It’s usually pretty easy to spot spam but sometimes it’s not. Case in point was today when I got an email from sarah.russell@gmail.com that sounds like she could be a long lost friend. The red flag was that it included a link to a zip file. NEVER NEVER click on a zip file unless you’re specifically expecting it!! You risk getting hacked or getting a virus or other bad things. Here’s the full content of the email:

Update: Thanks to Jerry for investigating & finding that the target included a hidden exe file. Also, Stephen reports that the real domain owner replied to his email and said his site had been hacked recently. Hopefully, we won’t see any more of this spam. 

Subject: hiiiiiiiiiiiiii
Sarah Russell [sarah.russell@gmail.com]
Sent: Friday, October 08, 2010 3:49 PM
To: Ross Jones

Hiiiiiiiiiiiiiiiii there, it’s Sarah here, it was such a long time we didn’t contact each other, how is it going with you there ? I heard that you got a new job, didn’t you? Is everything ok there ? Hey, can you believe it! I got married to Timothy ! Yes I did. I tried to call but you did not answer. You have changed your number, haven’t you? Just give me your current telephone number if you read this mail. It’s really a pity that we did not see you in our wedding. I wanted to invite you so much. Well, here I’m sending you a few pics taken in our wedding :

http://www.timothyhansen.com/pictures/wedding/weddingpix.zip

Let’s keep in touch then.

Love,

Sarah & Timothy

Sorry Sarah. I don’t remember Sarah Russell & I don’t know Timothy Hansen.

I didn’t click on the link for the zip file & I don’t think you should either. That website may have been hacked to have some virus attack your computer when you click the link. Spammers are getting more & more sophisticated these days. Be careful about what you click on & what you believe.
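The update at the top of this post, and Jerry's comment below, report that the "pictures" in the archive carried a hidden exe extension. As an added example (not part of the original post), this Python code lists a zip's members in memory, without extracting anything, and flags names or leading bytes that indicate a Windows executable; the sample archive, its file names and the extension lists are constructed for illustration.

```python
import io
import zipfile

# Extensions Windows will run directly. A name like "photo.jpg.exe" is shown
# as "photo.jpg" when Explorer hides extensions for known file types.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}


def inspect_zip(zip_bytes):
    """Return (member name, reason) pairs without extracting anything to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Extensions of the file name only, ignoring any folder part.
            exts = info.filename.rsplit("/", 1)[-1].lower().split(".")[1:]
            with zf.open(info) as member:
                magic = member.read(2)  # reads bytes only; nothing is executed
            if exts and exts[-1] in EXECUTABLE_EXTS:
                decoy = len(exts) > 1 and exts[-2] in IMAGE_EXTS
                reason = ("image name with executable extension" if decoy
                          else "executable extension")
                findings.append((info.filename, reason))
            elif magic == b"MZ":  # DOS/PE header used by Windows executables
                findings.append((info.filename,
                                 "Windows executable header in non-executable name"))
    return findings


def build_sample_zip():
    """Constructed archive standing in for the download; contents are inert bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wedding/pic1.jpg", b"\xff\xd8\xff\xe0 constructed jpeg-like bytes")
        zf.writestr("wedding/pic2.jpg.exe", b"MZ constructed placeholder, not a program")
        zf.writestr("wedding/pic3.jpg", b"MZ constructed placeholder, not a program")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_zip(build_sample_zip()):
        print(f"{name}: {reason}")
```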

Below are the full details of the email I got:

Received: from barracuda.ctcnetworks.com (67.216.165.137) by
edison.stylenet.com (192.168.1.3) with Microsoft SMTP Server id 8.1.436.0;
Fri, 8 Oct 2010 15:50:38 -0500
X-ASG-Debug-ID: 1286571057-651498160001-ZlUuMX
Received: from mta162.anp.se (mta162.anp.se [88.131.62.162]) by
barracuda.ctcnetworks.com with ESMTP id I5a6oVf3iBhhQzTU for
<xxx@xx.com>; Fri, 08 Oct 2010 15:50:57 -0500 (CDT)
X-Barracuda-Envelope-From: 3e8.c.14430916.J5050-676353@mta162.anp.se
List-Unsubscribe: <http://www.anpdm.com/oa/676353/4345594775404A514B78434159>
X-Destination-ID: sarah.russell@gmail.com
X-MailingID: 14430916::0::0::676353::0::0
From: Sarah Russell <sarah.russell@gmail.com>
To: ross@xxx.com
Message-ID: <ACD7D1D46CA64A86B47E4DF414FB2250@gmail.com>
Date: Fri, 8 Oct 2010 22:49:59 +0200
X-ASG-Orig-Subj: hiiiiiiiiiiiiii
Subject: hiiiiiiiiiiiiii
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----8276E71F14CD4411B7215E60FC0883E2"
X-Barracuda-Connect: mta162.anp.se[88.131.62.162]
X-Barracuda-Start-Time: 1286571057
X-Barracuda-URL: http://barracuda.ctcnetworks.com:8000/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at ctcnetworks.com
X-Barracuda-Bayes: INNOCENT GLOBAL 0.0228 1.0000 -1.8727
X-Barracuda-Spam-Score: -1.87
X-Barracuda-Spam-Status: No, SCORE=-1.87 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=3.0 KILL_LEVEL=4.5 tests=HTML_MESSAGE
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.43117
Rule breakdown below
pts rule name              description
---- ---------------------- --------------------------------------------------
0.00 HTML_MESSAGE           BODY: HTML included in message
Return-Path: 3e8.c.14430916.J5050-676353@mta162.anp.se
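What the headers above show about the real sender, as an added example that is not part of the original post: the Python below parses the sender-related headers copied from this message and compares the displayed From address with the envelope sender and the delivering relay. The function names and the two-label domain shortcut are choices made for this example.

```python
import email
import re
from email.utils import parseaddr

# Sender-related headers copied from the message above (folding whitespace restored).
RAW_HEADERS = """\
Received: from mta162.anp.se (mta162.anp.se [88.131.62.162]) by
 barracuda.ctcnetworks.com with ESMTP id I5a6oVf3iBhhQzTU for
 <xxx@xx.com>; Fri, 08 Oct 2010 15:50:57 -0500 (CDT)
X-Barracuda-Envelope-From: 3e8.c.14430916.J5050-676353@mta162.anp.se
List-Unsubscribe: <http://www.anpdm.com/oa/676353/4345594775404A514B78434159>
X-MailingID: 14430916::0::0::676353::0::0
From: Sarah Russell <sarah.russell@gmail.com>
To: ross@xxx.com
Subject: hiiiiiiiiiiiiii
Return-Path: 3e8.c.14430916.J5050-676353@mta162.anp.se
"""

BULK_HEADERS = ("List-Unsubscribe", "X-MailingID")  # bulk-mailer markers seen above


def org_domain(host):
    # Simplification: keep the last two labels. Production code should
    # consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def addr_domain(value):
    return org_domain(parseaddr(value or "")[1].rpartition("@")[2])


def analyze(raw):
    msg = email.message_from_string(raw)
    from_dom = addr_domain(msg["From"])
    env_dom = addr_domain(msg["Return-Path"] or msg["X-Barracuda-Envelope-From"])
    # Received line written by the recipient's own gateway: the host and IP it
    # records are the ones that actually handed the message over.
    m = re.search(r"from\s+(\S+)\s+\(\S+\s+\[([\d.]+)\]\)", msg["Received"] or "")
    relay = (m.group(1), m.group(2)) if m else ("", "")
    return {
        "from_domain": from_dom,
        "envelope_domain": env_dom,
        "relay": relay,
        "from_envelope_mismatch": bool(from_dom and env_dom and from_dom != env_dom),
        "relay_matches_envelope": bool(env_dom) and org_domain(relay[0]) == env_dom,
        "bulk_headers": [h for h in BULK_HEADERS if msg[h] is not None],
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_HEADERS).items():
        print(f"{key}: {value}")
```

A From/envelope mismatch alone is normal for newsletters; the signal here is a personal-sounding note from a gmail.com address that arrived through a bulk-mailing host with list headers, while the gateway's own score (SCORE=-1.87) rated it as not spam.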

50 Responses to “Sarah & Timothy Hansen weddingpix.zip Spam”

  1. Life Alert says:

    I googled this and I can’t believe that it’s actually spam. I just got it today as well!

  2. Brian says:

    Thank you!!!! I got the same one…had no clue who that was & found this through Google…no viruses so far…am running everything I’ve got to protect it right now.
    Many thanks!
    BC

  3. Anjali Hart says:

    THANK YOU! I just got the same email … a little weird because lots of what she said was actually true. And since I have a big mail list, I get lots of email from people who I don’t remember. I always check before I click on a link though – thanks for posting that you’d gotten the same thing.

    Anjali

  4. Hansen SPAMMER says:

    Well, Sarah Russell, er um, Hansen’s hubby , Timmy, claims his daddy’s address, as listed below.

    James F Hansen

    1124 Gomer St
    Hayward, CA 94544-4316

    (510) 782-3390

    Well, that’s the address he used to register his website: http://www.timothyhansen.com

    TOTAL SCAM! TOTAL SPAM! TOTAL SPYWARE!

    Call his daddy, and tell him Timmy needs a spanking!!!

  5. Anonymous says:

    I just got the same email about an hour ago…I really thought she knew me until she never once mentioned my name….the .zip link was the tell-tale sign that it was a bogus email…clever but not clever enough for this fox.

  6. lc says:

    i got it too

  7. My long lost buddy “Sarah” actually came in from an email server that services one of my websites. I was suspicious from the get go due to the email address it came in on. So I read it, and it made me stop for a minute and think….”Do I know this person?…now here is the rub, the part that really pisses me off…the copy in the email is good, at least it hooked me momentarily…why does a person with talent like this have to put energy into behavior or motives that could be toxic? Stupid. Like so many people in today’s society who try to take short cuts, the easy way out, the con game, why not just do it right the first time? Takes the same amount of time, with less energy…and…..you don’t have to be constantly looking over your shoulder –if you are indeed the con man. If this is Hansen a word of advice: Shape up dude! One day you will be caught in an alley facing another dude who we will call the truth. Have a bad day you deserve it.

  8. Jeff says:

    I clicked on it. I have a MAC so I am not sure if they can hack it. Any ideas of what to do so I have no issues??

  9. T says:

    If you’re on the mac you’re more than likely safe. Almost all these viruses are for windows based PCs but to be safe do a quick scan. Go to macupdate.com, search for antivirus software and download a free virus scanner. Let it run once and if you’re clean, you can uninstall the virus scanner or save for another time. You won’t have to run frequent scans if you’re on a mac but it’s good to do it every once in a while.

    I got the same mail but didn’t download the link.

    Hope this helps.

  10. Andrew says:

    Argh
    I have an old GF called Sarah Russell so I opened it
    grrrrrrrr

  11. Wedding Pix Gone says:

    Looks like Tim removed his “wedding pix”.

    Nice job Ross, posting this fraudster’s “game”. Appears he’s wising up and covering his tracks.

    Individual people CAN make a difference!

    Hats off to you and your blog!

  12. Amy says:

    I opened it too! And clicked the link. The weird thing is I am actually starting a new job next week, so it totally fit. What should I do?

  13. David says:

    Just got this email on the 8th, looked at it today 10th web site is still up.

  14. DavidM says:

    Thank you for the post!! I got an email from “Sarah Norman” five minutes ago. Her last name was changed. mmmm.

    Thank God for the google! 🙂

  15. Annemarie says:

    I got this under the name “Sarah Norman” with this link: http://www.timothyhansen.com/photos/wedding/

    with no .zip at the end – luckily I thought twice before clicking it!

  16. Emiley says:

    I just got it too on 10-11-10.

  17. JeffY says:

    Thank you for the Post!!! I just got this and it sounded suspicious so I googled it and I am so glad that I did!! Mine was also Sarah Norman. I’m going to forward this to the people in my organization. Be careful out there!!!

  18. Kelley says:

    I got this one too. And Timmy (or..?) is improving. He/she’s removed the .zip extension from the end of the URL and addressed me by my first name… spelled correctly even. Here’s the text of my email:

    ***
    Hiiiiiiiiiiiiiiiii Kelley, it’s Sarah here, it was such a long time we didn’t contact each other, how is it going with you there ? I heard that you got a new job, didn’t you? Is everything ok there ? Hey, can you believe it! I got married to Timothy ! Yes I did. I tried to call but you did not answer. You have changed your number, haven’t you? Just give me your current telephone number if you read this mail. It’s really a pity that we did not see you in our wedding. I wanted to invite you so much. Well, here I’m sending you a few pics taken in our wedding :

    http://www.timothyhansen.com/photos/wedding/

    Let’s keep in touch then.

    Love,

    Sarah & Timothy
    ***

    Thanks for posting this. It was good enough for me to google it, but I’ll be hitting “delete” instead of the link.

  19. Lee Smith says:

    I got it today — tried to get to the website but couldn’t.
    Glad to see it’s spam and not a long lost friend whom I simply didn’t remember.

  20. Robert says:

    Just got it today, and it smelled like fish. Deleted it.

  21. Cheryl says:

    I got the same email 10/13/10 at 2:28pm! Some people need to get a life!

  22. R says:

    I got the “great news” too.
    Appears that Sarah and Tim are looking for some quick wedding gifts from the LinkedIn database.

  23. Courtney says:

    I got the same email today from Sarah Norman. I thought it was real because I did just get a new job. Just to be sure I googled it. Thanks for posting this!

  24. Linda says:

    THANK YOU SO much for posting this…I got this and it sounded so believable…(I am glad I did not go to that wedding, ha ha)

  25. Jessica says:

    I got this email too (thank you for writing about it, otherwise I would have thought I met this person and forgot about them!) except it was Sarah Norman, and she was sending a regular link, not a zip file. But everything else was the same. It was so bizarre! I don’t like that spam is getting smarter!

  26. Andrew says:

    I got it too – to my work Email. Obviously Spam – I copied the Email address to a personal Email account…congratulating her on her wedding then asked if She and Timmy would like to come over so he can watch me do her in the ass…..Probably doesn’t go anywhere…just wanted to make a point and it made me chuckle.

  27. Pablo Navarro says:

    I just got it and am really glad I googled it before I opened the link. Thank you for posting this!

  28. Katie says:

    Just got it too. First thing I did was Google Sarah instead of clicking the link since I didn’t recognize her name. Thanks for the postings here!

  29. Michele says:

    THANK YOU, I also received this today, and googled her. Thought it was one of my students. GRRRR. I clicked the link but didn’t open the zip. Forwarded your site and the e-mail to my IT person at work. We’ll send out a warning!

  30. Cato says:

    Amy, sorry to be rude, but you should a.)throw your computer away, b.) buy a new one with the money from your new job, and c.) think before you click on indiscriminate links to zip files.

  31. P says:

    I got it today and it actually had my name on it. Clicked it but when I saw it was a zip file not a website I closed it. Googled their name and found this website. Thanks

  32. jimbo says:

    Just got the email and was prompted to open the zip file.

    I’m guessing this guy doesn’t know his site is being used for this purpose because no spammer is this stupid.

  33. CVZ says:

    Just got this email as well. It included a link.

    It was pretty clear that this was spam, because it doesn’t make very specific references to the wedding. When I get emails from people I haven’t heard from in so long that I can’t quite remember their names, they generally provide more information to give context.

    I might also add that, like many spam emails, this one looks like it was written by someone with an uncertain grasp of English. “It was such a long time we didn’t contact each other” isn’t something a native speaker–certainly not someone named “Sarah Russell” (or “Sarah Anderson” in the version I got)–would write. That’s often a giveaway.

  34. Perry says:

    Got the same – don’t click!

  35. Jerry says:

    I got it and downloaded the file to see what was in it. It was a zip file which I moved to another computer not on my network and unzipped it. I scanned it for viruses but found none. I then opened it, it contained 3 jpg files which were wedding pictures. This is what you should be careful of, the jpg files have a hidden ext. “exe”. Remember I did this on a computer off of my network so I am not sure what the exe are going to do but I reimaged the machine.

  36. jodieee says:

    I knew it had to be spam since I’ve been out of work for 3 years and still no NEW JOB! HA! Caught ya! I Googled it and found this blog. Thanks so much for posting it!

  37. Stephen says:

    I e-mailed the domain name owner, X@hotmail.com and actually got a response from “Tim.”

    Hello,

    To all concerned, I apologize for the email below , my site was recently hacked and I am taking the necessary steps to rectify the situation. I apologize for any inconvenience this may have caused.

    Tim

    For tips and Ideas on how to get started online
    Check out http://www.xxxxxx.com

  38. Greg says:

    Thanks so much to everyone for posting these comments. My wife just got this message, asked me “do we know a Sarah Norman?” and we couldn’t think of one, although we do know several people with the same last name. The website seemed legit but voices in our heads said that it was phishing or another scam – and your comments here prove it!

  39. pam says:

    just got the same message and couldn’t remember a sarah norman. looked suspicious and I googled it and found this blog. Don’t people have anything better to do with their time…I hardly have time to do the laundry!

  40. Andrew says:

    I got this today too. Weird thing is that I got it in my work email, which is always filtered and spam free. The only thing I can think of is that I tried a new recruiting tool recently and had to give my email address for replies. My work email address is too random to just guess it. I used ZipRecruiter. If anyone else has had the same issue after using this, maybe that’s one of the ways they are getting email addresses.
    Just a thought.

  41. Ellie says:

    I just got the email this afternoon, and it was Sarah Norman. Sorry Sarah, but i haven’t changed my number in 6 years, had the same job for 15 so looks like you’re out of luck. My file didn’t have a .zip attached. Andrew’s post made me laugh too. BTW, I’m not on Linkedin or ZipRecruiter and I don’t use internet email soooo not sure how they found me.

  42. Trice says:

    OMG!!! I just got this email on my job. No link attached other than the wedding pixs link. What a shame people do craziness like this. I’m reporting it to my job. What are the hackers after?

  43. Nina says:

    I just got this yesterday! What threw me was the poor grammar of the email as if English was not their first language. So glad that I did not open it! That would have been difficult to explain to my boss!

  44. Don Z says:

    I got this at work. In browsing Pipl this might be the Sara in the Internet Marketing “marriage” with Tim (http://sarah-russell dot net/). Sounds like they are just trying to drum up some business for themselves by driving us to their site and getting their hit count up.

    If he is the marketing superstar he says he is, until he puts up an apology on his website, I’m thinking he really is behind this spam scam. Call his dad’s phone number I say, and ask for Timothy’s cell number.

    Thanks for picking this up and posting it Ross Jones!

  45. Doug from Philly says:

    I got it, as well, but fortunately, it had been quarantined by Gmail’s SPAM filter.

  46. Kris says:

    Nice huh, I opened it…What is supposed to happen now??

    Hiiiiiiiiiiiiiiiii Kristina, it’s Sarah here, it was such a long time we didn’t contact each other, how is it going with you there ? I heard that you got a new job, didn’t you? Is everything ok there ? Hey, can you believe it! I got married to Timothy ! Yes I did. I tried to call but you did not answer. You have changed your number, haven’t you? Just give me your current telephone number if you read this mail. It’s really a pity that we did not see you in our wedding. I wanted to invite you so much. Well, here I’m sending you a few pics taken in our wedding :

    http://www.timothyhansen.com/photos/wedding/

    Let’s keep in touch then.

    Love,

    Sarah & Timothy

  47. Sharon says:

    My boss got it and sent it to me to check out. She’s a social worker and wasn’t sure if she might really know this person. Hers was Ashley Anderson who just married Mike. It was pretty impressive. Thanks for your info. We send out a companywide memo about it and I’m sending the info to my friends.

  48. Rachel says:

    Anyone know if this does anything harmful if you click on the link and if so a place to go that has instructions on how to clean it?

  49. RobQ says:

    The ZIP file contains Mariposa/ButterflyBot. Symantec calls it W32.Pilleuz. McAfee has some other name. You may recall Mariposa was in the news a few months ago due to a group of hackers in Spain being arrested for using it. If you install it on your computer the/some hackers gain complete control of your computer. They commonly use the trojan to steal financial information, but also email addresses for their next wave of attacks. Symantec suggests the trojan also alters your web browsing. Any thumb drives (USB drives) you attach to an infected computer will also become infected.

  50. Erica says:

    It was hard to find your posts in google search results.
    I found it on 13 place, you should build some quality backlinks , it will help you to get
    more visitors. I know how to help you, just search in google – k2 seo tips and
    tricks
