[SpamCop-List] trash from Opt-In, Inc.

Michael Chaney spamcop-list
Wed, 22 Aug 2001 21:46:18 -0500


I got no less than two spams from Opt-In, Inc. within a period of ten 
minutes (see the .spam group).  This company puts on a facade of being a 
legitimate opt-in list builder, but they are in fact spammers.

I first found out about them through their site "greetking.com".  They sent 
a carpet-bomb spam to *@home.com, and happened to catch my unpublished 
@Home address in the attack.  The spam claimed that I had a card waiting 
for me at greetking.com, and provided a link to click on.  I knew it wasn't 
personalized since a look at the header revealed 20 other close names to 
mine that the same message was sent to.  As an aside, this spam was the 
first case of URL shrouding that I had encountered:

> It's ugly, but here's the breakdown.  It kinda makes sense, basically taking
> advantage of IE's very lenient parser.
>
> http://www.greetking.net
> 74913813613029759828424968481903|36841789845198922487812465580020@
>
> Everything up to the first @ sign is treated as a "username:password" pair,
> sans password.  That means that www.greetking.net isn't considered the host.
> This kind of makes sense.
>
> Host:
> 3457898348|2163321656
>
> IE ignores everything here up to the @ sign.  The rest of it,
> 98117634218729458742427818979882, is the host.
> 98117634218729458742427818979882 mod 2^32 = 1066463786, which you recognized
> earlier is 63.144.242.42.
>
> The rest of it is the path, apparently the :8080 is put in to throw us off.
> My guess is that they have an apache rewrite rule to fix this up and turn it
> into /greetings/login or something.
>
> ?36841789845198922487812465580020/74913813613029759828424968481903:8080?37274281801195844827250209544044/greetings/login
>
> This seems to be a pretty smart way to shroud your url.

Here's the original spam itself:

Return-Path: <greetking>
Received: from mh1-sfba.mail.home.com ([24.0.95.132])
          by femail4.sdc1.sfba.home.com
          (InterMail vM.4.01.03.00 201-229-121) with ESMTP
          id
<20001110093727.COHV26316.femail4.sdc1.sfba.home.com>
          for <mdchaney>;
          Fri, 10 Nov 2000 01:37:27 -0800
Received: from mx1-sfba.mail.home.com (mx1-sfba.mail.home.com [24.0.95.136])
 by mh1-sfba.mail.home.com (8.9.3/8.9.0) with ESMTP id BAA19302;
 Fri, 10 Nov 2000 01:38:52 -0800 (PST)
Received: from mail. (ip157.toronto88.dialup.canada.psi.net [154.20.82.157])
 by mx1-sfba.mail.home.com (8.9.1/8.9.1) with SMTP id BAA02307;
 Fri, 10 Nov 2000 01:38:48 -0800 (PST)
Message-ID: <W708z2c4WvYFpraPaoN4n>
From: "greetking" <greetking>
Reply-To: ecards
Subject: You have received a greeting card.
Date: Fri, 10 Nov 2000 04:24:56 -0400 (EDT)
MIME-Version: 1.0
Content-Type: TEXT/HTML; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Apparently-To: <mdcharl>
Apparently-To: <mdchard>
Apparently-To: <mdchapman>
Apparently-To: <mdchapma>
Apparently-To: <mdchang>
Apparently-To: <mdchaney>
Apparently-To: <mdchandler>
Apparently-To: <mdchand>
Apparently-To: <mdchan>
Apparently-To: <mdclp>
Apparently-To: <mdclover>
Apparently-To: <mdcline>
Apparently-To: <mdclifton>
Apparently-To: <mdclifford>
Apparently-To: <mdcliff>
Apparently-To: <mdclick>
Apparently-To: <mdcleve>
Apparently-To: <mdclements>
Apparently-To: <mdclement>
Apparently-To: <mdclemens>
Apparently-To: <mdclegg>
Apparently-To: <mdcleary>
Apparently-To: <mdcle>
Apparently-To: <mdclc>
Apparently-To: <mdclayton>
Apparently-To: <mdclay>
 
<html>
<head>
<title>
Greet King Greeting Card Notification
</title>
</head>
<body>
<b>Greet King Greeting Card Notification</b><br>
<br>
You have received an electronic greeting card.  Please click on the link
below to pick up your greeting card.<br>
<br>
If prompted, your card pickup code is: LAJFJ<br>
<br>
<a
href="http://www.greetking.net/hpickup.html?pickupcode=LAJFJ&mdc">Retrieve
Greeting Card</a>
<br><br>
If you have any trouble retrieving your greeting card or need related
support please contact our
global rapid response support team at greetking
<br><br>
<b>Greet King</b><br>
My Kingdom for a Card.<br>
 
</body>
</html>

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

The trick is to get the recipient to click on the link.  Note the URL, 
which ends with "&mdc".  Note that all the "Apparently-To" headers have 
names that start with "mdc".  They had a bit of JavaScript on the page 
which matched up the first three letters of the email address that you 
entered with that text.  After you enter an email address (or anything that 
starts with "mdc"), you are taken to a page that asks for your life 
history.  They have a privacy policy which is humorous, basically "we're 
selling your information, deal with it".  After that, you're taken to your 
"card", and you find out that there isn't one.

But, now Opt-In, Inc. can say that you "opted in".  I put in an address to 
see what they would do, and they immediately began sending junk to it.  
They did, to their credit, honor the remove request.

That is, they honored it on the "legit" side.

The latest spams claim that I subscribed to their "Grail" list.  But 
they're using "domains(a)michaelchaney.com", which is an address that 
appears only one place: my whois records.  Yes, I have specifically told 
Network Solutions to not sell that address, and I have no reason to believe 
that they have.  Anyway, Opt-In is making the claim that I joined the list 
voluntarily, which is a blatant lie.

The president of Opt-In, Inc., Steve Hardigree, gets good press about being 
a legitimate opt-in emailer.  Hopefully, anyone reading this can consider 
the evidence against them and draw the correct conclusion.

By the way, you might wonder how I know that greetking.com is owned by 
Opt-In, Inc., particularly since Opt-In goes to such lengths to hide the 
connection.  Opt-In used to actually list their other sites on the main 
site, and I actually stumbled across it one day from another spam a few 
months after my original spam from greetking.  From what I can tell, they 
no longer have the list up there.

Michael
-- 
Michael Darrin Chaney
mdchaney
http://www.michaelchaney.com/
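
Added example, not part of the original post: a small Python check that undoes the URL shrouding described in the quoted breakdown, by discarding the decoy userinfo before the "@" and reducing a single-integer host mod 2^32 to a dotted-quad address. The function name, the finding labels and the sample URL are assumptions made for illustration; the sample is constructed from the pieces quoted above and is not the spam's exact URL.

```python
import ipaddress
import re

# Authority = everything between "scheme://" and the first "/", "?" or "#".
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")

# Constructed sample: decoy name and digits as userinfo, page's integer as host.
SAMPLE = ("http://www.greetking.net|74913813613029759828424968481903"
          "@98117634218729458742427818979882/greetings/login")


def unshroud(url):
    """Return (decoy_userinfo, real_host, findings) for a possibly shrouded URL."""
    m = _AUTHORITY.match(url)
    if not m:
        raise ValueError("not an absolute URL with an authority part")
    authority = m.group(1)
    findings = []

    # Lenient parsers treat everything before the LAST "@" as userinfo,
    # so a hostname-looking string placed there is only a decoy.
    userinfo, at, hostport = authority.rpartition("@")
    if at:
        findings.append("userinfo-present")
        if re.search(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}", userinfo):
            findings.append("userinfo-looks-like-hostname")

    # Drop an optional ":port" (IPv6 literals are out of scope here).
    host = hostport.split(":", 1)[0]

    if re.fullmatch(r"[0-9]+", host):
        # Single-integer host: reduce mod 2^32, as the quoted analysis
        # describes, and print it as a dotted quad.
        value = int(host)
        findings.append("integer-host")
        if value >= 2**32:
            findings.append("integer-host-overflows-32-bits")
        host = str(ipaddress.IPv4Address(value % 2**32))

    return userinfo, host, findings


if __name__ == "__main__":
    print(unshroud(SAMPLE))
```

Any of the findings is a reasonable signal for a mail filter or proxy to flag the link, since ordinary links rarely carry userinfo or an integer host.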