From Pine View Farm

Stray Thought

If spamming is so lucrative, why can’t spammers hire competent translators?

Received in my spam trap account:

Subject: Send me txt message

Issue #333 – August 28, 2009
Editor: Kears Christeen
In this issue:

Something bothers me, I can’t understand one thing:
Why men prefer to avoid their own wives or girlfriends and lie, being scared of their male incompetence in bedroom, instead of just swallow one blue pilule and be her insatiable James Bond?
By the way those pilules cost less in our web-store!

The email originated from Romania from a domain called Bogdan Turcanu, which, when pumped through the Google translator, seems to be a fairly innocuous personal techy website. A resume posted on the site identifies Bogdan Turcanu as the webmaster.

My guess is the site is pwned by a botnet from a host god knows where.

Most mail clients hide headers by default, but you can normally find a way to look at them; they aren’t too hard to figure out. Here are the headers; the bold portion is the address of my AIM account, which I use primarily as a spamtrap. You can trace the path of the email through the various servers by working backwards through the list in the Received lines.

Also, note how the spam program replaced the actual email address with my own:

Return-path: <xxxxxxx@aim.com>
Received: from rly-df03.mx.aol.com (rly-df03.mail.aol.com [172.19.156.16]) by
air-df02.mail.aol.com (v125.7) with ESMTP id MAILINDF021-53f4a97eb9639b; Fri,
28 Aug 2009 10:37:40 -0400
Received: from client-G-23.telecomsv.ro (client-g-23.telecomsv.ro
[89.40.148.23]) by rly-df03.mx.aol.com (v125.7) with ESMTP id
MAILRELAYINDF038-53f4a97eb9639b; Fri, 28 Aug 2009 10:37:10 -0400
From: "Christeen Omeh" <xxxxxxx@aim.com>
To: xxxxxxx@aim.com
Subject: Send me txt message
Message-ID: <5526CFL.3018DE4.8307638737KCOBRHNOHTOOXKI1575@client-G-23.telecomsv.ro>
Content-Type: text/html; charset="iso-8859-1"
MIME-Version: 1.0
X-AOL-IP: 89.40.148.23
X-Mailer: Unknown (No Version)
Date: Fri, 28 Aug 2009 10:37:41 -0400
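The walk through the Received lines described above, as an added example (not part of the original post): it lists the hops oldest-first, picks out the first public address recorded by the receiving provider, and checks for the From-equals-To substitution. The function names and the regular expression are assumptions fitted to the AOL-style Received format shown here; other mail servers write these lines differently.

```python
import email
import ipaddress
import re
from email.utils import parseaddr, parsedate_to_datetime

# Headers from the post, trimmed to the fields used here (address redacted as in the post).
RAW = """\
Return-path: <xxxxxxx@aim.com>
Received: from rly-df03.mx.aol.com (rly-df03.mail.aol.com [172.19.156.16]) by
 air-df02.mail.aol.com (v125.7) with ESMTP id MAILINDF021-53f4a97eb9639b; Fri,
 28 Aug 2009 10:37:40 -0400
Received: from client-G-23.telecomsv.ro (client-g-23.telecomsv.ro
 [89.40.148.23]) by rly-df03.mx.aol.com (v125.7) with ESMTP id
 MAILRELAYINDF038-53f4a97eb9639b; Fri, 28 Aug 2009 10:37:10 -0400
From: "Christeen Omeh" <xxxxxxx@aim.com>
To: xxxxxxx@aim.com
X-AOL-IP: 89.40.148.23
"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <receiving server>"
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)")

def trace_hops(raw):
    """Return hops oldest-first. Each server prepends its own Received line,
    so the message lists them newest-first and we reverse the order."""
    hops = []
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        m = HOP.search(flat)
        if m:
            helo, rdns, ip, by = m.groups()
            when = parsedate_to_datetime(flat.rpartition(";")[2].strip())
            hops.append({"helo": helo, "rdns": rdns, "ip": ip, "by": by, "when": when})
    return hops

def boundary_ip(hops):
    """Walk newest-first past the provider's internal relays and return the first
    public address. Lines older than that one were under the sender's control."""
    for hop in reversed(hops):
        if ipaddress.ip_address(hop["ip"]).is_global:
            return hop["ip"]
    return None

def from_matches_to(raw):
    """True when the sender address was replaced with the recipient's own."""
    msg = email.message_from_string(raw)
    return parseaddr(msg["From"])[1].lower() == parseaddr(msg["To"])[1].lower()

if __name__ == "__main__":
    for hop in trace_hops(RAW):
        print(hop["when"], hop["ip"], "->", hop["by"])
    print("whois target:", boundary_ip(trace_hops(RAW)), "| From == To:", from_matches_to(RAW))
```

The address returned by `boundary_ip` is the one to hand to `whois`, and on this message it agrees with the X-AOL-IP header.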

Here’s the WHOIS based on the header information (I didn’t have to go to Sam Spade to run “whois”; it comes with Linux):

inetnum: 89.40.144.0 - 89.40.151.255
netname: SC-MARILUC-COM-SRL
descr: SC MARILUC COM SRL
descr: Str. Jean Bart, Nr. 4 Bl. 80,
descr: Sc. D, Ap.6 Suceava 720168
country: ro
admin-c: LIM8-RIPE
tech-c: BT1083-RIPE
status: ASSIGNED PA
remarks: Registered through http://www.jump.ro/ip.html
mnt-by: RO-MNT
mnt-lower: RO-MNT
mnt-routes: MARILUC-MNT
source: RIPE # Filtered

person: LUCACI IONUT MARIUS
address: SC Mariluc Com SRL
address: Jean Bart, Nr. 4 Bl. 80, Sc. D, Ap. 6
address: Suceava Suceava 720168
phone: +40-744-544598
fax-no: +40-230-517747
e-mail: mariluc@telecomsv.ro
nic-hdl: LIM8-RIPE
mnt-by: MARILUC-MNT
source: RIPE # Filtered

person: Bogdan Turcanu
address: Calea Nationala 71
address: Bl, G9, sc. C, ap. 13
address: Botosani, Romania
remarks: My website:
remarks: http://www.bogdanturcanu.ro
phone: +40-740-092943
e-mail: bogdan@bogdanturcanu.ro
e-mail: bogdan@netgrup.ro
nic-hdl: BT1083-RIPE
mnt-by: NETCOM-ACTIV-MNT
source: RIPE # Filtered

% Information related to '89.40.144.0/21AS41858'

route: 89.40.144.0/21
descr: SC Mariluc Com SRL
origin: AS41858
mnt-by: MARILUC-MNT
source: RIPE # Filtered
