Burobjorn on Tue, 13 Nov 2007 15:57:59 +0100 (CET)

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [Nettime-nl] Re: Melding over de radioactive besmetting van Amsterdam

Ruud H.G. van Tol wrote:
Marja Oosterman schreef:

Subject: Melding over de radioactive besmetting van Amsterdam
Flauwe grap of ernst??

Ernst! Het is namelijk beDoeld om je naar de in de tekst genoemde links te lokken. De betreffende webstek probeert Windows-PC's te besmetten.

<spam> Het is never nooit niet te vroeg om op Ubuntu over te stappen.

Het is inderdaad nep. Zie ook onderstaande stukje wat ik gisteren op mn blog publiceerde...

Weirdest spam ever…

I just got two spam messages both containing the same message. That’s not unusual, but the message of the emails was. I got curious and took a closer look…

No haiku spam , no penis enlargements(neah, not going to link this one. I had my share of aspiring but clearly illiterate porn actresses/actors), no vicodin , no russian dacha’s (yes, I really got these!) for sale nor am I asked to assist in transfering a large sum of money so that my Nigerian friend can safely leave the country with his fortune. None of these were present in the message used in the spam I received. There were also no attachments to the spam message which is odd. Nowadays spammers do anything to penetrate through spamfilters using images, pdf files and apparently even mp3 files to get their sleazy messages across. More often than not I get spam message with attachments. These ones however were just plain HTML messages.

What also sets these two messages apart is that they are in Dutch, which is also rare for me. Now the contents of message is just plain strange. It talks about the Dutch city Amsterdam having been contaimenated with radio-active radiation and it states that the government does not openly acknowledge this, but only in private. I like that last sentence. They’re willing to admit it, but only in private. For those able to read Dutch:

Op internet-forums is er een melding verschenen over een stevige explosie in een nederlandse Atoomcentrale in de buurt van Amsterdam.
De getuigen beweren dat die explosie op 4 november rond 15 uur plaatsvond. Een inwoonster van de stad belde haar familie op en vertelde
dat er in de stad de telefoonaamsluitingen worden uitgeschakeld, zodat de mensen niemand konden opbellen.
Zij beweert ook dat er inderdaad een explosie, zelfs een heel ernstige, op het Atoomsentrale plaatsvond en dat de radioactive wolk zich op
dit moment snel verplaatst.
De overheid bevestigt deze informatie niet officieel maar wel tijdens de prive gesprekken.
Toch plaatsen de inwoners op het internet fotos van de gevolgen van de explosie en diens slachtoffers.

In this message there is ony one link cloaked with another link, both are Geocities urls and both point to the same site. That seems odd. Why cloak a url when both are pointing to the same address? Why are both untrusted and non-popular websites instead of popular and ‘trusted’ websites as most spammer tend to do, so people are easily tricked in clicking the link? That doesn’t make any sense to me. The ip address used by the site ( is according to the whois database part of a Chinese ip range as you can see:

    inetnum: -
    netname: HOSTFRESH
    descr: HostFresh
    descr: Internet Service Provider
    country: HK
    admin-c: PL466-AP
    tech-c: PL466-AP
    mnt-by: APNIC-HM
    mnt-lower: MAINT-HK-HOSTFRESH
    mnt-routes: MAINT-HK-HOSTFRESH
    remarks: Please send Spam & Abuse report to
    remarks: abuse@hostfresh.com
    remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    remarks: This object can only be updated by APNIC hostmasters.
    remarks: To update this object, please contact APNIC
    remarks: hostmasters and include your organisation’s account
    remarks: name in the subject line.
    remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    changed: hm-changed@apnic.net 20060612
    changed: hm-changed@apnic.net 20060613
    changed: hm-changed@apnic.net 20061018
    source: APNIC

    person: Piu Lo
    nic-hdl: PL466-AP
    e-mail: ipadmin@hostfresh.com
    address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong
    phone: +852-35979788
    fax-no: +852-24522539
    country: HK
    changed: ipadmin@hostfresh.com 20071025
    source: APNIC

The accompanying webpage tries to trick you into downloading somekind of executable file (seems targeted at machines running Windows) called iPIX-install.exe I tried to install it (don’t try this at home…), but get a 503 service unavailable message. According to this post on 22th of octobre from the German Chip security blog this piece of malware was not well-detected by most virus and/or mallware scanners at that time, so be careful!

This has to be the weirdest spam I had in ages. The whole message feels to me as a sort 21th century version of Orson Welles’ radioplay of H.G. Wells’ War of the Worlds . Instead of the radio, email is now the medium and stage. Instead of entertaining (or frighten…) people with sound, this message aims to ‘frighten’ (in a quite amateuristic way) people using somekind of conspiracy or sci-fi text while in the meantime infect as many machines as possible.

I wonder what kind of people create these annoying, horrible yet intruiging storytelling ‘artworks’ also known as spam?

ps: for the spam vigilantes among us, here are the original messages including headers (spam1.txt , spam2.txt) saved as plain text for your own private digital forensics fun. Enjoy! I already sent an abuse email, but feel free to do this as well.

link: http://www.burobjorn.nl/blog/?p=281


met vriendelijke groet,
Bjorn Wijers

* b u r o b j o r n .nl *
digitaal vakmanschap | digital craftsmanship

Concordiastraat 68-114
3551 EM Utrecht
The Netherlands

phone: +31 30 2444 101
* Verspreid via nettime-nl. Commercieel gebruik niet
* toegestaan zonder toestemming. <nettime-nl> is een
* open en ongemodereerde mailinglist over net-kritiek.
* Meer info, archief & anderstalige edities:
* http://www.nettime.org/.
* Contact: Menno Grootveld (rabotnik@xs4all.nl).