I’ve noticed a new subset of blog spam over the past few months: Jokes. Instead of just filling the comment with links to the spamvertized site, it’ll either leave the link in the author URL field, or toss a couple links in at the end, but the bulk of the comment will actually be a joke.

Generally they tend to be story-type jokes, the kind you’ll find on, say, Jumbo Joke. This is probably an effort to build up enough comedic content to overwhelm the presence of links to a porn or pillz site. A similar technique had a brief heyday maybe a year ago in email spam, though I haven’t seen many of them lately.

It’s still spam—there’s no way I’m letting those comments and links onto the site—and Spam Karma still catches them. Still, it at least makes the spamtraps a little more interesting than the endless morass of links and keywords.

On another note, I’ve been seeing a lot more email spam targeting the abuse contacts lately. I don’t know what they think they’re accomplishing, since the people reading abuse@wherever are most likely to report them and least likely to buy from them. I mean, “Greetings Abuse!!!” doesn’t seem an effective way to begin a sales pitch.

Some funny spam subjects that have popped up in my inbox or in the server’s spam traps recently:

  • freewheeling slush — Because slush that’s hemmed in by tradition just isn’t worth reading.
  • Planning buying trickles — In times of drought, even the tiniest stream is a wise investment!
  • Google Animal Gestation — I see Google is diversifying their business again.
  • Wanna Burn Movies? — For some reason I’m picturing a can of film on a bonfire, not a DVD burner.
  • I found something Daphne — It looks like a monster mask! Jeepers, this haunting is a hoax!

Brought to you by the Department of Word Salad. (I really ought to draw up a guest strip for Spamusement with one of these.)

In the past two weeks, a new variant of the advance fee scam has dropped into our spam traps: supposed UK-based artists needing help selling their works overseas.

The classic Nigerian scam involves someone claiming to be the relative of a deceased or deposed dictator, general, etc. who is trying to smuggle money out of the country and needs to borrow your bank account to do it.

It’s usually a third-world country, often one with political strife, so that the average westerner won’t be too suspicious of the level of corruption implied. You never see this scam claiming to come from, say, France, or Japan, because the process would set off too many alarm bells. Someone needing to transfer that much money would either do it through normal banking channels or through organized crime—not by firing off an email to some random citizen in a foreign country.

The first-world variation, at least up until now, has been the “International Lottery” scam. In this variation you get a winning notice, but of course you need to pay them before they can send you the money, etc. This one generally claims to be based in Europe, often several countries in one message. The idea of a lottery seems much more plausible in the first world.

Someone has come up with a way to bring the 419 scam into the first world. The two samples I’ve seen so far both involve UK-based artists trying to sell their works in the US. The premise is that their customers want to pay by some method that is “difficult to cash” in the UK, so they want you, a US resident, to accept the travelers’ checks, or money orders, then wire them the amount minus a 10% commission.

Right.

I’m seriously waiting for someone to offer a commission on the Brooklyn Bridge.

The setting has changed—instead of a dictator’s widow who has hidden away ill-gotten gains in “darkest Africa,” it’s a happy Londoner living with his or her “two kids” and “the love of [their] life” and selling art on the international market. All shiny, happy and yuppie (with just a hint of bohemian). But the script is the same: Someone wants to clear huge amounts of money through your bank account.

I was going to post some quotes, but as I started looking at them, the similarities really go through the entire message.

Spam subject:

this going to expolad

It’s a stock spam, and what they’re trying to say is “This is going to explode.” But doesn’t “Expo-Lad” sound like a character from the Legion of Super-Heroes?

Just imagine:

“No one wants to come to our convention! What can we do?”
“Never fear! Expo-Lad will save us!”

Update: I can’t believe I didn’t think of this earlier, but maybe ExpoLad is related to TypoLad!

It seems obvious that different email addresses get different types of spam. I recently noticed that even addresses with nearly identical exposure sometimes end up with wildly different collections.

A number of our spamtrap addresses are “seeded” by hiding them on websites. Put it somewhere that no human visitor will notice, ’cause the harvesting bots will see it anyway. There’s a whole set scattered across this domain, for instance, and even the spamtraps hidden in different areas of this site attract different types of spammers.

My Flash site is the most high-trafficked section on here. Spamtraps there seem to pick up mostly ads for dubious pharmaceuticals, and occasionally mortgage offers. It’s also the most heavily linked-to section, so this is probably the target of spiders that jump from site to site.

The remnants of my Les Misérables site wouldn’t seem to be terribly popular with spammers, but it turns out spamtraps on those pages pick up quite a bit…mostly in Chinese. Back when the site was active, it got linked to by a lyrics site in Taiwan. When it went more-or-less offline, the link stayed.

Spamtraps rotated through the top page of the site seem to collect mostly porn. I’m guessing there’s a class of bots that just look for valid domain names and hit the home page… and they’re mostly used by porn spammers.

The last area of the site that gets lots of spam is this blog. And it seems to collect all of the above.
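
The seeding approach described above, sketched as an added example (not the author's own setup): each site section gets its own hidden trap address, so incoming spam can be attributed to the place it was harvested from. The key, domain, section names and sample traffic are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Assumptions for this sketch: the key, the domain and the section names.
SECRET = b"constructed-demo-key"
DOMAIN = "example.org"
SECTIONS = ["flash", "lesmis", "home", "blog"]


def trap_address(section):
    """Derive the trap address to hide on pages of one site section."""
    tag = hmac.new(SECRET, section.encode(), hashlib.sha256).hexdigest()[:10]
    return f"{section}-{tag}@{DOMAIN}"


# Reverse map used when mail arrives: address -> section it was seeded in.
SEEDED = {trap_address(s): s for s in SECTIONS}


def tally(messages):
    """Count spam categories per seeding location.

    messages: iterable of (recipient, category) pairs, where category is
    whatever label the spam filter assigned. Mail to addresses that were
    never seeded (guessed or mistyped) is counted under "unseeded" so it
    cannot skew the per-section picture.
    """
    stats = {}
    for recipient, category in messages:
        section = SEEDED.get(recipient.strip().lower(), "unseeded")
        stats.setdefault(section, Counter())[category] += 1
    return stats


# Constructed sample traffic, not real data.
SAMPLE = [
    (trap_address("flash"), "pharma"),
    (trap_address("flash"), "pharma"),
    (trap_address("flash"), "mortgage"),
    (trap_address("lesmis").upper(), "chinese-language"),
    (trap_address("home"), "porn"),
    (trap_address("blog"), "pharma"),
    (trap_address("blog"), "porn"),
    (f"flash@{DOMAIN}", "porn"),  # guessed address, never published
]

if __name__ == "__main__":
    for section, counts in sorted(tally(SAMPLE).items()):
        print(f"{section:9s} {counts.most_common()}")
```

Because the tag is keyed, a sender guessing `flash@` style addresses lands in the "unseeded" bucket instead of inflating a section's numbers.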

Some recent bizarre-but-true spam subjects:

Dinky $ch001girl$ of the universe

Obviously trying to avoid keyword filters (not that it helped), but come on—“dinky?” When was the last time you saw that applied to a person? And what exactly is a “schoolgirl of the universe?” It sounds like a new anime series or something, with schoolgirls and jet packs, roaming the galaxy to defeat evildoers.

trill boxing

It’s the fight of the 24th Century! In this corner: Curzon Dax! In this corner: Odan! Who will win? All I know is it won’t be my free time; when I looked up the names, I found Memory Alpha, a Star Trek wiki with waaay too much info. And there’s all kinds of stuff that’s happened since I stopped watching in the mid-1990s.

It lets a woman ride you like you’ve never been ridden before!

Sent to a spamtrap with a woman’s first name. Sure, you’ll reach a few who might be interested, but statistically speaking you’re better off targeting men. Or, if you take it literally instead of figuratively, horses. Last I looked, though, there weren’t too many horses with email. Unless you count pwnies, I suppose.

Remember how LiveJournal, TypePad, and related sites were down the other day? The official line was that “Six Apart has been the victim of a sophisticated distributed denial of service attack.”

It turns out that the DDoS wasn’t aimed at 6A, LJ, or any other part of their network. It was aimed at Blue Security, an anti-spam company, who decided to re-route their web traffic to their blog—a blog hosted on TypePad. So instead of their own site going down, it took out Six Apart’s entire network of millions of bloggers.

Classy move, guys.

I do admire Six Apart’s restraint in not pointing fingers themselves. If it had been my site (though in a way, I suppose it was, since I’ve got an LJ blog, even if I don’t update it very often), I would have been royally pissed off.

Sure, Blue Security didn’t launch the attack—but they did choose where to redirect it. Maybe they thought Six Apart would be able to handle it. Maybe they thought the attackers were targeting them by IP and not domain name. Maybe they were panicked and didn’t think. Maybe they thought things through, but 6A got bitten by the now-all-too-familiar law of unintended consequences. They could easily have pointed their domain name at empty IP space, or to localhost. Redirecting it to a third party was less like deflecting a punch and more like the “Do it to Julia!” moment in 1984, or the classic joke, “I don’t have to outrun the bear, I only have to outrun you.”

(via Spamroll)

Update: Additional articles at Computer Business Review and at Netcraft, and a Slashdot story.

Update 2: According to Blue Security, the DDoS was not targeting their website by name, and the DDoS didn’t attack their blog until after they had already redirected the website. So it looks like it was less a case of them redirecting the attack and more a case of the attackers chasing them.

*Sigh* Must remember to collect all facts before engaging in righteous anger.

Update 3 (May 9): Apparently “all the facts” as reported by Blue Security don’t add up… (via Happy Software Prole)