Current Status

This blog is not frequently updated because most case-by-case scam reports are now listed in subordinate blogs. At this point in time, most of my efforts are targeted at documenting employment scams in the Suckers Wanted blog.


Pump and Dump: Recent Activity

I'm still catching up on my backlog after taking time off for other projects. Today's catch-up concentrates on the stock fraud spam -- and there's been quite a bit of it. There are two ways I could group these: either by stock symbol, or by targeted address. I'll start with a summary by address, then move on to a more detailed report by stock symbol.

I have a large number of email addresses, some of them less active than others, and some of them spam-free! Of the addresses which are currently active, three of them have received stock-pumping spam in the last couple of weeks. One of these is my "legacy" address, an ".org" address that's been around since before 2000. It was harvested years ago, and appears on spam lists all over the place. I actively block incoming mail from known spam sources (including all of China and Korea), and still get quite a bit of spam in that account. The second address is an odd one: I don't actually consider it mine. It was more or less inherited when one ISP bought out another, and it peeves me no end that this merger is the only reason I get spam there. Not that it matters -- it's basically pure spam, so I don't have to sort wheat from chaff. Let's call it "address X". The last address usually attracts job-scam spam, and it happens to be a ".au" address. Call it "address A".


A grand total of nineteen stock spams, covering six stocks. The most prominent is the infamous CDGT, which featured in seven spams across two accounts. EDEX -- a newcomer to my inbox -- made an enthusiastic showing with five instances in one account only. Also not to be ignored are PGCN and CWTD, both seen in the past, with three and two spams respectively, spread over the same two accounts. SNFX.PK and VSUS are newcomers with one appearance each.

Note that there is overwhelming evidence linking the CDGT and PGCN spams sent to account X. These were sent in approximately the same time-frame, using the same HTML format, and in one case shared the same sender address and subject line, despite originating at completely unrelated IP addresses! Whether or not the CDGT and PGCN spams sent to the other accounts are from the same spammer is an open question.

Let's look at them in detail, in order of receipt.

StockAddressSource IPWHOISDate Received
PGCNX220.79.250.110KORNET (Korea)Tue, 21 Jun 2005 07:52:35 -0000
PGCNX61.249.157.113SHINBIRO-INFRA (Korea)Tue, 21 Jun 2005 18:49:29 -0000
CDGTX24.176.247.234RNO-NV-24-176-240 (USA)Tue, 21 Jun 2005 18:52:59 -0000
CDGTX211.246.161.241SCSNET-CATV-SEOKYUNG (Korea)Wed, 22 Jun 2005 10:10:56 -0000
CDGTX210.49.220.108OPTUSINTERNET-AU (Australia)Wed, 22 Jun 2005 19:32:49 -0000
CDGTX220.80.17.106KORNET-HOTLINE2003305226 (Korea)Fri, 24 Jun 2005 07:57:28 -0000
SNFX.PKLegacy195.33.210.107TR-SUPERONLINE-980318 (Turkey)Fri, 24 Jun 2005 09:35:31 +0000
CDGTX200.168.62.134(Brazil, not playing nice with WHOIS)Wed, 29 Jun 2005 08:09:37 -0000
EDEXX84.9.91.202Bulldog (London, UK)Thu, 30 Jun 2005 03:59:17 -0000
EDEXX82.227.96.2FR-PROXAD-ADSL (France)Thu, 30 Jun 2005 15:47:26 -0000
EDEXX211.175.42.210ASCB (Korea)Thu, 30 Jun 2005 19:12:20 -0000
EDEXX61.38.31.32BORANET-1 (Korea)Sun, 3 Jul 2005 04:22:08 -0000
EDEXX81.172.85.46ES-RETECAL-20030114 (Spain)Sun, 3 Jul 2005 15:54:07 -0000
CDGTA66.180.123.113NETBLK-CBEY-2BLK (USA)Tue, 5 Jul 2005 04:43:45 -0000
CDGTA200.232.145.73(Brazil, still not playing nice.)Tue, 5 Jul 2005 14:28:43 -0000
CWTDX58.120.244.176HANANET (Korea)Fri, 8 Jul 2005 06:09:43 -0000
PGCNLegacy24.132.32.66A2000-AMSTERDAM6 (Netherlands)Fri, 08 Jul 2005 14:47:35 +0000
VSUSX211.206.146.105HANANET (Korea)Sat, 9 Jul 2005 07:52:04 -0000
CWTDLegacy82.114.184.228YEMEN-NET-ADSL (Yemen)Mon, 11 Jul 2005 12:15:05 +0000

I don't have a lot to add, except to point out the notable absence of China as a spam source in this list, and the conspicuous preponderance of Korean sources. In case there was any doubt, Korea is a festering hole of compromised Windows boxes on broadband connections, and the rest of the world would do itself a huge favour by blocking all outgoing email from that country -- if not severing the Internet connection altogether. I have no doubt that my legacy account would be receiving vastly more spam, were it not for my active attempts to refuse all email from Korea. What a disgrace.

No comments: