On the case with Sam Spade

RELATED TOPICS

In this newsletter, I thought some readers would enjoy seeing the steps in finding out the details of yet another e-mail scam: fraudulent click-throughs.

On Dec. 23, 2000, I received an HTML invitation from a stranger to try a "new game." Unimpressed by the warmth of the invitation and suspicious of any attachment, I looked at the source code and found some peculiar aspects:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>

<head>

<title>Untitled</title>

</head>

<body><P ALIGN=CENTER>

<A

HREF="http://www.findcommerce.com/tracking/sarefer.dll?HostBannerID=263589"

TARGET="_top" onmouseover="window.status='CLICK IT';return true">

<font size="+1">click here</font></A><IMG

SRC="http://www.whispa.com/tracking/exposure.dll?263589" WIDTH=1 HEIGHT=1

BORDER=0><br><br>To join new game for free<br>No charge</p>

</body>

</html>

The source suggested that the intent of this information was primarily to track responses, not to convey information.

I then turned to the Sam Spade 1.14 network utility (see http://www.samspade.org/ssw/ for details of this useful freeware) and quickly found that the headers were forged.

Between the asterisks below is what the program returned to me (note that the commentary -- e.g., "My comments are just hints" -- is the program's, not mine.):

***

12/27/00 16:22:21 Input

The Received: headers are the important ones to read

My comments are just hints, and should be considered only

an opinion. I may have guessed wrong, or things may have

changed since I was written

Sender: Lisa@netvision.net.il

Received: from mgw-mp.sric.sri.com (mgw-mp.sric.sri.com

[128.18.23.110]) by spdmgaae.compuserve.com

(8.9.3/8.9.3/SUN-1.9) with ESMTP id PAA02807 for

<mkabay@compuserve.com>; Sat, 23 Dec 2000 15:13:11 -0500

(EST)

This received header was added by your mailserver

spdmgaae.compuserve.com received this from mgw-mp.sric.sri.com

(IP addresses match)

Received: from mailgw1.netvision.net.il ([194.90.1.14])

by mgw-mp.sric.sri.com (Netscape Messaging Server 3.6)

with ESMTP id AAA14C6 for

<mkabay@atomictangerine.com>; Sat, 23 Dec 2000

12:12:38 -0800

mgw-mp.sric.sri.com received this from mailgw1.netvision.net.il

(IP addresses match)

Received: from mailgw.netvision.net.il

(c2189.racs.surfree.net.il [212.3.197.189]) by

mailgw1.netvision.net.il (8.9.3/8.9.3) with ESMTP id

WAA00219 for <mkabay@atomictangerine.com>; Sat, 23 Dec 2000

22:12:33 +0200 (IST)

mailgw1.netvision.net.il received this from someone claiming

to be mailgw.netvision.net.il

but rreally from 212.3.197.189(c2189.racs.surfree.net.il)

All headers below may be forged

Message-Id: <200012232012.WAA00219@mailgw1.netvision.net.il>

From: Lisa@mailgw1.netvision.net.il

To: mkabay@atomictangerine.com

Subject: new game try it

Date: 23 Dec 2000 22:14:52 +0200

Mime-Version: 1.0

Content-Type: text/html

***

Visiting the proposed URL (http://www.findcommerce.com/tracking/sarefer.dll?HostBannerID=263589) simply forwarded me to a "not found" page at:

http://www.safe-audit.com/unavailable.html?INVHBID

Visiting the hidden URL (http://www.whispa.com/tracking/exposure.dll?263589) resulted in no response at all; trying to backtrack through the directory tree resulted in closed connections.

Checking the registration of "whispa.com" (easily done using SamSpade) showed the registrant to be a London company Global Market Ltd., with this contact information:

Administrative Contact, Billing Contact:

Leo, Scheiner (SL2005) leo@NETCOMUK.CO.UK

Global Market Ltd.

29 Fairholme Gardens

London

N3 3ED

UK

44 181 346 0770 (FAX) 44 181 346 8316

Technical Contact:

Digiweb, Inc. (HDI2-ORG) hostmaster@DIGIWEB.COM

Digiweb, Inc.

4716 Pontiac Street

College Park, MD 20740

US

301-982-1688 Fax - 301-982-9782

The registration for "findcommerce.com" is the same.

The Tech Contact phone number had been disconnected. The U.K. number city code 181 had been changed to 208, and I was able to get through to the changed number.

I spoke with Leo Scheiner, the administrative contact, who turned out to be a good guy. He very kindly explained the situation. The company normally counts hits on banner ads; it has nearly 100,000 subscribers. These subscribers are paid according to how many people click on those banner ads from their sites.

In this case, the perpetrator was a sleazy operator. It seems that this crook was trying to generate revenue by fraudulently generating clicks on his assigned URL. He did so by using unsolicited commercial e-mail to trick gullible people into creating fruitless clicks on his assigned URL.

MORAL: Don't click on URLs that you receive in junk e-mail.

This story, "On the case with Sam Spade " was originally published by Network World.

RELATED TOPICS
What’s wrong? The new clean desk test
View Comments
You Might Like
Join the discussion
Be the first to comment on this article. Our Commenting Policies