本文转自
http://techblog.avira.com/en/
A Japanese scam with some twists June 23, 2009, 10:03 am
Everyone knows about the already classic “Advanced Fee Fraud”, also known as the “Nigerian Scam” (http://en.wikipedia.org/wiki/Advance_fee_fraud). But, not everybody has seen the Japanese version of this scam (Figure 1).
 Fig. 1: The Japanese scam
This is a very fancy scam: We usually see the same old story aboutvery rich men who were killed by the government and the poor relativestrying to get the money out of the 3rd world country with your help.But this one is different.
First of all, it thinks big. Very big… really, I have never seensuch an idea before: “I made this money through a contract awarded tome by the ministry during the relocation of OSAKA AIRPORT”. And it getseven better: “I am not safe if I go back to Japan because I did notfinish the contract“. So now the Osaka airport should be somewhere… onthe road? This is really nice, isn’t it?
If you have a look at the main header, you see the From, Reply-Toand Sender fields. The sender field isn’t seen in an email very oftenbecause it is somehow in a gray area. According to RFC 822, this fieldshould be used only when the person submitting the message to thenetwork is different than shown by the “From” header field. Because ofthis, it should be authenticated, but what kind of authentication isnot clear. Some mail clients expect that the email address used in thisfield can be used to reach the sender, others do not. Because of thisuncertainty, most email clients prefer either to remove this fieldcompletely or to add a hidden field in the headers with the name“X-Sender”.
So, is our “Japanese contractor” using deprecated mass mailing software?
Note that there is no “To:” field. Of course, any decent anti spamproduct will penalize this email when it detects something like this.
According to the other headers, the email is supposed to have beensent though Gmail. There are even the DKIM headers and a new headercalled “X-Google-Sender-Auth”. Google doesn’t add something like thisthough. All these indications show that the spammer has used a specialsoftware to send mass mailing though the Gmail. It is really sad to seethat Google doesn’t enforce a clear email sending policy though itsservers.
But, because of these twists in the email, I assume that thespammers thought it wouldn’t be so bad to have an escape route. This iswhy the Reply-To email address points to yahoo.com.hk (Yahoo! HongKong).
Unfortunately for the spammer, after all this trouble just to sendthe email, it made the same mistakes which all the Fee Fraud emailsmake: It uses known keywords like “million dollars”, “Att: My name is”,it tries not to add the formal way of addressing in the From text (“Mr.”) but then uses an email address called mr.otoya22@gmail.com and theformal addressing in the Subject. These are also other important hintswhich can help an automated system for spam detection to safely markthis email as a scam.
Avira Antispam detects this email with a “Very High” spamprobability without even calling any Realtime Blacklists - no wondersince we see so many spam indicators. As usual, Avira advices to neverrespond to such emails and never trust such persons who promise hugeamounts of money.
Sorin Mustaca
Manager International Software Development
Tags: 419, Advance Fee Fraud, e-Crime, Spam
使用GOOGLE翻译了一下,大家将就看下
一个日本的曲折骗局
大家都知道的已经经典的“预付费欺诈” ,也称为“尼日利亚骗局” ( http://en.wikipedia.org/wiki/Advance_fee_fraud ) 。但是,并不是每个人都已经看到了日文版的这个骗局(图1 ) 。
这是一个非常花哨的骗局:我们通常会看到同样的老故事,非常有钱的人谁杀害了该国政府和穷人的亲属试图获得资金的第三届世界国家与你的帮助。但是,这一次是不同的。
首先,它认为大。非常大的...真的,我从来没有见过这种想法前: “我这笔钱通过一个合同,我部在搬迁大阪机场” 。它会更加美好: “我不是安全的,如果我回到日本,因为我没有完成的合同” 。所以,现在的大阪机场某处...应的道路上?这是非常好的,是不是?
如果你有看的主要标题,您会看到从,回复和发件人领域。发件人字段是没有看到在一封电子邮件中往往因为它是某种在灰色地带。根据符合RFC 822 ,这一领域应只用于人时提交的信息,网络是不同所表现出的“发件人”标题字段。由于这一原因,应当验证,但什么样的身份目前尚不清楚。一些邮件客户端期望,所用的电子邮件地址在这一领域可以用来达到发件人,有的不需要。由于这种不确定性,大多数的电子邮件用户端倾向于删除此领域完全或添加一个隐藏字段标题中的名称的“ X -发件人” 。
所以,是我们的“日本承包商”用废弃的大量邮件软件?
请注意,不“ : ”字段。当然,任何像样的反垃圾邮件产品将惩罚此邮件时,发现像这样。
根据其他标题,电子邮件理应虽然已发送的Gmail 。甚至还有的DKIM头和一个新的标题所谓的“ X -谷歌,发件人验证” 。谷歌不会购买这样的了。所有这些迹象表明,垃圾邮件发送者使用了一种特殊软件,发送大量邮件的Gmail虽然。这真是令人痛心地看到,谷歌不执行明确的政策,但发送邮件的服务器。
但是,由于这些曲折的电子邮件中,我认为,垃圾邮件发送者认为不会如此糟糕了一条退路。这就是为什么在回复的电子邮件地址点yahoo.com.hk (雅虎香港) 。
不幸的是垃圾邮件发送者,毕竟这只是麻烦发送电子邮件,表示了同样的错误,所有的费用作出欺诈电子邮件:它使用已知的关键词,如“万美元” , “瓦特:我的名字是”不要尝试购买正规方式处理的文本( “先生” ) ,但当时使用的电子邮件地址称为mr.otoya22 @ gmail.com和正式处理的主题。这也是其他一些重要的提示,可以帮助一个自动化系统的垃圾邮件检测安全标志此电子邮件作为一个骗局。
查杀反垃圾邮件侦测此电子邮件, “非常高”垃圾邮件的可能性,甚至呼吁任何实时黑名单-难怪,因为我们看到这么多的垃圾邮件的指标。像往常一样,查杀建议不要回应这类邮件,从不相信这些人谁承诺巨额资金。
|
发表于 2009-6-28 03:35:29
米有看懂
发表于 2009-6-28 07:53:34
