There’s something delicious about irony in spam. Yesterday, the spamtraps netted an advance fee fraud scam message that started out like this:

Let me be honest with you. This information is just for you alone [emphasis added]. I would suggest that you try to fix it instead of making any trouble with it as my job might be put on the line here.

Your name has been on an awaiting list of payment roaster submitted by the Nigerian Government For your lottery/inheritance reasons of no banking particulars on which transfer should be made to until two days ago when the paying Bank personnel brought in another payment roaster for the replacement of the former that had your name on it.

The funny part? (Well, aside from the “payment roaster.”) There were about 300 recipients in the To: line.

Gee, I don’t think all 300 people have the same account info…

Most spam doesn’t run into this problem, since it’s generated by special programs that don’t even bother filling in complete headers. But from what I understand, a lot of 419 scams are still sent by people sitting in internet cafes, copying and pasting bits from templates. So it’s easy to imagine someone pasting their list into the wrong field. Kind of like the classic “Reply All” fiascos.

I just spotted an advance fee fraud pitch in the spamtraps that started out with the greeting: Dear Trusting Friend.

I suppose the scammer could have meant “trusted friend,” which is still odd for an introduction, but makes a little more sense. Of course, if you take “trusting” to the extreme—i.e. gullible—you’ve just described the type of mark they’re looking for.

As a bonus: only two* of the ~270 Google hits for the phrase are not references to 419-style letters using the same opening. People just don’t write things like that normally, which makes it a pretty good indicator.

*I didn’t look at all 270, but there were only 30 hits by the time Google filtered out duplicates. And most of those were clearly recognizable just from the excerpt on the search results pages. For the record, both non-scam hits used it as a description, not a greeting.

I recently noticed that the mail server was experiencing four times the typical number of SMTP connections. It didn’t seem to be under any stress, though, not as far as server load went. So I tailed the log file, and saw a bunch of messages coming in to nonexistent users with the pattern FirstnameLastname@alternativebrowseralliance.com.

My first thought was that someone was running a dictionary attack against the domain, trying many different addresses to see which might be valid. Then I noticed that they seemed to be coming from <>, the empty envelope sender that bounce notices are sent with — in other words, they were bounce notices.

Great. A Joe Job.

I enabled a catch-all temporarily. That did cause the server to slow down, as it was now actually processing the quadruple load instead of kicking back 3/4 of it with a “User unknown” error. (I hadn’t thought to disable spam scanning on the domain first.) In the 30 seconds before I turned it off again, it picked up 25 non-delivery notices. And those are just the ones that got past the spam filter.

As it turned out, they were just random junk. Some spammer had picked the domain and was using it to forge random sender addresses, and we were getting the bounces. In the old days they made up the whole address, but it’s easy to check whether a domain exists. So now they pick some real domain and make up a fake local part. That’s harder to detect unless the domain in question publishes something a receiver can check, such as an SPF record or DKIM signing.

So it wasn’t a Joe Job: no one was trying to besmirch the site’s reputation. It still meant extra traffic to the mail server, though.

This problem is called backscatter, and it exists for two reasons:

  1. The sender address on an email message is easy to forge, like writing a fake address on an envelope.
  2. Many mail systems will accept a message first, then process it. If they then decide to reject it, the SMTP session with the actual sending host is long over; all they can do is send a bounce to the envelope sender address in the message, and in the case of spam that address is usually forged (see #1).

I don’t send any mail using the domain. The only reason it even has mail pointed anywhere is so that I can receive mail sent to the webmaster for the Alternative Browser Alliance. I suppose I could publish an SPF record of v=spf1 -all (no servers are authorized to send mail for the domain) and hope that receivers which check it reject the forged messages during the SMTP transaction instead of accepting them and bouncing them back to me. But I’m not sure how much it would actually accomplish.

Anyway, the two lessons to take away from this are:

  • Reject messages to nonexistent recipients during the initial SMTP transaction, with a permanent 5xx reply to RCPT TO. It’ll protect your server from backscatter (and dictionary attacks), because you won’t have to queue, scan and process all the extra junk.
  • Don’t generate bounce messages after the fact based on something as easily forged as the claimed sender address. Otherwise, you’ll be contributing to backscatter yourself.
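The two lessons above, plus the triage that separates backscatter from a dictionary attack, as an added example (not the post’s own code or logs). It parses constructed log lines in a simplified, Postfix-like format, judges a burst of messages to unknown users by the share of null envelope senders among them, and answers RCPT TO with a 5xx for unknown users so nothing gets queued. The log format, the thresholds and the VALID_USERS set are assumptions made for the example; the domain is the one from the post, used as a placeholder.

```python
"""Triage SMTP traffic aimed at a domain: backscatter or dictionary attack?

Added example, not the original post's code or logs. Log lines are
constructed in a simplified, Postfix-like format (from=<>, to=<>, status=)
chosen for this example; the domain is the post's, used as a placeholder.
"""
from __future__ import annotations

import re
from typing import NamedTuple

DOMAIN = "alternativebrowseralliance.com"
VALID_USERS = {"webmaster"}  # the only mailbox the post says exists (assumed)

# Constructed sample: a burst of bounce notices. from=<> is the null
# envelope sender that delivery status notifications are sent with.
BACKSCATTER_LOG = """\
Mar 12 10:01:01 mx smtpd[4242]: from=<> to=<JohnSmith@alternativebrowseralliance.com> status=unknown_user
Mar 12 10:01:02 mx smtpd[4242]: from=<> to=<MaryJones@alternativebrowseralliance.com> status=unknown_user
Mar 12 10:01:02 mx smtpd[4243]: from=<alice@example.org> to=<webmaster@alternativebrowseralliance.com> status=accepted
Mar 12 10:01:03 mx smtpd[4242]: from=<> to=<PeterBrown@alternativebrowseralliance.com> status=unknown_user
Mar 12 10:01:04 mx smtpd[4244]: from=<postmaster@example.net> to=<AnnLee@alternativebrowseralliance.com> status=unknown_user
Mar 12 10:01:05 mx smtpd[4242]: from=<> to=<TomWhite@alternativebrowseralliance.com> status=unknown_user
Mar 12 10:01:06 mx smtpd[4245]: from=<> to=<SueGreen@alternativebrowseralliance.com> status=unknown_user
"""

# Constructed sample: a dictionary attack walks through likely local parts,
# but each probe carries an ordinary (forged) sender address, not <>.
DICTIONARY_LOG = """\
Mar 12 11:00:01 mx smtpd[5100]: from=<promo@example.net> to=<aaron@alternativebrowseralliance.com> status=unknown_user
Mar 12 11:00:01 mx smtpd[5100]: from=<promo@example.net> to=<abby@alternativebrowseralliance.com> status=unknown_user
Mar 12 11:00:02 mx smtpd[5100]: from=<promo@example.net> to=<adam@alternativebrowseralliance.com> status=unknown_user
Mar 12 11:00:02 mx smtpd[5100]: from=<promo@example.net> to=<admin@alternativebrowseralliance.com> status=unknown_user
Mar 12 11:00:03 mx smtpd[5100]: from=<promo@example.net> to=<alan@alternativebrowseralliance.com> status=unknown_user
Mar 12 11:00:03 mx smtpd[5100]: from=<promo@example.net> to=<alex@alternativebrowseralliance.com> status=unknown_user
"""

LINE_RE = re.compile(
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)> status=(?P<status>\w+)"
)


class Delivery(NamedTuple):
    sender: str  # envelope sender; "" is the null sender <>
    rcpt: str
    status: str


def parse_log(text: str) -> list[Delivery]:
    """Pull envelope sender, recipient and status out of each matching line."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            found.append(Delivery(m["sender"].lower(), m["rcpt"].lower(), m["status"]))
    return found


def triage(deliveries, domain: str, min_unknown: int = 5, null_share: float = 0.8):
    """Classify traffic to `domain` as backscatter, dictionary attack or normal.

    Both problems show up as many messages to nonexistent users. The tell is
    the envelope sender: bounce notices use the null sender (or a postmaster
    address), while dictionary probes carry ordinary forged senders. The
    thresholds are arbitrary tuning knobs chosen for this example.
    """
    unknown = [
        d for d in deliveries
        if d.rcpt.endswith("@" + domain) and d.status == "unknown_user"
    ]
    null = sum(1 for d in unknown if d.sender == "")
    stats = {"unknown_rcpt": len(unknown), "null_sender": null}
    if len(unknown) < min_unknown:
        return "normal", stats
    if null / len(unknown) >= null_share:
        return "backscatter", stats
    return "dictionary_attack", stats


def rcpt_reply(rcpt: str, domain: str = DOMAIN, valid_users=VALID_USERS) -> str:
    """Lesson 1: decide at RCPT TO time, before any message data is accepted.

    A permanent 5xx reply here means nothing is queued, nothing is spam-scanned,
    and no after-the-fact bounce can ever be generated for the message.
    """
    local, _, dom = rcpt.lower().rpartition("@")
    if dom != domain:
        return "554 5.7.1 Relay access denied"
    if local not in valid_users:
        return "550 5.1.1 User unknown"
    return "250 2.1.5 OK"


if __name__ == "__main__":
    for name, log in (("bounce burst", BACKSCATTER_LOG), ("probe burst", DICTIONARY_LOG)):
        print(name, triage(parse_log(log), DOMAIN))
    print(rcpt_reply("JohnSmith@alternativebrowseralliance.com"))
```

Rejecting at RCPT TO is the cheap half of the fix: the catch-all experiment in the post shows what happens when the server accepts first and scans later. The triage heuristic is only a first cut; a real deployment would also look at bounces sent from postmaster or mailer-daemon addresses rather than <>, which the null-sender count alone misses.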

Bad Behavior and Spam Karma do a good job of fighting most of the spam that hits this site, but over the last few weeks I’ve seen a (relatively) new kind that seems to require manual intervention: pingback spam.

It took a long time for spammers to really start abusing pingbacks, because of two things: First, pingbacks require the remote site to link to your site before they can get you to link to theirs. Second, it was just so much easier to abuse trackbacks and ordinary comments. I guess those have gotten locked down enough that it’s worth the effort to target pingbacks now.

Judging by a quartet of comments posted this evening, 3 of which slipped past Spam Karma, someone’s started outsourcing comment spam to India. (I’m serious, the IP addresses were assigned to Bharti Airtel and BSNL Internet, both ISPs based in New Delhi.)

They were posted quickly, as if they’d been composed in another editor and pasted into the form. More importantly, they were actually posted through the form, not just sending data directly to the handler. And most tellingly, the posters had gone to the effort to fill out the CAPTCHA that Spam Karma provides to allow human commenters to recover from a false positive.

The one I liked best, from a technical perspective, was posted on Tall Ships of San Diego. The spammer had followed my link to the San Diego Maritime Museum, then followed that to a page describing one of the ships, the Californian, and generated a post by stringing together sentences from that page. The whole thing linked to a student loan site.

At first glance, it looked like a garbled, on-topic comment from someone who maybe didn’t speak English as their first language. That happens, and if it’s a legit comment, I leave it. In fact, I considered leaving the comment but deleting the author URL, until I looked up the ship. (It wasn’t one of the ships we toured on our visit, and I didn’t recognize the name.) As I looked at the ship’s profile, I started recognizing text from the comment. At that point it became clear what was going on, and I started looking at the other comments posted over the last few hours.