Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« July 2005 | Main | September 2005 »

August 22, 2005

Take Two Fake Rolexes and Call Me In the Morning Permalink

As I was scrolling through the source code of spam trapped in my server's "Suspects" bin today, I noticed a familiar message flogging fake Rolex watches. It uses an old technique called ASCII Art—something I wrote about back in a January 2005 dispatch.

What really caught my eye, however, was the link URL the recipient is to click to either visit the online store or "0pt 0ut" (those are zeros) of future mail (yah!). The domain name is short, to the point, and clearly intended for a medz spammer (the word "pills" is in the domain name).

As I demonstrate in Spam Wars, a lot of spammers and spamvertisers sell anything for which they can make a buck. Today it's fake Rolexes; yesterday it was fake Viagra or a cream you're supposed to rub somewhere. They're not building a brand name of their own, just a money machine flogging the product (phony or otherwise) du jour.

In the meantime, we're all paying for the "privilege" of having their messages jam our inboxes. People must be buying this crap because the spammers wouldn't continue to spam if they weren't making money doing it. The spammers won't stop on their own. Even with literally billions of messages per day being summarily deleted or shunted into spam bins, enough of them get through to make it worth the spammers' while. But if everyone stopped visiting spammers' Web sites, the spam, too, would stop. Tell your kids, your uncle Fred, Grandma, and the bored co-worker in the next cubicle.

Posted on August 22, 2005 at 11:48 AM

August 18, 2005

Getting The Details Correct in a Reffinapnce Permalink

In their efforts to get messages past content filters, spammers commonly misspell the kinds of words that they believe filters are looking for. But quite often, the result is something close to gibberish. When it comes to entrusting my mortgage refinancing needs to a broker or lender, I don't think I'd be confident in someone who plies his wares via the following real spam message:

Danny Goodman
My name is Antonio G. Sneed and I checked your informyation and you have been approouved for a reffinapnce. Please find all details below:

Intelrest: 3.5
Temrm: 360 months

Please follow this linka for your instant activattion http://www.[redacted].com/kggaannfa.asp?opw=50122450

Thank you for your immediazte attentlion.

Very truly yours,
Antonio G. Sneed
CA Directr

The domain name claims to be registered to someone on Moscow, and the Web server is located somewhere in China. Perhaps our spammer is not a native English speaker/writer, and truly believes the message is spelled correctly.

Anyone who responds to this offer would have to be a complete doodoo—I mean, dodo.

Posted on August 18, 2005 at 11:06 AM

August 17, 2005

The Zotob Worm And My Spam Stats Permalink

The mainstream news media is alive with stories about the Zotob family of worms spreading widely around the Internet. That the worm found its way into personal computers of some very large media outlets—CNN and The New York Times, for instance—helped the story get out even faster.

If you've come to my site to check the impact of this family on the "Virm" (virus/malware) category of my Spam Stats chart, you'll see (if you happen to check during the week that this article first appears) that the Virm count is in the normal weekday range. No, this isn't a calculation mistake. The difference with Zotob is that it spreads through means other than email. Because my Virm counter reports only what comes through in email, it won't know anything about direct attacks on open ports at IP addresses or internal network propagation.

But the stats do show about a 20% increase in spam above the usual "noise level" for the Tuesday of this week. It's hard to say for sure whether this is the result of infected machines spewing out more than the usual amount of relayed spam. There is a similar increase in the category of Dictionary Attacks, which includes spam sent to corrupted user account names at one of my domains—corruptions that have been in the spammers' databases for years.

Tuesday's increase can be attributed either to the spurt in infected PCs. Or it's simply back-to-school spam. After all, every third-grader should have his or her own fake Rolex.

Posted on August 17, 2005 at 11:30 AM

August 10, 2005

Ouch! (Know Your Spamming Affiliate) Permalink

I saw a spam message hawking laser eye surgery. Kind of odd, but at least it's not trying to get me to enlarge a body part.

