Some Spammer Has a Crush on You

ewhac writes "Salon is running an article about how that cryptic email saying someone has a crush on you may not be what it seems. Portrayed as services to foster romance, some voice concern that some such sites -- two with falsified WHOIS records -- are preying on people's insecurities to build spam lists and directed relationship graphs (who knows who). One site in particular, SomeoneLikesYou, has the temerity to demand you subscribe to an affiliate marketing program or cough up $14.90 before it will hand over the email address of your alleged crush.

A friend of mine and I were bit by SomeoneLikesYou in the last week. The scam is elegant in its simplicity. The site teases you with an email claiming to know someone who likes you, then makes you guess who it might be by submitting their email address(es). Each of those addresses receives a teaser email just like yours. Rinse, repeat. I ignored the message -- obviously a fake; I couldn't possibly be anyone's crush :-) -- but my friend took the bait and fed it some demographic data and email addresses. Once she realized what was going on, she wrote to everyone apologizing for any spam they may have received. She also sent a nastygram to the site's operators.

It should be pointed out that there is no proof that SomeoneLikesYou is doing anything nefarious with the data they're collecting. However, their credibility is not strengthened by their faked WHOIS records and their meaningless doubletalk on privacy issues (the declaration, "We send precisely zero e-mail advertisements," says nothing about the behavior of their partners/affiliates.)"

awwwww damn

[gatesh8r]

I sent in my money and all she sent me was spam. And here I thought she was going to send me a nude pic and hours of hardcore action.

Oh No!

[thogard]

I just checked my logs and it appears that my antispam software just deleted a message about someone who likes me without me getting a chance to read it. Maybe its time to go back to the old method of just hitting delete now that the carpal tunnel syndrome is almost gone on the finger I use on the delete key.

Those things are spam + social engineering

[Montag2k]

I have an e-mail address that I have used to register for exactly one thing: AOL Instant messenger. I've never sent any other e-mail through this account, I've never published the address on the internet, or anywhere else for that matter. Yet apparently someone who has a crush on me has managed to get that e-mail address and report it to Crushlink! I don't even want to log on to the site to get onto their opt-out list because I don't trust them enough not to sell my address once they have verified that there is an actual person behind it.

Argh, I hate spam.

This is obviously a ploy.

[yeoua]

This is obviously a plot... who the hell in their right mind would have a crush on me?!?!

Re:This is obviously a ploy.

[krog]

these guys sent "someone has a crush on you!" messages to thousands of MIT students. talk about blowing your cover. :)

We did this in primary school

[stere0]

SOME GIRL: I know somebody who's got a crush on you
ME: Oh yeah? Who?
SOME GIRL: Will you pay me if I let you have a guess?
ME: I don't care, I'm rich, there you go. Is it SHE?
SOME GIRL: No. Nice try, though.

[later...]

SOME GIRL: Hey OTHER GIRL, I know somebody who likes you
SHE: Oh yeah? Who?
SOME GIRL: Will you pay me if I let you have a guess?
SHE: There you go. Is it stere0?
(note: I didn't have facial hair in primary school)
SOME GIRL: No.

I overheard them, and this is how SOME GIRL got rich by doing this to the whole school and how I got my first kiss a couple of weeks later. :-D

Re:We did this in primary school

[Hoi+Polloi]

What school was this, Ponzi Elementary?

It's FAKE?!

[joshua404]

I spend $15,000 on this engagement ring for nothing?!

in Germany they do this on mobile phones

[mario]

funny, some weeks ago I received a SMS on my mobile with the same content, telling me: Someone who is too shy has a crush on you.
To find out dial: 0190-whatever

0190 is in Germany the dialing prefix for Premium rate-services (from 1 to 10 euros/minute)

I didn't call but looked in the newsgroups if someone has: works exactly the same way you described:
- please give us some mobile numbers from persons you guess that might be it..

One time e-mail addresses

[Fuzzums]

If some lame service requires you to supply them with an e-mail address, use a one-time address.
Read is once for your password. If you start receiving spam you know the originator and can iglore that address.

