It’s well-known that some spammers will find a way to track which email address has responded to/complained about their “messages.” Sometimes they’ll assign an ID code to each address, and sometimes they’ll just disguise it using something like ROT13. This code is then placed in the unsubscribe and purchase links, or embedded image references. (Legitimate mailing lists often use a similar technique: each message has a unique return address so that bounces can still be identified even if the message has been forwarded to another account.)

I just spotted a mortgage spammer using wildcard DNS and undisguised addresses. Suppose that the target address is ramblings@example.com, or rather ramblo@hyperborea.org, for you bots reading this. The purchase link would be http://Ramblings.h1gher.net/formupdate.asp, and the “unsubscribe” (yeah, right) link would be http://Ramblings.h1gher.net/deletion.asp.

They hit four of our spamtraps last night, two of which used unobfuscated links like this.
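
A check a spamtrap operator could run for the tagging described above, as an added example rather than code from the original post: it scans a message body for links that carry the recipient's address or local part, plain or ROT13, in a hostname label or in the path/query. The function names and the `mailer.example` links in the sample are constructed for illustration.

```python
import codecs
import re
from urllib.parse import urlsplit, unquote

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample body: the two link shapes quoted in the post, plus a
# made-up ROT13 image beacon and an untagged link for contrast.
SAMPLE_BODY = """\
Lower your rate today: http://Ramblings.h1gher.net/formupdate.asp
Unsubscribe: http://Ramblings.h1gher.net/deletion.asp
<img src="http://img.mailer.example/o.gif?u=enzoyvatf">
Terms: http://www.mailer.example/terms.html
"""

def recipient_tokens(address):
    """Map each form of the address a link might carry to a description."""
    addr = address.lower()
    local = addr.split("@", 1)[0]
    tokens = {}
    for label, value in (("address", addr), ("local-part", local)):
        tokens[value] = f"plain {label}"
        tokens[codecs.encode(value, "rot13")] = f"rot13 {label}"
    return tokens

def find_tagged_links(recipient, body):
    """Return (url, where, encoding) for each link that embeds the recipient."""
    tokens = recipient_tokens(recipient)
    hits = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        # Wildcard DNS case: the tag is a whole label of the hostname.
        host_labels = (parts.hostname or "").lower().split(".")
        # ID-in-link case: look in the decoded path and query string.
        rest = unquote(parts.path + "?" + parts.query).lower()
        for token, encoding in tokens.items():
            bounded = r"(?<![a-z0-9])" + re.escape(token) + r"(?![a-z0-9])"
            if token in host_labels:
                hits.append((url, "hostname", encoding))
                break  # one finding per link; full-address tokens are tried first
            if re.search(bounded, rest):
                hits.append((url, "path/query", encoding))
                break
    return hits

if __name__ == "__main__":
    for hit in find_tagged_links("ramblings@example.com", SAMPLE_BODY):
        print(hit)
```

Opaque per-address ID codes, the other technique mentioned above, cannot be recognized from a single message this way; they only show up when the same campaign's links are compared across several trap addresses.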

In the past few weeks I’ve started getting emails asking to exchange links with various websites. They don’t seem to be using templates, since each email has been different, but what they do have in common is that they have nothing to do with anything on my own site. They’ve clearly just let some program look for keywords, built a list of sites, and put webmaster@ in front of them. That’s why I consider these spam. If someone were to use the same software to identify relevant sites, then check them out before sending a “please link to me!” message, that would just be communication between webmasters.

The one case where the site looked even remotely related was someone’s collection of links to super-heroines. Well, super-heroines, female wrestlers, adult fanfic and heroine fetish pictures, but at least it was relevant, even if I couldn’t in good conscience link back to it from my comic book site. The one I got yesterday was more typical: a real estate site that wants me to link to them because the word generations appears in both their URL and the title of one page on my Flash site.

Come on, how hard would it be to actually look at the sites you’re soliciting? Do a little research, will ya?

I had set this spam sample aside without really looking at it back at the end of March. As I checked the folder this morning, the scammer’s supposed name jumped out at me.

VADER DARTH
CO-OPERATIVE BANK PLC
UNIVERSITY BRANCH, GROVE HOUSE
OXFORD ROAD MANCHESTER UK

I AM WRITING TO LET YOU KNOW HOW I FEEL AND ALSO EXPLAIN THINGS TO YOU THROUGH THIS LETTER AND WILL APPRECIATE IF YOU COULD ADVICE ME ON THIS ISSUE. MY NAME IS VADER DARTH. I WAS BORN IN TENNESSE AND RAISED IN EUROPE AND I NOW WORK WITH THE CO-OPERATIVE BANK IN THE MANCHESTER CITY, UNITED KINGDOM. I HAVE A VERY GOOD FRIEND WHOM I MET IN MY UNIVERSITY YEARS BY NAME FAURE EYADEMA, THE SON OF THE LATE PRESIDENT OF TOGO…

It continues on with the standard Nigerian scam pitch (relocated to Togo) about the relative of the deposed/late leader who needs to transfer a large amount of money through some random person’s account.

Yes, people fall for these scams… but come on, who do they think they’re fooling with an alias like “Vader Darth?”

Perhaps it’s a long-overdue response to the now-infamous 419 Eater successfully baiting a scammer as “D’arth Vader” of Dark Side Industries. More likely someone else didn’t recognize the name when they chose to use it.

I suppose it fits in with the 419 scammer from Tatooine who posted to The Darth Side last month.

Two disparate types of spam, united in that the supposed sender just does not make sense.

First there was a Nigerian scam purporting to be from David Hume.

Then there was the blog comment spam (alas, deleted en masse just as I read the name) apparently left by “Jessica Albas Breasts.” I mentioned this to Katie, who responded, “How do they type?” An excellent question, and one which I imagine can be answered with sufficient exploration of the internet.

In the old days, we used to accept email sent to any local account. This meant that various system accounts would collect outside mail instead of bouncing it. No one was reading, say, rpm@example.com, or apache@example.com, but the mailboxes were there.

Enter the dictionary attacks. An awful lot of those standard accounts are three-letter names—rpm, gdm, bin, adm, etc. Spammers trying to guess addresses made up of three initials landed on these addresses, confirmed them, and added them to their lists. The system accounts began collecting spam.

Eventually we locked things down so that only “real” accounts would accept mail from outside. But here was this steady stream of 100% spam we could use to help train our filters.

The funny thing: these days, nearly all of it is for sex-related drugs or body part enlargements. Sent to software!

(Incidentally, if you can read this sentence, don’t send mail to ramblo@hyperborea.org.)