Wednesday, January 16, 2013

Legitimate Business Proposal Spam

By Michael Seese

The other day, I received the following "legitimate business" proposal.

What? No poisoned hyperlinks? Boring!

And do you suppose he realizes that if I read the "To:" line, I see "undisclosed-recipients"?

Yeah, I feel special.

Remember kids, if you want to make a small contribution to the infosec effort, forward your SPAM emails (with full header info) to


  1. Citibank called me recently to tell me there was a problem with my savings account. I was understandably outraged, as I hadn't even been informed that I even had an account with Citibank.

    I demanded to know what they were doing to secure the hundreds of thousands of dollars that I (as far as he knew) had in that account.

    I kid you not, the background chatter on his end died out completely. No doubt everyone in the room had gathered around at the sight of dollar signs in his eyes.

    After a few stuttering attempts, he finally managed to assure me that he would take care of everything if I could give him my account information.

    I told him I would have to get it from my files. I went upstairs, made a pot of coffee and put a couple of leftover pancakes in the toaster oven to heat. They're very yummy with coffee. I make them with chocolate chips and ground cardamom...

    I actually forgot about the call until I came back to my office and found the phone sitting by my keyboard. He was still there.

    "So it's light blue," I said, "and it can sleep two very comfortably."
    "Pardon me, sir?"
    "You called about the sofa bed we advertised on Kijiji, right?"
    "Ummm, no.. This is Citibank security..."
    "Do you need a couch for your office?"
    "Not really."
    "Then please don't tie up this line," I chided him. "I'm trying to sell a sofa bed."

    I have to say, those Citibank employees use some very shocking language...

    1. Brilliant! I'm amazed they called. After all, phone calls take time; one of the reasons that SPAM is profitable is that the cost (in terms of time and effort) to send millions of emails is no different from the cost to send one. But a phone call is time-intensive. And even though they no doubt spoofed the number for caller ID, as long as they sat on the line you probably could have called the phone company from your cell and gotten a trace.

      And chocolate chips in pancakes ARE great. They're good in waffles, too, though I suggest the mini chips.

  2. Oh yeah, definitely the mini chips for waffles. They just don't have the volume for the big chips. Try grinding up some cardamom (maybe two or three pods for a three-person batch); it plays nicely off the taste of the chocolate.

    I think the guy pretending to be from Citibank is probably from the same outfit that also pretends to be from 'Windows Security'. Last week I asked him which floor. He didn't catch on right away so I told him there were three floors on my house and we had a heck of a lot of windows. I wasn't really concerned about any of my windows above ground floor, though. I mean, you'd hear if a ladder suddenly bumped up against the side of your house, right?

    Again, pretty shocking language for a Microsoft employee.