CastleCops, Internet Crime Fighters
Editorials: Make lots of money within 45 days
Spackers
Merry Christmas. I got an email last night promising me I'd be making $3500 to $5500 monthly within 45 days. All I need to do is exactly as the email says, and I'll know exactly what I'm getting into, with no pre-enrollment stage fee. Signed, some guy named Robert Chin. Hey, I might be one of the lucky 200 people able to participate in this program, after they ask me some private confidential information like how much the family household income is, how many children we have, what our social security numbers are, right on down to how much hair I have on my pinky toe.

So let's take a look at this first snapshot, which shows the start of the email in Outlook Express:

[screenshot]

Some more snapshots:

[screenshot]

[screenshot]
Go ahead, fill in your contact information and click one of the "Interested" buttons, and your information gets sent to:

http://www.prequal.tutoreverything.com/optout/process.php

Press it without entering any data and you get back "Invalid email address entered", so some kind of backend filtering is going on in that script. Visit http://www.prequal.tutoreverything.com/ and it's "under construction".

When I first opened the message, OE of course warned me that a remote image was trying to display itself: http://www.veretekk.com/cgi-local/makelog.pl?Pre-qual==College=Page,http://www.prequal.tutoreverthing.com/email.html,ra=ngler1

Sure enough, this returns a GIF89a image. But who is Veretekk?
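That remote image is a tracking beacon: the GIF itself is worthless, but fetching it tells the sender's logging script (makelog.pl here) that this particular recipient opened the message, and the query string carries the campaign and recipient tag. The following is an added example, not code from this article, that pulls remote, parameterised image sources and form targets out of an HTML message so you can see where a mail phones home and where a form really submits to. The sample message is constructed here to resemble the one described (the image and form URLs follow the ones quoted above; the rest is made up), and the function names are my own.

```python
"""Pull tracking beacons and form targets out of an HTML email.

Added example, not code from the CastleCops article. The message below is
constructed to resemble the one described: a 1x1 remote GIF served by a
logging CGI whose query string identifies the campaign and recipient, plus a
form that POSTs the victim's details to a web script instead of replying by
mail. Function names are my own.
"""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not the real spam). The image and form URLs follow the
# ones quoted in the article; everything else is made up.
SAMPLE_EMAIL = """\
From: Robert Chin <robert@example.invalid>
To: victim@example.net
Subject: Make $3500 to $5500 monthly within 45 days
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>You could be one of the lucky 200 people in this program!</p>
<img src="http://www.veretekk.com/cgi-local/makelog.pl?Pre-qual==College=Page,http://www.prequal.tutoreverthing.com/email.html,ra=ngler1" width="1" height="1">
<img src="cid:banner.gif" alt="banner">
<form method="post" action="http://www.prequal.tutoreverything.com/optout/process.php">
  Email: <input name="email"> <input type="submit" value="Interested">
</form>
</body></html>
"""


class _TagCollector(HTMLParser):
    """Collect <img src> values and <form> targets while parsing."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.forms.append(((a.get("method") or "get").upper(), a["action"]))


def html_part(raw):
    """Decoded text/html body of a message, or '' if it has none."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def find_beacons(raw):
    """Return (beacons, forms).

    beacons: remote http(s) images that carry a query string. Those are the
    ones to worry about: the query is what lets the sender's CGI log that this
    particular recipient opened the mail. cid:/data: images are left alone.
    forms: (METHOD, action) pairs, to see where submitted data really goes.
    """
    collector = _TagCollector()
    collector.feed(html_part(raw))
    beacons = []
    for src in collector.images:
        u = urlsplit(src)
        if u.scheme in ("http", "https") and u.query:
            beacons.append({"host": u.netloc, "path": u.path, "query": u.query})
    return beacons, collector.forms


if __name__ == "__main__":
    beacons, forms = find_beacons(SAMPLE_EMAIL)
    for b in beacons:
        print("beacon:", b["host"], b["path"], "?", b["query"])
    for method, action in forms:
        print("form  :", method, action)
```

Run it on a saved .eml and anything that shows up as a beacon is a reason to keep remote images blocked in your mail client; the form list is the quick way to confirm, as the article does below, that "replying" goes to a web script rather than to a mailbox.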

Here is what they had to say right in the META tags: "Veretekk's unique lead service provides the most targeted and exclusively yours leads to help improve your marketing efforts, shorten your growth cycle and grow your business. Whether you are a small distributor or a Heavy Hitter, receive the most receptive rejection free prospects almost immediately when you subscribe. Now make a serious income with the new Veretekk Affiliate program."

There is a whole lot of JavaScript going on here: http://veretekk.com/code/menu.drop.js. But let's move on, as we're looking at this from a high level. The copyright on this page is owned by Inetekk.com and the images link there. They also bill themselves as "Inetekk affiliate leads and marketing technologies".

So if you reply by email, it doesn't actually go via email, right? It certainly can't, because the domain tutoreverthing.com has no MX record:

[screenshot]

That is precisely why the form has to HTTP POST to a web address instead. So how did this email get to me? A WHOIS query shows that both domains seen so far are owned by Inetekk. The email header tells me it came from host.sonnexh.com:

[screenshot]

So I check the IP of that system and it comes back on the SpamCop blacklist: http://www.spamcop.net/bl.shtml?69.16.200.238. More details are provided here: http://www.spamcop.net/w3m?action=blcheck&ip=69.16.200.238. Cause of blacklisting: SpamCop users have reported the system as a source of spam about 10 times in the past week. Historically, "In the past 54.5 days, it has been listed [on SpamCop] 7 times for a total of 8.4 days". There are of course other neighborhood hosts with spam reports:

Let's keep this in focus: that is the relaying IP. The source sender is an ADSL modem on the Pacbell network: adsl-69-235-176-173.dsl.irvnca.pacbell.net (IP: 69.235.176.173).
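The two IPs above come from walking the Received: chain from the top (the hop your own mail server wrote, which names the host that connected to it: the relay) down to the bottom (the oldest line, which names the claimed originating client). The following added example, not code from this article, does that walk and then builds the SpamCop DNSBL query the author ran by hand: reverse the octets and look up an A record under bl.spamcop.net, where an answer of 127.0.0.2 means "listed" and NXDOMAIN means "not listed". The headers are constructed to mirror the path described (the Pacbell DSL host handing the mail to host.sonnexh.com, which relays it on); the receiving server name mx.example.net, queue IDs and timestamps are placeholders, and the resolver is injectable so the block runs offline.

```python
"""Walk the Received: chain and build the SpamCop DNSBL lookup.

Added example, not code from the CastleCops article. The headers are
constructed to mirror the path the article describes (a Pacbell DSL host
handing the mail to host.sonnexh.com, which relays it on); queue IDs, dates
and the recipient's server name are placeholders. The DNSBL resolver is
injectable so the check runs offline.
"""
import re
import socket
from email import message_from_string

# Constructed sample headers (not the real message).
SAMPLE_HEADERS = """\
Received: from host.sonnexh.com (host.sonnexh.com [69.16.200.238])
\tby mx.example.net (Postfix) with ESMTP id 7F3A21
\tfor <victim@example.net>; Mon, 26 Dec 2005 03:10:44 +0000
Received: from adsl-69-235-176-173.dsl.irvnca.pacbell.net
\t(adsl-69-235-176-173.dsl.irvnca.pacbell.net [69.235.176.173])
\tby host.sonnexh.com (8.13.1/8.13.1) with SMTP id jBQ3A9xx
\tfor <victim@example.net>; Mon, 26 Dec 2005 03:10:31 +0000
From: Robert Chin <robert@example.invalid>
To: victim@example.net
Subject: Make lots of money within 45 days

(body omitted)
"""

_HOP = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw):
    """Hops newest-first: {'helo', 'by', 'ip'} for each Received: header."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())       # unfold continuation lines
        m = _HOP.search(flat)
        if not m:
            continue
        ipm = _IP.search(m.group("info") or "")
        hops.append({"helo": m.group("helo"), "by": m.group("by"),
                     "ip": ipm.group(1) if ipm else None})
    return hops


def connecting_ip(hops, my_servers):
    """IP that connected to one of *your* servers: the relaying host.

    This is the only hop you can trust; every Received: line below the ones
    your own servers wrote was supplied by the sender's side and can be forged.
    """
    for hop in hops:
        if hop["by"].lower() in my_servers:
            return hop["ip"]
    return None


def claimed_origin_ip(hops):
    """'from' IP on the oldest Received: line: the claimed source sender."""
    return hops[-1]["ip"] if hops else None


def dnsbl_name(ip, zone="bl.spamcop.net"):
    """Reverse the octets and append the zone, e.g. 238.200.16.69.bl.spamcop.net."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed(ip, zone="bl.spamcop.net", resolve=socket.gethostbyname):
    """(listed, answer). SpamCop answers 127.0.0.2 for a listed IP and NXDOMAIN
    otherwise; gethostbyname raises socket.gaierror on NXDOMAIN."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return False, None
    return answer.startswith("127."), answer


def fake_resolve(name):
    """Stand-in resolver: lists only the relay IP, as SpamCop did in the article."""
    if name == "238.200.16.69.bl.spamcop.net":
        return "127.0.0.2"
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    relay = connecting_ip(hops, {"mx.example.net"})
    origin = claimed_origin_ip(hops)
    print("relaying IP   :", relay, dnsbl_listed(relay, resolve=fake_resolve))
    print("claimed origin:", origin, dnsbl_listed(origin, resolve=fake_resolve))
```

Drop the `resolve=` argument to query SpamCop for real. The distinction between the two functions is the practical caveat: the relay IP is what your server saw on the wire and is what a blacklist lookup should be run against; the Pacbell address is only what the relay claims, and a spammer who controls the relay can write anything there.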

Let's get back to sonnexh.com, a web hosting company. An abuse relay test of host.sonnexh.com reveals that it's an open mail relay. At the very least, it appears to accept a message for relay. Not a good thing. Is this a compromised box? If you visit host.sonnexh.com over HTTP, it comes up with a cPanel page. Well, sonnexh.com, a self-billed reliable and economical hosting company, is registered to Josue Salazar in Costa Rica. The technical and admin contact, Manish Singh, resides in India.
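A relay test is a short SMTP exchange: connect, EHLO, MAIL FROM an address outside the target's domain, RCPT TO an address on yet another domain, and see whether RCPT gets 250 (the host will carry third-party mail) or a 5xx "relay access denied". The following added example, which is not the article's code and not any particular relay-testing tool, shows both sides of that exchange: a small in-process SMTP responder standing in for host.sonnexh.com that can be switched between open and closed relay, and a probe client built on Python's smtplib. All hostnames and mailbox names are placeholders.

```python
"""Open-relay probe with both sides of the SMTP exchange.

Added example, not code from the CastleCops article. The in-process server is
a stand-in for host.sonnexh.com so the exchange can be run offline; all
hostnames and mailbox names are placeholders.
"""
import smtplib
import socketserver
import threading


class _RelayTestHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder: answers EHLO/MAIL/RCPT/RSET/QUIT and either
    accepts or refuses off-domain recipients depending on server.open_relay."""

    def send(self, line):
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self):
        self.send("220 host.relaytest.invalid ESMTP")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return                       # client hung up
            line = raw.decode("ascii", "replace").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.send("250 host.relaytest.invalid")
            elif verb == "MAIL":
                self.send("250 2.1.0 Ok")
            elif verb == "RCPT":
                # A properly configured MTA checks that the recipient is local
                # or the client is authenticated; an open relay skips that.
                if self.server.open_relay:
                    self.send("250 2.1.5 Ok")
                else:
                    self.send("554 5.7.1 Relay access denied")
            elif verb == "RSET":
                self.send("250 2.0.0 Ok")
            elif verb == "QUIT":
                self.send("221 2.0.0 Bye")
                return
            else:
                self.send("502 5.5.2 Command not implemented")


class RelayTestServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, open_relay):
        super().__init__(("127.0.0.1", 0), _RelayTestHandler)
        self.open_relay = open_relay


def relay_probe(host, port, sender="probe@relay-test.invalid",
                recipient="probe@some-other-domain.invalid"):
    """Return (accepts_relay, rcpt_reply).

    Both addresses are off the target's domain, so a 250 to RCPT TO means the
    host is willing to carry third-party mail, i.e. it looks like an open relay.
    """
    with smtplib.SMTP(host, port, local_hostname="probe.invalid", timeout=10) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.mail(sender)
        if code != 250:
            return False, f"{code} {msg.decode('ascii', 'replace')}"
        code, msg = smtp.rcpt(recipient)
        smtp.rset()                          # never actually send anything
        return code == 250, f"{code} {msg.decode('ascii', 'replace')}"


def probe_fake_server(open_relay):
    """Spin up the stand-in server, probe it, and shut it down."""
    server = RelayTestServer(open_relay)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        return relay_probe(host, port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("open relay  :", probe_fake_server(True))
    print("closed relay:", probe_fake_server(False))
```

Two caveats a practitioner would add. Only run `relay_probe` against hosts you are authorised to test; unsolicited relay probes are themselves abuse reports waiting to happen. And, as the article itself hedges ("at the very least, it appears to accept a message for relay"), a 250 to RCPT TO is strong evidence but not proof: some servers accept the envelope and discard or bounce at the DATA stage, so a definitive result means actually delivering a test message to a mailbox you control.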

So the email comes from what appears to be a server someone has broken into, yet SpamCop shows the IP is a regular on its blacklist. So is it really compromised, or is Sonnex hosting part of this? Any actual email replies (and those on WHOIS) go back to Gmail. But then, who is the person on the Pacbell DSL account? A compromised user who doesn't know they are compromised?

It all starts with the home and business computer. Set up proper updates and security to prevent being compromised. If we all harden our systems, we can prevent many nefarious things from happening. CastleCops has just such a tutorial, called the Malware Removal and Prevention Procedure. Read it and spread the love.

So who makes the money within 45 days? I doubt it's the email recipient; I think it's more likely the scammer.

by Paul Laudanski, Microsoft MVP Windows-Security
Posted on Monday, 26 December 2005 @ 17:16:25 UTC by Paul (6279 reads)
