In this newsletter, I thought some readers would enjoy seeing the steps in finding out the details of yet another e-mail scam: fraudulent click-throughs.
On Dec. 23, 2000, I received an HTML invitation from a stranger to try a "new game." Unimpressed by the warmth of the invitation and suspicious of any attachment, I looked at the source code and found some peculiar aspects:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
TARGET="_top" onmouseover="window.status='CLICK IT';return true">
<font size="+1">click here</font></A><IMG
SRC="http://www.whispa.com/tracking/exposure.dll?263589" WIDTH=1 HEIGHT=1
BORDER=0><br><br>To join new game for free<br>No charge</p>
The source suggested that the intent of this information was primarily to track responses, not to convey information.
I then turned to the Sam Spade 1.14 network utility (see http://www.samspade.org/ssw/ for details of this useful freeware) and quickly found that the headers were forged.
Between the asterisks below is what the program returned to me (note that the commentary -- e.g., "My comments are just hints" -- is the program's, not mine.):
12/27/00 16:22:21 Input
The Received: headers are the important ones to read
My comments are just hints, and should be considered only
an opinion. I may have guessed wrong, or things may have
changed since I was written
Received: from mgw-mp.sric.sri.com (mgw-mp.sric.sri.com
[188.8.131.52]) by spdmgaae.compuserve.com
(8.9.3/8.9.3/SUN-1.9) with ESMTP id PAA02807 for
<email@example.com>; Sat, 23 Dec 2000 15:13:11 -0500
This received header was added by your mailserver
spdmgaae.compuserve.com received this from mgw-mp.sric.sri.com
(IP addresses match)
Received: from mailgw1.netvision.net.il ([184.108.40.206])
by mgw-mp.sric.sri.com (Netscape Messaging Server 3.6)
with ESMTP id AAA14C6 for
<firstname.lastname@example.org>; Sat, 23 Dec 2000
mgw-mp.sric.sri.com received this from mailgw1.netvision.net.il
(IP addresses match)
Received: from mailgw.netvision.net.il
(c2189.racs.surfree.net.il [220.127.116.11]) by
mailgw1.netvision.net.il (8.9.3/8.9.3) with ESMTP id
WAA00219 for <email@example.com>; Sat, 23 Dec 2000
22:12:33 +0200 (IST)
mailgw1.netvision.net.il received this from someone claiming
to be mailgw.netvision.net.il
but rreally from 18.104.22.168(c2189.racs.surfree.net.il)
All headers below may be forged
Subject: new game try it
Date: 23 Dec 2000 22:14:52 +0200
Visiting the proposed URL (http://www.findcommerce.com/tracking/sarefer.dll?HostBannerID=263589) simply forwarded me to a "not found" page at:
Visiting the hidden URL (http://www.whispa.com/tracking/exposure.dll?263589) resulted in no response at all; trying to backtrack through the directory tree resulted in closed connections.
Checking the registration of "whispa.com" (easily done using SamSpade) showed the registrant to be a London company Global Market Ltd., with this contact information:
Administrative Contact, Billing Contact:
Leo, Scheiner (SL2005) leo@NETCOMUK.CO.UK
Global Market Ltd.
29 Fairholme Gardens
44 181 346 0770 (FAX) 44 181 346 8316
Digiweb, Inc. (HDI2-ORG) hostmaster@DIGIWEB.COM
4716 Pontiac Street
College Park, MD 20740
301-982-1688 Fax - 301-982-9782
The registration for "findcommerce.com" is the same.
The Tech Contact phone number had been disconnected. The U.K. number city code 181 had been changed to 208, and I was able to get through to the changed number.
I spoke with Leo Scheiner, the administrative contact, who turned out to be a good guy. He very kindly explained the situation. The company normally counts hits on banner ads; it has nearly 100,000 subscribers. These subscribers are paid according to how many people click on those banner ads from their sites.
In this case, the perpetrator was a sleazy operator. It seems that this crook was trying to generate revenue by fraudulently generating clicks on his assigned URL. He did so by using unsolicited commercial e-mail to trick gullible people into creating fruitless clicks on his assigned URL.
MORAL: Don't click on URLs that you receive in junk e-mail.
This story, "On the case with Sam Spade " was originally published by Network World.