Ask HN: spam email (how did they do that)
6 points by electrichead on March 6, 2012 | 3 comments
So I received an email this morning in my gmail supposedly from "MSNBC". The interesting thing about this spam email is that there was only one link, which was not even coded as a link (this is a text-only email), and the URL goes to http://on.msnbc.com/zV9UfI?<my email>

So the question is: why would they want me to click on the link? Have they somehow put a redirect on msnbc.com?

Email source below:

Delivered-To: <my email>@gmail.com
Received: by 10.68.25.225 with SMTP id f1csp70201pbg; Tue, 6 Mar 2012 04:27:06 -0800 (PST)
Received: by 10.220.179.132 with SMTP id bq4mr1797830vcb.40.1331036826055; Tue, 06 Mar 2012 04:27:06 -0800 (PST)
Return-Path: <reguvenatewellness11285@sc.rr.com>
Received: from cdptpa-omtalb.mail.rr.com (cdptpa-omtalb.mail.rr.com. [75.180.132.120]) by mx.google.com with ESMTP id 3si5506943vct.131.2012.03.06.04.27.05; Tue, 06 Mar 2012 04:27:06 -0800 (PST)
Received-SPF: pass (google.com: domain of reguvenatewellness11285@sc.rr.com designates 75.180.132.120 as permitted sender) client-ip=75.180.132.120;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of reguvenatewellness11285@sc.rr.com designates 75.180.132.120 as permitted sender) smtp.mail=reguvenatewellness11285@sc.rr.com
Return-Path: <reguvenatewellness11285@sc.rr.com>
Authentication-Results: cdptpa-omtalb.mail.rr.com smtp.user=reguvenatewellness11285@sc.rr.com; auth=pass (LOGIN)
X-Authority-Analysis: v=2.0 cv=TvJkdUrh c=1 sm=0 a=XKGNf7EIzzoA:10 a=8DfUPBxvO0QA:10 a=IkcTkHD0fZMA:10 a=dJ0-dG6DAAAA:8 a=pGLkceISAAAA:8 a=QK1GopW9Fw9adpgECroA:9 a=6KscT9JeKKuDAi2QTlIA:7 a=QEXdDO2ut3YA:10 a=A_n0Eqh96AUA:10 a=MSl-tDqOz04A:10 a=KMr8SRDwdKKXQwftM2uIcw==:117
X-Cloudmark-Score: 0
Received: from [10.127.132.174] ([10.127.132.174:59992] helo=cdptpa-web23-z02) by cdptpa-oedge01.mail.rr.com (envelope-from <reguvenatewellness11285@sc.rr.com>) (ecelerity 2.2.3.46 r()) with ESMTPA id A5/35-17039-892065F4; Tue, 06 Mar 2012 12:27:04 +0000
Message-ID: <20120306122704.ZV0XM.40945.root@cdptpa-web23-z02>
Date: Tue, 6 Mar 2012 7:27:04 -0500
From: "newsletter@msnbc.com" <reguvenatewellness11285@sc.rr.com>
To: <my email>@gmail.com
Subject: MSNBC's "Solution to Easy Weight-Loss"
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
Sensitivity: Normal
X-Originating-IP:

Excerpt: "Tired of being fat and feeling slow? Looking to feel better and remove those extra lbs? I know you are and I was too! This an all natural fatloss supplement that is guaranteed to work!."

Read more at: http://on.msnbc.com/zV9UfI?<my email>@gmail.com This is a complimentary e-mail provided by MSNBC.



Using wget, yes, there is a 301 redirect to some page about acai berries.

The on.msnbc.com domain seems to be set up to redirect all links to some other page. Not sure if this is part of an exploit on that service, or if you can somehow pay to advertise there or what.

It's interesting. A lot of people probably trust the msnbc.com domain name.


It's actually a version of Bit.ly; check out the made-up URL http://on.msnbc.com/fsdhfjksd76f.

Possibly done via DNS?


It leads to http://noslims.info/?787254572 "Acai Berry Diet Exposed: Miracle Diet or Scam?" - a fake news ad.
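
The mismatch visible in the headers posted above, as an added example that is not part of the thread: a Python check that compares the domain shown in the From display name with the address that actually sent the message, with the domain the SPF pass applies to, and with the hosts of links in the body. The function names, finding labels and the recipient@example.com placeholder are assumptions of this example, and the suffix comparison is a simplification of a proper organizational-domain match.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a subset of the headers quoted in the post, with the
# redacted recipient replaced by the placeholder recipient@example.com.
SAMPLE = (
    'Authentication-Results: mx.google.com; spf=pass (google.com: domain of '
    'reguvenatewellness11285@sc.rr.com designates 75.180.132.120 as permitted '
    'sender) smtp.mail=reguvenatewellness11285@sc.rr.com\n'
    'From: "newsletter@msnbc.com" <reguvenatewellness11285@sc.rr.com>\n'
    'To: recipient@example.com\n'
    'Subject: MSNBC\'s "Solution to Easy Weight-Loss"\n'
    '\n'
    'Read more at: http://on.msnbc.com/zV9UfI?recipient@example.com\n'
)

def domain(addr):
    return addr.rpartition("@")[2].lower().rstrip(".")

def related(a, b):
    # Assumption: suffix match stands in for a real public-suffix comparison.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def analyze(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = domain(addr)
    findings = []
    # 1. Display name that is itself an address at another domain.
    m = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", display)
    claimed = m.group(1).lower() if m else None
    if claimed and not related(claimed, sender):
        findings.append("display-name-domain-mismatch")
    # 2. SPF only vouches for the envelope sender (smtp.mail), not the brand.
    spf = None
    for ar in msg.get_all("Authentication-Results", []):
        res = re.search(r"\bspf=(\w+)", ar)
        env = re.search(r"smtp\.mail(?:from)?=([^\s;]+)", ar)
        if res and env:
            spf = (res.group(1).lower(), domain(env.group(1)))
            if claimed and not related(claimed, spf[1]):
                findings.append("spf-result-not-for-claimed-domain")
    # 3. Body links on hosts unrelated to the address that actually sent it.
    body = "" if msg.is_multipart() else msg.get_payload()
    hosts = sorted({h.lower() for h in re.findall(r"https?://([^/\s?#]+)", body)})
    if any(not related(h, sender) for h in hosts):
        findings.append("link-host-not-sender-domain")
    return {"sender": sender, "claimed": claimed, "spf": spf,
            "link_hosts": hosts, "findings": findings}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On the sample, all three findings fire: the SPF pass is for sc.rr.com, the account the message was sent from, and says nothing about the msnbc.com name in the display string or the link.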



