I handle the abuse contact for an ISP’s domain name. Normally this doesn’t take up much of my inbox. Even the “Your users are spamming” messages (in response to forged senders) have dropped off.

Since last night, though, the abuse and tech support contacts that filter into my inbox have collected 44 spams advertising the “Body Bouncer,” which claims to “take the gravity out of sex.”* Distributed IPs, random content, 6 different subjects (so far). What they have in common are a sales pitch in an image, and a link to their website.

Ordinarily, that would be enough to tag it. The URL was already in SURBL and URIBL.com. There was only one problem. 37 of these messages were sent to abuse@example.com—an address which expects spammy content and therefore does not filter it.

I set up a filter on the URL in my mail client, which takes care of the immediate problem…but why are they targeting the abuse contacts in the first place?
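The handling described above, as an added sketch that is not from the original post: URLs are checked against a URI blocklist, but mail to role addresses is flagged for client-side sorting instead of being filtered away. The role-address list, the action names, the sample message and the injected `is_listed` callback are assumptions; `multi.surbl.org` is SURBL's public lookup zone.

```python
import re
from email import message_from_string

ROLE_LOCALPARTS = {"abuse", "spam", "postmaster"}   # assumed role addresses
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Constructed sample message; all domains are placeholders.
SAMPLE = (
    "From: sender@mail.invalid\n"
    "To: abuse@example.com\n"
    "Subject: constructed sample\n"
    "\n"
    "Offer at http://www.spamvertised.example/buy, see also http://example.org/\n"
)

def url_domains(text):
    """Domains of all URLs in text (last two labels; ignores ccTLD suffixes)."""
    domains = set()
    for host in URL_HOST.findall(text):
        labels = host.lower().strip(".").split(".")
        if len(labels) >= 2:
            domains.add(".".join(labels[-2:]))
    return domains

def surbl_query_name(domain, zone="multi.surbl.org"):
    """DNS name to query; NXDOMAIN means the domain is not listed."""
    return f"{domain}.{zone}"

def classify(rcpt, raw_message, is_listed):
    """Return (action, listed_domains). is_listed(qname) -> bool is injected
    so the policy can be exercised offline; in production it wraps a resolver."""
    msg = message_from_string(raw_message)
    text = " ".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if not part.is_multipart()
    )
    hits = sorted(d for d in url_domains(text) if is_listed(surbl_query_name(d)))
    if not hits:
        return "inbox", hits
    if rcpt.split("@", 1)[0].lower() in ROLE_LOCALPARTS:
        # Role mailboxes must keep receiving samples: flag, never discard.
        return "inbox-flagged", hits
    return "spam-folder", hits

if __name__ == "__main__":
    listed = {"spamvertised.example.multi.surbl.org"}   # constructed listing
    for rcpt in ("abuse@example.com", "alice@example.com"):
        print(rcpt, classify(rcpt, SAMPLE, lambda q: q in listed))
```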

Now this isn’t the first time someone’s decided to spam the abuse contact, but I don’t see the value in it. Sure, it might get past the filter, but it targets the people least likely to buy your product and most likely to track you down and file a complaint. It’s like pulling a bank robbery in broad daylight across the street from the police station.

The only reason to target abuse@example.com, spam@example.com, etc. to the exclusion of other addresses is to taunt the spamfighters. Either they’re total a—holes, or someone wants us to think they are.

I did some digging. The domain name has been around since January of last year, and apparently made a run through the blogosphere last July. Rather atypical for a spammer these days, as they tend to use throwaway domain names that change weekly just to keep a few hours ahead of the filters. And while the product has shown up in spam before, it wasn’t with their presumably flagship domain name.

I tried looking at the website in Lynx, but it was typical clueless design where even a lot of the text was in picture form, with “Picture1.jpg” as the ALT text. Finally I fired up Opera, disabled JavaScript, Java, and Cookies, and looked at the site. Curiously, one of the images on the home page was exactly the image used in the spam!

At this point I was seriously leaning toward Joe job as a theory. I looked around, and there’s a note on the front page: “If you believe you have received unsolicited (spam) email from us, please click here for an important message.” It leads to a page describing spam from knockoff websites using their own phone numbers to collect credit card info…and a Joe job.

Do I believe them? I can’t say I’m convinced, which is why I’m not linking to them directly in this article. But given the evidence—they’ve been using the domain name long enough that it would be counter-productive to hand it straight to the most motivated antispam folks—I’ll give them the benefit of the doubt and let adaptive measures deal with it instead of something more drastic, like SMTP-rejecting everything that mentions their domain name.

*It appears to be a trampoline with a hole in it.

4 thoughts on ““Abuse Contact” is not an invitation”

  1. […] On another note, I’ve been seeing a lot more email spam targeting the abuse contacts lately. I don’t know what they think they’re accomplishing, since the people reading abuse@wherever are most likely to report them and least likely to buy from them. I mean, “Greetings Abuse!!!” doesn’t seem an effective way to begin a sales pitch. […]

  2. “The only reason to target abuse@example.com, spam@example.com, etc. to the exclusion of other addresses is to taunt the spamfighters.”
    not sure i agree – imnho, it’s an economies of scale issue. the more email addys the better (for the spammer) – plain and simple.

  3. If it’s simply a matter of “the more email addys the better,” why send mail only to the abuse contacts? Wouldn’t it be more effective to just blast every address you have for the site? Or run a dictionary attack?

