Stupid Scammer Tricks: Forgetting BCC
Saturday, February 9th, 2008 | Posted in Spam, You Must be Mistaken | No Comments
There’s something delicious about irony in spam. Yesterday, the spamtraps netted an advance fee fraud scam message that started out like this:
Let me be honest with you. This information is just for you alone [emphasis added]. I would suggest that you try to fix it instead of making any trouble with it as my job might be put on the line here.
Your name has been on an awaiting list of payment roaster submitted by the Nigerian Government For your lottery/inheritance reasons of no banking particulars on which transfer should be made to until two days ago when the paying Bank personnel brought in another payment roaster for the replacement of the former that had your name on it.
The funny part? (Well, aside from the “payment roaster.”) There were about 300 recipients in the To: line.
Gee, I don’t think all 300 people have the same account info…
Most spam doesn’t run into this problem, since it’s generated by special programs that don’t even bother filling in complete headers. But from what I understand, a lot of 419 scams are still sent by people sitting in internet cafes, copying and pasting bits from templates. So it’s easy to imagine someone pasting their list into the wrong field. Kind of like the classic “Reply All” fiascos.
Now there’s an opening line!
Tuesday, January 8th, 2008 | Posted in Humor, Spam | No Comments
I just spotted an advance fee fraud pitch in the spamtraps that started out with the greeting: Dear Trusting Friend.
I suppose the scammer could have meant “trusted friend,” which is still odd for an introduction, but makes a little more sense. Of course, if you take “trusting” to the extreme—i.e. gullible—you’ve just described the type of mark they’re looking for.
As a bonus: only two* of the ~270 Google hits for the phrase are not references to 419-style letters using the same opening. People just don’t write things like that normally, which makes it a pretty good indicator.
*I didn’t look at all 270, but there were only 30 hits by the time Google filtered out duplicates. And most of those were clearly recognizable just from the excerpt on the search results pages. For the record, both of the two non-scam hits used it as a description, not a greeting.
New trend in 419 scams: UK Artists
Wednesday, July 5th, 2006 | Posted in Spam | 141 Comments
In the past two weeks, a new variant of the advance fee scam has dropped into our spam traps: supposed UK-based artists needing help selling their works overseas.
The classic Nigerian scam involves someone claiming to be the relative of a deceased or deposed dictator, general, etc. who is trying to smuggle money out of the country and needs to borrow your bank account to do it.
It’s usually a third-world country, often one with political strife, so that the average westerner won’t be too suspicious of the level of corruption implied. You never see this scam claiming to come from, say, France, or Japan, because the process would set off too many alarm bells. Someone needing to transfer that much money would either do it through normal banking channels or through organized crime—not by firing off an email to some random citizen in a foreign country.
The first-world variation, at least up until now, has been the “International Lottery” scam. In this variation you get a winning notice, but of course you need to pay them before they can send you the money, etc. This one generally claims to be based in Europe, often several countries in one message. The idea of a lottery seems much more plausible in the first world.
Someone has come up with a way to bring the 419 scam into the first world. The two samples I’ve seen so far both involve UK-based artists trying to sell their works in the US. The premise is that their customers want to pay by some method that is “difficult to cash” in the UK, so they want you, a US resident, to accept the travelers’ checks, or money orders, then wire them the amount minus a 10% commission.
Right.
I’m seriously waiting for someone to offer a commission on the Brooklyn Bridge.
The setting has changed—instead of a dictator’s widow who has hidden away ill-gotten gains in “darkest Africa,” it’s a happy Londoner living with his or her “two kids” and “the love of [their] life” and selling art on the international market. All shiny, happy and yuppie (with just a hint of bohemian). But the script is the same: Someone wants to clear huge amounts of money through your bank account.
I was going to post some quotes, but as I started looking at them, the similarities really go through the entire message.
Nigerian Scams for Auction?
Sunday, February 5th, 2006 | Posted in Humor, Spam | No Comments
eBay must have some sort of blanket advertising deal with Google, because the “sponsored links” you get for some searches really don’t make any sense.
Case in point: I did a Google search for the phrase, “nigerian scam,” and saw the following ad:

Wow, when they say, “Whatever it is, you can get it here.”—they really mean it!
Interestingly, if you search for “419 scam,” you get the same type of ad, but not if you search for “advance fee fraud.”
I tried a few random search terms, and from what I can tell, eBay’s ad shows up on many—but not all—two-word searches. I’m not sure what the pattern is, but I can’t imagine someone at eBay deliberately asked to buy ad space for some of these phrases.
But in a show of accuracy, if you search for “random stuff,” you’ll find it!
How Thunderbird’s Scam Detection Works
Friday, October 28th, 2005 | Posted in Mozilla, Spam, Troubleshooting | 25 Comments
Since upgrading to Mozilla Thunderbird 1.5 beta 2, I’ve seen a number of messages slapped with a warning label that “Thunderbird thinks this message might be an email scam.” It appears at the top of the message, in the same style as the junk mail notice bar or the warning that remote images have been blocked, and there’s a button to mark the message as “Not a Scam.”
There’s only one problem. Since SpamAssassin and ClamAV do such a good job of catching the phishing scams before they reach my inbox, Thunderbird has yet to catch any actual phish. But there’ve been a lot of false positives. It’s hit LiveJournal reply notices, newsletters from IEEE and Golden Key, a Spam Karma notice from my own blog, and I’ve seen it on both outbid notices and updates to saved searches from eBay.
I found myself wondering just how Thunderbird’s phishing detection decides that a message is suspicious—and how to teach it that the next LJ notice isn’t a scam.
The Thunderbird support website doesn’t seem to have been updated yet. Most of the articles I’ve found only talk about TB adding the feature, not how it works. The best information I found was this Mozillazine forum thread, which included a link to the actual code that makes the decision, in phishingDetector.js. Thunderbird looks at the following:
- Links that only use an IP address, including dotted decimal, octal, hex, dword, or some mixed encoding.
- Links that claim to go to one site, but actually go to another. (Phishers do this to fool you into going to their site. Legit mailing lists sometimes do this with redirectors for tracking purposes.)
- Forms embedded in the email. (This explains the LiveJournal notices.)
It also appears to trap text URLs containing HTML-escaped characters, which explains the Spam Karma reports. In this case the report includes a spammer’s link with ​ in the hostname. The message is plain text, so Thunderbird leaves the entity as-is when displaying it…but decodes it when it creates the link. Result: a link where the text and URL don’t match.
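An added example (not Thunderbird’s phishingDetector.js and not code from this post) showing one way to implement the checks listed above, including the entity case; the function names and finding labels are hypothetical, and it only compares link text to the target when the text is itself a URL with a scheme.

```javascript
// Added illustration; not Thunderbird's phishingDetector.js.
// Parse one IPv4 component as URL parsers do: 0x = hex, leading 0 = octal, else decimal.
function parsePart(s) {
  if (/^0x[0-9a-f]+$/i.test(s)) return parseInt(s, 16);
  if (/^0[0-7]+$/.test(s)) return parseInt(s, 8);
  return /^(0|[1-9][0-9]*)$/.test(s) ? parseInt(s, 10) : NaN;
}

// True for IPv4 hosts in dotted decimal, octal, hex, dword, or mixed form.
function isIpHost(host) {
  const nums = host.split(".").map(parsePart);
  if (nums.length > 4 || nums.some(Number.isNaN)) return false;
  const last = nums.pop(); // the final part fills all remaining bytes
  return nums.every(n => n <= 0xff) && last < 2 ** (8 * (4 - nums.length));
}

// Host of an absolute URL, skipping any userinfo; null when no scheme is present.
function hostOf(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^\/?#@]*@)?([^\/:?#]+)/i.exec(url.trim());
  return m ? m[1].toLowerCase() : null;
}

// Decode numeric character references such as &#8203; or &#x2e;.
function decodeEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);/gi, (_, n) =>
    String.fromCodePoint(/^x/i.test(n) ? parseInt(n.slice(1), 16) : parseInt(n, 10)));
}

// Apply the three checks to an HTML body; returns sorted finding names.
function scanHtml(html) {
  const findings = new Set();
  if (/<form[\s>]/i.test(html)) findings.add("embedded-form");
  const anchor = /<a\s[^>]*href\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;
  for (const [, rawHref, rawText] of html.matchAll(anchor)) {
    const hrefHost = hostOf(decodeEntities(rawHref));
    if (!hrefHost) continue;
    if (isIpHost(hrefHost)) findings.add("ip-address-link");
    // Compare only when the visible text is itself a URL.
    const textHost = hostOf(decodeEntities(rawText.replace(/<[^>]*>/g, "")));
    if (textHost && textHost !== hrefHost) findings.add("text-href-mismatch");
  }
  return [...findings].sort();
}

// Plain-text case: the text shows the entity literally, the generated link decodes it.
function plainTextLinkDiffers(shownUrl) {
  return decodeEntities(shownUrl) !== shownUrl;
}
```

A reply notice that embeds a comment form trips the first check even though every link in it is honest, which matches the false positives described in this post.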
The easiest way to prevent it from freaking out over the next message? Add the sender to your address book. I’m not sure that’s a great idea, since a phisher could guess which addresses you have saved and spoof them, but it’s at least simple. I guess I’ll find out whether it works the next time I get a reply notice from LJ. Update: Adding the sender to your address book doesn’t seem to have any effect.
Update 2 (July 12, 2006): The comment thread’s gotten long enough that I can see people might miss this, so here’s how to disable it:
- Open Options or Preferences (this will be under the Tools menu on Windows, Thunderbird on Mac, or Edit on Linux).
- Click on Privacy (there should be a big padlock icon).
- Click on the E-mail Scams tab.
- Disable the “Check mail messages for email scams” option and click on Close.
That’s it.
Spamming for God (multicultural edition)
Tuesday, December 14th, 2004 | Posted in Spam | No Comments
Various outlets have reported on the recent appearance of evangelical spam—unsolicited bulk email which promotes religious messages instead of advertising products. It’s been pointed out that since CAN-SPAM refers to commercial mail it can’t be used to stop people who bombard you with other types of messages.
I’ve seen 419 scams with religious trappings for months. These are the usual “Help me smuggle $20 million out of my country” ploys with the added twist of “Oh, I’m a missionary” or “I’ll donate it to an orphanage” or “You can trust me, I’m a Christian,” usually tied to a middle-eastern nation where Christians are in the minority (because Nigeria is so passé). Of course the only thing the scammers really worship is the almighty X-MILLION US DOLLARS. It’s a cheap sympathy ploy, nothing more, made obvious by the fact that, well, it’s a scam!
Today I saw a new variation on that tactic: instead of appealing to Christians, this one was appealing to Muslims. It was all about some Muslim convert in Cuba who had been abandoned by his Catholic family and just needed to transfer $12 million out of the country… all sent from a UK-based email account.
On a side note, I’ve found myself wondering lately why so many of these seem to come from European ISP Tiscali, particularly Tiscali UK. (One came through yesterday with 119 copies of the standard footer!) I assume they must provide easy-to-get email accounts, or perhaps connectivity for a lot of Internet cafés. It also suggests that quite a few of these scammers aren’t anywhere near the (mostly) third-world nations where they claim to live.
Points for honesty?
Monday, October 4th, 2004 | Posted in Spam | 8 Comments
This showed up in the spamtraps today:
Subject: Truth of the matter
Dear Sir,
This letter can only define Nigeria Scam, a.k.a. 419. If this mail look like scam to you delete it, we are looking for serious minded person.
As we all know, top officials do loot funds out of the country with non-residence foreigners. When they try and fail, the world hears it as fraud/scam, but when they go through, nobody or a newspaper writes it.
This trade is huge here and people are making lots of money out there in most foreign countries. Though the government are mapping out sophisticated strategies to checkmate unauthorized dealers. From the president to the cleaner in the house, they are all into this trade.
And so on.
This has got to be the most brazen variation I’ve seen — and the first one that admits what it is up front. Of course it goes on to try to convince you that no, this one’s the real thing, we’re only trying to cheat other people, not you, because you wouldn’t fall for that sort of thing, would you?
I’m trying to figure out whether the proper response to this is “WTF” or “O_o” or just “Unbe-flipping-lievable.”

