Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« June 2005 | Main | August 2005 »

July 31, 2005

A Verse to Spam Permalink

I write a lot, but I don't write poetry...or at least not since high school assignments made me do it. Poetry, in my opinion, is a difficult medium, and not one I appear to be equipped to handle. Moreover, quite a bit of modern poetry leaves me scratching my head. Give me my dusty copy of The Oxford Book of English Verse instead, and send me to the Lake Country.

What brings this subject to the forefront was a perusal the other day of an email account inbox I have at Comcast. For better or worse, Comcast is my onramp to the Information Superhighway. Every customer gets an account name and email address, like it or not. I don't use the account name for anything, don't publish the address anywhere, and don't check the inbox except perhaps every two or three months—just to clear out the junk.

And what junk!

Like most big ISPs, Comcast must get its share of dictionary attacks. Somewhere along the line, my account ID must have shown up as being valid, because the amount of spam addressed to that account is quite incredible. Except for Comcast's own occasional messages, the rest is 100% spam. Comcast's spam filtering is abominable, compared to the job that Microsoft Entourage (my Mac email client) does on the messages that make it through my server filters. Whoever designed the Entourage spam detectors should get in touch with Comcast ASAP.

Rather than clutter my email client with Comcast-delivered crap, I use Comcast's Web interface to read and delete the mail. I continue to apply the same "don't open it" practice there as I do in my Mac email client. But that means that I still see the From: and Subject: lines in the list of waiting messages.

The batch of messages I saw the other day really struck me as being perhaps akin to modern poetry. Clearly, each Subject: line from a large family of messages was assembled from random words, but I swear it might just nudge some poetic muse in a reader. I know what free verse is, so this is perhaps a genre to be known as random verse. Or spamdom verse.

And so, I grabbed a series of these Subject: lines, made an occasional punctuation and agreement tweak (e.g., a/an agreement) to prepare a poem that I call...

A Verse to Spam
To draw or ascription,
Or watch a mirror
At wakeup so bilk concomitance,
Is wait be stardust?

I turnoff by orientation staircase
As count at desiccant ampere;
His hurt by ulterior cupping,
Do can it hermit telephotography?

The spend go representation
That spell at electoral.
He smoke, he duckling,
A worry as tripper truculence.

I'll leave you in silence to contemplate.

Posted on July 31, 2005 at 12:33 PM

July 25, 2005

The Art of the "Joe-Job" Permalink

Here is the Spam Wars glossary definition for a "Joe-job":

Joe-job A tactic of a spammer to make a spam barrage appear to originate from the mail server of an enemy, or list the enemy’s Web site as a spamvertiser in the hopes that thousands of bounce messages and complaints will land at the target’s feet. Named after an attack on the joes.com domain.

This definition was the furthest thing from my mind when I received an odd little spamlet, whose body (sans URL) reads as follows:

Hi
Try jwSpamSpy, our spam filter for POP3 mailboxes.
We use it to track spammers and scammers.
Free full featured 30 day evaluation version available!

The link was to a Web site with a .de (Germany) country-specific top-level domain. I had not heard of the jwSpamSpy product, but, then, I don't claim to have evaluated every spam tool in existence. I was ready to lambaste this spam for using spam to sell an anti-spam tool. Perhaps it wasn't really an anti-spam tool, but just some kind of malware installer.

Before I hit the keys to flame away, I dug a little deeper (without visiting the site, as is my rule). It didn't take long to uncover that jwSpamSpy is a real product, and its developer has been gathering extensive data on spamvertised Web site domain names, supplying those names to one of the blocklists that some blended spam filters use. He also publishes—out in the open—his extensive list so that anyone can use those domains in their custom filtering, if they so choose.

From everything I could uncover, this fellow is a Good Guy, and wouldn't be caught dead using spam to promote his own product. Was this spam message a Joe-job?

Yup.

Apparently this guy—Joe Wein is his name—has touched a raw nerve or two among spammers. Whatever he's doing must be working. Unfortunately he has to fend off the unfortunate byproduct of being Joe jobbed (what with automated spam reporting not understanding the subtleties of the art), but at least his effort is not for naught.

And that someone named Joe is being Joe-jobbed also has a bit of humor attached to it. There is no need to change the term.

Posted on July 25, 2005 at 10:55 AM

July 14, 2005

"Just When You've Seen It All" Department Permalink

Virtually anyone with an email address has seen his or her share of slimey things ooze into their inboxes, but an item trapped in my server's Suspects bin was a new one to me:

Subject: Bring out the new you with gastric bypass surgery...

That's really raising the bar way past the weight loss patches. Can you buy a do-it-yourself kit? And if you used that kit to bring out the new you, would you be able to get it all back in?

The best I can tell—without actually visiting the highly coded link URLs that would drop some coin into the spammer's pocket—is that this spam would take visitors to some kind of search engine, but probably not one I'd want to come near.

Yeah, that's how I want to find my next doctor: via spam.

Posted on July 14, 2005 at 08:28 AM

July 10, 2005

Goodbye Julie, Hello Sarah (grumble, grumble) Permalink

For quite awhile during the lengthy research and writing phase of Spam Wars, I saw a lot of adult-oriented spam claiming to be authored by someone named Lisa. That's why on page 270, in a list of spam message deceptions, I reveal the secret that "Lisa did not just move into your area."

