Sci-fi, comics, humor, photos…it’s all fair game.

Archive for the ‘Spam’ Category

Catching up with Image Spam

Thursday, August 2nd, 2007 Posted in Spam | 3 Comments »

Since adding the MSRBL-Images signatures to our spam filters at work, I’ve occasionally dropped in to Spam or Not to help rate their submissions. It uses the “Hot or Not” concept, but instead displays an image that’s been submitted as spam, and asks viewers to rate just how spammy it is. The results feed back into developing their signatures.

Right now they’re just 10 images away from rating every single image in their database.

Total Images: 308780
Total Ratings: 314616
Rated Images: 308770 (99.99%)

Unfortunately, I seem to be mostly getting already-ranked images, because that third number isn’t climbing in step with the second. And of course, when it comes to spam, you can rate all you want—they’ll make more.

The Good Old Days

Tuesday, May 29th, 2007 Posted in Spam | 4 Comments »

I recently stumbled across an archived mailing list post of mine from the days before spammers started targeting WordPress. Someone had remarked that their spam problem had disappeared when they switched from Movable Type to WordPress, and I responded:

Oh, they hit us WordPress users too, just not as often as MT. Having it automatically moderate comments with certain keywords or more than X number of links helps cut it down, and the ability to (a) see all the latest comments and (b) mass-delete comments reduces the pain of cleanup. But they do target WP blogs from time to time.

I tend to get a pair of comments sent to the moderation queue every few weeks (presumably they figure if the first two didn’t show up, they won’t waste their time with more), but just this morning I had to delete a spam comment that came in last night and didn’t trip the moderation rules. (One of those with the generic “I like your site” messages and the author’s URL being the spamvertized site.)

That was September 2004. How things have changed! All WordPress blogs come with Akismet as an anti-spam measure, but I still prefer to use Bad Behavior, which has blocked ~2900 hits to this site in the past week alone, and Spam Karma, which has collected over 17,000 comment spams.

And with all those counter-measures in place, I get a couple of comments landing in the moderation queue each week. And just this morning I had to delete a spam comment that came in last night and didn’t trip either layer of defense (it was a generic piece targeting keywords found in a post). The filters are just barely keeping pace with the increased volume.

No comment?

Friday, April 27th, 2007 Posted in Spam | No Comments »

Project Honeypot recently started tracking comment spammers as well as email harvesting bots. Oddly enough, even though they have data going back to March 22, and even though Bad Behavior and Spam Karma have blocked an incredible number of spam comments on this site (Bad Behavior has blocked 3807 connections in the past week alone)… none of the honeypots I manage have trapped a single comment spam.

And no, the honeypot on this site isn’t protected by those plugins.

Pro-whaaat?

Thursday, March 15th, 2007 Posted in Humor, Spam | 3 Comments »

A piece of spam came across the abuse desk the other day hawking something called “Viagra Professional.” Just as some songs aren’t suited for elevator music, some products aren’t suited for Microsoft-style naming schemes.

Think about it: Outside the pharmaceutical industry, what *ahem* profession would have a use for Viagra?

Nasty Ebay “About Me” Phish

Tuesday, February 27th, 2007 Posted in Computers/Internet, Spam | 7 Comments »

Someone I know encountered a really sneaky eBay phish this weekend. It arrived through eBay’s official “Ask seller a question” system, and consisted of a simple request: Was his auction the same as the auction at the following About Me page?

The URL was a normal eBay URL of the form http://members.ebay.com/aboutme/_____. Pasting the link into another browser brought up the user’s About Me page… which consisted of a spoofed eBay login form that would submit the username and password to a page hosted at Yahoo.

So it not only came through eBay’s official messaging system, but the form appeared on eBay’s own website, meaning it bypasses many of the usual cues. It’s not a secured page, but use of SSL for login pages is still spotty enough that a user could easily miss that. And how many people have noticed that eBay only puts login forms on signin.ebay.com? You have a slightly better chance if you have a browser like Opera, which shows you the target of a form when you hover over a button. If you think to look at it.

