Online Pharmaceutical Spam with Policy Restrictions Being Lifted
X-Apparently-To: x via 184.108.40.206; Sun, 06 Jul 2008 17:48:22 +0000
Authentication-Results: mta106.mail.ukl.yahoo.com from=tbtlaw.com; domainkeys=neutral (no sig)
Received: from 220.127.116.11 (HELO 10B4CA30) (18.104.22.168)
by mta106.mail.ukl.yahoo.com with SMTP; Sun, 06 Jul 2008 17:48:20 +0000
Received: from ha5.octigon.com (ha5 [22.214.171.124])
by ha5.octigon.com (Cyrus v2.2.12-Invoca-RPM-2.2.12-8.1.RHEL4_BB) with LMTPA;
Sun, 06 Jul 2008 14:39:30 -0400
X-Sieve: CMU Sieve 2.2
Received: from mx5.octigon.com (internal.octigon.com [126.96.36.199])
by ha5.octigon.com (8.13.1/8.13.1) with ESMTP id lB5Jfb6P577186
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for x; Sun, 06 Jul 2008 16:33:30 -0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: Our policy restricitions
Date: Sun, 06 Jul 2008 13:40:30 -0500
Thread-Topic: Our policy restricitions
From: "ED Supply Store" <PfizerMeds.firstname.lastname@example.org>
X-Virus-Scanned: ClamAV version 0.91.2, clamav-milter version 0.91.2 on localhost
Trusted-Delivery-Validation-State: Not validated
RESTRICITIONS / POLICIES HAVE BEEN LIFTED:
Starting June 30th, 2008 we will be lifting all restrictions on any of our Pfizer & Lilly ICOS pharmaceutical orders.
Our products will remain restriction free until July 11th, 2008.
We NO LONGER require medical consultations or prescriptions on any of our products.
We are not sure how long our products will be offered restriction free but if you order from our site during this period then you will be exempt from any restrictions that may occur in the future.
We still ship our products via express postage (2 - 3 Days).
Our packaging will remain discrete to ensure your privacy.
Why send an e-mail like this after the 30th of June?
They decided on their own to lift the restrictions, so why end the restriction-free period after only 11 days? The answer is simple: the spammer is creating a false sense of urgency, just like any other form of deceptive advertising, to encourage recipients to buy this junk before the restriction-free period "expires". At the end of July they will send another e-mail with yet another restriction-free period of 11 days (or more).
First it is Pfizer & Lilly ICOS pharmaceutical orders only; then it is restriction-free orders for any of their products (they most likely deal in Pfizer and Lilly ICOS only). This should set off warning lights immediately: they speak as if you can order prescription drugs without a prescription. Only a backyard doctor or pharmacist will do business like this. Never buy any drugs from cheap spammers like these; you will be risking your life if you ever do.
Did you notice that the same message is repeated twice, only in a different format? One part is an embedded, base64-encoded JPEG image and the other part is formatted in HTML. The spammer is merely improving his chances of getting the message in front of his recipients: if an e-mail client blocks the image part, the spammer hopes that the HTML part will still be displayed. But the e-mail is constructed in such a way that both parts are displayed to the recipient simultaneously. An e-mail client like Thunderbird will handle the image part as an attachment if you view the message body as plain text. This is most probably what the spammer tried to achieve.
It has to be mentioned that the contents of the two parts of this e-mail are not exactly the same. One part contains a reference to www.TotalPfizerLilly.com and the other contains a reference to www.superbtop.com; however, both are linked to the website www.superbtop.com. We are not entirely sure why the spammers followed this route, but it was most likely done to increase the click-through rate of this spam campaign.
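The gap between the address a message shows and the site its links actually open can be checked mechanically. The following Python code is an added example, not part of the original analysis: it walks the MIME parts of a constructed message and reports links whose visible text names a different host than the href. Assumptions: the names analyze, host and LinkParser are hypothetical, the domains are .example placeholders, the image is a truncated stub, and the displayed name sits in anchor text (in the spam above it sat inside the image, which would need OCR to read).

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample (not the original spam): HTML part plus base64 JPEG stub.
SAMPLE = """\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<a href="http://www.landing-site.example/">www.shown-pharmacy.example</a>
--b1
Content-Type: image/jpeg
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--b1--
"""

class LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False   # links: [href, visible text]
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:                       # text between <a> and </a>
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def host(value):
    # Host of a URL, or of visible text that looks like a domain; else None.
    m = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", value, re.I)
    return re.sub(r"^www\.", "", m.group(1).lower()) if m else None

def analyze(raw):
    parts, mismatches = [], []   # content types; (shown host, real target host)
    for part in message_from_string(raw).walk():
        parts.append(part.get_content_type())
        if parts[-1] == "text/html":
            parser = LinkParser()
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for shown, target in ((host(t), host(h)) for h, t in parser.links):
                if shown and target and shown != target:
                    mismatches.append((shown, target))
    return parts, mismatches
```

A mail filter could treat an image part combined with any such mismatch as a scoring signal rather than a verdict, since legitimate newsletters also route links through tracking hosts.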