I do like a good link-spam in the morning

From: "Kyra jhons" <kyra.jhons@beacaliforniaspermdonor.com>
To: Blogsome <dan@dansdata.com>
Subject: Page rank 4 link request
Date: Wed, 15 Oct 2008 15:40:41 -0500

Hi:

My name is Kyra Jhons, I´ve visited your website blogsome.com and I
was wondering if you would like to exchange links with my website,
currently I have a Business website and I´m looking for other similars
like yours. In exchange I'll give you a link from my
"Beacalifornias Permdonor Marketing Service" website with page rank 4
(http://www.beacaliforniaspermdonor.com).

Your link will be exactly here:

http://www.beacaliforniaspermdonor.com with page rank 4 (your link will
be in Homepage and NOT at links page!!)

If you are interested please add my link to your site using the
following details, let me know once it's ready and dont forget to send
me your site details for do the same for you, your link will be ready
on my site in less than 24 hours, otherwise you can delete my link from
your site.

Title: UK Prepaid Cards
Url: http://www.what-prepaid-card.co.uk
Description: What Prepaid compares current UK pay as you go prepaid
credit cards.

Or you can use the following html code:

<a href="http://www.what-prepaid-card.co.uk">UK Prepaid Cards</a> -
What Prepaid compares current UK pay as you go prepaid credit cards.

Please let me know once it's ready and send me your site details for do
the same for you. I'll be waiting for your kind reply.

Best Regards

Kyra Jhons

PD: In order to follow anti-spam regulations, please be so kind of
filling in the following form if you don't want to receive any more
messages from this address.
http://www.goodeyeforlinks.com/Contact_Us.html

The link-farm site and the site they want promoted are different because these spammers, like many others, are playing the triangle. I think beacaliforniaspermdonor.com may set a new high-water mark for link irrelevance, pretty much regardless of who gets this spam.

Oh, and in case you're wondering, I am not the boss of Blogsome. And I'm certainly not going to hand out links to any Johnny-come-lately who doesn't even offer me "f-ree software".

I particularly like how they call their link-farm page "Beacalifornias Permdonor". It's like the exact opposite of the Who Represents/Experts Exchange thing. (See also "beontopranking-google.com".)

Scam magnetism

Apropos previous mentions of lazy spam-scammers, here's one who's working harder.

I got three copies of his "order", sent to my domain-registration e-mail address, my private iiNet address, and dan@dansdata.com. The man's thorough!

From: "Bill Jackson" <rev.billjackson@gmail.com>
Date: Tue, 12 Aug 2008 16:11:41 -0700
To: sushilmehta0072000@yahoo.com
Subject: order

Hello good day my name is Rev.Bill Jackson i will like to order some Fuel
Savers from you and will like to nop the cost for each plus tax and dont
include shipping cost

Thorough, but dumb.

Perhaps there's a little symbiont circle out there, of scam artists making worthless fuel-savers and other scam artists buying said fuel-savers with fake bank cheques.

(See also.)

Oh, and the New South Wales Office of Fair Trading has announced an investigation into fuel-saving devices. They somehow managed to not mention the word "firepower" anywhere in the press release.

Posted in Scams, Spam. 3 Comments »

A new backscatter record!

Man, "I" seem to be sending a lot of spam these days.

Since I wrote about what happens when someone looses a volley of spam with your e-mail address in the "From:" field, there've been a few other spam-runs that've resulted in smaller backscatter storms pitter-pattering into my e-mail account. From which I then, of course, deleted them without downloading, after scanning the headers with good old MailWasher.

Yesterday, though, I got this:

Backscatter spam.

As soon as I'd finished scanning headers and deleting a couple of hundred messages, there were another couple of hundred waiting. It's slackened off, now; the total for this run may end up at 5000 bounces.

As usual, the bounces came from umpteen small and medium businesses, US middle schools, mailing list servers (I don't think I've been subscribed to or unsubscribed from anything, this time)... you name it.

Perhaps I should have just picked half a dozen at random and sent them form letters telling them about the problem. Maybe the administrator addresses for one or two wouldn't even give me yet more bounces.


