ScamCheck on Aisle 1!

Scammers and spammers — they’re everywhere!
Syskitty

I confess — I've been a White Hat scam hunter (translation: a systems administrator who uses their "mojo" to track down spammers and scammers) back in the day, which would be the mid-1990s. I lurked on a number of boards and learned some of the tricks of the trade from people who were a whole lot better than I was. And I learned some pretty amazing things (like: you really aren't as anonymous as you THINK you are on the Internet!)
In those days we tracked down the "$5.00 scam letter" (which occasionally rears its ugly head even now), among other scams and spams. We went up against people like Sanford Wallace, and for the real scumbags we sent letters to state attorneys general and Internet Service Providers. The spammer (or scammer) would get their Internet account canceled.


It's kind of a dying art these days, as the Internet has gotten a lot more complex. But it's not something I've totally forgotten. It disgusts me when I encounter people who think they should be given money simply for breathing, and I particularly despise scams and scammers who target the poor and the desperate. So part of this blog is dedicated to scams and spams, specifically the ones that land in my webmaster in-box in spite of the fact that blasting spam at a domain's webmaster address is a Really Stupid Tactic.
I don't go looking for them. They come looking for me. I think that makes them fair game.
But the thing is, I have the tools and skills to look them up and fire a letter off to the administrators of the server hosting the spammers (or report the server to a DNS blackhole list, after which most of the email it sends will be rejected by mail servers across the planet). Most folks don't, and a lot of folks fall for these scams, or click email links that infect their computers and steal their personal information.


So, suppose you get an email from "Medicare" in your in-box. Suppose you're wondering whether the thing is legit.

That's a darn good question. There are a few easy things you can do to check whether or not it's legit:

RULE #1 — IF YOU DIDN'T ASK THIS COMPANY TO CONTACT YOU, IT'S ALWAYS SPAM! That means: don't click, don't click that "unsubscribe" link either (it only confirms your address is live), send it straight to your spam (bulk mail) folder. Yes, even if it's from your favorite politician. Unless YOU gave them your email, this is a dangerous piece of email.

SCUMBEEZLE CHECK — Somewhere in your email options is a button or clicky-link that says "show full headers" (or "view full headers", or something else with "headers" in it). Google has a page of instructions on this.

You will get something mysterious. It looks something like this (I have gone in and changed the domain extensions (.org, .com, etc.) so they don't actually point to the real domains):


Oooh — looky here!

From Medicare Mon Jul  4 22:24:41 2011 <–Totally bogus name
X-Apparently-To: webmaster@mymail.cqm via 98.138.91.87; Mon, 04 Jul 2011 15:33:00 -0700
Return-Path: <info@kohengooma.ooo> <– Apparent culprit
X-YahooFilteredBulk: 64.33.98.8 <– This is the REAL culprit!
Received-SPF: softfail (transitioning domain of kohengooma.ooo does not designate 64.33.98.8 as permitted sender) <– some dastardly dog hijacked a domain name!
X-YMailISG: XalyYg8WLDtmlHDfMIDbrm.BM7AtJnWyPyCWjhQ8h.sdr1yH
Bv6nzIgiTHEqlVxz1fqfriM3OFcwumqBJJi1i3gRgkylEDojS9NAoqTMdbL3

(and about 15 more lines of code, deleted because we don’t want to stare at HexCodeGarbage)

X-Originating-IP: [64.33.98.8] <–___ That owlhoot!
Authentication-Results: mta1475.mail.mud.yahoo.coo  from=kohengooma.ooo;
domainkeys=pass (ok);  from=kohengooma.ooo; dkim=pass (ok) <– Note: DKIM passes, so kohengooma.ooo's own signing key was used. SPF softfail plus DKIM pass means the message was signed by that domain but sent through a host its SPF record doesn't cover.
Received: from 127.0.0.1  (EHLO plus10.host4u.nnn) (64.33.98.8) <–Where it's really from (this line was added by my own provider's mail server, so it's the one Received line I can trust)
by mta1475.mail.mud.yahoo.coo with SMTP; Mon, 04 Jul 2011 15:33:00 -0700
Received: from aqlo218.kohengooma.ooo ([173.255.5.218]) <– hijacked server (this and any Received lines below it arrived with the message and could have been forged by the sender)
by plus10.host4u.nnn (8.11.6/8.11.6) with ESMTP id p64MWxT01770
for <dave@friendsinbusiness.coo>; Mon, 4 Jul 2011 17:32:59 -0500 <– Invisible Dave has all the fun…
(blather-blah-code-deleted)
From: “Medicare” <info@kohengooma.ooo> <–No, I totally don’t believe that Medicare has suddenly started using kohengooma email.
Date: Mon, 4 Jul 2011 18:24:41 -0400
Mime-Version: 1.0
To: <dave@friendsinbusiness.coo> <–good ole’ Invisible Dave!
Message-ID: <3875372478112524401.13279382336a7315328617d7a72308c4.1130907882@aqlo218.kohengooma.ooo>
Subject: Learn More About Medicare Advantage Plans today.

If you click, you’re going to need a Medicare policy for your computer because there’s a virus or trojan waiting at the other end of that email!

HERE ARE THE MAIN POINTS TO LOOK FOR IN THE HEADERS

Header keys:

  • Received-SPF: "softfail" (or "fail") — the sender's domain does not list the sending IP as a permitted source. On its own this is a warning sign, not proof; a legitimate sender with a sloppy SPF record can softfail too, so weigh it with the other clues.
  • Mismatched display name and sending domain — "Medicare" mailing from info@kohengooma.ooo. Also compare the From: domain with the Return-Path: domain.
  • X-Originating-IP — the IP address the message actually arrived from, as recorded by your own provider. This is the address to look up and report.
  • EHLO hostname (in the top-most Received: line) not matching the domain the mail is supposed to come from. Only the Received: line written by your own provider's server is trustworthy; the lines below it came along with the message and can be forged.
  • Authentication-Results: dkim=pass does NOT make the mail legitimate. It only means the sending domain's own key signed it, which tells you who to report, not whether to trust the content.

There’s more to it than this, but that’s the “quick and dirty” about how you track down the telltale signs of spam scams when they end up in your mailbox.
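The checks in that list, run as a script instead of by eye. This is an added example and not code from the post; the first sample below is a constructed reconstruction of the header dump above (with the post's already-altered domain extensions, refolded so a parser accepts it), and the second is a constructed "clean" message for contrast. The `triage` function and the `same_org` subdomain check are my own names; the display-name check is a heuristic, not a standard.

```python
"""Header triage for the checks in the post: SPF result, originating IP,
EHLO host vs. From domain, display name vs. sending domain, and DKIM."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, adapted from the header dump in the post (with its
# already-altered domain extensions).  Not a real captured message.
SPAM_SAMPLE = """\
X-Apparently-To: webmaster@mymail.cqm via 98.138.91.87; Mon, 04 Jul 2011 15:33:00 -0700
Return-Path: <info@kohengooma.ooo>
X-YahooFilteredBulk: 64.33.98.8
Received-SPF: softfail (transitioning domain of kohengooma.ooo does not designate 64.33.98.8 as permitted sender)
X-Originating-IP: [64.33.98.8]
Authentication-Results: mta1475.mail.mud.yahoo.coo  from=kohengooma.ooo;
  domainkeys=pass (ok);  from=kohengooma.ooo; dkim=pass (ok)
Received: from 127.0.0.1  (EHLO plus10.host4u.nnn) (64.33.98.8)
  by mta1475.mail.mud.yahoo.coo with SMTP; Mon, 04 Jul 2011 15:33:00 -0700
Received: from aqlo218.kohengooma.ooo ([173.255.5.218])
  by plus10.host4u.nnn (8.11.6/8.11.6) with ESMTP id p64MWxT01770
  for <dave@friendsinbusiness.coo>; Mon, 4 Jul 2011 17:32:59 -0500
From: "Medicare" <info@kohengooma.ooo>
Date: Mon, 4 Jul 2011 18:24:41 -0400
To: <dave@friendsinbusiness.coo>
Subject: Learn More About Medicare Advantage Plans today.

(body omitted)
"""

# Constructed contrast case: a message whose checks all line up.
CLEAN_SAMPLE = """\
Return-Path: <newsletter@example.test>
Received-SPF: pass (domain of example.test designates 192.0.2.10 as permitted sender)
X-Originating-IP: [192.0.2.10]
Authentication-Results: mx.mymail.cqm; spf=pass; dkim=pass header.d=example.test
Received: from 127.0.0.1  (EHLO mail.example.test) (192.0.2.10)
  by mx.mymail.cqm with SMTP; Mon, 04 Jul 2011 15:40:00 -0700
From: "Example Newsletter" <newsletter@example.test>
To: <webmaster@mymail.cqm>
Subject: July newsletter

(body omitted)
"""

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def same_org(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def triage(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))

    # Received-SPF: the first word is the result (pass/softfail/fail/...).
    m = re.match(r"\s*(\w+)", msg.get("Received-SPF", ""))
    spf = m.group(1).lower() if m else "none"

    m = IPV4.search(msg.get("X-Originating-IP", ""))
    origin_ip = m.group(1) if m else None

    # Only the top-most Received header was written by *your* provider's MTA;
    # everything below it arrived with the message and could be forged.
    received = msg.get_all("Received") or []
    m = re.search(r"\(EHLO\s+([^\s)]+)\)", received[0]) if received else None
    ehlo = m.group(1) if m else None

    m = re.search(r"\bdkim=(\w+)", msg.get("Authentication-Results", ""))
    dkim = m.group(1).lower() if m else "none"

    findings = []
    if spf in ("softfail", "fail"):
        findings.append(f"SPF {spf}: {from_domain} does not list {origin_ip} as a permitted sender")
    if ehlo and not same_org(ehlo, from_domain):
        findings.append(f"EHLO host {ehlo} is not under the From domain {from_domain}")
    if rp_addr and domain_of(rp_addr) != from_domain:
        findings.append(f"Return-Path domain {domain_of(rp_addr)} differs from From domain {from_domain}")
    # Heuristic only: a brand-style display name with no word in the sending domain.
    words = [w for w in re.findall(r"[a-z0-9]+", name.lower()) if len(w) > 2]
    if words and not any(w in from_domain for w in words):
        findings.append(f"display name {name!r} has no relation to sending domain {from_domain}")
    if dkim == "pass" and spf in ("softfail", "fail"):
        findings.append(f"dkim=pass: {from_domain} itself signed this message, so whoever holds "
                        "its DKIM key sent it via a host its SPF record does not cover")

    return {"from_domain": from_domain, "spf": spf, "origin_ip": origin_ip,
            "ehlo": ehlo, "dkim": dkim, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("clean", CLEAN_SAMPLE)):
        result = triage(sample)
        print(f"[{label}] spf={result['spf']} ip={result['origin_ip']} "
              f"ehlo={result['ehlo']} dkim={result['dkim']}")
        for finding in result["findings"]:
            print("   -", finding)
```

Run it and the spam sample produces four findings (SPF softfail, EHLO mismatch, display name unrelated to the domain, and the DKIM-pass-with-SPF-softfail note), while the clean sample produces none. The "Received" handling is deliberate: it reads the EHLO only from the top-most Received line, the one your own provider wrote, because the lines below it are part of the message as the sender delivered it.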


3 Responses to “ScamCheck on Aisle 1!”

  • This is good. I am certain this will help me with what I’m doing. I am going to share this with my friends.

  • Hello, this is an excellent article. I found it on Bing and I love it very much. I agree with you; it helped me a lot in a decision, but I still have some questions about the last part. Can you explain it for me? I need your answer, and I will be back again!