Q: A New Spam/Scam: Am I At Risk? ( Answered 5 out of 5 stars,   18 Comments )
Question  
Subject: A New Spam/Scam: Am I At Risk?
Category: Computers > Internet
Asked by: probonopublico-ga
List Price: $25.00
Posted: 28 May 2006 01:29 PDT
Expires: 27 Jun 2006 01:29 PDT
Question ID: 732992
I've just received what appeared to be a message from eBay who
(purportedly) "sent this message on behalf of an eBay member via My
Messages".

As usual, my Spam Filter (McAfee) blocked some pictures "to help
prevent the sender from identifying my computer". However, it gave me
the option to "Click here to download pictures". Anticipating that it
was a genuine message, I then downloaded the blocked pictures.

In fact, it was a spoof: 

"Hi, Is the item still available for sale? Let me know because I'm
online and I can pay you right now. Thank you, xxxxxxxxxx"

I knew immediately because I do not sell anything on ebay.

Further checking revealed that the Item # doesn't exist; and the
sender is not a Registered User.

Moreover, although the message claimed that "Your registered name is
included to show this message originated from eBay" my Registered Name
was not, in fact, included.

I was requested to respond to the message via a "Respond Now" button
but, of course, I haven't.

Naturally, I have reported this to ebay.

However, I do not understand why my Spam Filter blocked some pictures
"to help prevent the sender from identifying my computer".

Please explain and also advise whether or not the sender may now be
able to identify my computer because I downloaded the pictures.

And does it matter anyway?

Many thanks!

Bryan
Answer  
Subject: Re: A New Spam/Scam: Am I At Risk?
Answered By: palitoy-ga on 28 May 2006 03:04 PDT
Rated:5 out of 5 stars
 
Hello Bryan,

Thank-you for your question.

I have had a few of these emails myself from "eBay" and they are sadly
increasing in regularity.  Thankfully Gmail (my email spam filter) is
rather good at picking scams such as these up due to the enormous
number of emails they can scan coming through their system (and the
ability of users to report scams such as these).

The reasoning behind why someone would send you the email is mainly
for three things - to gain control of your eBay account, to gather any
private information it can on you and to verify that your email
address exists.

The first of these reasons is obvious - if a person gains control of
your account they can use it for illegal purposes and essentially
assume your identity online for whatever purpose they have in mind. 
For instance, they could use your account to sell illegal wares, to
use your reputation to enhance theirs or simply to harvest your
contact information (full name, credit card details, address,
telephone numbers etc).

Verifying your email address is also a profitable business for people
to be in - once they have verified an email address they can add you
to a mailing list which they can then sell on for money to large
corporations.  If the spammer was motivated they could also build up
several more focussed mailing lists depending on what you have
bought/sold through eBay.

This is where your spam filter comes to good use and is preventing the
seller from identifying your computer.  You are aware that it is
simple to place links in an email that appear to be from a company but
in fact when you click on a link it actually takes you to another site
(a phishing attack).  A similar thing can be done with images - when
you request to see the image you are essentially visiting the website
in order to see the image.

In the writing of the email the spammer can make the link to the image
include and pass on to him various pieces of information about you
such as, but not limited to, your computer's IP address (where your
computer lives in effect - thus pinpointing where in the world you
live) and your email address (because you are reading the email and
the spammer has been notified that you are looking at the images he
now knows your email address belongs to a real person).  Both of these
can be valuable pieces of information for market research.

Try going to this website and see what information you are giving away
for free: http://www.ip2location.com/

In my case, they have identified where I live (within 10 miles) and
who I get my internet connection from.  If a spammer (or a sales
person) had the time and inclination, he could then use this
information to sell me alternative internet service providers in my
area.  If I had clicked on the links in the email he may also have
access to my exact home address and telephone numbers.

Viruses and malicious code can also be hidden within certain types of
image files due to the way Microsoft Windows displays these images. 
See this BBC article for some background:
http://news.bbc.co.uk/1/hi/technology/4566504.stm

The code hidden in the images could potentially log every key you type
when you access, for instance, your banking website (thus enabling him
to log in to your bank and spend your money as he pleases).  It could
send emails to everyone in your address book (or simply harvest them
as other "live" email addresses for more mailing lists).  It could
start deleting vital files from your computer.  It could email
documents from your "My Documents" folder where many people keep their
private details.  There are countless possibilities as to what the
malicious code could do and this is why it is vital that users keep
up-to-date with security patches (as Microsoft do try to solve
critical flaws as soon as possible via http://www.windowsupdate.com).

Without seeing the exact coding of the email it is impossible to tell
what tricks the spammer is up to (it may still be difficult even with
the exact coding as the spammer is likely to have encoded the
information - he wouldn't want someone just to steal this information
from him as it is valuable!).

In summary, at the very least by downloading the pictures the spammer
now knows that someone at your IP address exists (he can do this by
looking at what IP addresses requested to see his image in his website
webserver logs).  You may or may not notice a small surge in spam
emails to your email address but hopefully that is all that will have
happened.

I hope this answers your question but if you do require more
information on the subject I will be happy to help out more.  I am
reluctant to explain the techniques exactly as it could easily give
people ideas to try these techniques out for themselves and I would
rather I received less spam than I already do!

Further information:
http://www.whatismyip.com (try getting your IP address from here then
entering it into the following site)
http://www.geobytes.com/IpLocator.htm?GetLocation
http://www.wired.com/news/infostructure/0,1377,64178,00.html
http://en.wikipedia.org/wiki/Ip_address
http://en.wikipedia.org/wiki/Geolocation

Request for Answer Clarification by probonopublico-ga on 28 May 2006 03:44 PDT
Hi Pal

No this is not a dreaded RAC but just a big thank you for the prompt response.

I guess living in the same part of the world helps.

I will now study the links, etc. at my leisure but, at first glance,
you seem to have answered my question more than adequately.

All the Best

Bryan

Clarification of Answer by palitoy-ga on 28 May 2006 04:14 PDT
Hi Bryan,

No problem.  If you do come up with any further questions on this
subject or anything is not clear, please let me know.

BTW - did you ever work out which county has produced the most fast
bowlers for England?  You got me thinking and now I am writing a
script to discover the answer!

palitoy-ga
probonopublico-ga rated this answer:5 out of 5 stars and gave an additional tip of: $10.00
Hi Pal

You really are a great pal.

I've done A Virus Scan and everything's OK (allegedly).

Anyhow, I'm confident that I can sleep tonight.

It's been an enlightening experience and, of course, I shall now be more careful.

Many thanks for your help.

All the Best 

Bryan
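
The answer above explains that fetching a remote image tells the sender's web server your IP address, and that the image link can carry your e-mail address. As an added example (not part of the original thread), this is the kind of check a mail filter can run before deciding to block pictures. The message, the `example.invalid` hosts, the function names and the choice of base64 as the encoding to look for are all assumptions made for illustration.

```python
import base64
import binascii
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample message (not the e-mail from the thread); all hosts are placeholders.
RAW = """\
From: "eBay Member" <member@example.invalid>
To: reader@example.org
Subject: Question about your item
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="http://images.example.invalid/logo.gif">
<img src="http://track.example.invalid/o.gif?u=cmVhZGVyQGV4YW1wbGUub3Jn&c=42" width="1" height="1">
<img src="cid:inline-logo">
<p>Hi, is the item still available for sale?</p>
</body></html>
"""

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def _identifies(value, recipient):
    """True if a URL parameter is the recipient address, plain or base64-encoded."""
    if value.lower() == recipient:
        return True
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return False  # not base64, so not an encoded copy of the address
    return decoded.lower() == recipient

def audit_remote_images(raw):
    """Return one finding per image that a mail client would fetch over the network."""
    msg = message_from_string(raw, policy=default)
    recipient = msg["To"].addresses[0].addr_spec.lower()
    collector = ImgCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    findings = []
    for attrs in collector.images:
        url = urlsplit(attrs.get("src") or "")
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images travel inside the message; no request is made
        params = parse_qsl(url.query)
        findings.append({
            "host": url.hostname,  # this server would log the reader's IP address
            "carries_recipient": any(_identifies(v, recipient) for _, v in params),
            "one_pixel": attrs.get("width") == "1" and attrs.get("height") == "1",
        })
    return findings
```

Every entry returned is a request that would reach the sender's server if pictures were downloaded; an entry with `carries_recipient` set also ties that request to one mailbox.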

Comments  
Subject: Re: A New Spam/Scam: Am I At Risk?
From: sonoritygenius-ga on 28 May 2006 07:19 PDT
 
Another ebay scam, wow. I wonder how they got your email when you don't
even have an ebay account!
Since you displayed those images - I really think you should revert
your registry. Just do a System Restore to an earlier point of "System
Checkpoint"

Though, hijack-this log would be even better!
Subject: Re: A New Spam/Scam: Am I At Risk?
From: probonopublico-ga on 28 May 2006 07:32 PDT
 
Hi sonoritygenius-ga,

I do have an ebay account (although I only ever buy) but they didn't
figure out my Registered Name.

I guess that they picked up my email address from somewhere and just
hoped that I would have an ebay account.

I've also had phishing attempts supposedly from banks where I don't
even have an account.

I suppose that if they send enough stuff out some of it is going to stick.

Thanks for your advice about doing a System Restore to an earlier
point of "System Checkpoint" but I dunno how to do this.

Could you please explain?

Many thanks!

Bryan
Subject: Re: A New Spam/Scam: Am I At Risk?
From: sonoritygenius-ga on 28 May 2006 07:48 PDT
 
Sure! It's a feature that comes with latest version of Windows: i.e.
Windows XP Home and Windows XP Professional (though possibly also for
ME, 2000)

It's a cool feature that allows you to restore your computer
registry/and settings to an earlier time - if - and when - the present
configuration is in suspect of having malware (or unwanted pests hehe
;)

I hope you have Windows XP! 
if so click Start > All Programs > Accessories > System Tools > System Restore 

Then click Restore to an earlier point, a calendar-like will show up -
click a date 2-3 days prior to present day or whenever you received
the email, and click Ok and it will automatically do everything else!!

Hope it works.. :)
Subject: Re: A New Spam/Scam: Am I At Risk?
From: palitoy-ga on 28 May 2006 07:54 PDT
 
Hello Bryan,

I saw sonoritygenius-ga's comment saying it might be helpful to
perform a "System Restore".  I do not believe that this would be
helpful in this case - this is usually used when you have installed a
piece of software that has corrupted your system - although this might
have happened by viewing the images it is *highly* unlikely - and
restoring your system to an earlier time may cause more problems than
it is worth.  My experience with System Restore is that it does
restore your PC to an earlier time but still leaves unwanted files
behind (it just makes it more difficult for your PC to find them!).

The most likely scenario here is that the spammer has simply harvested
your email address and marked it as belonging to a human (rather than
a computer)!

Do you have access to Anti-virus software and Anti-Spyware software? 
It would certainly be worth your while running this to ensure nothing
sinister is lurking on your PC now.

System Restore: http://en.wikipedia.org/wiki/System_Restore
Subject: Re: A New Spam/Scam: Am I At Risk?
From: sonoritygenius-ga on 28 May 2006 07:59 PDT
 
polly's probably right, that email probably did not install any
keyloggers that monitor what you do and type.. but I am not sure how
spammers operate so I dunno hehe

but whenever you have a program giving you problems, it sure can be
helpful to revert the settings back! :)
Subject: Re: A New Spam/Scam: Am I At Risk?
From: frde-ga on 28 May 2006 09:32 PDT
 
@Probono

I use something called MailWasher
- it is not the most brilliant software, but it does what I want

It collects all Emails from one or more accounts without deleting them
at the Mailserver, and allows you to poke around looking at them.

You can then delete them if suspicious. Because it is very crude, it
cannot do more than display the text source.

For my mail reader I use a very old version of Eudora, since malware
writers target new stuff it rather makes sense to avoid new things.

If you are using XP then it makes sense to set up a User Account that
has b*gger all rights
- set up so it can't install programs and has no write access to just
about everything.

A little paranoia does no harm - sometimes it is justified
Subject: Re: A New Spam/Scam: Am I At Risk?
From: probonopublico-ga on 28 May 2006 09:49 PDT
 
Hi sonoritygenius-ga ...

Or can I just call you 'Genius'?

I do have XP Pro on this machine.

Hi frde-ga ...

I tried MailWasher once but I cannot now recall why I stopped using it.

Thanks anyway.

Kindest regards to you both.

Bryan
Subject: Re: A New Spam/Scam: Am I At Risk?
From: palitoy-ga on 28 May 2006 10:18 PDT
 
Thanks for the 5-star rating and generous tip.  They are both appreciated.

I would also like to second frde-ga's tip of using Mailwasher.  It is
an excellent piece of software (although it is beginning to look a
little dated).  I used to use Mailwasher as my spam filter too until I
discovered that you could use Gmail just as easily.

I own my own domain name and I divert all the email sent to that
domain name to my Gmail account.  My Gmail account then kindly filters
the spam for me (less than 5 spam emails get through a week out of
several hundred emails).  The beauty of using Gmail is it indicates
when it believes an email is phishing for information :-)  I only ever
give out my domain name email address and anyone who emails my Gmail
account directly is treated as spam immediately.

Bryan, if you are interested in setting a system up like this please
let me know and I can post some more instructions here.
Subject: Re: A New Spam/Scam: Am I At Risk?
From: probonopublico-ga on 28 May 2006 11:41 PDT
 
Many thanks, Pal

I'll keep your offer in mind.

Regarding the English Fast Bowlers, no I didn't get the answer I was seeking.

I took a look at Answerfinder's List and thought I bet my great pal
will have great fun writing a script for this.

So, because I didn't want to spoil your fun, I am still in the dark.

Go on .... Amaze me!

Thanks again

Bryan
Subject: Re: A New Spam/Scam: Am I At Risk?
From: palitoy-ga on 28 May 2006 11:56 PDT
 
I'm still working on the list of bowlers, I've parsed the list of
English cricketers to remove any non-fast/fast-medium bowlers and
should have the results tomorrow.  Since we won the 2nd Test today I
now have time on my hands, I shall finish this tomorrow!

Only UK-born fast/fast-medium bowlers count and the county that they
first played for counts as the team that provided them to the English
cause, is that correct?
Subject: Re: A New Spam/Scam: Am I At Risk?
From: probonopublico-ga on 28 May 2006 12:16 PDT
 
Great stuff, Pal

They don't necessarily have to have been born in England.

For example: Devon Malcolm, Phil de Freitas, Chris Lewis and 'Syd'
Lawrence would be OK even if they weren't born in England (I don't
know whether they were or not).

And, of course, the two Jones from Wales (Simon and his dad, Jeff) are also OK.

The County that they first played for gets the credit; subsequent
Counties don't count.

Good Luck!

Bryan
Subject: Re: A New Spam/Scam: Am I At Risk?
From: palitoy-ga on 29 May 2006 02:59 PDT
 
The results are in.

First, this is what I did... I parsed the information given on the
Cricinfo website for each cricketer who has played for England and
extracted their place of birth and their first English county cricket
team.  The only players I counted were players who using Cricinfo's
information were fast or fast-medium bowlers (medium-fast did not
count).

Place of birth - number of players
==================================
Australia - 3
Barbados - 1
Buckinghamshire - 1
Cheshire - 6
Co Durham - 1
Derbyshire - 11
Devon - 1
Dominica - 1
Essex - 7
Gloucestershire - 2
Guyana - 1
Hampshire - 3
Hereford - 2
Huntingdonshire - 1
India - 1
Ireland - 1
Jamaica - 2
Kent - 8
Lancashire - 13
Leicestershire - 4
Lincolnshire - 1
London - 16
Middlesex - 5
New Zealand - 1
Norfolk - 1
Northamptonshire - 2
Northern Rhodesia - 1
Northumberland - 1
Nottinghamshire - 12
Scotland - 1
St Vincent - 1
Staffordshire - 3
Surrey - 9
Sussex - 2
Wales - 4
Warwickshire - 4
Wiltshire - 1
Worcestershire - 3
Yorkshire - 17

First county - number of players
================================
Derbyshire - 16
Durham - 3
Essex - 11
Glamorgan - 6
Gloucestershire - 4
Hampshire - 8
Kent - 14
Lancashire - 15
Leicestershire - 5
Middlesex - 10
Northamptonshire - 5
Nottinghamshire - 12
Somerset - 7
Surrey - 16
Sussex - 3
Warwickshire - 5
Worcestershire - 5
Yorkshire - 10

So it looks like if you want your son to be a future English
fast/fast-medium bowler, the place to be born is Yorkshire or
alternatively you should look to making him play for Surrey or
Derbyshire!
Subject: Re: A New Spam/Scam: Am I At Risk?
From: probonopublico-ga on 29 May 2006 04:06 PDT
 
Amazing!

Very many thanks, Pal.

I am mightily impressed.

Was it all done with Java?

All the Best

Bryan
Subject: Re: A New Spam/Scam: Am I At Risk?
From: frde-ga on 29 May 2006 04:59 PDT
 
@Probo

You probably found that Mailwasher created crashes

I autoload absolutely no Applications, on startup I manually load
MailWasher and wait for it to settle down, then I quickly manually
load the other Apps that I like to keep running.

The original version, and the oldish version that I currently have,
are not particularly well written - it is in Delphi, a language I
know, and I'm distinctly unimpressed by the implementation.

However, despite those drawbacks, it does /exactly/ what I want, which
is to safely screen and manually examine all incoming mail.
I'm not concerned whether it thinks it is Spam (I don't really trust
Spam detectors) but I'm very concerned about zapping viruses.

I also suggest that you set up your browser to disable ActiveX
controls, letting those things run is like executing a remote program
on your machine.
Subject: Re: A New Spam/Scam: Am I At Risk?
From: palitoy-ga on 29 May 2006 05:08 PDT
 
Hi Bryan,

It was done with a little Perl scripting and minor human tweaking. 
Basically Perl fetched each of the 633 pages from the Cricinfo site
and told me the information that I needed from each page, it was a lot
quicker than reading each page myself!

Sorry Lancashire did not come out on top!

palitoy-ga
Subject: Re: A New Spam/Scam: Am I At Risk?
From: probonopublico-ga on 29 May 2006 05:31 PDT
 
Wow, Pal

This Pearl woman sounds very helpful.

Is she also glamorous?

Envious of Hove
Subject: Re: A New Spam/Scam: Am I At Risk?
From: palitoy-ga on 29 May 2006 06:12 PDT
 
:-) Perl is very handy and she loves doing boring, tedious and
repetitive tasks.  Sadly she is not as glamorous as Ruby, the
new(ish) girl on the block :-)
Subject: Re: A New Spam/Scam: Am I At Risk?
From: smithkarl-ga on 05 Jun 2006 10:53 PDT
 
Hi,

 I think it is useless to make a discussion about spoof emails for 
a long time.

All emails from ebay, paypal, amazon, stormpay and other famous
big companies will always call you by the name.

If paypal sends you an email they start with Dear Karl Smith
not Dear Customer.

My gMail 99% of the time trashes these messages instantly. 
I delete them myself the rest if they don't begin with
Dear Karl Smith. They are all spoof.

Regards,
Delete Spyware
http://www.deletespyware-adware.com/