Spammotel provides in such a service. Also some providers allow you to use alias@your_name.your_isp.com, making it simple to track the origin of spam and making it easyer to filter (loveletter.com@my_name.my_isp.com)

Hotmail serves the purpose of one-time accounts very well. How hard is it to forget about a hotmail account anyway?

Re:One time e-mail addresses

[DeadSea]

You can't do that for this service. Your *friends* give them your email address. I'd like to find out which of my "friends" gave my personal email address to crushlink.com (a similar service) and beat them. However it looks like the only way I can find out is by entering the email addresses of all my friends so they all get spammed.

Re:One time e-mail addresses

[Jugalator]

I've tried Spamgourmet. Excellent free service where you can do this:

1. Register a username like "foo".
2. Register at the MegaSpam forum.
3. Tell them your e-mail address is megaspam.2.foo@spamgourmet.com.
4. You will be forwarded the next 2 mails from the MegaSpam forum, probably containing password details as such things.
5. Spamgourmet will then eat all mails from the MegaSpam forum.

They also allow you to list trusted senders, which don't advance the message count for your temporary address, reply address masking, and password prefixes so others can't make up new addresses with your username.

Pretty nice, especially as it's free and no ads or other catches. They have around 14,000 accounts as of today and eats about 12,000 spams/day. :-)

And there's also despammed.org where any mails to that address will be filtered from spam before it's sent to your primary address or the web service. Everything on that site is free (and ad free) as well.

Nothing immoral about this at all

[Brento]

There really is someone who likes you. In fact, here's the original personal ad involved:

"Mass email marketer ISO young, wealthy singles with low self-esteem and money to burn. Low IQ is a plus, gullibility even better. Turn-ons: making telephone calls at dinnertime, taking long walks on the beach with your money."

Funnycard

[Spackler]

Funnycard is also just an email harvester! It has the subject:

Message from person_you_know via the FunnyCard Network.

It comes with a forged header, that says it's sent from the person_you_know (of course it was my sister). Clicking on the link then requires you to put in 4 (fake of course) email addresses to see the card. As soon as you submit it, it sends the same email to all 4 addresses with a forged return address of YOU (you get back the send errors that the fake users you sent to, don't exist). Displays some lame joke (that the sender never saw), and says goodbye.

Deduce the rate at which suckers are born

[sam_handelman]

My numbers come from here.

$100 gets 10 million addresses. It costs $3,000 to send these 10 million messages. Let's assume a capital outlay of $3,100 per week, which seems reasonable.

A "positive response rate" of 0.1% to 1% is expected. Say 0.1%, since this scam is especially egregious, that's 10,000 responses per week, is 10,000 suckers per 60 * 24 * 7 = 10,080 minutes.

That means a sucker is born every minute (every 59.52 seconds, actually), which we already knew.

Re:The SMS lover scam

[ranulf]

Yeah, I've had about five similar message such as from "Flirt Love Box". "Tried to call you but you were out", "Tried to send an SMS", etc.. messages, all with 0909 premium rate numbers.

At the bottom, it adds "The call is charged as a long distance call - For UK the charge is 2.5 Pence/sec" which is £1.50 per minute. Even then, I don't think that's enough to cover them legally, as I beleive they have to state the cost as a per-minute rate.

Fortunately, I'm not stupid enough to believe that these messages are for me. No-one I know sends messages in bright yellow with red and blue headings.

Just remember how UK phone charges work:
01/02 - standard long distance geographic number. Basically cheap.
05 - I don't think this is used, except 0500 which is free
07 - mobile, going to be quite expensive
08 - information. Generally increasing in cost as number increases, except for 0845 charged as local
09 - premium rate. Cost determined by operator, without limit.
00 - international. Again expensive.

If you don't know what the number is, don't dial!

Does this mean...

[Wdomburg]

Noone really has a crush on the support alias for my company? I don't know how I'm going to break the news to it.

Someone's operating the scam in Holland too

[hrm]

A couple of weeks ago I received a SMS message that started with "Iemand vindt je leuk, en heeft ons jouw nummer achtergelaten..." ("Someone likes you and has left your number with us", original Dutch maintained for Google searches).

