Wiz's Computer and Website Security Blog

August 30, 2014

It was only 6 days ago that I wrote a blog article declaring that the failed RNBI penny stock pump and dump scam had ended. As of Friday, August 29, it was replaced with a similar scam pumping the stock symbol: IRMGF.

Short and to the point, this new pump and dump scam is targeting the stock of a Toronto based company called Inspirational Mining Corp. A look at the long term charts reveals that the last time there was any real value for their stock was in 2011, when it reached a short term high of 45.5 cents per share. Since then it has been on a long slide down to the 3 cent range on year ago. It only recovered slightly, to the 6 cent range on August 25, 2014, the day on which the current pump and dump scam began!

Following the initial email spam blast, the price rose up to a high of 11.3 cents. The email spam subjects made claims about big news. The body text spoke about billions of dollars worth of metals being discovered by the company. However, if one takes a minute to read the company news, there is absolutely nothing about any major, or minor developments or discoveries. Rather, they posted this disclosure:

INSPIRATION MINING C (OTCMKTS:IRMGF) declared that the Corporation is not aware of any specific factors, other than information previously disclosed in its public filings, news releases or statements, which would result in the levels of trading activity and change in the share price recorded.

The emails you are receiving, with senders spoofing trading houses, subjects like: "Critical news information read now" - followed up with body text claiming (complete with all manner of typos): "Since the company discovered 4billion worth of proven metal reserves it has become the target of Walstreet invesstors looking to cash in on the rush." There is nothing to back up this claim. It is total bullshit!

My junk folder has been receiving about 10 of these a day and so will yours. Disregard any that make it through your junk filters. Delete on sight. Do not be fooled into buying this stock during a pump and dump scam campaign. You will be among the losers.

Stay safe, both online and offline. Have a happy Labor Day weekend.

Posted by Wiz at 11:37 AM | Permalink

back to top ^

August 24, 2014

It has been two months since the last appearance of a fraud campaign pumping and dumping shares of the worthless company: Rainbow International (RNBI). On August 23, it returned from the dead in a new spam campaign (as also noted here).

While some spam traps may have received RNBI spam a week earlier that me, the scam is ongoing right now. Beginning Friday afternoon and continuing through this post, spam is once again spewing out from compromised, infected computers that are part of a spam botnet. I hope that this article may save some innocent potential victims from falling into this renewed stock fraud scheme.

Since I last wrote about the RNBI pump and dump scam, on June 23, 2014, the only thing that changed was that the value per share plummeted to almost zero. This happened because there was no news or development from the company and because the people who ran the last pump had dumped their shares for whatever they could sell them for. As always happens, the last ones in suffered the greatest losses. This is typical of all Ponzi schemes.

It is not my job to point my finger at any particular person or persons who are responsible for these ongoing scams. I am but a watchman warning you of "Danger, Will Robinson!" When, not if, you begin receiving fake news alerts promoting RNBI, don't get fooled into buying up shares and thinking you are going to join the winners. Instead, do your due diligence and read the actual facts about this shell company and the people manipulating it and the value of its stock. Just do a Google search for: "RNBI pump and dump scam"

Note, that the nature of the pump and dump spam emails changes almost every day. The "From" header is always spoofed and includes words that are chosen to fool gullible recipients into thinking they were sent by a legitimate company. The return path is an invalid recipient. The links to unsubscribe, or read the terms they claim you agreed to, are dead links to non-existent websites. The disclaimers bear no merit, because everything in these pump and dump email messages is bogus. The messages are composed from a spam template, with different sentences dropped into specific places.

As before, I anticipate that the pump will become desperate as time passes and the spammers, who have purchased millions of shares for almost nothing, don't see the ROI they expected. False claims about the company's alleged ventures and plans are the primary tactic they use to pump up the stock. Spammers invent news out of their imaginations, then blast out a new round of junk email. Eventually, as before, they may stop using actual text and begin embedding the spam message inside inline images. If you have images turned off by default in your email client, all you'll see is a plea to enable images (inside an HTML "alt" attribute) so they can get you to see the scam.

