The New Spam: Hello – How Are You?

Right now my email spam folder has nine emails unlike all the others. Though each claims to be from a different sender they’re all exactly alike. The subject is “hello” and the body is “how are you?” That’s it.

Like most spam, its lineage is questionable. All the addresses are forgeries.

I opened a few to check the routing information. The first originated in Brazil. Another came from India. I suspect each of these spams comes from a different source. More than likely this is a botnet at work.

Someone has gone to a lot of trouble, but why? Seriously, this spam accomplishes nothing. There is no ad and no payload (like a virus). Because most of the addressing info is forged, these spams can’t report back on what they find.

This is a test for sure. But what’s being tested? I have no clue.

These “hello – how are you?” messages are one of two coordinated spam waves I’m currently seeing. The other contains snippets from various news stories run together into a large paragraph of unrelated sentences! Again it’s totally worthless to the spammer with no useful payload though it certainly requires a lot of resources.

Are you getting these too? I’d like to know.

Because so many of you are curious I’m including the source from one after the jump. The email was sent to a seemingly random, non-existent mailbox at geofffox.com. As with all my email it is then forwarded to a catch-all box at Gmail.


Delivered-To: geoff.fox@gmail.com
Received: by 10.216.37.195 with SMTP id y45cs85491wea;
Sat, 18 Sep 2010 22:12:37 -0700 (PDT)
Received: by 10.216.1.6 with SMTP id 6mr6430080wec.24.1284873157025;
Sat, 18 Sep 2010 22:12:37 -0700 (PDT)
Return-Path:
Received: from mail-ww0-f53.google.com (mail-ww0-f53.google.com [74.125.82.53])
by mx.google.com with ESMTP id r51si8573803weq.7.2010.09.18.22.12.32;
Sat, 18 Sep 2010 22:12:37 -0700 (PDT)
Received-SPF: neutral (google.com: 74.125.82.53 is neither permitted nor denied by best guess record for domain of me+caf_=geoff.fox=gmail.com@geofffox.com) client-ip=74.125.82.53;
Authentication-Results: mx.google.com; spf=neutral (google.com: 74.125.82.53 is neither permitted nor denied by best guess record for domain of me+caf_=geoff.fox=gmail.com@geofffox.com) smtp.mail=me+caf_=geoff.fox=gmail.com@geofffox.com
Received: by mail-ww0-f53.google.com with SMTP id 13so1130768wwb.34
for ; Sat, 18 Sep 2010 22:12:32 -0700 (PDT)
Received: by 10.227.137.193 with SMTP id x1mr407017wbt.80.1284873152200;
Sat, 18 Sep 2010 22:12:32 -0700 (PDT)
X-Forwarded-To: geoff.fox@gmail.com
X-Forwarded-For: me@geofffox.com geoff.fox@gmail.com
Delivered-To: jfkppv@geofffox.com
Received: by 10.216.158.199 with SMTP id q49cs104064wek;
Sat, 18 Sep 2010 22:12:31 -0700 (PDT)
Received: by 10.204.82.136 with SMTP id b8mr5617871bkl.38.1284873151849;
Sat, 18 Sep 2010 22:12:31 -0700 (PDT)
Return-Path:
Received: from CQBSXPI ([213.132.238.38])
by mx.google.com with ESMTP id h12si16768445bkh.103.2010.09.18.22.11.46;
Sat, 18 Sep 2010 22:12:31 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning retaliatoryind85@radio-tsf.com does not designate 213.132.238.38 as permitted sender) client-ip=213.132.238.38;
Return-path:
Received: from [213.132.238.38] (port=5256 helo=r111)
by radio-tsf.com with asmtp
id 760651-000749-48
for
; Sun, 19 Sep 2010 08:11:32 +0300
Message-ID:
From: "Fannie Salazar"
To:
Subject: hello
Date: Sun, 19 Sep 2010 08:11:32 +0300
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Mail 6.0.6001.18000
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
X-Mras: Ok

how are you?
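The routing check described in the post (reading the Received chain to see where a message entered) can be done mechanically. The script below is an added example, not code from the original post: it walks the Received headers of the message above, oldest hop first, reports the hop at which the message reached the receiving MX (assumed here to be mx.google.com), the IP and HELO name recorded there, and the Received-SPF verdicts. The sample message is a constructed, trimmed copy of the headers above, keeping only the lines the script reads.

```python
"""Walk the Received chain of a raw message and report where it entered
the mail system, plus any SPF verdicts the receiving MX recorded."""
import email
import re

# Constructed sample: the Received/SPF chain of the message above, trimmed to
# the headers this script uses (recipient addresses the page elides are omitted).
RAW_MESSAGE = """\
Delivered-To: geoff.fox@gmail.com
Received: by 10.216.37.195 with SMTP id y45cs85491wea;
        Sat, 18 Sep 2010 22:12:37 -0700 (PDT)
Received: from mail-ww0-f53.google.com (mail-ww0-f53.google.com [74.125.82.53])
        by mx.google.com with ESMTP id r51si8573803weq.7.2010.09.18.22.12.32;
        Sat, 18 Sep 2010 22:12:37 -0700 (PDT)
Received-SPF: neutral (google.com: 74.125.82.53 is neither permitted nor denied by best guess record for domain of me+caf_=geoff.fox=gmail.com@geofffox.com) client-ip=74.125.82.53;
Delivered-To: jfkppv@geofffox.com
Received: from CQBSXPI ([213.132.238.38])
        by mx.google.com with ESMTP id h12si16768445bkh.103.2010.09.18.22.11.46;
        Sat, 18 Sep 2010 22:12:31 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning retaliatoryind85@radio-tsf.com does not designate 213.132.238.38 as permitted sender) client-ip=213.132.238.38;
Received: from [213.132.238.38] (port=5256 helo=r111)
        by radio-tsf.com with asmtp
        id 760651-000749-48
        ; Sun, 19 Sep 2010 08:11:32 +0300
Subject: hello
X-Mras: Ok

how are you?
"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<extra>[^)]*)\))?\s+by\s+(?P<by>\S+)")
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SPF_RE = re.compile(r"^(?P<result>\w+)\b.*?client-ip=(?P<ip>[\d.]+)")


def unfold(value):
    """Collapse folded header continuation lines into one line."""
    return re.sub(r"\s+", " ", value).strip()


def parse_hop(value):
    """Extract the parts of one Received header that matter for tracing."""
    value = unfold(value)
    hop = {"from": None, "ip": None, "helo": None, "by": None, "date": None}
    m = HOP_RE.search(value)
    if m:
        extra = m.group("extra") or ""
        hop["from"] = m.group("from")
        ip = IPV4_RE.search(m.group("from") + " " + extra)
        hop["ip"] = ip.group(1) if ip else None
        helo = re.search(r"helo=(\S+)", extra)
        hop["helo"] = helo.group(1) if helo else m.group("from")
        hop["by"] = m.group("by")
    else:  # internal "by ... with SMTP" line with no "from" clause
        m = BY_RE.search(value)
        hop["by"] = m.group("by") if m else None
    if ";" in value:  # RFC 5321 puts the timestamp after the last ';'
        hop["date"] = value.rsplit(";", 1)[1].strip()
    return hop


def received_hops(msg):
    """Hops oldest-first: the bottom Received header was written first."""
    return [parse_hop(v) for v in reversed(msg.get_all("Received", []))]


def spf_verdicts(msg):
    """(result, client-ip) pairs from every Received-SPF header."""
    out = []
    for v in msg.get_all("Received-SPF", []):
        m = SPF_RE.match(unfold(v))
        if m:
            out.append((m.group("result"), m.group("ip")))
    return out


def entry_point(hops, trusted_mx):
    """Index and hop where the message first reached a host we operate.

    Hops before it in transit order were written by the sender and cannot
    be verified; the IP our own MX recorded is the best evidence of origin."""
    for i, hop in enumerate(hops):
        if hop["by"] in trusted_mx:
            return i, hop
    return None, None


def trace(raw, trusted_mx):
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    idx, entry = entry_point(hops, trusted_mx)
    return {
        "hops": hops,
        "entry_ip": entry["ip"] if entry else None,
        "entry_helo": entry["helo"] if entry else None,
        "unverifiable_hops": hops[:idx] if idx is not None else hops,
        "spf": spf_verdicts(msg),
    }


if __name__ == "__main__":
    report = trace(RAW_MESSAGE, {"mx.google.com"})
    for n, hop in enumerate(report["hops"]):
        print(n, hop)
    print("entered at", report["entry_ip"], "claiming HELO", report["entry_helo"])
    print("SPF:", report["spf"])
```

Only the Received line written by your own MX is trustworthy; the hops below it were supplied by the sending machine. In this sample the MX recorded a direct connection from 213.132.238.38, yet the line beneath it claims radio-tsf.com relayed the message from that same address, which is consistent with that lower line having been written by the sender rather than by a real relay.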

54 Responses to “The New Spam: Hello – How Are You?”

  1. Lou Lange says:

    I have not received any yet, Geoff. But my e-mail filter program would catch it before it got to my mailbox.

  2. gary says:

    I gave up wondering about spam years ago, but I love reading your posts about it. you do the wondering so I don’t have to.

  3. Tom says:

    Nothing in any of my accounts.

    Just a notice about three new women who may want to meet me, and someone who wants to give me a great deal on Viagra. Wonder if the two are working together?

    Tom

  4. I was wondering if I was the only one, I have like 200’s of those messages.
    I think they want to find people that need attention a lot, and so, would be more likely to answer an email like that.

  5. Ben says:

    I’ve been seeing dozens of these all day as well (a few got through Gmail’s filter). I figured they were fishing for replies to store valid email addresses for a follow-up scam, but seeing as how you’ve found the returns bogus as well… I’m baffled.

  6. Hi Geoff,

    I’ve been receiving spam emails like those for years, with some spur like this one once in a while. I also have a site where I put some scam emails…

    http://dscam.m2osw.com

    But it is also a wonder why would they do that?! Sending a virus is also quite useless, but sending a totally fake email for nothing… Maybe a kiddo who was trying his robots. 8-)

    Alexis

  7. Al says:

    Yes, I received about 4 of these today.

  8. Josh says:

    Perhaps they are trying to bait you. Honestly if I had seen this email before reading your post, I would have replied with “Im well, do I know you.” At that point they might send another email with a link or sell my account to other spammers looking for live accounts.

  9. Heather says:

    I haven’t been receiving spam like that, but I have noticed lately that more crap is making it past Gmail’s normally excellent spam filters. Have you experienced that too?

  10. Geoff Fox says:

    This has gotten past Gmail sometimes along with the other spam I mentioned (non related news clips forming a very long, dense paragraph).

    Josh – AFAIK every address is forged so there is no way the sender could gain access to the returned/replied email.

  11. Adam says:

    I just checked Gmail’s spam folder…. Mostly just the usual phishing scams and people wanting to sell me pills for…uh…yeah…anyway….

    Have you looked at the *source* of the e-mail? Is it HTML or Plain Text…and if it’s HTML, does it have any embedded images in it? They could be using images and an identifier or something that’s sent back to the remote server to determine whether your email address is legit or not.

    -Adam

  12. Dennis Westler says:

    I have received this sort of spam for several years. Never that often or in great volume. I have always wondered what the purpose was. Generally an e-mail with a subject line like “Hello” coming from an unknown address is deleted unopened.

    Dennis

  13. Thanks a lot for the post!!!

    I have had about three of these “hello” messages daily, with no motive visible, from different people and e-mail addresses, all caught by my GMail (for Google Apps) Spam Filter.

    However, this morning, I received about 15 of those e-mails, from different people, and two managed to get through the filter. A bit concerned that they’ll all be in my inbox soon!!

    I wonder what they’re up to….

  14. Eastrockpark says:

    Good post.

    I have had about twenty of these so far today, all going into one e-mail account (the one published on the web). Haven’t seen them on any other, so the work spam filter (only other published account) is at least functional.

    Why indeed? Testing a spam distribution system in preparation for sending out something more nefarious?

  15. [...] Originally posted here: The New Spam: Hello – How Are You? — My Permanent Record [...]

  16. Dave Amphlett says:

    Have also received shed loads of these exact emails. Some of which are sneaking past gmail’s spam filter. Definitely an unusually large number of this message so is a concerted ‘campaign’. Found the same as you in terms of fake-ness of sources and lack of anything traceable in the message. My assumption is that they’re gathering data about the interaction with the SMTP servers they’re hitting. Many servers will reject invalid sender or receiver addresses synchronously (during the send operation), and maybe SPF failures might show up at that stage too?

  17. Dea7h says:

    @Geoff : I’ve received hundreds of those mails and started questioning myself just as you did.
    “Those mails were sent by zombies therefore the spammer can’t recieve the replies, so what’s the point of sending us such spam mails?”
    Then I googled “new spam “how are you?” ” and your page showed as 1st result.
    The only answer that came in my mind is “maybe they want to play with the spam filters, see how it will react as those spams look like normal mails.. and maybe make those filters tag the words “hello/how are you?” which will falsely block regular mails containing those words.”

    It still doesn’t make sense. This is an awful lot of trouble to go through. The spammer knows how to randomly switch out email addresses and the like. Switching body and subject text would seem just as easy. – Geoff

  18. Matt says:

    I’ve had loads of these and Gmail plants them in my priority inbox, presumably due to the benign content. I’m guessing that the spammers are trying to train our spam filters to believe the messages that follow are not spam. Someone shoot these morons whatever they’re doing it for.

    Hi Matt – I don’t think it’s a training exercise since repetitive spam will soon be labeled as such – not as real email. There’s something not obvious going on. – Geoff

  19. Chris says:

    I’ve had fifteen of these ‘Hello, how are you?’ things in the last twelve hours. I traced the first one back to the Czech Republic and didn’t bother with the rest. I have been feeling a bit run down lately, so I figured people on all continents were just concerned about my health and well-being :)

  20. Jack says:

    Had several similar mails on several addresses (different domains).
    Traced back only a few, all different countries.

  21. amy says:

    I’ve just cleared about a hundred of these over the past two days and started looking for some info on them. They are as described-all different except for the inane how are you. They are coming to my .edu address. Should I alert our completely inept IT folks?;>=

    Don’t bother Amy – there’s no way to find out anything yet. – Geoff

  22. I’ve gotten about a dozen of these over the last few days and have responded by sending them my social security number and my mother’s maiden name.

  23. mike sechrist says:

    Just checked my junk email file and what do you know there are two of them there.

  24. I have received more than 150 of these spam-mails. On Twitter there are many people asking the same questions as you are.

    Twitter:
    http://twitter.com/#search?q=hello%20-%20how%20are%20you%20spam

  25. Ralph says:

    Yep also got them. 34 as of yet.

    Best regards from Germany!

  26. Alexander Graf says:

    I started receiving those mails yesterday and up to now, about a hundred have landed in various of my inboxes.

    I agree with your assumption, there is something non-obvious going on here.

    Did you find out something about the X-Mras header? Which server/firewall/relay produces it?

    Also: Some of the emails are sent to a non-existant mailbox (i.e. 88c23b226b52@domain.org) which, like in your case, is forwarded to my gmail catch-all account. However, some of them are sent to legitimate mailboxes (contact@domain.com and even the correct firstname.lastname@domain.com). In all cases, the actual To: header is forged, though.

  27. Alex Romp says:

    I have also received quite a few of these. Because of the benign content, these sail through my spam server (Barracuda). If anybody figures out what they are, I’d love to know.

  28. Don says:

    RFC 822 allows for using X- prefix for user generated info. I have no idea what the “X-Mras: Ok” header means, but it seems to only show up in these emails. I created a filter to send any email containing “X-Mras” anywhere in the headers to a special folder. So far the only emails that show up there are these odd “Hello – how are you” type emails.

    This sort of email has been showing up for at least 2 years, off and on – the “X-Mras” field seems consistent in all cases (this may change).

    As pure speculation I think it may be an experiment with Bayesian auto learn features in some anti spam systems. Teach it any “X-Mras” token is ‘ham’. But that’s just a wild thought, as nothing else seems to come to mind. Well possibly some DNS hack, but that seems a slim possibility… maybe.

    If anyone knows where the “X-Mras” header originates, or what it means, I’d like to know.

    All I can say for sure is that so far the only emails my filter has caught are these odd ones under discussion here.

    Thanks for setting up this site, Goff Fox.

    Perhaps others would try doing the same filter and see if they catch any false positives and report back if they do (or don’t for that matter). I’d like to set it to just delete these – if in fact the “X-Mras” header is only associated with these emails (again, so far, it’s worked 100% for me).

    Don.

  29. Don says:

    Sorry for the typo, that’s “Thanks, Geoff Fox”

    Don.

  30. lyrl says:

    I have three of these. As others have suggested, could the sender be using the idea of emails that don’t get bounced back went to a legitimate address? That would give them a list of valid email addresses. Would that be valuable?

  31. fletch00 says:

    I’ve received a few dozen of these tagged by our campus filter with 1/4 spam ‘#’ – so my filter currently shows them to me.
    I think it’s funny we’re spending this much effort trying to figure out the spammer’s “master plan” – in this case maybe we’re giving them way too much credit ;^P

    Dear Spammer – we are fine – although we think you made a mistake on your botnet job this time – are you feeling OK? ;)

  32. Pec says:

    Me too ! I’ve received 30 spams “hello, how are you” all different..
    It’s curious !
    What’s this !

  33. [...] – How Are You. The Spamming Continues. What the heck is going on? Yesterday I wrote about a spam message making its way across the Internet. Subject: hello Message: how are you. As has happened a few times in the past I blogged about [...]

  34. Grace says:

    Yes, I have been receiving the exact message from various senders since Friday Sept 17th. There have been so many that I have lost count. Easily over 3 dozen e-mails so far. They are being sent to me via my grad school account which is forwarded to my yahoo. The “To” line doesn’t even make sense, since it’s not my actual e-mail. I wonder what this is all about…

    If this continues, I plan on contacting my grad school tech dept to see if they can do something about it. Something similar happened a few years back (also through my grad school .edu account). Tech support mentioned that the anti-spam software/filters had to be upgraded.

  35. Dan says:

    Yes, I’ve received a flood of these emails to my personal domain this weekend. First a torrent to an alias I no longer use so disabled that, then later a batch to my regular address.

    This morning I arrived back at work to discover various people, typically those at director level, also received hundreds between them! Quite an offensive attack.

  36. Richard says:

    I have received at least 20 of these all weekend. But today I have been receiving e-mails from random people with the header ‘report’ and saying ‘Sending my report. Have a great weekend.
    Cheers’
    It then has an attachment.
    Any ideas how I can block them?

  37. Dan says:

    Richard, I believe that email is probably an ‘ordinary’ spam / virus. These ‘hello’ emails are fairly unique in their sparseness, frequency and volume, and the suddenness with which they started and stopped.

    A few minutes ago I had another ‘hello’ email with the X-Mras: Ok header, X-Mailer: Microsoft Windows Mail and so on, only with a slightly longer body:

    “hio
    someone showed me your profile and trust me i like you
    do you want to see my pic?

    please contact me directly at
    mayeabbateitmd@hotmail.com

    Nothing else in the body at all. As per the others, this was relayed through what’s probably an ISP’s relay, but crucially now invites a response. I wonder if the attack is beginning again, or this is another ‘regular’ spam? Interesting!

  38. nancy says:

    I’ve gotten 100’s of undeliverable mail for something I never sent. I think to do with pharmaceuticals. It was a widespread virus. I updated McAfee and it’s gone. Every week I get a message that the scan was clean but it obviously wasn’t.
    Hey Jeff. Are we going to lose our tomatoes tonight? We’re in a low spot in Woodbridge and always get the first frost.

  39. Chris says:

    Just started getting these “hello” emails 18th Sept 2010, only 4 to date

  40. As mentioned by someone else earlier, sometimes you have a hidden packet in the email (although those hello did not have it…)

    I got such a load today:

    http://dscam.m2osw.com/notes-from-last-week

    It included a JavaScript that would hit a web page on a “random” website. I was too late and that HTML page was already removed so I could not see what that part would have done to you. The email was pretty empty otherwise.

  41. Don says:

    See my post at: http://www.geofffox.com/MT/archives/2010/09/19/hello-how-are-you-the-spamming-continues.php#comment-7573

    I think it is the most likely explanation of this type of email.

    Don

  42. Spam Guy says:

    This past saturday morning, about once per hour from 3 am until 9 am, I got 6 spams to the same account from these IP addresses:

    62.24.127.28
    217.203.84.22
    78.3.224.9
    79.115.208.166
    178.90.69.185
    87.252.227.84

    My SMTP server rejects all connection attempts from IP’s located in Russia, China and all of South and Central America.

    These spams were all similar in that:

    – The subject was simply – hello
    – The body was simply – how are you?
    – The header contained a second Return-Path: line (unusual for the direct-to-mx spam I usually get)
    – The header contained a second Received: line that contained a port=nnnn and helo=(string) parameter (which I believe is indicative of Exim software).

    There seems to be some history of abuse using servers running Exim where the operators are having a hard time securing them or even properly logging their operations.
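Don’s X-Mras filter (comment 28), Alexander Graf’s note that the To: header never matches the mailbox the message was delivered to (comment 26), and Spam Guy’s list of structural tells just above (two Return-Path lines, a Received line carrying port= and helo=) can be combined into one scoring rule, so that no single header decides the outcome. This is an added example, not code from the post or from any commenter. Both sample messages are constructed: one is rebuilt from the headers quoted on this page (with placeholder addresses where the page elides them), the other is an ordinary “hello / how are you?” note from a friend. The signal weights and the threshold are my own choices, not anything the page specifies.

```python
"""Score a raw message against the 'hello / how are you?' fingerprint
described in the comments, using several independent signals."""
import email
import re

# Constructed sample rebuilt from the headers quoted on this page. Addresses
# the page shows elided are placeholders (example.invalid).
SPAM_SAMPLE = """\
Return-Path: <retaliatoryind85@radio-tsf.com>
Delivered-To: jfkppv@geofffox.com
Received: from CQBSXPI ([213.132.238.38])
        by mx.google.com with ESMTP id h12si16768445bkh.103.2010.09.18.22.11.46;
        Sat, 18 Sep 2010 22:12:31 -0700 (PDT)
Return-path: <retaliatoryind85@radio-tsf.com>
Received: from [213.132.238.38] (port=5256 helo=r111)
        by radio-tsf.com with asmtp
        id 760651-000749-48
        ; Sun, 19 Sep 2010 08:11:32 +0300
From: "Fannie Salazar" <retaliatoryind85@radio-tsf.com>
To: <someone-else@example.invalid>
Subject: hello
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Windows Mail 6.0.6001.18000
X-Mras: Ok

how are you?
"""

# Constructed benign sample: same subject and body, sent normally by a friend.
FRIEND_SAMPLE = """\
Return-Path: <pat@example.invalid>
Delivered-To: me@example.invalid
Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])
        by mx.example.invalid with ESMTP id abc123;
        Sun, 19 Sep 2010 09:00:00 -0400
From: Pat <pat@example.invalid>
To: me@example.invalid
Subject: hello
Content-Type: text/plain; charset="us-ascii"
X-Mailer: Microsoft Windows Mail 6.0.6001.18000

how are you?
"""

# Weights are this example's own choice: the body text and the odd header
# count most, but neither is enough on its own to cross the threshold.
WEIGHTS = {
    "x_mras": 2,
    "greeting_subject": 1,
    "greeting_body": 2,
    "two_return_paths": 1,
    "port_helo_hop": 1,
    "windows_mail": 1,
    "to_mismatch": 1,
}
THRESHOLD = 5


def body_text(msg):
    """First text/plain part as str (the whole body for single-part mail)."""
    if msg.is_multipart():
        parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
        if not parts:
            return ""
        msg = parts[0]
    raw = msg.get_payload(decode=True) or b""
    return raw.decode(msg.get_content_charset() or "us-ascii", "replace")


def signals(raw):
    """Which fingerprint features a raw message exhibits."""
    msg = email.message_from_string(raw)
    received = [re.sub(r"\s+", " ", v) for v in msg.get_all("Received", [])]
    subject = (msg.get("Subject") or "").strip().lower()
    delivered = (msg.get("Delivered-To") or "").strip().lower()
    to = (msg.get("To") or "").lower()
    return {
        "x_mras": (msg.get("X-Mras") or "").strip().lower() == "ok",
        "greeting_subject": subject in {"hello", "hi", "hey"},
        "greeting_body": re.fullmatch(r"\s*how are you\?\s*", body_text(msg), re.I) is not None,
        # get_all is case-insensitive, so Return-Path and Return-path both count
        "two_return_paths": len(msg.get_all("Return-Path", [])) >= 2,
        "port_helo_hop": any(re.search(r"\bport=\d+ helo=\S+", r) for r in received),
        "windows_mail": (msg.get("X-Mailer") or "").startswith("Microsoft Windows Mail"),
        # the mailbox we delivered to does not appear in the To: header at all
        "to_mismatch": bool(delivered) and delivered not in to,
    }


def score(raw):
    return sum(WEIGHTS[name] for name, hit in signals(raw).items() if hit)


def is_hello_spam(raw):
    return score(raw) >= THRESHOLD


if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("friend", FRIEND_SAMPLE)):
        print(label, score(sample), is_hello_spam(sample), signals(sample))
```

A legitimate “hello / how are you?” note scores 4 here and is left alone, and a message carrying only X-Mras scores 2, so the rule holds up if, as Don warns, that header changes or turns up on legitimate mail. Quarantine rather than delete until the false-positive rate on your own traffic is known.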

  43. [...] From Amazon. I’m posting this more to attract other interested parties than anything. Last weekend I posted an entry about a mysteriously benign spam that was going out by the millions. This afternoon it’s something new though I suspect [...]

  44. Jean-Louis says:

    I received many of these on different accounts on one of my domains (only one domain).
    Google Apps for my domain doesn’t filter these, so they come in. I reported them to Google Apps but they still come in.
    I think I’m going to set a filter to automatically send them to the trashcan.

    Hello from France (Europe)

  45. [...] Second Coming: “Hello – How Are You” Spam. It’s back. The “hello – how are you” spam is once again flying across the Internet. I didn’t notice until a few new comments posted on [...]

  46. Dark says:

    I have received some as well.
    No one has really mentioned the from addresses they are getting them from. Is it possible that the accounts are bogus but they do forward to a catchall? As many of us have them set up.
    Another thought is that the test is to see the population this receives online as well as harvesting information that way. Someone could be trying out some new code technique and we are all obliging them with information on how well it is working.

    (HERE IS AN EXAMPLE THAT CAME IN)
    From: – Sun Sep 26 21:14:50 2010
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 00000000
    Return-Path:
    Delivered-To: DOMAIN.com-USER.NAME@DOMAIN.com
    Received: (qmail 5585 invoked by uid 399); 26 Sep 2010 22:18:30 -0000
    X-Virus-Scan: Scanned by clamdmail 0.15 (no viruses); Sun, 26 Sep 2010 18:18:30 -0400
    Received: from unknown (HELO ironport5.opentransfer.com) (76.162.254.116) by mail9.opentransfer.com with SMTP; 26 Sep 2010 22:18:30 -0000
    Received: from unknown (HELO MYQKHHZ) ([211.173.132.78]) by ironport5.opentransfer.com with ESMTP; 26 Sep 2010 18:18:23 -0400
    Return-path:
    Received: from [211.173.132.78] (port=9800 helo=ssssdde8e6d6ac) by mx1.rasecurity.com with asmtp id 64555D-0009E2-22 for ; Mon, 27 Sep 2010 07:18:16 +0900
    Message-ID:
    From: Chauncey Ashley
    To:
    Subject: hello
    Date: Mon, 27 Sep 2010 07:18:16 +0900
    MIME-Version: 1.0
    Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Windows Mail 6.0.6001.18000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
    X-Mras: Ok
    X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on localhost
    X-Spam-Status: No, score=1.6 required=5.0 tests=FROM_ENDS_IN_NUMS,SUB_HELLO autolearn=disabled version=3.0.2
    X-Spam-Level: *

  47. Pril says:

    I get one or two a week and glad to know it’s just a test. My only suggestion is never reply back. I think that’s what they are testing. maybe some string of events that will allow you to accept something if you type “who is this” or Great you or some other variable.
    That was my only thought!

  48. Jeff Meyer says:

    Dear other Geoff:

    I and several people on my school’s staff are getting these. We have a fairly secure server that uses Symantec’s enterprise level spam blocker, but these are not screened. They are definitely weird.

    Jeff

  49. Mell says:

    I too am receiving the “Hello” emails. All it has is “Hello” as a message subject (or “Hi”, “Hey”, etc.) and the body says “Hello” as well. There are no attachments. These are coming into my work email repeatedly and have been for a couple of weeks now. I just delete them but am starting to wonder what is going on here. Personally, I believe it is a phishing scam. If you reply, then you get bombarded with spam emails, so that’s why I don’t respond to them. Of course, I am not an IT person, but it’s just common sense.

  50. Antonio says:

    I just received this e-mail, which was forwarded automatically to all my contacts, and someone from Colombia (according to Google) opened my account and changed my password.

    If anyone has any related information on this issue, where their account gets literally attacked, who should they inform?

    Regards

    Antonio

  51. Me Ed says:

    I got at least a hundred emails today almost all in Russian. I took Russian 38 years ago in college but I don’t know what these say. I just recognize the alphabet. The few in English are all for Viagra etc. For a while they were coming in as fast as I could delete them. I’ve been at work the past 9 hours so I don’t know if they stopped yet.

  52. Steve says:

    Latest links to an .ru domain… And it came from the email address of a relative

    Hi!
    Have you already seen it? ” http://asenergo.ru/yh/breakingnews.php”

  53. frank says:

    I started to get these lately

    September 28 2014

    are you getting these again?
