Spam

I need advice folks.


For almost...7 years I have kept my email address clear of spam. As in, no spam, at all. This email address is almost never given out online. I don't use mailto: with it either.

Now, I keep getting an email advertising Viagra.

Now, I am 27, I didn't sign up, honest!

Panda doesn't find anything (marks some games as suspicous though).

Ad Aware only finds cookies.

The advertisement comes from a different email address each time, and as a re:


Here are some of the headers and the body of the message:

Return-Path: <martyjn2ayfaqang@surfy.net>
Received: from [61.115.155.37] (HELO silver256)
by gci-net.com (CommuniGate Pro SMTP 4.1.5)
with SMTP id 3021595 for silver256@gci-net.com; Mon, 24 Nov 2003 04:01:01 -0700
Message-ID: <atitdhbu.1216895vzqijjmb@Klausfynzewsv>
From: "Klausf" <martyjn2ayfaqang@surfy.net>
Date: Mon, 24 Nov 2003 20:00:48 +0000
To: silver256@gci-net.com
Subject: Re: What Does The Blue Pill Do?
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset=iso-8859-1

Return-Path: <wooduknbjzx@aussiemail.com.au>
Received: from [62.211.137.3] (HELO silver256)
by gci-net.com (CommuniGate Pro SMTP 4.1.5)
with SMTP id 2939658 for silver256@gci-net.com; Sun, 23 Nov 2003 02:30:25 -0700
Message-ID: <yyncb.2637874725uxxtoxmv@Blackzadmgxczih>
From: "Black" <wooduknbjzx@aussiemail.com.au>
Date: Sun, 23 Nov 2003 10:29:01 -0000
To: silver256@gci-net.com
Subject: Re: Good Enough For Her?
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset=iso-8859-1

Return-Path: <wood2ihgznxupb@aussiemail.com.au>
Received: from [200.202.30.130] (HELO silver256)
by gci-net.com (CommuniGate Pro SMTP 4.1.5)
with SMTP id 2779382 for silver256@gci-net.com; Fri, 21 Nov 2003 09:52:29 -0700
Message-ID: <spejjjf.6745545429veoxctig@Gemstonesetcoeuxomxdgq>
From: "Gemstonesetc" <wood2ihgznxupb@aussiemail.com.au>
Date: Fri, 21 Nov 2003 14:53:33 +0300
To: silver256@gci-net.com
Subject: Re: What Does She Need?
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset=iso-8859-1



Body:

COULD THIS LITTLE BLUE PILL CHANGE YOUR LIFE???

For MANY people it already has! Read testimonials of our current clients here

CHANGE YOUR LIFE NOW....CLICK HERE!

Discover a new world of Sexua1 Performance

Don't Miss Out - Yours Can Be Shipped Today!

(Right Now It's a Very Special Price: An Amazing $1.80, Per Dose)








-----------------------------------------------------------------------------------


Now here is where it gets odd. If I highlight the text, there are invisible (white characters).

Here is the same message, witht he invisible characters:




Body of message:

COULD THIS LITTLE BLUE PILL CHANGE YOUR LIFE???
yqtjwcvus xzfhlozijt rjnazhhbx
For MANY people it already has! Read testimonials of our current clients here
mobud jlnnyfiyyzalq
CHANGE YOUR LIFE NOW....CLICK HERE!

Discover a new world of Sexua1 Performance
yysbubkp jpalblew mcxxntdui yyunvurwe
Don't Miss Out - Yours Can Be Shipped Today!

(Right Now It's a Very Special Price: An Amazing $1.80, Per Dose) agcoymrtokwfw


wgoyqyOh a song etdkzgneithe way it goes and moves and doesitmlnchei super is the thing owcwhd the said, insfulofngce zltizducv



Now, if this is just regular spam, how can I block this entire domain?

Additionally, with the white characters, is something stranger happening, like a virus or trojan?

Ad Aware found just cookies.


Im going through an online scan now, but am looking for any help on this.


Thanks.

 

I know what the white text is, they just insert this rubbish so that you can't put a sentence into your spam blocker that would effectively filter out the message, mostly they don't even bother to change the colour of the text to white. You may well notice that they are now doing things to the wording like: V!AGRA. (note the exclamation mark where the I should be) this is also done to confuse spam filters.

 

gci-net.com is my ISP. Looking at the headers you could also figure out my email address


aussimail, well, heh, only thing they have is a sign up or mailto:

Incidently, he isn't just using aussiemail.

 

I don't think any paranoia is in order Adryn. You haven't been singled out for persecution, and these guys have no idea whether you actually NEED the pill or not.

They harvested another address at your ISP from somewhere, and now their software is generating random addresses there, based on what they harvested. And whatever doesn't bounce is solid gold to them, cuz they get to charge by the number of messages that get through to the POP server, not the sales generated by those messages. Bounces: nada; non-bounces: $.

The guys who are using silver123, gold234, and brass567 are getting them too. And so is my wife, who really doesn't need them (well, for herself, anyway!).