Heathrow calling

Here’s a weird spam I got last night:


The route taken through Customs is mainly determined by your point of departure and whether you are bringing into the country more duty payable goods than your free allowance. For those passengers who have flown in from outside the European Community (EC), their baggage will have a white tag and they must pass through either the Red or Green channel according to the amount of duty free goods they have. Those passengers arriving from countries within the EC should use the Blue channel, and their baggage will have green-edged tag.

As part of our routine check and based on the above, we have a consignment in your name; you are advised to come to the office address below

Customs office
Terminal 3
Heathrow Airport

You are required to come with the following:
1. Your ID
2. Diplomatic Tag either white or green-edge tag.
3. Non Inspection document

Your appointment time is 10am GMT, failure to comply; we will have over the matter to Metropolitan and the FBI. I am the officer in charge of your matter.

Thomas Smith
UK Customs
Heathrow Airport

It’s weird, because it contains no advertisement, and no links. There’s nothing “encoded” in it -  it seems to be an old version of this notice.

So why would a spammer waste valuable botnet cycles on sending me the email? The only explanation I could come up with is “a boy who cried wolf” attack. You send this email a few times, and the Baysian filtering systems train themselves that this is a good email (i.e. “ham”). Most Baysian spam filtering systems have a loopback mechanism where spam email is used to train the system further, and ham email is used to teach the system what “good” email is. If this email is seen a few times and considered ham, spam filters will accept something similar to it that contains a link. That link, can be the spam or phishing attack.

Another guess is that it’s simply used to verify email addresses – you read that a scary Customs agent from Heathrow wants you in his office first thing tomorrow morning, and you quickly reply to ask what it’s about; the spammer (whose reply-to address is different than the “From”) gets a confirmation that your email address is valid, maybe with some more details like your phone number. This is a plausible explanation but it seems like too much hard work just to get some valid email addresses.
Any other guesses?

  • Andrew from Vancouver

    Another explanation is that this spam was just a test of his new bot and any text would do.

    Another explanation is that sometimes a cigar is just a cigar: the spammer screwed up.

    Spammers use templates as well as cut and paste. They are a persistent lot of buggers but they do sloppy work.

    So a zillion people will receive their spam where they send out the template with the variables NOT replaced, or they send out a phishing spam that targets one bank but uses the name of some other bank, or they send out test text to everyone in their list instead of only to their test accounts, or they edited the scam text badly and forgot the payload text.

  • http://www.BeyondSecurity.com Aviram

    @Andrew – good point. However, this is no sloppy work: The email is composed of two parts (one found on the Internet and the second, asking me to meet him on 10am tomorrow was taken from elsewhere or composed from scratch). The “From” Email is very genuine, what I would expect a Thomas Smith to have – the reply-to is however different.

    You might be right that it’s a version 0.9 that went out prematurely, but there might be more to that.

  • Chris

    I just got this. My guess is that replying to the email gets you into a discussion with Mr. Smith about some fees that you have to pay to get this non-existent package through customs.

    What’s annoying me is that the reply address is a live.co.uk address (which redirects to bing.com = Microsoft). Tried to report it but Microsoft seem to have no facility for reporting scammers using their webmail services.