Enhance your… mortgage?

Monday, January 22nd, 2007 Posted in Spam | 3 Comments »

I suppose it was only a matter of time before these two genres of spam collided. Today I received a spam advertising body-part enlargement products, with a link to a site called bmsMUNGEDcommercialmortgage.info (without the MUNGED).

Apparently, getting a new mortgage is supposed to increase my ability to handle huge tracts of land.

Flash Fraud

Tuesday, January 2nd, 2007 Posted in Comics, Spam | 3 Comments »

Got an interesting phish today.

Subject: Error in your billing information
From: Keystone Savings Bank.

Hmm, Keystone, eh? ;-)

Apparently, it *is* a challenge

Thursday, November 16th, 2006 Posted in Spam | No Comments »

Every once in a while, a comment spam manages to get past both Bad Behavior and Spam Karma. Oddly enough, it always seems to be on the same entry: “Abuse Contact” is not an invitation.

I guess spammers like a challenge as much as anyone else.

Eye Gouging

Thursday, September 21st, 2006 Posted in Humor, Spam | 1 Comment »

Here’s another example of randomly-generated spam somehow being appropriate:

This morning I received an image-based stock spam. The sender’s name was listed as “eye gouging.” Yes, spam does sometimes make you want to gouge out your eyes (or perhaps the spammer’s). May I recommend the Grammar Spork™ (NSFW: language) for such cases?

Back to Basics: Phish by Phone

Friday, September 8th, 2006 Posted in Spam | No Comments »

I just spotted a rather disturbing phishing message in (of all places) our abuse contact mailbox:

Subject: Fraud Prevention Measures

Dear customer!

Due to high fraud activity we constantly increasing security level both for online banking and card transactions. In order to update our records you are required to call MBNA Card Service number at 1-800-[removed] and update information on your MBNA card.

This is free of charge and would not affect any transactions with your card. Please note this is necessary to provide highest security level for all transactions with your card.

No HTML tricks. No links to fraudulent websites. Just a phone number.

I can only assume this is a response to high-profile inclusion of antiphishing features in Internet Explorer 7 and in Firefox 2. If there’s no website, there’s nothing for a web browser to check.

And of course by not using sneaky technical tricks in the message, it’s harder for tools like ClamAV, spam filters, or mail clients to detect.

Incidentally, does anyone else find it ironic that one of the most common phishing techniques is to exploit people’s fear of being phished?

Further reading: Anti-Phishing Working Group.

Joke Spam

Tuesday, September 5th, 2006 Posted in Humor, Spam | 2 Comments »

I’ve noticed a new subset of blog spam over the past few months: Jokes. Instead of just filling the comment with links to the spamvertized site, it’ll either leave the link in the author URL field, or toss a couple links in at the end, but the bulk of the comment will actually be a joke.

Generally they tend to be story-type jokes, the kind you’ll find on, say, Jumbo Joke. This is probably an effort to build up enough comedic content to overwhelm the presence of links to a porn or pillz site. A similar technique had a brief heyday maybe a year ago in email spam, though I haven’t seen many of them lately.

It’s still spam—there’s no way I’m letting those comments and links onto the site—and Spam Karma still catches them. Still, it at least makes the spamtraps a little more interesting than the endless morass of links and keywords.

On another note, I’ve been seeing a lot more email spam targeting the abuse contacts lately. I don’t know what they think they’re accomplishing, since the people reading abuse@wherever are most likely to report them and least likely to buy from them. I mean, “Greetings Abuse!!!” doesn’t seem an effective way to begin a sales pitch.

Freewheeling Slush!

Tuesday, July 18th, 2006 Posted in Humor, Spam | No Comments »

Some funny spam subjects that have popped up in my inbox or in the server’s spam traps recently:

  • freewheeling slush — Because slush that’s hemmed in by tradition just isn’t worth reading.
  • Planning buying trickles — In times of drought, even the tiniest stream is a wise investment!
  • Google Animal Gestation — I see Google is diversifying their business again.
  • Wanna Burn Movies? — For some reason I’m picturing a can of film on a bonfire, not a DVD burner.
  • I found something Daphne — It looks like a monster mask! Jeepers, this haunting is a hoax!