If you're looking for a standalone header-scan Bayesian-spam-identifying whitelist-plus-blacklist sort of app for Windows, I think MailWasher continues to be a good option. It's been updated considerably since my ancient review of it.

Note, however, that the last MailWasher update was quite a while ago, so the program (well, the full "Pro" version of it, anyway; I don't know about the free-as-in-beer basic version) still defaults to using the Open Relay Database (ORDB) service to identify spam sources.

ORDB has been defunct for a long time, now, and earlier this year the minimal server still running at the ORDB address started loudly announcing the service's discontinuation by returning a "positive" response for every single query.

That means that MailWasher, with ORDB activated, will say that every single message it looks at is spam, according to ORDB. I think it actually won't default to marking all messages for deletion, but this obviously still completely breaks MailWasher's basic functionality.

Easy to fix, though: Just uncheck the ORDB option in the "origin of spam" config tab and you'll be fine.

MailWasher also defaults to adding the apparent sender address for every message identified as spam to its blacklist, which seems to me to be just as dumb, if not as annoying to others, as sending bounce messages to those addresses (which is another feature you can turn on in MailWasher - for the love of all that is Holy, please don't). Uncheck the "Mark the sender of the email to be blacklisted" options in the "Origin of spam" and "Learning" setup tabs, and it won't do that any more.

Feel free to suggest, in the comments, any other standalone header-scan mail-filter programs you think I should check out. I'm aware of the spam filters built into various modern e-mail clients, but I'm still using a version of Eudora carved from primordial basalt and so don't need any of those.

Any filter that requires you to download all of the spam, rather than just scan the headers, is also Right Out. Even when I'm not in the middle of a backscatter snowstorm.

The spam-scammers aren't even TRYING any more.

From: Sharon Williams <sharon_williams29@yahoo.com>
Date: Thu, 10 Jul 2008 09:56:31 -0700 (PDT)
To: dan@dansdata.com
Subject: LCDs Purchase

Hello Sales,

I hold LCDS Store,So I will like to purchasing your Items Product,which is:

LCDS........................................5Pieces

So kindly e-mail me back with the Total Cost and plus the Shipping Cost together to London,E16 4SP ,So as to have you paid with my Credit Card# for you to charge for the Order from you there on your behalf.
Hope to hear from you back today.
Thank you..

Regard,

Oh, you'd like five LCDs, would you? Any preference? Five seven-segment calculator displays, five thirty-inch Dells... all the same to you, eh?

Every day for these scammers must be a new adventure. They've literally got no idea at all what might be turning up from the sort of ultra-gullible schmuck that'd fall for their "orders".

The last shreds of my faith in humanity depend on nobody at all falling for this one, though.

Despite the mention of a London address, I think this is probably yet another Nigerian, or perhaps Romanian, scammer. They get a sucker at the stated address to send everything on to them, then the sucker ends up carrying the can when the goods vanish into Africa or wherever and no money comes back.

I don't think any actual forwarding company will fall for this any more (this piece is almost six years old), but there's still a pretty good supply of individual suckers who'll believe what a brother in Christ has to say.

The Capital Letters mean it's Really from the CIA

In a similar vein to the death-threat spam, I just received this:

From: "PaulAllison@cia.com" <paulallison @cia.com>
Date: Fri, 4 Jul 2008 22:49:21 +0200
To: dan@dansdata.com
Subject: CIA - Case ID: 528-84223 - WARNING

Hello,

Your IP address has been logged on more than 20 illegal Websites.
This does not necessary means that You browsed all of this illegal content.
Theres possibility someone else has access to your PC, physically or someone else gained remote access to your PC machine.
As a matter of that, we kindly ask You to answer all our questions regarding this case in reasonable amount of time.
List of all our questions is available for download at http://www.cia-intl.com.ba/ID528-84223.zip
If you do not answer these questions until 10.07.2008 we will start investigation and make final decision on our own. In that case, You'll get the charge in writing soon after.
Please note that browsing illegal content online is serious violation of laws in many countries.
We expect your co-operation and prompt response.

Sincerely,
Paul Allison
Central Intelligence Agency -CIA-
935 Pennsylvania Avenue, NW , Room 3220
Washington , DC 20535
Phone: (202) 324-30000
Case ID: 528-84223

Apparently this is some kind of July 4th special offer.

