Links last verified 08/03/2007
Page last updated 08/04/2007
Items on this page were researched by Bill Sanders (aka LYAO Editor or "-LE")
Please be sure to read my Malware Home Page
NOTE: All external links on this page open a new window.
Notes for All Four Examples
I want you to know that the first email I received, I clicked the link, even though it was the generic "Hi. Neighbor has sent you a greeting card", rather than a name I recognize, figuring my virus scanner would catch any bad things it tried to send my way. The page it went to was a white blank with a line at the top that said that my download would begin in 15 seconds or to "click here". This bothered me... No recognizable name and a DOWNLOAD instead of an online card? So I clicked the "X" to close the window. NOTHING! I clicked ALT-4, which closes the last window opened (note: If the window is Explorer, it may close all instances). NOTHING. I did CONTROL-ALT-DELETE to open the Windows Task Manager. I found the application and clicked "End Task"... It didn't stop, and seemed to replicate itself (meaning another opened as the prior was closing). OH BOY! What did I do now? I finally clicked START, Turn Off Computer, and RESTART. Slowly (and I will admit my system is slow, but this was like molasses in Winter!) my system began to shut down. During the shut-down, my virus scanner kicked up a blank window. This window normally shows the virus being protected against. There was nothing there. After the reboot, I ran the full virus scan, and found... NOTHING. (I, personally, think I was lucky.) I ran Spyware-Search & Destroy to clean off all the programs it found (and, yes... I DO get programs SSD looks for. Most are "tracking cookies" and some are "MRU Lists" (like the last set of pages you opened in your browser, etc.), and some I know about: SSD warns me when my home page is not "normal" as far as it's concerned, and some of those "tracking cookies" it finds are those that keep my username for that site online). SSD didn't find anything I could attribute to the email. So, I set the email aside to research for this page later.
I got the second email, later the same day, and recognized the wording immediately. While it was a "greeting card" from "school mate", the rest of the text was close enough that I didn't want to click the link. So, I did a little research. On this one, the IP address listed as the base site was from Turkey (see below). Hmm... Carefully, I put the IP address only in my browser window, and pressed Enter. The same 15-seconds-to-download screen appeared. I did the same things I did on the first one (above), and the same things happened. This time, though, I think I tried to close the window a little longer, and suddenly the URL changed to a Yahoo email setup. I didn't wait around to see what happened, but shut down Windows again. Afterward, SSD showed nothing new (just my home page "problem"), and nothing was found in the virus scan, again.
When I got the third one, I didn't even try the site or the link, and decided I needed to get this page out ASAP. AND, I got the fourth one today (08/04/2007). Now, I may just be a little paranoid, and nothing bad may happen. But:
- when there's no recognizable name who sent me the email;
- when there's only a bare IP address, rather than a DNS host name (i.e. www.orangefrogproductions.com);
- when it goes to a page that will do a download rather than display a card;
- when it appears to either eat up all my processing, or even simply stops me from closing the window;
- when my virus scanner's auto-protect kicks in, even though its window is blank;
I think I have the right to be.
Ok... Again, these MAY be legit, though I doubt it.
And I have been proven right. http://www.greetingcard.org/ has a warning about these email scam/phishing expeditions, and what to look for from legitimate card sites.
So, for senders of real online cards:
- ALWAYS use your name when sending online cards - otherwise they may never be read!
- If you are the Neighbor or School Chum who sent me something, and it IS legit, please send me an email to let me know who you are.
- Be careful about who you send cards THROUGH.
For receivers of emails like this:
- There are many legitimate online card companies, some requiring money, and others free. Most will ask you to click a link in the email, which takes you to their site. The link will probably look like gobbledygook to you, but there should be a real host NAME at the beginning, rather than a bare IP address (just numbers). If so, make sure the name in the link and any other site names in the email match. (Most will only advertise themselves.)
- Make sure you recognize the name of the person the card is from. The email will most likely be sent by the card company, but the sender's name is usually requested and included in the email. Don't respond to, or click the link in, emails where you do NOT recognize the name.
- If you are in the habit of receiving online cards when there's no celebration (birthday, anniversary, holiday), watch for the signs that it's NOT legit, and don't open those.
For the purveyors of real online cards:
- Make sure the site from which you send cards, and to which you send the readers of sent cards, has a real DNS host name. Do NOT just use a bare IP address.
- Get the senders' names and make sure THAT is what goes in the emails to receivers.
- Do NOT call displaying a card a "download". A download implies moving a program or file from your servers to the reader's machine. Let them read the card first and, if it's downloadable, give them the option to download it.
- There should be NO pause on a redirect page before the viewer can read the card. If you change the names of cards or links, use .htaccess on your server to redirect the old addresses to the new ones.
Now, on to the Examples:
Things I Did, Below
I, personally, receive email in HTML format. The following is shown the way I received it.
- I removed my email addresses. These came to various accounts and some no longer exist. There are places on this site you can get hold of me if you wish or need to. They are protected from spambots using JavaScript, but all you have to do is click on them.
- All scammer and related email addresses, and any actual website links, have been altered, at least by putting spaces into them. They appear as underlined blue links, though they aren't.
- Any notes I added in the actual letter are in square brackets ("[" "]"), are bold, red in color, and highlighted. If what I found "behind the links" (email or website) are different than what was displayed, I will include them in this type of note.
- All spelling, spacing, line-wrapping, and punctuation errors are the ones that appeared in the original received email. (I may or may not analyze some or all of these.)
Examples
Malware Email Example 009
Received 08/02/2007
To: <my home email address - removed>
Sent: Thursday, August 02, 2007 3:41 AM
Subject: You've received a greeting ecard from a Neighbor!
Hi. Neighbor has sent you a greeting ecard.
See your card as often as you wish during the next 15
days.
SEEING YOUR CARD
If your email software creates links to Web pages, click on your card's direct www address below while you are connected to the Internet:
http:// 86.122. 128.44/ ?a3db573383e1a7a85955ab65e85
Or copy and paste it into your browser's "Location" box (where Internet addresses go).
We hope you enjoy your awesome card.
Wishing you the best,
Postmaster,
funnypostcard.com
[I left names and links (except mine) in here for the search engines to find. DO NOT TRY TO CONTACT THEM! They sent a virus! -LE]
Example Email 009 Headers
08/02/2007
Return-path: <txn @ kerzner.com>
Received: from mta0.manage.insightcom.com ([172.31.249.150])
 by msb2.manage.insightcom.com (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
 with ESMTP id <0JM400BMVYPPZR30 @ msb2.manage.insightcom.com> for <my home email address - removed>;
 Thu, 02 Aug 2007 03:41:49 -0400 (EDT)
Received: from mxsf09.insightbb.com ([172.31.249.123])
 by mta0.manage.insightcom.com (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
 with ESMTP id <0JM400LYVYPNI3I0 @ mta0.manage.insightcom.com> for <my home email address - removed>
 (ORCPT <my home email address - removed>); Thu, 02 Aug 2007 03:41:49 -0400 (EDT)
Received: from unknown (HELO mxip09.insightbb.com) ([172.31.249.123])
 by mxsf09.insightbb.com with ESMTP; Thu, 02 Aug 2007 03:41:49 -0400
Received: from rrcs-67-52-168-34.west.biz.rr.com ([67.52.168.34])
 by mxip09.insightbb.com with SMTP; Thu, 02 Aug 2007 03:41:48 -0400
Received: from vhr.ryd ([152.179.83.125]) by rrcs-67-52-168-34.west.biz.rr.com
 with Microsoft SMTPSVC(6.0.3790.1830); Thu, 02 Aug 2007 00:41:47 -0700
Date: Thu, 02 Aug 2007 00:41:47 -0700
From: "funnypostcard.com" <txn @ kerzner.com>
Subject: You've received a greeting ecard from a Neighbor!
To: <my home email address - removed>
Message-id: <000601c7d4d8$94ef6590$7d53b398 @ vhr.ryd>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
Content-type: text/plain; format=flowed; charset=Windows-1252; reply-type=original
Content-transfer-encoding: 7bit
X-Priority: 3
X-MSMail-priority: Normal
X-IronPort-AV: E=Sophos;i="4.19,211,1183348800"; d="scan'208";a="866175"
Original-recipient: rfc822;<my home email address - removed>
Notes for the above
Most of my notes are above, in the opening statement of this page. I did try to find out where this email was from:
- Kerzner.com appears to be a resort company based out of New York. I doubt this is where this email came from. I know no one at Kerzner, nor do I believe I know anyone out of New York.
- 152.179.83.125 (the innermost Received: hop in the headers, not the link in the email) could not be located by GeoBytes' IP Address Locater
- 67.52.168.34 is in Palm Desert, California
- The rest are tied to Insightbb, my home provider.
So, we have an email that came from somewhere unknown (the innermost hop, vhr.ryd, could not be located), using the email address of a company based out of New York, through a California email server, thence to my provider. If I had looked here first, I might have been even MORE suspicious.
BTW: It appears that www.funnypostcard.com is a legitimate card company.
NOTE: If someone sent you directly to this example, please be sure to read about my experience with this (and the like) email.
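The checks the receiver advice above describes, and the header walk done by hand in these notes, as an added example (my code, not the page's or any card company's): it parses a raw message with Python's standard email module, lists the Received: hops oldest-first so the origin machine comes out first, flags hops that identify themselves (HELO) as something other than their name, flags private 172.31.x.x addresses as the receiving provider's internal relays, compares the branded From: display name with the domain of the real address, and pulls out links whose host is a bare IP. The SAMPLE message is constructed from Example 009: the IP addresses are the ones printed on this page, the host and mail domains are .example/.invalid stand-ins, so it runs offline. It does not geolocate anything; that is the step the page did with GeoBytes.

```python
"""Triage an e-card lure: walk the Received: chain, check the branded
From: name against the real address, find bare-IP links.
Added example, not the page author's code.  SAMPLE is a CONSTRUCTED
message modelled on Example 009: IPs are the ones printed on the page,
host and mail domains are stand-ins, so nothing here resolves."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE = """\
Return-Path: <txn@sender-domain.invalid>
Received: from mxsf09.insightbb.example ([172.31.249.123])
 by mta0.manage.insightcom.example with ESMTP; Thu, 02 Aug 2007 03:41:49 -0400
Received: from unknown (HELO mxip09.insightbb.example) ([172.31.249.123])
 by mxsf09.insightbb.example with ESMTP; Thu, 02 Aug 2007 03:41:49 -0400
Received: from rrcs-67-52-168-34.west.biz.rr.example ([67.52.168.34])
 by mxip09.insightbb.example with SMTP; Thu, 02 Aug 2007 03:41:48 -0400
Received: from vhr.ryd ([152.179.83.125]) by rrcs-67-52-168-34.west.biz.rr.example
 with Microsoft SMTPSVC(6.0.3790.1830); Thu, 02 Aug 2007 00:41:47 -0700
From: "funnypostcard.com" <txn@sender-domain.invalid>
To: <recipient@home.invalid>
Subject: You've received a greeting ecard from a Neighbor!
Content-Type: text/plain; charset=Windows-1252

Hi. Neighbor has sent you a greeting ecard.
http://86.122.128.44/?a3db573383e1a7a85955ab65e85
"""

# "from <name> [(HELO <helo>)] ([<ip>])", the form the MTAs on this page write.
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"
    r"\s*\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://([^/\s?#]+)", re.IGNORECASE)


def received_chain(msg):
    """Hops oldest-first as (claimed name, HELO name or None, IP).
    Received: headers are prepended, so the last one is the origin."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(raw.split()))   # unfold the header
        if m:
            hops.append((m["name"], m["helo"], m["ip"]))
    return hops


def text_body(msg):
    """Decoded text of all text/* parts (the lures were plain text)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "ascii", "replace"))
    return "\n".join(out)


def bare_ip_links(text):
    """URL hosts that are literal IPv4 addresses instead of names."""
    hits = []
    for host in URL_RE.findall(text):
        try:
            ipaddress.IPv4Address(host.split(":")[0])
        except ipaddress.AddressValueError:
            continue
        hits.append(host)
    return hits


def sender_mismatch(msg):
    """The lures brand the display name as a card company while the real
    address sits at an unrelated domain.  Returns (shown, real) or None."""
    display, addr = parseaddr(msg.get("From", ""))
    real = addr.rsplit("@", 1)[-1].lower()
    shown = display.strip().lower()
    looks_like_domain = "." in shown and " " not in shown
    if looks_like_domain and shown != real and not real.endswith("." + shown):
        return shown, real
    return None


def triage(raw):
    """Return (chain, findings) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    chain = received_chain(msg)
    findings = []
    for name, helo, ip in chain:
        if helo and helo.lower() != name.lower():
            findings.append(f"HELO mismatch: {name} identified itself as {helo} ({ip})")
        if ipaddress.IPv4Address(ip).is_private:
            findings.append(f"private address {ip} at hop {name}: internal to the "
                            "receiving provider, tells you nothing about the sender")
    if chain:
        findings.append(f"origin hop: {chain[0][0]} ({chain[0][2]})")
    mismatch = sender_mismatch(msg)
    if mismatch:
        findings.append(f"From shows {mismatch[0]!r} but address is at {mismatch[1]!r}")
    for host in bare_ip_links(text_body(msg)):
        findings.append(f"bare-IP link: {host}")
    return chain, findings


if __name__ == "__main__":
    chain, findings = triage(SAMPLE)
    for hop in chain:
        print("hop:", hop)
    for finding in findings:
        print("!", finding)
```

Run it and the origin hop comes out as vhr.ryd at 152.179.83.125, the machine that actually handed the mail to the Road Runner address; every hop above that is the receiving provider talking to itself on private addresses. The same regex handles the "from X (HELO Y) ([ip])" form that appears in Examples 010 and 012, where the name a host claims and the name it announces in HELO disagree.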
Malware Email Example 010
Received 08/02/2007
From: greeting-cards.com
To: <my home email address - removed>
Sent: Thursday, August 02, 2007 5:17 PM
Subject: You've received a postcard from a School mate!
Hi. School mate has sent you a postcard.
See your card as often as you wish during the next 15 days.
SEEING YOUR CARD
If your email software creates links to Web pages, click on your card's direct www address below while you are connected to the Internet:
http:// 89.212.163.86/ ?ae57a4a6c198eb161d496d2989907cd64e28cae
Or copy and paste it into your browser's "Location" box (where Internet addresses go).
We hope you enjoy your awesome card.
Wishing you the best,
Postmaster,
greeting-cards.com
[I left names and links (except mine) in here for the search engines to find. DO NOT TRY TO CONTACT THEM! They sent a virus! -LE]
Example Email 010 Headers
08/02/2007
Return-path: <rcae @ interlog.com>
Received: from mta2.manage.insightcom.com ([172.31.249.154])
 by msb2.manage.insightcom.com (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
 with ESMTP id <0JM6008NN0KOHWH0 @ msb2.manage.insightcom.com> for <my home email address - removed>;
 Thu, 02 Aug 2007 17:19:36 -0400 (EDT)
Received: from mxsf07.insightbb.com ([172.31.249.123])
 by mta2.manage.insightcom.com (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
 with ESMTP id <0JM6000F60KO7N51 @ mta2.manage.insightcom.com> for <my home email address - removed>
 (ORCPT <my home email address - removed>); Thu, 02 Aug 2007 17:19:36 -0400 (EDT)
Received: from 216.117.230.55.allwest.net (HELO mxip09.insightbb.com) ([216.117.230.55])
 by mxsf07.insightbb.com with ESMTP; Thu, 02 Aug 2007 17:19:35 -0400
Received: from cpe-76-184-144-222.tx.res.rr.com ([76.184.144.222])
 by mxip09.insightbb.com with SMTP; Thu, 02 Aug 2007 17:19:35 -0400
Received: from gsk.fhw ([27.97.136.53]) by cpe-76-184-144-222.tx.res.rr.com
 with Microsoft SMTPSVC(6.0.3790.0); Thu, 02 Aug 2007 16:17:32 -0500
Date: Thu, 02 Aug 2007 16:17:32 -0500
From: "greeting-cards.com" <rcae @ interlog.com>
Subject: You've received a postcard from a School mate!
To: <my home email address - removed>
Message-id: <001801c7d54a$89ed6080$3588611b @ gsk.fhw>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2499
X-Mailer: Microsoft Outlook Express 5.50.4133.2499
Content-type: text/plain; format=flowed; charset=Windows-1252; reply-type=original
Content-transfer-encoding: 7bit
X-Priority: 3
X-MSMail-priority: Normal
X-IronPort-AV: E=Sophos;i="4.19,215,1183348800"; d="scan'208";a="748189"
Original-recipient: rfc822;<my home email address - removed>
Notes for the above
Most of my notes are above, in the opening statement of this page. I did try to find out where this email was from:
- interlog.com forwards immediately to http://www.ca.inter.net/, and appears to be a Canadian internet services company. I doubt this is where this email came from. I know no one at interlog, and only know a couple of people from Canada, and they were not school mates!
- 89.212.163.86 (the link in the email) is from Ljubljana, Slovenia. Duh... What?
- 27.97.136.53 could not be located by GeoBytes' IP Address Locater
- 76.184.144.222 is from Dallas, Texas
- 216.117.230.55 is from Evanston, Wyoming
- The rest are tied to Insightbb, my home provider.
So, we have an email whose card link points to Slovenia, sent using an address from a Canadian internet service provider through an (apparently) faked email header, through Texas and Wyoming email servers, thence to my provider. If I had looked here first, I might have been even MORE suspicious.
BTW: It appears that http://www.greeting-cards.com/ is a legitimate card company.
NOTE: If someone sent you directly to this example, please be sure to read about my experience with this (and the like) email.
Malware Email Example 011
Received 08/02/2007
From: greetingCard.Org
To: <one of my email addresses - removed>
Sent: Thursday, August 02, 2007 6:38 PM
Subject: You've received a postcard from a School mate!
Hi. School mate has sent you a postcard.
See your card as often as you wish during the next 15
days.
SEEING YOUR CARD
If your email software creates links to Web pages, click on your card's direct www address below while you are connected to the Internet:
http:// 71.238.193.38/ ?5e8517a32e6b9ea6878b
Or copy and paste it into your browser's "Location" box (where Internet addresses go).
We hope you enjoy your awesome card.
Wishing you the best,
Postmaster,
greetingCard.Org
[I left names and links (except mine) in here for the search engines to find. DO NOT TRY TO CONTACT THEM! They sent a virus! -LE]
Example Email 011 Headers
08/02/2007
X-Message-Status: s1:0
X-SID-PRA: greetingCard.Org <ubx @ bhimnathwala.com>
X-Message-Info: txF49lGdW43UjwAIPcUFJ6dzG0FxoqiHxPKKvCsf2GPvE048V7Fc9BzckEUzeKUs
Received: from mail.lothianoil.us ([208.180.242.9]) by bay0-mc8-f4.bay0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.2668); Thu, 2 Aug 2007 15:46:08 -0700
Received: from wp.pc ([137.163.75.124]) by mail.lothianoil.us
 with Microsoft SMTPSVC(6.0.3790.0); Thu, 2 Aug 2007 17:38:39 -0500
Message-ID: <000f01c7d555$df255250$7c4ba389 @ wp.pc>
From: "greetingCard.Org" <ubx @ bhimnathwala.com>
To: <one of my email addresses - removed>
Subject: You've received a postcard from a School mate!
Date: Thu, 2 Aug 2007 17:38:39 -0500
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="Windows-1252"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4131.1600
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4131.1600
Return-Path: ubx @ bhimnathwala.com
X-OriginalArrivalTime: 02 Aug 2007 22:46:08.0637 (UTC) FILETIME=[EACA2AD0:01C7D556]
Notes for the above
Most of my notes are above, in the opening statement of this page. I did try to find out where this email was from:
- bhimnathwala.com doesn't even appear to be registered at this time, so there's no indication of whence it came.
- 71.238.193.38 (the link in the email) is from Keego Harbor, Michigan
- 137.163.75.124 could not be located by GeoBytes' IP Address Locater
- 208.180.242.9 is from Bella Vista, Arkansas
- lothianoil.us appears to be a New York energy company
- The final hop is Hotmail's server (bay0-mc8-f4.bay0.hotmail.com), not Insightbb: this one came to a different address than the others.
So, we have an email that came from a fictional email address through an (apparently) faked email header, through an Arkansas email server, thence to Hotmail. If I had looked here first, I might have been even MORE suspicious.
BTW: It appears that http://www.greetingcard.org/ is a legitimate card company. In fact, they have a warning about these emails on their site.
NOTE: If someone sent you directly to this example, please be sure to read about my experience with this (and the like) email.
Malware Email Example 012
Received 08/04/2007
From: americangreetings.com
To: <my home email address - removed>
Sent: Saturday, August 04, 2007 3:26 PM
Subject: You've received an ecard from a School mate!
Hi. School mate has sent you an ecard.
See your card as often as you wish during the next 15
days.
SEEING YOUR CARD
If your email software creates links to Web pages, click on your card's direct www address below while you are connected to the Internet:
http:// 75.61.82.5/ ?14655dc21c83715e8517a32e6b9ea
Or copy and paste it into your browser's "Location" box (where Internet addresses go).
We hope you enjoy your awesome card.
Wishing you the best,
Webmaster,
americangreetings.comx
[I left names and links (except mine) in here for the search engines to find. DO NOT TRY TO CONTACT THEM! They sent a virus! -LE]
Example Email 012 Headers
08/04/2007
Return-path: <zzp @ jaka.cz>
Received: from mta0.manage.insightcom.com ([172.31.249.150])
 by msb2.manage.insightcom.com (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
 with ESMTP id <0JM900FBEKO1XX30 @ msb2.manage.insightcom.com> for <my home email address - removed>;
 Sat, 04 Aug 2007 15:26:25 -0400 (EDT)
Received: from mxsf09.insightbb.com ([172.31.249.123])
 by mta0.manage.insightcom.com (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
 with ESMTP id <0JM9008D5KNWBK90 @ mta0.manage.insightcom.com> for <my home email address - removed>
 (ORCPT <my home email address - removed>); Sat, 04 Aug 2007 15:26:25 -0400 (EDT)
Received: from houseboatingworld.com (HELO mxip06.insightbb.com) ([75.126.254.163])
 by mxsf09.insightbb.com with ESMTP; Sat, 04 Aug 2007 15:26:25 -0400
Received: from 205-179-82-202.client.dsl.net ([205.179.82.202])
 by mxip06.insightbb.com with SMTP; Sat, 04 Aug 2007 15:26:24 -0400
Received: from ihcd.hdb ([137.156.67.207]) by 205-179-82-202.client.dsl.net
 with Microsoft SMTPSVC(5.0.2195.5329); Sat, 04 Aug 2007 15:26:52 -0400
Date: Sat, 04 Aug 2007 15:26:52 -0400
From: "americangreetings.com" <zzp @ jaka.cz>
Subject: You've received an ecard from a School mate!
To: <my home email address - removed>
Message-id: <002d01c7d6cd$6943a8b0$cf439c89 @ ihcd.hdb>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
Content-type: text/plain; format=flowed; charset=Windows-1252; reply-type=original
Content-transfer-encoding: 7bit
X-Priority: 3
X-MSMail-priority: Normal
X-IronPort-AV: E=Sophos;i="4.19,220,1183348800"; d="scan'208";a="3660745"
Original-recipient: rfc822;<my home email address - removed>
Notes for the above
Most of my notes are above, in the opening statement of this page. I did try to find out where this email was from:
- jaka.cz appears to be a kids' camp in the Czech Republic. I doubt this is where this email came from. I only know one person who MIGHT be in the Czech Republic; he/she was related, not a school mate! And, he/she would not be using an email address I wouldn't recognize.
- 75.61.82.5 (the link in the email) is from Chicago, Illinois. (GeoBytes' IP Address Locater)
- 137.156.67.207 could not be located, so was probably faked.
- 205.179.82.202 is from Westfield, New Jersey
- 75.126.254.163 could not be located
- houseboatingworld.com appears to be based out of Herndon, VA, and not responsible for the original email.
- The rest are tied to Insightbb, my home provider.
So, we have an email whose card link points to Chicago, sent using a Czech Republic kids' camp email address through an (apparently) faked host, through New Jersey, then another host that could not be located, then through a hop whose reverse DNS says houseboatingworld.com although it identified itself (HELO) as an Insightbb mail server, thence to my provider. If I had looked here first, I might have been even MORE suspicious.
BTW: AND, I KNOW that www.americangreetings.com is a legitimate card company.
NOTE: If someone sent you directly to this example, please be sure to read about my experience with this (and the like) email.
UPDATE: August 21, 2007 - PLEASE NOTE: Since I created this page, I have received other examples recently at the rate of at least two a day. I believe they've also changed from using the "ecard" to other lures. Please see this followup page to see examples (no headers, but the actual emails as I received them). Also note that I did NOT take any of the links. Because of my experiences prior to these emails and with the above, I will no longer click on ANY link with an unresolved DNS (not a real site name - just the numbers in "999.999.999.999" format). Remember, too, that the visible link can contain whatever they wish. Be sure to check the underlying link. Some email clients will allow you to roll over the link, and the underlying link will show in the status bar. If yours does this, use it.
A "named link" does NOT look like "Orange Frog Productions", but like "http://www.orangefrogproductions.com". If you roll your cursor over THESE example links, both will show "#" in the status bar of your browser (bottom left corner). Normally the "#" is followed by something else (roll over the Table-of-Contents links, below, to see what I mean). No matter what the link LOOKS like (either of the above, for example), the UNDERLYING link is the one that shows on the status bar. If the two don't match, if the underlying link isn't just another spot on the same page (those have a "#" after the page's URL), or if it contains only numbers (the 999.999.999.999 IP format), then you have NO CLUE where the link will take you.
BE VERY CAREFUL ABOUT TRUSTING LINKS THAT HAVE NO NAME!
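The status-bar check above, turned into code as an added example (mine, not the page author's): it pulls every <a> element out of an HTML email body with Python's html.parser, then compares the host the anchor TEXT shows with the host the href actually goes to, giving the three verdicts the paragraph names: a same-page "#" anchor, a bare-IP target, and a shown-versus-actual mismatch. SAMPLE_HTML is constructed; the IP in it is the one from Example 011 on this page, and the host names are either ones printed on this page or .invalid stand-ins.

```python
"""Compare what a link SHOWS with where it GOES.
Added example, not the page author's code.  SAMPLE_HTML is CONSTRUCTED
to resemble the e-card lures; the IP is the one from Example 011, the
hosts are names printed on this page or .invalid stand-ins."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anchor text that is itself a host name, e.g. "www.greetingcard.org".
DOMAIN_RE = re.compile(r"[\w.-]+\.[a-z]{2,}", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(href, text):
    """One-line verdict: where the link really goes versus what it shows."""
    if href.startswith("#"):
        return "same-page anchor"
    target = host_of(href)
    if not target:
        return "relative link"
    if is_ip(target):
        return f"bare IP target {target}"
    if "://" in text:
        shown = host_of(text)          # text is a full URL: compare hosts
    elif DOMAIN_RE.fullmatch(text):
        shown = text.lower()           # text is a bare host name
    else:
        shown = ""                     # plain words: nothing to compare
    if shown and shown != target and not target.endswith("." + shown):
        return f"shows {shown} but goes to {target}"
    return "ok"


def audit(html):
    """[(href, text, verdict)] for every link in an HTML body."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, classify(href, text)) for href, text in parser.links]


SAMPLE_HTML = """
<p><a href="#examples">Examples</a></p>
<p><a href="http://www.orangefrogproductions.com/">http://www.orangefrogproductions.com/</a></p>
<p><a href="http://71.238.193.38/?5e8517a32e6b9ea6878b">http://www.greetingcard.org/view</a></p>
<p><a href="http://cards.example.invalid/view">www.greetingcard.org</a></p>
<p><a href="http://cards.example.invalid/view">Click here to see your card</a></p>
"""

if __name__ == "__main__":
    for href, text, verdict in audit(SAMPLE_HTML):
        print(f"{verdict:55} {text!r} -> {href}")
```

A link whose text shows a company name but whose href is an IP is reported as a bare-IP target, the more serious of the two findings, so the mismatch verdict is only reached for named hosts. Plain words such as "Click here" give the code nothing to compare, which is exactly why the page says to hover and read the underlying address before clicking.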
Check out: Urban Legends Reference Pages (Snopes): 'Postcard from a Family Member' virus
This site, all text and graphics (unless otherwise noted) on it
were designed, developed and published by Bill Sanders of Orange Frog Productions.
Copyright © 2003, 2004, 2005, 2006, 2007 by Bill Sanders / Full site last modified: October 21, 2006
Any reproduction, printing, or selling of this content is
prohibited without express written consent from William D.
Sanders.