Your Next Purchase at McDonald's is FREE!
Authentication-Results: hotmail.com; sender-id=none (sender IP is 184.108.40.206)
firstname.lastname@example.org; dkim=none header.d=216.0xa.00000106.0126; x-hmca=none
Received: from hmt6.sfsldfksdkllk ([220.127.116.11]) by BAY0-MC2-F25.Bay0.hotmail.com with Microsoft
Sun, 15 Jul 2012 16:32:40 -0700
Received: by hmt6.sfsldfksdkllk id h0d9hi0cd90u for <x>; Sun, 15 Jul 2012 16:32:12 -0700 (envelope-from
Received: by 216.0xa.00000106.0126 id PFHkQ+YrHOUhXlT30CaptYTa/JUSSVSI; Sun, 15 Jul 2012 16:32:12 -0700 (envelope-from
Date: Sun, 15 Jul 2012 16:32:12 -0700 (PST)
From: =?iso-8859-1?B?TWNEb25hbGQncyBTcGVjaWFsIE9mZmVyIA=?= <email@example.com>
X-OriginalArrivalTime: 15 Jul 2012 23:32:40.0545 (UTC) FILETIME=[202B4510:01CD62E2]
I'm Lovin' It
Your next purchase at McDonalds is Absolutely FREE (Up To $100)
It only takes minutes to earn your McD's ARCH Card!
The first thing you'll notice is the strange subject line. Spammers love to encode their subject lines into a Base64 string, rather than displaying them in raw text. This is not necessarily very difficult to decode, but all it does is make your spam filter work harder to analyse the e-mail. If you decode the subject line, it reads: "Your Next Purchase at McDonald's is FREE!" The word "FREE" will increase the spam score of the e-mail and encoding the subject line increases its chances of getting past your spam filter.
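As an added example (not code from the original post), here is a small decoder for the encoded-word form that both the subject line and the From header use, run against the From header quoted above. The Q-encoded subject it also decodes is a constructed stand-in, since the page does not reproduce the original subject in its encoded form, and the function names are mine. The point for the filter side is simple: score the decoded text, not the raw header, and tolerate the broken base64 padding spammers ship (the header above ends in `IA=` where `IA==` is required).

```python
import base64
import quopri
import re

# RFC 2047 encoded-word: =?charset?B|Q?payload?=  (B = base64, Q = quoted-printable)
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")


def decode_encoded_word(charset: str, encoding: str, payload: str) -> str:
    """Decode one encoded-word payload into text."""
    if encoding.upper() == "B":
        # Repair short or missing base64 padding before decoding (Postel's law);
        # a strict decoder would reject the header and score nothing.
        payload += "=" * (-len(payload) % 4)
        raw = base64.b64decode(payload)
    else:
        # header=True turns '_' into spaces, as RFC 2047 requires for Q encoding
        raw = quopri.decodestring(payload.encode("ascii"), header=True)
    return raw.decode(charset, errors="replace")


def decode_rfc2047(value: str) -> str:
    """Replace every encoded-word in a header value with its decoded text."""
    return ENCODED_WORD.sub(
        lambda m: decode_encoded_word(m.group(1), m.group(2), m.group(3)), value
    )


def trigger_words(header_value: str, words=("free",)) -> list:
    """Return the listed words present in the *decoded* header, case-insensitively.
    Matching against the raw encoded header would miss them entirely."""
    decoded = decode_rfc2047(header_value).lower()
    return [w for w in words if w in decoded]


if __name__ == "__main__":
    # From header as it appears in the message above
    from_hdr = "=?iso-8859-1?B?TWNEb25hbGQncyBTcGVjaWFsIE9mZmVyIA=?= <email@example.com>"
    print(decode_rfc2047(from_hdr))
    # Constructed Q-encoded subject (hypothetical; the original's encoded form is not on the page)
    subject = "=?utf-8?Q?Your_Next_Purchase_at_McDonald's_is_FREE!?="
    print(decode_rfc2047(subject), trigger_words(subject))
```

Note that `decode_rfc2047` leaves non-encoded text untouched, so the angle-bracketed address after the encoded display name survives and can still be checked against a blocklist.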
The second thing you'll notice is the strange From address. Yes, spammers even encode the From address and the spamvertised link. This form of encoding is not that advanced either, but it attempts to prevent the spam filter from detecting blacklisted domains and IP addresses. The spammer does not use a domain name, but rather an IP address. The IP address, however, is not displayed in its more common dotted-decimal format; certain parts of the address are converted to hexadecimal and octal values. In the example above, the IP address 216.0xa.00000106.0126 translates to 18.104.22.168: 216 is already in decimal format, 0xa is hexadecimal for 10, 00000106 is octal for 70, and 0126 is octal for 86.
The spamvertised link in this example contained the IP address 216.0xa.00000106.0132, which translates to 22.214.171.124. The complete link points to a redirection script, with the e-mail address of the spam victim appended, so that the spammer can see who clicked the link. This lets the spammer determine who responded to the spam and which e-mail addresses are active. So if you click on the link in the original e-mail, you are effectively subscribing to more spam.
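The address conversion worked through above, and the second link's 216.0xa.00000106.0132, as an added example that is not from the original post: a normaliser that applies the same inet_aton() rules (a `0x` prefix means hexadecimal, a leading zero means octal, anything else is decimal) and rewrites the host part of a URL into plain dotted decimal so a blocklist lookup can match it. It goes beyond the four-part case in the text by also accepting the one-, two- and three-part shorthand that inet_aton() tolerates, where the last component fills the remaining bytes. It also pulls the victim's address back out of the tracking query string, since that is the other half of the link. The function names and the `victim@example.com` sample are mine.

```python
import re
from urllib.parse import parse_qsl, urlsplit, urlunsplit

HEX = re.compile(r"0[xX][0-9a-fA-F]+")
OCT = re.compile(r"0[0-7]*")        # a leading zero means octal ("0" alone is 0)
DEC = re.compile(r"[1-9][0-9]*")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_component(text: str) -> int:
    """Read one dotted component the way inet_aton() does: hex, octal or decimal."""
    if HEX.fullmatch(text):
        return int(text[2:], 16)
    if OCT.fullmatch(text):
        return int(text, 8)
    if DEC.fullmatch(text):
        return int(text, 10)
    raise ValueError(f"not a numeric component: {text!r}")


def normalize_ipv4(text: str) -> str:
    """Return the dotted-decimal form of any inet_aton()-style address.
    Fewer than four components are allowed: the last one fills the remaining bytes."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad address: {text!r}")
    *lead, last = [parse_component(p) for p in parts]
    if any(v > 255 for v in lead):
        raise ValueError(f"component out of range: {text!r}")
    last_bits = 8 * (4 - len(lead))
    if last >= 1 << last_bits:
        raise ValueError(f"last component out of range: {text!r}")
    number = 0
    for v in lead:
        number = (number << 8) | v
    number = (number << last_bits) | last
    return ".".join(str((number >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_url_host(url: str) -> str:
    """Rewrite an obfuscated numeric host into dotted decimal so blocklists match it.
    Non-numeric hostnames are returned unchanged (assumes no userinfo in the URL)."""
    parts = urlsplit(url)
    try:
        host = normalize_ipv4(parts.hostname or "")
    except ValueError:
        return url
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit(parts._replace(netloc=netloc))


def embedded_addresses(url: str) -> list:
    """E-mail addresses carried in the query string, i.e. the click-tracking token."""
    found = []
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        found.extend(EMAIL.findall(value))
    return found


if __name__ == "__main__":
    for obfuscated in ("216.0xa.00000106.0126", "216.0xa.00000106.0132", "0xC0A80001", "127.1"):
        print(obfuscated, "->", normalize_ipv4(obfuscated))
    # Constructed link in the shape the text describes: obfuscated host, redirect
    # script, victim address as a parameter (the real link is not on the page)
    link = "http://216.0xa.00000106.0132/r.asp?e=victim%40example.com"
    print(normalize_url_host(link), embedded_addresses(link))
```

A filter that normalises this way before consulting its IP and URL blocklists removes the benefit of the mixed-radix trick; a filter that compares the literal string never gets a hit.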
The body of the original e-mail also contained a huge number of random words, cleverly hidden in an HTML <style> element. This is not visible to the spam victim, but is used to modify the hash sum of the spam e-mail (also called hash busting). At the bottom of the example you will see a so-called unsubscribe link. The text is hidden in an image, once again to prevent it from triggering a spam filter. Clicking the link takes you to a confirmation page that actually tells you that you have successfully unsubscribed, but remember this is an "unsubscribe link" from a spammer and serves only one purpose: to confirm that your e-mail account is active and that you click on links in spam e-mails, which you must NEVER do. To make matters even worse, the images in the e-mail are not embedded in the e-mail itself, but are served remotely via some ASP script. So, unless your e-mail client blocks remote images by default, you will signal to the spammer that you have read the spam e-mail just by opening it.
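Both tricks in the paragraph above, hash busting via hidden <style> content and remotely served images that act as read receipts, as an added example that is not from the original post. It fingerprints only the text a reader would see (so two copies of the same spam with different filler words hash identically) and lists every image that would be fetched from a remote host when the message is opened. The two HTML bodies are constructed stand-ins that reuse the visible text quoted above; the `tracker.invalid` host and the `victim@example.com` parameter are mine, not the original message's.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class BodyScanner(HTMLParser):
    """Collect the text a reader would see, plus every remotely loaded image."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.remote_images = []
        self._hidden = 0  # nesting depth inside <style> / <script>

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._hidden += 1
        elif tag == "img":
            src = dict(attrs).get("src") or ""
            # Only http(s) sources phone home; cid: and data: images are local
            if urlsplit(src).scheme in ("http", "https"):
                self.remote_images.append(src)

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.text.append(data)


def scan(html: str) -> BodyScanner:
    scanner = BodyScanner()
    scanner.feed(html)
    scanner.close()
    return scanner


def visible_text(html: str) -> str:
    """Rendered text with <style>/<script> content dropped and whitespace collapsed."""
    return re.sub(r"\s+", " ", " ".join(scan(html).text)).strip()


def remote_image_urls(html: str) -> list:
    return scan(html).remote_images


def naive_hash(html: str) -> str:
    """What a filter that hashes the raw body sees: every hash-busted variant looks new."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def content_fingerprint(html: str) -> str:
    """Hash of the visible text only, so filler inside <style> cannot change it."""
    return hashlib.sha256(visible_text(html).encode("utf-8")).hexdigest()


# Constructed bodies (not the original message): identical visible content, different
# filler words hidden in <style>, images served from a hypothetical tracker host.
TEMPLATE = """<html><head><style>{junk}</style></head>
<body><p>I'm Lovin' It</p>
<p>Your next purchase at McDonalds is Absolutely FREE (Up To $100)</p>
<img src="http://tracker.invalid/img.asp?id=victim%40example.com">
<p><img src="http://tracker.invalid/unsub.asp?id=victim%40example.com" alt=""></p>
</body></html>"""
VARIANT_A = TEMPLATE.format(junk="lantern quartz meadow saddle")
VARIANT_B = TEMPLATE.format(junk="velvet orbit harbor tundra")

if __name__ == "__main__":
    print("raw hashes equal:", naive_hash(VARIANT_A) == naive_hash(VARIANT_B))
    print("content fingerprints equal:", content_fingerprint(VARIANT_A) == content_fingerprint(VARIANT_B))
    print("remote images:", remote_image_urls(VARIANT_A))
```

The remote image list is also what a mail client consults when it decides to block external content by default; each URL carries a per-recipient token, so a single fetch is enough to mark the address as live.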
Oh, and what about the physical address in the image? Do you really think a spammer will leave you his/her address? No.6 Pioneer Walk, #04-00 Golden Logistics Hub, Singapore 627751, is most likely a fake address or the address of a poor victim who has nothing to do with the spam. This address is used in a LOT of spam e-mails, so this poor guy or organisation probably receives a lot of hate mail.
The spamvertised link redirects to the following sites, in the following order:
Finally it redirects to a random porn site.
gtsmobi.com, gtsmobidistributed.com, and broker.to are all distributors of adult-related content, specifically for mobile devices, so the destination has NOTHING to do with McDonalds. That brings us to the last thing to take note of: the content of the e-mail. This is nothing new; most spammers use some enticing subject to lure their victims to the actual product, which is often unrelated to the content of the e-mail. In this example you think you are getting a free lunch, but you are bombarded with porn instead.
There ain't no thing as a free lunch my friend!