Kraft Foods: Emailing Spamtraps

The Canadian branch of Kraft Foods, Kraft Canada, is spamming several email addresses that either never existed or have been closed for several years, with the usual intervening twelve months or more of bouncing all email at SMTP time. Their ESP is Epsilon Interactive.

Sending IP: 198.31.62.194

Spam Sample:

Actual Headers:

Received: from mta.email.kraftcanada.com (mta.email.kraftcanada.com [198.31.62.194])
        by <xxx> (Postfix) with ESMTP id <xxx>
        for <xxx>; Tue, 11 Oct 2011 11:xx:xx -0500 (CDT)
DomainKey-Signature: <xxx>
Received: from [10.21.<xxx>.<xxx>] ([10.21.<xxx>.<xxx>:<xxx>] helo=<xxx>)
        by <xxx> (envelope-from <cocinas.kraft-<xxx>@email.comidakraft.com>)
        (ecelerity 2.2.2.45 r(34222M)) with ESMTP
        id <xxx>; Tue, 11 Oct 2011 12:xx:xx -0400
Date: Tue, 11 Oct 2011 12:xx:xx -0400 (EDT)
Message-Id: <Kilauea<xxx>@flonetwork.com>
From: "Recetas Kraft | comida y familia" <cocinas.kraft@email.comidakraft.com>
Reply-To: "Recetas Kraft | comida y familia" <cocinas.kraft-<xxx>@email.comidakraft.com>
To: <xxx>
Subject: Recetas deliciosas para cenar entresemana!
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

Readable Email:

From: Recetas Kraft | comida y familia <cocinas.kraft@email.comidakraft.com>
To: <spamtrap>
Subject: Recetas deliciosas para cenar entresemana!
Reply-To: Recetas Kraft | comida y familia <cocinas.kraft-<xxx>@email.comidakraft.com>

Ideas deliciosas y variadas para la cena de cualquier día de la semana.

Miralo en el navegador

<removed>

Te hemos enviado este mensaje a <xxx>

Cancela tu suscripción
Suscribete
Administra mis Preferencias
Política de Privacidad
Contáctanos
Preguntas Más Frecuentes

Contáctanos
Kraft Foods Global, Inc., Consumer Relations Group, 1 Kraft Court, Glenview, IL 60025
1-800-572-3807

2 Responses to Kraft Foods: Emailing Spamtraps

  1. Gevalia is part of Kraft foods.

    http://www.gevalia.com/customer-service/Email-Unsubscribe.aspx is an email form to *unsubscribe* from their mailing list.

    So, what happens to email addresses that are entered in that form? The first time, 2005-03-27, I created a new email address in a domain that I control, submitted that new address to the Gevalia unsubscribe form above (even though that new address was never on their list, or any other list), and it eventually started receiving spam. Today, over 6 years later, that address receives about two spam attempts per day. However, that email address was possibly guessable.

    So on 2006-05-15, I created a new email address in a domain I control by doing something like

    # Hash the current date, a fixed string and the process list into a 32-hex-char local part
    u=$( (date; echo "abc"; ps axf) | md5sum | awk '{print $1}')
    echo "$u@mydomain.com"

    That results in an email address something like 69355fa0100438373858e216740dbaad@mydomain.com although the first part is of course different. Such an address is essentially not guessable.

    That new address was then submitted to the Gevalia unsubscribe form above (even though that new address was never on their list, or any other list), and it eventually started receiving spam. Today, over 5 years later, that unguessable address also receives about two spam attempts per day.

    In both cases, their software should have realized that my email addresses were not even on their list, and discarded any record of them. Instead, they not only kept them, but they either sold them to spammers, or they kept them in an insecure location where they could be stolen by spammers.

    • My experience is that Gevalia is rarely if ever advertised using mainsleaze spam. Mainsleaze spam is sent from the company’s own IPs or a legitimate ESP. Mainsleaze spam makes no effort to hide who is sending it or for whom it is being sent. It’s “honest” spam, as spam goes, even if the companies sending it know quite well what they’re doing.

      Instead, for the last few years I’ve seen a steady trickle (sometimes a stream) of snowshoe spam advertising Gevalia. Snowshoe spam is sent from IPs that belong to a shell company or were obtained under a false identity. It uses random-sounding or “nonsense name” domains whose ownership is usually forged or hidden behind a Whois Privacy service. URLs in snowshoe spam are heavily tagged; when you click one, the affiliate program and spammer know exactly which email address generated the click.

      This is how snowshoe spam works: the snowshoe spammer first either sets up a bogus affiliate program or signs on to a genuine, but poorly policed, affiliate program that pays for clicks. He then obtains IPs and domains, normally using a shell company or falsified identity so that the ISP will not have a record of his real name, location, or contact information.

      The affiliate program then advertises its services to companies who want more traffic to their web sites and more business. The company that wants this signs onto the affiliate program for (usually unspecified) marketing services. There may be language in the contract that (*wink*wink*nudge*nudge*) forbids spam. The company doesn’t know how the affiliate program markets for them. As we say in the Silicon Valley, that’s a feature, not a bug.

      If, despite the efforts he makes to fly beneath the radar, the affiliate is caught spamming and reported to the affiliate program, the affiliate program expresses horror that a *spammer* (*GASP*) is on their system, and terminates that spammer immediately. If the company on whose behalf the spam was sent is contacted, they are horrified that a *spammer* spammed for them, and point to the affiliate program’s quick removal of the spammer.

      The spammer gets paid unless and until he is caught, a good revenue stream for him. When he is caught, he simply abandons that account/identity, opens a new account under a new identity, and keeps right on spamming. Meanwhile, the company is never held responsible despite the fact that their money is paying the snowshoe spammer just as surely as if they’d cut a check directly to the spammer.

      There is NOTHING honest about snowshoe spam. :/

      The last time I checked, the IPs that hosted gevalia.com and joingevalia.com were listed on the Spamhaus SBL because of Gevalia’s spamming. I think that’s where they should be. Snowshoe spam is beyond the scope of the Mainsleaze blog. We started this blog to deal with a type of spam that isn’t usually suitable for blacklisting. In my opinion, snowshoe spam is eminently suitable for blacklisting, and there are a bunch of excellent blacklists that are doing just that.
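The tagged-address experiment in the first response above, generalized as an added example (not code from the post or its commenters): each address is derived with HMAC-SHA256 from a secret key and a label naming the one place it was disclosed, instead of hashing `date` and `ps` output, so later delivery attempts can be attributed to that disclosure. The domain, key, labels and recipient list are constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter

DOMAIN = "mydomain.example"          # assumption: a domain you control
KEY = b"constructed-demo-key"        # assumption: in practice a random secret kept private

def trap_address(label, key=KEY, domain=DOMAIN):
    """Derive an unguessable address bound to one disclosure label."""
    mac = hmac.new(key, label.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{mac}@{domain}"

def attribute(rcpt, labels, key=KEY, domain=DOMAIN):
    """Return the label an address was issued for, or None if it was never issued."""
    rcpt = rcpt.strip().lower().encode()
    for label in labels:
        # Constant-time comparison against the address recomputed for each label
        if hmac.compare_digest(rcpt, trap_address(label, key, domain).encode()):
            return label
    return None

def tally(rcpt_log, labels):
    """Count delivery attempts per disclosure; unknown recipients are guesses."""
    hits = Counter()
    for rcpt in rcpt_log:
        hits[attribute(rcpt, labels) or "unattributed"] += 1
    return hits

# Each label names the single place an address was ever entered (constructed).
LABELS = ["unsubscribe-form 2006-05-15", "newsletter-signup 2011-10-01"]

# Constructed RCPT TO values, as they would be pulled from an MTA log.
SAMPLE_RCPTS = [
    trap_address(LABELS[0]),
    trap_address(LABELS[0]).upper(),   # same address, different case
    "info@mydomain.example",           # guessable role address, never issued
    trap_address(LABELS[1]),
]

if __name__ == "__main__":
    for source, count in tally(SAMPLE_RCPTS, LABELS).items():
        print(f"{count:3d}  {source}")
```

Because each address is entered in exactly one place, any mail it receives identifies that place as the source of the leak; recipients that match no label were guessed rather than leaked.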
