Following up on the PayPal anti-phishing discussion of a few weeks ago, I see that PayPal is promoting a service called Iconix. You install the program on your system, and it looks at your inbox for messages that claim to be from one of its customers. It tries to verify them “using industry-standard authentication technologies such as Sender ID and DomainKeys.” Messages that pass get a lock-and-checkbox icon attached to the sender’s name, and in some cases the name is replaced by the sender’s logo.

On the tech side, it’s similar to SpamAssassin’s whitelist_from_spf and whitelist_from_dkim features. Both let you specify a sender to whitelist, and the filter only gives a message special treatment if it can verify that sender.

On the user-interface side, it’s similar to EV certificates, in that it tries to highlight a “good” class of messages rather than flag or filter out a “bad” class.

It’s not a bad idea, actually, and now that I think about it, I’m surprised I haven’t seen something similar in other email clients. It’s sort of like setting up custom ringtones or images for the contacts in your cell phone address book.

They seem to be focused on webmail and Outlook so far, and only on Windows, but it looks like the perfect candidate for a Thunderbird extension. They do have a sign-up form to notify you when they add support for various programs and OSes, and I was pleased to see not only Thunderbird and Mac OS listed, but Linux as well. Too often, Linux gets forgotten in the shuffle to ensure compatibility with every Windows variation.

I don’t think I’ve seen this one in the wild, but variations pop up on Spam Or Not from time to time.

I’ve obscured the website address, though I’m sure it’s been replaced by now.

Seriously, how can you look at the combination of poorly-drawn not-quite stick figures (probably done with a mouse in Microsoft Paint) with the visual equation demonstrating the supposed effects of a diet supplement and not laugh?

Edit: I’ve realized why I haven’t seen these in the wild: We use the MSRBL-Images signatures in our spam filter, and that list is built using ratings from Spam Or Not.

Edit 2: Both the filter signatures and the rating site seem to be gone now, so a little background: MSRBL-Images was a list of hashes that could be used to identify images that were repeatedly used in spam. Spam or Not, inspired by the infamous Hot or Not site, was their way of crowdsourcing the data. The site would show an image that had been collected, and you could mark it as spam or not, and some threshold or percentage of spam ratings would cause the hash to go into their signature list.

With bloggers squashing obviously-spammy links* as fast as they can, comment spammers have evolved. (I think they’ve reached the level of slime mold now, rather than amoebas.) They’re trying to make their sites look like blogs. And I’m seeing two main techniques, one involving Trackbacks/Pingbacks, the other involving manual person-at-a-keyboard commenting.

Misusing Pingbacks and Trackbacks

Pingbacks and Trackbacks are two ways for one site to notify another that it’s linked to it, and provide an excerpt of the context. Essentially, they’re automated comments. You read a post on some other site, you write your own response, linking to the original post, and your blog software submits the equivalent of “Hi, I read your post, and it got me thinking. I ended up writing my own post over here…”

Where spam is concerned, the main difference is that with Trackbacks, the submitting site provides an excerpt, but with Pingbacks, all it submits is the URL. The receiving blog then retrieves the page and scans it for the link, building an excerpt from the context. The upshot of this is that Pingbacks automatically verify that yes, the site really did link to you, which meant that a lot of early comment spam was submitted using Trackbacks.

The obvious response to that was to set up spam protection to verify links on incoming Trackbacks. And the obvious response by the spammers was to put up real links, at least long enough to let the victims verify them.

So now, a lot of trackback/pingback spam seems to come from sites running actual blogging software, but not really posting any content. Just “So-and-so wrote an interesting post today” over and over, hundreds of times a day. Half the time they don’t bother to match the name to the actual link. This is the kind of spam that prompted my recent re-evaluation of spam plugins on this site.

Sneaky Intermediary

Then there was the sneaky post I got on Thursday. It was a sort-of half-on-topic comment on a post about movies, and the author’s URL pointed to what appeared to be a blog about movies. OK, fair enough, but I was still a bit suspicious since it didn’t look like they’d actually read my post.

I skimmed the site looking for things like cobbled-together sentences, and an idea of how long it had been around. Then there was a random post about guitars, in a different writing style. I figured, okay, maybe they’re doing one of those paid-post things.

Then I moved the mouse cursor over one of the links.

It quickly became clear that every single outgoing link on the front page was pointing to ultimate – free – downloads – dot – com, whether it was a movie title, or an actor, or a song title.

At this point I’m not sure whether the site in question is simply an elaborately designed intermediary created to “launder” the links to spam sites, or whether it’s a legit blog that’s been hijacked by someone replacing their links. I looked around at some of the older posts and I do see links to Amazon and a couple of other sites.
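Two checks from the posts above, as an added example (not code from this blog or from any blog software): the Pingback-style verification that a claimed source page really links to your post (with an excerpt built from the surrounding text), and the “sneaky intermediary” check of where a site’s outgoing links actually point. The pages are constructed HTML passed in directly; a real receiver would fetch them first, and all hostnames here are made up.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs plus the page's visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._cur = [], [], None
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._cur = [href, ""]
    def handle_data(self, data):
        self.text.append(data)
        if self._cur:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur:
            self.links.append(tuple(self._cur))
            self._cur = None

def verify_pingback(source_html, source_url, target_url, context=40):
    """Pingback-style check: confirm the claimed source page really links to
    target_url and build an excerpt around that link; None if the link is absent."""
    p = LinkCollector()
    p.feed(source_html)
    for href, anchor in p.links:
        if urljoin(source_url, href) == target_url:
            full = " ".join("".join(p.text).split())   # collapse whitespace
            i = max(full.find(" ".join(anchor.split())), 0)
            return full[max(i - context, 0): i + len(anchor) + context]
    return None

def outgoing_link_hosts(html, page_url):
    """Sneaky-intermediary check: count the hosts the page's off-site links go to."""
    p = LinkCollector()
    p.feed(html)
    own = urlparse(page_url).netloc
    hosts = (urlparse(urljoin(page_url, href)).netloc for href, _ in p.links)
    return Counter(h for h in hosts if h not in ("", own))

# Constructed sample pages standing in for fetched HTML (not real sites)
MY_POST = "https://blog.example/2007/movie-review"
GOOD_SOURCE = "https://other.example/response"
GOOD_HTML = ('<p>I read <a href="https://blog.example/2007/movie-review">this review</a>'
             ' and it got me thinking, so I wrote my own.</p>')
FAKE_SOURCE = "https://movies.example/"
FAKE_HTML = ('<p>Great <a href="http://downloads.example/a">film</a> starring '
             '<a href="http://downloads.example/b">that actor</a>.'
             ' <a href="/about">About this blog</a></p>')
```

A front page whose off-site links all collapse onto a single host, as FAKE_HTML does, is the pattern described above; a legitimate blog's counter is spread across many hosts.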

*This is also why I’ve stopped using the Alternative Browser Alliance as my URL when commenting on browser-related blogs. Even though I’m making an on-topic comment, I don’t want people to take a look at the link, say, “Hey, this isn’t a person, this is some weird campaign thing!” and delete the comment…and worse, get a rep as a comment spammer. So these days I just link everything here.

There’s something delicious about irony in spam. Yesterday, the spamtraps netted an advance fee fraud scam message that started out like this:

Let me be honest with you. This information is just for you alone [emphasis added]. I would suggest that you try to fix it instead of making any trouble with it as my job might be put on the line here.

Your name has been on an awaiting list of payment roaster submitted by the Nigerian Government For your lottery/inheritance reasons of no banking particulars on which transfer should be made to until two days ago when the paying Bank personnel brought in another payment roaster for the replacement of the former that had your name on it.

The funny part? (Well, aside from the “payment roaster.”) There were about 300 recipients in the To: line.

Gee, I don’t think all 300 people have the same account info…

Most spam doesn’t run into this problem, since it’s generated by special programs that don’t even bother filling in complete headers. But from what I understand, a lot of 419 scams are still sent by people sitting in internet cafes, copying and pasting bits from templates. So it’s easy to imagine someone pasting their list into the wrong field. Kind of like the classic “Reply All” fiascos.

I just spotted an advance fee fraud pitch in the spamtraps that started out with the greeting: Dear Trusting Friend.

I suppose the scammer could have meant “trusted friend,” which is still odd for an introduction, but makes a little more sense. Of course, if you take “trusting” to the extreme—i.e. gullible—you’ve just described the type of mark they’re looking for.

As a bonus: only two* of the ~270 Google hits for the phrase are not references to 419-style letters using the same opening. People just don’t write things like that normally, which makes it a pretty good indicator.

*I didn’t look at all 270, but there were only 30 hits by the time Google filtered out duplicates. And most of those were clearly recognizable just from the excerpt on the search results pages. For the record, both of the two non-scam hits used it as a description, not a greeting.

I recently noticed that the mail server was experiencing 4 times the typical number of SMTP connections. It didn’t seem to be under any stress, though, not as far as server load went. So I watched the log file trail, and saw a bunch of messages coming in to nonexistent users with the pattern, FirstnameLastname@alternativebrowseralliance.com.

My first thought was that someone was running a dictionary attack against the domain, trying many different addresses to see which might be valid. Then I noticed that they seemed to be coming from <> — in other words, they were bounce notices.

Great. A Joe Job.

I enabled a catch-all temporarily. That did cause the server to slow down, as it was now actually processing the quadruple load instead of kicking back 3/4 of it with a “User unknown” error. (I hadn’t thought to disable spam scanning on the domain first.) In the 30 seconds before I turned it off again, it picked up 25 non-delivery notices. And those are just the ones that got past the spam filter.

As it turned out, they were just random junk. Some spammer had picked the domain and was using it to forge random From: addresses, and we were getting the bounces. In the old days they made up the whole address, but it’s easy to check whether a domain exists. So now they pick some real domain and make up a fake address. That’s harder to detect unless the domain in question uses some sort of verification system like SPF or DKIM.

So it wasn’t a Joe Job: no one was trying to besmirch the site’s reputation. It still meant extra traffic to the mail server, though.

This problem is called backscatter, and it exists for two reasons:

  1. The sender address on an email message is easy to forge, like writing a fake address on an envelope.
  2. Many mail systems will accept a message first, then process it. If it then decides to reject it, it can’t respond to the actual sender, only to the one listed in the message—and in the case of spam, it’s usually forged (see #1).

I don’t send any mail using the domain. The only reason it even has mail pointed anywhere is so that I can receive mail sent to the webmaster for the Alternative Browser Alliance. I suppose I could set up a -all (no servers are authorized) SPF record, and hope some recipients decide not to send bounces. But I’m not sure how much it would actually accomplish.

Anyway, the two lessons to take away from this are:

  • Reject messages to bad recipients in the initial SMTP transaction. It’ll protect your server from backscatter (and dictionary attacks), because you won’t have to queue and process all the extra junk.
  • Don’t generate bounce messages after the fact based on something as easily forged as the supposed sender. Otherwise, you’ll be contributing to backscatter.
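The log pattern that gave this away (null envelope sender, FirstnameLastname recipients that don’t exist) is easy to spot automatically. This is an added example, not the blog’s own tooling: it triages constructed log lines in a simplified one-line-per-recipient format (sender, recipient, SMTP-time verdict) and flags a domain when most of its traffic is bounces of mail it never sent. The log format and the sender domains are made up; the recipient domain is the one from the post.

```python
import re
from collections import Counter

# Constructed log lines in a simplified MTA format (not the author's real logs):
# one line per recipient, with envelope sender, recipient and the SMTP-time verdict.
LOG = """\
from=<> to=<JohnSmith@alternativebrowseralliance.com> status=rejected (User unknown)
from=<> to=<MaryJones@alternativebrowseralliance.com> status=rejected (User unknown)
from=<> to=<PeterBrown@alternativebrowseralliance.com> status=rejected (User unknown)
from=<reader@mail.example> to=<webmaster@alternativebrowseralliance.com> status=accepted
from=<> to=<AnnLee@alternativebrowseralliance.com> status=rejected (User unknown)
from=<> to=<TomWhite@alternativebrowseralliance.com> status=rejected (User unknown)
from=<> to=<SueGreen@alternativebrowseralliance.com> status=rejected (User unknown)
from=<friend@other.example> to=<webmaster@alternativebrowseralliance.com> status=accepted
"""
LINE = re.compile(r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)> status=(?P<status>\w+)")
NAME_PATTERN = re.compile(r"[A-Z][a-z]+[A-Z][a-z]+")   # FirstnameLastname local parts

def triage(log_text):
    """Per recipient domain: total RCPTs, null-sender mail to unknown users
    (bounces for mail we never sent), how many of those used made-up names,
    and the bounces' share of the total."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        local, _, domain = m["rcpt"].rpartition("@")
        c = stats.setdefault(domain.lower(), Counter())
        c["total"] += 1
        if m["sender"] == "" and m["status"] == "rejected":
            c["null_sender_unknown"] += 1
            if NAME_PATTERN.fullmatch(local):
                c["made_up_names"] += 1
    return {dom: dict(c, share=c["null_sender_unknown"] / c["total"])
            for dom, c in stats.items()}

def is_backscatter_storm(summary, domain, min_count=5, min_share=0.5):
    """Flag a domain when most of its traffic is bounces of forged mail."""
    s = summary.get(domain)
    return bool(s) and s["null_sender_unknown"] >= min_count and s["share"] >= min_share
```

On the sample the domain shows the same three-quarters share the post describes; because the verdicts are taken at RCPT time, the server never queued any of the rejected bounces (lesson one above).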