“Verify this email is yours” spam

Yesterday I got an unusual email spam. It hit my inbox on Fastmail, coming from my Google account. The spam link was embedded in the actual email address, using the plus notation that Gmail supports. On Fastmail, the link wasn’t clickable, but on Gmail it was. When I checked Gmail, the email had been moved into Spam, so I guess they were dealing with many copies of this. Surprisingly, the link is still clickable, even with the email in the Spam folder.

I thought I hadn’t received spam like this before but looking at it again, I think I did. Just once.

The email came from “Google <noreply@google.com>”, and the spammers used some online service that requires verification. They stuffed the spam link into the email address. Here’s what it looks like on Gmail:

A spam email I received. I have obscured the spam link in this ALT text:

Verify this email is yours
[my email]+~New~messages~Read-[spam link]#@
googlemail.com
This email address was recently entered to verify your email address.
You can use this code to verify that this email belongs to you.
793352
If this wasn't you, someone may have mistyped their email address. Keep this code to yourself, and no other action is needed at this moment.
The Google Accounts team

They added a “#” character at the end of the link, so the @googlemail.com part of the email address would become a URL fragment (an anchor) instead of breaking the link. Pretty clever, pretty devious. The link goes to a 404 now, but had an image with a link yesterday.

So, be careful if you get any email verification emails. Especially if you weren’t expecting it. It’s probably spam.
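A filter-side check for the trick described above, as an added example that is not part of the original post: it flags addresses whose plus-tag carries a URL and shows what the trailing “#” does once a mail client auto-links it. The sample address is constructed (the real spam link is not reproduced), and the `https://` scheme in it is an assumption.

```python
import re
from urllib.parse import urlsplit

# Explicit scheme, "www.", or a dotted hostname inside the tag of user+tag@domain.
HOSTLIKE = re.compile(r"https?://|www\.|(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def split_address(addr):
    """Split user+tag@domain. Whitespace is removed first because mail
    clients wrap long addresses across lines, as in the message above."""
    addr = "".join(addr.split())
    local, _, domain = addr.rpartition("@")
    user, _, tag = local.partition("+")
    return user, tag, domain

def tag_findings(addr):
    """Reasons the plus-tag looks like a smuggled link (empty list = clean)."""
    _, tag, _ = split_address(addr)
    findings = []
    if HOSTLIKE.search(tag):
        findings.append("tag contains a URL or hostname")
    if tag.endswith("#"):
        findings.append("tag ends in '#', so '@domain' becomes a URL fragment")
    return findings

def fragment_after_autolink(addr):
    """What is left as the URL fragment once a linkifier links the tag.
    Returns None when the tag holds nothing URL-like."""
    _, tag, domain = split_address(addr)
    match = HOSTLIKE.search(tag)
    if not match:
        return None
    url = tag[match.start():] + "@" + domain
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).fragment

# Constructed samples in the shape shown above.
SAMPLE = "someone+~New~messages~Read-https://spam.example/offer#@\ngooglemail.com"
NO_HASH = "someone+https://spam.example/offer@gmail.com"
NORMAL = "someone+newsletters@gmail.com"

if __name__ == "__main__":
    for address in (SAMPLE, NO_HASH, NORMAL):
        print(repr(address), tag_findings(address), fragment_after_autolink(address))
```

With the “#” the mail domain lands in the fragment and the link target stays clean; without it the `@gmail.com` suffix ends up in the URL path.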

When you move IP, move all the IPs

I recently moved the server hosting this site and my photoblog to a new Linode. About time too as the old one was full of cruft built up over a decade of upgrades. It had finally reached the point where I had trouble finding new dpkg files for software that wasn’t as ancient as my installation. Updates would stop in the next year or two as well, which was a huge problem.

When I did move, I pointed the DNS at my new server and all seemed fine. That is, until I saw an email from Google on Friday saying a new user had been added to the search console for www.inphotos.org!

I don’t use the www hostname on any of my sites, and didn’t actually have a search console property set up on that site. I don’t remember now if I had to create one, but when I eventually logged into it, I found an “Ian Trader” already in there. He was a validated user, too.

He had been allocated the IP address of my old server. He saw that www.inphotos.org still pointed at it and asked Google to validate his ownership by uploading an HTML file to his server.

A screenshot from the Google search console showing the ownership verification details of the attacker who created a validated account on www.inphotos.org
A screenshot of my browser showing the validation file the attacker used to gain access to the search console for www.inphotos.org

Yikes! Quick as I could, I checked the DNS and found that yes, www.inphotos.org was still pointing at my old IP address! Damn.

Fixing it was fairly easy, I thought. I removed that user, and removed the www hostname.

However, Ian had one more trick up his sleeve. He had put a sitemap on www.inphotos.org, and it led to 129,864 fake links that Google could not index.

Screenshot of the "page indexing problems" chart from Google Search Console showing 129,984 problematic pages since last Wednesday.

It looks like he was setting up a malware server with the names of books on each page:

/c/pdf/upload?PUB=new_apostolic_church_hymn_collection_songs&blackhole=017
/c/pub/go?EPUB=hawker_battery_charging_instruction_manual&daily=034
/c/pub/list?BOOK=a_shade_of_vampire_7_a_break_of_day&dua=047
/c/pub/list?EPUB=ib_vietnamese_past_paper_2013&monument=094
/c/pub/list?PDF=lowepro_user_manual&codevember=001
/c/pub/list?PDF=suzuki_swift_owners_manual_2009&bubbley=087
/c/pub/upload?PUB=caravaggio_ediz_illustrata&particles=015
/c/pub/upload?PUB=mi5_and_me_a_coronet_among_the_spooks&sassy=021
/c/pub/url?BOOK=radiation_detection_and_measurement_solutions_manual&delapan=081
/c/pub/visit?EBOOK=mercruiser_hp_engine_manual&daily=009
/d/book/data?PUB=gossie_and_gertie_gossie_friends&particle=016
/d/book/file?DOC=engine_repair_manual_for_f550&dribbble=005

I fixed those with some simple mod_rewrite rules, so visiting those URLs should take you back to the homepage. Google is validating my fix now. Besides, that fake sitemap is gone, so I expect Google to forget about them soon, I hope.

So, when you’re moving websites around, make sure you update all the DNS records for your sites. I may not have noticed for a good while if he had set up the redirect scripts on his server correctly and didn’t go into the search console.
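One way to audit for the leftover record described above, as an added example that is not from the original post: list every hostname in a zone, follow CNAMEs, and report any name that still resolves to an address outside the set you currently control. The zone listing, the `example.org` names and the documentation-range IPs are constructed placeholders.

```python
import ipaddress

# Constructed zone listing ("name TYPE value"); names and IPs are placeholders.
ZONE = """
@       A      198.51.100.20
www     A      203.0.113.10     ; forgotten during the move
photos  CNAME  www.example.org.
mail    CNAME  mail.provider.example.
"""

def parse_zone(text, origin):
    """Map each fully qualified name to its list of (type, value) records."""
    records = {}
    for line in text.splitlines():
        line = line.split(";")[0].strip()    # drop comments and blank lines
        if not line:
            continue
        name, rtype, value = line.split()
        fqdn = origin if name == "@" else f"{name}.{origin}"
        records.setdefault(fqdn.lower(), []).append(
            (rtype.upper(), value.rstrip(".").lower()))
    return records

def resolve(name, records, depth=0):
    """Follow CNAMEs inside the zone and return the set of addresses reached.
    Targets outside the zone return an empty set and need a separate check."""
    if depth > 8:                             # guard against CNAME loops
        return set()
    found = set()
    for rtype, value in records.get(name, []):
        if rtype in ("A", "AAAA"):
            found.add(ipaddress.ip_address(value))
        elif rtype == "CNAME":
            found |= resolve(value, records, depth + 1)
    return found

def stale_hosts(records, owned_ips):
    """Return {hostname: [addresses you no longer control]}."""
    owned = {ipaddress.ip_address(ip) for ip in owned_ips}
    report = {}
    for name in records:
        strays = resolve(name, records) - owned
        if strays:
            report[name] = sorted(str(ip) for ip in strays)
    return report

if __name__ == "__main__":
    zone = parse_zone(ZONE, "example.org")
    for host, ips in stale_hosts(zone, ["198.51.100.20"]).items():
        print(f"{host} still points at {', '.join(ips)}")
```

Run it against an export of the real zone before releasing the old server's IP address; the CNAME that points at `www` is caught along with `www` itself.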

A Mastodon account is an email to spammers

This morning I received a spam email where the spammer accidentally CCed everyone, instead of BCCing them. They also seemed to have spammed many people named Donncha, so hopefully none of them reply-all asking to unsubscribe.

It’s not the first time, but they included an “email address” that isn’t an email address. They used my @donncha@mastodon.ie Mastodon account. They also included my Gmail address, which is how I received the email.

A screenshot showing a column of truncated addresses, each beginning with “donncha”.

I started receiving email to this blog’s @donncha@odd.blog address and to photoblog’s @donncha@inphotos.org address too, but I’ve blocked them already.

Screenshot from Fastmail showing an email alias is disabled.

If you publish the address of your self-hosted Mastodon account, you might want to make sure you don’t have an email address there too, or you’ll start to get unwelcome emails.

BTW – you should pay for your email, especially if you have self-hosted domains. Fastmail is great. Here’s the post I wrote about Fastmail when I switched over last year.

Spam as Gaeilge

Tá seic do chiste ($ 2.5 milliún) curtha i dtaisce againn trí roinn Western Union tar éis ár gcruinnithe deiridh maidir le do chiste. Níl le déanamh agat ach teagmháil a dhéanamh le Stiúrthóir Western Union, an Dr. Ferdinand Umeh trí sheoladh ríomhphoist, tabharfaidh sé treoracha duit maidir le conas do chiste iomlán a fháil.

“WESTERN UNION”

You’d think that after going to all the trouble to hack a mail server the spammers would realise that 99% of people in Ireland speak English and the vast majority don’t speak any Irish at all.

Gmail picked it up as spam anyway. Better luck next time.

Opt-Out of all the spam!

I’ve been getting a ton of CBD expo spam for months. SpamAssassin picks up most of it, and Gmail collects the rest in the Spam folder.

However, today one got through, so I scrolled down to the unsub link and saw it was SendGrid. I recognise them from previously reporting spam. I have no idea if it made a difference but I like to think it did.

So, despite the prevailing advice that you don’t unsubscribe from spam, I clicked unsubscribe. I opted out of that email, and then I saw the greyed out “View Opt Out Preferences” button.

That’s not exactly the friendliest thing to do, making it look like it isn’t active but I clicked on it and discovered a treasure trove!

This spammer has been busy, but SendGrid allows you to unsubscribe from them all in one click.

“But Donncha, now the spammer knows your email is real!”

Yeah, it’s been inundated with spam for years already. I’m planning on shutting it down sooner or later anyway because I’ve moved most of my logins to service specific email aliases for easy tracking of spam sources. It’s paid off a couple of times too.

Your DNA results are now ready!

This was a weird email to receive since I have never sent off a DNA sample to any company.

Dear Friend,

Your DNA results are now ready!

The results of your DNA sample reveal information about your distant ancestors, including how and when they moved out of Africa and the various populations they interacted with over thousands of years of migration. We hope you enjoy exploring your chapter of the human story.

Sure enough, it’s spam from The National Geographic. The linked page allows you to buy the Geno 2.0 Next Generation kit.

I used to have an NG subscription years ago but I gave it up. I wasn’t reading it, and the issues were collecting dust in a corner. Looks like they’re harvesting their email lists. Anyone else get this email?

Irish Water Phishing Emails

I must have been half asleep when I clicked the link in this email, but Gmail hadn’t caught it yet even though it’s an obvious phishing attempt, so be warned if you get an email warning of “urgent maintenance” of your account. Then again, it’s probably a bad site to phish, since most people are boycotting them. I bet there’ll be people on Facebook complaining that they were sent these emails, even though they’re protesting it! 🙂

The from address is at Telefonica, and the login link goes to a page at 3i6e5.16mb.com which is a convincing Irish Water login page, looking very like the original.

Opening both pages in two tabs and switching between them shows no jumps in spacing or changes at all. Irish Water haven’t been around that long either so it’s not as if we’re all familiar with how they compose their email correspondence. Mark as spam and don’t let the bad guys win.

Finbarr Galvin SMS Spam

Finbarr Galvin Ltd Spam SMS

I guarantee I will not be buying my next car from Finbarr Galvin Ltd and you probably shouldn’t either if you want your personal data to be respected. I should have known I’d be SMS spammed by Finbarr Galvin Ltd again. They’re a car dealer in the town of Bandon, Co Cork for those who don’t know them. I bought a car off them around seven years ago, which I traded in for another car two years later.

So, I haven’t had any business dealings with them in seven years.

In the time since then I’ve received a couple of advertising text messages, the last being about two years ago when I remember a lengthy phone call with a sales assistant to get them to remove me from their SMS list. They didn’t have an “opt out” method that time.

I’ve tried to remove myself from their list now by texting OPTOUT to 50123 as stated in this text message, but haven’t heard back yet. If I was to judge by my previous attempts to unsubscribe, they probably have to manually remove my number using a chisel on stone tablets or something similarly archaic. This is part of the reason I’m making this blog post, as a reminder for the next time I get spammed by them.

I’m also publishing this because Finbarr Galvin Ltd should only send advertising text messages to customers they have had dealings with and received express permission to message them, in the last twelve months. I told them this that time I talked to that sales assistant:

Marketers may send you electronic mail for direct marketing purposes where:

(i) You have given them explicit consent to do so within the last twelve months, or
(ii) they have obtained your personal contact details in the course of a sale to you of a product or service within the last twelve months, they informed you of their identity, the purpose in collecting your contact details, the persons or categories of persons to whom your personal data may be disclosed and any other information which is necessary so that processing may be fair, and the direct marketing they are sending is in respect of their similar* products and services only, and you were given a simple cost-free means of refusing the use of your contact details for direct marketing purposes at the time your details were initially collected, and where you did not initially refuse the use of those details, you are given a similar option at the time of each subsequent communication. (If you fail to unsubscribe using the cost-free means provided to you by the direct marketer, you will be deemed to have remained opted-in to the receipt of such electronic mail for a twelve month period from the date of issue to you of the most recent marketing electronic mail).

They certainly shouldn’t be using my personal details for advertising purposes after seven years. I hope that OPTOUT text to 50123 was “cost-free”.

Bah.

Extortion by Email Spam

Spammers are getting desperate. I received the following email a few days ago, which somehow got through Gmail’s spam filter:

From: “germes”
To: “donncha” <.....>
Subject: RE: Hello
Date: Sun, 24 Mar 2013 15:37:20 +0000

Hello You received this message because this is an email list for mass mailings. We analyze the list and remove a lot of email. pay you $ 2 or 2 euro, and we will remove it from the list of spam Email newsletters.

webMoney purse
Z180596051821
E943924283321

I presume they meant to say that I pay them to remove my email address from their mailing list rather than the other way around!