The New Spam: Hello – How Are You?

This is a test for sure. But what’s being tested? I have no clue.

Right now my email spam folder has nine emails unlike all the others. Though each claims to be from a different sender they’re all exactly alike. The subject is “hello” and the body is “how are you?” That’s it.

Like most spam its lineage is questionable. All the addresses are forgeries.

I opened a few to check the routing information. The first originated in Brazil. Another came from India. I suspect each of these spams comes from a different source. More than likely this is a botnet at work.

Someone has gone to a lot of trouble, but why? Seriously–this spam accomplishes nothing. There is no ad nor any payload (like a virus). Because most of the addressing info is forged these spams can’t report back on what they find.

These “hello – how are you?” messages are one of two coordinated spam waves I’m currently seeing. The other contains snippets from various news stories run together into a large paragraph of unrelated sentences! Again it’s totally worthless to the spammer with no useful payload though it certainly requires a lot of resources.

Are you getting these too? I’d like to know.

Because so many of you are curious I’m including the source from one after the jump. The email was sent to a seemingly random, non-existent mailbox at geofffox.com. As with all my email it is then forwarded to a catch all box at Gmail.


Delivered-To: geoff.fox@gmail.com
Received: by 10.216.37.195 with SMTP id y45cs85491wea;
    Sat, 18 Sep 2010 22:12:37 -0700 (PDT)
Received: by 10.216.1.6 with SMTP id 6mr6430080wec.24.1284873157025;
    Sat, 18 Sep 2010 22:12:37 -0700 (PDT)
Return-Path:
Received: from mail-ww0-f53.google.com (mail-ww0-f53.google.com [74.125.82.53])
    by mx.google.com with ESMTP id r51si8573803weq.7.2010.09.18.22.12.32;
    Sat, 18 Sep 2010 22:12:37 -0700 (PDT)
Received-SPF: neutral (google.com: 74.125.82.53 is neither permitted nor denied by best guess record for domain of me+caf_=geoff.fox=gmail.com@geofffox.com) client-ip=74.125.82.53;
Authentication-Results: mx.google.com; spf=neutral (google.com: 74.125.82.53 is neither permitted nor denied by best guess record for domain of me+caf_=geoff.fox=gmail.com@geofffox.com) smtp.mail=me+caf_=geoff.fox=gmail.com@geofffox.com
Received: by mail-ww0-f53.google.com with SMTP id 13so1130768wwb.34
    for ; Sat, 18 Sep 2010 22:12:32 -0700 (PDT)
Received: by 10.227.137.193 with SMTP id x1mr407017wbt.80.1284873152200;
    Sat, 18 Sep 2010 22:12:32 -0700 (PDT)
X-Forwarded-To: geoff.fox@gmail.com
X-Forwarded-For: me@geofffox.com geoff.fox@gmail.com
Delivered-To: jfkppv@geofffox.com
Received: by 10.216.158.199 with SMTP id q49cs104064wek;
    Sat, 18 Sep 2010 22:12:31 -0700 (PDT)
Received: by 10.204.82.136 with SMTP id b8mr5617871bkl.38.1284873151849;
    Sat, 18 Sep 2010 22:12:31 -0700 (PDT)
Return-Path:
Received: from CQBSXPI ([213.132.238.38])
    by mx.google.com with ESMTP id h12si16768445bkh.103.2010.09.18.22.11.46;
    Sat, 18 Sep 2010 22:12:31 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning retaliatoryind85@radio-tsf.com does not designate 213.132.238.38 as permitted sender) client-ip=213.132.238.38;
Return-path:
Received: from [213.132.238.38] (port=5256 helo=r111)
    by radio-tsf.com with asmtp
    id 760651-000749-48
    for
    ; Sun, 19 Sep 2010 08:11:32 +0300
Message-ID:
From: "Fannie Salazar"
To:
Subject: hello
Date: Sun, 19 Sep 2010 08:11:32 +0300
MIME-Version: 1.0
Content-Type: text/plain;
    format=flowed;
    charset="iso-8859-1";
    reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Mail 6.0.6001.18000
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
X-Mras: Ok

how are you?

59 thoughts on “The New Spam: Hello – How Are You?”

    1. I’ve been getting these recently but I did email one back and they eventually will send a link and in turn that would probably be a virus or some type of malware.

  1. Nothing in any of my accounts.

    Just a notice about three new women who may want to meet me, and someone who wants to give me a great deal on Viagra. Wonder if the two are working together?

    Tom

  2. I was wondering if I was the only one, I have like 200’s of those messages.
    I think they want to find people that need attention a lot, and so, would be more likely to answer an email like that.

  3. I’ve been seeing dozens of these all day as well (a few got through Gmail’s filter). I figured they were fishing for replies to store valid email addresses for a follow-up scam, but seeing as how you’ve found the returns bogus as well… I’m baffled.

  4. Hi Geoff,

    I’ve been receiving spam emails like those for years, with some spur like this one once in a while. I also have a site where I put some scam emails…

    http://dscam.m2osw.com

    But it is also a wonder why would they do that?! Sending a virus is also quite useless, but sending a totally fake email for nothing… Maybe a kiddo who was trying his robots. 😎

    Alexis

  5. Perhaps they are trying to bait you. Honestly if I had seen this email before reading your post, I would have replied with “Im well, do I know you.” At that point they might send another email with a link or sell my account to other spammers looking for live accounts.

  6. I haven’t been receiving spam like that, but I have noticed lately that more crap is making it past Gmail’s normally excellent spam filters. Have you experienced that too?

  7. This has gotten past Gmail sometimes along with the other spam I mentioned (non related news clips forming a very long, dense paragraph).

    Josh – AFAIK every address is forged so there is no way the sender could gain access to the returned/replied email.

  8. I just checked Gmail’s spam folder…. Mostly just the usual phishing scams and people wanting to sell me pills for…uh…yeah…anyway….

    Have you looked at the *source* of the e-mail? Is it HTML or Plain Text…and if it’s HTML, does it have any embedded images in it? They could be using images and an identifier or something that’s sent back to the remote server to determine whether your email address is legit or not.

    -Adam

  9. I have received this sort of spam for several years. Never that often or in great volume. I have always wondered what the purpose was. Generally an e-mail with a subject line like “Hello” coming from an unknown address is deleted unopened.

    Dennis

  10. Thanks a lot for the post!!!

    I have had about three of these “hello” messages daily, with no motive visible, from different people and e-mail addresses, all caught by my GMail (for Google Apps) Spam Filter.

    However, this morning, I received about 15 of those e-mails, from different people, and two managed to get through the filter. A bit concerned that they’ll all be in my inbox soon!!

    I wonder what they’re up to….

  11. Good post.

    I have had about twenty of these so far today, all going into one e-mail account (the one published on the web). Haven’t seen them on any other, so the work spam filter (only other published account) is at least functional.

    Why indeed? Testing a spam distribution system in preparation for sending out something more nefarious?

  12. Have also received shed loads of these exact emails. Some of which are sneaking past gmail’s spam filter. Definitely an unusually large number of this message so is a concerted ‘campaign’. Found the same as you in terms of fake-ness of sources and lack of anything traceable in the message. My assumption is that they’re gathering data about the interaction with the SMTP servers they’re hitting. Many servers will reject invalid sender or receiver addresses synchronously (during the send operation), and maybe SPF failures might show up at that stage too?

  13. @Geoff : I’ve received hundreds of those mails and started questioning myself just as you did.
    “Those mails were sent by zombies therefore the spammer can’t receive the replies, so what’s the point of sending us such spam mails?”
    Then I googled “new spam “how are you?” ” and your page showed as 1st result.
    The only answer that came in my mind is “maybe they want to play with the spam filters, see how it will react as those spams look like normal mails.. and maybe make those filters tag the words “hello/how are you?” which will falsely block regular mails containing those words.”

    It still doesn’t make sense. This is an awful lot of trouble to go through. The spammer knows how to randomly switch out email addresses and the like. Switching body and subject text would seem just as easy. – Geoff

  14. I’ve had loads of these and Gmail plants them in my priority inbox, presumably due to the benign content. I’m guessing that the spammers are trying to train our spam filters to believe the messages that follow are not spam. Someone shoot these morons whatever they’re doing it for.

    Hi Matt – I don’t think it’s a training exercise since repetitive spam will soon be labeled as such – not as real email. There’s something not obvious going on. – Geoff

  15. I’ve had fifteen of these ‘Hello, how are you?’ things in the last twelve hours. I traced the first one back to the Czech Republic and didn’t bother with the rest. I have been feeling a bit run down lately, so I figured people on all continents were just concerned about my health and well-being 🙂

  16. I’ve just cleared about a hundred of these over the past two days and started looking for some info on them. They are as described-all different except for the inane how are you. They are coming to my .edu address. Should I alert our completely inept IT folks?;>=

    Don’t bother Amy – there’s no way to find out anything yet. – Geoff

  17. I started receiving those mails yesterday and up to now, about a hundred have landed in various of my inboxes.

    I agree with your assumption, there is something non-obvious going on here.

    Did you find out something about the X-Mras header? Which server/firewall/relay produces it?

    Also: Some of the emails are sent to a non-existent mailbox (i.e. 88c23b226b52@domain.org) which, like in your case, is forwarded to my gmail catch-all account. However, some of them are sent to legitimate mailboxes (contact@domain.com and even the correct firstname.lastname@domain.com). In all cases, the actual To: header is forged, though.

  18. I have also received quite a few of these. Because of the benign content, these sail through my spam server (Barracuda). If anybody figures out what they are, I’d love to know.

  19. RFC 822 allows for using X- prefix for user generated info. I have no idea what the “X-Mras: Ok” header means, but it seems to only show up in these emails. I created a filter to send any email containing “X-Mras” anywhere in the headers to a special folder. So far the only emails that show up there are these odd “Hello – how are you” type emails.

    This sort of email has been showing up for at least 2 years, off and on –the “X-Mras” field seems consistent in all cases (this may change).

    As pure speculation I think it may be an experiment with Bayesian auto learn features in some anti spam systems. Teach it any “X-Mras” token is ‘ham’. But that’s just a wild thought, as nothing else seems to come to mind. Well possibly some DNS hack, but that seems a slim possibility… maybe.

    If anyone knows where the “X-Mras” header originates, or what it means, I’d like to know.

    All I can say for sure is so far the only emails my filter has caught are these odd ones under discussion here.

    Thanks for setting up this site, Geoff Fox.

    Perhaps others would try doing the same filter and see if they catch any false positives and report back if they do (or don’t for that matter). I’d like to set it to just delete these –if in fact the “X-Mras” header is only associated with these emails (again, so far, it’s worked 100% for me).

    Don.

  20. I have three of these. As others have suggested, could the sender be using the idea of emails that don’t get bounced back went to a legitimate address? That would give them a list of valid email addresses. Would that be valuable?

  21. I’ve received a few dozen of these tagged by our campus filter with 1/4 spam ‘#’ – so my filter currently shows them to me.
    I think it’s funny we’re spending this much effort trying to figure out the spammer’s “master plan” – in this case maybe we’re giving them way too much credit ;^P

    Dear Spammer – we are fine – although we think you made a mistake on your botnet job this time – are you feeling OK? 😉

  22. Yes, I have been receiving the exact message from various senders since Friday Sept 17th. There have been so many that I have lost count. Easily over 3 dozen e-mails so far. They are being sent to me via my grad school account which is forwarded to my yahoo. The “To” line doesn’t even make sense, since it’s not my actual e-mail. I wonder what this is all about…

    If this continues, I plan on contacting my grad school tech dept to see if they can do something about it. Something similar happened a few years back (also through my grad school .edu account). Tech support mentioned that the anti-spam software/filters had to be upgraded.

  23. Yes, I’ve received a flood of these emails to my personal domain this weekend. First a torrent to an alias I no longer use so disabled that, then later a batch to my regular address.

    This morning I arrived back at work to discover various people, typically those at director level, also received hundreds between them! Quite an offensive attack.

  24. I have received at least 20 of these all weekend. But today I have been receiving e-mails from random people with the header ‘report’ and saying ‘Sending my report. Have a great weekend.
    Cheers’
    It then has an attachment.
    Any ideas how I can block them?

  25. Richard, I believe that email is probably an ‘ordinary’ spam / virus. These ‘hello’ emails are fairly unique in their sparseness, frequency and volume, and the suddenness with which they started and stopped.

    A few minutes ago I had another ‘hello’ email with the X-Mras: Ok header, X-Mailer: Microsoft Windows Mail and so on, only with a slightly longer body:

    “hio
    someone showed me your profile and trust me i like you
    do you want to see my pic?

    please contact me directly at
    mayeabbateitmd@hotmail.com

    Nothing else in the body at all. As per the others, this was relayed through what’s probably an ISP’s relay, but crucially now invites a response. I wonder if the attack is beginning again, or this is another ‘regular’ spam? Interesting!

  26. I’ve gotten 100’s of undeliverable mail for something I never sent. I think to do with pharmaceuticals. It was a widespread virus. I updated McAfee and it’s gone. Every week I get a message that the scan was clean but it obviously wasn’t.
    Hey Jeff. Are we going to lose our tomatoes tonight? We’re in a low spot in Woodbridge and always get the first frost.

  27. As mentioned by someone else earlier, sometimes you have a hidden packet in the email (although those hello did not have it…)

    I got such a load today:

    http://dscam.m2osw.com/notes-from-last-week

    It included a JavaScript that would hit a web page on a “random” website. I was too late and that HTML page was already removed so I could not see what that part would have done to you. The email was pretty empty otherwise.

  28. This past Saturday morning, about once per hour from 3 am until 9 am, I got 6 spams to the same account from these IP addresses:

    My SMTP server rejects all connection attempts from IP’s located in Russia, China and all of South and Central America.

    These spams were all similar in that:

    – The subject was simply – hello
    – The body was simply – how are you?
    – The header contained a second Return-Path: line (unusual for the direct-to-mx spam I usually get)
    – The header contained a second Received: line that contained a port=nnnn and helo=(string) parameter (which I believe is indicative of Exim software).

    There seems to be some history of abuse using servers running Exim where the operators are having a hard time securing them or even properly logging their operations.
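
Added example (not from the original post or its comments): the header traits reported in comments 19 and 28 (an X-Mras header, a second Return-Path line, a Received line with port= and helo=) checked together over two constructed messages. The sample messages, placeholder hosts, the 40-character body limit and the two-trait threshold are assumptions.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the post; hosts and
# addresses are placeholders (documentation ranges), not real indicators.
SAMPLE_SPAM = """\
Return-Path: <me@recipient.example>
Received: from HOSTXYZ ([192.0.2.38])
    by mx.recipient.example with ESMTP id abc123;
    Sat, 18 Sep 2010 22:12:31 -0700 (PDT)
Return-path: <forged@sender.example>
Received: from [192.0.2.38] (port=5256 helo=r111)
    by sender.example with asmtp
    id 760651-000749-48
    for <random@recipient.example>; Sun, 19 Sep 2010 08:11:32 +0300
From: "Fannie Salazar" <forged@sender.example>
To: <random@recipient.example>
Subject: hello
X-Mras: Ok

how are you?
"""

# Constructed legitimate message with the same subject and a short body.
SAMPLE_HAM = """\
Return-Path: <alice@example.org>
Received: from mail.example.org (mail.example.org [198.51.100.7])
    by mx.recipient.example with ESMTP id def456;
    Mon, 20 Sep 2010 09:00:00 -0400
From: Alice <alice@example.org>
To: <bob@recipient.example>
Subject: hello
Message-ID: <1@example.org>

how are you? Lunch on Friday?
"""

PORT_HELO = re.compile(r"\(port=\d+\s+helo=[^)\s]+\)")
GREETINGS = {"hello", "hi", "hey"}


def fingerprint(raw):
    """Return which of the commenters' observed traits a raw message shows."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    return {
        # Comment 19's filter: the header is present (lookup ignores case).
        "x_mras": msg.get("X-Mras") is not None,
        # More than one Return-Path line survived into the headers.
        "dup_return_path": len(msg.get_all("Return-Path", [])) > 1,
        # A Received line carrying "(port=nnnn helo=string)".
        "port_helo_received": any(
            PORT_HELO.search(h) for h in msg.get_all("Received", [])
        ),
        # Content trait only: greeting subject plus a very short body.
        "bare_greeting": subject in GREETINGS and 0 < len(body.strip()) <= 40,
    }


def matches_campaign(raw, threshold=2):
    """Flag only when several traits agree, not on 'hello' content alone."""
    return sum(fingerprint(raw).values()) >= threshold


if __name__ == "__main__":
    for name, raw in (("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM)):
        print(name, fingerprint(raw), matches_campaign(raw))
```

Requiring more than one trait addresses the worry raised in comment 13: a genuine short "hello" message shares the content trait but none of the header traits.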

  29. I received many of these on different accounts on one of my domains (only one domain).
    Googleapps for my domain doesn’t filter these, so they come in. I report them to googleapps but actually they continue to come in.
    I think I’m going to set a filter to automatically send them to trashcan.

    Hello from France (Europe)

  30. I have received some as well.
    No one has really mentioned the from addresses they are getting them from. Is it possible that the accounts are bogus but they do forward to a catchall. As many of us have them setup.
    Another thought is that the test is to see the population this receives online as well as harvesting information that way. Someone could be trying out some new code technique and we are all obliging them with information on how well it is working.

    (HERE IS AN EXAMPLE THAT CAME IN)
    From: – Sun Sep 26 21:14:50 2010
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 00000000
    Return-Path:
    Delivered-To: DOMAIN.com-USER.NAME@DOMAIN.com
    Received: (qmail 5585 invoked by uid 399); 26 Sep 2010 22:18:30 -0000
    X-Virus-Scan: Scanned by clamdmail 0.15 (no viruses); Sun, 26 Sep 2010 18:18:30 -0400
    Received: from unknown (HELO ironport5.opentransfer.com) (76.162.254.116) by mail9.opentransfer.com with SMTP; 26 Sep 2010 22:18:30 -0000
    Received: from unknown (HELO MYQKHHZ) ([211.173.132.78]) by ironport5.opentransfer.com with ESMTP; 26 Sep 2010 18:18:23 -0400
    Return-path:
    Received: from [211.173.132.78] (port=9800 helo=ssssdde8e6d6ac) by mx1.rasecurity.com with asmtp id 64555D-0009E2-22 for ; Mon, 27 Sep 2010 07:18:16 +0900
    Message-ID:
    From: Chauncey Ashley
    To:
    Subject: hello
    Date: Mon, 27 Sep 2010 07:18:16 +0900
    MIME-Version: 1.0
    Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Windows Mail 6.0.6001.18000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
    X-Mras: Ok
    X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on localhost
    X-Spam-Status: No, score=1.6 required=5.0 tests=FROM_ENDS_IN_NUMS,SUB_HELLO autolearn=disabled version=3.0.2
    X-Spam-Level: *

  31. I get one or two a week and glad to know it’s just a test. My only suggestion is never reply back. I think that’s what they are testing. Maybe some string of events that will allow you to accept something if you type “who is this” or Great you or some other variable.
    That was my only thought!

  32. Dear other Geoff:

    I and several people on my school’s staff are getting these. We have a fairly secure server that uses Symantec’s enterprise level spam blocker, but these are not screened. They are definitely weird.

    Jeff

  33. I too am receiving the “Hello” emails. All it has is “Hello” as a message subject (or “Hi”, “Hey”, etc.) and the body says “Hello” as well. There are no attachments. These are coming into my work email repeatedly and have been for a couple of weeks now. I just delete them but am starting to wonder what is going on here. Personally, I believe it is a phishing scam. If you reply, then you get bombarded with spam emails, so that’s why I don’t respond to them. Of course, I am not an IT person, but it’s just common sense.

  34. I just received this e-mail, which forwarded automatically to all my contacts, and someone from Colombia (according to google) opened my account and changed my password.

    If anyone has any related information about this issue, where their account gets literally attacked, who should they inform?

    Regards

    Antonio

  35. I got at least a hundred emails today almost all in Russian. I took Russian 38 years ago in college but I don’t know what these say. I just recognize the alphabet. The few in English are all for Viagra etc. For a while they were coming in as fast as I could delete them. I’ve been at work the past 9 hours so I don’t know if they stopped yet.

  36. Latest links to an .ru domain… And it came from the email address of a relative

    Hi!  
    Have you already seen it? ” http://asenergo.ru/yh/breakingnews.php”

     

  37. I started getting these a couple of weeks ago. I recognize them as spam by how they always capitalize the starting letter: Hello There or they type Hello 😉 and add an emoticon. I think they are just fishing or testing the spam filters. Nov 2015

  38. I get these a lot
    Mostly some random name in my request forms on my website and it is exactly as you proclaimed
    Here is my thought on this
    Take this one to the bank.
    Google yahoo and bing now are merger online
    And they are generating bugs in our websites to stop the AI
    Now if I am wrong
    Let me conclude every spam. Caller in the world uses a vpn a robo dialer and google AI cloud server
    They provide the computer free data on the cloud and they are now triggering spam through email and cell text sms facebook and google plus
    It justifies them. Putting up a local platform they are only offering the companies who verify and now pay them 22.00 a call off the same link that was free not to me i paid great money to rank my companies on google so this tells me since they started that in 2017
    The spam has tripled and my true call volume has decreased in actual business by 75%
    By the way since early sept of 2017 I have spent 10000 on organics
    No adwords at all.
    This justifies their loss in income
    I did not pay google to rank on google
    I paid a web master.
    That certified google partners agrees that even though I spent money to rank
    I did not give it to google
    Final thought
    Google was built by the worlds best hackers
    I believe they found a way to control the web
    I do mean control it.
    Geof
    Life is like a box of chocolates
    However instead of eating one to find one I like
    I choose to look at all the chocolates in the box
    And remember which one I see every time
    The one we can not avoid
    Government take over of the www.
    Hopefully you can add some good solutions

  39. Hi

    Sorry for reanimating the discussion. I am receiving these mails on one of my accounts since two days ago in an hourly to bi-hourly interval from two different IPs in NL and two different sender addresses. Subject is always “Hi” and the content varies. Either just Hello or
    Hello!
    how are you?
    do you have news from last day?

    Very strange phenomenon.

    Regards from Germany,
    Erik