What really got me, though, was the domain name of the spamvertised Web site. I won't divulge the whole thing, but a big part of it was—I kid you not—"modernjabbing."

Now, I haven't had laser eye surgery, but I don't think I'd inquire at an outfit that is into modern jabbing. No thank you.

Posted on August 10, 2005 at 07:48 PM
Web Beacons: Alive and Unwelcome Permalink

Spam Wars readers know all about Web beacons or Web bugs—email message inclusions that download zero-sized images, passing your email address along the way, thus confirming that your email address is active. Every once in awhile, I'll read some article proclaiming that the technique isn't used much anymore.


Scanning through my server's Suspects bin, I encountered this little gem, whose only goal is to get its recipient to open the message in an HTML-capable email program (i.e., most standalone email programs and Web mail pages), and thus confirm the recipient's address. The Subject: line of the one I received is:

Subject: dannygWho are you

The miscreant putting together the template didn't think to include a space between the email address user name and the "Who are you" part. But imagine seeing this in your email inbox with your email account user name at the beginning. Would you open it to see what it's about? Unfortunately, I believe most would do so, especially those who don't follow Spam Wars guidelines for email safety.

If you were to open the message in your email program, the message body would read exactly the same as the Subject: line (including the space mistake). That's all you would see. You'd be puzzled. Perhaps even a little frightened. The From: field just has seven "w"s in a row, followed by an email address you wouldn't recognize (it's non-working, as well).

What the recipient doesn't see is that the HTML of the message includes a tag that downloads an image. The specifications for the image set the size at zero height and width, meaning that it will be invisible. But don't worry...you're not missing anything because the URL for the image won't download anything worth seeing. The heart of what's going on here is in the URL, itself. After the Web address of the server (in the numeric IP address format pointing to a location in China) are identifiers for both the recipient's email address and the affiliate who caused the spam to be sent (the second identifier could also label the particular campaign being used for this mailing).

By opening—or even just previewing—the message, you've confirmed your address to a spamming group. That address becomes a valuable asset that gets sold to other spammers. Here's your reward: Expect to see more spam in the weeks and months ahead.

Oh, and this isn't a Windows-only deal, like most of the spyware running around. If the email program is capable of rendering HTML (like a Web browser), you are susceptible to this venerable trick. Even if you use Web mail at an Internet cafe on someone else's computer, it's still your address that gets confirmed.

Fortunately, more and more email programs offer a preference setting that lets you turn off automatic downloading of images (and other types of downloadable HTML stuff) in email messages. Instead, you can see the text, with placeholders for the images. If you want to download the images, you can click on a button. I was pleasantly surprised to see this blockade turned on by default when I upgraded to the current version of my email program.

Alas, I fear that the social engineering occurring in this "Who are you" message will trick even careful users into downloading the bogus image. If they had taken further precautions (as I detail in Spam Wars), they would have seen the trick being perpetrated, and walked, if not run, away from this message without doing any damage.

Please, please protect yourself, and don't give the spammers the satisfaction of knowing your email address is alive and well.

Posted on August 10, 2005 at 08:19 AM

August 06, 2005

Oh, O(prah)! Permalink

Those who have heard my public speaking on the topic of improving consumer education about spamdom and scamdom know that I frequently ask if anyone in the room knows Oprah, as in Oprah Winfrey. I ask this—half in jest, half in all seriousness—because I believe the message about protecting oneself from e-messaging-borne intrusions needs to reach the Internet-using public, especially those who are not sufficiently technically aware to realize that they're at grave risk. These folks don't read antispam Web sites or RSS feeds, just as homeowners don't study termites until the porch falls off the side of the house. Oprah's audience (among others) needs to learn about the potential perils of opening unsolicited messages and clicking on the links.

In the last week or so, a series of spam messages have been trumpeting a free three-year subscription to "Oprah Magazine." Most of the messages fail to get the title of magazine, "O, The Oprah Magazine," correct, but who cares as long as "Oprah" is in the Subject: line? A three-year sub to "O" on the open market is worth about $50 (extrapolating the official Web site's $19.97 rate for a one-year subscription).

From what I can tell, this entire campaign is about lead generation, that is, getting names/addresses/email addresses of new people so that they can be spammed until the cows come home. Clues in some of the messages indicate that to get the subscription, you'll need to jump through a few hoops, but mostly you'll be giving up the names/addresses/email addresses of your friends and family, ratting them out to spammers.

The messages I've inspected use the same magazine cover artwork, supplied by a Canadian firm called Azoogle Inc., a firm that is listed in Spamhaus' Registry of Known Spam Operations (the master record is here.) The messages originate from and link to affiliates who do the dirty work for a commission.

Do the hoop jumpers ever get their subscriptions? I can't say for sure one way or the other. The magazine subscription business runs so slowly on its own that there is a good likelihood that you'll forget about the subscription you "won," and may give it a few milliseconds of thought several months from now if the magazines don't arrive. Then you'll just shrug your shoulders, while the inboxes of you and your best friends pile up with spam crap, and your lead data is resold over and over, putting yet more coin in spammers' pockets.

What would Oprah think about all this? I want to believe that she would have nothing to do with a ROKSO-listed bulk emailer. I also want to believe that she would not be too happy to have an army of no-name Web sites flail her valuable brand name about the Internet with wild abandon—without her control. The truth, however, could come from the other side of the coin: her magazine/publishing group made a deal with Azoogle for low-cost subscriptions in return for the "exposure" to millions of potential readers (how the exposure is achieved—just don't tell us). It could be a pure advertising play. That would leave a very bad taste in the mouths of those who are spammed—and spammed repeatedly—in Oprah's name.

And so, I ask once again:

Does anyone know Oprah?

Posted on August 06, 2005 at 09:23 AM

August 05, 2005

Watching a Train Wreck Permalink

A lot of people are going to be ripped off today, and there's not a damned thing I can do about it.

I'm sure I wasn't the only one to receive the following message (phone number blocked out):

: )))

Please be aware that your refund which totals $1,742.63 is available and ready for you to either pick up or we can send it to you.

Call me anytime at ***-***-**** for more info.

Please email me back and let me know how to proceed.

Refund Dept.

The return email address is from a yahoo.com account, although the message originated from a server (or hijacked computer-turned-server) in Sudan.

I don't know for sure what kind of scam this is, but I suspect it's either identity theft (you have to supply all kinds of personal info to obtain your refund—not) or a telephone redirect that lands a hefty (and irreversible) charge on your next phone bill. My money's on the former.

The phone number is in the Reno, Nevada area, and I'll give a call to law enforcement there. I may sound defeatest, but I don't expect much help in tracking down what this is all about.

I want to shout from a global rooftop to warn all recipients about these kinds of messages. What looks to be manna from heaven will probably lead to identity-theft hell.

Posted on August 05, 2005 at 09:10 AM

August 02, 2005

Is Insurance Spam The New Mortgage Spam? Permalink

For years I've seen dribs and drabs of life insurance spam, but in the past week or so, the level directed this way has increased. The types of messages have a similar smell to those that offer mortgages. We all know that the mortgage spammers are not mortgage brokers or lenders, but, rather, lead generators. The lead generators, in turn, sell the leads to the brokers and lenders, who have been frequently documented (in legal filings) to pay tens of dollars per lead.

So, that "leads" me to wonder if this rash of life insurance spam is working on the same principle: obtaining leads for insurance brokers who don't want to know how the leads were obtained.

I now feel in the position of the character played by Robert DeNiro in "Meet the Parents" and sequel, where he plays a retired CIA agent who is keeping an eye on his future son-in-law (played by Ben Stiller). DeNiro does this gesture where he points to his own eyes and then points to Stiller, indicating "I'm watching you."

Posted on August 02, 2005 at 10:42 AM