Pump and Dump: Recent Activity
I'm still catching up on my backlog after taking time off for other projects. Today's catch-up concentrates on the stock fraud spam -- and there's been quite a bit of it. There are two ways I could group these: either by stock symbol, or by targeted address. I'll start with a summary by address, then move on to a more detailed report by stock symbol.
I have a large number of email addresses, some of them less active than others, and some of them spam-free! Of the addresses which are currently active, three of them have received stock-pumping spam in the last couple of weeks. One of these is my "legacy" address, an ".org" address that's been around since before 2000. It was harvested years ago, and appears on spam lists all over the place. I actively block incoming mail from known spam sources (including all of China and Korea), and still get quite a bit of spam in that account. The second address is an odd one: I don't actually consider it mine. It was more or less inherited when one ISP bought out another, and it peeves me no end that this merger is the only reason I get spam there. Not that it matters -- it's basically pure spam, so I don't have to sort wheat from chaff. Let's call it "address X". The last address usually attracts job-scam spam, and it happens to be a ".au" address. Call it "address A".
Address | Stock | Count | Total |
---|---|---|---|
Legacy | SNFX.PK | 1 | 3 |
Legacy | PGCN | 1 | |
Legacy | CWTD | 1 | |
X | CDGT | 5 | 14 |
X | PGCN | 2 | |
X | EDEX | 5 | |
X | CWTD | 1 | |
X | VSUS | 1 | |
A | CDGT | 2 | 2 |
A grand total of nineteen stock spams, covering six stocks. The most prominent is the infamous CDGT, which featured in seven spams across two accounts. EDEX -- a newcomer to my inbox -- made an enthusiastic showing with five instances in one account only. Also not to be ignored are PGCN and CWTD, both seen in the past, with three and two spams respectively, spread over the same two accounts. SNFX.PK and VSUS are newcomers with one appearance each.
Note that there is overwhelming evidence linking the CDGT and PGCN spams sent to account X. These were sent in approximately the same time-frame, using the same HTML format, and in one case shared the same sender address and subject line, despite originating at completely unrelated IP addresses! Whether or not the CDGT and PGCN spams sent to the other accounts are from the same spammer is an open question.
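As an added example (my code, not the post's), here is a small Python routine over constructed message records that builds the per-address summary above and applies the linkage test just described: messages sharing sender and subject but pumping different stocks from unrelated IPs. Recipient aliases, senders, subjects and IPs are all constructed.

```python
from collections import defaultdict

# Constructed sample records (not the post's actual mail). Each record carries
# the fields the post's tables work with: recipient alias, pumped ticker and
# source IP, plus the sender and subject used to link messages. IPs are
# RFC 5737 documentation addresses, senders use reserved example domains.
SAMPLE = [
    {"to": "X", "stock": "PGCN", "ip": "192.0.2.10", "from": "tips@example.net", "subject": "Hot pick"},
    {"to": "X", "stock": "CDGT", "ip": "198.51.100.7", "from": "tips@example.net", "subject": "Hot pick"},
    {"to": "X", "stock": "CDGT", "ip": "203.0.113.44", "from": "news@example.org", "subject": "Watch this"},
    {"to": "A", "stock": "CDGT", "ip": "192.0.2.77", "from": "desk@example.com", "subject": "Big mover"},
    {"to": "A", "stock": "CDGT", "ip": "203.0.113.9", "from": "desk@example.com", "subject": "Big mover"},
    {"to": "Legacy", "stock": "SNFX.PK", "ip": "198.51.100.9", "from": "alerts@example.com", "subject": "Alert"},
]

def summarize_by_address(messages):
    """Per-address stock counts plus a total, like the post's first table."""
    counts = defaultdict(lambda: defaultdict(int))
    for m in messages:
        counts[m["to"]][m["stock"]] += 1
    return {
        addr: {"stocks": dict(stocks), "total": sum(stocks.values())}
        for addr, stocks in counts.items()
    }

def linked_campaigns(messages):
    """Group messages sharing sender and subject. A group is reported only when
    it pumps more than one stock from more than one source IP: one hand behind
    several symbols, delivered through hosts that have nothing in common.
    Same sender/subject/stock from several IPs is just one campaign relayed
    through several compromised machines and is not reported."""
    groups = defaultdict(lambda: {"stocks": set(), "ips": set()})
    for m in messages:
        g = groups[(m["from"], m["subject"])]
        g["stocks"].add(m["stock"])
        g["ips"].add(m["ip"])
    return {
        key: {"stocks": sorted(g["stocks"]), "ips": sorted(g["ips"])}
        for key, g in groups.items()
        if len(g["stocks"]) > 1 and len(g["ips"]) > 1
    }

if __name__ == "__main__":
    for addr, row in summarize_by_address(SAMPLE).items():
        print(addr, row)
    for (sender, subject), g in linked_campaigns(SAMPLE).items():
        print(f"linked: {sender!r} / {subject!r} -> {g['stocks']} via {g['ips']}")
```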
Let's look at them in detail, in order of receipt.
Stock | Address | Source IP | WHOIS | Date Received |
---|---|---|---|---|
PGCN | X | 220.79.250.110 | KORNET (Korea) | Tue, 21 Jun 2005 07:52:35 -0000 |
PGCN | X | 61.249.157.113 | SHINBIRO-INFRA (Korea) | Tue, 21 Jun 2005 18:49:29 -0000 |
CDGT | X | 24.176.247.234 | RNO-NV-24-176-240 (USA) | Tue, 21 Jun 2005 18:52:59 -0000 |
CDGT | X | 211.246.161.241 | SCSNET-CATV-SEOKYUNG (Korea) | Wed, 22 Jun 2005 10:10:56 -0000 |
CDGT | X | 210.49.220.108 | OPTUSINTERNET-AU (Australia) | Wed, 22 Jun 2005 19:32:49 -0000 |
CDGT | X | 220.80.17.106 | KORNET-HOTLINE2003305226 (Korea) | Fri, 24 Jun 2005 07:57:28 -0000 |
SNFX.PK | Legacy | 195.33.210.107 | TR-SUPERONLINE-980318 (Turkey) | Fri, 24 Jun 2005 09:35:31 +0000 |
CDGT | X | 200.168.62.134 | (Brazil, not playing nice with WHOIS) | Wed, 29 Jun 2005 08:09:37 -0000 |
EDEX | X | 84.9.91.202 | Bulldog (London, UK) | Thu, 30 Jun 2005 03:59:17 -0000 |
EDEX | X | 82.227.96.2 | FR-PROXAD-ADSL (France) | Thu, 30 Jun 2005 15:47:26 -0000 |
EDEX | X | 211.175.42.210 | ASCB (Korea) | Thu, 30 Jun 2005 19:12:20 -0000 |
EDEX | X | 61.38.31.32 | BORANET-1 (Korea) | Sun, 3 Jul 2005 04:22:08 -0000 |
EDEX | X | 81.172.85.46 | ES-RETECAL-20030114 (Spain) | Sun, 3 Jul 2005 15:54:07 -0000 |
CDGT | A | 66.180.123.113 | NETBLK-CBEY-2BLK (USA) | Tue, 5 Jul 2005 04:43:45 -0000 |
CDGT | A | 200.232.145.73 | (Brazil, still not playing nice.) | Tue, 5 Jul 2005 14:28:43 -0000 |
CWTD | X | 58.120.244.176 | HANANET (Korea) | Fri, 8 Jul 2005 06:09:43 -0000 |
PGCN | Legacy | 24.132.32.66 | A2000-AMSTERDAM6 (Netherlands) | Fri, 08 Jul 2005 14:47:35 +0000 |
VSUS | X | 211.206.146.105 | HANANET (Korea) | Sat, 9 Jul 2005 07:52:04 -0000 |
CWTD | Legacy | 82.114.184.228 | YEMEN-NET-ADSL (Yemen) | Mon, 11 Jul 2005 12:15:05 +0000 |
I don't have a lot to add, except to point out the notable absence of China as a spam source in this list, and the conspicuous preponderance of Korean sources. In case there was any doubt, Korea is a festering hole of compromised Windows boxes on broadband connections, and the rest of the world would do itself a huge favour by blocking all outgoing email from that country -- if not severing the Internet connection altogether. I have no doubt that my legacy account would be receiving vastly more spam, were it not for my active attempts to refuse all email from Korea. What a disgrace.