Gathan Beaga

where is my money, dude?

It started innocently enough. Just some vaguely threatening emails (from addresses slightly munged for reasons that will become clear later) over several months, their odd phrasing suggesting a non English speaking origin:

From: eddie@éggdöt.cøm
Date: Sun May 9, 2004 6:07:02 AM Pacific/Auckland
To: ?@?
Subject: where are you, man ?

We need to talk, ASAP. Call me.

And then, a few days later…

From: rrippe@ätt.cøm
Date: Mon May 17, 2004 6:06:42 AM Pacific/Auckland
To: ?@?
Subject: where are you ?

I need your opinion. Call me asap.

So what? But then came more, over the next few months:

From: cschott@nétégrity.cøm
Date: Sun Jul 11, 2004 4:28:21 AM Pacific/Auckland
To: ?@?
Subject: do you ignore me ?

I need answers to all questions ASAP.
Where are you, man ? What a problem ?


From: paul.moore@bms7.çøm
Date: Wed Aug 25, 2004 10:42:21 PM Pacific/Auckland
To: ?@?
Subject: question

what a problem, man ? Where is my money ?


From: info@møstmåssmédiå.cøm
Date: Sat Oct 16, 2004 8:59:17 AM Pacific/Auckland
To: ?@?
Subject: what the fuck is going on ?

man, answer me ASAP. Or you will have big problems!


From: hostmaster@séqüéncé.cö.ük
Date: Sun Oct 31, 2004 10:41:40 PM Pacific/Auckland
To: ?@?
Subject: where is my money, dude ?

You must return my payment back, or …


From: rmdupont@iqüest.ñét
Date: Thu Nov 25, 2004 4:48:14 AM Pacific/Auckland
To: ?@?
Subject: i have mailed you several times.

where is my money, dude ?

Then they start getting a bit grumpier…

From: jjames@jtds.çøm
Date: Fri Nov 26, 2004 5:09:23 AM Pacific/Auckland
To: ?@?
Subject: what the fucking shit is going on ?

where is my money, dude ?

Should I have been worried, just a little…?

From: dowd@bråinhät.côm
Date: Wed Dec 15, 2004 5:05:12 AM Pacific/Auckland
To: ?@?
Subject: what the fuck is going on ?

you have last chance to return my money!

Sometimes saying “fuck” just once is not enough:

From: ndhanks@gênévå.cøm
Date: Thu Dec 16, 2004 3:50:00 AM Pacific/Auckland
To: ?@?
Subject: what the fuck is going on ? – 2

you have last chance to return my money!


From: dnsadmin@syñåcør.cöm
Date: Tue Feb 8, 2005 4:16:09 AM Pacific/Auckland
To: ?@?
Subject: fuck, where is my money ?

Call me, dude!


From: sysadmin@chørdîånt.cøm
Date: Sun Feb 13, 2005 4:53:26 AM Pacific/Auckland
To: ?@?
Subject: dude, i wrote you 10 times…

Next time i will write to police!
Return my funds!!!

Now originally I thought these were all some sort of fishing expedition for valid email addresses. They don’t try to sell anything, and there’s no real “call to action”. The theory was that any recipients who replied to the messages would effectively be confirming for the spammer that their address existed and was good to receive more spam.

This assumes of course that all the “From:” addresses are somehow owned by the spammers. But many of the “From:” addresses would appear to belong to legitimate companies that are unlikely to be hosting spammers, either knowingly or unknowingly.

So the next possible explanation is that these are some kind of joe-job. This is supported by the messages on the home pages of three of the victims. If this is true then posting the “From:” addresses here only compounds the issue as these addresses will be sucked up by address harvesters and spammed directly to within a byte of their disk allocation (hence me munging their addresses, just in case). This explanation also makes some more sense, as at least some of the domains involved are owned by companies involved in security and anti-spam activities.

And there is a third explanation, described here. The story is that these emails are part of a scam to relieve the owners of the “From:” address’s domain of their domain name. This doesn’t quite make sense for at least some of the domains involved (like ATT and Chordiant) as these (fairly big) guys are unlikely to parted from their domain name that easily. But still, it’s more interesting.

So, after all that, if you are getting these emails don’t worry about them: just ignore them.

later: they keep on coming:

From: benioff@åol.çøm
Date: Tue Feb 22, 2005 1:19:15 AM Pacific/Auckland
To: ?@?
Subject: what is your phone number, dude ?

I want to call you imm.

still later: more and more (12 June 2005)

From: siteops@vøcüs.çom
Subject: return my money ASAP!
Date: 12 March 2005 5:55:56 AM
To: ?@?

Dude, you decide to cheat me ? Wrong way!

No message with this one:

From: paulo@micrøsöft.cøm
Subject: i am really angry
Date: 13 March 2005 9:11:00 AM
To: ?@?

And a few more over the last few months:

From: arely@pälcåp.côm
Subject: call me
Date: 20 March 2005 2:10:09 AM
To: ?@?

i already have some questions…

From: joelagolden@msñ.cøm
Subject: dude, i am still waiting your call
Date: 20 March 2005 7:40:42 AM
To: ?@?

Get up, i need your answer.

From: hostmaster@franklîncøvey.çom
Subject: hi, dude, do you remember me ?
Date: 7 May 2005 4:16:09 AM
To: ?@?

i need my money back!

From: fhp@unipréss.çom
Subject: why do you ignore me ?
Date: 13 May 2005 9:54:59 AM
To: ?@?


From: dns@loüdeyé.cøm
Subject: dude, i need my money
Date: 12 June 2005 7:05:16 AM
To: ?@?

I resist to wait. I need full moneyback, or …