March 03, 2007
The Deceptive Subject Line: Gateway to Your Psyche
A spammer has to overcome a number of hurdles these days to get his or her message read. The battle starts at your incoming email server, which (I hope) has spam filtering of some type, perhaps using blocklists and other techniques (Spam Wars describes how these things work). Next comes client-side filtering, such as Mailwasher for Outlook or filtering built into modern-day email programs.
Out of fear of quietly deleting potentially good email (ham), it's quite common for both server and client spam filters to quarantine suspicious email for review later. Spammers would rather have that occur than silent deletion because there is still a chance that the intended recipient will read the message.
Having survived far enough to get into a list of incoming email (suspicious or otherwise), the message now faces a major challenge: convincing the recipient (by trickery, if necessary) to view the message content. Using deceptive Subject: lines in spam grew to such a massive problem that the practice was explicitly cited as a no-no in the U.S. CAN-SPAM act—despite numerous holes in the law that essentially legalized unsolicited email.
(It's a natural fit for the U.S. Federal Trade Commission to be the enforcer of the CAN-SPAM act as written. The FTC has long seen itself as the guardian of consumers against deceptive advertising, and the law's focus on commercial email (a flaw, IMHO) simply extends otherwise outlawed activity to the specifics of email.)
The law seems to have had negligible impact on the practice of deceptive Subject: lines. Last summer I reported how a mortgage spammer was using brand-name credit record histories to trick recipients. And today I saw one of the most cynical deceptions in a long while. Imagine seeing the following item in your inbox:
Subject: why did you tell everybody i had aids?
The From: field in the inbox listing showed just a first name ("Delia"). An unsuspecting recipient could easily be horrified that someone is accusing him/her of spreading a vicious rumor. And if the recipient doesn't recognize the name (Delia isn't exactly a common name), the Subject: line calls out for clarification, denial—some action on the recipient's part.
Here, at last, is what is at the bottom of the accusation:
Brand new 2007 Replica models available - express worldwide shipping available!
Go here today: http://[removed].com
Beyond tricking the recipient into viewing the message, I'm not sure what the spammer's expectations are for this piece. Is the recipient supposed to be sooo happy that there is no accusation that he/she will visit the site and buy a Relox watch? Or (more likely) is the spammer also getting paid for click-throughs to the site so that if you do follow the link to satisfy the ire building as the result of the deception, you're still putting money in the spammer's pocket (the URL is also coded in a way that could confirm your email address—an extra cha-ching for the spammer)? I won't touch that URL with a ten-foot pole.
What about the FTC pursuing this deception? The spamvertised domain name lists an owner in Canada, but I have zero confidence in the accuracy of that information. More to the point, the site is hosted in China. The spam message originated from Taiwan (a block of IP addresses indicating the likelihood of having been sent by a zombie PC). Except for the fact that the message causes the most grief to a U.S. entity (me), I measure the chance of enforcement of this particular deception at about one degree above Absolute Zero.
My dream is that this mailing—to however many millions it was sent—results in zero hits to the spamvertised web site. The same for the next mailing, and the mailing after that. In time, the spammers would get the message that even with their substantial economic advantage in sending cheap advertisements to those who don't want them, recipients rule. Yeah, baby, Recipients Rule!
Posted on March 03, 2007 at 05:48 PM