Unsurprisingly, the anti-spam filters targeting the RNBI pump and dump that I composed in June, for MailWasher Pro, are still detecting and deleting the new round of RNBI scams. If something changes, I will update my Pump and Dump filters and upload them to my server. If you are a registered user of MailWasher Pro and haven't been using my filters, why not give them a try? They are free for the taking. You can learn about MailWasher Pro here.

Posted by Wiz at 1:35 PM | Permalink

back to top ^

August 21, 2014

Right now, in the middle of August, 2014, weight loss scams are the prevalent type of email spam flooding our inboxes. This trend has been going on for several weeks now. If you are tired of manually deleting this crap, check out my custom email spam filters for MailWasher Pro.

What is MailWasher Pro?

MailWasher Pro is a software anti-spam solution that runs on Windows computers and on smartphones. It works with email "clients" that use the POP3 and IMAP email systems. The program acts as a gatekeeper, or doorman, intercepting your incoming email messages before you download them into your actual chosen email reader. It evaluates the content of incoming messages, using multiple methods of detection, to determine if an email is (probably or absolutely) good or spam. If it is evaluated as good, it is listed as such in the MailWasher Inbox, in a green bar. If it is determined to probably or absolutely be spam, it is marked as spam, in a light red colored bar.

MailWasher uses a friends list, a blacklist, consults SpamCop and other major spam reporting organizations, and even maintains its own FirstAlert spam detection system. It contains a Bayesian detection (learning) filter that you can help train to determine what you consider to be good or bad email.

I have been a registered user of MailWasher for a really long time; almost since version 1. One of the other methods it uses to determine if a message is a goodie or a baddie is through user composed spam filters. The program contains all the necessary analysis routines to parse the entire source code of each incoming message and check it for words and phrases, whether in plain text or regular expressions, to mark them as spam, or allow them through if there is no match. You still have the final say.

Custom Spam Filters

I was an early adapter to the MailWasher Pro spam filter system. I have been composing and publishing my custom MailWasher Pro spam filters for a number of years now. There have been two different incarnations of MailWasher. The original version was numbered and ended in version 6.5.4. It worked well on early versions of Windows, from Windows 95 and 98 up to Windows XP. However, the program did tend to bog down if you used a lot of custom spam filters. The old version doesn't run as well on newer versions of Windows as on XP and older.

In 2010, Firetrust, the makers of MailWasher, released a completely redesigned version of MailWasher Pro. It uses a totally different type of database and file system and a much more efficient filter engine which doesn't bog down the program. Better yet, these newer versions are written to run on modern versions of Windows: (XP), Vista, 7, 8 and 8.1.

Right now I am using MailWasher Pro 7.3.2, which is the current release. I have no complaints.

I have continued my spam fighting efforts by updating existing spam filters I wrote a while ago, and by composing new filters to detect and delete emerging spam threats. As I mentioned at the beginning of this article, the most prevalent type of spam I am seeing this month is promoting useless weight loss herbs. The spam is distributed by infected computers that have been forced into what are known in the business as "botnets." These hapless computers are sent spam templates by remote control, along with huge lists of recipients, like you and me. Then they are ordered to transmit spam emails in bulk to us.

If you are a recipient of weight loss email spam messages and are looking for a workable solution to delete them automatically, MailWasher Pro is one of the best methods I know of. The prerequisites are that you must receive your email over the POP3 or IMAP protocols and use a desktop email "client" to send and receive email. Windows Live is my preferred email client. It is freely available from Microsoft. Mozilla Thunderbird is another popular email client.

If you use a desktop email client, you can purchase a license for MailWasher Pro, download and install it, download my custom MailWasher spam filters, then disable automatic checking for email in your email client. Set MailWasher to check for new messages every so many minutes (I use 12 minutes). Review all of the new messages in safe, plain text and if any need to be deleted, click the delete checkbox next to that message. When you've finished marking unwanted, or read messages for deletion, click on the big button labeled: "Wash Mail."