Shortly after the book came out in the fall of 2004, Lisa spam was supplanted by Julie spam. Julie had just moved into the area, had just set up a Web cam, or had just started playing around on the Internet. Lisa was gone, and Julie was everywhere.

It now seems that here, in the summer of 2005, Julie has been booted out, and someone named Sarah has taken over:

hey, i'm sarah :)
Checked your profile
Decided to give you my site with pictures ;)

Even the porn site subdirectories in the spam links have migrated from things like /ju8/ to /sa8/. Who knows how long Sarah will last, dare I say it, in this position?

Of course, I highly doubt there was or is a single Lisa, Julie, or Sarah running all this stuff. It's more likely the same porn ring running each string of spam. Do all of their Web cam women claim to be the nom du jour? I really don't care to know. But I do wish they'd stop sending the deceptive, zombie-sourced spam. I won't be clicking on any of the links (in more domains than you would imagine), and I encourage all others to practice the same restraint. Spam links to adult sites commonly lead to pop-up hell (if your browser is not equipped to block them), and Internet Explorer users running Windows will likely experience multiple attempts to load adware or spyware onto the visiting PC.

Yes, you can catch something nasty by clicking links to watch Lisa, Julie, Sarah, or—should she be next—even Gertrude.

Posted on July 10, 2005 at 02:25 PM

July 03, 2005

Another Address Shot to Hell Permalink

As Master of My Domain, I have the luxury of setting up special user names for email addresses on my system. I don't have a lot of special addresses set up, but I do have a separate address for my eBay account. It is used nowhere else. All messages directed to that address go straight through to the my incoming mail (after checking for viruses, however). This became necessary when my rather tight filtering was diverting real post-auction communication to either the spam suspects bin or trash bin on my server. With the dedicated eBay address, I don't have to whitelist each new correspondent. No matter who sends a message to that address, I'll see the message.

I had that address in my eBay preferences for at least a couple years—maybe longer. It is, of course, immediately helpful in recognizing bogus eBay phishing messages, which invariably get sent to my regular (non-eBay) adddress, and therefore couldn't possibly be legitimate. After all, it's my regular address that is in vastly wide circulation in spamdom. Over all that time, I never received a single unsolicited message directed to that address. It signalled to me that eBay was good to their privacy policy and they respected my email preference settings.

But a couple of days ago, some garbage directed to that address started to arrive. A medz spam, a junk stock pump-and-dump appeal, to cite two. The main reason I noticed them is that the messages made it to my personal computer but had other markings that would have normally caused them to be deleted or diverted at the server.

So, that address is now lost to spamdom.

As to how that happened, there are several possibilities:

  1. A former eBay correspondent filled in that address in a place where spammers collect addresses.
  2. EBay's database was broken into.
  3. A former eBay correspondent's computer became infected with a worm that harvested local addresses.

In rating these possibilities, No. 1 has a low probability in my opinion. No. 2 sounds good to the conspiracy theorists of the world, but I think we would have heard about this earlier.

That leaves No. 3, whereby the PC of an earlier correspondent had been compromised, and all addresses found in address books, archived messages, and so on, were collected and fed back to a spammer. It's a clear indication that, as I state in Spam Wars, you cannot protect an email address if you ever use it, even sparingly. The sanctity of your address is in the hands of the security-mindedness of every one of your correspondents. One click of a message link can take them to a malware installation site; their PC is hosed, and your email address is "out there."

Although I've been an eBay user for a long time, I haven't done a lot of eBay buying or selling over the last couple of years. I could probably narrow down the list of suspects to about 20 individuals. But that would be a waste of time. If I sent messages to all of them accusing them of possible PC infections, most of them would probably blame me for making a false accusation—denial runs rampant among those who exhibit the riskiest Internet behavior. And, as I've described elsewhere, infections can come not only from virus mail attachments, but from simply visiting, no matter who briefly, a malware installation site at the other end of a spam message's link.

I'm fortunate that I can not only set up a new address for my eBay auctions, but that I won't lose touch with anyone as a result. For the moment, I have a reprieve. Anyone sending to the old address will have the message immediately rejected by my server. The moment I start communicating with someone after a new auction, however, my new eBay address will be at risk of escaping into the wrong hands.

Posted on July 03, 2005 at 01:40 PM

July 01, 2005

Bank Mergers and Phishers Permalink

Oh my goodness! It appears that Bank of America is buying MBNA, a huge credit card issuing company. I know I've received phishing messages purporting to come from Bank of America (BofA) and MBNA, desperately trying to obtain my mother's maiden name and my shoe size.

For each institution, the phisher has to come up with a dummy email message and Web site. Ideally (from the phisher's perspective), the email message and Web site need to replicate the look and feel of real correspondence and sites of the institutions. This takes some work—a little HTML, maybe a little CSS and JavaScript. And expert use of Ctrl+C and Ctrl+V.

But this merger stuff is going to kill the business for the 16-year olds who are creating the phony message and Web site formats that go into the phishing kits. I mean, for each merger, some kid has fewer bogus HTML email messages and sites to concoct. What are these kids going to do instead? It'll be like the Dot-Bomb era all over again. Hordes of unemployed Web coders roaming the streets. Desperate ones will make handmade cardboard signs reading "Will Phish for Phood."

This merger business is going to be ugly.

Posted on July 01, 2005 at 05:01 PM