
Ecard Spam

Friday, July 6th, 2007

I recently received a few particularly nasty spam emails masquerading as ecard notifications. Normally, when you send an ecard the recipient gets an email saying a card is waiting and asking them to click a link to retrieve it. These messages work the same way, except that the URL points at some compromised cable/DSL computer, which serves up malware instead of a card.

Return-Path: <>
Received: from ( [])
     by (*****) with SMTP id l645CkBd011052
     for <joe@evi***>; Wed, 4 Jul 2007 01:12:47 -0400
Received: from kkgtt.rtkoa ([]) by 
     with Microsoft SMTPSVC(6.0.3790.0); Wed, 4 Jul 2007 07:12:43 +0200
Message-ID: <002101c7bdf9$f3984ee0$9fe2c3ad@kkgtt.rtkoa>
From: "" <>
To: <joe@evi***>
Subject: Independence Day Party
Date: Wed, 4 Jul 2007 07:12:43 +0200
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Antivirus: avast! (VPS 000753-2, 2007-07-03), Outbound message
X-Antivirus-Status: Clean

Hi. Friend has sent you a postcard.
See your card as often as you wish during the next 15 days.


If your email software creates links to Web pages, click on your 
card's direct www address below while you are connected to the Internet:


Or copy and paste it into your browser's "Location" box (where Internet 
addresses go).

PRIVACY honors your privacy. Our home page and Card Pick Up have links to our 
Privacy Policy.

By accessing your card you agree we have no liability. 
If you don't know the person sending the card or don't wish to see the card, 
please disregard this Announcement.

We hope you enjoy your awesome card.

Wishing you the best,
Mail Delivery System,

Let's take a second to analyze this email. The first "Received:" header mentions ""; email doesn't come from routers. This must be a small cable/DSL router with a bunch of PCs hiding behind it, one (or more) of which is probably a zombie. Then check out the "From:" header: the display name mentions, but the actual email address is something at

In the body, the first thing you probably notice is the articulate use of the English language, always a dead giveaway. Then the URL they want you to click on contains just an IP address, not a hostname. I covered up the first octet so nobody clicks on it by mistake, but the IP belongs to a southern California residential Roadrunner customer. They also specifically mention privacy, saying the policy is available on their website, but no links are provided.

Being the curious nerd that I am, I of course followed the link (minus the query string) to see where it went. I used a program to fetch the page source rather than opening it in a browser, in case there was something nasty in there that my browser would execute. This is what I got:

We are currently testing a new browser feature. If you are not able to view this ecard, 
please <a href="/ecard.exe">click here</a> to view in its original format.

So it is basically prompting me to download an executable that will most likely own my computer. Since this kind of thing is always about money, I'm sure ecard.exe turns your computer into a zombie (spamming this same email out and serving "ecards" itself) and most likely logs everything you do: your passwords, bank and credit card numbers, everything needed to steal your identity.
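The checks walked through by hand above (reading the Received chain, comparing the From display name with the real address, spotting an IP-literal URL, and scanning fetched page source for an executable link) can be scripted. The block below is an added example, not code from the original post; the message and page source it runs on are constructed to mirror the post, with 192.0.2.x, 10.x and example.* placeholders standing in for the redacted addresses and hostnames, and a made-up URL line where the post blanked one out. It deliberately takes the page source as a string (fetch it with curl or wget first) so nothing is rendered or followed.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample mirroring the post's message.  The post redacts the
# real hosts and addresses; 192.0.2.x, 10.x and the example.* names are
# placeholders, as is the URL line the post blanked out.
SAMPLE_EMAIL = """\
Return-Path: <>
Received: from 192.0.2.77 (cpe-192-0-2-77.socal.res.example.net [192.0.2.77])
    by mx.example.org (8.13.8/8.13.8) with SMTP id l645CkBd011052
    for <joe@example.org>; Wed, 4 Jul 2007 01:12:47 -0400
Received: from kkgtt.rtkoa ([10.0.0.5]) by 192.0.2.77
    with Microsoft SMTPSVC(6.0.3790.0); Wed, 4 Jul 2007 07:12:43 +0200
Message-ID: <002101c7bdf9$f3984ee0$9fe2c3ad@kkgtt.rtkoa>
From: "greetings.example.com" <xzq@mail.example.net>
To: <joe@example.org>
Subject: Independence Day Party
Date: Wed, 4 Jul 2007 07:12:43 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hi. Friend has sent you a postcard.
Or copy and paste it into your browser's "Location" box:

http://192.0.2.77/?a1b2c3d4

PRIVACY honors your privacy. Our home page and Card Pick Up have links to our
Privacy Policy.
"""

# Constructed landing page, modelled on the snippet quoted in the post.
SAMPLE_PAGE = """<html><body>We are currently testing a new browser feature.
If you are not able to view this ecard, please
<a href="/ecard.exe">click here</a> to view in its original format.
<a href="/about.html">About us</a></body></html>"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
BRACKET_IP = re.compile(r"\[(" + IPV4 + r")\]")
URL_RE = re.compile(r"https?://([^\s/:?#]+)(?::\d+)?\S*")
EXE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd")


def received_ips(msg):
    """IPs the receiving MTAs recorded in [brackets], newest hop first
    (Received: headers are prepended, so the top one is the last hop)."""
    ips = []
    for hdr in msg.get_all("Received", []):
        ips.extend(BRACKET_IP.findall(hdr))
    return ips


def from_domains(msg):
    """(domain named in the From: display name or None, domain of the real address)."""
    name, addr = email.utils.parseaddr(str(msg["From"]))
    m = re.search(r"[\w-]+(?:\.[\w-]+)+", name)
    return (m.group(0).lower() if m else None, addr.rpartition("@")[2].lower())


def ip_literal_urls(text):
    """URLs whose host is a bare IPv4 address rather than a hostname."""
    found = []
    for m in URL_RE.finditer(text):
        try:
            ip_address(m.group(1))
        except ValueError:
            continue  # a hostname, not an IP literal
        found.append(m.group(0))
    return found


class ExeLinkFinder(HTMLParser):
    """Collect hrefs whose path ends in a Windows executable suffix.
    Only tokenises the markup; nothing is rendered, scripted or fetched."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        if urlsplit(href).path.lower().endswith(EXE_SUFFIXES):
            self.links.append(href)


def executable_links(html):
    finder = ExeLinkFinder()
    finder.feed(html)
    return finder.links


def triage(raw_email, page_source=None):
    """Return the indicators the post walks through, in the post's order."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    hops = received_ips(msg)
    name_dom, addr_dom = from_domains(msg)
    urls = ip_literal_urls(body)
    indicators = []
    if name_dom and name_dom != addr_dom:
        indicators.append(f"from-mismatch: display name {name_dom}, address @{addr_dom}")
    for u in urls:
        indicators.append(f"ip-literal-url: {u}")
    # The lure URL points back at the host that injected the mail: the bot
    # is hosting its own payload, exactly the zombie pattern the post describes.
    for u in urls:
        host = URL_RE.match(u).group(1)
        if host in hops:
            indicators.append(f"url-host-is-sending-relay: {host}")
    if "privacy" in body.lower() and not re.search(r"https?://\S*privacy", body, re.I):
        indicators.append("privacy-policy-mentioned-without-link")
    if page_source is not None:
        for link in executable_links(page_source):
            indicators.append(f"executable-download: {link}")
    return indicators


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL, SAMPLE_PAGE):
        print(line)
```

The relay check is the one worth keeping even after the other tells go stale: a real greeting-card service sends from its own mail servers and hosts the card on its own web servers, so a card URL whose host is the very machine that handed the message to your MX is about as clear a bot signature as a header alone can give.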

This is a great example of how effective social engineering can be. Who doesn't like receiving ecards? Nobody! Add the fact that it was sent on an actual holiday, though not really a big card-sending one, and I'm sure a lot of people got these spam messages and clicked on the links.

Comments (2)

#1 - Jul 7, 2007 at 7:28 AM
You should load up Virtual PC 2007 (now free from MS) and run ecard.exe on it. You can turn off networking so it can't escape from your virtual sandbox. You could also run a program like InCtrl5 or SpyMe Tools to scan the computer before and after and detect exactly what files and reg keys it changed. has a tool called Rootkit Revealer which I think you're familiar with that might be necessary too.
#2 - Jul 7, 2007 at 9:09 AM
Yeah, that's something I've been meaning to do for a while. I'd love to see exactly what gets changed and how much damage is really done by these nasty programs. Maybe I'll work on that this week at work while it's still slow...
