In the beginning of May I received the first mail from the lost space traveller in search for a 4 Dimensional Warp Generator # 52 4350a series wrist watch, a GRC79 induction motor, a couple of warp stabilizors and other Sci-Fi gadgets. I was very puzzled at the time. Since then, I have kept getting about another mail like this a week. The reward still seems to be $5,000, but the email address for returing tips has changed.
Looking at my search stats pages, I realize there must be more and more recepiants of these mails. Since my first mail, I have had 776 search queries containing the word dimensional, 300 of them just in the last week!
There are several theories of the purpose of these mails, and this page is growing. Here are the contents this far:
Mike: Hoax and Tracking codes
Bruce J: Setup for fund scam (added 7/9 2003)
Did anyone respond?
What do you think?
I received the mail below from Mike, who has a theory about the purpose of these mails:
I am glad to see I am not the only one getting these strange emails.
I look at the names and parts listed and I am trying to figure out if the guy who sent it is pulling our leg or actually thinks he can get the parts.
From what I see it is a hoax; the parts requested are a mish-mash of common computer and electronic parts smushed together with phrases and comments from such SCI-Fi shows as Star Wars and Star Trek.
These parts do not exists or only exist as part of a SCI-fi show.
Dimensional Warp is from Star Wars and things like the temporal displacement is from Star Trek.
Crystal ionization is something that can be done but you need a linear accelerator not a wrist watch. Capacitors are for electricity not time, ….
You ask about the random junk at the bottom of the email. (And you will notice it is also on the email subject line as well.) This is for the spammer to trace who they emailed and when. It is a combination of junk and binary encoded data to help them track who they sent the email to and to see if the email address is real.
This type of message, which seems harmless or even a joke, gets a lot of return email, web chatter and IM messaging traffic which is then parsed for the code in the email and they can then tell that your email address is in use. And so they add your name to their known good email addresses and they can then sell your email as a confirmed email.
They also do web searches based on the embedded codes.
By posting the emails with the code to your web site you are telling them your email is good and then you get even more junk mail.
(Please do not post my email address with this message if you do post the message.)
My answer to Mike:
Yes, I think I’ve figured the codes as to be some kind of tracking device as well. Still, using html messages there are infinitely easier ways to do this. I guess the main reason must be for us to reply to either the sending address or the address in the mail, and thereby expose ourselves and our email addresses to further spam mail.
But you might be right. I’ve been receiving one or more of these per day for the last week, and even if nobody else publishes the whole thing I did a couple of Google searches for ”my codes”:
szooxk wxnul t cnuk ygqnkyogqg
yzkd fy hvjr egv fwfwqsate
And sure enough, both pointed nicely to N!kkes Index. (Even if Google did give me some spelling advice 🙂
However. It’s still such a strange way to collect spamable email addresses that I find it well worth the trouble of publishing them (even if it might mean exposing myself to more spam).
So, if you’re right I guess I should change the codes just a bit, to screw their results up…
P.S. Don’t worry about your email address. I only publish addresses to spammers or people who really deserve it. Never to those of my visitors that are kind enough to give me some feedback.
I’m still not 100% convinced that Mikes theory is correct. It seems far to far fetched to send out secret codes, just in hope people will post them on the web. I’m more leaning towards the theory that the sites owning the return addresses stated in the mails (not the given from adresses) have something to do with this. If they have a CPA advertising program, a couple of hundret thousand intrigued self-appointed detectives like myself would be welcome…
Setup for federal fund hoaxes
Bruce J supports the scam theory, and adds an explanation about the codes:
I believe the comments that it is email address verification is correct. The numbers that are on the bottom also allow them to track rejects (bounces) from sendmail programs.
Considering the size of the Internet now, it takes a while to get through all of the addresses. Timeouts on invalid connections take time. And rejects can inflame either the admins on systems that the bounce back occurs on as well as inflame the targeted systems admin (because the undeliverables go the postmaster addresses). Admins generally talk to other admins resulting on a Spammers account getting yanked, and the Spammer getting ‘known’.
This message is so bizarre that people do not get up at arms about it and fry(anti-Spam flame?) the ISP over the sender. The receiver feels a bit of pity and feels that the guy has so completely lost it that it really isn’t worth pursuing.
Checking the metrics on the items: (relevant IP addresses), The most recent one I received originated from the IP address 22.214.171.124 belonging to http://ws.arin.net/cgi-bin/whois.pl?queryinput=126.96.36.199
The message asks for a reply to firstname.lastname@example.org. There is also a website at www.federalfundingprogram.com and both federalfundingprogram.com and www.federalfundingprogram.com map to the same IP address of 188.8.131.52 belonging tohttp://ws.arin.net/cgi-bin/whois.pl?queryinput=184.108.40.206
If you look at the website, the format is similar to some of the ‘scam’ sites that I have come across (sites with little on them forwarding to other sites). This looks like one of the scams for the government grant programs. (the download is an executable for the grant guide.. or so claimed.. I didn’t download it because it was an executable from unknown origins and could potentially insert an IRC bot on my system).
The actual download website is hosted on yet another machine located at IP address 220.127.116.11 belonging tohttp://ws.arin.net/cgi-bin/whois.pl?queryinput=18.104.22.168
The chain of forwards is constructed so that if the first machine gets pulled, all that the Spammer has to do is map the IP address to the next in line.
PS: It would be interesting to track the IP addresses used on each of these messages… there might be a pattern.
PS: Don’t reveal my Email Addr.
My response to Bruce:
Thanks for the additional explanation about the codes. Yes, that makes a lot of sense, even if I doubt spammers of this size bother to check the bounces that thoroughly.
And your idea about checking the IP metrics is very interesting. I’ll do it on the mails I have saved. The last ones (but not all) has the exact same response address as yours (email@example.com).
Just have to walk the dog first…
P.S. Your email address is as safe guarded as my passwords.
OK. As promised in my reply to Bruce’s mail I have started comparing the details of the mails I have received this far.
Three different email addresses has been used for responding (the from-address is of course different in every one). The mails are almost identical except for some formatting and some other small details. It is (mildly) interesting to see how these have changed over time:
May 9, 2003
Title: Needed Equipment i j jiqxruq
Responce address: firstname.lastname@example.org
May 17, 2003
Title: I Need a Reliable Vendor jmtn
Responce address: email@example.com
June 26, 2003 (2 mails) and July 6, 2003 (2 mails)
Title: Dimensional Warp Generator Needed xchrfcvg
Responce address: firstname.lastname@example.org
July 8, 2003
Title: DWG Needed mderudq l
Responce address: email@example.com
The change over time might indicate the original scam has been taken over by someone else I think, however, it is a bit strange that I only got one mail yesterday. More to follow…
Did anyone respond?
Have you responded to a mail like this? I would really like to hear about it. And maybe that will have to be the next step in this process. I’ll set up a new address for it somewhere.
Dave Hill has, [link1586:in his ongoing mail conversation with Bob Smith who claims to be the time traveller, come to this conclusion about it all:
As far as theories go, I think everyone is wrong. The numbers at the bottom are from using a standard bulk mailing program that does that automatically. He’s also not trying to promote any product, he’s just having fun.
Follow his mailthread with ”Bob Smith”. Click here!
Do you have theory of your own?
Tell me about it! My email address is posted on the bottom of the page (in a mostly spam safe format), and just as was the case with Mike and Bruce, you won’t have to worry that I will post your address. That only happens to spammers.