On spam

I know what you're wondering. You're wondering how many penis-pill spams I get per hour.

Well, gentle reader, it varies, depending on the time of day, from about six to about fifteen.

Luvverly spam, wonderful spam...

Per hour.

For some weeks now, the most popular ones have had subject lines that always contain a name, a word vaguely denoting bigness, and a word vaguely donating a dickish object, in various arrangements.

Some of the words for "big" are particularly entertaining. Actual subject lines I've seen include HoracioObviousFuckstick, BouffantPenisRosetta, and ClarkOverlargeBodypart (overlarge?).

(The penis I've been promised has also been described as "spacious". I'm sure "massive" has been in there, too - though "sturdy" and "fearsome", sadly, remain unused.)

The body of these messages always includes another of the three-word portmanteaux, followed by the URL of a Web site. There are many such sites - calormontes.com, grayskues.com, janeoplane.com, jeroneus.com, junioeres.com, planesjanes.com, razkoesu.com and slopitues.com were all promoted in one day - all registered with nonsense details to Some Dude In China.

All of them currently give you the same site (on, I think, the same physical server), promoting a product allegedly called "VPXL" from a company allegedly called "Express Herbals".

The VPXL/Express Herbals guys are the source of the vast bulk of my dick-pill spam, and I bet they're the source of most of yours, too, if you're not using an airtight spam filter.

(I've got three active e-mail addresses at the moment. The filtering on my iiNet account lets through zero spam but no doubt bounces a few valid messages; I only use it for a couple of mailing lists and occasional personal messages, though, so that's fine. I've also got an old Optus account I hardly ever use for anything, which is almost as well filtered; only a few spams a day get through there. And then there's dan@dansdata.com, messages to which get an "X-Spam-Tests-Failed:" header tacked on by m'verygoodfriends at SecureWebs who host Dan's Data, but are very minimally filtered by them, if they're filtered at all. Hence: Spamvalanche!)

Like the previous fake marijuana spams, the VPXL ones come to you courtesy of a botnet - a huge collection of virus-infected home computers on ordinary Internet accounts, identifiable because the sending IP addresses for the spam vary widely but always belong to some ISP or other that serves the home-user market.

The botnet this time is called Mega-D, and it has the interesting quality that its infected machines almost all seem to be in non-English-speaking countries. (The previous Storm-botnet spam overwhelmingly came from the USA.)

The VPXL dudes now seem to be shifting away from the three-word spams. In one 155-minute period earlier today I received:

One VPXL spam directly promoting http://polierin.com/; it came from a codetel.net.do IP address (Dominican Republic).

One VPXL spam with an "I'm Feeling Lucky" Google link (http://google.com/pagead/iclk?sa=l&ai=acetate&num=137336094&adurl=http://clinrie.com?446) that takes you to the spammers' site, in this case clinrie.com. The spam came from 58.19.232.188, a China Network Communications Group Corporation IP address.

One for jilafen.com from 80.146.114.212, a Deutsche Telekom address.

One for nidegnero.com from 201.19.74.24, a probably-Brazilian IP address.

And another variant, whose body text said "Pls Go ' www.redmehs ' dot com"; redmehs.com is VPXL yet again, registered to Chinese nonsense yet again. This one came from 68.118.233.112, though, which is an IP address belonging to Charter Communications in the USA.

There was exactly one spam that actually mentioned VPXL in the text of the spam - but it was malformed, with no actual link to anywhere you could buy the product. It came from 92.112.20.89, belonging to Ukrtelecom in the Ukraine.

And then there were a couple of the classic three-worders, one from Peru and one from Chile, both promoting zhbvdiaeg.com.

And then there was yet another variant, from a Colombian IP address and promoting http://geocities.com/kathydowns889/, which is a redirector page that sends you to neverwaitons.com, another facade for the Express Herbals server.

The runners-up in the dick-pill spam-flow are the "Canadian Pharmacy" type (the sites are usually subtitled "#1 internet online drugstore"). The most prominent products on these sites are, of course, always erectile dysfunction drugs. Which you almost certainly will not actually receive if you place an order.

In my 155-minute period I got one promoting marquitamontemurrodd.blogspot.com, which redirects to a Canadian Pharmacy site at putwish.com, which is registered to a pile of Chinese nonsense that closely resembles the standard VPXL-domain registration nonsense, leading me to suspect they're related. The spam came from 220.128.197.130, some Taiwanese mail server.

And then there was one that directly promoted canocaw.com, "Target Pharmacy", registered to more Chinese nonsense and also billed as "#1 Online Pharmacy Store", and looking much the same as the "Canadian" version. The sender was 84.108.33.6, belonging to Bezeq International in Israel.

Another one promoted tamilacyg.blogspot.com, which redirected to another "Canadian Pharmacy" at pha-cana.com, an unusually comprehensible domain name for these guys. More Chinese rego details; spam sent from 82.54.82.43, Telecom Italia.

