MyNameHere

Where did this email come from?

I have to admit that I'm a bit ignorant here, but...

I received an email message apparently from someone I know with a Yahoo mail address. It had my address and several others, some of which l also know through the "sender." The recipients were formatted like this:

emailid <emailid[at]domain.com>

The body of the email was a link that began with a legitimate domain but ended with a very odd string of characters: "http://www.newsmediaguild.org/way/vwvvgufjl?lclmzkadur"

I was immediately suspicious, mainly because of the list of recipients, but also because of the link and the fact that there was no other message.

I used Google to find the legitimate domain and visited its website. It did not appear to have a web folder with the name that was given in the link ("way"). I found out that following the link would take me not to the legitimate website but to "http://e-fxnews.com," which labels itself as "Fox News" but actually is a spamvertising site.

When SpamCop parsed the email, it indicated that it did not originate with Yahoo but from "virtua.com.br" relayed through Yahoo.

What I'm wondering is this:

  1. Because the recipients were all people that the sender knows, does that mean the sender's Yahoo account was hacked, even though the mail didn't originate from there--or how did the spammer know who is on the sender's contact list?
  2. How does the redirection of the link work?

Thanks!
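The origin question above is answered by walking the Received headers the way SpamCop does: trust only the lines added by hosts you know (the recipient's MX and the relay it accepted the mail from, here Yahoo), and take the "from" of the last trusted line as the real origin. This is an added example, not code from the thread; the message, hostnames and IPs are constructed stand-ins modelled on the thread's description.

```python
import email
import re
from email import policy

# Constructed sample message modelled on the thread (a Yahoo relay accepted
# the message from an outside host). It is NOT the original email.
SAMPLE_RAW = """\
Received: from nm5.bullet.mail.yahoo.example (nm5.bullet.mail.yahoo.example [203.0.113.10])
\tby mx.recipient.example with ESMTP; Mon, 01 Jan 2024 10:00:00 +0000
Received: from host77.virtua.example (host77.virtua.example [198.51.100.77])
\tby nm5.bullet.mail.yahoo.example with SMTP; 01 Jan 2024 09:59:58 -0000
Received: from localhost (localhost [127.0.0.1])
\tby host77.virtua.example with ESMTP; 01 Jan 2024 09:59:50 -0000
From: friend@yahoo.example
To: emailid <emailid@domain.example>
Subject: (no subject)

http://www.example.test/way/vwvvgufjl?lclmzkadur
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+).*?by\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hops(raw):
    """Return the Received hops newest-first as dicts with from/ip/by."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for h in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(h))      # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        ip = IP_RE.search(text)
        hops.append({"from": m["helo"], "ip": ip.group(1) if ip else None, "by": m["by"]})
    return hops

def is_trusted(host, trusted_suffixes):
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)

def find_origin(raw, trusted_suffixes):
    """Walk newest-first while each line was added ('by') by a trusted host that
    is also the 'from' of the line above it; the 'from' of the last such line is
    the origin. Anything deeper was written by the sender and may be forged."""
    origin, expected = None, None
    for hop in parse_hops(raw):
        if not is_trusted(hop["by"], trusted_suffixes):
            break
        if expected is not None and hop["by"] != expected:
            break                                # chain does not line up: stop trusting
        origin, expected = hop, hop["from"]
    return origin
```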

I received an email message apparently from someone I know with a Yahoo mail address.

What I'm wondering is this:

  1. Because the recipients were all people that the sender knows, does that mean the sender's Yahoo account was hacked, even though the mail didn't originate from there--or how did the spammer know who is on the sender's contact list?
  2. How does the redirection of the link work?

This is very common. The Yahoo account "could" have been accessed and the owner should change their password and let their contacts know someone is sending spam using their email address.

Also, if an email was "CC'ed" to all of the contacts, then forwarded again and somewhere a spammer got/received that email which lists all of those email addresses they then just increased their spamming list. This happens a lot when everyone wants to "Forward" a "really good joke" to everyone they know, and they "Forward" to their friends, and they "Forward" to their friends... the list of email addresses grows...!

hxxp://www.newsmediaguild.org

A site with a "weak" password that was Hacked and then used for email spam so this site is reported and keeps the main sites open longer as they are not reported as often.

Same redirection:

hxxp://www.newsmediaguild.org/way

hxxp://www.newsmediaguild.org/way/vwvvgufjl?lclmzkadur

The redirection code is in the sub-directory "way".

The code string at the end of the URL just tells the spammer who initially sent the spam email URL and who gets credit for the redirection. In this case "vwvvgufjl?" starts the redirection and is a tracking code, "lclmzkadur" tells them who spammed it (something like that, not a coder here).

You can also see these type of tracking codes in any newsletter you receive. They let the sending site know you received the email and which link was clicked.

hxxp://e-fxnews.com

FAKE NEWS SITE - Site is used as a Redirection to Illegal Internet Pharmacy/Supplement, Replica or Work-From-Home Scam site.

"Looks real don't it"... That's the intent, to make the visitors think it's real and click the links. Note: all of the links go to the same site...

http://www.storeberryrasp.com

Spamvertized site - An Internet Pharmacy/Supplement Weight-Loss Scam site. "Pharmacy spam" brands promoting medications, herbs, supplements, Weight-Loss, devices and augmenting body parts.

There are sooo many of these...

[edit - "payload" storeberryrasp link broken, please don't post these links folks - you are doing the spammer's work for him when you do, and risk the reputation of this site besides]

Edited by Farelf
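To see how the redirection in the "way" directory and the tracking tokens described above fit together, here is an added example (not code from the thread or from any of the sites named): it splits a spam link into its redirect directory, path token and query token, and follows a redirect chain one Location header at a time, with a hop cap and loop check, so the final landing site can be recorded without rendering any of the pages. The hostnames and the fake_fetch lookup table are constructed stand-ins; in real use fetch would be a HEAD request that does not auto-follow.

```python
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the redirect network described in the thread
# (compromised site -> fake news site -> spamvertised site). Hostnames are
# placeholders; a real check replaces fake_fetch with a HEAD request that
# does not auto-follow redirects.
FAKE_WEB = {
    "http://compromised.example/way/vwvvgufjl?lclmzkadur": (302, "http://fakenews.example/"),
    "http://fakenews.example/": (302, "/go?aff=lclmzkadur"),
    "http://fakenews.example/go?aff=lclmzkadur": (301, "http://payload.example/"),
    "http://payload.example/": (200, None),
}

def fake_fetch(url):
    """Return (status, Location header value) for one request, no following."""
    return FAKE_WEB.get(url, (404, None))

def resolve_chain(url, fetch=fake_fetch, max_hops=10):
    """Follow Location headers by hand, recording every hop.

    Returns (chain, outcome): outcome is the final HTTP status, "loop" when a
    URL repeats, or "max_hops" when the cap is hit."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, status
        url = urljoin(url, location)            # Location may be relative
        if url in seen:
            return chain, "loop"
        seen.add(url)
        chain.append(url)
    return chain, "max_hops"

def split_tracking(url):
    """Split a spam link into (redirect dir, path token, query token): the
    three parts MainID points out in the thread's example URL."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    redirect_dir = "/" + "/".join(segs[:-1]) if len(segs) > 1 else "/"
    token = segs[-1] if segs else ""
    return redirect_dir, token, parts.query
```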


I agree that it could have started as a problem with a "hacked" Yahoo account. In recent months I've encountered news items about both BT (British Telecom) and Telecom New Zealand customers experiencing problems with their accounts - both ISPs use Yahoo.


Thanks, folks! Very educational.

Additional info: The account holder suspected it could have been someone hacking a Facebook account to get email addresses, though I don't know how that would work, either.

Thanks, folks! Very educational.

Additional info: The account holder suspected it could have been someone hacking a Facebook account to get email addresses, though I don't know how that would work, either.

They have their ways. Sneaky bas[at]$#ds are very determined to get that email out...


Amusing side note: SpamAssassin dumped the email notification of MainID's first post into my Held Mail.

:D

See my edit note on that post 84259. The ironies are manifold. But many thanks to MainID for the analysis and explanation - as you say, most educational.


See my edit note on that post 84259. The ironies are manifold. But many thanks to MainID for the analysis and explanation - as you say, most educational.

Thanks for the info about "live" URLs. I wasn't sure how to handle those myself, but then I found the general rule here (item #5f).