They even went to the trouble of making http://www.cia-intl.com.ba/ by itself redirect to cia.gov. I like to see that kind of attention to detail in a threat-scammer.

(CIA-dot-com, used for the probably-not-connected reply address, is actually just an ISP.)

Interestingly, this spam actually did come from a .ba (Bosnia and Herzegovina) source, bhtelecom.ba. And http://www.cia-intl.com.ba/ID528-84223.zip is still live, as I write this - it's 476 kilobytes, and actually is a zip file, containing the 562-kilobyte ID528-84223.exe.

The jotti.org online malware scanner I've mentioned before, which submits uploaded files to umpteen anti-virus programs, got only one hit, from BitDefender. It reckoned the file behaved like the uninventively-named Win32.Malware. The Sunbelt Sandbox scanner generated reams of conclusions - basically, every bit of information you can get by running the program in a virtual machine and tracking everything it does for a little while - but as far as actual identification went, just dropped it in the VIPRE.Suspicious "miscellaneous" bin.

I then deleted the file and sprinkled quicklime over the part of the hard drive where it had been. I've learned my lesson.

Posted in Scams, Spam. 4 Comments »

If you can't get better, at least get revenge

I just received, complained about and deleted an unsolicited commercial e-mail promoting "The Highland Hypnotist, Scott Burke".

I needn't post it here, because you can read the whole thing for yourself on prlog.org, one of those sites where people can upload press releases about whatever they like.

It's pretty standard woo-woo claptrap. Mysterious Scottish wizard Has The Power to Cure What Ails Ye, et cetera. Except for the headline.

Which is, just in case you've not yet read the prlog.org page: "Highland Hypnotist Uses His Powers To Avenge Bad Health....or Your Money Back!"

Avenge bad health?

So, what, he finds the guy who made you sick and beats the hell out of him?

I suppose that could account for the money-back guarantee - "OK, you've still got diabetes, but you didn't see the part when I totally avenged the dickens out of it!".

(Actually, money-back guarantees like this are de rigueur for quacks of all colours. Some of them just never return anybody's money, of course, but most rely on the low number of warranty claims that're likely to turn up when your audience is self-selected for gullibility and you're treating variable illnesses with indistinct end-points.)

Posted in Scams, Spam. 5 Comments »

One more reason to love spammers

Backscatter graph

A spammer has just used my e-mail address as the return address for a good-sized run of spam. Gee, it's fun when that happens.

In case this is all new to you: There is nothing verified about the From: or Reply-To: lines in an e-mail. A sender can put whatever they like in there. Spammers do this as a matter of course, generally picking some address out of the same list to which they're sending the spam, or picking something relevant-sounding like admin@viagra.com or bigmoney@amazingsupercasino.biz.

It seems, at least, that Internet users are now savvy enough that they don't send outraged messages to these bogus reply addresses any more. Or maybe the people who're prone to do that are all now just behind good enough spam filters that they never get to see that "I" sent them 300 porn spams today. So that's a relief.

But I've still ended up with the thick end of three thousand "backscatter" bounce messages from moronic mail servers that don't check to see whether, perchance, incoming obvious spam might just possibly not have a genuine reply address. Nope, they (a) accept the mail, even though they could tell instantly that it's for an address that doesn't exist, and (b) then cheerfully send an error e-mail. And they send that error e-mail to the Reply-To address, because how could the Reply-To for "Hot replica watches from 2008" or "ivagra ciails" possibly not be real!?

What mail servers should do in this situation is check the recipient before they accept the message, and reject message delivery if the recipient does not exist. Then an error gets sent directly to the sending mail server.

Backscatter will still exist even if every mail server got this right, but it'd be restricted to far rarer things like "I'm out of the office" messages, and other kinds of autoresponder systems.

The backscatter bounce flow seems to have slacked off a bit, now; it's down to about five bounces a minute. And it's not terribly onerous for me to MailWash all of those bounces out of existence. Actually filtering backscatter bounces is a bit tricky - in essence, you probably do want to receive bounces from messages you actually sent, and backscatter bounces look very much the same - but manually deleting them with some sort of header-preview tool like MailWasher is no big deal.