Oh, speaking of googling, there was a hilarious spelling mistake at the end "Wil je weten wie je geheime *aanbieder* is?" ("Do you want to know who your secret admirer is", except they put an 'e' in "aanbidder" where a 'd' should be, "aanbieder" means "provider")

I couldn't find a reference on the internet to this operation, so I figured it might be legit. I called to the number they gave: 09062001372 (couple dozen eurocents a minute). They pulled the same routine as described above. I had to enter my own phone number (as if they didn't have it) then take a guess as to who left my number in the first place (I gave a bogus number). Then I was promised they'd SMS the number of my secret provider, but of course they never did.

I suppose this scam pays off quite well. I'm a pretty suspicious person as a rule, but in this case, especially after I couldn't find any information about it on the internet, I just had to check it out. They got about 3 minutes worth of high phone rates out of me.

My solution

[dr_dank]

I got these stupid e-mails too, but they wouldn't release the address of your so-called crush until you furnish them with e-mail address after e-mail address.

Instead of putting down bogus addresses, I submitted every abuse@{$insert ISP here} address and anti-spam address that I could think of. That'll give them something to think about.

Re:a question

[gmack]

EDU domains tend to scare spammers.. not only is there not much money to be got. They are likely to end up with some anti spam vigalante with a lot of free time that can be spent causing them pain.

Re:i wonder if you ever find out...

[langed]

I was fortunate enough so far in my 23 years to have filtered away from my usual existance most of the people who would pilfer my email for such frivolous purposes.
So when my address was spammed by SomeoneLikesYou, I got on the phone. Sure enough, the one person who actually did it was my not-so-security-minded girlfriend.

So when I hit the site, I entered only one email address--hers. The site didn't like that, and since it doesn't like bounces either, I just started registering aliases on my linux box. So we had a@mybox.net, b@mybox.net, c@mybox.net, and d@mybox.net.

And, sure enough, when it finally accepted that, it said I had a match! (I also had some 4 more emails popping up in my inbox....)

Since the site demanded that I pay up-front or sign up for affiliate info, I went on my merry way, happy to know I hadn't offended anyone else.

About a month later, though, I got this email "Are you sure this loser Sara is right for you?" which told me to come back and visit the site again, threatening to remove my information and promising not to spam me again. I received a second mesage, again titled "Are you sure this loser Sara is right for you?", before I created a new procmail rule.

I figured I was lucky, I got everything I wanted to know without it costing me anything but the time. I doubt many others were so lucky.

Disposable addresses and Spamgourmet

[Balinares]

Never sign up anywhere with a real email address.
Instead, get an account on Spamgourmet, and you'll have as many disposable email addresses as necessary, that will work only as many times as you want. Then they become a direct link to /dev/null, and you never hear about them again.

Seriously. This service rocks.

Old news... to me, anyway

[Chmarr]

I've been onto their particular game for about half a year now, as evidenced in a warning I wrote here.

In general, you should never give anyone's email address out. Ie, treat it like a phone number; it's not yours to give out, it's the owner's.

I treat the 'send this to a friend' thing in the same way. If you read the privacy statements of a lot of web sites, you'll see that it refers to your privacy, but doesn't mention anything about the privacy of your friends' email addresses that you happen to type into those 'send this to a friend' boxes.

Just don't give away your email address

[mosch]

Not giving your email address works works really well, unless:

• you have a job that requires that you post on public, technical mailing lists.
• you have a job where your email address ends up in whois records.
• you're the postmaster, hostmaster or any other sort of contact for a company.
• you don't need your email address to be publicly available for business reasons.
• somebody forwards an email that you sent them to a public mailing list.
• you've had the same, well-known email address since the days when it was considered a good thing to publicize your address.
• one of your friends or business associates gets a virus that causes your email address to end up getting sent off to a mailing list or something.
• your dipshit ISP allows VRFY.
• etc, etc, etc.

There's not always an easy way to keep from getting spam, even if you're relatively careful with your addresses.

Someone has a crush on the debian project

[sfraggle]

http://lists.debian.org/debian-project/2001/debi an -project-200108/msg00016.html