Dispatches Archive


March 28, 2007

The Smell of Fresh Spammer in the Morning

I find it so odd that a small company trolling for business would take the time to harvest an email address manually from a Web site (the address is shown only in an image, not a searchable string of characters in the page), but not take an extra two seconds to recognize that the person belonging to that address is not a suitable potential customer.

The spam message that prompts this thought has the following body:

Is your book the next to appear on the big screen?

Check out www.[removed].com to see the trailer for our first film, [removed].

We are making another trip to Hollywood in April to present all new books to all new Producers and Directors! We will present your book in face to face meetings for just $650.

Call me today to get started!

The recipient email address of this message was stolen from my other web site's page about consulting services. My other site is where I support my computer programming books. If you're not into JavaScript, Dynamic HTML, or AppleScript, there isn't much there to interest you.

I therefore find it bizarre that the "Author Consultant" who sent this spam would think I'd be a candidate for her service. The world is not—repeat, not—waiting breathlessly for the movie version of Dynamic HTML: The Definitive Reference, 3rd Edition. While my JavaScript Bible is epic in page count, it would be a tough pitch to a Hollywood producer.

The spam message was sent pretty much in compliance with the U.S. CAN-SPAM law, which allowed me to track down the sending computer. It's in an IP block run by an outfit that has a zero-tolerance view of using the service for unsolicited email. I reported the message as a possible violation of the Acceptable Use Policy.

Perhaps the spammer can pitch this little story to a producer of short films. The film would be rated G, but it may have a very sad ending.

Posted on March 28, 2007 at 03:04 PM

March 26, 2007

Wall Street Journal Columnist Has it Wrong

Walt Mossberg has been The Wall Street Journal technology columnist for a long time now. Back in the day when I used to attend lots of high-end computer/technology conferences, our paths crossed regularly. I like Walt. He's a smart guy.

But I take strong issue with a spam-fighting recommendation he makes in the March 22, 2007 installment of his "Mossberg's Mailbox." A reader inquires about the best antispam system out there because filters haven't been doing the job. Walt rightly states that antispam filtering has a "tough time coping" with spammers' rapidly changing tactics.

Where Walt goes astray, however, is in recommending challenge-response (C-R) as the way to thwart spam. I talk about C-R in Spam Wars, and I sent Walt a copy of the book when it came out. He probably didn't read it (so much for our Mutual Admiration Society, I guess).

While it's true that C-R keeps unsolicited email from non-white-listed senders out of your inbox, there are too many problems with it to recommend it as a solution. I'll focus here on two deal breakers.

  • Number One. If a human sender not on your whitelist tries to send you an email message, he or she receives a message in return asking the sender to perform one more step (clicking an encoded link, solving a puzzle or CAPTCHA cipher, etc.) to get the message through the blockade. But if you sign up for a newsletter, place an e-commerce order with a new-to-you web site, or perform any other action that will generate email messages headed your way, those messages are typically not sent by humans. They're computer-generated messages that won't receive the challenge, nor have any brains to solve the puzzle. The confirmation for your airline ticket or e-commerce order won't arrive—nor will order changes, shipping confirmations, flight schedule change notifications, or any other potentially vital missive. It is extremely rare for a site that sends automated confirmation email to advise its customers ahead of time about the sender's address of such email (so that the customer can whitelist the address before messages are sent).
  • Number Two. A C-R message is known in the anti-spam field as backscatter. Backscatter is sent to whatever address the receiving server believes is the From: address of the message (which may not always be in the From: field of the header—but that's a longer story for another time). As you have probably witnessed in your own inbox, a lot of spam and most virus-type email messages have forged From: addresses. Very often the forged addresses are valid addresses (harvested from the millions of infected PCs around the world). Let's say that the forged From: address happens to be what is known as a spam trap address—email addresses intentionally set up to be harvested from web pages, as proof that whoever sends email to that address is an illegal (in the U.S.) spammer. Any email received at that address is reported as spam, and the IP address of the sender is added to the world's blocklists (a.k.a. blacklists) used by all major anti-spam services. If your C-R system receives a message with a spam trap address in the From: field, your C-R system sends its challenge to the spam trap address, very likely landing your email server's IP address on a blocklist. The result is that an incoming email server using a service that relies on the blocklist (and blocklists are a major source of spam rejection data) will block email messages that you, personally, send. You will be labeled a spammer (and perhaps reported to your ISP as such) until your IP address falls off the blocklist (when your backscatter to the spam trap address stops for a few days). Moreover, if someone really wants to punk you, they could send many email messages to you, forge the From: address to read the address of any well-known antispammer, and your email may be hosed for a while.

In the end, while C-R does keep most spam out of your inbox, it is far too dangerous: it keeps critical ham from reaching you while also exposing you to being blocked. Don't go there, Walt.
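The two deal breakers above can be made concrete with a toy model of a C-R gate. The following is an added example, not code from the original post: it contrasts a naive gate (challenge everything not whitelisted) with a hardened one that refuses to challenge automated mail (null envelope sender, Auto-Submitted or Precedence headers, no-reply mailboxes) or mail whose sender SPF has already shown to be forged. Every address, header and message is constructed for the demo, and the SPF verdict is assumed to be supplied by the receiving MTA.

```javascript
// Added example (not from the original post): a toy challenge-response (C-R)
// mail gate that reproduces the two deal breakers above and shows the
// suppression rules a careful deployment needs. Every address, header and
// message here is constructed for the demo.

// Constructed stand-in for a spam-trap address.
const SPAM_TRAP = "trap@trap-operator.invalid";

// One message as the gate sees it. envelopeFrom is the SMTP MAIL FROM (an
// empty string for bounces and many auto-replies); from is the header From:.
// Header names are lower-cased so lookups are case-insensitive.
function makeMessage({ envelopeFrom, from, subject, headers = {} }) {
  const lowered = {};
  for (const [name, value] of Object.entries(headers)) {
    lowered[name.toLowerCase()] = value;
  }
  return { envelopeFrom, from, subject, headers: lowered };
}

// Naive C-R policy, the behaviour the post warns about: anything not on the
// whitelist is held and a challenge goes back to whatever From: says.
function naiveGate(msg, whitelist) {
  if (whitelist.has(msg.from)) return { action: "deliver", challengeTo: null };
  return { action: "hold", challengeTo: msg.from };
}

// Hardened policy: same idea, but no challenge is generated when the message
// (a) has a null envelope sender, (b) declares itself automatic
// (Auto-Submitted, RFC 3834) or bulk (Precedence), (c) failed SPF upstream
// (spfResult is assumed to come from the receiving MTA), or (d) comes from an
// obvious no-reply mailbox. Those land in a review queue instead, so the gate
// neither challenges a robot that cannot answer nor replies to an address SPF
// has already shown to be forged.
function hardenedGate(msg, whitelist, spfResult = "none") {
  if (whitelist.has(msg.from)) return { action: "deliver", challengeTo: null };
  const autoSubmitted = (msg.headers["auto-submitted"] || "no").toLowerCase() !== "no";
  const bulk = /^(bulk|list|junk)$/i.test(msg.headers["precedence"] || "");
  const localPart = msg.from.split("@")[0];
  const noReply = /(no-?reply|do-?not-?reply|mailer-daemon)/i.test(localPart);
  if (msg.envelopeFrom === "" || autoSubmitted || bulk || spfResult === "fail" || noReply) {
    return { action: "review", challengeTo: null };
  }
  return { action: "hold", challengeTo: msg.from };
}

// Deal breaker one: an automated order confirmation from a shop you just used.
// Deal breaker two: spam whose From: is forged to a spam-trap address.
function runScenarios() {
  const whitelist = new Set(["friend@example.com"]);
  const confirmation = makeMessage({
    envelopeFrom: "bounces@shop.example.net",
    from: "orders-noreply@shop.example.net",
    subject: "Your order 12345 has shipped",
    headers: { "Auto-Submitted": "auto-generated" },
  });
  const forged = makeMessage({
    envelopeFrom: SPAM_TRAP,
    from: SPAM_TRAP,
    subject: "cheap replica watches",
  });
  return {
    naiveConfirmation: naiveGate(confirmation, whitelist),      // challenges a robot
    naiveForged: naiveGate(forged, whitelist),                  // backscatter to the trap
    hardenedConfirmation: hardenedGate(confirmation, whitelist),
    hardenedForged: hardenedGate(forged, whitelist, "fail"),
    // Residual risk: with no SPF verdict the forged sender still gets a challenge.
    hardenedForgedNoSpf: hardenedGate(forged, whitelist, "none"),
  };
}
```

The suppression rules shrink the backscatter surface but do not remove it: a forged From: in a domain that publishes no SPF record yields no verdict, and the hardened gate still challenges it, which is exactly why the conclusion above stands.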

Posted on March 26, 2007 at 05:40 PM

March 25, 2007

My Private Battle with Blog Spammers

As regular visitors here know, I don't have comments open on this blog. The primary reason is that blogs are readily compromised by blog spammers who litter blogs with links to their sites selling (or linking further to sites that sell) medz, ringtones, insurance, sex,...well, you know the stuff.

There are ways to keep this junk out, but they can entail requiring visitor registration or constant moderation of comments. I don't like the burden of the first solution on visitors, and I don't like the burden of the second solution on me. I could also install a CAPTCHA system, but I've personally grown weary of deciphering the squiggly letters and numbers at sites that use them.

The reason this issue even arises is that the Contact page of this site uses a well-known service provided by the site's hosting company. Any message you submit in that form arrives in one of my email addresses dedicated to that purpose. The system was very easy to set up, and works well.

The problem, however, is that robotic web crawlers can find the submission URL in the form (it identifies the well-known server program right in the URL). Blog spammers can locate the submission URL and then start sending their messages to the URL without even visiting the Contact page. The spammers don't know that the comments they submit to this site don't get automatically posted because they don't monitor the results of their spamming. All that happens is that my inbox fills up with alleged comments/questions that turn out to be nothing but spam.

Blog spammers try to make it sound as though the comment was submitted by a visitor to the site. Most messages stroke the egos of the blogger and other commenters, starting the message with the likes of the following (taken from actual blog spam, with original spelling):

  • This site is very nise and helpfull! Visit my sites, please:
  • Yo! Cool stuff! Thanks for being here. Please visit my site too:
  • Amazing artwork! This is spectacularly done! Would you please also visit my site?
  • Very well! Your site is neat! Please visit my site too:
  • You have a great page! Please visit my homepage:
  • I liked this site, it's neat. Good job! Please visit my site too:
  • I really enjoyed this page. I will be linking and I will be trying to read and research all that there is to offer from this site! Would you please also visit my homepage?
  • One of the best locations I've come across lately!!! Definately a permanent bookmark! Please also visit my site:
  • Hi people! Great job! Would you please also visit my site?
  • First time here on your site. I am delighted to find your wonderful website online. Please visit my homepage:
  • Nice webpage, lovely, cool design.
  • Nice page greetings to all in this guestbook! Please visit my site too:
  • Fascinating site and well worth the visit. I will be back
  • Excellent site, added to favorites!

The above list came from just two days of blog spam attempts. I know many of these "senders" never visited the site because I have blocked access to spamwars.com from their IP addresses—making it kinda hard to "enjoy the page" or make it a "permanent bookmark." I used to have an advisory on the page that blog spammers were wasting their time because there was no automatic posting of submissions. It turned out that my advisory was a waste of bytes and pixels.
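The openers quoted above are formulaic enough to score mechanically. What follows is an added example, not code from the original post: a small rule-based scorer that could sit in front of the inbox, weighting the "please visit my site" request, content-free praise, bookmark boilerplate, and the number of links in the body. The sample submissions are constructed for the demo (the spam ones echo the list above, with the link tails such messages carry).

```javascript
// Added example (not from the original post): a rule-based scorer for
// contact-form submissions that flags the "flattery, then please visit my
// site" pattern quoted above. Sample submissions are constructed for the demo.

const RULES = [
  // The giveaway: a request to visit the submitter's own site or homepage.
  { name: "visit-my-site", weight: 3,
    re: /\b(visit|check\s+out|see)\s+my\s+(site|sites|home\s?page|page|web\s?site)\b/i },
  // Content-free praise that could be pasted onto any page.
  { name: "generic-praise", weight: 1,
    re: /\b(nice|cool|great|amazing|excellent|neat|wonderful)\s+(site|page|stuff|job|web\s?page|web\s?site|design|artwork)\b/i },
  // "Bookmark" / "favorites" boilerplate.
  { name: "bookmark", weight: 1, re: /\b(bookmark|added\s+to\s+favou?rites)\b/i },
];

// Every link in the body counts separately; spam almost always carries several.
const LINK_RE = /\b(https?:\/\/|www\.)\S+/gi;
const LINK_WEIGHT = 2;

// Returns { score, hits } for one submission body.
function scoreComment(text) {
  const hits = [];
  let score = 0;
  for (const rule of RULES) {
    if (rule.re.test(text)) { hits.push(rule.name); score += rule.weight; }
  }
  const links = (text.match(LINK_RE) || []).length;
  if (links > 0) { hits.push(`links:${links}`); score += links * LINK_WEIGHT; }
  return { score, hits };
}

// A submission at or above the threshold is dropped before it reaches the inbox.
function isBlogSpam(text, threshold = 3) {
  return scoreComment(text).score >= threshold;
}

// Constructed sample batch: four spam openers in the style quoted above (with
// the link tails spammers append) and two genuine comments.
const SAMPLE_SUBMISSIONS = [
  "This site is very nise and helpfull! Visit my sites, please: http://ringtones.example/ http://medz.example/",
  "Amazing artwork! This is spectacularly done! Would you please also visit my site? http://insurance.example/",
  "One of the best locations I've come across lately!!! Definately a permanent bookmark! Please also visit my site: www.replica.example",
  "Nice webpage, lovely, cool design. http://pills.example/a http://pills.example/b",
  "Your backscatter point matches what we saw: our server landed on a blocklist after challenges went to a trap address.",
  "Is the Contact page form still working with JavaScript disabled? It seems to do nothing for me.",
];

// Classify a batch; returns one boolean per submission, in order.
function classifyBatch(submissions = SAMPLE_SUBMISSIONS) {
  return submissions.map((s) => isBlogSpam(s));
}
```

Note what the scorer cannot do: a praise-only line such as "Fascinating site and well worth the visit. I will be back" scores nothing on its own and is caught only by the links attached to it. Content rules like these cut the noise; they do not stop the submissions from arriving, which is what the approach described next addresses.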

Thankfully, I know that blog spammers are just as lazy as I am. In other words, if I remove all vestiges of the contact URL from the Contact page, they (or, rather, their crawling computers) won't know to look deeper to see if some kind of obfuscation is going on. That led me to implement a solution that relies on browser JavaScript to embed the URL into the page for actual visitors. It's not even very sophisticated JavaScript—a scripting newbie could figure it out without any trouble.

But I'm happy to report that my inbox has been completely clear of blog spam attempts for the past week. I'm not happy that JavaScript must be enabled for someone to submit a comment, but there are plenty of other ways for anyone to reach me (via the dannyg.com site).
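The approach described above, as an added example that is not the site's own script: the form is served with no action attribute, and a few lines of JavaScript assemble the handler URL from fragments and install it once the page has loaded. The host and path are placeholders; the handler's program name is split across two fragments because, as noted above, that name is what identifies the well-known service to a crawler.

```javascript
// Added example (not the site's own script): a contact form whose submission
// URL is assembled by JavaScript when the page loads, so the form handler's
// URL never appears as one literal string in the HTML a crawler fetches.
// The host and path are placeholders, not the real service.

// Constructed placeholder fragments; a crawler sees these, not a URL.
const URL_PIECES = ["https://", "forms.", "example-host.invalid", "/cgi-bin/", "form", "mail"];

// Reassemble the submission URL from its fragments.
function assembleContactUrl(pieces = URL_PIECES) {
  return pieces.join("");
}

// Point the form at the real handler. `doc` is anything that offers
// getElementById(), so the function can be exercised outside a browser.
// Returns the installed URL, or null when the form is not on the page.
function installFormAction(doc, formId = "contact-form") {
  const form = doc.getElementById(formId);
  if (!form) return null;
  const url = assembleContactUrl();
  form.setAttribute("action", url);
  form.setAttribute("method", "post");
  return url;
}

// In the real page the markup carries <form id="contact-form"> with no action
// attribute at all, plus a <noscript> note that JavaScript is required.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => installFormAction(document));
}
```

This only defeats crawlers that do not execute scripts, which is the bet the post makes explicitly: the handler itself stays reachable by anyone who evaluates the script and posts to the assembled URL directly, so the measure is a cost-raiser, not a control.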

While I'm ranting on the subject of blog spam, let me also rag on Blogger for being indirectly responsible for blog spam and doing seemingly little or nothing to fight it. Easily 60% of the blog spam aimed my way links to pages at blogspot.com. The blogspot.com pages often contain nothing more than even more links to sites that sell the spammed crap. The purpose of all of this is to help the spammers increase the likelihood of their URLs being picked up by search engine crawlers and rising in the rankings. Search engine optimizers will tell you that having lots of pages point to yours is a good way to bump up your rankings. The blog spammers' dearest wish is that someone searching for "ringtones" or "viagra" on Google or the like will find one of their links in the first page of results.

Blogger (owned by Google) is one of those gigantic sites that makes it extremely difficult for a human to get in contact with another human at the company to do things like file complaints. After some research months ago, I reported some of these blogspot.com pages to Blogger as examples of abuse. No response, and no action on the offending pages. Unfortunately, their Terms of Service document doesn't explicitly indicate that blog spamming with links to Blogger pages is taboo. I even posted a public query to the Blogger help forum, asking for an official response to the issue. No response after two weeks.

Okay, I think I've gotten the blog spam issue out of my system. But it's a problem that obviously isn't going away around the blogosphere. To protect themselves, bloggers who open their sites to active comments have to battle this junk constantly. And that's not counting the sites that are no longer actively monitored by their owners but are littered with hundreds of blog spam comments. All of them junking up search engine rankings.

If only we could harness for good all of the intellectual energy that is expended in the name of gaming the Internet systems.

Posted on March 25, 2007 at 02:46 PM

March 20, 2007

How Botnets Spread

Imagine receiving what seems to be an innocent email or instant message like the following:

From: Anton <Lorna@[removed].net>
Subject: look into future


just look at this :)



Plain text, no fancy HTML tricks. Just a friendly lure and a simple URL (if you were Korean, you'd readily recognize the domain as a popular web hosting site). It might be a joke, or something cute, or funny.


If you were an Internet Explorer user on Windows, clicking that URL would be the last action you performed on your PC while it was still under your total control.

That potentially friendly, cute, funny web page ends up displaying nothing but a "404 Not Found" message. But it's no error message. Instead, it is the only visible text on a page that has already run two invisible scripts. The first script (in JavaScript) assembled the page that displays the 404 message. Also on that assembled page is yet another script (in VBScript) that attempted to load a Trojan into your computer—one that allows remote control of your computer for things like spamming, further Trojan propagation, logging your password keystrokes to financial institution web sites, grabbing all email addresses stored on your computer, attacks on other computers...the list goes on and on.

By doing all of the Trojan loading via VBScript, the malware propagator is self-selecting users of Internet Explorer in Windows. Other browsers and operating systems do not execute VBScript in web pages. But that's not to say that a future attempt will exploit an unpatched security hole in any other browser or OS.
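The page just described leaves three tells that a link checker or proxy could look for before a user ever sees it: a "404 Not Found" body delivered with HTTP status 200, a script that writes further script elements into the page, and a VBScript block that only Internet Explorer on Windows will run. The following is an added example, not code from the original post, scoring those indicators over constructed sample responses; the VBScript body in the sample is a harmless placeholder.

```javascript
// Added example (not from the original post): a small indicator scanner that
// a proxy or link-checking service could run over a fetched page, looking for
// the tells described above. Sample responses are constructed; the VBScript
// body is a harmless placeholder.

const INDICATORS = [
  // A genuinely missing page comes back with status 404, not 200.
  { name: "fake-404", weight: 2,
    test: (r) => r.status === 200 && /404\s+not\s+found/i.test(r.body) },
  // document.write() whose string argument injects another <script> element.
  { name: "script-writes-script", weight: 2,
    test: (r) => /document\.write\s*\(\s*["'][^"']*<\\?\/?script\b/i.test(r.body) },
  // VBScript is only ever run by IE on Windows: a self-selecting payload carrier.
  { name: "vbscript", weight: 3,
    test: (r) => /<script[^>]*(language|type)\s*=\s*["']?(text\/)?vbscript/i.test(r.body) },
];

// Returns { score, hits } for one fetched response ({ url, status, body }).
function scanResponse(response) {
  const hits = [];
  let score = 0;
  for (const ind of INDICATORS) {
    if (ind.test(response)) { hits.push(ind.name); score += ind.weight; }
  }
  return { score, hits };
}

// Flag a page when the combined indicator weight reaches the threshold.
function isSuspicious(response, threshold = 4) {
  return scanResponse(response).score >= threshold;
}

// Constructed samples: a decoy page in the shape the post describes, a genuine
// 404, and an ordinary page that legitimately uses document.write().
const SAMPLE_RESPONSES = [
  {
    url: "http://free-host.example/user1/look",
    status: 200,
    body: `<html><body><script>document.write("<h1>404 Not Found</h1>` +
          `<script language='VBScript'>' constructed placeholder, no payload\nMsgBox \\"demo\\"<\\/script>");` +
          `</script></body></html>`,
  },
  { url: "http://free-host.example/user1/missing", status: 404, body: "<h1>404 Not Found</h1>" },
  {
    url: "http://blog.example/post",
    status: 200,
    body: "<html><body><p>Hello</p><script>document.write(new Date().getFullYear());</script></body></html>",
  },
];

// Scan a batch; returns one boolean per response, in order.
function scanBatch(responses = SAMPLE_RESPONSES) {
  return responses.map((r) => isSuspicious(r));
}
```

The weights are deliberately skewed so that a VBScript block alone does not reach the threshold (old intranet pages still carry them), while VBScript on a fake 404 does; the "script writes script" rule only looks inside a string literal argument so that ordinary document.write() calls, as in the third sample, are not flagged.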

It is the simple email messages like this one that make it imperative to train the world's email users to be suspicious of literally every email and instant message arriving at their machines. Spam filters have a hard time identifying such messages as spam. Malware distribution sites like these can be set up in seconds on free hosting services around the world—making it difficult for every bad URL to be captured by services that attempt to pre-warn users about potentially bad pages.

How long will ISPs and corporate email server administrators (and their management) continue to ignore the "last mile" of defense—the user?

Posted on March 20, 2007 at 12:05 PM

March 07, 2007

A New Low in Phisher Stupidity

I'll let the message speak for itzelf:

Crazy phishing message

UPDATE (8 March 2007 0820PST): This guy is something else. The URL in the first message had already been taken down by the time I saw it. Later in the day, he found a new server to hijack. He had fixed one of the misspellings, but was still calling everything a "Security Tranzaction." Overnight (here in PST-land), he sent out some more, with a different Subject: line, linking to the second URL. Also sometime overnight, the second URL was taken offline. And just now, I got another message identical to the one in the picture above, pointing to the now defunct second URL. These bot-net mailings have to be costing this guy something, so I'm hoping the old adage, "crime doesn't pay," holds up.

Posted on March 07, 2007 at 09:17 AM

March 03, 2007

The Deceptive Subject Line: Gateway to Your Psyche

A spammer has to overcome a number of hurdles these days to get his or her message read. The battle starts at your incoming email server, which (I hope) has spam filtering of some type, perhaps using blocklists and other techniques (Spam Wars describes how these things work). Next comes client-side filtering, such as Mailwasher for Outlook or filtering built into modern-day email programs.

Out of fear of quietly deleting potentially good email (ham), it's quite common for both server and client spam filters to quarantine suspicious email for review later. Spammers would rather have that occur than silent deletion because there is still a chance that the intended recipient will read the message.

Having survived far enough to get into a list of incoming email (suspicious or otherwise), the message now faces a major challenge: convincing the recipient (by trickery, if necessary) to view the message content. Using deceptive Subject: lines in spam grew into such a massive problem that the practice was explicitly cited as a no-no in the U.S. CAN-SPAM act—despite numerous holes in the law that essentially legalized unsolicited email.

(It's a natural fit for the U.S. Federal Trade Commission to be the enforcer of the CAN-SPAM act as written. The FTC has long seen itself as the guardian of consumers against deceptive advertising, and the law's focus on commercial email (a flaw, IMHO) simply extends otherwise outlawed activity to the specifics of email.)

The law seems to have had negligible impact on the practice of deceptive Subject: lines. Last summer I reported how a mortgage spammer was using brand-name credit record histories to trick recipients. And today I saw one of the most cynical deceptions in a long while. Imagine seeing the following item in your inbox:

Subject: why did you tell everybody i had aids?

The From: field in the inbox listing showed just a first name ("Delia"). An unsuspecting recipient could easily be horrified that someone is accusing him/her of spreading a vicious rumor. And if the recipient doesn't recognize the name (Delia isn't exactly a common name), the Subject: line calls out for clarification, denial—some action on the recipient's part.


Here, at last, is what is at the bottom of the accusation:


Exquisite Replica

Brand new 2007 Replica models available - express worldwide shipping available!

Go here today: http://[removed].com


Beyond tricking the recipient into viewing the message, I'm not sure what the spammer's expectations are for this piece. Is the recipient supposed to be sooo happy that there is no accusation that he/she will visit the site and buy a Relox watch? Or (more likely) is the spammer also getting paid for click-throughs to the site so that if you do follow the link to satisfy the ire building as the result of the deception, you're still putting money in the spammer's pocket (the URL is also coded in a way that could confirm your email address—an extra cha-ching for the spammer)? I won't touch that URL with a ten foot pole.

What about the FTC pursuing this deception? The spamvertised domain name lists an owner in Canada, but I have zero confidence in the accuracy of that information. More to the point, the site is hosted in China. The spam message originated from Taiwan (a block of IP addresses indicating the likelihood of having been sent by a zombie PC). Except for the fact that the message causes the most grief to a U.S. entity (me), I measure the chance of enforcement of this particular deception at about one degree above Absolute Zero.

My dream is that this mailing—to however many millions it was sent—results in zero hits to the spamvertised web site. The same for the next mailing, and the mailing after that. In time, the spammers would get the message that even with their substantial economic advantage in sending cheap advertisements to those who don't want them, recipients rule. Yeah, baby, Recipients Rule!

Posted on March 03, 2007 at 05:48 PM