Identity Theft: 2003

Spammers routinely forge the From: line in their junk emails, causing the inevitable flood of bounces, auto-acknowledgements and complaints to land in some innocent third party's inbox. Like so many other domain names, obliquity.com is sometimes used in these forgeries.

August

Bounced messages started filling up the inbox of one of our UK academic email addresses this month. They were undeliverable Base64-encoded junk emails advertising assorted domains selling Internet Investigator, a widely "spamvertised" piece of software.

This spammer also attacked Unixhub.com.

In each of the examples listed below, the spam originated in the CHINANET Shanghai province network (61.169.0.0 - 61.173.255.255). The URLs of the advertised sites were slightly obfuscated but turned out to be various files at these sites:

At the time of this spam run (early August 2003), both brightsunshine.net and domeafavor.net resolved to IP address 61.173.42.236 (again, located in the CHINANET Shanghai province network) and were registered to Alex Yang of Shanghai.

Interestingly, the source code of the order form at these web sites contained the line <input type="hidden" name="reseller" value="alex">

It would seem that the reseller's identity is "alex" which is suspiciously similar to the name of the registrant of the advertised domains.

Sample Headers

Email addresses of innocent third parties have been deleted from these headers to preserve their privacy. (In actual fact, most of these email addresses no longer exist; hence the bounces.)

Example 1

             Received: from [deleted] ([61.171.255.241]) by 
                       mc9-f5.bay6.hotmail.com with Microsoft 
                       SMTPSVC(5.0.2195.5600); Thu, 7 Aug 2003 04:09:53 -0700
           Message-ID: <339a01c35cc4$f5729b20$dae9dcbc@pys>
             Reply-To: [our academic email address]
                 From: [our academic email address]
                   To: "a.kenney" [deleted]
                   Cc: [deleted],
                   Cc: [deleted],
                   Cc: [deleted],
                   Cc: [deleted],
                   Cc: [deleted],
                   Cc: [deleted]
              Subject: nnkyq nzsbnhbng Use this cmpany whenever you need info
                 Date: Thu, 07 Aug 2003 05:19:09 -0400
         MIME-Version: 1.0
         Content-Type: multipart/alternative;
                       boundary="----=_NextPart_F3D_E9EC_F84907B0.404C3806"
           X-Priority: 3
    X-MSMail-Priority: Normal
             X-Mailer: Microsoft Outlook Express 6.00.2462.0000
            X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000
          Return-Path: [our academic email address]
X-OriginalArrivalTime: 07 Aug 2003 11:09:56.0618 (UTC) 
                       FILETIME=[6F45E6A0:01C35CD4]

Example 2

             Received: from  simcoparts.com ([61.171.248.193]) by
                       rly-xh04.mx.aol.com (v95.1) with ESMTP id
                       MAILRELAYINXH45-4a13f3279e6139; Thu, 07 Aug 2003
                       12:10:19 -0400
           Message-ID: <147d01c35cfb$794c0e00$d5e7cd17@fptvul>
             Reply-To: [our academic email address]
                 From: [our academic email address]
                   To: "jonmalanga" [deleted]
                   Cc: [deleted], 
                   Cc: [deleted], 
                   Cc: [deleted], 
                   Cc: [deleted]
              Subject: txuojk gnjuzwebg Use these guys for all your data
                       collection
                 Date: Thu, 07 Aug 2003 21:49:23 +0600
         MIME-Version: 1.0
         Content-Type: multipart/alternative;
                       boundary="----=_NextPart_5A0_F6C6_EABE9B95.F9F0FE5D"
           X-Priority: 3
    X-MSMail-Priority: Normal
             X-Mailer: Microsoft Outlook Express 6.00.2462.0000
            X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000
             X-AOL-IP: 61.171.248.193
    X-AOL-SCOLL-SCORE: 0:XXX:XX
X-AOL-SCOLL-URL_COUNT: 0

Example 3

          Return-Path: [our academic email address]
             Received: from rly-xi01.mx.aol.com (rly-xi01.mail.aol.com
                       [172.20.116.6]) by rly-st01.mail.aol.com 
                       (8.8.8/8.8.8/AOL-5.0.0) with ESMTP id TAA02660; Thu,
                       7 Aug 2003 19:56:45 -0400 (EDT)
                 From: [our academic email address]
             Received: from  email.msn.com ([61.171.255.178]) by
                       rly-xi01.mx.aol.com (v95.1) with ESMTP id
                       MAILRELAYINXI13-4bd3f32e71e169; Thu, 07 Aug 2003 
                       19:56:22 -0400
           Message-ID: <b0f401c35d3f$151ada30$9631ded5@papjudgh>
             Reply-To: [our academic email address]
                   To: "klokan" [deleted]
                   Cc: [deleted],
                   Cc: [deleted],
                   Cc: [deleted],
                   Cc: [deleted],
                   Cc: [deleted]
              Subject: lvclmt xbwaycicr Want to know about the people you 
                       hire beforehand?
                 Date: Fri, 08 Aug 2003 02:53:21 +0300
         MIME-Version: 1.0
         Content-Type: multipart/alternative;
                       boundary="----=_NextPart_931_A1E0_F51E3A17.FCFDF7D9"
           X-Priority: 3
    X-MSMail-Priority: Normal
             X-Mailer: Microsoft Outlook Express 6.00.2600.0000
            X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
             X-AOL-IP: 61.171.255.178
    X-AOL-SCOLL-SCORE: 0:XXX:XX
X-AOL-SCOLL-URL_COUNT: 0
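The Received: chain is what ties these messages to CHINANET while From:, Reply-To: and Return-Path: all point at the forged academic address. As an added example (not from the original page), this Python reads a header block, picks out the hop at which the mail was handed to the receiving system, and checks it against the CHINANET Shanghai range quoted above; the sample headers are constructed from Example 3, with placeholder addresses standing in for the deleted ones.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on Example 3 above; deleted addresses replaced with placeholders.
SAMPLE = """\
Received: from rly-xi01.mx.aol.com (rly-xi01.mail.aol.com
          [172.20.116.6]) by rly-st01.mail.aol.com
          (8.8.8/8.8.8/AOL-5.0.0) with ESMTP id TAA02660; Thu,
          7 Aug 2003 19:56:45 -0400 (EDT)
From: victim@example.ac.uk
Received: from  email.msn.com ([61.171.255.178]) by
          rly-xi01.mx.aol.com (v95.1) with ESMTP id
          MAILRELAYINXI13-4bd3f32e71e169; Thu, 07 Aug 2003
          19:56:22 -0400
Reply-To: victim@example.ac.uk
"""

# CHINANET Shanghai range quoted on this page, expressed as CIDR blocks.
CHINANET_SHANGHAI = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("61.169.0.0"), ipaddress.ip_address("61.173.255.255")))

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw):
    """Bracketed IPs from every Received: line, most recent hop first (folding is handled by the email parser)."""
    msg = message_from_string(raw)
    ips = []
    for h in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(h)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips

def handoff_ip(raw):
    """First public IP reading down from the receiving MTA's own Received: line.
    Lines above it were written by servers we trust; anything below could be
    forged by the sender, so this is the last hop we can actually vouch for."""
    return next((ip for ip in received_ips(raw) if ip.is_global), None)

def in_chinanet_shanghai(ip):
    return any(ip in net for net in CHINANET_SHANGHAI)

def sender_report(raw):
    """Contrast the unauthenticated From:/Reply-To: with where the mail really came from."""
    msg = message_from_string(raw)
    ip = handoff_ip(raw)
    return {"claimed_from": msg["From"], "reply_to": msg["Reply-To"], "handoff_ip": str(ip),
            "chinanet_shanghai": ip is not None and in_chinanet_shanghai(ip)}
```

Nothing in SMTP verifies From: or Reply-To:, so the report's "claimed_from" is simply what the spammer typed; only "handoff_ip" is evidence.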

September (86 bounces)

Someone sent out junk emails advertising a web site at IP address 69.60.4.240 which resolved to MyPillsRx.com, a Florida-based online pharmacy. This spammer also attacked a number of other domains, including (but probably not restricted to) art101.com, jimmiespheeris.com, mrp3.com, porterfield.net, thrush.com, unicorn.com.us and whitis.com. Read more about it at Wired News.

At the time of this spam run, IP address 69.60.4.240 belonged to Internet America LLC which is associated with Boca Raton-based spammer Eddy Marin.

Forged address:       Random letters and numbers
Sample subject lines: Are you in pain?
                      Are you one of the millions that suffer from pain?
                      Do you suffer from pain?
                      Online prescriptions with free Fedex shipping
                      Want to relieve your pain?
Bounces:              86