
January 29, 2007

Inside a Mortgage Spammer's Template

I get a huge kick out of spammer engines that aren't programmed right and thus reveal some of the insider info. I suspect it's a case of a wannabe spammer who buys a spam kit, but doesn't know the first thing about computers. With dreams of dollar signs dancing in his head, he sends out a spew, only to let some of the dirty laundry go out with it.

Case in point is a spam message that arrived from a presumed botnet computer belonging to a Pennsylvania Comcast customer. The computer may belong to the customer, but it is pwned by at least one botmaster. But I digress.

The spam had the all-too-common mortgage spam Subject: line:

Subject: You are approved!

Longtime readers of this blog will know that mortgage spammers really rub me the wrong way. I routinely forward such messages (the entire source code listing) to the FTC's spam refrigerator (spam@uce.gov) in the hope that the messages will ultimately be used as evidence in prosecutions of these scumbags.

While I was in the process of fetching the source code listing, I noticed that the From: field had the following plain-language name associated with what otherwise looked like a plausible email address:

From: "%CUSTOM_FROMS"

Readers of Spam Wars will recognize the percent symbol as a possible indicator that the text is a placeholder where a mail merge type of operation is to occur. In this case, the spam spewing software running on the bot is supposed to insert a real-sounding name in the field—a name that would appear in the From listing in the recipient's email inbox. The boob who initiated this mailing, however, failed to fill out something or click a switch to make the program do what he intended. Thus, the placeholder remains in place.

But that's not all. The rest of the message shows exactly where the Mad Libs program is supposed to fill in the blanks for greeting, message, loan amount, monthly payment amount, and even a chunk of quoted text (probably from some public domain work) that is supposed to fool Bayesian spam filters.

Here's the complete body of the message as I received it (with the Taiwanese link disguised):

Dear %CUSTOM_HOMEOWNER,

%CUSTOM_7 %CUSTOM_8

You can receive %CUSTOM_3 for
%CUSTOM_4 per month.

Please respond %MTG_TODAY.
http://[removed].tw/guga


Dana Hancock
%CUSTOM_FROMS


%QUOTES

I'm amazed that this genius was able to get the bot to insert a URL. There's no way I'm going to visit the spamvertised site and possibly credit "guga" with a clickthrough. I did check the domain registration, however, and it seems that the domain was registered a couple of weeks ago.

So, the next time you receive a mortgage spam that looks like this, but with numbers in the right spaces, you can be sure the values were calculated with all the care and personal attention of a random number generator on a hijacked computer sitting in someone's den or teenager's bedroom.
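For anyone who filters mail, leftover merge tokens like the ones above make a cheap, high-confidence signal. The following is an added example, not part of the original post or of any spam kit: a heuristic Python check that flags unexpanded %TOKEN placeholders in the From display name, Subject and body. The function names, the regular expression and the sender address in the sample are assumptions; the sample message is constructed from the text quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Heuristic (an assumption, not a known kit format): '%' followed by an
# upper-case identifier of 3+ characters. Percent-encoded bytes such as
# %20 or %E2 are too short or start with a digit, so they do not match.
PLACEHOLDER = re.compile(r"%[A-Z][A-Z0-9_]{2,}\b")

def body_text(msg):
    """Concatenate every text/* part, decoding transfer encodings."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(data.decode(charset, "replace"))
    return "\n".join(parts)

def find_unfilled_placeholders(raw_message):
    """Return {location: [tokens]} for merge tokens left unexpanded."""
    msg = message_from_string(raw_message)
    display_name, _addr = parseaddr(msg.get("From", ""))
    fields = {
        "from_name": display_name,
        "subject": msg.get("Subject", ""),
        "body": body_text(msg),
    }
    return {loc: PLACEHOLDER.findall(text)
            for loc, text in fields.items() if PLACEHOLDER.search(text)}

# Constructed sample: headers and body as quoted in the post; the sender
# address is a placeholder because the post does not show it.
SAMPLE = """From: "%CUSTOM_FROMS" <sender@example.invalid>
Subject: You are approved!

Dear %CUSTOM_HOMEOWNER,

%CUSTOM_7 %CUSTOM_8

You can receive %CUSTOM_3 for
%CUSTOM_4 per month.

Please respond %MTG_TODAY.
http://[removed].tw/guga

Dana Hancock
%CUSTOM_FROMS

%QUOTES
"""

if __name__ == "__main__":
    for location, tokens in find_unfilled_placeholders(SAMPLE).items():
        print(location, tokens)
```

A message from a correctly configured engine sails past this check, so treat a hit as one scoring input alongside other filters, not as the filter itself.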

Posted on January 29, 2007 at 10:33 PM