Spamnation

Murk-o-sur

Fri, 16 Oct 2009 07:32:42 -0500

Our spamtraps get hit with a fair amount of unsolicited email from Latin America, particularly from Brazil, Argentina and Peru. By and large, this email is from actual businesses (albeit sometimes small or shady ones) rather than pharmacy spammers or penis pill vendors.

Some of the senders are knowingly abusive, as can be seen by the contortions they go through to try to avoid spam-filtering or identification. The word 'publicidad' ('advertising') which several Latin American spam laws require to be included in the subject line of the message, is often permuted in interesting ways. Others actually comply, to a greater or lesser degree, with whatever laws are in force in their country. And then there are the disclaimers ...

"opt-out" is not a "policy"

Thu, 01 Oct 2009 12:29:05 -0500

A recent piece of unsolicited email, promoting a Brazilian retailer called Chic Mix, carries the following interesting message (loosely translated from the Portuguese):

Anti-Spam Policy: if you don't want to continue receiving news from Chic Mix, please click here

If you spotted that the words 'anti-spam policy' don't really belong there, give yourself a small prize. Whatever that message is, it's not a 'policy'.

Jose Thomaz goes crazy

Sat, 12 Sep 2009 07:59:29 -0500

Spammers come and go. Some spammers, however, just keep on spamming. One of the most prolific and persistent is a Brazilian spammer advertising health insurance plans. For a long time, this spammer was an unknown. He used a constantly changing lineup of email addresses, some of which featured the word ‘saude’ ('health') or some variation on 'jcthomaz'. Eventually, however, he started advertising a domain - jcplanosdesaude.com. In some cases, the domain didn't appear in the message, but phone numbers that were also listed on that domain did.

Hack'n'spam

Sun, 30 Aug 2009 07:14:44 -0500

One of the perennial problems for spammers is finding what the intelligence community refers to as 'clean skins': identities that aren't associated with known bad actors. For spammers, the problem is two-fold: they want their emails to originate from netblocks that aren't known to be spam-infested, and they want the URLs that they cite to refer to domains that aren't known as spam domains.

Hotmail Hijack #3

Thu, 27 Aug 2009 20:22:01 -0500

In a blog post, Microsoft has acknowledged that some Hotmail users' accounts are being hijacked, a problem that has been previously discussed here. The article claims that a "worm or virus" is involved.

Yahoo! vs .cn

Wed, 15 Jul 2009 09:00:00 -0500

As mentioned in a recent post about abuse of URL shorteners, Yahoo! is currently a popular choice for spammers wanting to host their ads on a 'trustworthy' domain. Spammers create Yahoo! groups or profiles, post their ad copy to the profile page or as a message to the group, and then send out spam containing the relevant URLs. Because the URLs contain the 'yahoo.com' domain name, they aren't good candidates for URI DNSBL filtering.

Our traps have been picking up a lot of this kind of spam recently, so I decided to try to work out how big the problem really is.

The Long and the Short

Tue, 07 Jul 2009 20:37:01 -0500

MessageLabs is reporting that use of URL shorteners in spam has exploded, with more than 2% of all spam now containing shortened URLs. The technique is reported to be heavily used in spam sent by the Donbot botnet.

Bind their kings in chains

Sat, 27 Jun 2009 23:39:10 -0500

June looks like being a bad month for some of the big names in the world of spam. First to hit the news was Sanford Wallace, who may face criminal charges for spamming Facebook in defiance of a court-ordered injunction. Then, on Monday this week, Alan Ralsky pleaded guilty to charges of wire fraud, money laundering and violations of the CAN-SPAM Act in connection with a stock spam scheme. His son-in-law and three others also face heavy fines and possible jail sentences for their part in the scheme.

Finally, Tuesday saw the arrest of 'Cajun Spam King' Ronnie Scelson, who faces charges related to the forcible rape of one teenage girl and the molestation of a second. Scelson may also be charged with drug possession, while examination of computers seized from his home may lead to additional charges.

Hotmail Hijack #2

Thu, 18 Jun 2009 08:36:42 -0500

We've had some more feedback from people who have been affected by Hotmail hijackers. It seems that changing your Hotmail password should be effective — provided that you can prevent the hijackers re-acquiring your new password.

In addition to changing your password and making sure that any 'alternate email address' linked to your account is correct, you should also check:

Your vacation message
Your signature

and remove any text that the scammers have added there. You can update your signature and vacation message through the "Options" menu at the top right of the main Hotmail mail page. Choose "More Options" from the pull-down menu to get access to your account settings.

Hotmail hijack

Thu, 14 May 2009 08:21:19 -0500

In an earlier post, I wrote about some Chinese fake-storefront scammers who are apparently using hijacked Hotmail accounts to send out spam. We've had a lot of messages from Hotmail users and their friends about this problem, so here's a quick explanation and some tips.

CAN-SPAM, eh?

Thu, 07 May 2009 07:18:17 -0500

Canada is currently considering a new anti-spam bill, touted as the Canadian equivalent of the US CAN-SPAM Act. The Electronic Commerce Protection Act (ECPA) is not yet law, but if it does pass without too much modification, it may offer Canadians better protection against spam than their neighbors south of the border currently enjoy, at least in theory.

Called it

Sat, 25 Apr 2009 09:00:00 -0500

In a recent post about an apparent scam involving eBay, I suggested that it would probably turn out to be a form of money transfer scam. So I mailed the scammer, pretending to be interested in their proposal. Here's what they wrote back:

Farewell Geocities

Thu, 23 Apr 2009 14:52:16 -0500

Ten days after my post about spammers using Geocities (and other free sites) to host their ads, Yahoo! has announced that Geocities will be closed down. I don't think this has anything to do with my post, and it may not even be directly due to the abuse of the service by spammers. Geocities had simply outlived its own initial success and, with nothing new to offer, was probably just a drain on resources. The spammers, like rats leaving a sinking ship, are already moving on to other hosts, such as LiveJournal.

Name that scam

Wed, 22 Apr 2009 06:55:48 -0500

I'm currently working on an upgrade to this site that will include a section about some of the scams most commonly seen in spam. I've already covered a few of the favorites — 419, money transfer, courier parcel, fake storefonts and so on (don't look for them just yet; the scam guide is part of a planned comprehensive upgrade which may take months). However, I think I've just come across a new one.

Who's a-scraping?

Sat, 18 Apr 2009 17:55:37 -0500

I'm currently soak-testing a new spamtrap system, aimed at getting some additional metrics and information about spammer behavior and in particular the way that they use 'web-scrapers' to find email addresses. The system works by hiding email addresses on web pages and then counting the spams that get sent to them.

The results have been interesting. Just to throw out a random example, an email address that was handed out to a web crawler running on a server hosted at theplanet.com in December 2007 now receives just under 40 spams a day. The spam sent to that trap consists of the usual fake watches, diplomas, penis enlargements and pharmacy spam. That's a lot of spam for an address that has only ever been seen by a single robot.