September 14, 2014

Use a Regular Expressions filter to block email spam for .EU domains


This is a brief article describing a technique I use to block the current spate of email spam containing links to domains ending in the .EU (Europe) extension. It also demonstrates how to block certain other domains commonly used by Russian and Ukrainian spammers and cybercriminals.

I'd like to point out that spam operations that are based in Russia and The Ukraine have for a long time been setting up websites ending in the domain extension .RU (Russia). I still detect and delete a lot of .RU domain link email spam messages. But the trend seems to be shifting now to spammers registering domains ending in .EU (Europe). Perhaps the rules for registering those domain names are less stringent than those required to obtain a .RU domain (proof of Russian citizenship or residence).

Whatever the reason for the change in domain extensions, the outcome is the same. If you click on a link in an email spam message for weight loss panaceas, the .EU web page you land on will look exactly the same as one ending in a .RU domain name. That's because almost all of the weight loss scams and fake pharmacy sites are built using the same templates. Even the script names are the same on most of these spamvertised websites.

If your email system/provider/client allows you to create Regular Expressions spam filters, use the ones I've created to block virtually all spam containing links to .EU (and Russian) domains.

Wiz's Regular Expressions spam filter for .EU spam domain links.

For web-mail systems (using a web browser), log into your email account and locate its options link. Look at all available options for blocking spam, and see if one exists that allows for Regular Expressions. If so, start a new spam filter, where the message body contains, or matches this Regular Expression (aka: RegExp): http://[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.eu/\?.+

If you use a desktop email "client," like Microsoft Outlook, or Mozilla Thunderbird, which allow for complex spam rules, or if you use the desktop spam filtering program MailWasher Pro, open the program, locate where you create spam or email filtering rules, and add this filter for the message body contains or matches the RegExp: http://[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.eu/\?.+

If you receive your email via a website you have hosted by a major Apache server based web hosting company, like Bluehost, you will likely have some advanced account or user spam filtering options available in your cPanel (control panel). My websites are hosted by Bluehost and here is how I am filtering out 100% of spam with links to .EU domains.


  1. Log into your (shared, VPS, dedicated, etc) hosting account.

  2. Go to your Control Panel (cPanel) and find the Email section

  3. Look for an icon labeled Account Filtering, or similar.

  4. Click on the filtering icon and find a link to create a new email filter.

  5. Create a new filter and give it a name, such as: ".EU Spam Domain Link"

  6. Create a rule for the message "Body"

  7. Select the criteria: "matches" or "contains" or "containing" Regular Expression (or RegExp)

  8. Copy and paste: http://[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.eu/\?.+

  9. Choose if you want to Discard the message, or reroute it to another junk email account you may have created.

  10. SAVE the filter

  11. Go back to the filters page. The filter should begin deleting or redirecting all spam messages containing .EU links matching my filter, within a few minutes.

I know that spammers change the nature of their links from time to time. As that happens, I will update my spam filters. This is especially true for the custom MailWasher Pro spam filters I write and publish.

Here is another spam domain link filter that detects a broader range of domain extensions used by Russian and Ukrainian spammers. It consists of three separate lines of Regular Expressions for the message body. Set the filter to Body, Contains/Matches/Containing Regular Expression. Set the multiple lines to the OR condition, so any match will trigger the filter.


  • http://(www\.)?(.+\.r[uo]/|.+\.r[uo](\r|\n|\s)|.+\.ua)|.+\.[se]u(/|\b)|.+\.by(/|\b)

  • www\.[a-z0-9-]{1,16}\.ru(/.+)?

  • <a href=(3D)?'[a-z0-9\.]{4,}\.ru'>


Set the action to either discard or reroute to your junk email account.

Note that this filter set also detects the .EU spam, just in a different way.
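The following is an added example, not part of the original post: it runs the single .EU filter and the three-line filter set over constructed message bodies so you can see which lines fire before you choose Discard. It assumes Python's re module as the regex engine (your mail system's engine may handle case differently), and the example.* addresses are placeholders.

```python
import re

# The page's filters, copied verbatim.
EU_FILTER = r"http://[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.eu/\?.+"
BROAD_FILTERS = [
    r"http://(www\.)?(.+\.r[uo]/|.+\.r[uo](\r|\n|\s)|.+\.ua)|.+\.[se]u(/|\b)|.+\.by(/|\b)",
    r"www\.[a-z0-9-]{1,16}\.ru(/.+)?",
    r"<a href=(3D)?'[a-z0-9\.]{4,}\.ru'>",
]

def matches_eu(body):
    """True if the single .EU filter fires on the message body."""
    return re.search(EU_FILTER, body) is not None

def matches_broad(body):
    """Indices of the broad filter lines that fire (the lines are ORed)."""
    return [i for i, rx in enumerate(BROAD_FILTERS) if re.search(rx, body)]

# Constructed sample bodies; none of these are real spam or real domains.
SAMPLES = {
    "eu_spam": "Lose weight now http://abc123.example.eu/?id=42 today",
    "eu_https": "Lose weight now https://abc123.example.eu/?id=42 today",
    "eu_no_subdomain": "Visit http://example.eu/?id=42",
    "ru_www": "see www.example.ru/page for details",
    "ru_qp_anchor": "<a href=3D'pills.example.ru'>click</a>",
    "legit_eu_mail": "Please reply to anna@example.eu by Friday.",
    "clean": "Meeting moved to 3pm, agenda at https://example.com/agenda",
}

def report():
    """Map each sample name to (eu_filter_hit, broad_lines_hit)."""
    return {name: (matches_eu(body), matches_broad(body))
            for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, (eu, broad) in report().items():
        print(f"{name:16} eu_filter={eu!s:5} broad_lines={broad}")
```

The legit_eu_mail row shows why rerouting to a junk account is the safer action for the broad set: in its first line the `.+\.[se]u(/|\b)` and `.+\.by(/|\b)` alternatives are not tied to `http://`, so any body text mentioning a .eu, .su or .by name triggers it.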

I hope this helps keep you and yours safe from possibly dangerous drugs and herbs being spamvertised all the time. Never, ever buy anything that arrives via unsolicited spam email for dubious websites! Watch out for bad spelling and grammar. They are usually dead giveaways that something is wrong.


September 7, 2014

Pump & dump scam fails, so Spammers revert to weight loss spam


One week after the second pump and dump stock scam failed to take off in the same month, spammers have reverted to one of their long time standbys: weight loss and fake pharmacy spam.

Here's some background information to bring you all up to speed. During August, 2014, spammers who play the "Penny Stocks" conspired and purchased huge amounts of two little known companies, which I wrote about here and here, at extremely low prices per share. They then rented a "Botnet" that enslaves hundreds of thousands, to millions of infected personal and business computers to blast out huge volumes of spam email messages promoting those stocks. If you are reading this, you are probably a recipient of penny stock email scams.

In essence, these people use fake news and outright lies to pump up excitement in the stocks they have purchased on the cheap. Using flamboyant terminology, stock spammers try to generate a sense of ground-floor urgency in their messages, promising huge returns of investments to the spam recipients. What most folks may not realize is that these messages are part of a "pump and dump" scam, where the only winners are the puppet masters pulling your strings. They set target prices and sell out once those targets are reached. This happens when enough people are fooled into throwing their money away by purchasing as much of the worthless stocks as they can afford.

Once the scammers sell off their shares, at a profit thanks to the "scammees," the value per share drops through the floor, and fast. There is usually a flurry of activity as victims try to sell out to late comers before they lose everything. In a few days, it is over and the stock tanks.

When the pump and dump scams end, spammers turn to other usually profitable scams, like the current blast of weight loss herbs and illicit prescription drugs sold through Russian fake pharmacies.

Weight loss scams, all promoted by spam email or social network posts, are a long time fallback used by spammers who belong to affiliate networks run by the cyber criminal underground. Most of these networks operate out of Russia and The Ukraine, where lax cyber-laws allow such activity to go unchecked, unless they scam their own people. Then the axe falls.

If the wording of a typical weight loss email sounds like others you have received, it is because the spammers sending out the email blasts are using templates supplied by the affiliate program itself, or by their mentors. This is all illegal activity in most enlightened countries. The purpose of the emails is to get overweight people to click on links in the message body. Those links take them to a website that was also created from a spam template. That website will use smiling images of actors dressed like doctors and nurses, unrealistic user reviews and false claims that no prescription is required - to trick viewers into thinking that the berry or herb, or coffee bean extract being promoted there will help them lose weight.

The fake websites often borrow images of Dr. Oz, who promotes various dubious weight loss junk on his TV show. The wording of these spam emails plays on the emotions of people who are seriously overweight and promises results beyond anything they have been able to achieve using normal solutions. As in most online scams, people tricked into purchasing these spamvertised pills and herbs will not get the weight loss they were promised. Some will get sick, others will suffer digestive tract troubles and others will just realize they got scammed.

In the case of fake pharmacy spam, the method is the same as the weight loss scams. Emails often spoof brand names of prescription drug companies, offering them at very low prices, with no prescription required. The usual suspects are Viagra and Cialis. Other drugs are usually thrown into the messages. The people clicking on the links end up at a fake pharmacy web page, run by a spammer who is an affiliate for a major illicit drug operation in Eastern Europe (mainly Russia, Romania and The Ukraine). The website links are usually to domains registered in Russia, using such extensions as: .eu, .ro, .ru and .su. Sometimes, the spam messages conceal the domain extension by using a URL shortening service, which instantly redirects you to the target website.

It is unsafe and illegal for US citizens to purchase and import controlled prescription drugs from offshore or non-US pharmacies. It is a felony if you get caught. Some trucking companies who have been delivering these packages are the subject of Federal Indictments, with Fed Ex currently charged with aiding and abetting a criminal enterprise, for delivering packages of unlicensed, unsafe controlled substances causing death of some recipients in the USA. It will be interesting to see how that plays out!

Most of the scams I wrote about are delivered via email. How many get through depends on who your email service provider and ISP are, what type of spam filtering you have available and what additional solutions you employ to stop spam from actually reaching your inbox.

I hope this helps to stop somebody, somewhere from clicking through to buy something fake and possibly dangerous, or to avoid falling for a penny stock pump and dump scheme.


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.


This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.