We’ve been testing Barracuda’s new BRBL spam block list at work. This involves flagging but not actually blocking messages, then me looking through the logs for potential false positives. I’ve found several, including the Star Wars Fan Club (I subscribed myself just to verify that it was really sent by a server at lucas-online.info) and a senator’s mailing list.

There’s also a lot of definite spam, and a lot of stuff that I just can’t tell. It’s marketing, certainly, but I have no idea whether the particular users actually subscribed or not.

Anyway, this subject showed up several times on the list:

Stimulate your bottom line with Microsoft Financing and the 2008 Economic Stimulus Act

Naturally, when I first skimmed the list only the first three words were visible. 😯

A couple of messages recently fell into the spamtraps with the subject, “Someone sent you Snickers Candy,” offering lots of free candy and exhorting, “Don’t resist temptation! Sign-up now to get started.”

One of the throwaway addresses used? dietsthatwork2008 (dot) com.

Obviously, that one doesn’t!

One of the great ironies of phishing is that, these days, identity theft via the web tends to work by preying on people’s fear of identity theft. It doesn’t help that most people don’t really understand the technology. The typical phishing message looks something like this:

Dear so-and-so. In order for us to protect your account from identity theft, we need you to give us all the critical information that we already have. Otherwise, your account will be locked.

These typically use actual bank logos and link to a website that imitates the bank’s real site as closely as possible. The days of “Pease entr yore acccccount infomation hear KTHXBYE” are long gone.

But the one I saw in the spamtraps today was just astonishing in its brazen use of buzzwords to add authenticity:

Dear Wilmington Trust Banking Member,

Due to the high number of fraud attempts and phishing scams, it has been decided to implement EV SSL Certification on this Internet Banking website.

First we have the scare tactic (always ironic in a “there are treacherous people about” sense). Throwing in EV SSL certificates makes it seem a bit more authoritative, since it’s something a lot of companies have started doing, and people may have heard about it in the news.

The use of EV SSL certification works with high security Web browsers to clearly identify whether the site belongs to the company or is another site imitating that company’s site.

It has been introduced to protect our clients against phishing and other online fraudulent activities. Since most Internet related crimes rely on false identity, WTDirect went through a rigorous validation process that meets the Extended Validation guidelines.

And here they talk about EV certs and how much safer they’ll make your account!

Please Update your account to the new EV SSL certification by Clicking here.

And here’s where they demonstrate that they figure the typical mark doesn’t actually have a clue what EV SSL certificates are. Various real businesses have converted from standard SSL to Extended Validation SSL, and the users didn’t have to do a thing.

Now, you might need to upgrade your web browser or switch to one that will show you a green bar (Firefox 3, IE7, Opera 9, etc.), but you’d still be able to access your account even if you didn’t. Unless the site started blocking other browsers, as PayPal briefly discussed back in April. Even then, there would still be nothing that would require you to log into your account and make a change.

Anyway, let’s continue:

Please enter your User ID and Password and then click Go.

This one’s presumably a simple phish, just obtaining login credentials to give the thief access to the account through the web.

(Failure to verify account details correctly will lead to account suspension)

And of course the implied threat: Do this or you won’t be able to get at your money. Again, a typical phishing tactic.
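The four ingredients picked apart above (the scare tactic, the credential request, the “click here” link to a look-alike site, and the suspension threat) are exactly what a mail filter can score for. The following is an added example, not code from this blog or from any filtering product it mentions: it extracts the anchors from an HTML message, flags any link whose host is not the impersonated brand’s own domain, and counts the lure phrases. The brand domain `bank.example`, the look-alike host and the two sample messages are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrase families the post calls out, matched case-insensitively against
# subject + body text: scare tactic, credential request, threat, call to action.
LURE_PATTERNS = {
    "scare": r"\b(fraud attempts|phishing scams|identity theft)\b",
    "credentials": r"\b(user id|password|account (details|information))\b",
    "threat": r"\b(account (will be )?(locked|suspended|suspension))\b",
    "action": r"\b(click(ing)? here|update your account|verify your account)\b",
}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def offsite_links(html, brand_domains):
    """Return hrefs whose host is neither a brand domain nor a subdomain of one.
    A link with no host at all (mailto:, javascript:) is also reported."""
    parser = _LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, _text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in brand_domains):
            flagged.append(href)
    return flagged


def score_message(subject, html, brand_domains):
    """One point per lure family present, two points for any off-brand link."""
    text = re.sub(r"<[^>]+>", " ", html)  # crude tag strip; enough for phrase matching
    body = f"{subject}\n{text}".lower()
    hits = {name: bool(re.search(pat, body)) for name, pat in LURE_PATTERNS.items()}
    links = offsite_links(html, brand_domains)
    return {"hits": hits, "offsite_links": links,
            "score": sum(hits.values()) + (2 if links else 0)}


# Constructed sample messages (hypothetical brand domain bank.example).
PHISH_HTML = """<html><body>
<p>Dear Banking Member,</p>
<p>Due to the high number of fraud attempts and phishing scams, it has been decided
to implement EV SSL Certification on this Internet Banking website.</p>
<p>Please Update your account to the new EV SSL certification by
<a href="http://bank-example.secure-login.example/ev">Clicking here</a>.</p>
<p>Please enter your User ID and Password and then click Go.</p>
<p>(Failure to verify account details correctly will lead to account suspension)</p>
</body></html>"""

LEGIT_HTML = """<html><body>
<p>Your monthly statement is ready. Sign in at
<a href="https://online.bank.example/statements">online.bank.example</a> to view it.</p>
</body></html>"""

if __name__ == "__main__":
    print(score_message("EV SSL Update", PHISH_HTML, ["bank.example"]))
    print(score_message("Your statement", LEGIT_HTML, ["bank.example"]))
```

The off-brand link check is the part worth keeping even if the phrase list rots: a real certificate change never needs the customer to follow a link, so a “please update” message whose anchor points away from the brand’s domain is suspicious regardless of its wording.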

On a side note: My favorite spam topic of the last week is “Refinance your ARM today.” Yeah, I know what ARM stands for, but I keep imagining Cyborg, or perhaps the Six Million Dollar Man, trying to refi a loan that covers the gadgets in his arm.

Waaay back in the dark ages of the Web (somewhere between 1994 and 1997) I discovered a weekly email newsletter called “This Is True.” It collected strange-but-true news stories from around the world, summarizing each in a short paragraph with a witty one-liner at the end. I subscribed to the free edition, and later to the full version, which had about twice as many stories. I even picked up a few of the books collecting past stories (at a con, I think, but I can’t remember which con).

Eventually I got too busy to read them, and the back-issues piled up unread, and I decided to let my subscription lapse. But earlier this year, I decided to re-up with the shorter, free version, and it’s still as good as ever.

This week’s issue included a disappointing story: even though they practice — in fact, probably helped originate — responsible list management, Yahoo is blocking them as spammers. Why? Because people are signing up for the list, then deciding they don’t want it anymore, and instead of unsubscribing, hitting the “Report as Spam” button. Yahoo has apparently taken those spam reports at face value, and blocked everyone’s copy of the newsletter.

Clearly, some people are unclear on what “spam” means. It’s not just “mail I don’t want.” It’s “mass mail I don’t want and didn’t ask for.”

That, and I’m sure some people don’t realize that their reports are being used to train everyone’s filters. I remember a co-worker explaining a few years ago that he’d trained Gmail to send the SourceForge newsletters (or something similar) straight into his spam folder. I commented that they might be using that data to train their sitewide filters, and he said something like, “I hope not.”

Using user feedback to train sitewide or network-wide (such as Cloudmark, or Akismet) filters is a powerful technique. Some people will catch the leading edge of a spam attack, and that data can be used to protect others as the attack continues. Some will check their mail sooner, and that data can be used to re-filter messages that have been received, but not yet viewed.

Unfortunately, it also can give a lot of power to people who are either unclear on the criteria being used or have an axe to grind, unless you include measures to (a) contain the impact or (b) keep track of each reporter’s reliability. I know Cloudmark factors in the reporter’s reputation, for instance. And I suspect that AOL does, at least in some cases, limit measures such as blocking to specific recipients, but I can’t be certain.
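Both safeguards named above can be sketched in a few dozen lines. The following is an added example, not code from this blog, Cloudmark, AOL or Yahoo: a sender is blocked network-wide only once enough distinct reporters agree and their reliability-weighted votes cross a threshold, otherwise the block is confined to the reporters’ own mailboxes (measure a), and each reporter’s reliability moves up or down when ground truth about the sender arrives (measure b). The thresholds, the adjustment rates, the reporter names and the two sender addresses are all constructed for the scenario.

```python
from collections import defaultdict


class ReputationFilter:
    """User-report-driven blocking with contained impact and reporter reputation."""

    def __init__(self, block_threshold=3.0, min_reporters=3, initial_reliability=0.5):
        self.block_threshold = block_threshold      # weighted votes needed for network block
        self.min_reporters = min_reporters          # distinct reporters needed as well
        self.reliability = defaultdict(lambda: initial_reliability)  # reporter -> [0, 1]
        self.reporters_of = defaultdict(set)        # sender -> reporters who flagged it

    def report(self, reporter, sender):
        self.reporters_of[sender].add(reporter)

    def weighted_score(self, sender):
        return sum(self.reliability[r] for r in self.reporters_of[sender])

    def scope(self, sender):
        """'deliver', 'block_reporters_only' or 'block_network' for this sender."""
        reporters = self.reporters_of[sender]
        if not reporters:
            return "deliver"
        if (len(reporters) >= self.min_reporters
                and self.weighted_score(sender) >= self.block_threshold):
            return "block_network"
        return "block_reporters_only"

    def delivers_to(self, sender, recipient):
        """Measure (a): until consensus, only the people who complained lose the mail."""
        scope = self.scope(sender)
        if scope == "block_network":
            return False
        if scope == "block_reporters_only":
            return recipient not in self.reporters_of[sender]
        return True

    def resolve(self, sender, is_spam):
        """Measure (b): ground truth arrives (sender confirmed spam, or confirmed
        opt-in). Correct reporters move toward 1.0; wrong ones are halved."""
        for r in self.reporters_of[sender]:
            cur = self.reliability[r]
            self.reliability[r] = cur + 0.2 * (1.0 - cur) if is_spam else cur * 0.5


def simulate():
    """Constructed scenario: one genuine spam run, one opt-in newsletter that
    several subscribers flag instead of unsubscribing."""
    f = ReputationFilter()
    spammer, newsletter = "bulk@spam.example", "list@newsletter.example"
    # Four reporters who have already earned reliability 0.8 flag the spam run.
    for r in ("alice", "bob", "carol", "dave"):
        f.reliability[r] = 0.8
        f.report(r, spammer)
    # Five unproven reporters (0.5 each) flag the newsletter they no longer want.
    for r in ("erin", "frank", "grace", "heidi", "ivan"):
        f.report(r, newsletter)
    before = {
        "spam_scope": f.scope(spammer),                       # 3.2 >= 3.0, 4 reporters
        "newsletter_scope": f.scope(newsletter),              # 2.5 < 3.0
        "newsletter_reaches_subscriber": f.delivers_to(newsletter, "judy"),
        "newsletter_reaches_reporter": f.delivers_to(newsletter, "erin"),
    }
    # Ground truth: the newsletter is confirmed opt-in, the other sender confirmed spam.
    f.resolve(newsletter, is_spam=False)
    f.resolve(spammer, is_spam=True)
    return before, f


if __name__ == "__main__":
    before, f = simulate()
    print(before)
    print({r: round(f.reliability[r], 2) for r in ("alice", "erin")})
```

In the scenario the five newsletter reporters together never reach the network threshold, so other subscribers keep getting their copies, and after the list is confirmed opt-in each of those reporters drops to 0.25, so the same five people flagging another legitimate list would count for only 1.25 votes. The spam-run reporters, confirmed right, rise to 0.84.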

Anyway, to summarize:

  • Use the Report Spam button responsibly. If you actually subscribed to it, it isn’t spam unless they refuse to remove you from the list.
  • Check out This Is True. You may laugh, you may groan, you may think, or you may get pissed off at the world — or all of the above. It’s certainly worth a look.

(I really should have finished writing this yesterday, before someone submitted the original story to Slashdot. Posting about it to get the word out seems kind of redundant now. Heck, now that I think about it, I should have submitted the original to Slashdot. Oh, well.)