Dispatches Archive


June 30, 2005

A Sort of "Quiet Period?"

In addition to my daily spam stats summaries, I also keep an eye on another quantitative chunk of information: how much spam gets through my server filters. I don't write down the number every day because the raw number, itself, doesn't mean much. For any given day, I have a sense—written or not—of how often I sigh or frown at the leakages that reach my personal computer's inbox.

There is, however, a number that I see that gives me an idea of a moving 30-day window. Let me explain.

My email client software (Microsoft Entourage on the Mac) is set up to preserve all deleted mail in the Deleted Items folder for 30 days. When the 30 days are up for a deleted message, the item is deleted for good the next time I quit the program. That Deleted Items folder contains both read and unread messages, spam and ham—the works.

As a rule, I do not open spam or phishing messages the traditional way. Instead, I open the source-code view. Fortunately, this is easier to do in Entourage than in a lot of other email clients, like Outlook on Windows, which make users jump through hoops (or memorize a finger-twisting keyboard combination) to get at the source. Viewing the source code version of a suspected spam message is not only the safest way to inspect the content (if, in fact, you care to), but it also shows me what HTML spam tricks the spammer is using to fool typical email client users.

When I'm done with these messages, I delete them, still showing them as unread as far as Entourage believes. They stay listed in boldface in the Deleted Items folder, and the number of unread items in that folder appears in parentheses after the folder name among the list of folders. Thus, the number that appears there is roughly the number of spam messages that got through my server filters within the last 30 days.

Over time, I've seen this number go up and down from month to month. Whenever it goes down, I take pride in how well my filtering is working; when it inches up, I wonder what more I could do. I like keeping spam off the client because when I'm out of the office, I check email on a wireless handheld device—when I don't give a rat's patoot that "Julie" has just set up her web cam.

I'm not particularly obsessive about my server filtering because, by and large, it does a good job with occasional minor tweaks. Considering that, if left unfiltered, my domain would receive roughly 7000-8000 email messages per weekday, I shouldn't be too concerned (statistically speaking) that even in those heavy leakage periods, an average of 20 unsolicited messages per day get through to the client. Moreover, I don't actively block some types of messages, such as phishing messages from institutions with which I don't have accounts. I like those to get through in modest quantities only because I take such glee in reporting the sites to their hosting companies, hijacked server administrators, and, when appropriate, domain registrars.

The last lull in the 30-day moving average was in January 2005, when there were only about 10 leaks per day. Since then, the volume has inched up and remained fairly steady over the last several months. I've noticed, however, that in the last week or so, the amount of spam leaking through is decidedly lower, and my little number indicator is headed downward. That's not reflected in the other spam stat totals, which are keeping their normal pace.

I've been watching this leakage number for so long that as much as I enjoy seeing a low number, I tend to worry more that it's just the quiet before the storm. The phishers, the mortgage lead weasels, the medz pharms, and "Julie" will be back, with a vengeance. The 30-day average number will once again start its upward crawl.

Maybe this period—while the trend is headed downward—is the time I should cherish. Things will improve for a short while. Okay, I think I've convinced myself to enjoy it while it lasts.

Posted on June 30, 2005 at 08:41 PM

June 21, 2005

The Randomizer Ate My Homework

I've been tracking (and quickly forwarding to the FTC's refrigerator at spam@uce.gov) mortgage spam. There have been tons recently using the same Subject: line ploy of surrounding my name with a randomized word on each end. They're so easy to pick out from a list of subjects, that it's laughable.

Even more laughable is when the randomizer selects words that would probably insult the recipient. Not everyone in the spam run gets the same random words, so I can't jump up and down with glee in the belief that the run will insult every recipient.

But that makes me wonder what a less suspicious recipient would think about the following formula, which I saw today:

imbecile [recipient's name] oboist

I wouldn't mind being called an oboist, but I don't know too many people who would take kindly to being called an imbecile. You'd think the spammer would use a more friendly word list. To the spammer I say: "I'm rubber and you're glue; what bounces off me sticks on you!" Phhhbbbtt!

Just trying to come down to the spammer's age level.

Posted on June 21, 2005 at 11:50 PM

June 15, 2005

Phishers Desperate to Look More Ophicial

Here's something in a phishing site that I had not seen before. The institution is a primarily midwest U.S. bank, so the odds of reaching an actual customer of the institution must be pretty low. But that didn't deter the phisher from concocting an elaborate charade at the phishing site, should someone visit there.

In place of the usual login screen or form is an official-looking "new enrollment" page that simply reels off a bunch of legalese. This, the header tells me, is Step 1 of 3. Clicking "Continue" brings me to another, much longer page consisting of a "consumer services agreement." The wording is taken from the real agreement of the institution.

Continuing on, I reach Step 3 of 3: a form requesting my Social Security Number, debit card number, and PIN. AHA!

Not only might the official-looking legal pages make someone believe it's the real thing, but the domain of this scam is very real-looking, containing the name of the institution and the word "online." The real site for the institution has a different domain name.

In fact, this whole scam is so official-looking, I fear that my report to the hosting company won't be taken seriously, and they'll be fooled into thinking it's the real bank's site (notwithstanding the 2004 copyright date on the bogus pages). They closed down the last phishing site I reported yesterday, so here's hoping they're equally responsive today.

Posted on June 15, 2005 at 02:03 PM

June 14, 2005

Brand Name Survey Scams

I must have the likely suspects of "survey" spammers in my spam filters because it's now rare that I get to see the contents of the messages (they get trashed on the server after logging the Subject: line). But one slipped through the filters today, reminding me about how dastardly these liars are.

This one's Subject: line would attract the attention of any chocoholic:

Hershey bar Survey: Milk Chocolate vs. Dark

The From: field read:

Hershey's Survey

Whenever I see a respected brand name hurled about in an email message Subject: or From: line, my scam radar goes into high-sensitivity mode. Therefore, rather than rush to open and view the message, I check out the source code first.

The originator of this message identified himself as a domain whose name contained the word "offer." That the message did not originate from a Hershey's server is not alarming. It's not uncommon for big companies to contract outside services for market research.

But then I did a little digging on the domain name. A distinctive stench began to waft my way. The telephone and FAX numbers of the registrant were—and I'm not afraid of revealing too much by publishing the numbers here—+1.5555555555. Veteran U.S. film and TV watchers know that the 555 telephone prefix is reserved by phone companies in every area code as a non-working prefix for use in offline demonstrations, movies, and what-not. That's to prevent film buffs and whackos from dialing a number mentioned in a movie to see who answers (usually some little old lady who eventually has to change her number).

The name of the registrant or contact email address had no match to the "offer" domain name, although the word "media" appears in the company name (by now you're probably getting the picture). Moreover, the Chicago street address turns out to be a UPS (formerly Mailboxes etc.) store.

My question is, therefore, would a company, such as The Hershey Company, hire a firm: a) whose mailing address is a personal mailbox at a UPS store; b) who provides bogus domain registration info; and c) mails from a nondescript domain that is not quite one month old?

Looking into the message body, I find some additional disturbing things. Like the fact that viewing the message in a regular HTML email window loads several images from two other domains, each image URL containing an affiliate ID. Thus, each view of the message may earn brownie points or cents for the sender.

The clickable links also are coded with a hairy identification number of some kind (divided into four segments). The number is certainly long enough to correspond to my email address entry in the sender's database, while the other numbers could identify the message to help the sender know which version of the pitch I'd be responding to.

There is little plain-view text in the message. I presume most of the come-on is in the images—which I won't download or view. But the text I do see invites me to click to learn more about 10 pounds of complimentary chocolate or a $50 restaurant gift card. Hmm, they don't say it's Hershey's chocolate. Nor do they say that I'd definitely get one of these things for clicking "there." With such a great risk of confirming my address to the sender, I won't click the link to see where it leads.
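The source-view habit described above can be scripted. As an added example, not code from this post or from any product, the following Python walks an HTML message body with the standard-library parser and reports what a rendering client would have leaked: the remote hosts that images are pulled from, the query parameters attached to each image (this is where affiliate IDs ride), any 1x1 tracking pixels, and segmented identifiers carried in link URLs. Nothing is fetched. The HTML body, host names, parameter names and the four-segment ID format are constructed for the example; only the technique (parse, never render) is the post's.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed stand-in for a message source (NOT the actual survey spam the post describes).
SAMPLE_HTML = """<html><body>
<p>Tell us: Milk Chocolate vs. Dark and get 10 pounds of complimentary chocolate!</p>
<a href="http://track.example.net/go?id=8271-00193-55120-7">Click here</a>
<img src="http://img.example.org/banner.gif?aff=44317" width="400" height="120">
<img src="http://cdn.example.com/pixel.gif?affid=44317&amp;c=001" width="1" height="1">
<a href="http://track.example.net/go?id=8271-00193-55120-7">$50 gift card</a>
</body></html>"""

# Assumed shape of a "hairy identification number": four dash-separated digit runs.
SEGMENTED_ID = re.compile(r"\d+(?:-\d+){3}")


class RefCollector(HTMLParser):
    """Walks the markup and records references; no URL is ever requested."""

    def __init__(self):
        super().__init__()
        self.images = []      # (src, width, height)
        self.links = []       # href
        self.text_parts = []  # visible text, for judging how much is in images

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append((a["src"], a.get("width"), a.get("height")))
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_data(self, data):
        if data.strip():
            self.text_parts.append(data.strip())


def analyze(html_source):
    """Report remote image hosts, per-image query parameters, 1x1 pixels,
    segmented IDs found in links, and the plain text a reader would see."""
    p = RefCollector()
    p.feed(html_source)
    p.close()
    report = {"image_hosts": {}, "image_params": {}, "pixels": [],
              "link_ids": set(), "text": " ".join(p.text_parts)}
    for src, width, height in p.images:
        parts = urlsplit(src)
        host = parts.hostname or "(inline)"
        report["image_hosts"][host] = report["image_hosts"].get(host, 0) + 1
        for key, val in parse_qsl(parts.query):
            report["image_params"].setdefault(key, set()).add(val)
        if width == "1" and height == "1":
            report["pixels"].append(src)
    for href in p.links:
        for key, val in parse_qsl(urlsplit(href).query):
            if SEGMENTED_ID.fullmatch(val):
                report["link_ids"].add(val)
    return report


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_HTML).items():
        print(f"{key}: {val}")
```

Run against a saved `.eml` body, the `image_hosts` and `image_params` output tells you which third-party domains and which IDs a single preview would have confirmed to the sender; the `link_ids` set is what you would be handing over by clicking.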

(I don't know what kind of information the survey asks of its participants, but the lure of ten pounds of chocolate may be enough to pry some sensitive data. According to a BBC News article, 70% of surveyed Liverpool, England commuters were willing to divulge their computer passwords for a mere bar of chocolate. For ten pounds of chocolate, they'd probably hand over their first-born children.)

I tried contacting Hershey's to see if this survey is legitimate, and whether this message was a proper use of the company's trademark (there were no trademark assertions in the text portion of the message). Unfortunately, too many Big Companies make it nearly impossible for Joe Average to get in touch with anyone who can dish out the straight poop.

(About a year ago, I got a survey mailing that claimed to be from the Wall Street Journal—I'm a subscriber. Treating the message with the same "radioactive waste" care described here, I did get in contact with someone at the Journal who confirmed that the survey was legitimate and under contract to Dow Jones. But she also noted that in my subscription details, I had asked not to be contacted. That I received the survey request was a mistake, and to compensate me for my troubles, she extended my subscription by several months. I thought that was pretty classy.)

Call me suspicious, but I strongly doubt that this message links to a Hershey's-sponsored survey. Instead, it's most likely a scam to collect your email address and perhaps some other demographic data that will be sold to others as a "targeted" email address. The address will be current (or, as one bulk email marketer called them in email messages collected by court subpoena, "freshies"), and will become a valuable asset to this spammer. You'll reap the benefit of even more spam to that address—long after the zits from eating ten pounds of chocolate have receded (as if you'd actually get the chocolate).

As for my chocolate preference, it's dark chocolate. The Hershey Company probably already knows that.

Posted on June 14, 2005 at 05:00 PM

June 11, 2005

Maybe I Expect Too Much Logic

Every now and then a spam Subject: line jumps out at me because it seems so idiotic. Here is one that was addressed to a domain registered and hosted in the U.S., to the user name of someone who got only as far as Singapore. The sender, however, seems to have a different notion:

Subject: This Message Actually Reaches 1mil Malaysians

The message comes from an email marketing service based in Malaysia that claims to help my company reach millions of Malaysians via email. But if they're mailing to my address, what does that do for the credibility of their claim that the addresses they mail to are really in Malaysia? Based on my having received this message, and giving the sender the full benefit of the doubt, the Subject: should read:

Subject: This Message Actually Reaches 999,999 Malaysians

Something tells me, however, that I'm not the only non-Malaysian to receive this peddle pitch.

But the idiocy doesn't stop there. This marketing service, based in Malaysia and purporting to mail to Malaysians, assures me that:

As professionals, we abide by all rules and regulations set by the Federal Trade Commision....

Maybe the Malaysian government has a "Federal Trade Commission." I don't know, and I don't feel like digging through their government Web sites to find out. My guess, however, is that this disclaimer is pointing to the U.S. Federal Trade Commission (if someone knows otherwise, please let me know). Aside from the fact that this message, itself, does not have a postal mailing address (and is thus in violation of the U.S. CAN-SPAM law enforced by the FTC), I fail to comprehend the relevance of this claim. Even if a U.S.-based company hired this outfit to mail to Malaysians and the messages broke all the CAN-SPAM rules on the books, what would the consequences be? Is a spammed Malaysian going to complain to the FTC about a spam that originated in Malaysia? (And would the FTC give a rat's patoot?)

The whole thing is just too bizarre.

The company also has a lot of faith in the quality of its lists:

If there are less than 10 enquiries of your products/services, we will compensate you with another 1million for free!

Note that this count is for "enquiries," not orders. That's ten out of a million. In spamdom, that rate might be acceptable as a breakeven point for revenue-generating orders (assuming a net profit of $10-20 per order), but for leads, that seems like an embarrassingly small guarantee rate.

In Internet discussion groups, a "troll" is someone who posts an intentionally provocative statement with the sole purpose of starting flame wars among regular inhabitants. Although it's often difficult advice to follow, the best response to a troll is no response. Thus the frequent admonition: Don't Feed the Troll. In the case of our Malaysian email marketing service, they're not mailing this spam to inflame or be provocative. They want to get your business. Still, the corollary to the admonition applies here: Don't Feed the Spammer.

Posted on June 11, 2005 at 10:25 PM

June 07, 2005

Why Do They Bother?

One of the requirements of the U.S. CAN-SPAM law is that an unsolicited message must have a valid physical address to which a recipient may write to be removed from the mailing list. Compliance with this provision is next to zero among senders who mail to harvested email addresses (since harvesting is also illegal according to CAN-SPAM).

So, when a message arrives (in my Suspects bin) that includes a mailing address, it's kind of amazing. When such an address appears, however, it's usually a tremendous joke. The message in question has very little text (beyond the Bayesian filter hashbuster block), and what text exists is not English (it tries to be). Only by some weird characters in the Subject: line and by the domain name that includes the word "date" do I suppose this is some kind of adult site. This is the type of spam to which I do not respond in any way—no Web site hits...Zero Response.

With a little checking on this message and domain, I see that the spamvertised site is hosted in China, and the domain registrant claims to be from Nicaragua. Apparent ties to the U.S. are nil. So why bother with the address to comply with the U.S. law? Not only that, but the address is complete window dressing:

9145, 18 AVE, ZZ, %PAIS_65438

See that "%PAIS_" part? That's a placeholder for a random filler. "País" is Spanish for "country." The spammer's routine failed to fill in a random country name for this address. I'm assuming the "65438" is to be interpreted as a postal code.

Anyway, even if a country name appeared in this bogus address, it wouldn't make the message any more compliant with the CAN-SPAM law. Why bother?

Posted on June 07, 2005 at 07:39 PM

June 04, 2005

Stranger and stranger

About a month ago, I wrote about an erectile drugs spammer whose messages, while carefully crafted to avoid some types of spam content filtering, lacked something quite important: a link or URL to visit his Web site to buy his phony medz. There are also no images in these messages (unlike another ED drugs spammer who uses the same table technique, but includes images embedded in the mail as binary attachments). The messages get cut off at the same place and with the same telltale symbols.

I hadn't seen much from him for a while until the last couple of days. He has the same no-URL problem, but his messages now contain a text-only section that has extracts from anti-spam Web site articles. One was about Scott Richter's bankruptcy actions, and one I saw today had a long paragraph excerpt of an article by a CipherTrust executive. This is a common technique used to trick Bayesian filters, as I describe in Spam Wars.

What strikes me as odd is that some content filters are on the lookout for the word "spam" because so many bogus disclaimers include phrases like "this is not spam." But this fellow has no qualms about including spam-tripping extracts in his insert intended to fool filters.
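The two effects described in the paragraphs above (an appended article excerpt dragging a pitch toward ham, and an excerpt dense with the word "spam" dragging it straight back) can be shown with a few lines of arithmetic. The following is an added example, not the author's code and not any shipping filter: a minimal multinomial naive Bayes with Laplace smoothing, trained on a constructed eight-message corpus. The training lines, the pitch and both extracts are made up for the example; the classifier form is the textbook one, so the numbers illustrate the mechanism rather than any real filter's scores.

```python
import math
import re
from collections import Counter

# Constructed toy corpus; none of these lines is real mail.
SPAM_TRAIN = [
    "buy cheap medz online viagra",
    "cheap medz pills order now",
    "this is not spam not spam buy now",   # the "this is not spam" disclaimer
    "not spam special offer pills",
]
HAM_TRAIN = [
    "meeting notes attached see article",
    "the article about filters was good",
    "lunch tomorrow see you",
    "notes from the conference article",
]


def tokens(text):
    return re.findall(r"[a-z]+", text.lower())


class NaiveBayes:
    """Multinomial naive Bayes; positive log-odds means 'spam'."""

    def __init__(self, spam_docs, ham_docs):
        self.spam = Counter(t for d in spam_docs for t in tokens(d))
        self.ham = Counter(t for d in ham_docs for t in tokens(d))
        self.n_spam = sum(self.spam.values())
        self.n_ham = sum(self.ham.values())
        self.vocab = len(set(self.spam) | set(self.ham))
        self.prior = math.log(len(spam_docs) / len(ham_docs))

    def token_log_odds(self, tok):
        # Laplace (+1) smoothing so unseen words neither crash nor dominate.
        p_spam = (self.spam[tok] + 1) / (self.n_spam + self.vocab)
        p_ham = (self.ham[tok] + 1) / (self.n_ham + self.vocab)
        return math.log(p_spam) - math.log(p_ham)

    def log_odds(self, text):
        return self.prior + sum(self.token_log_odds(t) for t in tokens(text))

    def is_spam(self, text):
        return self.log_odds(text) > 0


MODEL = NaiveBayes(SPAM_TRAIN, HAM_TRAIN)

PITCH = "cheap medz pills"
# Hashbuster lifted from a neutral article: only ham-ish tokens.
NEUTRAL_EXTRACT = "the article about filters"
# Hashbuster lifted from an anti-spam article: same words plus 'spam' twice.
ANTISPAM_EXTRACT = "the article about spam filters and spam traps"


def hashbuster_demo(model=MODEL):
    """Verdicts for the bare pitch and for the pitch with each extract appended."""
    return {
        "pitch": model.is_spam(PITCH),
        "pitch+neutral extract": model.is_spam(PITCH + " " + NEUTRAL_EXTRACT),
        "pitch+anti-spam extract": model.is_spam(PITCH + " " + ANTISPAM_EXTRACT),
    }


if __name__ == "__main__":
    for label, verdict in hashbuster_demo().items():
        print(f"{label}: {'spam' if verdict else 'ham'}")
    print("log-odds of 'spam' token:", round(MODEL.token_log_odds("spam"), 3))
```

With this corpus the bare pitch scores positive, the neutral excerpt pulls the total below zero, and the anti-spam excerpt pushes it back above zero because "spam" occurs only in the spam training set (the "this is not spam" disclaimers put it there), so each occurrence carries a larger positive weight than any single ham word carries negative weight.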

I wonder what else this guy can do to further sabotage his spam runs.

Posted on June 04, 2005 at 09:22 AM

June 01, 2005

On-Demand Phisher Nuking

How cool is this:

  1. Receive a phishing mail with a link to a customer account at a Web hosting firm.
  2. Confirm (safely) that the URL is still active (or that the phisher didn't screw up the link).
  3. Use the firm's live chat support feature asking for the best way to report a phishing customer.
  4. Support rep asks for the URL.
  5. 30 seconds later he asks me to try the URL.
  6. URL is dead.

And the winner is: addr.com. Kudos and huzzah!

Posted on June 01, 2005 at 11:58 PM