Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« April 2006 | Main | June 2006 »

May 24, 2006

(More Than) Seven "Dirty" Email Words Permalink

In the early 1970s, comedian George Carlin codified for all-time the "Seven Words You Can Never Say on Television" in one of his routines. Times have changed, of course, to the point where one of those words was repeated an intentionally numbing number of times on the South Park episode titled "It Hits the Fan."

Thanks to spammers trying to wheedle their way into our inboxes and hearts, they have overused a large number of everyday words whose usage in a harmless email message might land that message in the recipient's spam crapper. Or at least the message might gain some points on its spam score if it goes through content-based spam filtering. This, according to a Direct Magazine article.

What are those magic words? Here's a sampler, according to Email Reaction:

acceptance, accordingly, beneficiary, beverage, certified, dainty, deceased, degrees, deposit, depression, diagnostics, dollars, dormant, enlarge, foreigner, lenders, loan, lottery, maintained, medication, medium, Netherlands, Nigeria, organization, paste, percent, perpetual, presently, reciprocal, replicas, reseller, sincerely, somebody, southwestern, statements, Swiss, tablets, trademarks, transaction, urgent, valuables, verify, warehouse, watches

Makes ya just want to exit your email program, and pick up the phone.

Posted on May 24, 2006 at 11:46 AM

May 22, 2006

New eBay Spoof Trick Permalink

If I hadn't seen it myself, I wouldn't have believed it.

I was perusing one of the eBay categories I check daily. At the top of the regular listings (meaning it was freshly added) was an item that was clearly out of the category. According to the time remaining, the listing had been there for almost one hour.

When I clicked the link to open the auction detail page in a new window, the new window opened not to the item detailed listing, but to an eBay login screen. I thought this odd, and then glanced at the browser's Address bar. I had been redirected to a phishing site hosted in Utah—directly from a link in a real eBay category listing page!

I'm really, really glad I use a Macintosh, because visiting that bogus page with a PC might have put my computer at risk for malware installation without my permission. I could have handed my machine over to a botnet. The source code I received didn't have any malware loaders in it, but a sensible crook would limit sending such loaders to browsers identifying themselves as Internet Explorer on Windows.

How did that redirection happen? I couldn't go back to check because within the minute or so that transpired, eBay had managed to pull the listing. Clicking the link led to an "invalid auction" page.

I can only assume that the eBay "seller" had managed to include either a meta-refresh tag (if eBay's system allows that, which I doubt) or perhaps managed to get some JavaScript into the listing details that automatically redirects visitors to the phishing page.

Chances are that the "seller" had used an account that had been previously phished to add the listings to who-knows-how-many eBay category listings. Alas, I imagine that their phishing haul for the hour or so these listings were alive was pretty good because unlike phishing email messages, this trick reached right into active eBay users who probably thought nothing of entering their usernames and passwords into the lookalike screen. Submissions went to a remailing service hosted in the Czech Republic (and eventually to whoever has access to account ID 42277, wherever he may be).

I hope eBay figures out the technique that this crook used to put the redirector into the listing and filters out those attempts in the future. If we can't even trust links at otherwise trusted Web sites, where does that leave us? Up a creek without an auction paddle.

Posted on May 22, 2006 at 11:37 PM
Captcha Gotcha Permalink

In Spam Wars I describe the background behind the Completely Automated Public Turing Test to Tell Computers and Humans Apart—CAPTCHA. These are the visual puzzles you sometimes get at Web sites where you either sign up for stuff or are requesting information that computerized robots would love to snarf. The purpose of the CAPTCHA is to make sure that a human, not an automated process, is actually filling out the form.

I've seen a lot of these, and sometimes I never know if I'm reading them correctly. The visual noise used to disguise the letters (to prevent optical character readers from trying to figure them out) is sometimes so intense, and sometimes the letters are so distorted, that I'll simply make a best guess at what I'm seeing.

That tactic failed the other day as I was entering an order at an online store. During the account creation phase, the site presented the following CAPTCHA challenge and I took a stab at what it read:

CAPTCHA screen shot

I believe my mistake was the "q," which may be a "g," even though the bottom of the letter is cut off. A tiny bit of the descender may be coming up from the bottom of the image. I'll never know, because like any good CAPTCHA usage, this site doesn't give you a second chance with the same image (I used the browser's Back button to get me to the page so I could grab the screenshot).

Now, I have pretty good (corrected) eyesight, and I like a good puzzle, which makes me wonder how those who have poorer eyesight and are puzzle-challenged fare with the increasingly noisy CAPTCHA challenges.

On the other hand, the site should have immediately known from my mistake that I was not a computer, for, as has been said: "To err is human."

Posted on May 22, 2006 at 08:12 AM

May 20, 2006

Infuriating [Nearly] Empty Korean Spam Permalink

The last few days, I've been pummeled by inane messages originating from South Korea. Except for the IP of the sending machine, they're all the same:

Received: from 128.121.100.64 ([211.215.229.186]) by dannyg.com (8.12.11.20060308) id k4KEVVOI056048 for <[redacted]@dannyg.com>; Sat, 20 May 2006 08:31:31 -0600 (MDT)
Received: from (HELO snz) [56.85.171.193] by 128.121.100.64 id 5oU5HG53z7u5; Sat, 20 May 2006 17:26:41 +0300
Message-ID: <w$-10-14m$a-52496@d7c963>
From: "ahjlj" <asjkj@co.kr>
Reply-To: "ahjlj" <asjkj@co.kr>
To: [redacted]@dannyg.com
Date: Sat, 20 May 2006 17:26:41 +0300
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="54C31DD8B_3"
X-Priority: 3
X-UIDL: \8@"!!$`!!N

--54C31DD8B_3
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

.

--54C31DD8B_3--

If I were to view this in my email reader, it's message body would be a single period. Period.

The IP addresses of the source machines spewing this nonsense are all in blocks managed by Hanaro Telecom from Seoul, South Korea. They are also in blocks listed in several blocklists because they are believed to be residential addresses handed out to dial-up or broadband (DSL or cable) users.

What are these messages, you may ask? My guess is that they are either test messages to see if compromised PCs are ready to relay spam or they are supposed to contain spam messages but have been misprogrammed.

This kind of activity is what leads many an email administrator in non-Asian countries to block all incoming email for countries such as South Korea and China.

[As a side note, this is my 200th posting to the Spam Wars Dispatches blog. Thanks very much for reading.]

Posted on May 20, 2006 at 08:20 AM