INFO: One such website harvests email addresses for later use
PUBLISH DATE: 05/18/05
UPDATED: 06/16/05
COST: More spam in your inbox
AUTHOR: David Kroll
Intro:
This all started with me being spammed by some "Online Adult
Dating Service" email. Of course my SpamAssassin caught it and labeled it
appropriately. I guess I just had some weird inclination to go look
around. No, no, not at the dating service, but at the website. You see, the
website was buried in some folders, and that just seemed odd to me. It only took me a
minute or two to realize there was no index file on the root of the
web server. You know what that means, don't you?
The email:
I use MailWasher to
preview my emails, so I have some extra protection from all that garbage that
fills my inbox constantly. I might add that there was an unsubscribe link in
the email as well. It's not visible in the preview, but I viewed the complete header and
saw it. I have included a slightly edited text version of the email, which you
can view right
here if you would like.
(1) The email preview
The webpage:
Picture 2 shows the website doing referrals to
Sexsearchcom.com. Their affiliate program pays a webmaster $20 USD a pop, so I
can see why webmasters would want to promote it. Big money! Against my better judgment, err, using my better judgment,
I've edited the picture so you won't see anything explicit. Use your imagination
of what nipples look like, or whatever. Also note the link in the address bar:
the page is buried several folders deep, which is a strange way to serve a website.
Unless of course you publish content such as ours. And yes, I still use IE 6...cough...
(2) The webpage as viewed from the link in the email
(3) The root!
Navigating to the homepage via my address bar (onlinemeetandcheat.biz),
you would see what is above. Really, go take a look at picture 3 now if you
haven't already. The whole website is open. Ok, technically it's not really the
"root" per se of the website; actually, it's the public html space of the
website, which is exactly where an index file is supposed to be. In other words,
when you go to any website, the server hands your browser the index file, no matter if that
page is html, php, or the like. Without an index file, a server that has directory
listings turned on (Apache's autoindex, for example) just generates a page showing
you the files and folders of the web space, and anything sitting there, including
files the webmaster never meant to link to, is one click away. A server with
listings turned off would return a "403 Forbidden" instead, which is why the real
fix is a one-line server configuration change and not just dropping in an index file.
So I then started probing around. The first thing was: what
was in that remove.txt file? Much to my surprise (I wasn't really thinking then),
it contained email addresses. LOTS OF THEM! I didn't realize how many
until later on.
The website files:
Since we already know what was in the remove.txt, let's probe
around a bit more, shall we? Next on the agenda were the nomore.htm and the
remove.php. I downloaded the nomore.htm and looked at the source. Basically
what happens is the remove button (which does some simple verification to make
sure the text looks like an email address) sends the text you entered to
remove.php, which appends it to the end of the remove.txt file. That remove.txt
file could then be loaded into a mailer, either to send to your address or to
remove it, the latter being very doubtful. Note what that design gives away: the
"unsubscribe" list is a plain text file of confirmed, working addresses, stored in
the public web space where anyone who finds the directory can download it.
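To make the design flaw concrete, here is an added example (my code, not anything from the page or from the site it describes) that models the unsubscribe flow the text reverse-engineered, form to remove.php to remove.txt in the public web space, next to a hardened version that keeps the suppression list outside the document root and stores only a keyed hash of each address. File names, the directory layout, the HMAC key and all sample addresses are assumptions constructed for this demo.

```python
"""Added example, not code from the page or from the site it describes.

Models the unsubscribe flow the text reverse-engineered (form -> remove.php ->
remove.txt in the public web space) next to a hardened version.  File names,
directory layout, the HMAC key and all sample addresses are assumptions
constructed for this demo."""
import hashlib
import hmac
import os
import re
import tempfile
from typing import Dict, Optional

# Loose syntax check, in the spirit of the "simple verification" the page's
# form did.  It only rejects obvious junk.
_ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalise(addr: str) -> Optional[str]:
    """Trim, lower-case and syntax-check an address; None if it is junk."""
    addr = addr.strip().lower()
    return addr if _ADDR_RE.match(addr) else None


def insecure_unsubscribe(docroot: str, addr: str) -> bool:
    """What the page says remove.php did: append the raw address to a text
    file that lives inside the public web space (world-readable by design)."""
    if normalise(addr) is None:
        return False
    with open(os.path.join(docroot, "remove.txt"), "a", encoding="utf-8") as fh:
        fh.write(addr.strip() + "\n")
    return True


def _tag(key: bytes, addr: str) -> str:
    # Keyed hash: someone who steals the file cannot read addresses out of it,
    # and cannot even test guesses against it without the key.
    return hmac.new(key, addr.encode("utf-8"), hashlib.sha256).hexdigest()


def hardened_unsubscribe(store_dir: str, key: bytes, addr: str) -> bool:
    """Record only an HMAC of the normalised address, outside the doc root."""
    norm = normalise(addr)
    if norm is None:
        return False
    path = os.path.join(store_dir, "suppression.txt")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(_tag(key, norm) + "\n")
    os.chmod(path, 0o600)  # owner-only, on top of living outside the web space
    return True


def is_suppressed(store_dir: str, key: bytes, addr: str) -> bool:
    """Membership check a mailer runs before sending; no plaintext list needed."""
    norm = normalise(addr)
    path = os.path.join(store_dir, "suppression.txt")
    if norm is None or not os.path.exists(path):
        return False
    tag = _tag(key, norm)
    with open(path, encoding="utf-8") as fh:
        return any(hmac.compare_digest(line.strip(), tag) for line in fh)


def demo() -> Dict[str, object]:
    """Run both designs on constructed input and report what someone who can
    read the stored files (as anyone could on the page's open directory) gets."""
    key = os.urandom(32)
    with tempfile.TemporaryDirectory() as root:
        docroot = os.path.join(root, "public_html")
        private = os.path.join(root, "private")
        os.makedirs(docroot)
        os.makedirs(private)
        for submitted in ["doo@aol.com", "On9421@Example.net", "not an address"]:
            insecure_unsubscribe(docroot, submitted)
            hardened_unsubscribe(private, key, submitted)
        with open(os.path.join(docroot, "remove.txt"), encoding="utf-8") as fh:
            leaked = fh.read().splitlines()
        with open(os.path.join(private, "suppression.txt"), encoding="utf-8") as fh:
            hashed = fh.read().splitlines()
        return {
            "leaked_plaintext": leaked,
            "hashed_entries": len(hashed),
            "plaintext_in_hashed_file": any("@" in line for line in hashed),
            "suppressed_case_insensitive": is_suppressed(private, key, "on9421@example.net"),
            "unknown_not_suppressed": is_suppressed(private, key, "nobody@example.org"),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The keyed hash matters: a plain SHA-256 of each address would still let whoever grabbed the file confirm guesses from a harvested list, since the input space is small and the hash is fast. With the key kept out of the web space, the suppression file is useless to a thief, and the mailer still gets the only answer it needs, "is this address on the do-not-send list?"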
(4) Remove
So what do we have then? Well, we have a spammer that sent
emails without permission. We also have a remove option for a mailing you never agreed
to receive, so if you did put your email address in the remove form,
you've just confirmed a live, read address for more spam. Which you can see below.
I'll elaborate after the pictures.
(5) doo@aol.com
(6) Shows in the text file
(7) made up email
(8) Both are there
Pictures 5 and 7 show the confirmation that the script gives.
Pictures 6 and 8 show that they have been added to the remove.txt file. I
downloaded the text file after each submission to make sure it worked. I of
course erased all the email addresses around the two that I entered for the
privacy of other people. You will notice I did use my own domain for the last
one. More on that in a bit.
Lastly for this section, I found a readme.txt in the
"referral" website area. Interesting, huh? Nothing we could use to get back at
this loser. Or is there? I'm not going to go probing around with that ID#. Going
further on my part would be illegal, as in posing as someone else to try and
find out more information. I won't go there.
(9) Ok, this guy is a real moron
So who owns this website?:
Easily figured out by doing a
whois, right? Unfortunately, all the
info is bogus. Hmm, wonder who does the
hosting? No real need to worry and/or complain to the web host; this
website has a limited lifespan. You can though...
Results:
Domain Name: ONLINEMEETANDCHEAT.BIZ
Domain ID: D7910532-BIZ
Sponsoring Registrar: INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM
Sponsoring Registrar IANA ID: 291
Domain Status: ok
Registrant ID: IMG-630230
Registrant Name: harold wellthtoptonony 3rd
Registrant Organization: batemna preservation society L
Registrant Address1: 25323 soth bendhethat rd
Registrant Address2: suite 1100
Registrant City: Dannmatt
Registrant State/Province: not applicable
Registrant Postal Code: 92939-0982
Registrant Country: Argentina
Registrant Country Code: AR
Registrant Phone Number: +54.166798074865
Registrant Facsimile Number: +54.289
Registrant Email: myhommietbone@yahoo.com
Administrative Contact ID: IMG-630230
Administrative Contact Name: harold wellthtoptonony 3rd
Administrative Contact Organization: batemna preservation society L
Administrative Contact Address1: 25323 soth bendhethat rd
Administrative Contact Address2: suite 1100
Administrative Contact City: Dannmatt
Administrative Contact State/Province: not applicable
Administrative Contact Postal Code: 92939-0982
Administrative Contact Country: Argentina
Administrative Contact Country Code: AR
Administrative Contact Phone Number: +54.166798074865
Administrative Contact Facsimile Number: +54.289
Administrative Contact Email: myhommietbone@yahoo.com
Results:
inetnum: 222.32.0.0 - 222.63.255.255
netname: CRTC
descr: CHINA RAILWAY TELECOMMUNICATIONS CENTER
descr: 22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
country: CN
admin-c: LQ112-AP
tech-c: LM273-AP
status: ALLOCATED PORTABLE
changed: edited@edited.net 20030902
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CN-CRTC
mnt-routes: MAINT-CN-CRTC
source: APNIC
route: 222.32.0.0/11
descr: CHINA RAILWAY TELECOMMUNICATIONS
country: CN
origin: AS9394
mnt-by: MAINT-CN-CRTC
changed: edited@edited.net 20040402
source: APNIC
person: LV QIANG
nic-hdl: LQ112-AP
e-mail: crnet_mgr@chinatietong.com
address: 22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
phone: +86-10-51890499
fax-no: +86-10-51890674
country: CN
changed: edited@edited.net 20041208
mnt-by: MAINT-CNNIC-AP
source: APNIC
person: liu min
nic-hdl: LM273-AP
e-mail: edited@edited.net
address: 22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
phone: +86-10-51848796
fax-no: +86-10-51842426
country: CN
changed: edited@edited.net 20041208
mnt-by: MAINT-CNNIC-AP
source: APNIC
Wait, didn't you create an email address on your own domain?:
Why yes, answering my own question. And yes, I edited the
pictures so it is missing one number or letter. I'm the only one that knows
what that email address is, and it is unpublished anywhere. I'll let you know at
the end of this write-up if anything became of it.
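The unpublished test address is a canary: if mail ever reaches it, the only possible source is the list. As an added example (my code, not the author's), here is a generalisation of that idea that derives one unique address per site from a secret key, so that spam arriving at a given address tells you which site leaked it, and the local part is not something anyone can guess or enumerate. DOMAIN, the key, and the site names are constructed for the demo.

```python
"""Added example, not code from the page.  Generalises the single unpublished
test address the author created: derive one unique address per site from a
secret key, so that spam arriving at that address tells you which site leaked
it.  DOMAIN, the key and the site names are constructed for the demo."""
import hashlib
import hmac
from typing import Dict, Iterable, Optional

DOMAIN = "example.net"  # assumed: a domain you control with a catch-all mailbox


def canary_address(key: bytes, site: str, prefix: str = "on") -> str:
    """Derive a local part from the site name under a secret key.

    Same key and site always give the same address, so nothing needs to be
    stored to regenerate it, and the 40-bit tag cannot be guessed the way a
    short hand-picked local part can."""
    digest = hmac.new(key, site.strip().lower().encode("utf-8"), hashlib.sha256)
    return f"{prefix}{digest.hexdigest()[:10]}@{DOMAIN}"


class CanaryRegistry:
    """Tracks which site each canary was handed to and attributes incoming mail."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._issued: Dict[str, str] = {}  # address -> site it was given to

    def issue(self, site: str) -> str:
        """Hand out the canary for a site (and remember who got it)."""
        addr = canary_address(self._key, site)
        self._issued[addr] = site.strip().lower()
        return addr

    def attribute(self, recipient: str) -> Optional[str]:
        """Site that leaked, given the To: address of a received message."""
        return self._issued.get(recipient.strip().lower())

    def attribute_inbox(self, recipients: Iterable[str]) -> Dict[str, int]:
        """Count received messages per leaking site; unknown recipients are ignored."""
        counts: Dict[str, int] = {}
        for rcpt in recipients:
            site = self.attribute(rcpt)
            if site is not None:
                counts[site] = counts.get(site, 0) + 1
        return counts


if __name__ == "__main__":
    reg = CanaryRegistry(b"demo-secret-key")
    canary = reg.issue("onlinemeetandcheat.biz")
    print(canary, "->", reg.attribute(canary))
```

A plus-tag (you+site@yourdomain) is the quick version of the same trick, but some senders strip everything after the plus, so a distinct local part on a catch-all domain is the more reliable one. Whatever you hand out, keep the key private: the whole point is that nobody can compute or guess the address except you.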
(10) Account created
Back to the remove.txt:
Loading up the email address file in M$ Word 2003, I can find
out a bit more info on it. The picture below about sums it up. The final text
file that I grabbed was on May 1st. It was 487kb. Yes, that is 390 pages. The
22,171 words, well, that is 22,171 email addresses. I'd like to note that some
of them are doubled up, probably a duplicate every page or so, and some are
obviously random typing to make it look like an email address. Regardless, a
great deal of them appear to be legitimate. Think about how scary that is.
Especially because anyone could have gotten that list as easily as I did,
for about a month.
(11) Word 2003 word count
How about some domain analysis on who unsubscribed? I picked
6 domains off the top of my head and did a search. They are Excite, Hotmail,
Netzero, Netscape, AOL, and Yahoo. My immediate guess would have been AOL for the most
submitted. Well, that wasn't the case. I mean, who knows where this bozo
got his list from to begin with. Many places actually sell email addresses, and
there are plenty of spiders that scour the web harvesting email addresses too.
Thumbnails: Excite, Hotmail, Netzero, Netscape, AOL, Yahoo
Ok, I'll tell you the winner. It's Yahoo, with 1,538 entries.
AOHELL only had 378. Sorry, I couldn't hold back anymore poking one at AOL.
Heh, sorry again. So, the rest are minuscule, but feel free to click the
thumbnails to get a look if you are curious. And hmm, what does that mean? Well,
it means there is a tremendous number of other domains listed in the text file.
As aforementioned, a great many look legit.
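The counting above was done by hand in Word plus six per-domain searches. As an added example (my code, not the author's), here is the same analysis scripted over a constructed sample of a remove.txt-style dump: it separates syntactically valid entries from the "random typing" junk, finds duplicates, and ranks domains. SAMPLE is made up for the demo and is not data from the page; the regex is an assumption and is stricter than the page's form check.

```python
"""Added example, not code from the page.  The counting the author did by
hand in Word and with per-domain searches, run over a constructed sample of
a remove.txt-style file.  SAMPLE is made up and is not data from the page."""
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE = """\
doo@aol.com
someone@yahoo.com
SOMEONE@yahoo.com
asdfgh@qwerty
jane.doe@hotmail.com
no-at-sign-here
bob@excite.com
someone@yahoo.com
second@yahoo.com
third@yahoo.com
on9421@example.net
"""

# Stricter than the page's form: requires a dotted domain with a letter-only TLD.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def parse(text: str) -> Tuple[List[str], List[str]]:
    """Split a remove.txt dump into (normalised valid addresses, junk lines)."""
    valid: List[str] = []
    junk: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if _ADDR_RE.match(line):
            valid.append(line.lower())  # case-fold so SOMEONE@ and someone@ collapse
        else:
            junk.append(line)
    return valid, junk


def analyse(text: str) -> Dict[str, int]:
    """The totals the page reports in prose: lines, junk, duplicates, unique."""
    valid, junk = parse(text)
    unique = set(valid)
    return {
        "lines": len(valid) + len(junk),
        "valid": len(valid),
        "junk": len(junk),
        "unique": len(unique),
        "duplicates": len(valid) - len(unique),
    }


def by_domain(text: str) -> Dict[str, int]:
    """Unique addresses per domain (duplicates counted once)."""
    valid, _ = parse(text)
    return dict(Counter(addr.rsplit("@", 1)[1] for addr in set(valid)))


def top_domains(text: str, n: int = 3) -> List[Tuple[str, int]]:
    """Most common domains, highest count first; ties broken alphabetically."""
    return sorted(by_domain(text).items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    print(analyse(SAMPLE))
    print(top_domains(SAMPLE))
```

On a real dump, the "unique" figure is the one that matters: it is the number of live, confirmed addresses that were sitting in a public directory, which is the number the author's 22,171-word count approximates once duplicates and junk are removed.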
One more reason not to unsubscribe from some websites:
I found this online pharmacy. Yeah, go figure. While I probed
around, I didn't really find anything other than that the site was obviously a
freaking scam. I did go grab their remove html. Just look at what the remove
button (form) is called. Now that can't be ok, uh, good I mean.
(12) Ok then....
So what happened to that site?:
Spamming eventually catches up to the spammers. Somehow I
seriously doubt you'll see a website back online at onlinemeetandcheat.biz.
Well, until it gets gobbled up by some lame domain squatters that put up cool web
search sites.
Results:
Domain Name: ONLINEMEETANDCHEAT.BIZ
Domain ID: D7910532-BIZ
Sponsoring Registrar: INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM
Sponsoring Registrar IANA ID: 291
Domain Status: clientHold
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Registrant ID: IMG-408577
Registrant Name: ICANN for invalid WHOIS info. This domain was reported to
Registrant Organization: This domain is not active.
Registrant Address1: invalid WHOIS, domain disabled
Registrant Address2: invalid WHOIS, domain disabled
Registrant Address3: invalid WHOIS, domain disabled
Registrant City: invalid WHOIS domain disabled
Registrant State/Province: WY
Registrant Postal Code: 99999
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.9990000000
Registrant Facsimile Number: +1.9980000000
Registrant Email:
customer-must-correct-the-info@or-the-domain-will-be-deleted.com
Administrative Contact ID: IMG-630230
Administrative Contact Name: harold wellthtoptonony 3rd
Administrative Contact Organization: batemna preservation society L
Administrative Contact Address1: 25323 soth bendhethat rd
Administrative Contact Address2: suite 1100
Administrative Contact City: Dannmatt
Administrative Contact State/Province: not applicable
Administrative Contact Postal Code: 92939-0982
Administrative Contact Country: Argentina
Administrative Contact Country Code: AR
Administrative Contact Phone Number: +54.166798074865
Administrative Contact Facsimile Number: +54.289
Administrative Contact Email: myhommietbone@yahoo.com
Administrative Contact ID: IMG-408577
Administrative Contact Name: ICANN for invalid WHOIS info. This domain was
reported to
Administrative Contact Organization: This domain is not active.
Administrative Contact Address1: invalid WHOIS, domain disabled
Administrative Contact Address2: invalid WHOIS, domain disabled
Administrative Contact Address3: invalid WHOIS, domain disabled
Administrative Contact City: invalid WHOIS domain disabled
Administrative Contact State/Province: WY
Administrative Contact Postal Code: 99999
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.9990000000
Administrative Contact Facsimile Number: +1.9980000000
Administrative Contact Email:
customer-must-correct-the-info@or-the-domain-will-be-deleted.com
Created by Registrar: INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM
Last Updated by Registrar: INTERCOSMOS MEDIA GROUP, INC. D.B.A.
DIRECTNIC.COM
Domain Registration Date: Thu Oct 07 21:23:27 GMT 2004
Domain Expiration Date: Thu Oct 06 23:59:59 GMT 2005
Domain Last Updated Date: Tue May 03 19:27:35 GMT 2005
Whois updated May 3rd
Of course somehow I think that this isn't the last we'll see
of this particular spammer. He probably has many other websites, and loads of
unsolicited email going out all the time. Especially with all those fresh email
addresses harvested from unsubscribing.
The email address I created:
Nearly a month later, I still haven't received any spam into
that account that I set up just to see if I would get some spam sent to it. I'm
not saying it won't happen, but I'm fairly confident it will. Unless by chance
the domain got shut down before whoever could get the file off of it. Doubtful
though.
I'll update this article if it needs to be in the future. So if you did learn something
about spam emails, great. If anything, think about the security of some
websites, and who you can trust with your information. A simple email address
can be revealing if there is enough information about you on the web. Identity
theft is at an all-time high at the moment, so try and be safe online.
Closing:
So let that be a lesson, or a heads up, about unsubscribing
from anything you never agreed to receive. Not that there aren't legitimate
websites that you get newsletters or special offers from, say,
Newegg, or the like. Even if someone else
signed you up for something, as perhaps a joke or whatever, make sure the company
is reputable before giving away
any information. Even if they aren't on the
ResellerRatings site, that doesn't
mean they aren't legit. Google stuff about
companies and offers, and you'll find the truth eventually. Or just plain delete
them.
Some emails even have unsubscribe options that appear to be
legitimate, like emails that say you agreed to receive offers and
signed up on such and such a date/time, and even include a bogus IP address to make
it look like you went somewhere and entered your email address. My advice: keep
the delete button handy. That sort of stuff could be considered bulk email. I've
seen a lot of emails that even say they conform to the
CAN-SPAM Act,
but aren't legit.
There are many
ways to control the amount of spam you receive in your inbox. A lot of the ISP-side
stuff works phenomenally. While this isn't the time and place to let you
know of some of your options for spam control, I'll probably do an article about
that in the future.
Closed:
NO! I will not send you the text file. Don't ask. I'm
deleting it now to protect the privacy of others. Which is much more than you
could say for one such so called webmaster. On that sour note, here's an uplift.
I hope you enjoyed this write up. Thanks for coming by! Until next time...
Update 06/16/05:
Due to a lack of time, and a lack of checking the email account
I set up to see whether that address would be used to receive spam, well, I finally checked
it. You may or may not have noticed that I didn't disclose that email
address anywhere. I edited the pictures to not show the first letter of the
email address. The missing letter was "o". Go check again above if you want.
With that being said...
(Spammed!)
Yes indeed. I received two emails in my on9421 account. And
like I said, that wasn't disclosed anywhere, it wasn't used anywhere. No web
spider crawled my site and got the email; it wasn't published. Unless these
spammers are really hitting everything on a domain, which I don't think is the
case, but seriously though...on9421, boy that's sure easy to guess. So for the
other 22,000+ people that were on that list, luckily it has only been two emails
so far. I can go delete my account. It was worthless to me other than this test.
I may keep the on**** email addie going for a while longer. I
don't think any account crawler can really pick it up with the info here, in the
context it was published in. So in this case, proof positive that some sites are
just plain out there to give you more spam...Ugly, isn't it?