August 10, 2008

CNN Spam?
Posted by Jim Macdonald at 10:58 PM * 61 comments

Over on the so-called “CNN Blog” we find this entry:

August 8, 2008
Fraudulent spam about
Posted: 07:45 PM ET

Earlier this week, a spam message purporting to be from CNN began circulating the Internet. We decided to blog about this to alert those of you who hadn’t yet received it to be on the lookout for it; and also to assure those of you who did receive it that the message was NOT, in fact, from CNN.

As you may know, spammers often disguise or forge the source of their e-mail to give recipients the impression that the message derived from another system, especially one tied to a recognizable brand. In this instance, the spammer chose to use the CNN brand.

The message, claiming to contain CNN’s Top 10 news stories and videos of the day, is fraudulent and did not originate from CNN. If you have received it, we suggest that you delete it from your mailbox. Further, we recommend you delete any e-mail message from your mailbox that you believe may be illegitimate.

Thanks to all of you out there who alerted us to the existence of this spam purporting to be from CNN.

Posted by: CNN Public Relations
Filed under: marketing • technology

CNN is being mighty coy about exactly what this spam says, other than that it purports “to contain CNN’s Top 10 news stories and videos of the day.”

Under normal circumstances when there’s a new spam going around I find about 180 copies in my spam filter. But nothing that seems to match that description has shown up.

The bulk messages that purport to be CNN Alerts, that direct you to click here for more information about some likely keyword, but really take you to a website in Lower Slobistan where you find your computer recruited into a bot net faster than you can say Java Script, have been around for a while, and don’t match this description.

So, anyone know what’s up with CNN Spam?

Comments on CNN Spam?:
#1 ::: Brenda Kalt ::: (view all by) ::: August 10, 2008, 11:10 PM:

I got eight copies in my work account on Friday. Since I never open anything that looks unfamiliar, I don't know what was in it.

#2 ::: Michael C. ::: (view all by) ::: August 10, 2008, 11:19 PM:

From Slashdot:
More than a thousand hacked Web sites are serving up fake Flash Player software to users duped into clicking on links in mail that's part of a massive spam attack masquerading as news notifications, security researchers said today. The bogus messages, which claim to be from the news Web site, include links to what are supposedly the day's Top 10 news stories and Top 10 news video clips from the cable network. Clicking on any of those links, however, brings up a dialog that says an incorrect version of Flash Player has been detected and that tells users they needed to update to a fake newer edition, which delivers a Trojan horse — identified by multiple names, including Cbeplay.a — that 'phones home' to a malicious server to grab and install additional malware.

#3 ::: Henry Richardson ::: (view all by) ::: August 10, 2008, 11:27 PM:

Sunbelt blog explains the CNN spam.

#4 ::: Will "scifantasy" Frank ::: (view all by) ::: August 10, 2008, 11:30 PM:

Huh, and possibly dammit.

I started getting those CNN Top Ten emails the other day. I thought I'd just been resubscribed to a list, so I hit the unsubscribe link. It took a few times but then the emails stopped.

Then again, I run Gentoo Linux, so I doubt the flash player .exe would have done much, even if I saw it (which I didn't). I guess I should just keep an eye, and watch my spamcatcher in case a lot more starts coming...

#5 ::: Jen Roth ::: (view all by) ::: August 10, 2008, 11:33 PM:

The ones we got at our university a couple of days ago led the user to download fake antivirus software.

#6 ::: Clifton Royston ::: (view all by) ::: August 10, 2008, 11:36 PM:

As Michael C. says just above, it's a massive multi-platform virus distribution burst, fueled by computers already infected with the Rustock bot and driving users to cracked websites (and possibly to some run by co-conspirators and collaborators.)

Here's some analysis:

One large site reports this botnet is now accounting for about 5-6% of its inbound spam.

#7 ::: Clifton Royston ::: (view all by) ::: August 10, 2008, 11:38 PM:

Sorry, dropped the URL; that should have gone here: Linking all the news spam together.

#8 ::: Azz ::: (view all by) ::: August 10, 2008, 11:42 PM:

Text of it:

Title: CNN Alerts: My Custom Alert
Your E-Mail Alerts
Alert Name: My Custom Alert

Tropical Storm Edouard moving toward Texas coast
Sun, 10 Aug 2008 18:40:36 -0600


You have agreed to receive this email from as a result of your preference settings.
To manage your settings click here.
To alter your alert criteria or frequency or to unsubscribe from receiving custom email alerts, click here.

Cable News Network. One CNN Center, Atlanta, Georgia 30303
© 2008 Cable News Network.
A Time Warner Company
All Rights Reserved.
View our privacy policy and terms.

I cleared out a boatload of them this morning; I'm not sure if there were others with different text.

#9 ::: FungiFromYuggoth ::: (view all by) ::: August 10, 2008, 11:42 PM:

ZDnet has another article on the CNN spam, which references a more technical writeup on Threatfire of a similar attack.

The description of what's going on might be vague because the attack is multifaceted: a barrage of attempts to exploit the client browser followed by "Hi, please run my trojan horse, kthxbye".

It appears that the user may be the upper bound on system security.

#10 ::: James D. Macdonald ::: (view all by) ::: August 10, 2008, 11:43 PM:

Well, I am answered.

#11 ::: alice ::: (view all by) ::: August 10, 2008, 11:59 PM:

I've received several hundred of these, as my work address gets submission email for several internal mailing lists forwarded to it.

#12 ::: Lizzy L ::: (view all by) ::: August 11, 2008, 01:02 AM:

I got one a few days ago. I opened it, clicked on a story, and got the Flash Player message. I then closed and deleted the whole thing without downloading anything. It was very professional-looking, none of the usual misspellings and grammar errors one usually finds with those nasty things.

My anti-virus software has been quiet. I ran Ad-Aware today and it came up with just the usual stuff, cookies and so on.


#13 ::: Paula Helm Murray ::: (view all by) ::: August 11, 2008, 01:36 AM:

I've got a Mac and filters set on 'decapitate' so I get very little spam email.

And the ones that do come through are often phishing from places I do not have a bank account with. (I am with what used to be Federal Employees Credit Union) and they are wise to such assaults.

On the other hand I'm kind of glad my mom is willfully ignorant of computers in general and the Internet specifically.

#14 ::: Michael Roberts ::: (view all by) ::: August 11, 2008, 01:46 AM:

I've been tracking it for two weeks. It's the Storm botnet, and it's the same group that had the funky headlines between June and July. They started using a "CNN Daily Top 10" video email on August 4, then switched to "CNN Alerts: My Custom Alert" on August 7. I kind of expected them to switch today, but I'll bet we'll be seeing something by tomorrow morning at the latest.

I have about 8000 copies of just those purporting to be from CNN, if you want, and a more or less complete analysis here. I first got interested when I saw the groovy Javascript exploits on the hijacked target servers.

I've also identified about 15,000 IPs of zombie PCs injecting the stuff. The reason for this wave lately is that they're falling behind and need new PCs. But the blitz has made it possible for me to see them -- so all in all, it's been pretty damned nice.

Fascinatingly, there's an "Internet Explorer 7" upgrade spam from a completely different botnet for the same purpose, which just started up today.

At, I get a lot of spam. You may think you get a lot of spam. Ha. I laugh.

#15 ::: Wirelizard ::: (view all by) ::: August 11, 2008, 01:51 AM:

It appears that the user may be the upper bound on system security.

It always has been, really.

There once was a noob on the 'net
who hadn't caught viruses, yet.
Spam from Russia, quite graphic,
made his computer quite spastic,
That foolish young noob on the 'net.

(No, I'm not happy with graphic/spastic either, but what can you do when only the first two lines spring fully-formed and demand completion?)

#16 ::: Sean Pratz ::: (view all by) ::: August 11, 2008, 01:52 AM:

CNN spam? Today I got one about a politician's two-year-old affair, and a few days earlier another about an actor's car accident. Yet I haven't heard a damned thing about, for example, the DHS's laptop seizure policy, or any of the other liberties Americans have lost in the last seven years.

Boing Boing's where I get the real news.

#17 ::: Michael Roberts ::: (view all by) ::: August 11, 2008, 01:55 AM:

Will - by the way, don't worry about having clicked the unsubscribe link. That actually goes to CNN; they copied it wholesale for verisimilitude.

#18 ::: eric ::: (view all by) ::: August 11, 2008, 02:45 AM:

A metric ton of them here, at least, that weren't caught in's spam filter.

For a few weeks I was trending down to 1000 spam (caught) a week, but it looks like I'm back up in the 3500 range again.

#19 ::: Paula Lieberman ::: (view all by) ::: August 11, 2008, 02:48 AM:

Wirelizard #15

There once was a noob on the 'net
who hadn't caught viruses, yet.
But "Hot babes and sex!"
Were just the right hex
And now his hard drive's been reset.

#20 ::: Elaine ::: (view all by) ::: August 11, 2008, 08:04 AM:

I gave my mother an Ubuntu Linux rebuilt system three months ago. She is no less clueless on Linux than she was on Windows, but at least the damage is a little more limited.

#21 ::: Vicki ::: (view all by) ::: August 11, 2008, 09:35 AM:

My company's IT department sent around a warning about this a week or so back: apparently a number of my coworkers had received it at their work email addresses, and opened it, leaving viruses on their system. I got it at my usual home address, thought "oh, spam" and deleted the two or three copies that were there right away, and have removed more since. I don't know if my coworkers are actually on some kind of CNN mailing list, as I am not, or are just a bit more gullible. (I have been online longer than most of the people at my office, and dealt with more of this crap as a result.)

#22 ::: Bruce Cohen (SpeakerToManagers) ::: (view all by) ::: August 11, 2008, 09:46 AM:

Vicki @ 21

I have been online longer than most of the people at my office, and dealt with more of this crap as a result.

As the saying goes, "The pioneers are the ones with the arrows in their backs."

#23 ::: Kevin Reid ::: (view all by) ::: August 11, 2008, 12:09 PM:

#9: "It appears that the user may be the upper bound on system security."

There's lots of room for bad software design (say, outdated threat models, such as assuming that every program acts on its user's behalf), and bad user interface design (such as patching the former model by asking the user for confirmation of the program's actions), to produce values well below that bound.

#24 ::: Jillian ::: (view all by) ::: August 11, 2008, 01:00 PM:

I just got my 2nd - both were re Obama

"CNN Alerts: My Custom Alert‏
From: CNN Alerts
Medium risk You may not know this sender. Mark as safe | Mark as unsafe
Sent: Mon 8/11/08 7:16 PM
Your E-Mail Alerts
Alert Name: My Custom Alert

Obama visit Iraq, boo-ed off stage
Thu, 7 Aug 2008 21:47:46 +0200


You have agreed to receive this email from as a result of your preference settings.
To manage your settings click here.
To alter your alert criteria or frequency or to unsubscribe from receiving custom email alerts, click here.

Cable News Network. One CNN Center, Atlanta, Georgia 30303
© 2008 Cable News Network.
A Time Warner Company
All Rights Reserved.
View our privacy policy and terms.

#25 ::: Hank Roberts ::: (view all by) ::: August 11, 2008, 02:52 PM:

Lots and lots of CNN spam since it started.
Number caught increasing steadily (Postini at work and SpamCop at home are doing a good job catching these now, after some got through last week).

#26 ::: Cat Meadors ::: (view all by) ::: August 11, 2008, 03:24 PM:

Neat! I just checked my spam trap and there were over 50 of these in there. I guess the botnet is warming up...

(Was "Melissa" the "I love you" virus? Whichever, I had to clean up that mess because one of my users had it sent from a woman he was, actually, desperately in love with. It doesn't even take something this well-done to get people to do dumb things. Although, now I'm wondering about one of my apps that asks me to upgrade it every time I start it... hrm...)

#27 ::: Nenya ::: (view all by) ::: August 11, 2008, 06:13 PM:

Ooh, I saw this! My Gmail has been catching these by the bucketload this week. It's kind of strange to see a whole page of spam subject lines, all alike. (Since that address is not signed up for any services remotely like CNN, I wouldn't have clicked anyway. I can't say I'm immune to doing stupid things online, but at least this one wasn't a temptation at all.)

#28 ::: Earl Cooley III ::: (view all by) ::: August 11, 2008, 06:46 PM:

I feel a bit left out. No CNN spam here; most of mine is either Russian, Chinese, German, or in character sets my email reader isn't set up to interpret correctly.

#29 ::: Stefan Jones ::: (view all by) ::: August 11, 2008, 06:51 PM:

#28: Don't feel bad. I only get the CNN mail at my work address.

#30 ::: rmb ::: (view all by) ::: August 11, 2008, 07:02 PM:

I've gotten a bunch of these. I was somewhat perplexed because the headlines looked real and the links at the bottom were actually to But I've never signed up with, and when I typed in the url of the `unsubscribe' link, it had no record of any account of mine.
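
Comments #17 and #30 describe how the lure is built: the footer and unsubscribe links point at the genuine site, while the headline link does not. The following is an added example, not part of the original thread, of a mail-filter check that flags that mix; the brand table, function names, hostnames and sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brand keyword in the From display name -> domains that brand links to.
BRAND_DOMAINS = {"cnn": ("cnn.com",)}

# Constructed sample modelled on the alert text quoted in comment #8.
SAMPLE = """\
From: "CNN Alerts" <alerts@mailer.example>
Subject: CNN Alerts: My Custom Alert
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p><a href="http://hijacked-site.example/story.html">Tropical Storm Edouard moving toward Texas coast</a></p>
<p>To manage your settings <a href="http://www.cnn.com/">click here</a>.</p>
<p><a href="http://cnn.com.alerts.example/top10">Top 10</a></p>
<p>View our <a href="http://www.cnn.com/">privacy policy</a>.</p>
</body></html>
"""


class LinkHosts(HTMLParser):
    """Collect the hostname of every <a href> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        try:
            host = urlsplit(dict(attrs).get("href") or "").hostname
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            host = None
        if host:
            self.hosts.append(host.lower())


def on_domain(host, domains):
    # Exact or subdomain match only, so "cnn.com.alerts.example" does not pass.
    return any(host == d or host.endswith("." + d) for d in domains)


def html_body(msg):
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def assess(raw_message):
    msg = message_from_string(raw_message)
    display, _addr = parseaddr(msg.get("From", ""))
    brand = next((b for b in BRAND_DOMAINS if b in display.lower()), None)
    if brand is None:
        return {"brand": None, "verdict": "no-brand-claim"}
    collector = LinkHosts()
    collector.feed(html_body(msg))
    foreign = [h for h in collector.hosts if not on_domain(h, BRAND_DOMAINS[brand])]
    # The From address is ignored on purpose: the sender controls it.
    return {
        "brand": brand,
        "brand_links": len(collector.hosts) - len(foreign),
        "foreign_hosts": foreign,
        "verdict": "suspicious" if foreign else "consistent",
    }


if __name__ == "__main__":
    print(assess(SAMPLE))
```

Legitimate bulk mail often routes links through third-party tracking hosts, so treat the verdict as one scoring signal rather than a blocking rule.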

#31 ::: Scorpio ::: (view all by) ::: August 11, 2008, 08:53 PM:

I got one at my home ISP and a couple in G-mail. Never opened them. I read the news where I want to and I ignore solicitations.

#32 ::: Michael Roberts ::: (view all by) ::: August 11, 2008, 10:26 PM:

All y'all following the story, they switched landing pages again. About time, too! It had been four days since they did anything worthy of analysis.

The new one pops up a window at, but I'm positive it's also been hijacked, as I see no reason for a consulting company in Germany to be actively aiding and abetting the botnet. I emailed them to tell them they've been featured. We'll see if it has any effect.

#33 ::: Josh Jasper ::: (view all by) ::: August 11, 2008, 11:29 PM:

My CEO just sent a pleading note to the rest of the company to get him off of CNN's mailing list, as he was getting 50 or so alerts a day.

Our COO just accused the SVP of Biz Dev of signing us all up for the alerts.

Guess what sort of company I work for.

Yes, a technology company!

#34 ::: geekosaur ::: (view all by) ::: August 12, 2008, 12:25 AM:

Cat Meadors @26:
yep, "I Love You" was the "Melissa" virus. My sister's still kinda peeved about it (guess her name :)

I've been seeing the "CNN" spam increasing over the past few days; my Cyrus sieve scripts have been catching it on my home and work accounts, and the other accounts haven't been used enough to show up on anyone's radar (although, hm, they should have harvested the GMail one by now). I still need to rewrite my home Sieve script: I used two different kinds of whitelists to see which one would work better, and the one on my work account is much more reliable (fewer false positives, very very few false negatives; home account is so-so on both).

#35 ::: Joyce Reynolds-Ward ::: (view all by) ::: August 12, 2008, 12:42 AM:

Yeah, my spam filter's been catching a lot of these of late. Since I don't subscribe to anything CNNish, I figured it was some sort of weird spam and cleared it without looking.

(and I'm very, very happy to have an ISP with a reasonable spam filter that I can check on a daily basis with a minimum of fuss. For some reason the Tor newsletters get stuck there, no matter how often I whitelist them)

#36 ::: Marilee ::: (view all by) ::: August 12, 2008, 12:50 AM:

Wirelizard, #15, the third & fourth lines have too many syllables, too. It's Da dada Da or da Da dada Da.

I haven't had any. Most of my spam either comes with all ?????s or are from people pretending to be banks with which I don't have accounts. Oh, and I still get the occasional lottery.

#37 ::: dcb ::: (view all by) ::: August 12, 2008, 04:22 AM:

So I'm not the only one getting "CNN Alert: My Custom Alert" spam - I'm deleting about 10 or so a day at present.

#38 ::: Casey Rousseau ::: (view all by) ::: August 12, 2008, 07:30 AM:

Over the last week, these messages have become a *majority* of the spam caught by my work postini account!

#39 ::: Tykewriter ::: (view all by) ::: August 12, 2008, 09:29 AM:

Just to join in the general. I've been getting them too. Gmail sends them straight to the Spam box. Sometimes it's a relief to hear from old Denis Enlargement again. Nothing in blueyonder, though.

#40 ::: Janet Croft ::: (view all by) ::: August 12, 2008, 11:00 AM:

Thanks -- yeah, these weren't ringing my "spam alert" bells, but I blocked the "top 10" anyway because it was annoying. I got one of the "custom alerts" today and thought it might actually BE one of my custom alerts, but now I know to look closely at the topic (it COULD have been -- MAYBE Iceland had won a medal in the summer Olympics...)

#41 ::: Earl Cooley III ::: (view all by) ::: August 12, 2008, 03:49 PM:

At last, oh, at last! My long, dark desolation of rejection is over! I've finally received my very own precious copy of the CNN Spam. I've kept it undeleted in my Junk email shrine so that I may partake (with rhino-hide gloves and thick goggles) of its awe-inspiring perfection. It completes me.

#42 ::: Michael Roberts ::: (view all by) ::: August 12, 2008, 08:05 PM:

Earl, we're all happy for you.

#43 ::: Marilee ::: (view all by) ::: August 12, 2008, 09:44 PM:

Ha! I thought to look at the bitbucket mail from my domain and I have batches there! You know how when you look at Usenet on Google, they ellipse the end of the name in the edress? Well, that's what mine are all directed to.

#44 ::: Michael Roberts ::: (view all by) ::: August 13, 2008, 09:10 AM:

- BREAKING NEWS: Botnet changes spam subjects again.

#45 ::: Phil ::: (view all by) ::: August 13, 2008, 09:35 AM:

One of our employees recently downloaded or opened one of these emails and it turned his computer into a zombie. Consequently inundating the web with thousands of the SMTP CNN emails.

Does anybody have any idea how to get rid of this?

I've run Spybot S & D, CA, and AVG, but all came back clean.

Help please.

#46 ::: Michael I ::: (view all by) ::: August 13, 2008, 10:26 AM:

Michael Roberts@44

Also BBC

#47 ::: Jon Meltzer ::: (view all by) ::: August 13, 2008, 10:43 AM:

I just saw this spam mentioned on a college mailing list I subscribe to. I redirected them here as this thread has the best collection of links on it I've seen.

(Don't worry about the n00bs: many of them are fen and the others are just as cool)

#48 ::: Jon Meltzer ::: (view all by) ::: August 13, 2008, 10:50 AM:

#33: Been there, done that, same business.

You really wonder, sometimes.

#49 ::: Jim Macdonald ::: (view all by) ::: August 13, 2008, 11:50 AM:

May I suggest that all Windows users pick up Grr!

It blocks things from installing themselves on your computer without your explicit permission (and can be centrally managed on large networks).

#50 ::: Michael Roberts ::: (view all by) ::: August 13, 2008, 12:08 PM:

Jon: don't worry about the n00bs, we like them. (They're so crunchy after proper frying.)

Michael I: huh? Can you give me a couple of subjects? Because I'm not seeing any faux-BBC coming in over the botnet IPs I'm monitoring.

Oh! I see: "BBC NEWS" -- but that's not the same people. That one's redirecting to news.avi.exe; goodness, but there are a lot of bad guys these days.

Phil: I'm trying to find the removal instructions I ran across yesterday. If I do, I'll post them.

#51 ::: FungiFromYuggoth ::: (view all by) ::: August 13, 2008, 12:13 PM:

Phil: I'd recommend getting a shareware spyware removal tool like Spyware Sweeper for about $30.

There's some technical details about what gets installed - Trojan-Downloader.Agent.EL - and how to remove it at Enigma Software, but since the spam is a moving target you're better off with a tool. The Enigma site (naturally) recommends their own software.

#52 ::: FungiFromYuggoth ::: (view all by) ::: August 13, 2008, 12:15 PM:

Also naturally, I screwed up the main link I was trying to post.

What was I saying about the user being the upper bound? Oh well. That has always been the case, but the lower bound was sufficiently far away from the upper that it wasn't obvious.

#53 ::: Clifton Royston ::: (view all by) ::: August 13, 2008, 12:33 PM:

Just for info, the CNN spams have morphed into MSNBC headline spams, and a different spammer has decided they like this approach enough to start using BBC headline spams.

#54 ::: Clifton Royston ::: (view all by) ::: August 13, 2008, 12:35 PM:

Oh, and I see Michael beat me to it way upthread. 's what I get for being in a later timezone.

#55 ::: Michael Roberts ::: (view all by) ::: August 13, 2008, 12:52 PM:

The BBC News IP pool doesn't coincide with the IE 7 update spam from a couple of days ago, either. That makes at least three botnets, unless they use different segments of their pool for different applications. (That theory doesn't hold up, though, because the CNN/news headline group has spammed on other topics, and is still doing so, although at lower intensity.)

The more I look, the more there is to see...

#56 ::: Jon Meltzer ::: (view all by) ::: August 13, 2008, 01:03 PM:

#45, #51: Also try this link.

No guarantees; I haven't needed to get rid of the virus myself. I hope the user has been backing up because it looks like the easiest thing to do might be to reformat, reinstall, and restore.

#57 ::: Stefan Jones ::: (view all by) ::: August 13, 2008, 01:32 PM:

Got my first MSNBC spam just this morning! The lead story link goes to some site in Japan.

#58 ::: Jon Meltzer ::: (view all by) ::: August 13, 2008, 01:58 PM:

A prevention utility that might help in future recovery from viruses like this one:

Most backup programs that I know of do not back up the Windows registry. I have on my computers ERUNT, a freeware utility that automatically backs up the registry every day. The only "flaw" is that every so often I have to go to ERUNT's storage directory and clean out the clutter. But that's trivial.

This has saved me a couple of times. It's not just viruses one has to worry about; a power failure at the right time can trash one's registry.

#59 ::: Clifton Royston ::: (view all by) ::: August 13, 2008, 02:54 PM:

Phil @ 45:
Serious answer here: The virus and malware developers have developed very sophisticated hooks to selectively hide their software from the antivirus software or to disable it from really removing all their hooks. Once it's on the computer, you can't be really sure of cleaning it all out, because you can no longer trust anything the computer sees. That's what they mean by "owned" - you only see what the malware wants you to see. The only way to be sure is start from scratch.

At this point with the current virus state-of-the-art, I'd recommend backing up all data files (documents, databases, address books, etc.) to offline media, wiping the hard disk, and reinstalling Windows from scratch. That's the same as I'd do for a cracked Linux or Unix server. It's a harsh road, but it's the only way to be sure you've got it all.

(One advantage you do have with Linux is that you can boot the computer from a standalone CD and then use tools on the CD to check and disinfect the system; but it's been a long time since you could boot into Windows from a floppy or CD, other than to install.)

Here's a good article from last fall on what I'm talking about:
Security researcher Peter Gutmann's The Commercial Malware Industry
(5 second summary: the bad guys are winning, by miles.)

#60 ::: Phil ::: (view all by) ::: August 14, 2008, 08:20 AM:


It turns out the user downloaded something that looks similar to XP Antivirus. Which he got from a link in an email. He tells me that he thought it was one of his friends emailing it to him. WRONG!

BTW, XP Antivirus looks like this;

But I'm guessing he really got the CNN Virus/worm/trojan whatever you want to label it.

thanks #52 and #56
I will try those programs today

#61 ::: Clifton Royston ::: (view all by) ::: August 16, 2008, 12:42 PM:

There are several flavors of viruses and malware which masquerade as antivirus software. They're usually hard to remove. Good luck.

I think my previous advice still stands, but hope you manage to truly remove it without having to wipe.

