Online Pharmaceutical Spam with Policy Restrictions Being Lifted
VERY IMPORTANT INFORMATION, READ THIS FIRST: The example and associated information published on this page are subject to the SHPAMEE Terms Of Use. Please familiarise yourself with these terms before viewing or using any information on this page.
Header:
X-Account-Key: account8
X-UIDL: x
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Apparently-To: x via 217.146.182.123; Sun, 06 Jul 2008 17:48:22 +0000
X-YahooFilteredBulk: 217.164.201.149
X-Originating-IP: [217.164.201.149]
Authentication-Results: mta106.mail.ukl.yahoo.com from=tbtlaw.com; domainkeys=neutral (no sig)
Received: from 217.164.201.149 (HELO 10B4CA30) (217.164.201.149)
    by mta106.mail.ukl.yahoo.com with SMTP; Sun, 06 Jul 2008 17:48:20 +0000
Received: from ha5.octigon.com (ha5 [217.164.201.149])
    by ha5.octigon.com (Cyrus v2.2.12-Invoca-RPM-2.2.12-8.1.RHEL4_BB) with LMTPA;
    Sun, 06 Jul 2008 14:39:30 -0400
X-Sieve: CMU Sieve 2.2
Received: from mx5.octigon.com (internal.octigon.com [217.164.201.149])
    by ha5.octigon.com (8.13.1/8.13.1) with ESMTP id lB5Jfb6P577186
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
    for x; Sun, 06 Jul 2008 16:33:30 -0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="----_=_NextPart_603_01C61944.30DEA76D"
Subject: Our policy restricitions
Date: Sun, 06 Jul 2008 13:40:30 -0500
Message-ID: <x@scrupulosity.GHYH.LOCAL>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: Our policy restricitions
Thread-Index: Apq3eJWnO3txCaFYCEegZ7uHYIA7w==
From: "ED Supply Store" <PfizerMeds.superbtop@tbtlaw.com>
To: x
X-Virus-Scanned: ClamAV version 0.91.2, clamav-milter version 0.91.2 on localhost
X-Virus-Status: Clean
Trusted-Delivery-Validation-State: Not validated
Body:
RESTRICITIONS / POLICIES HAVE BEEN LIFTED:
Starting June 30th, 2008 we will be lifting all restrictions on any of our Pfizer & Lilly ICOS pharmaceutical orders.
Our products will remain restriction free until July 11th, 2008.
FURTHER INFORMATION:
We NO LONGER require medical consultations or prescriptions on any of our products.
We are not sure how long our products will be offered restriction free but if you order from our site during this period then you will be exempt from any restrictions that may occur in the future.
SHIPPING?
We still ship our products via express postage (2 - 3 Days).
Our packaging will remain discrete to ensure your privacy.
SITE LOCATION:
Comments:
Why send an e-mail like this after the 30th of June?
They decided on their own to lift the restrictions, so why end the restriction-free period after only 11 days? The answer is simple: the spammer is creating a false sense of urgency, just like any other form of deceptive advertising, to encourage the recipients to buy this junk before the restriction-free period "expires". At the end of July they will send another e-mail with yet another restriction-free period of 11 days (or more).
First it is Pfizer & Lilly ICOS pharmaceutical orders only; now it is restriction-free orders for any of their products (they most likely deal in Pfizer and Lilly ICOS only). This should set off warning lights immediately: they speak as if you can order prescription drugs without a prescription. Only a backyard doctor or pharmacist will do business like this. Never buy any drugs from cheap spammers like these; you will be risking your life if you ever do.
Notice that the same message appears twice, in two different formats: one part is an embedded, base64-encoded JPEG image and the other part is formatted in HTML. The spammer is merely improving his chances of delivering the message to his recipients. If an e-mail client blocks the image part, the spammer hopes that the HTML part will still be displayed. But the e-mail is constructed in such a way that both parts are displayed to the recipient simultaneously. An e-mail client like Thunderbird will handle the image part as an attachment if you view the message body as plain text. This is most probably what the spammer tried to achieve.
It has to be mentioned that the contents of the two parts of this e-mail are not exactly the same. One part contains a reference to www.TotalPfizerLilly.com and the other contains a reference to www.superbtop.com; however, both are linked to the website www.superbtop.com. We are not entirely sure why the spammers followed this route, but it is most likely done to increase the click-through rate of this spam campaign.
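The two observations above (an HTML part shipped together with an inline image, and a link whose visible text names a different site than its target) can be checked mechanically. The following is an added example, not part of the original SHPAMEE page; the sample message is constructed, and for simplicity it assumes both references appear as anchors in the HTML part.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
# Constructed sample with the same layout as the spam above; bodies are placeholders.
SAMPLE = """\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<img src="cid:img1"><a href="http://www.superbtop.com/">www.TotalPfizerLilly.com</a>
<a href="http://www.superbtop.com/">www.superbtop.com</a>
--b1
Content-Type: image/jpeg
Content-Transfer-Encoding: base64
Content-ID: <img1>

/9j/4AAQSkZJRgABAQ==
--b1--
"""

class LinkAudit(HTMLParser):
    """Collect (href host, visible text) for every anchor."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((urlparse(self._href).hostname or "", "".join(self._text).strip()))
            self._href = None

def audit(raw):
    parts = [p for p in message_from_string(raw).walk() if not p.is_multipart()]
    parser = LinkAudit()
    for p in (p for p in parts if p.get_content_type() == "text/html"):
        parser.feed(p.get_payload(decode=True).decode("ascii", "replace"))
    # Flag anchors whose visible text names a host other than the href target.
    mismatched = [(text, host) for host, text in parser.links
                  if (m := HOST_RE.search(text)) and m.group(0).lower() != host]
    return {"parts": [p.get_content_type() for p in parts], "mismatched": mismatched}
```

Calling `audit(SAMPLE)` lists the leaf MIME types and the anchors whose displayed host differs from the real destination; a mail filter could use either result as a scoring signal.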