Banner: Comic-Con International

If you’re trying to get a message out, or provide a service, analytics are great. They tell you what’s working and what’s not, so you can focus on what does work. Unfortunately, when it comes to email, a lot of organizations use a third-party click-tracking service, which registers which mailing the user clicked on, then redirects them to the real website.

Why do I say unfortunately?

Because it’s what phishing does: Sets up a link that looks like it goes one place, but sends you somewhere else instead. In the case of a legitimate email with a click tracker, you end up at the real site eventually. In the case of a phishing message, you end up at a fake login page that wants to capture your username & password, or a site with drive-by malware downloads. Using this technique in legit mail trains people to ignore warning signs, making them more vulnerable to the bad guys. And it makes it harder for security software to detect phishing automatically.

Now add another reason: You don’t control that click-tracking service, so it had better be reliable.

That’s what happened with Comic-Con registration today.

Getting tickets to San Diego Comic-Con used to be a breeze, but last year the system broke down repeatedly. It took them three tries, with multiple handlers, to open a registration system that didn’t melt in the first few minutes.

A few days ago, Comic-Con International sent out a message with the date and time registration would open, and a link to where the page would be when it went live. They went to a lot of trouble to make sure their servers could handle the load, as did the company handling registration. They built a "waiting room" to make sure that people trying to buy tickets would get feedback, and get into a queue, when they arrived, but could still be filtered into the registration system slowly enough not to overwhelm it.

The weak link: The click tracker.

Continue reading

It seems obvious that different email addresses get different types of spam. I recently noticed that even addresses with nearly identical exposure sometimes end up with wildly different collections.

A number of our spamtrap addresses are "seeded" by hiding them on websites. Put it somewhere that no human visitor will notice, ’cause the harvesting bots will see it anyway. There’s a whole set scattered across this domain, for instance, and even the spamtraps hidden in different areas of this site attract different types of spammers.

My Flash site is the most high-trafficked section on here. Spamtraps there seem to pick up mostly ads for dubious pharmaceuticals, and occasionally mortgage offers. It’s also the most heavily linked-to section, so this is probably the target of spiders that jump from site to site.

The remnants of my Les Misérables site wouldn’t seem to be terribly popular with spammers, but it turns out spamtraps on those pages pick up quite a bit…mostly in Chinese. Back when the site was active, it got linked to by a lyrics site in Taiwan. When it went more-or-less offline, the link stayed.

Spamtraps rotated through the top page of the site seem to collect mostly porn. I’m guessing there’s a class of bots that just look for valid domain names and hit the home page… and they’re mostly used by porn spammers.

The last area of the site that gets lots of spam is this blog. And it seems to collect all of the above.