
Intuit spam – when spammers mess up their spam

If you have looked at your spam folder lately, you have probably noticed a lot of spam seemingly coming from a company called Intuit. The spammers send all sorts of mails, using subject lines like “Intuit  Request  Info”, “Your Intuit  Shipment  Status update”, “Intuit GoPayment  Order  Note”, “Intuit Payroll  Processing  query.”, “Your payroll processing  authorization status.” etc. There is actually a real company called Intuit that produces financial software, and the Intuit spammers are clearly spoofing them.

Let’s start by naming this “Intuit spam”, given the sheer volume right now. You will probably also be happy to learn that we’ve stopped a few million of these babies over the last few days using SPAMfighter. This is a typical Intuit spam mail:

[Image: Intuit spam]

It’s basic spam and phishing stuff, trying to lead us onto websites holding malware or to have us give up our personal information. Let’s not dwell on that. The reason for this blog post is another Intuit spam mail where something seems to have gone terribly wrong for the Intuit spammers. This is how it looks:

[Image: Intuit spam]

Notice how this Intuit spam mail offers an insight into how they use mail merge to vary mails. Some people will receive spam with “we will also provide you with the ability” and others will read the mail as “we will also supply you with”, depending on what is substituted for the variable {110} in the mail. Likewise, a lot of other words are being “spun” using variables to vary the content. Why do they do this? By varying the mails they try to stay below the radar and hope to bypass spam filters like SPAMfighter. Obviously that does not work with such primitive approaches.
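One way a filter can use a leak like this, shown as an added example that is not SPAMfighter's code or part of the original post: flag bodies that still contain unrendered slots, and compile the leaked template into a signature that matches its rendered variants. The `{N}` slot syntax follows the `{110}` seen above; the slot `{111}`, the template text, the sample bodies and the four-word limit per slot are assumptions made for the illustration.

```python
import re

# Unrendered merge slot as it appears in the broken mail, e.g. "{110}".
SLOT = re.compile(r"\{\d+\}")
# Assumption: each slot expands to a short phrase of at most 4 words.
PHRASE = r"\w[\w'-]*(?:\s+\w[\w'-]*){0,3}"


def leaked_slots(body):
    """Return the unrendered merge slots found in a message body."""
    return SLOT.findall(body)


def _literal(text):
    # Escape fixed text; any whitespace run matches any whitespace run.
    return "".join(r"\s+" if tok.isspace() else re.escape(tok)
                   for tok in re.split(r"(\s+)", text) if tok)


def template_signature(template):
    """Compile a leaked template into a regex covering its rendered variants."""
    parts, pos = [], 0
    for m in SLOT.finditer(template):
        parts += [_literal(template[pos:m.start()]), PHRASE]
        pos = m.end()
    parts.append(_literal(template[pos:]))
    return re.compile("".join(parts), re.IGNORECASE)


def verdict(body, signature):
    """Classify a body: broken merge output, a rendered variant, or neither."""
    if leaked_slots(body):
        return "unrendered-template"
    if signature.search(body):
        return "template-variant"
    return "no-match"


# Constructed sample data; only "{110}" and the two phrasings are from the post.
TEMPLATE = "we will also {110} you with the ability to {111} your payroll"
SIGNATURE = template_signature(TEMPLATE)

if __name__ == "__main__":
    for body in (TEMPLATE,
                 "We will also provide you with the ability to process your payroll",
                 "we will also supply  you with the ability to manage your payroll",
                 "we will also send you an invoice for your payroll"):
        print(verdict(body, SIGNATURE), "<-", body)
```

Bounding each slot to a few words keeps the signature from matching unrelated mail that merely shares the opening and closing words.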

The knowledge that spammers vary mails using mail merge isn’t new, of course, but it is great to see it in action for anti-spam nerds like us!

Btw. The real Intuit guys have set up an e-mail where you can forward phishing attempts. So if your spam filter is not eating the Intuit spam mails then you can forward them to spoof@intuit.com

Update January 2013:

Intuit spam is again topping our spam lists. Right now a spam mail with the subject line “Payroll Account Holded by Intuit” is flooding inboxes in various versions. The one we are looking at right now holds a link to a “Federal Reserve website” but leads to a malware-infected .ru (Russian) site.


About Kim Falkner

VP Marketing for SPAMfighter with a passion for IT-security and blogging. Follow me on Google+ (+Kim Falkner) or LinkedIn (Kim Falkner on LinkedIn)

3 Comments

  1. Phil says:

    Dammit, Intuit spam. It just never seems to stop. What to do here and why is the real Intuit company not doing anything?

  2. Kim Falkner says:

    Thank you for the comment, Phil! Not much to do about it except using a decent spam filter. Intuit can’t do that much to prevent the Intuit phishing spam mails, I am afraid.

  3. Joey says:

    Just got one of those Intuit Gopayment or whatever spam mails
