Monday, March 02, 2009

An interesting spam and analysis

I recently noticed an interesting spam mail in my mailbox. Unlike other spam, this one had a different intent (read it to see): no product marketing, no wealth-transfer scheme, no phishing. The only purpose I can think of is to get in touch, build a friendship and then collect the necessary information. Anyway, here is the mail (as-is):

======================================================
Hello Dear,

how are you today I hope that every things is ok with you as it is my great pleassure to contact you in having communication with you starting from today, please i wish you will have the desire with me so that we can get to know each other better and see what happened in future.

I will be very happy if you can write me through this mail for easiest communication and to know all about each other, and also give you my pictures and details about me, i will be waiting to hear from you as i wish you all the best for your day.

your new friend.
Miss. Aminata.
======================================================

I was curious to figure out whether this might be a spam sent by one of my friends. I would have taken it forward and replied had I suspected any of my friends, but unfortunately it was not them. The mail's SMTP headers were as follows:

From Aminata Sankoh Thu Feb 26 15:47:48 2009
Return-Path:
Authentication-Results: mta209.mail.re4.yahoo.com from=yahoo.co.th; domainkeys=pass (ok); from=yahoo.co.th; dkim=neutral (no sig)
== strip little ==
Received: from [124.108.114.83] by t2.bullet.mail.sg1.yahoo.com with NNFMP; 27 Feb 2009 01:34:30 -0000
Received: from [127.0.0.1] by omp103.mail.sg1.yahoo.com with NNFMP; 27 Feb 2009 01:34:30 -0000
Received: (qmail 47623 invoked by uid 60001); 26 Feb 2009 23:47:48 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.co.th;
h=Received:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
b=6DW+LjgIGtkj1fBUv41AyHZOGKeVZljOv8/lXgJLCNujOTjsjqX+R3yacDOW9Q080JdDCUuW+yBnhwnbUEpBFmILXgS2JDP6H4lVIqtCcuZ9WOgVok/2lLLwQ3ZP585/JAanJUjrOGzEBoeo8biUWzqLKHqNht4rlW7Lks12pOw=;
Received: from [41.208.161.138] by web76716.mail.sg1.yahoo.com via HTTP; Fri, 27 Feb 2009 06:47:48 ICT
Date: Fri, 27 Feb 2009 06:47:48 +0700 (ICT)
From: Aminata Sankoh
Reply-To: amina_luv8@yahoo.com
Subject: Hello Dear
To: aminsankoh@yahoo.co.th
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1397759359-1235692068=:47230"
Content-Transfer-Encoding: 8bit
Message-ID: <445714.47230.qm@web76716.mail.sg1.yahoo.com>
Content-Length: 2417

== end-of-headers ==

There are a few interesting things to notice:
  • Server authentication through DomainKeys passed (domainkeys=pass in Authentication-Results, with d=yahoo.co.th in the signature, and the signed header list h= includes From, Reply-To and To). So this email really was submitted through Yahoo from the given yahoo.co.th account, and those headers were not altered in transit; that makes it easier to track further. Note that a pass only vouches for the account, not for the person behind it.
  • The originating IP address is 41.208.161.138, taken from the bottom-most Received: line ("from [41.208.161.138] by web76716.mail.sg1.yahoo.com via HTTP"), i.e. the address of the browser that submitted the mail through Yahoo webmail; the Received: lines above it are Yahoo's internal hops. A simple lookup places this address in Senegal, Africa. OK, that rules my friends out.
  • The email is addressed (To:) to the sender's own address, so the whole bunch of targeted people were probably put in BCC.
A few things which aren't clearly explained:
  • The relevant Yahoo web server (web76716.mail.sg1.yahoo.com) seems to be located in Singapore, possibly because the Yahoo mail domain was .co.th (I am not sure Yahoo has a separate server for Thailand; maybe it wasn't available when the account was created, never mind). Or maybe the user in Africa wanted to pretend to be in Thailand.
  • The Reply-To address points to a different mailbox in the yahoo.com domain. Maybe she/he sends mails from many different accounts and wants to easily catch hold of the bakaras who reply by diverting all replies to a single mailbox, so only one inbox needs to be checked for replies. Possible.
Obviously I chose not to reply. Just beware of such mails.
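The checks above can be automated. The following is an added example (not code from the original post) that parses the headers shown above with Python's standard email module and extracts the same indicators: the originating IP from the "via HTTP" Received: hop, the DomainKeys result together with the header list the signature covers, the Reply-To diversion, and the self-addressed To:. The From: address is not visible on the page; since the post states the mail was addressed to the sender's own address, the sample headers below assume <aminsankoh@yahoo.co.th> for From:. Everything else is transcribed from the headers above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers of the message analysed in the post, transcribed from it. The From:
# address is missing on the page; the post says the mail was sent to the
# sender's own address, so the same mailbox is assumed here (constructed input).
SAMPLE_HEADERS = """\
Authentication-Results: mta209.mail.re4.yahoo.com from=yahoo.co.th; domainkeys=pass (ok); from=yahoo.co.th; dkim=neutral (no sig)
Received: from [124.108.114.83] by t2.bullet.mail.sg1.yahoo.com with NNFMP; 27 Feb 2009 01:34:30 -0000
Received: from [127.0.0.1] by omp103.mail.sg1.yahoo.com with NNFMP; 27 Feb 2009 01:34:30 -0000
Received: (qmail 47623 invoked by uid 60001); 26 Feb 2009 23:47:48 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.co.th;
  h=Received:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
  b=6DW+LjgIGtkj1fBUv41AyHZOGKeVZljOv8/lXgJLCNujOTjsjqX+R3yacDOW9Q080JdDCUuW+yBnhwnbUEpBFmILXgS2JDP6H4lVIqtCcuZ9WOgVok/2lLLwQ3ZP585/JAanJUjrOGzEBoeo8biUWzqLKHqNht4rlW7Lks12pOw=;
Received: from [41.208.161.138] by web76716.mail.sg1.yahoo.com via HTTP; Fri, 27 Feb 2009 06:47:48 ICT
Date: Fri, 27 Feb 2009 06:47:48 +0700 (ICT)
From: Aminata Sankoh <aminsankoh@yahoo.co.th>
Reply-To: amina_luv8@yahoo.com
Subject: Hello Dear
To: aminsankoh@yahoo.co.th
Message-ID: <445714.47230.qm@web76716.mail.sg1.yahoo.com>

"""

# "from [ip] by host" clause of a Received: line
RECEIVED_FROM = re.compile(r"from\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\s+by\s+(\S+)")


def received_chain(raw):
    """Return (ip, receiving host, via_http) per Received: hop, oldest first.

    Every relay prepends its own Received: line, so the bottom-most one is
    the first hop; walking the headers in reverse gives delivery order.
    Lines without a 'from [ip] by host' clause (the qmail line) are skipped.
    """
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM.search(value)
        if m:
            hops.append((m.group(1), m.group(2), "via HTTP" in value))
    return hops


def originating_ip(raw):
    """Client address: the 'via HTTP' hop logged by the webmail front end
    (the browser's IP), otherwise the oldest hop in the chain."""
    hops = received_chain(raw)
    for ip, _host, via_http in hops:
        if via_http:
            return ip
    return hops[0][0] if hops else None


def auth_results(raw):
    """method -> result pairs from Authentication-Results, e.g. {'domainkeys': 'pass'}."""
    value = message_from_string(raw).get("Authentication-Results", "")
    return dict(re.findall(r"\b(domainkeys|dkim|spf|dmarc)=(\w+)", value))


def analyse(raw):
    """Collect the indicators discussed in the post as a dict of findings."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    recipients = [parseaddr(a)[1].lower() for a in msg.get_all("To", [])]
    sig = {k: v.strip() for k, v in
           re.findall(r"(\w+)=([^;]+)", msg.get("DomainKey-Signature", ""))}
    signed = [h.strip().lower() for h in sig.get("h", "").split(":")]
    sender_domain = sender.rsplit("@", 1)[-1]
    return {
        "originating_ip": originating_ip(raw),
        # a pass only means something if the signing domain is the From: domain
        "domainkeys_pass": auth_results(raw).get("domainkeys") == "pass"
                           and sig.get("d") == sender_domain,
        # Reply-To inside the signed header list: the diversion was set by
        # the sender's own mail system, not injected by a later relay
        "reply_to_signed": "reply-to" in signed,
        "reply_to_diverted": bool(reply_to) and reply_to != sender,
        # To: equal to the sender's own address: the real targets were Bcc'd
        "self_addressed": recipients == [sender],
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
    for ip, host, via_http in received_chain(SAMPLE_HEADERS):
        print(f"hop {ip} -> {host}{' (webmail submission)' if via_http else ''}")
```

Only the first hop is trustworthy for attribution: everything below the receiving provider's own servers was written by a system you do not control, so the IP to geolocate is the one the provider itself logged when the mail was submitted, which for webmail is the "via HTTP" line.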

5 comments:

  1. >>>> I was curious to just figure out if this is not a possible spam from any of my friends <<<<

    :-)))))))))))))))) rofl
  2. Hello Gerald!

    It's nice to find others who are "spam curious" :P and wondering what the motives for these things could possibly be. I applaud you for detailing the tools that someone wanting to research origins of messages can use. Definitely it's stuff to think about, technology is bringing so many challenges to authenticity...

    I wrote an essay on The Influence of Pervasive Filtering on Message Delivery which you may or not find interesting:

    http://realityhandbook.livejournal.com/80989.html

    My journal as a whole outlines some of my eerie dream-journeys which are very much like the Matrix. You seem to have some diverse interests in art/technology and even spam... so maybe you would find something worth reading in there!

    Regards,
    æ
  3. Your article is pretty interesting too. Especially, I must give it to you for writing such an article 3 years back!!!
  4. From: "Aminata Sankoh" <aminata3@att.net> (This sender is DomainKeys verified)

    Hello My Dearest,

    How are you? i hope all is well with you, i hope you may not know me, and i don't know who you are, My Name is Miss Aminata, i am just broswing now and i see your email address and it seems like some thing touches me all over my body, i started having some feelings in me which i have never experience in me before, so i became interested in you, l will also like to know you the more,and l want you to send me a email so that l can give you my picture for you to know whom l am.I believe we can move from here and see where nature will take us! I am waiting for your mail (Remeber the distance or colour does not matter but love and good caring matters alot in life).

    WITH LOVE ,
    MISS AMINATA.