Sci-fi, comics, humor, photos…it’s all fair game.

Archive for the ‘Spam’ Category

Eye Gouging

Thursday, September 21st, 2006 Posted in Humor, Spam | 1 Comment »

Here’s another example of randomly-generated spam somehow being appropriate:

This morning I received an image-based stock spam. The sender’s name was listed as “eye gouging.” Yes, spam does sometimes make you want to gouge out your eyes (or perhaps the spammer’s). May I recommend the Grammar Spork™ (NSFW: language) for such cases?

Back to Basics: Phish by Phone

Friday, September 8th, 2006 Posted in Spam | No Comments »

I just spotted a rather disturbing phishing message in (of all places) our abuse contact mailbox:

Subject: Fraud Prevention Measures

Dear customer!

Due to high fraud activity we constantly increasing security level both for online banking and card transactions. In order to update our records you are required to call MBNA Card Service number at 1-800-[removed] and update information on your MBNA card.

This is free of charge and would not affect any transactions with your card. Please note this is necessary to provide highest security level for all transactions with your card.

No HTML tricks. No links to fraudulent websites. Just a phone number.

I can only assume this is a response to high-profile inclusion of antiphishing features in Internet Explorer 7 and in Firefox 2. If there’s no website, there’s nothing for a web browser to check.

And of course by not using sneaky technical tricks in the message, it’s harder for tools like ClamAV, spam filters, or mail clients to detect.

Incidentally, does anyone else find it ironic that one of the most common phishing techniques is to exploit people’s fear of being phished?

Further reading: Anti-Phishing Working Group.

Joke Spam

Tuesday, September 5th, 2006 Posted in Humor, Spam | 2 Comments »

I’ve noticed a new subset of blog spam over the past few months: Jokes. Instead of just filling the comment with links to the spamvertized site, it’ll either leave the link in the author URL field, or toss a couple links in at the end, but the bulk of the comment will actually be a joke.

Generally they tend to be story-type jokes, the kind you’ll find on, say, Jumbo Joke. This is probably an effort to build up enough comedic content to overwhelm the presence of links to a porn or pillz site. A similar technique had a brief heyday maybe a year ago in email spam, though I haven’t seen many of them lately.

It’s still spam—there’s no way I’m letting those comments and links onto the site—and Spam Karma still catches them. Still, it at least makes the spamtraps a little more interesting than the endless morass of links and keywords.

On another note, I’ve been seeing a lot more email spam targeting the abuse contacts lately. I don’t know what they think they’re accomplishing, since the people reading abuse@wherever are most likely to report them and least likely to buy from them. I mean, “Greetings Abuse!!!” doesn’t seem an effective way to begin a sales pitch.

Freewheeling Slush!

Tuesday, July 18th, 2006 Posted in Humor, Spam | No Comments »

Some funny spam subjects that have popped up in my inbox or in the server’s spam traps recently:

  • freewheeling slush — Because slush that’s hemmed in by tradition just isn’t worth reading.
  • Planning buying trickles — In times of drought, even the tiniest stream is a wise investment!
  • Google Animal Gestation — I see Google is diversifying their business again.
  • Wanna Burn Movies? — For some reason I’m picturing a can of film on a bonfire, not a DVD burner.
  • I found something Daphne — It looks like a monster mask! Jeepers, this haunting is a hoax!

Brought to you by the Department of Word Salad. (I really ought to draw up a guest strip for Spamusement with one of these.)

New trend in 419 scams: UK Artists

Wednesday, July 5th, 2006 Posted in Spam | 142 Comments »

In the past two weeks, a new variant of the advance fee scam has dropped into our spam traps: supposed UK-based artists needing help selling their works overseas.

The classic Nigerian scam involves someone claiming to be the relative of a deceased or deposed dictator, general, etc. who is trying to smuggle money out of the country and needs to borrow your bank account to do it.

It’s usually a third-world country, often one with political strife, so that the average westerner won’t be too suspicious of the level of corruption implied. You never see this scam claiming to come from, say, France, or Japan, because the process would set off too many alarm bells. Someone needing to transfer that much money would either do it through normal banking channels or through organized crime—not by firing off an email to some random citizen in a foreign country.

The first-world variation, at least up until now, has been the “International Lottery” scam. In this variation you get a winning notice, but of course you need to pay them before they can send you the money, etc. This one generally claims to be based in Europe, often several countries in one message. The idea of a lottery seems much more plausible in the first world.

Someone has come up with a way to bring the 419 scam into the first world. The two samples I’ve seen so far both involve UK-based artists trying to sell their works in the US. The premise is that their customers want to pay by some method that is “difficult to cash” in the UK, so they want you, a US resident, to accept the travelers’ checks, or money orders, then wire them the amount minus a 10% commission.

Right.

I’m seriously waiting for someone to offer a commission on the Brooklyn Bridge.

The setting has changed—instead of a dictator’s widow who has hidden away ill-gotten gains in “darkest Africa,” it’s a happy Londoner living with his or her “two kids” and “the love of [their] life” and selling art on the international market. All shiny, happy and yuppie (with just a hint of bohemian). But the script is the same: Someone wants to clear huge amounts of money through your bank account.

I was going to post some quotes, but as I started looking at them, the similarities really go through the entire message.

Look, it’s Expo-Lad!

Wednesday, June 7th, 2006 Posted in Comics, Humor, Spam | No Comments »

Spam subject:

this going to expolad

It’s a stock spam, and what they’re trying to say is “This is going to explode.” But doesn’t “Expo-Lad” sound like a character from the Legion of Super-Heroes?

Just imagine:

“No one wants to come to our convention! What can we do?”
“Never fear! Expo-Lad will save us!”

Update: I can’t believe I didn’t think of this earlier, but maybe ExpoLad is related to TypoLad!

Spam Target Breakdown

Sunday, May 28th, 2006 Posted in Spam | No Comments »

It seems obvious that different email addresses get different types of spam. I recently noticed that even addresses with nearly identical exposure sometimes end up with wildly different collections.

A number of our spamtrap addresses are “seeded” by hiding them on websites. Put it somewhere that no human visitor will notice, ’cause the harvesting bots will see it anyway. There’s a whole set scattered across this domain, for instance, and even the spamtraps hidden in different areas of this site attract different types of spammers.

My Flash site is the most high-trafficked section on here. Spamtraps there seem to pick up mostly ads for dubious pharmaceuticals, and occasionally mortgage offers. It’s also the most heavily linked-to section, so this is probably the target of spiders that jump from site to site.

The remnants of my Les Misérables site wouldn’t seem to be terribly popular with spammers, but it turns out spamtraps on those pages pick up quite a bit…mostly in Chinese. Back when the site was active, it got linked to by a lyrics site in Taiwan. When it went more-or-less offline, the link stayed.

Spamtraps rotated through the top page of the site seem to collect mostly porn. I’m guessing there’s a class of bots that just look for valid domain names and hit the home page… and they’re mostly used by porn spammers.

The last area of the site that gets lots of spam is this blog. And it seems to collect all of the above.

The Trill of the Chase

Friday, May 19th, 2006 Posted in Humor, Spam | No Comments »

Some recent bizarre-but-true spam subjects:

Dinky $ch001girl$ of the universe

Obviously trying to avoid keyword filters (not that it helped), but come on—“dinky?” When was the last time you saw that applied to a person? And what exactly is a “schoolgirl of the universe?” It sounds like a new anime series or something, with schoolgirls and jet packs, roaming the galaxy to defeat evildoers.

trill boxing

It’s the fight of the 24th Century! In this corner: Curzon Dax! In this corner: Odan! Who will win? All I know is it won’t be my free time; when I looked up the names, I found Memory Alpha, a Star Trek wiki with waaay too much info. And there’s all kinds of stuff that’s happened since I stopped watching in the mid-1990s.

It lets a woman ride you like you’ve never been ridden before!

Sent to a spamtrap with a woman’s first name. Sure, you’ll reach a few who might be interested, but statistically speaking you’re better off targeting men. Or, if you take it literally instead of figuratively, horses. Last I looked, though, there weren’t too many horses with email. Unless you count pwnies, I suppose.

Thank you, Captain Obvious

Friday, May 19th, 2006 Posted in Annoyances, Spam | No Comments »

OK, I appreciate that eBay has a dedicated email address for reporting phishing attempts. I appreciate that their abuse department is a lot busier than I am, and therefore has to rely heavily on form letters. And I appreciate that they’re making an effort to educate the public on how to spot phishing and avoid getting caught.

But when I forward them a message with the comment, “Here’s a sample of a blatant phish,” is it really necessary to reply with the full two-page notice explaining, “This is a spoof, we didn’t send it, here’s how to avoid it, blah blah blah” and the entire body of the original message, complete with the links to the phishing site?

I’d think in this case a simple, “Thanks for the report, we’ve notified the authorities” note would be sufficient, especially since the “how to spot a phish” stuff is already in the auto-response. All it takes is giving their abuse staff an extra choice for the form letter.

And under no circumstances should they be including the full, original text of the phish. At best, it’s asking for the response to get lost in a spam box or blocked outright. At worst, it’s a security risk waiting to happen (since this copy really did come from eBay). Somewhere in the middle is the risk of mucking up adaptive filters as they try to reconcile the original message, which was spam, with the new message, which isn’t.

Such a Dreary Place

Thursday, April 20th, 2006 Posted in Spam | 1 Comment »

A mortgage spam started with this line:

D r ear Home O u wne u r ,

OK, so they’re inserting random space-letter-space sets into the text. But let’s ignore what they’re trying to say, and look at how it actually came out.

“Drear” home owner? (Or rather, “ouwneur?” Are they French?) Apparently I picked up the deed to the House of Usher or some such miserable domicile. I can’t say I’ve noticed any ravens around (not counting my comic collection, anyway), though I’ve certainly been awake many a weary midnight.
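From the filter's side, the space-letter-space insertion quoted in this post is awkward to undo blindly, because a real one-letter word looks exactly like the noise. The Python below is an added example, not part of the original post: it contrasts naive stripping with a matcher built from a known phrase; the phrase list and the `LEGIT` text are constructed assumptions.

```python
import re

# Noise unit from the quoted sample: whitespace, one letter, whitespace.
NOISE = r"(?:\s[A-Za-z]\s)*"

SAMPLE = "D r ear Home O u wne u r ,"   # greeting line quoted in the post
LEGIT = "We found a home for you"       # constructed legitimate text

def strip_noise(text):
    """Naive cleanup: delete every space-letter-space unit."""
    return re.sub(r"\s[A-Za-z]\s", "", text)

def tolerant_pattern(phrase):
    """Regex for `phrase` that lets noise units sit between the letters of each word."""
    words = [NOISE.join(re.escape(ch) for ch in word) for word in phrase.split()]
    return re.compile(r"\s+".join(words), re.IGNORECASE)

def hits(text, phrases=("dear home owner",)):
    """Return the known phrases found in `text` despite inserted noise."""
    return [p for p in phrases if tolerant_pattern(p).search(text)]
```

Naive stripping eats the real "O" in the sample and the "a" in the legitimate text, while the phrase-driven matcher recovers the greeting; it only helps for phrases the filter already knows.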

This is very good title

Wednesday, April 19th, 2006 Posted in Babylon 5, Spam | 6 Comments »

Lately I’ve seen an interesting pattern emerge in the comment spam logs here. Along with the usual collections of links to pills, porn, and watches, there are a bunch of trackback spam attempts using innocuous websites like Google and Yahoo and the phrase “this is very good,” over and over.

Title? “this is very good”
Blog Name? “this is very good”
Author? “this is very good”

The excerpt itself varies a bit, but is usually something like, “this is related article.”

I figure they’re either probes or attempts to poison blacklists.

What’s funny about these is that in the logs, the fields are all run together, so it looks like this:

author: this is very good title: this is very good blog_name: this is very good e-mail: …

The natural inclination is to break the phrases at the punctuation, so it looks like it’s saying, “This is very good title. This is very good blog name. This is related article.”—making it sound like Zathras is behind the keyboard!

Spam is like machine gun fire

Tuesday, April 11th, 2006 Posted in Spam | 1 Comment »

After my latest round of supposed anti-fraud notices claiming to be from banks with which I don’t have any accounts, it occurred to me that phishing, 419 scams, email spam, blog spam, etc. are all scattershot approaches. They seem so obvious to those of us who are used to seeing them. It seems unthinkable that someone would fall for a phishing attempt that identifies itself as someone else’s bank, or buy pharmaceuticals from someone who can’t spell d.Ruugz. But they’re not intended for us. We’re just collateral damage.

Direct marketing often makes at least an effort to aim, because paper and postage cost money. That’s why businesses and charities will mainly share/sell their mailing lists among similar organizations, and not some random list of people. In this way, direct marketing is like riflery: you want each shot to be as accurate as possible.

Email, however, is cheap, and most spammers are using someone else’s resources to send out the mail anyway. It’s long been pointed out that they don’t care if 99% of their messages get lost in the ether. They only need a fraction of their list to respond. It’s like using a machine gun: you don’t have to aim, just spray the general area and at least one bullet is likely to hit your target.

So phishers don’t have to match their pitches to each recipient’s bank. If they plaster the net with messages claiming to be from Chase, it doesn’t matter if most of their messages hit Wells Fargo customers. Statistically speaking, some of the recipients will have Chase accounts, and some of them will be fooled, and that’s all they need to collect their virtual loot.

And the rest of us? Bystanders caught in the drive-by.

Pressing Buttons

Monday, February 13th, 2006 Posted in Computers/Internet, Spam | 1 Comment »

You’ve probably heard by now that AOL and Yahoo are preparing a system by which large-volume email senders can pay to get their mail sent on to subscribers. You probably haven’t heard that it’s not just pay-to-send so much as it’s pay-to-get-accredited. Senders pay a company called Goodmail to say “we won’t send spam,” Goodmail checks them out, and Yahoo and AOL use Goodmail to bypass their regular spam filters.

This, of course, hasn’t stopped a flood of knee-jerk reactions. (via Spamroll)

What’s funny is that this conundrum has been almost exactly like the controversy two years ago over Microsoft choosing Bonded Sender as an accreditation service/whitelist for Hotmail—knee jerking and all.

Back then I wrote the following article and never got around to posting it. Thanks to AOL, it’s finally topical again. Sadly, I haven’t had to change much to bring it up to date.

Symantec Issues

Monday, February 13th, 2006 Posted in Spam | 17 Comments »

Last week I received a message offering a 30% discount on Norton Internet Security 2006. It claimed to be from Symantec, but the email address was at digitalriver.com, and all the links—including the ones that claimed to be at symantec.com—went to bluehornet.com.

Now 5 minutes of research turns up the facts that Symantec does work with Digital River and Digital River owns Blue Hornet. And it did go to the address I used to register Norton Antivirus last year. So it’s probably a legit offer.

But let’s think about this for a minute.

Assuming it’s legit, Symantec—a company that deals in internet security—is deliberately sending out offers via third-party domains, email and web servers. Depending on how security-conscious you are, they are either making their messages look suspicious or training users to ignore warning signs.

Or have you never seen spam offering enormous discounts on Norton products? Which generally turn out to be pirated. And I seem to recall—though I can’t find an article to back it up—that the bootleg copies are often infected themselves, or crippled in some way.

Given how many shady operators are out there, taking advantage of the big guys’ name recognition, you’d think the big guys would at least make some effort to make their own offerings look less, well, shady.

Nigerian Scams for Auction?

Sunday, February 5th, 2006 Posted in Humor, Spam | No Comments »

eBay must have some sort of blanket advertising deal with Google, because the “sponsored links” you get for some searches really don’t make any sense.

Case in point: I did a Google search for the phrase, “nigerian scam,” and saw the following ad:

Looking for Nigerian Scam? Find exactly what you want today

Wow, when they say, “Whatever it is, you can get it here.”—they really mean it! ;-)

Interestingly, if you search for “419 scam,” you get the same type of ad, but not if you search for “advance fee fraud.”

I tried a few random search terms, and from what I can tell, eBay’s ad shows up on many—but not all—two-word searches. I’m not sure what the pattern is, but I can’t imagine someone at eBay deliberately asked to buy ad space for some of these phrases.

But in a show of accuracy, if you search for “random stuff,” you’ll find it!