Brought to you by the Department of Word Salad. (I really ought to draw up a guest strip for Spamusement with one of these.)

New trend in 419 scams: UK Artists

Wednesday, July 5th, 2006 Posted in Spam | 141 Comments »

In the past two weeks, a new variant of the advance fee scam has dropped into our spam traps: supposed UK-based artists needing help selling their works overseas.

The classic Nigerian scam involves someone claiming to be the relative of a deceased or deposed dictator, general, etc. who is trying to smuggle money out of the country and needs to borrow your bank account to do it.

It’s usually a third-world country, often one with political strife, so that the average westerner won’t be too suspicious of the level of corruption implied. You never see this scam claiming to come from, say, France, or Japan, because the process would set off too many alarm bells. Someone needing to transfer that much money would either do it through normal banking channels or through organized crime—not by firing off an email to some random citizen in a foreign country.

The first-world variation, at least up until now, has been the “International Lottery” scam. In this variation you get a winning notice, but of course you need to pay them before they can send you the money, etc. This one generally claims to be based in Europe, often several countries in one message. The idea of a lottery seems much more plausible in the first world.

Someone has come up with a way to bring the 419 scam into the first world. The two samples I’ve seen so far both involve UK-based artists trying to sell their works in the US. The premise is that their customers want to pay by some method that is “difficult to cash” in the UK, so they want you, a US resident, to accept the travelers’ checks, or money orders, then wire them the amount minus a 10% commission.

Right.

I’m seriously waiting for someone to offer a commission on the Brooklyn Bridge.

The setting has changed—instead of a dictator’s widow who has hidden away ill-gotten gains in “darkest Africa,” it’s a happy Londoner living with his or her “two kids” and “the love of [their] life” and selling art on the international market. All shiny, happy and yuppie (with just a hint of bohemian). But the script is the same: Someone wants to clear huge amounts of money through your bank account.

I was going to post some quotes, but as I started looking at them, the similarities really go through the entire message.

Look, it’s Expo-Lad!

Wednesday, June 7th, 2006 Posted in Comics, Humor, Spam | No Comments »

Spam subject:

this going to expolad

It’s a stock spam, and what they’re trying to say is “This is going to explode.” But doesn’t “Expo-Lad” sound like a character from the Legion of Super-Heroes?

Just imagine:

“No one wants to come to our convention! What can we do?”
“Never fear! Expo-Lad will save us!”

Update: I can’t believe I didn’t think of this earlier, but maybe ExpoLad is related to TypoLad!

Spam Target Breakdown

Sunday, May 28th, 2006 Posted in Spam | No Comments »

It seems obvious that different email addresses get different types of spam. I recently noticed that even addresses with nearly identical exposure sometimes end up with wildly different collections.

A number of our spamtrap addresses are “seeded” by hiding them on websites. Put it somewhere that no human visitor will notice, ’cause the harvesting bots will see it anyway. There’s a whole set scattered across this domain, for instance, and even the spamtraps hidden in different areas of this site attract different types of spammers.

My Flash site is the most high-trafficked section on here. Spamtraps there seem to pick up mostly ads for dubious pharmaceuticals, and occasionally mortgage offers. It’s also the most heavily linked-to section, so this is probably the target of spiders that jump from site to site.

The remnants of my Les Misérables site wouldn’t seem to be terribly popular with spammers, but it turns out spamtraps on those pages pick up quite a bit…mostly in Chinese. Back when the site was active, it got linked to by a lyrics site in Taiwan. When it went more-or-less offline, the link stayed.

Spamtraps rotated through the top page of the site seem to collect mostly porn. I’m guessing there’s a class of bots that just look for valid domain names and hit the home page… and they’re mostly used by porn spammers.

The last area of the site that gets lots of spam is this blog. And it seems to collect all of the above.