]]>Let’s take a look at source of the email (i.e. ‘view source’) below, and the picture of the email we received originally. We have highlighted our text in blue to separate it from the email attachments.
Delivery-date: Thu, 12 Apr 2007 05:18:21 -0500
Received: from [18.104.22.168] (helo=mail.integracom.net)
Received: (from root@localhost) by mail4.integracom.net (8.11.3/8.11.3)
id k4V0OhN38045; Thu, 12 Apr 2007 18:34:27 -0800 (PDT envelope-from root)
Date: Thu, 12 Apr 2007 18:34:27 -0800
From: “Customer Support” <email@example.com>
Subject: Support Request
<p>Thank you for using the digital locker at Windows Marketplace.</p>
<p>This email confirms that you have successfully purchased:</p>
<p>Microsoftr Windows Vista Ultimate UPGRADE<br/>
Reseller: Circuit City</p>
<p>You can now access your license or licenses that have been delivered to your digital locker.</p>
<p>To download your new software, open your <a href=”http://g.msn.com/WMHFUSEN/102146″>digital locker</a> and choose a download method. We recommend that you use the digital locker assistant to help you download and install your software, make a backup CD of the software, and view your license information. Learn more about how to use the digital locker assistant <a href=”http://g.msn.com/WMHFUSEN/102150″>here</a>.</p>
<p>If you’d like to use your Internet browser to download the software instead, click Use Browser File Download in your digital locker to download software.</p>
<p>Learn more about using the digital locker and read the answers to frequently asked questions <a href=”http://g.msn.com/WMHFUSEN/102152″>here</a>.</p>
<p>If you need to change your billing information, contact information, download preference or other digital locker information, visit your <a href=”http://g.msn.com/WMHFUSEN/102148″>Profile page</a>.</p>
<p>For assistance with your digital locker account please contact our <a href=”http://g.msn.com/WMHFUSEN/102091″>Support Team</a>.</p>
<p>Thank you again for using the digital locker at Windows Marketplace.</p>
<p>Enjoy your new software!</p>
The email actually looks like this:
—-End Attached Picture—-
The blue links are links to the original msn.com website. For example, http://g.msn.com/WMHFUSEN/102152, actually opens the help page at Windows Marketplace. This is the only thing that is real in the entire email. The rest are scams.
1) Obviously, the receiver did not buy the software in most cases. If he did, it could be just plain lucky that he receives a scam email about the product he just bought.
2) As you can see in the attached picture, my email software automatically rejects loading the picture from the site. From the view source, we see that the image file is actually ‘<img src=”http://22.214.171.124/rnd.gif.php?jpg=XXXXXX@XXXXXXXXXX.com”>’. A check on the IP whois leads to a server in Beijing, China.
The picture is actually a PHP script file. We can foresee the least it can do is to confirm that you are reading your email, and that they can spam you even more. Or it can probably do more than that.
3) The IP address, 126.96.36.199 in the header leads us to a company in Beijing, China.
Anyway IP address tracking does not always imply that the scammer is located at the same place. The scammer could have used compromised server there and send out mails via proxy.
In most cases, I would have deleted the email as similar ones are often badly written. In this case, the email appears to be copied from the original email that could have been issued to a real customer. The scammer simply inserted his code into the email, setup the file, and send out the mail as spam.