Mixed in among the thousands of bounces, though, were a few other things, one of which I'd never seen before.

For every few hundred nonexistent-address errors, you see, there are a few "please confirm your subscription" messages. Those are from mailing list servers that treat anything sent to subscribe@dumblist.example.org as a subscribe request, even if it's an ad for porn or watches or pharmaceuticals.

This does no real harm - it's just another darn message in among the bounces - unless the list is one of the old-style ones that don't require a subscribe confirmation.

Here's a new one, though. This spammer sucessfully UNSUBSCRIBED me from a mailing list!

I'm a subscriber to Jakob Nielsen's Alertbox list, which is administered by Sparklist. It's normal for mailing list unsubscribe requests to not require a confirmation, and clearly Sparklist don't spam-filter unsubscribe messages. So when the spammer sent some piece of crap or other to leave-alertbox@laser.sparklist.com, "from" dan@dansdata.com, it cheerfully unsubscribed me.

My actual Alertbox e-mails have a different unsubscribe address, leave-alertbox-[seven-digit-number]Y@laser.sparklist.com, which probably isn't in any spammer's database, and would be unlikely to be generated randomly either (yes, spammers send spam to aaaa@example.org, aaab@example.org, aaac@example.org...). But I just tried unsubscribing by e-mailing plain old leave-alertbox@laser.sparklist.com, and it worked just fine. So I reckon that's the button the spammer pressed.

I just subscribed to Alertbox again, so there's no real harm done there, either. But it was a pure fluke that I noticed the lone "Alertbox unsubscribe confirmation" message in the middle of the thousands of bounces and other messages. It didn't even come from the same address as the subscribe confirmation messages, so whitelisting that address wouldn't have helped me. If this had been some mailing list that was essential for my job, or something, I could have missed a few issues before I noticed.

Thanks again, spammers! You're doing a heck of a job!

Posted in Spam. 7 Comments »

On spam

I know what you're wondering. You're wondering how many penis-pill spams I get per hour.

Well, gentle reader, it varies, depending on the time of day, from about six to about fifteen.

Luvverly spam, wonderful spam...

Per hour.

For some weeks now, the most popular ones have had subject lines that always contain a name, a word vaguely denoting bigness, and a word vaguely donating a dickish object, in various arrangements.

Some of the words for "big" are particularly entertaining. Actual subject lines I've seen include HoracioObviousFuckstick, BouffantPenisRosetta, and ClarkOverlargeBodypart (overlarge?).

(The penis I've been promised has also been described as "spacious". I'm sure "massive" has been in there, too - though "sturdy" and "fearsome", sadly, remain unused.)

The body of these messages always includes another of the three-word portmanteaux, followed by the URL of a Web site. There are many such sites - calormontes.com, grayskues.com, janeoplane.com, jeroneus.com, junioeres.com, planesjanes.com, razkoesu.com and slopitues.com were all promoted in one day - all registered with nonsense details to Some Dude In China.

All of them currently give you the same site (on, I think, the same physical server), promoting a product allegedly called "VPXL" from a company allegedly called "Express Herbals".

The VPXL/Express Herbals guys are the source of the vast bulk of my dick-pill spam, and I bet they're the source of most of yours, too, if you're not using an airtight spam filter.

(I've got three active e-mail addresses at the moment. The filtering on my iiNet account lets through zero spam but no doubt bounces a few valid messages; I only use it for a couple of mailing lists and occasional personal messages, though, so that's fine. I've also got an old Optus account I hardly ever use for anything, which is almost as well filtered; only a few spams a day get through there. And then there's dan@dansdata.com, messages to which get an "X-Spam-Tests-Failed:" header tacked on by m'verygoodfriends at SecureWebs who host Dan's Data, but are very minimally filtered by them, if they're filtered at all. Hence: Spamvalanche!)

Like the previous fake marijuana spams, the VPXL ones come to you courtesy of a botnet - a huge collection of virus-infected home computers on ordinary Internet accounts, identifiable because the sending IP addresses for the spam vary widely but always belong to some ISP or other that serves the home-user market.

