Dispatches Archive


April 24, 2009

File Under "Haw, haw"

Two ridiculous Subject: lines passed my eyes this morning. Not that craziness in this header field is anything new, but one has to wonder about the numskulls who dream this stuff up.

First on the docket is one trying to be topical:

Subject: Obama has given us over $1BILLION to distribute affordable prescription drugs!

This from a run-of-the-mill medz spammer pitching no-prescription-needed hard stuff. Sadly, I think this line will actually get a pretty good click-through rate as taxpayers track down the latest purported bailout. Heck, it may even show up on Fox News at the center of an investigation of how the Obama administration is pushing federally funded illegal drugs.

And then comes this gem:

From: OPERA Fan
Subject: As Seen On OPERA! the Only Genuine Pharmacy Online

Time for some English diction lessons: "Oh, oh, oh. Prah, prah, prah." Unless: A) Tristan is playing the role of Isolde's Vicodin mule; or B) You can't view the medz web site on Internet Explorer, Firefox, or Safari.

Posted on April 24, 2009 at 09:56 AM

April 21, 2009

The Inefficiencies of Botnet Spammers

If you've been watching my daily spam stats recently, you must have noticed a sizable uptick in the number of items I classify under "Dictionary Attacks." Into this category goes every incoming message that gets immediately rejected as "User unknown" because there is no account set up for the addressee's name. In the past two days alone, my poor server has turned back more than 51,000 such attempts.

Diving into the logs, I see that the patterns are typical of what I've reported in the past (gateway article here): small bursts from a widely distributed range of IP addresses around the world.

One To: address at random caught my eye, so I was curious how often the bots tried to spam it. Yesterday it was 82; today it was 70 (four of which had the address also in the envelope "from" field). I then set my scope wider, searching a couple years' worth of logs for the same address.

There were nearly 4800 hits dating back to April 2007.

So much for the notion that there might be a feedback loop of some kind that reports back to controllers when addresses bounce or are accepted. For at least the past two years, my server has consistently rejected attempts to send email to that address. I don't think it's a case of optimism on the list owner's part ("Someday dannyg.com will open an account under that name, and we're ready to spam the crap out of it." — like the optimistic child who, upon opening a birthday present box filled with manure, is convinced there is a pony outside). It must be the case that they just don't care.
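
The kind of log search described above, as an added example that is not from the original post: it tallies "User unknown" rejections per recipient address, counts distinct sending IPs and self-addressed envelope senders, and records how long each dead address has been retried. The Postfix-style reject line with an ISO timestamp, and every address and IP in the sample, are assumptions constructed for illustration; the post does not name its mail server.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample lines in a Postfix-style reject format (an assumption).
# Addresses and IPs are reserved documentation values.
SAMPLE_LOG = """\
2007-04-03T02:11:09 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <ghost@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<ghost@example.com> proto=SMTP helo=<pc1>
2009-04-20T11:40:52 mx postfix/smtpd[902]: NOQUEUE: reject: RCPT from unknown[203.0.113.40]: 550 5.1.1 <ghost@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ghost@example.com> to=<Ghost@example.com> proto=SMTP helo=<pc2>
2009-04-21T06:02:31 mx postfix/smtpd[903]: NOQUEUE: reject: RCPT from unknown[192.0.2.15]: 550 5.1.1 <ghost@example.com>: Recipient address rejected: User unknown in local recipient table; from=<b@example.org> to=<ghost@example.com> proto=SMTP helo=<pc3>
2009-04-21T06:05:10 mx postfix/smtpd[903]: NOQUEUE: reject: RCPT from unknown[203.0.113.40]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<c@example.net> to=<nobody@example.com> proto=SMTP helo=<pc2>
2009-04-21T06:09:44 mx postfix/smtpd[904]: NOQUEUE: reject: RCPT from unknown[192.0.2.99]: 554 5.7.1 <x@elsewhere.example>: Relay access denied; from=<d@example.net> to=<x@elsewhere.example> proto=SMTP helo=<pc5>
2009-04-21T07:03:00 mx postfix/smtpd[905]: 4F2A1: client=unknown[192.0.2.50]
"""

# Match only 550 "User unknown" rejections; capture date, client IP,
# envelope sender and recipient.
REJECT = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ .*?RCPT from \S*\[(?P<ip>[^\]]+)\]: 550 .*?"
    r"User unknown.*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>"
)

def tally_unknown_rcpts(log_text):
    """Return a per-recipient summary of 'User unknown' rejections."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "self_from": 0,
                                 "first": None, "last": None})
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue  # accepted mail, or rejected for a different reason
        rcpt = m["rcpt"].lower()  # mailbox case varies between attempts
        day = date.fromisoformat(m["day"])
        s = stats[rcpt]
        s["hits"] += 1
        s["ips"].add(m["ip"])
        if m["sender"].lower() == rcpt:
            s["self_from"] += 1  # address forged into the envelope "from"
        s["first"] = day if s["first"] is None else min(s["first"], day)
        s["last"] = day if s["last"] is None else max(s["last"], day)
    return dict(stats)

if __name__ == "__main__":
    rows = sorted(tally_unknown_rcpts(SAMPLE_LOG).items(),
                  key=lambda kv: -kv[1]["hits"])
    for rcpt, s in rows:
        span = (s["last"] - s["first"]).days
        print(f"{rcpt}: {s['hits']} rejects, {len(s['ips'])} IPs, "
              f"{s['self_from']} self-addressed, retried over {span} days")
```
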

What I like about this (if one can like anything about spam) is that sending this crap costs the sender something. True, it's nano-cents per piece, and payment may even be done under barter arrangements, but the sender is expending something of value to pay for botnet time and, more importantly, address lists that must be getting dirtier and dirtier over time. Heck, someone has been propagating a clearly bad address here (one of thousands) for at least two years.

It gives me a glimmer of hope that botnet spamming could one day begin to collapse under the weight of its own inefficiencies. The recent upswing in incoming spam addressed to non-existent addresses may be a sign that the botnet spammers are getting more desperate in trying to rustle up sales of whatever they're peddling. The bum economy may also be helping otherwise gullible spam recipients to think twice before buying counterfeit medz or a Piaget knockoff.

Whatever it takes to undermine the spam economy is okay with me. And if the damage is self-inflicted, all the better.

Posted on April 21, 2009 at 07:50 AM

April 19, 2009

"Podmena" Alive Again

Back in January, I wrote about spam arriving with nothing more than the text "podmena traffica test" in the body. It's back again, based on not only messages I've seen here, but also on the number of visitors to the earlier article who find it via Google.

That the messages come from a botnet is hard to dispute. The bizarre Subject: lines of the earlier campaigns were ultimately used verbatim for run-of-the-mill medz and knock-off goods spam runs (that even trickle in months later).

While I don't have anything more to report about what's behind this pattern, I am glad that more email users seem to be performing some due diligence in looking behind the unexpected/unexplained. That's also one reason why I quote liberally from incoming spam that, in my estimation, is potentially dangerous — in the hope that the curious will use Google to learn about bad consequences without acting directly on the messages.

Of course, there isn't much to act on with the "podmena" spam because there aren't any links or URLs to follow. But one thing is certain: if your email address is receiving these messages, more spam will follow unless you have good server-side filtering in front of your inbox.

Posted on April 19, 2009 at 01:36 PM