Dispatches Archive


December 31, 2004

Timely Phishing

I don't have the stats to back this up, but it seems as though phishing scams frequently arrive on Friday evenings, especially when the destination of the bogus link is to a hijacked server somewhere. My guess as to this timing is that it will take longer for the company being used as bait to reach the administrator of the hijacked server—allowing the privacy-ripping page to trap victims for a few days.

Three identical PayPal phishes arrived within the past few hours. The operative link in each is to an IP address of what appears to be an unprotected (and otherwise unused) server located in China. Even if recipients report this to PayPal, how long will it take from a Friday New Year's Eve for PayPal to reach the ISP in the Liaoning province of China and get them to shut down this scammer? Will the ISP even care or understand the nature of the problem?

In the meantime, untold numbers of PayPal customers will be frightened by the notice that "Your account access will remain limited until this issue has been resolved" and will click a link that, on the surface, looks legit. Underneath, however, the link takes them on a voyage to China, where they will unwittingly yield their user IDs, passwords, and who knows what other private information to an identity theft gang that could be anywhere on the planet. For the victims, the start of 2005 will be a Crappy New Year.

Posted on December 31, 2004 at 05:52 PM

A Partially Honest Scammer

Another one of the European lottery scammeroos arrived today. From other sightings, it first went around a couple of weeks ago. Same "winning numbers" and all that rot (haven't these crooks heard of randomizers?).

All of these scams are variations of the advance fee scam, whereby you have to come up with money to take care of "fees" and "processing" to get some big pay day. What struck me about this particular lottery notice was that one of the "steps to claiming your prize" said this:

1.Winners must pay 480 pounds only as fee before claiming their prize for the processing and handling of award.

I gotta hand it to them for being at least somewhat honest about that part—although I doubt the fees stop at 480 pounds if you're gullible enough to start down this one-way road to financial ruin.

This message, by the way, had plenty of inadvertent humor inside it, seemingly from someone not knowing or using the English language very well. And this from a supposedly London-based office (as it turns out, a non-existent building sharing the same name as one in Singapore...hmmm). Here are some of my personal favorites:

  • "We are please to announce you as one of the 10 lucky winners"
  • "Consequently, you have therefore been approved"
  • "Please contact the under listed claims officer"
  • "Winners are advice to keep this award confidential until prize are claimed to avert incidence of impersonation by unscrupulous elements."
  • "The FreeLotto Awards is proudly sponsored by the Microsoft Corporation, the Intel Group, Toshiba, Dell Computers, Mackintosh and a conglomeration of other international IT companies." (So much for the millions that Apple Computer, Inc. spends on its corporate branding.)

The scammer also didn't realize (or didn't care) that by sending the message through a web-based mail account at an Italian ISP, the message would get a nice little footer:

Mail sent from WebMail service at PolettiX

So, an outfit that claims to give away (get this) 200 million euros annually uses a web mail portal to send out its "winner" notifications. That would be like Publisher's Clearing House using a Hotmail account to notify winners instead of its Prize Patrol and camera crew.

The sad part, however, is that this scammy message will probably trick more than a few recipients into forking over money they can't afford to receive absolutely nothing in return. The scammers must have been sufficiently encouraged by earlier responses to try again with new contact addresses.

Posted on December 31, 2004 at 11:28 AM

How To Ruin a Reputation in One Easy Spam

My "Suspects" directory got a message whose Subject: line read "Happy New Year." The From: listing showed a domain name that I did not recognize. Here is the text of the message (real names/URLs disguised to prevent you from visiting their site):

Customers,

Your friends at www.foo_bar.com want to wish you a Happy New Year, the best of wishes and success in the 2005 season. We're hoping to serve all of your cycling needs in the upcoming year.

The Foo_bar Team

I researched the domain name, and found it to have been created way back in 1999, so this is not some Johnny-come-lately business. The domain registration lists its home base as Florida. Unfortunately for Floridians, the name of their state causes the blood pressure of veteran spam fighters to ratchet up a few mmHgs. It seems that a lot of spamming operations are based there. Most of that activity, however, tends to be in the southeast portion of the state (Boca Raton has the spammiest reputation). The domain registration of my suspect spammer showed him to be on the west coast of Florida, up in the St. Petersburg area. In truth, the geography is not an issue with me—egregious American spammers are distributed all across this Great Land of Ours.

Based on the message, I guess I'm supposed to believe that I am a customer of this outfit. I can tell you that I enjoy cycling, but haven't done so on a bicycle that goes anywhere in probably decades. There just isn't enough wind resistance or danger on my recumbent stationary cycle that I'd need a helmet or spandex suit. Nor have I bought cycling gifts for my cycling friends. In other words: In no way on Earth could I be considered a customer of this outfit.

But that doesn't stop it from lying about it in the hope that I'll click on their link to visit their online store.

What this message does stop is me from ever visiting this online shop. If they have a retail store, I wouldn't go in there either. Merchants who try to play these kinds of tricks don't deserve to be rewarded for their trickery. This message isn't a friendly holiday greeting to customers; it's an outright spam message trolling for Web site traffic (and not CAN-SPAM compliant, at that).

Then a second, identical message was sent within less than 24 hours. Sheesh!

To this firm I say: You may have been in business for a number of years, but in my book, you have crossed the line into blatant spamdom. No click-throughs for you.

Posted on December 31, 2004 at 09:53 AM

December 30, 2004

Award

[Image: DTG Best 2004]

I'm thrilled to announce that Spam Wars was named among the select group of Best Books for 2004 by Design, Type & Graphics Magazine. To share a category with my esteemed colleague, Dan Gillmor, is an honor, indeed.

Click on the image to see all the winners.

Posted on December 30, 2004 at 11:29 AM

December 28, 2004

Spam Wars On the Air

I've posted a schedule of upcoming radio interviews slated for January and February 2005. Some have Internet audio feeds in case you're not in Tucson when my melodious tones are broadcast through the ether.

Posted on December 28, 2004 at 11:26 AM

December 27, 2004

The Ugly Somewhereian

As an Anglovideophile (someone who enjoys British television programming), I'm usually amused at portrayals of American characters in my favorite shows. Such characters are usually loud, brash, back-slapping, and very me-oriented. At times I cringe at what seem to be unflattering caricatures—until I realize that I know people just like the boors on screen. It's not uncommon, then, for American spammers to assume that the rest of the world does things the way we do them in America.

But I just saw a turnabout on this theme with the following spam message subject:

Via/Cia/Vico unbeatable boxing day price!

The bit at the beginning is shorthand for three popular prescription drugs (two hardeners and a softener). But look at that reference to Boxing Day! How cool is that!

I'd wager that 80% or more of Americans haven't a clue what Boxing Day is (despite it being a public holiday right next door in Canada). The percentage may be higher among those who buy drugs (real or otherwise) without a prescription.

That led me to wonder about the author of this spam message. The Web site at the end of the spamvertised link is hosted in China, but that's fairly common among illegal medz spammers from around the world. The message entered the Internet through a Trojaned machine connected to an American (Michigan) DSL network. Again, another dead-end trail.

The domain name, minted only a couple of weeks ago, shows a registration to someone who gave an address in Norway. Domain name registrations are so easy to forge today that I don't put immediate faith in any registration record I see.

Grammar and spelling of the message indicate a good grasp of the English language. Shipping is purportedly by United Parcel Service, a favorite in the U.S., but a worldwide organization nevertheless.

The Boxing Day reference is a real puzzle. Would it make good marketing sense for an American spammer to use that term in the Subject: line if a large percentage of the intended audience wouldn't know what it is? Or is it a case of a spammer from outside the U.S. practicing reverse Ugly Americanism, unaware that not everyone in the world knows a term taken for granted in one's own culture?

The cynic in me says it's an American spammer who is trying to throw off possible pursuit by authorities, making it sound as though the operation is outside the U.S. A prosecutor would place an order and trace both the shipping and credit card processing data to find out for sure. If only!

Posted on December 27, 2004 at 01:30 PM

Language Torture (Online Dating Style)

I was scanning through some spam source code and encountered a rather strange lure to an online dating site. This is the line (referring to the service's customers) that got my attention (spelling and spacing left intact):

Many of them are just looking fornew friends, an occassional lover and a night stand.

Now, I know that somewhere along the line most of us have been in a relationship in which we either treated, or were treated by, someone as little more than furniture. Here, apparently, is a Web site that guarantees it. Perhaps by New Year's Eve you can aspire to a dining room table. Or an "occassional" chair.

Posted on December 27, 2004 at 12:17 PM

December 23, 2004

PSA (Not That Kind) Test

It's not uncommon for a message captured in my server's "Suspects" bin to trouble me for one reason or another, but a recent one gave me a real reason to pause. Its subject was:

PSA: AMBER Alert! --- URGENT! --- AMBER Alert!

The message's return address was a dot-org domain, which could easily be confused to mean an organization (like a non-profit or the like), not necessarily a commercial source. At least they weren't using hijacked computers to send this stuff.

For those of you who aren't in the advertising or broadcasting bizzes, a PSA (not to be confused with the prostate cancer screening test by the same initials) is a Public Service Announcement. Those are the radio and television spots that talk about some public issue, like good health practices, stay in school, read to your kids, just say "no," and so on. Although stations no longer have to run these spots, most do, giving away the air time to a variety of causes (and sometimes surrounding those spots with "brought to you by" advertising).

This email message was posing as an unsolicited public service announcement—the first I had ever recalled seeing. The bulk of the message accurately described the details of an AMBER (America's Missing: Broadcast Emergency Response) Alert that had been receiving a lot of broadcast air time in the San Francisco area, and probably up and down the west coast. A 13-year-old boy had apparently been kidnapped by his father (in violation of a restraining order), and authorities were very concerned for the safety of the child.

At the bottom of the message was an advertisement for auto safety products you've probably seen advertised here and there. Things like the hammer that you can use to break out a window should you be trapped inside your car. That sort of stuff. The domain for the links was the same name as the dot-org sender, but to a dot-info top-level domain. My suspicio-meter jumped a few notches.

Naturally my first inclination was to get on my high horse and instantly label this as "spam" by my definition. My definition has nothing to do with the content of the message, but, rather, whether I had given prior consent to the sender.

But then for a moment I stopped to wonder: what if someone received and read this undesired, unsolicited message, and then happened to spot the car identified in the report, conceivably saving a child from danger? Would that not have been spam for a good cause? If that had been my child, would I not have welcomed every possible avenue of alerting the public?

I don't recall ever having been so conflicted about a piece of spam. But I keep coming back to another initial reaction of mine: a businessperson was unfairly exploiting a serious, potentially life-and-death situation to get into the inboxes and minds of recipients who would otherwise rather not hear from him. It could lead to more spammers doing the same thing, damaging the image of the entire AMBER Alert system. I also have doubts about unsolicited email being the proper medium for these kinds of announcements, when radio, television, and electronic highway signs are better poised to get information in front of those who could more likely spot a suspect vehicle.

Another statement in the message also raised my ire:

Interference with the publication and/or the delivery of this Public Service Announcement to its addressee may subject the interfering party to civil and/or criminal penalty.

Please, can someone point me to a law that would subject me or an ISP to a penalty by blocking this message? I mean it: contact me with chapter and verse that gives special protection to this message. Or is this another case of a spammer being too strident with a form of disclaimer?

It all comes back to consent. Even if the message were sent by a government agency, I should have to affirmatively opt-in to receive such messages beforehand, not have them shoved into my inbox involuntarily. There are already plenty of ways to get these announcements emailed to me if I want them (e.g., subscriptions to news organization alerts).

Fortunately, the boy was found, unharmed, within 24 hours of his abduction. The suspect car (with the boy asleep in it) was parked in a residential driveway, where a citizen spotted it. As the result of spam? Highly unlikely.

Posted on December 23, 2004 at 05:44 PM

December 22, 2004

Spammed By a Yahoo! Group

I am registered with several Yahoo! Groups for some professional and hobby interests of mine. I have a few of them send me digests of messages, while for the others I check the message boards manually from time to time. It's not a bad service, although the ads can get a bit intrusive.

The other day, a message arrives in my inbox from a yahoogroups.com address, and headers show the originating mail really did come from a Yahoo! Groups (YG) server. But the message was from a group I never signed up with. Moreover, the To: field (and envelope) of the message wasn't directed to the address I use for my real groups, but rather an address at one of my domains that had been harvested from another location on the Internet.

The message was from the moderator, wishing me (well, not by name) happy holidays, while he was about to go skiing in California for vacation. "Thanks for being a valued subscriber of mine," it ended. Above that was a pitch for an "amazing program" that earned him a bunch of cash. According to him, I had visited his Web site "a while back." Since I avoid scammy Web sites like the plague, and certainly wouldn't register with any kind of email address, I have only two words for this guy:

Im. Possible.

Upon visiting the YG home page, I searched for the name of the group (which has "home" and "biz" buried within it). It shows up with over 18,000 members. That is huge in Yahoo! Groupdom. I then click the link to visit the group's area.

Unlike other groups I've visited as a nonmember, this one didn't display any information or links or anything. Just a message that it is restricted to members only. Since I had not "joined" this group through my regular YG ID, I logged out and entered the group again as a non-person. Still no access unless I entered the right YG user ID and password.

But how can I do that if I didn't create the registration in the first place? Supplying YG with an email address is (thankfully) insufficient to get them to reveal the associated user ID and password. Without the user ID (that only the registrant knows), this registration cannot be used, modified, or terminated.

Here's what I think is going on here. This fellow is using YG to do the spamming for him. His "group" is nothing more than an outgoing spew machine to get people to visit his Web site. My spam filtering allows mail from YG, because I really want to get the messages from groups I belong to. Sure, I could unsubscribe from the group (provided I changed my email client to the harvested address -- NOT!), but that would only listwash me from this guy's hit list, while he continues this highly unethical practice to bother thousands of others. Besides, I never, never, never unsubscribe from something to which I didn't subscribe in the first place. Period.

I have filed complaints with Yahoo! Groups and the hosting outfit for his Web site. A few days later, the group is still up and running (but down about 6 "members"). The domain registration for this site is hidden behind one of the anonymizer registration services, but his message left other clues that this fellow may be located in the Las Vegas area.

If anything develops out of this, I'll let you know. I'm not expecting miracles.

And for the record, I've been working from home since March 1981. If the view from my home office window is straight out to where the waves crash for the annual Mavericks surfing competition, then I guess you'd say I'm doing OK. But sorry, my "amazing program" is not for sale.

Posted on December 22, 2004 at 12:43 PM

December 20, 2004

(In)Security

Here's another trick that phishers and scammers try in the hope that the victim operates on auto-pilot rather than being even slightly suspicious. The image below is a snapshot for a PayPal phishing form in the Apple Safari browser.

[Image: Bogus PayPal Form]

Note the reddish highlighted area near the top that says "Secure Log in" with a little padlock icon. I'll wager that lots of folks seeing this would believe that the current page is using the type of secure connection that the real PayPal Web site uses.

Bzzzt! Wrong!

There are two clues against this. First is the URL in the address box at the top of the browser window. The protocol is http:, not the https: that indicates the "secure socket layer" kind of connection. Second, each browser has its own way of indicating when it's connected through a secure connection. Safari has a bold black padlock icon and the name of the domain down in the lower right corner of the browser's border—missing in action in the snapshot. Other browsers usually have some kind of lock icon outside of the browser's display area.

I frequently wonder if secure connection indicators should be more obvious, like turning the browser's entire window border into bright hazmat yellow and black diagonal bars. The current indicators are so subtle that I believe a lot of users don't pay much attention to them one way or another, and could too easily be fooled by the trick in our phisher's form above.

UPDATE: I was reminded that Mozilla/Firefox browsers also turn the background color of the Address box a different color when you access a secure page. I actually use Firefox for my personal secure transactions and did notice this at one time. But even this indicator is too subtle, IMHO. Subtle enough for me to forget about it in the browser I use most often.

UPUPDATE: It also turns out that Internet Explorer 6 on Windows XP with Service Pack 2 can be vulnerable to a spoof that causes the browser to display a secure URL in the Address box as well as the secure icon where it's supposed to be...but the displayed page could belong to somebody else, including a scammer simulating the real page. If that page has a form asking for username and password, the form gets submitted to the Bad Guy. There are ways to lock down IE6 to prevent this kind of spoof (short of using less vulnerable, alternative browsers), but you'd have to be led to a trick site by following a link. Avoiding links in unsolicited email messages and popup windows is a good start. An even better start is to not view unsolicited messages in the first place, and use a browser (like any of the Mozilla derivatives) that has good popup blocking built-in.

Posted on December 20, 2004 at 08:35 PM

December 19, 2004

Treble CAN-SPAMmery

Here's my proposal to the Federal Trade Commission: Triple penalties for claiming CAN-SPAM compliance when you don't even come close.

A very strange (to me, anyway) message arrived into my server's Suspects bin, and it really got my dander up. The subject is:

Microsoft net frame download

The From: line displayed a name "Net Frame" with an email address at the pop.net domain. Here is the full body text (stupidly included template verbiage removed; spamvertised URL and removal address munged):

Microsoft Net Frame downloads, click here <http://www.some_long_domain_name.com>
Critically important downloads for all Windows computer users running non-Windows applications to insure interoperability.
2004 Can Spam Compliant
For removal from the net frame mailing list, please click on the following mail link, type 'remove' in the subject line and send. something_with_remove@popular_ISP.net

The domain name in the spamvertised URL was made up of several words, including things like "alarm," "phone," "security," and the like.

Anytime a spam message comes along promoting some kind of system software update, the last thing you want to do is download anything from that site. In this case, a lot of recipients may be quite perplexed as to what kind of downloads are involved. Perhaps he meant .Net frameworks. I'm not a .Net programmer, so perhaps "net frame" is in the regular lingo. That phrase, however, doesn't show up when searching Microsoft Developer Network.

At this point, the message really reeks to my nose. I wouldn't touch this Web site with a securely firewalled Macintosh, much less a Windows machine. As much as I promote the notion of ZERO RESPONSE to spam, the proclamation of CAN-SPAM compliance in this otherwise non-commercial spam lured me to get to the bottom of it. I logged onto a remote Unix system and used the text-based Lynx browser to see what's at the end of the URL.

The top part of the page has numerous links claiming to lead to a variety of Windows-related downloads. Those links are actually to Microsoft's download pages (the real ones). So this guy is not offering bogus system upgrades. Yet why is he spamming me to tell me about Microsoft system upgrades?

Lower in the page comes his commercial spiel for security gizmos. In other words, this guy is selling security gear via spam, should you fall for his rather cryptic download ploy.

I imagine his CAN-SPAM defense is that his spamvertised URL delivers exactly what the spam message says it would. And because CAN-SPAM allows him to spam me without my consent, it's OK to offer an opt-out link to "the net frame mailing list" to which I never subscribed.

Instead, I see the message (and its From: and Subject: lines) to be purely misleading as to the intent of the sender. Something tells me that he really doesn't care all that much whether recipients upgrade their Windows computers.

But he's in the clear, right? After all, he says the message is "Can Spam Compliant." Well, no. Even if the message were deemed in court to not be misleading, the message fails to provide a postal mailing address for removal. Oops.

Most recipients, however, don't know enough about the CAN-SPAM law to evaluate a message in that light. Spammers like to use false claims of compliance to shove their spew down our throats, under the assumption that if it's The Law, then we have to take it. Well, we don't have to take it. And if they incorrectly use that claim as a weapon, then they should pay a stiff penalty for that betrayal of trust. I mean, it's almost like impersonating an enforcement official.

As I say in Spam Wars, "[T]he more strident the claim, the less likely the sender cares one whit about the law." To me, a false compliance claim is an intentional, mean-spirited deception that deserves commensurate punishment.

Posted on December 19, 2004 at 02:21 PM

The Impatience Factor

The flood of phishing messages continues. A PayPal one arrived late one night that I naturally checked into to see if perhaps the link led to an insecure server somewhere that had been hijacked. Because the actual link (as revealed in the message body's source code) led to a numeric IP address (one that looks like 192.168.1.100), I thought I'd check it out.

These types of URLs are often followed by a slash and some subdirectory where all the phishing forms and programs are hosted. The home page of the URL may be a legitimate Web site, and the site's owners are none the wiser. In this case, however, the home page was just some meaningless non-phishing form that didn't lead to anywhere, and didn't identify itself as belonging to any particular entity. I'm not sure what, if anything, it may have been.

Looking up the IP address (I like the whois facility of openrbl.org), I found that it belonged to a small block managed by a Los Angeles-area ISP. I visited the ISP's Web site, where I learned it was a subsidiary of a larger ISP (who isn't these days?). There was a support phone number so I could call somebody there to alert them that one of their addresses was being used as a phishing hole. Since the message had just arrived, perhaps not too many recipients will have been suckered into giving up their user IDs and passwords.

Calling the tech support line at an ISP can be a frustrating experience. The larger the ISP, the worse it is for those callers who phone only when there is a serious problem. The first line of support folks tend to be trained to handle such weighty matters as those that can be solved with "Make sure your modem is plugged in" and such. But I'm a patient guy and know how the game is played (hoping that eventually I could get bumped up to the next level of support tech).

So, I call the ISP, and only have to wait on hold for a few minutes (it was nearly midnight). I explained that I wasn't a customer but had received the phishing message that led to an address in one of their IP address blocks. Maybe the tech was taken aback that I wasn't calling to complain about something or that I wasn't all hyper about my spamware-infested PC. I had to tell him again why I was calling. I gave him the IP address and URL to the phishing form (which was a little complicated over the phone because the HTML file name had spaces in it, which translate to "%20" characters).

He checked the URL and came back to tell me it looks like a phishing page. Oh, really! Well, at least he got the message.

Then he said he couldn't do anything about it, and would leave a message for the system administrator to look into in the morning. Aaargh! How many victims would be suckered into giving up their identities in the intervening hours? I felt completely helpless. Before I closed down for the night, I checked again, and the page was still up.

I don't know how much longer it ran, but when I checked again at about 6:30 am the next morning, the IP address came back to a "no longer available" page, and the phishing form's URL was inaccessible. Still, it would have been much better if the ISP had some policy and process in place that allowed such reports to be acted upon in minutes rather than hours.

Most phishers must know that they'll be closed down eventually, sometimes sooner than later, so I assume they are most interested in the first few hours following the spamming effort. That's the critical time when reports of such activity—especially at an ISP—should be quickly investigated and handled.

Phishing is one of those activities that undermines the credibility of the Internet. As long as amateurs set up phishing sites that are easy to trace, we should oblige, and shut them down immediately.
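The clues described in these entries (a link whose visible text shows one site while the underlying href points elsewhere, a numeric IP address as the destination, and http: where https: would be expected) can be checked mechanically before anyone clicks. The following is an added example, not code from this site or from Spam Wars; the function name `audit_links`, the flag names, and the sample message (which uses the reserved documentation address 192.0.2.45) are all constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A host name shown to the reader inside the link text, e.g. "www.example.com".
_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _same_site(a, b):
    # Simple heuristic: equal, or one is a subdomain of the other.
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def audit_links(html_body):
    """Return one finding per http(s) link in an HTML message body."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for href, text in collector.links:
        try:
            parts = urlsplit(href)
            host = (parts.hostname or "").lower()
        except ValueError:  # malformed URL, e.g. an unbalanced bracket
            findings.append({"href": href, "host": "", "text": text,
                             "flags": ["malformed-url"]})
            continue
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, anchors and the like are out of scope here
        flags = []
        if _is_ip_literal(host):
            flags.append("ip-literal-host")      # destination is a bare IP address
        if parts.scheme == "http":
            flags.append("not-https")            # no secure connection at all
        shown = _HOST_IN_TEXT.search(text)
        if shown and not _same_site(shown.group(1).lower(), host):
            flags.append("text-host-mismatch")   # text names a different site
        findings.append({"href": href, "host": host, "text": text, "flags": flags})
    return findings


# Constructed sample message body, not a captured phish.
SAMPLE_BODY = """\
<html><body>
<p>Your account access will remain limited until this issue has been resolved.</p>
<p><a href="http://192.0.2.45/verify/secure%20login.html">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a></p>
<p>Read <a href="https://www.example.com/news">our newsletter</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_BODY):
        print(finding["host"], finding["flags"] or "no flags")
```

A link that trips all three flags at once, as the first one in the sample does, matches the pattern of the PayPal phishes described in these entries; any single flag on its own is weaker evidence.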

Posted on December 19, 2004 at 12:30 PM

December 15, 2004

'Tis the Season...

...to be infected by viruses. Fa la la.

Sure, it's hard to resist an email message whose subject line wishes you a Merry Christmas (or may appear to have been forwarded to you). But if you don't recognize the sender right away, put on your spam warrior flak jacket and helmet. One of the latest worm attacks (called Zafi-d) uses the holiday greeting to entice victims to open the message and the attached "postcard" file. If you open that file without the latest antivirus protection, you've just handed over your computer to the Bad Guys.

That's probably not a gift you intended to give this season.

(For the stand-your-hair-on-end details, check out the Sophos description. Click the Advanced tab to see the various Subject: lines and messages for this particular virus.)

Opening unexpected file attachments (even when the message is From: someone you know) is among the most dangerous things you can do with your computer (after dropping it out the window onto someone's head). Imagine that each such file launch is like sticking an unfolded paperclip into a wall power outlet. Zzzats the picture!

Posted on December 15, 2004 at 07:24 AM

December 12, 2004

Amazon.com Availability

The "1 to 2 month" availability of Spam Wars from amazon.com is apparently due to a supply chain snafu. The first shipment to the distributor sold out instantly. When the amazon computer sees an "out of stock" situation at the distributor, the long lead time appears in the item's listing. In the meantime, the distributor failed to respond to rising backorders, causing the long lead time to persist. I'm told now that books are on the way, and normal delivery lead times should resume shortly.

Have I ever told you how much fun it is to be an author? If you need me, I'll be in the next room, screaming.

Posted on December 12, 2004 at 01:38 PM

December 09, 2004

Challenge-Response Sucks

So I get an earnest, one-on-one email request from someone interested in my JavaScript and DHTML books. I answer promptly (for a change) with the information he requested.

Immediately coming back to my inbox is an EarthLink notice that my message has been diverted to a "suspect email" folder. I don't have a problem with that—in fact my own incoming spam filtering diverts some messages to a suspect area that I scan through daily to find the occasional ham. But I get the impression that the only way my message will ever see the light of day again is for me to click the link that will let my correspondent determine if my address should be whitelisted for his account.

Now, I know that this person probably wants to receive the message I sent. But when you use a challenge-response (CR) system, it's too easy to forget to whitelist every new person you send a message to. In the meantime, more mail traffic is generated, more (of my) time (and associated computer/network resources, incremental though they may be) is devoted to responding to a question, and I get peeved enough to rant in this Dispatch entry.

I have not clicked the link that will help my message continue on its way, and I'm not inclined to do so, even though it may cost me a valuable reader (I'll be deemed the stuck-up author who is too High and Mighty to answer his email). CR is one of those ideas that sounds good when one is frustrated with all the spam leaking through, but if you carry on an active life of correspondence with new people, you'll probably miss some mail. Mine.

Posted on December 09, 2004 at 07:47 AM

December 06, 2004

The Ol' Euro Lottery Permalink

I don't know why I continue to write for a pittance when I've already won two One Million Euro lotteries over the weekend. One was from The Netherlands, the other from Spain.

There must be plenty of folks out there who fall for these advance-fee scams because they keep coming. There is always some "mix up" of numbers and names, so the recipient must keep the "winning information" confidential. That, of course, is to prevent you from mentioning it to someone who will slap you across the kisser and yell "Snap out of it!"

These things work by tricking recipients into paying up-front fees and taxes to collect (not!) their winnings. The only money that changes hands is your money into their hands.

By the way, my winning "lucky star numbers" in the most recent one were: 34-32-90-43-32. A Google of that string yields page after page after page of various other reports of other "winners" receiving similar messages and identical lucky numbers—talk about your lucky numbers. It doesn't take much research to sniff out a scam.

Please, folks, Microsoft does not sponsor lotteries to promote the use of their products. Bill Gates doesn't give his money away via European lotteries. Even if multi-million euro lotteries existed (repeat after me: "They don't."), they wouldn't be using yahoo.com and netscape.com mailing addresses (sheesh!). And, if someone is going to award you a ton of cash without your prior participation, the message won't come to you via email, addressed to "Sir/Madam." It will come from the MacArthur Foundation or John Beresford Tipton.

Tell your emailing parents, grandparents, neighbors, and kids.

Posted on December 06, 2004 at 09:13 AM

December 05, 2004

New Site Additions Permalink

Feel free to poke around the Web site for new postings of book reviews, media appearances by yours truly, and upcoming events.

Posted on December 05, 2004 at 01:57 PM

December 04, 2004

Identity Crisis Permalink

When a purely unsolicited spam message promoting "quality opt-in leads" comes over the transom, I wonder if anyone who buys this stuff does any due diligence. The message sports three different domains: one in the From: field; another as the domain to visit; yet another to unsubscribe. Whois records on two of them disguise their true identities behind one of the whois anonymizer services.

This particular mailing spamvertises a $29/month subscription, for which you'll receive each month a 100,000 record list of:

[i]ndividuals that have opted in to receive more information about starting a home based business. They are waiting to hear from you today.

The records include name, physical address, email address, and a timestamp and IP address (presumably of when the person opted in). I wonder if these IP addresses are like the ones I see on messages that swear up and down that I had signed up to receive mailings while using a computer at a particular IP address. Then I check the IP address and find it's in China or someplace I've never been.

Why is this company (whose real name is anybody's guess) offering such quality for so low a price?

As a major lead generation company we are generating more than we can use, so we are offering our membership clients an amazing deal.

Yah! They're so "major" that they hide behind three domain names (and mail through a fourth).

And what is their definition of opt-in? The Direct Marketing Association has several, only one of which corresponds to the good, confirmed type. In the meantime, a goodly number of spammers (perhaps this particular spammer) believe that posting a harvestable email address on a Web page or newsgroup return address is opting in to receive email from anybody.

Finally, is the address to which this outfit mailed this spam in their opt-in lead database? The Magic 8 Ball says: "Probably." But trust me when I say this: I am not waiting to hear from you if you intend to email me about a home-based business.

Posted on December 04, 2004 at 09:16 AM
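
The three-domain mismatch described in this entry can be checked mechanically when triaging mail. The following is an added example, not code from the original post: it pulls the From:, visit-link and unsubscribe-link domains out of a constructed sample message. The sample text, the function names and the two-label domain shortcut are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample modelled on the message described above; every name is made up.
SAMPLE = """\
From: "Quality Leads" <offers@leads-one.example>
To: reader@mailbox.example
Subject: quality opt-in leads

Get 100,000 records each month: http://www.leads-two.example/join
To unsubscribe visit http://mail.leads-three.example/remove?id=1
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
UNSUB_RE = re.compile(r"unsubscribe|opt[\s-]?out", re.I)

def base_domain(host):
    # Assumption: the last two labels identify the registrant. Real tooling
    # should consult the Public Suffix List (e.g. for co.uk-style suffixes).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def domain_roles(raw):
    """Map each role (from, visit, unsubscribe) to the base domains seen in it."""
    msg = message_from_string(raw)
    roles = {"from": set(), "visit": set(), "unsubscribe": set()}
    addr = parseaddr(msg.get("From", ""))[1]
    if "@" in addr:
        roles["from"].add(base_domain(addr.rsplit("@", 1)[1]))
    # Header and body lines are scanned the same way; a List-Unsubscribe
    # header always counts as an unsubscribe line.
    lines = ["unsubscribe " + v for v in msg.get_all("List-Unsubscribe", [])]
    for part in msg.walk():
        if not part.is_multipart():
            body = part.get_payload(decode=True) or b""
            lines += body.decode("utf-8", "replace").splitlines()
    for line in lines:
        role = "unsubscribe" if UNSUB_RE.search(line) else "visit"
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname
            if host:
                roles[role].add(base_domain(host))
    return roles

def distinct_domains(raw):
    """Sorted list of every base domain the message uses across all roles."""
    return sorted(set().union(*domain_roles(raw).values()))

if __name__ == "__main__":
    print(domain_roles(SAMPLE), len(distinct_domains(SAMPLE)))
```

A count above one is a triage signal rather than a verdict, since legitimate senders also mail through third-party services.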

December 02, 2004

Subject: payless for W!!nd0ws Millenium Permalink

Would anyone pay anything for WinME these days (even if it were a real copy instead of a pirated version)?

Rule #3 spammer at work.

Posted on December 02, 2004 at 05:34 PM
Bounces Tell a Story Permalink

Because one of my email addresses is "out there," I of course get a lot of spam at that address. But the address is also used frequently as the forged From: address of spam runs. This gives me the "opportunity" of receiving a variety of bounce messages sent by mail servers that stupidly accept bogus incoming mail (or mail addressed to invalid addresses at its domain) and then send a bounce message to the address in the From: or Reply-To: fields of the mail—even if those addresses were forged.

It doesn't take many of these bounce messages to realize that spam is transforming, if not ruining, the email practices of everyday folks and organizations that want to do the right thing by allowing themselves to be contactable on the Internet. I get a lot of bounce messages similar to this one:

Thank you for contacting [name withheld]!
Unfortunately, we are no longer replying to messages sent directly to this e-mail address. Going forward, please review our FAQ pages by selecting the topic that best fits your issue on our website here:
http://www.name_withheld.com/contact.jhtml
If you are unable to find your specific question addressed, please scroll to the bottom of one of the FAQ topic pages to "contact us".
Thank you, [Name Withheld] Customer Support

I get these from organizations and individuals who have simply given up on email as a mode of initial contact. Spam has driven them underground in a way. Very sad.

Posted on December 02, 2004 at 11:18 AM