The botnet this time is called Mega-D, and it has the interesting quality that its infected machines almost all seem to be in non-English-speaking countries. (The previous Storm-botnet spam overwhelmingly came from the USA.)

The VPXL dudes now seem to be shifting away from the three-word spams. In one 155-minute period earlier today I received:

One VPXL spam directly promoting http://polierin.com/; it came from a codetel.net.do IP address (Dominican Republic).

One VPXL spam with an "I'm Feeling Lucky" Google link (http://google.com/pagead/iclk?sa=l&ai=acetate&num=137336094&adurl=http://clinrie.com?446) that takes you to the spammers' site, in this case clinrie.com. The spam came from 58.19.232.188, a China Network Communications Group Corporation IP address.

One for jilafen.com from 80.146.114.212, a Deutsche Telekom address.

One for nidegnero.com from 201.19.74.24, a probably-Brazilian IP address.

And another variant, whose body text said "Pls Go ' www.redmehs ' dot com"; redmehs.com is VPXL yet again, registered to Chinese nonsense yet again. This one came from 68.118.233.112, though, which is an IP address belonging to Charter Communications in the USA.

There was exactly one spam that actually mentioned VPXL in the text of the spam - but it was malformed, with no actual link to anywhere you could buy the product. It came from 92.112.20.89, belonging to Ukrtelecom in the Ukraine.

And then there were a couple of the classic three-worders, one from Peru and one from Chile, both promoting zhbvdiaeg.com.

And then there was yet another variant, from a Colombian IP address and promoting http://geocities.com/kathydowns889/, which is a redirector page that sends you to neverwaitons.com, another facade for the Express Herbals server.

The runners-up in the dick-pill spam-flow are the "Canadian Pharmacy" type (the sites are usually subtitled "#1 internet online drugstore"). The most prominent products on these sites are, of course, always erectile dysfunction drugs. Which you almost certainly will not actually receive if you place an order.

In my 155-minute period I got one promoting marquitamontemurrodd.blogspot.com, which redirects to a Canadian Pharmacy site at putwish.com, which is registered to a pile of Chinese nonsense that closely resembles the standard VPXL-domain registration nonsense, leading me to suspect they're related. The spam came from 220.128.197.130, some Taiwanese mail server.

And then there was one that directly promoted canocaw.com, "Target Pharmacy", registered to more Chinese nonsense and also billed as "#1 Online Pharmacy Store", and looking much the same as the "Canadian" version. The sender was 84.108.33.6, belonging to Bezeq International in Israel.

Another one promoted tamilacyg.blogspot.com, which redirected to another "Canadian Pharmacy" at pha-cana.com, an unusually comprehensible domain name for these guys. More Chinese rego details; spam sent from 82.54.82.43, Telecom Italia.

And one promoting ruoedi.kiltyale.com, which is "World Pharmacy", which looks a bit different from the Canadian and Target varieties. Kiltyale.com is registered to marginally more real-looking Chinese details than the other pharma-sites, but the spam came from 190.156.83.182 in Colombia, which suggests the Mega-D net again.

And then there was one promoting the entirely genuine-sounding URL http://gbcdelmafhjk.filmplenick.com/?iafhjkxowptygzchcmbcdelm, which is a "Viagra + Cialis" site calling itself "VIP Pharmacy". Filmplenick.com is registered to a US address, so even though this was another spam from a South American IP address, I suspect it's not the same people as "Canadian" and "Target".

And then there was one for www.onthebob.com, a site that's regrettably down right now - one of only two pharma-spams whose promoted sites didn't work - and which is registered to pointless details in Brazil rather than China, suggesting that the culprit is different again. The spam came from 60.242.181.54, which is a TPG Internet IP address right here in Australia.

The other complete failure had the subject "Hydrocodone, Vicodin, Phentermin, we are 100% reliable pharmacy retailer cufqev21ph", and advertised gop.uhthclrenewed.com, which is down (so not quite 100%, I guess). Actually, the uhthclrenewed.com domain isn't even registered as I write this, so spamming about it would appear to be slightly premature. This spam originated from 66.228.248.134, belonging to the gloriously titled "Park Region Mutual Telephone Co. and Otter Tail Telcom" in the USA.

