Free M&S vouchers? or just spiced ham?

November 2, 2008

I’ve just been forwarded an email that was clearly spam-posing-as-viral-marketing-mail, but was nonetheless sufficiently sophisticated to fool the sender who forwarded it on to me. “…all you have to do is send this e-mail out to 8 people (for £100 of free vouchers) or 20 people (for £500 of free vouchers). Within 2 weeks you will receive an e-mail with your vouchers attached.” What could be easier? Oh, and don’t forget to “Please mark a copy to:”. As one of the many intermediate forwarders put it, “Thought this was worth a go – nothing to lose”.

I was going to write something smug about people not making the most basic effort to Google things before sending them on, but I’ve just realised that in my haste to send a reply-to-all about how this was a hoax and that they should Google for things once in a while, I cc’d the very address of the spammer that I’m moaning about having my address sent to! Urgh.

Anyway, had anyone in the surprisingly lengthy chain of previous senders bothered to put into Google, then the top hit (at least, at the time of writing) would’ve been…

…which is where lots of people confirm it’s a scam, and one person is astute enough to notice that is not the same as It’s interesting to note that the spammer has gone to the bother of creating a whole fake website, as well as posting messages on websites saying things like “I know Andy”, but, anyway, let’s hope that the Gmail spam filter is up to the job of whatever Mr Andy Curran can throw at it.

So, what do you want me to do about it?

There are basically two lessons here. First of all, if it’s too good to be true, then it is; and if you can’t tell, shove it into Google and find out.

Secondly, if you are going to send something out, particularly to a disparate bunch of people who may well all know you, but don’t know each other, then it’s generally good form to put all their addresses in the BCC: field, so that they can’t all see each other.

And if that means you have to send out two messages, the first BCC-ing everyone you want to involve in your M&S-vouchers-for-free scheme, and the second CC-ing everyone who agrees (plus Mr Curran) then, yes, that’s what you should do.


The spammer’s email address “bounced”, which in theory means that nothing got through to him… but in practice my Gmail spam filter has been working harder than ever, and, to be honest, if someone’s going to go to the effort of faking a whole website, then they’re probably going to go to the bother of faking some bounce-back messages too. In fact, it kinda explains why they’re posting on message boards saying that they “know Andy” and that it’s just a prank gone wrong – it makes the bounce-back messages more credible, and the victims more likely to attribute their increase in spam to something other than sending their email address (and eight of their closest friends) to a spammer…


So I was somewhat randomly surfing the internet, and happened across a link to the Sophos page for this very scam. This just asks more questions than it does provide answers: Why does the spam they received link to the valid domain and not the fake Why would anyone want to launch a DDoS attack on And why is it literally impossible to contact anyone at Sophos through their blog pages, despite those people being listed under press contacts?

I can’t answer either of the latter questions, but I would guess that the 2007 email Sophos received linked to because either a) someone first started this chain mail as an attempt to DDoS and an opportunistic “Andy Curran” took the opportunity to spawn a copycat spam email (coupled with a fake website), or b) Mr Curran launched the initial fake email as a smokescreen to cover his attempt to skim as many email addresses as possible. It smacks somewhat of the Minority Report plot line**, but is nonetheless believable. Well, I think so, anyway.

**For those of you who haven’t seen the Minority Report, and don’t want to watch it just to follow my meandering rant… part of the story impinges on the faking of an event, so that when the event actually occurs at a later date, people assume that it is just a retelling of the original. In this instance, Mr Curran has (or, at least, may have) sent out spam emails with links to, so that when his emails are sent out later, people like Sophos assume that they’re part of the debacle, don’t register that the domain has subtly changed, and don’t bother to investigate it as thoroughly as they may have done a fresh event.


