 13 in Google for diabetes gestational
> ketones
>
>
> > I'm a web master, and I was just searching Google for diabetes gestational
> ketones. I found your domain, medicalcentre.net.au ranked 13, which is
> pretty cool.
> >
> > My site is all about Health - Weight Loss, too . Maybe we should link up?
> I wouldn't be stealing any of your sales, because all I do is write
> informational articles...not selling anything on my site at all. And most of
> my visitors write back to say that they love the fact that I only write
> good, quality info. As a matter of fact, I've got a pretty loyal following
> of people that come back over and over again (they use the site as a
> reference), so if you link to me, you should get some pretty good traffic
> from it -- which is always nice.
> >
> > Anyway, let me know if you'd like to swap links. I've already linked to
> you, and will keep it up there for a few days until I hear back. Hope to
> hear from you soon!
> >
> > Elizabeth Richson
> > RAC IM: 769482.
> >
>

(Anonymous) 2004-03-11 05:10 am (UTC)(link)
Whoever they are, they sent me a similar email but it was from "Dora Casso" dora@doracasso.com - but a whois on that domain also points to billrichson@yahoo.com which is how I found this site.

I think it is a bit suspect too. Maybe they are putting together a "hand picked" index, but the methods don't give me any confidence.

Nor am I really "ranked # 8 in Google for zilog z80" :-)

Kean.