And one promoting ruoedi.kiltyale.com, which is "World Pharmacy", which looks a bit different from the Canadian and Target varieties. Kiltyale.com is registered to marginally more real-looking Chinese details than the other pharma-sites, but the spam came from 190.156.83.182 in Colombia, which suggests the Mega-D net again.

And then there was one promoting the entirely genuine-sounding URL http://gbcdelmafhjk.filmplenick.com/?iafhjkxowptygzchcmbcdelm, which is a "Viagra + Cialis" site calling itself "VIP Pharmacy". Filmplenick.com is registered to a US address, so even though this was another spam from a South American IP address, I suspect it's not the same people as "Canadian" and "Target".

And then there was one for www.onthebob.com, a site that's regrettably down right now - one of only two pharma-spams whose promoted sites didn't work - and which is registered to pointless details in Brazil rather than China, suggesting that the culprit is different again. The spam came from 60.242.181.54, which is a TPG Internet IP address right here in Australia.

The other complete failure had the subject "Hydrocodone, Vicodin, Phentermin, we are 100% reliable pharmacy retailer cufqev21ph", and advertised gop.uhthclrenewed.com, which is down (so not quite 100%, I guess). Actually, the uhthclrenewed.com domain isn't even registered as I write this, so spamming about it would appear to be slightly premature. This spam originated from 66.228.248.134, belonging to the gloriously titled "Park Region Mutual Telephone Co. and Otter Tail Telcom" in the USA.

On top of these, I got one ad for pohfrensei.com, selling the entirely non-icky product "WonderCum". This is the VPXL people again; that domain is registered to more Chinese nonsense, and WonderCum and VPXL are often sold - or complained about - on the same sites. This spam came from a BT Total Broadband IP address in the UK, though.

(The VPXL people have also been responsible for "Elite Herbal", "Manster", "ManXL" and the delightfully understated "Megadik".)

There was also one quit-smoking spam advertising something called LiveFree at www.celarpo.com/f/. That's probably unrelated to the dick-pills people; the domain is registered to someone allegedly in the USA, and the spam came from 201.226.17.2, somewhere in South America.

I also got one sad little "RE: February 88% OFF" (the number varies - in one mail check a while ago I got eight different "discounts"...), allegedly from "admin@viagra.com", with a link to a broken redirector. Presumably that's the remnant of an older botnet, still spamming sporadically away with out-of-date info.

Along with all of the above, and not counting the spams not in English that I couldn't figure out, my 155-minute period netted me nine casino spams (including four copies of "RE ORDER Casino"), six offers of business loans, two counterfeit-watch spams, five counterfeit-other-things spams (four were in Asian character sets, but "Gucci" and "Tiffany" stood out in the headers...), two "offshore printing service" spams (I've been getting those for a while), one fake-lottery spam, two eBay phishes, and exactly one of those magical messages that's nothing but the bare minimum headers needed to get it to you, with no subject, To: line or body.

Yes, I have thought about just redirecting all of my mail through Gmail or something so that I won't smell this constant tide of manure any more - even if all it can do is slap up against my MailWasher deletion queue. I doubt Gmail filtering would be any worse than what I'm doing now - I may be manually scanning over the headers of my mail, but I'm sure I've failed to notice valid mail and deleted it anyway.

But there's a sick fascination to doing it this way.

It's interesting to see the sheer quantity of repeato-spam. You don't get to appreciate the magnitude of the problem - sucking up Internet bandwidth, server power and the money you pay for Internet access - if you hide behind a filter.

The current repeato-spam onslaught is, I think, created by the distributed botnet senders. Botnets are a great way to spam, but they have no way to coordinate their sending lists.

Spammers never prune their mailing lists anyway, and I do know that one should never underestimate the stupidity of spammers, but I think even the dumbest modern mass-mailing software ought to be able to avoid sending the same spam to the same recipient twelve times in one run. If you've got thousands of zombie PCs sending your spam independently, though, it becomes much harder to prevent the same recipient getting (essentially) the same message over and over and over in a short period of time, because none of the individual bots know which other bot has sent which message to which recipient.

This is probably why I got three copies in quick succession of "AGF has an exellent opportunity for you! Australia", plus one "AGF is a smarter way to money! Australia", three "New part time job - good salary in Australia", one "Work with us today - earn money today!", one "AGF company helping individuals in business online" and one "it is your new job possible!". All in the course of, I don't know, maybe three hours.

I suppose someone's dotty email-forwarding great-aunt might think this just meant these people were really really eager to find new employees. But super-repeato-spam like this, and like the three-word dick-pill tirade, ought to have some negative effect on the message's credibility to even the most cretinous of other recipients.

Another attraction of paying (at least a little) attention to incoming crap is that you get to see how much of it, as in this case, resolves to just a very few senders.

If someone found, and dealt with, in one way or another, just the VPXL spammers, the total volume of spam in the world might well drop by a double-digit percentage. It's not often that crime prevention has such a definite monetary payoff; since spam costs the world tens of billions of dollars a year, you could easily save a sum equal to the Gross Domestic Product of an African nation by shutting down just one major spam-group, as long as another didn't rise up to take their place.

