How to filter fake membership and e-card spam mails

The Internet community has been pestered with yet another wave of spam mails recently. The new type of spam contains fake membership information and e-cards.

The spammers use two attack vectors if you click on the IP link that is listed in those emails. They try to convince you to download a program called Secure Login Applet which is nothing more than an infected executable named applet.exe and also probe your computer to see if it can be exploited by several known vulnerabilities.

The mails are send out with various subjects such as Internet Dating, Member Details and New Member Confirmation and contain (fake) username and password information as well as a link that is always shown as an IP address. I created a screenshot of one of the messages that I received today, take a look:

I was not able to identify any recurring information used in the header of the emails but fortunately for us the body contains information that are present in every spam mail send out by the spammers up until now.

You always find a link to an IP address in those mails and we can use this information to filter out these emails. I will explain a step by step tutorial on how to setup the filter in Thunderbird, other mail clients should offer a similar functionality.

• Open Thunderbird
• Create a new mail folder where the spam that is found will be moved into
• click on Tools > Message Filters
• Choose an account and click on New
• Name it accordingly, something like Membership Spam will do;
• Hit the + button in the top form eight times and edit all nine filters the following way
• Select Body instead of Subject in the first pulldown menu
• Leave the second pulldown menu unchanged
• Add http://1 to http://9 in the nine textfields in the third pulldown menu (one at a time)
• Change the mail folder to the folder that you created before creating the filter and click on ok

If you have done everything correctly it should look like the following:

This mail filter makes sure that every mail that contains a link to an IP address will be moved to a folder that you specify. I decided to move the mails instead of deleting them right away because it is theoretically possible that you do receive an IP link in a mail that is not spam.

If you think that this is highly unlikely you can change the move to command into delete to delete the spam mail right away. Let me know if you have any questions or difficulties setting up this filter.