On top of these, I got one ad for pohfrensei.com, selling the entirely non-icky product "WonderCum". This is the VPXL people again; that domain is registered to more Chinese nonsense, and WonderCum and VPXL are often sold - or complained about - on the same sites. This spam came from a BT Total Broadband IP address in the UK, though.

(The VPXL people have also been responsible for "Elite Herbal", "Manster", "ManXL" and the delightfully understated "Megadik".)

There was also one quit-smoking spam advertising something called LiveFree at www.celarpo.com/f/. That's probably unrelated to the dick-pills people; the domain is registered to someone allegedly in the USA, and the spam came from 201.226.17.2, somewhere in South America.

I also got one sad little "RE: February 88% OFF" (the number varies - in one mail check a while ago I got eight different "discounts"...), allegedly from "admin@viagra.com", with a link to a broken redirector. Presumably that's the remnant of an older botnet, still spamming sporadically away with out-of-date info.

Along with all of the above, and not counting the spams not in English that I couldn't figure out, my 155-minute period netted me nine casino spams (including four copies of "RE ORDER Casino"), six offers of business loans, two counterfeit-watch spams, five counterfeit-other-things spams (four were in Asian character sets, but "Gucci" and "Tiffany" stood out in the headers...), two "offshore printing service" spams (I've been getting those for a while), one fake-lottery spam, two eBay phishes, and exactly one of those magical messages that's nothing but the bare minimum headers needed to get it to you, with no subject, To: line or body.

Yes, I have thought about just redirecting all of my mail through Gmail or something so that I won't smell this constant tide of manure any more - even if all it can do is slap up against my MailWasher deletion queue. I doubt Gmail filtering would be any worse than what I'm doing now - I may be manually scanning over the headers of my mail, but I'm sure I've failed to notice valid mail and deleted it anyway.

But there's a sick fascination to doing it this way.

It's interesting to see the sheer quantity of repeato-spam. You don't get to appreciate the magnitude of the problem - sucking up Internet bandwidth, server power and the money you pay for Internet access - if you hide behind a filter.

The current repeato-spam onslaught is, I think, created by the distributed botnet senders. Botnets are a great way to spam, but they have no way to coordinate their sending lists.

Spammers never prune their mailing lists anyway, and I do know that one should never underestimate the stupidity of spammers, but I think even the dumbest modern mass-mailing software ought to be able to avoid sending the same spam to the same recipient twelve times in one run. If you've got thousands of zombie PCs sending your spam independently, though, it becomes much harder to prevent the same recipient getting (essentially) the same message over and over and over in a short period of time, because none of the individual bots know which other bot has sent which message to which recipient.

This is probably why I got three copies in quick succession of "AGF has an exellent opportunity for you! Australia", plus one "AGF is a smarter way to money! Australia", three "New part time job - good salary in Australia", one "Work with us today - earn money today!", one "AGF company helping individuals in business online" and one "it is your new job possible!". All in the course of, I don't know, maybe three hours.

I suppose someone's dotty email-forwarding great-aunt might think this just meant these people were really really eager to find new employees. But super-repeato-spam like this, and like the three-word dick-pill tirade, ought to have some negative effect on the message's credibility to even the most cretinous of other recipients.

Another attraction of paying (at least a little) attention to incoming crap is that you get to see how much of it, as in this case, resolves to just a very few senders.

If someone found, and dealt with, in one way or another, just the VPXL spammers, the total volume of spam in the world might well drop by a double-digit percentage. It's not often that crime prevention has such a definite monetary payoff; since spam costs the world tens of billions of dollars a year, you could easily save a sum equal to the Gross Domestic Product of an African nation by shutting down just one major spam-group, as long as another didn't rise up to take their place.

And that might well not happen, if we establish just a little deterrent value. First World nations need to crack down on spam more effectively, and Third World nations need to realise that spammers are (a) rich and (b) probably all pudgy and easy to rob, 'cos they spend a lot of time sitting in front of a computer.

Legal prosecution would be good. But I'd settle for standover men.

"I bet that stuff you sell's given you a really big dick. Would you like to keep it?"