
Spam with fat


Farelf


managed.com (the otherwise undistinguished inheritors of an infamous name) have excelled themselves. Not content with sending the biggest spam on the planet they just sent me something bigger yet - 419kb in its received form - http://www.spamcop.net/sc?id=z1882857053z9...87a6ea50f4656dz

Okay, we brought it on ourselves - some filters allow stuff over a certain size through, assuming spam is not likely to be more than (whatever) kb. How silly, managed.com, for one, knows no moderation. Sheesh, imagine getting this stuff over a dial-up connection at 56 kb/s. Ample justification for 'termination with extreme prejudice' of the responsible party. They're mainsleaze, how come they're not shut down under CAN spam? Hmm

Domain name: MANAGED.COM

Administrative Contact:

contactprivacy.com

That which dear old Rooster warned us of. Well, anonymity is not supposed to extend to protection in cases of misdemeanor or felony IIRC. I guess CAN spam violation is neither. It's BOTH in my book.

Anyway, I claim the inaugural record - 419kb worth of solitary abuse (no, that sounds a bit suss - KISS, 419kb in a single spam). Anyone seen anything to top that?


> I claim the inaugural record - 419kb worth of solitary abuse (no, that sounds a bit suss - KISS, 419kb in a single spam). Anyone seen anything to top that?

So, was the body just the one gigantic JPG attachment or what?

I get spams all the time offering me access to several gigabytes of solitary abuse, but of course the gigabytes aren't in the actual spam (I have to provide a credit card to get to them). So, I don't think I can top you for sheer size. However, this one merits a personal best for most complicated spam: http://www.rickconner.net/spamweb/analysis07.html

-- rick


> So, was the body just the one gigantic JPG attachment or what?

I didn't check whether it was a single attachment or multiple, nor am I sure what the usual style of these clowns might be in that regard. I am emotionally wed to the notion of getting rid of excess bulk at the first opportunity, having cut my teeth on first generation PCs (the ones on which a 4k OS was *huge* and Tiny Basic at 1.9k a boon, maximizing space for applications as it did).

> ...this one merits a personal best for most complicated spam: http://www.rickconner.net/spamweb/analysis07.html...

Utterly fantastic - must be the work of a bright kid. He must be found and neutered lest he later produce like/similar progeny.

Looking at the current parsing of my bloated spam, I see the routing of abuse reports has changed since submission (and I refreshed the cache before I submitted it and all ...

Tracking link: ht tp://flukra.hillmangroup.net/81Hn80461ebun7211ux53he5681cgE8MGU

[report history]

Cannot resolve ht tp://flukra.hillmangroup.net/81Hn80461ebun7211ux53he5681cgE8MGU

Reports regarding this spam have already been sent:
Re: 65.75.151.240 (Administrator of network where email originates)
Reportid: 3104244644 To: abuse#managed.com[at]devnull.spamcop.net
Re: ht tp://flukra.hillmangroup.net/81Hn80461ebun7211ux53he5681cgE8MGU (Administrator of network hosting website referenced in spam)
Reportid: 3104244645 To: abuse#managed.com[at]devnull.spamcop.net

If reported today, reports would be sent to:
Re: 65.75.151.240 (Administrator of network where email originates)
tech[at]srhostingu.com

So yes, hillmangroup.net is gone but I broke the links anyway. And I wonder if any of the routing of other examples formerly binned to abuse#managed.com[at]devnull.spamcop.net have changed too? Must look when I get a sec.

One curious thing, these oversized spams (and bulk submissions containing one or more of them) seem to sail straight through my ISP's usual blocking of submissions to SC. One of the few instances where lack of blocking inwards is matched by lack of blocking outwards. So that is a good thing. I have seen a filter rule somewhere, elsewhere to the effect that > (whatever)k is passed as non-spam which is maybe part of the rationale for these ludicrously bloated items. Or perhaps "they" have simply forgotten/don't care about crafting lean graphics (sheesh, the vast number of 'inconvenienced electrons' ... no way to 'save the planet').

Anyway, symmetry of effect inwards and outwards would be consistent with such a rule applying. Otherwise some form of heuristics may apply because being passed inwards is certainly no guarantee of being passed outwards. Which is plurry unfair (yet another inequity in an uncaring universe, but I digress).


Why me? This one http://www.spamcop.net/sc?id=z1900394652zc...a6a215f64c0c18z

came with a 1.286Mb scan0003[1].JPG attachment. Which has no recognizable viral content (no hits on VirusTotal scan, hash values

MD5...: ed70fc8a90cc832229357df138944469

SHA1..: 71660858a3108b19fec7ca856805e0dea3638f32

... hmmm we won't bother with SHA256 or SHA512, I've yet to hear of a simultaneous collision being demonstrated on both MD5 and SHA1).

Anyway, I can see why these peanuts strive for anonymity behind their obscure Cote d'Ivoire server address - sending these things must be chewing up half the country's GNP (well, 0.000000001% anyway). New record claim of 1.286Mb. At least it is useful in getting the email submission of the weekend's junk through to SC (past the ISP's filters, by way of clarification [1]).

Anyone else seeing these monsters? Has to be 'limited distribution', probably one shot mail-out, not worth bothering with I'm thinking.

[1] on edit


> Anyway, I can see why these peanuts strive for anonymity behind their obscure Cote d'Ivoire server address - sending these things must be chewing up half the country's GNP (well, 0.000000001% anyway).

You eclipse me again, I've never before gotten any spam from Ivory Coast. This message seems to have a distinct 419 aroma to it, maybe the perp typed up the dead-foreigner pitch as a business letter and then scanned it while he was ordering another iced chai at the Internet Cafe.

I have this picture in my mind of a bunch of Ivorian locals sitting around the local backbone drop watching the big messages leave town, just like the old guys in the movies used to hang around the depot to watch the big steam trains arrive and depart.

-- rick


> just like the old guys in the movies used to hang around the depot to watch the big steam trains arrive and depart.

Sheesh .. still happens <g> Of course, these days they charge admission to be 'at' the depot for these viewings. And usually, it's the whole family there, right along with the old guys.<g>

RFD network airs films made for those folks that can't get to the depot (or afford the ride) ... OK, probably more focused to the collectors and such, but ....

Quite in contrast to Farelf's misuse of so many electrons, all that mechanical action is still a sight to behold.


> You eclipse me again, I've never before gotten any spam from Ivory Coast.

I always say I just have .AQ to go to complete my collection of TLDs but sure, .CI is rare enough.

> This message seems to have a distinct 419 aroma to it, maybe the perp typed up the dead-foreigner pitch as a business letter and then scanned it while he was ordering another iced chai at the Internet Cafe.

OK - raised curiosity levels. The graphic is a 1673x2315 pixel scan (slightly skewed) of an A4 'business letter' - A4 being a fraction narrower (almost 1/4") than letter and almost 3/4" longer so that would make it about 200 DPI - supposedly from a travel agency in Berkshire, England (PO Box nominated) offering to arrange all sorts of stuff including immigration visas for no fee prior to completion. Well, apart from the 'visa processing fee' of $355 of course being payable in advance. And they have a GMail address. Can't see why I would want to immigrate to the UK - that's where all those convicts came from - but I digress :D. Anyway, advance fee and/or identity theft I'm thinking. Characteristically, the wording is just that touch "off" apart from being muddled, the signatory styles himself "Mr." - and the font is Comic Sans for pity's sake.

> ...just like the old guys in the movies used to hang around the depot to watch the big steam trains arrive and depart.

Wazoo often speaks of "flashbacks" - that gave me the olfactory equivalent, the smell of coal smoke from (must be) 55-60 years ago, as strong and real as can be. Nobody mention horses :D.

> Sheesh .. still happens <g> Of course, these days they charge admission to be 'at' the depot for these viewings. And usually, it's the whole family there, right along with the old guys.<g>. ...

Word is out one of the nicest local attractions of that sort is about to be discontinued. Leisurely valley journey by steam train, pulling mostly diner cars, the meal being a major focus of the experience, local produce figuring strongly. And I never got to go :(. Ah well, there is another on a different line I think. Dum vivimus vivamus :).

> Wazoo often speaks of "flashbacks" - that gave me the olfactory equivalent, the smell of coal smoke from (must be) 55-60 years ago, as strong and real as can be. Nobody mention horses :D.

Better horses (or even cows) than pigs. :excl:


  • 1 year later...

And now, one of over 11MB - http://www.spamcop.net/sc?id=z3829502112z6...b8eca11a2e47a7z (I wasn't sure before whether my account would handle more than 10MB, now I know it can).

2 attachments, "Secret_millioners.mp3" of 6MB 'and a bit' and "Приглашение в NewPro.doc" some 1.7MB - the doc file being somehow "locked" - couldn't send it to VirusTotal, couldn't even determine hash values. MS-Word encryption doesn't block either of those processes. Fortunately, my Russian correspondent was kind enough to inform me his missive about the vast riches to be made working on the internet from home is not spam, not a pyramid scheme and the attachments do not contain a virus as is easily determined by AV scanning. Thus, by the prime principle that "spammers lie" we know there is a high probability all of those assertions are false. So I deleted the attachments at that point (unfortunately losing their precise statistics due to going momentarily - I hope - cross-eyed when closing various windows).

Can't see that one making it into many inboxes (size alone would overload many accounts) but I am intrigued by the locked .doc - how do they do that? This is why I switch off ISP spam and virus filtering, so I can learn something every now and then. But when something interesting comes along I don't understand it. Grrrr.

VirusTotal upload attempt resulted only in a dialog box saying the file couldn't be opened. Windows Explorer Properties menu integrated 3rd party hash utility tab (Tweak.com) had no values and all functions greyed out (usually only seen for hidden read-only system files) but attributes (general tab and "advanced") showed all normal (no hidden, no read-only, ready for archiving etc.) Properties menu - general tab also said it came from another computer and might be blocked for protection. Unblocking did nothing obvious - VirusTotal upload still blocked and hash values still unavailable. MBAM, SAS and NIS found nothing amiss (not to mention Windows Malicious Software Removal Tool, carrying on as usual which is to say silently) - but I have reduced confidence in all of that with the blocking capabilities of the file already evident.

Mime detail was:

Content-Type: application/msword
Content-Disposition: attachment;
 filename="=?koi8-r?Q?=F0=D2=C9=C7=CC=C1=DB=C5=CE=C9=C5_=D7?=
 NewPro.doc"
Content-Transfer-Encoding: base64

I suppose I could have sent a text file of the base64 code for the .doc part to VT but didn't think of it. Few AVs know how to handle such files anyway (and if it was encrypted as well as whatever else it was ... unlikely any of them would react).

11.somethingMB for Pete's sake.
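The MIME detail in the post above, and the MD5/SHA1 values posted earlier for the JPG attachment, can both be worked from the raw message without ever opening the attachment in its native application: the transfer encoding is undone to get the bytes, the bytes are hashed, and the RFC 2047 encoded-word in the filename is decoded. The Python below is an added example, not code from this thread or from SpamCop. It parses a constructed message whose Content-Disposition header is the koi8-r one quoted above (folded across two lines as a mail client sends it); the addresses and the 32-byte stand-in payload (an OLE2 container signature followed by zeros) are hypothetical, so the hashes it prints are of that stand-in, not of any real file.

```python
"""Added example: pull attachments out of a raw MIME message, decode the
RFC 2047 filename and hash the decoded bytes without opening the file."""
import base64
import email
import hashlib
import quopri
import re

# RFC 2047 encoded-word:  =?charset?Q-or-B?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([QqBb])\?([^?]*)\?=")

# Leading-byte signatures, so the declared MIME type can be compared with the bytes.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (legacy .doc/.xls/.ppt container)",
    b"PK\x03\x04": "zip (docx/xlsx/jar/...)",
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"MZ": "pe (Windows executable)",
}


def decode_encoded_words(value):
    """Decode RFC 2047 encoded-words inside a header value such as a filename.

    Folded continuation lines are joined first.  Q encoding turns '_' into a
    space and '=XX' into one byte; B encoding is base64.  The resulting bytes
    are decoded with the charset the sender declared (koi8-r in the post).
    email.header.decode_header does this too; it is spelled out here so the
    mechanics are visible.
    """
    value = re.sub(r"\r?\n[ \t]*", " ", value)
    value = re.sub(r"(\?=)[ \t]+(=\?)", r"\1\2", value)  # space between two encoded-words is dropped

    def decode_one(match):
        charset, encoding, text = match.group(1), match.group(2).upper(), match.group(3)
        if encoding == "Q":
            raw = quopri.decodestring(text.encode("ascii"), header=True)
        else:
            raw = base64.b64decode(text)
        return raw.decode(charset, errors="replace")

    return ENCODED_WORD.sub(decode_one, value)


def identify(data):
    """Name the container type from the leading bytes, or None if unknown."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def hashes(data):
    """MD5, SHA1 and SHA256 of the bytes: the values a scanner lookup is keyed on."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def attachment_report(raw_message):
    """Describe every MIME part that carries a filename, working on the decoded bytes only."""
    msg = email.message_from_bytes(raw_message)
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        raw_name = part.get_filename()  # still RFC 2047 encoded at this point
        if raw_name is None:
            continue
        data = part.get_payload(decode=True) or b""  # undoes the base64 transfer encoding
        entry = {
            "filename": decode_encoded_words(raw_name),
            "declared_type": part.get_content_type(),
            "detected_type": identify(data),
            "size": len(data),
        }
        entry.update(hashes(data))
        report.append(entry)
    return report


# Constructed sample (hypothetical addresses, 32-byte stand-in payload).  The
# Content-Disposition header is the one quoted in the post, folded as sent.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_DOC = OLE2_MAGIC + b"\x00" * 24
RAW_MESSAGE = (
    b"From: sender@example.invalid\n"
    b"To: recipient@example.invalid\n"
    b"Subject: NewPro\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n'
    b"\n"
    b"--b1\n"
    b"Content-Type: text/plain; charset=us-ascii\n"
    b"\n"
    b"Not spam, not a pyramid scheme, no virus.\n"
    b"--b1\n"
    b"Content-Type: application/msword\n"
    b"Content-Disposition: attachment;\n"
    b' filename="=?koi8-r?Q?=F0=D2=C9=C7=CC=C1=DB=C5=CE=C9=C5_=D7?=\n'
    b' NewPro.doc"\n'
    b"Content-Transfer-Encoding: base64\n"
    b"\n" + base64.b64encode(SAMPLE_DOC) + b"\n--b1--\n"
)

if __name__ == "__main__":
    for entry in attachment_report(RAW_MESSAGE):
        for key, value in entry.items():
            print(f"{key:14} {value}")
```

Because the hashes are taken from the decoded bytes rather than from a file on disk, a "locked" or otherwise un-openable attachment still gets an MD5/SHA1/SHA256 that can be looked up, and the detected_type field shows whether the declared application/msword part actually starts with an OLE2 header or with something else (a ZIP, a PE executable, a JPEG).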