You should be warned that a lot of my custom filters are already set to automatically delete known spam, which includes 100% of the current weight loss scams. You can change the action to manually delete them if you want to. Or, on those that I set to manual, if you trust my filter, set it to auto-delete. This can save you having to be aggravated while looking at 10 or more almost identical email scams sent from different botted computers that are in these spam botnets. My auto-delete filters really save me a lot of time that would otherwise be wasted reading items in the MailWasher or Windows Live inbox, just to see if they need to go.

When MailWasher has deleted all the messages I don't want, or need to keep, I go to my email client (e.g., Windows Live Mail) and click on Send/Receive. It then downloads and saves email messages that are actually important to me.

I know that even the best written spam filter can sometimes get it wrong. So, if you or MailWasher delete a message that shouldn't have been classified as spam, click on the Recycle Bin tab along the top of MailWasher Pro. Find the wrongly deleted message, click on it to highlight it, then click on the "Restore" button. If you have configured the email accounts properly, under Settings > Accounts, that message will be resent to you. The first filter stops further processing of spam filters for restored messages.

I have written an entire web page devoted to my MailWasher Pro spam filters. This page gives an in-depth description of how the program works. You can download it and try it out for free for 30 days, after which you need to either register or uninstall it. The cost to register it varies with the term (including a lifetime license) and there is a 90 day money back guarantee if you can't figure it out or aren't happy with it.

Posted by Wiz at 12:55 AM | Permalink

back to top ^

August 1, 2014

I just discovered an email scam that harvests the email addresses of active accounts, simply by opening an apparently blank message. The message contains no visible content or links, yet steals your email address and adds it to a database used by spammers.

How does the blank email steal your email address?

Each of these messages I have intercepted contains a simple subject, like: Whatup," or "What's up?" The From contains somebody's first name, like Dwight, Joan, etc. You won't recognize the domain it spoofs. The body text is blank to the eye, although there are a few lines of HTML code that don't render anything when displayed in your email client.

There is an image tag embedded inside these messages, but no image is displayed. That is because the alleged image is actually a php file named unsubscribe.php. The email address of each intended recipient is hard coded into the "query string" appended to /unsubscribe.php. If you simply preview these messages in an HTML capable email reader that allows images to be downloaded, your email address is sent to that file and is instantly added to a spam database.

The domains currently being used end in the .us extension and begin with "more." The servers are in a colocation datacenter. Thus far, one of their accounts has been suspended and says so if you investigate the URL

The purpose of this spam run is to accumulate a fresh list of active email accounts to be used in upcoming spam runs. Judging by the size of the list - plainly readable on the server - a lot of people are being tricked into adding their email accounts to the list.

In fact, the first spam messages just arrived to the account that inadvertently opened one of those messages. The subjects are: "Medicare Enrollment Begins Soon. Notice #20477368" and "Announcement: A natural supplement for sufferers of Neuropathy."

It may be a little late for some, but, if you use MailWasher Pro to filter out spam emails, I just wrote a spam filter to delete these harvester messages automatically. Grab the new filter, labeled PHP Image Tag Email Harvester, up high on the list of my MailWasher Pro Spam Filters (direct link). I also added a filter that detects a .us domain extension, anywhere in the source code.

If you aren't familiar with MailWasher Pro, read about it here.

Non-MailWasher email users can stay protected by blocking images from unknown sources. Or, read your email in plain text only, thus avoiding loading the .php fake image.

Additionally, one can create a spam filter that flags any emails containing a domain link or image tag containing the .us domain name extension. In my experience, the only email links I have seen using that extension come from spamvertised websites, and from the email harvesting fake image tag emails.

Posted by Wiz at 11:23 AM | Permalink

back to top ^