And that might well not happen, if we establish just a little deterrent value. First World nations need to crack down on spam more effectively, and Third World nations need to realise that spammers are (a) rich and (b) probably all pudgy and easy to rob, 'cos they spend a lot of time sitting in front of a computer.

Legal prosecution would be good. But I'd settle for standover men.

"I bet that stuff you sell's given you a really big dick. Would you like to keep it?"

12 Responses to “On spam”

  1. Daniel Rutter Says:

    Note, in the unlikely event that you've read this far, that this is the kind of post that tends to attract comments which contain words which will cause the comment to be held for moderation.

    So if you've just written a brilliant comment containing your insights into herbal Viagra casino work-at-home programs, and you don't see it on the page, there's no need to repeat it. Once I approve the comment, it'll be visible.

  2. jwaddell Says:

    You'd think that as the world as a whole becomes more internet-savvy, and the number of people who have learned their lesson after being scammed increases, the spammers' profits would be constantly decreasing. But of course there are plenty of people who don't learn from their mistakes.

    On another note, a good way to handle false positives in GMail is to do a search in your spam folder for your name, by searching for "in:spam justin". I find one every couple of months with this method, and it saves a lot of time manually scanning through the spam folder!

  3. corinoco Says:

    It's a bit sad to hear our new PM mouthing off about a crusade against P2P, thereby jumping on the same bandwagon as the UK & US (grumble 'free trade' grumble), while no government anywhere seems to have the balls to stand up to spam properly. Especially the US; up to recently it's been mostly them.

    Pay-per-mail looks like a good solution - say $0.01 per email (OK, it will have to be $0.02 because of GST!), assuming that's offset by lowered ISP costs. The problem is it's like any other international law - everyone has to adhere to it or it won't work.

    Hmm.. standover men does seem like the best option. Or Vogon Poetry. "Oh frettled gruntbuggly, thy micturations are to me..."

  4. Daniel Rutter Says:

    Not only would pay-per-message require worldwide cooperation, and be least easy to set up in the countries that already produce the most spam, but it would also make it impossible for most people in poor countries to, say, run a mailing list.

    There are numerous other problems with the idea.

    To whom would people who run their own mail servers pay the fee? Would e-mail encryption be made illegal? If someone accidentally makes a mail forwarding loop that runs over the weekend and clogs a couple of servers, do the server owners involved each pay $50,000 to each other, or do they both have to pay it to your E-Mail Post Office and then try to get the money out of the person who made the mistake?

    Oh, and who pays, and how much, for bounce messages? What about other errors?

    I've got more, if you'd like... :-)

  5. Kiwiri Says:

    The funniest three-word-dick-pill subject line I've come across so far is "Wide-rangingBodypartForrest", as I note here. See further spams that have amused me recently, here.

  6. Falk Says:

    Three things that drive me mad about spam:
    1) It seems to make the spammers rich -- otherwise they'd have given up by now
    2) There are no current laws to adequately deal with spammers*
    3) As with drunk people running down my mailbox, whatever laws are available are militantly not enforced by the law enforcement agencies

    *: We'd need to get Amnesty International on-board with the reintroduction of breaking at the wheel. Considering how much misery worldwide this would ameliorate, it mightn't be too hard...

  7. Jax184 Says:

    I still say the spammers need to be locked up in jail with a bunch of single, scammed men loaded up on viagra and promises of meeting singles in their area...

    Anyway, just a note to those who haven't seen it already, http://www.spamusement.com has managed to find what may be the only valid use for spam.

  8. Hendo Says:

    I had a remarkably honest Subject header the other day:

    SPAM#SPAMimSPAMsSPAMsSPAM%SPAM?SPAM' 'SPAMsSPAM?

    Enough to make me wonder if the product or service was similarly honestly portrayed. Bit hard to tell though:

    Ищите хорошую рекламу? Мы к Вашим услугам!
    Хотим предложить вам наши услуги рассылок{LET:рекламных сообщений,почтовых сообщений,почты,рекламы} по {LET:отличным,приемлемым,правильным,невысоким} ценам.

    Наш прайс-лист:
    1 000 000 имайлов на аккаунты сервиса МАЙЛ РУ 10 т. до 12 000 почтовым ящикам рублей

    Наши телефоны:
    8-909.903-4366

  9. Hendo Says:

    Just ran it through altavista - it's offering a spam mail out service...

  10. Steven Den Beste Says:

    Bad enough to multi-spam with normal messages. But it's rather stupid to multi-spam when you're trying to run a 419 scam.

    Receiving essentially the same letter from Mr. Jason Taylor, Lawyer, begging for your help -- receiving it five times, in slightly varied versions, all addressed to BCC mailing lists, rather defuses the message. (Except that I don't see them because K9 stops them all. Great program, that one.)

  11. app Says:

    I think what amuses me is the 'christian' spam...stuff for christian mortgage, christian dating, bibles, i love jesus t-shirts, etc.

    But what I haven't recieved yet is one for christian penis or breast enlargement. I am still waiting for that.


Leave a Reply