Hello – How Are You. The Spamming Continues


What the heck is going on? Yesterday I wrote about a spam message making its way across the Internet.

Subject: hello
Message: how are you

As has happened a few times in the past, I blogged about something esoteric, poorly covered and curious. There was no one else ‘covering’ this news. Google deemed me the authoritative source. Search: “hello how are you spam” and you come to me.

No problem. I’m glad to help.

My blog traffic began to spike overnight as geeks and nerds from around the world tried to figure out what was going on. If you read through the comments you’ll see how perplexed everyone is. Why would a spammer send out millions of emails with absolutely no payoff on his end?

Every possible justification for the spam led to a dead end, save one.

RFC 822 allows for using the X- prefix for user-generated info. I have no idea what the “X-Mras: Ok” header means, but it seems to only show up in these emails. I created a filter to send any email containing “X-Mras” anywhere in the headers to a special folder. So far the only emails that show up there are these odd “Hello – how are you” type emails.

This sort of email has been showing up for at least 2 years, off and on – the “X-Mras” field seems consistent in all cases (this may change).

For the non-geeky, RFC 822 is the 1982 set of rules which govern email. The rules allow you to add your own parameters for your own purpose without telling anyone why. The only requirement is they start “X-.” These spam messages all contain “X-Mras: OK”, a combination not seen in any other email.

Does “X-Mras: OK” mean or do anything? We still don’t know, but the more people who dive into this the more likely it will make sense… at some point… just not now.
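The header filter described above, as an added example that is not from the original post: it sorts raw messages by the presence of an `X-Mras` header field (header block only, name matched case-insensitively) and tallies the header values and From domains of the flagged mail. The sample messages and the `.example` domains are constructed, and `triage` is a hypothetical name.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not captured mail); domains are placeholders.
SAMPLES = [
    "From: a@mailer.example\nSubject: hello\nX-Mras: Ok\n\nhow are you\n",
    "From: b@mailer.example\nSubject: Hi\nx-mras: OK\n\nhow have you been\n",
    "From: friend@other.example\nSubject: hello\n\nhow are you\n",
    # Marker text appears only in the body, so this one must not be flagged.
    "From: news@other.example\nSubject: Digest\nX-Mailer: demo\n\nX-Mras: Ok\n",
]


def triage(raw_messages, header="X-Mras"):
    """Split messages on presence of `header`; tally values and From domains.

    The From address is sender-controlled, so the domain tally is a hint
    about where flagged mail claims to come from, not proof of origin.
    """
    flagged, passed = [], []
    domains, values = Counter(), Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        value = msg.get(header)  # header-name lookup is case-insensitive
        if value is None:
            passed.append(msg)
            continue
        flagged.append(msg)
        # Normalise so "Ok" and "OK" count as the same value.
        values[value.strip().lower()] += 1
        addr = parseaddr(msg.get("From", ""))[1]
        domains[addr.rpartition("@")[2].lower() or "(unknown)"] += 1
    return flagged, passed, domains, values


if __name__ == "__main__":
    flagged, passed, domains, values = triage(SAMPLES)
    print(f"flagged={len(flagged)} passed={len(passed)}")
    print("header values:", dict(values))
    print("From domains of flagged mail:", dict(domains))
```

Matching on the short subject and body alone would also catch the third sample, an ordinary message with the same wording; keying on the header field avoids that.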

Earlier I wrote how I received a few handfuls of these messages. I was wrong.

It was possible some were getting ‘stuck’ at the geofffox.com spam box and never making it to Gmail. When I went there and checked, the first screen of results showed 20 spams. At the bottom of the page it said, “20 of thousands.”

It’s difficult to say with any authority what resources are being pressed into service to send the “hello – how are you” spam. This is an immense undertaking–that’s for sure. And as far as anyone can see there is absolutely no benefit to the spammer–zero!

I’d like to know why he’s doing it.

5 thoughts on “Hello – How Are You. The Spamming Continues”

  1. It’s possible that this is just an ego trip for someone who has a screw loose. A puzzle that really isn’t a puzzle. A wild goose chase. No purpose, but perhaps a bored teenager somewhere in a distant place trying to drive us nuts. I once saw graffiti on a sign high above the Major Deegan Expressway. Why would someone do that? 1) to show off; 2) because they can; 3) to make you wonder how they did it.

  2. The last one I received was also close to 19-09-2010 / 20:28 CET. Although these types of emails have been arriving in clumps, but sporadically, for several years. So they may start again – or never.

    Some digging around leads me to suspect that the X-Mras header is only in emails that originate via ‘mail.ru’ – the largest free e-mail service of the Runet (short for Russian Internet).

    I don’t get much email from ru, so I can’t yet say that the X-Mras header exists only in email from mail.ru, but so far those are the only emails I can find it in.

    So possibly my ‘sort to a special folder’ filter for these ‘H-HAY’ emails simply catches mail from ru… it also may mean that the place of origination for these is via the free email service of the Runet.

    That doesn’t necessarily translate into ‘Russian Spammer’, as Runet is many services (Russian Twitter, email, etc.) and can be used by people from about anywhere.

    On the other hand it does probably mean that these emails are actually originating from the Runet service, if the X-Mras header is in fact tied to mail.ru.

    OK, so that’s about all I’ve come up with.

    Well, except for one little theory – just for the ‘Cloak and Dagger’ crowd…

    If you just wanted to communicate a simple message that would reach someone without actually being tied to them, one might just send this exact sort of email, as spam – or perhaps I should say ‘having the appearance of spam’. But as spam that is not very likely to get lost in an email filter… and it would not need (or want) a valid reply to or any return method – or want to link to any website (increase the likelihood of auto-deletion as spam).

    Of course the message is not the ‘How are you’ – that is simply a code phrase that whoever it’s intended for will be able to understand as a message (get out the phrase=message code book).

    I mention this because these types of emails have happened over a period of several years, the exact messages are not the same (Hi – How have you been, or Hello – haven’t heard from you in awhile, etc.)

    Not a bad little message drop system, no?

    Don.

  3. I have been getting the same message, “Hello, how are you”. However, it doesn’t come in my email, but instead pops up on my browser. It was doing it on IE when I opened IE. Now, it came up on Google Chrome when I clicked on a news item link on NASDAQ.
