Archive for the 'Spam' Category

Now even random spammers believe I think too highly of myself

September 19th, 2007

From a spam email I received today, after the link to their site:

Greeting yaron
get rid of that self-esteem once and for all.

I think I’ll keep my self-esteem, but nice of them to offer.

Don’t bother people who are not your users

August 29th, 2007

I just got a message from Yahoo letting me know that they’ll be shutting down the Yahoo Photos service soon.

The stated purpose of which was to let me know that I need to take out the pictures I stored in Yahoo Photos and move them elsewhere.

Except that, well, I don’t have any pictures in Yahoo Photos.

I tested it a while back. Once. I just put a couple of pictures there, saw the behaviour, and then removed the pictures.

Haven’t used the service in over a year, I believe.

And in any case, I don’t have any picture there. When I tried to follow their link to go to my pictures, just to verify, it didn’t show me any picture either.

So I know I’m not using the Yahoo Photos service. And Yahoo knows I’m not using the Yahoo Photos service. In this case, what exactly was the point in their email?

How not to try and foil spam detectors

August 22nd, 2007

Senders of email spam keep working on ways to have their spam messages pass through spam filters. The idea being, naturally, that a spam that got caught before someone reads it will never generate revenues.

And sadly enough, spam that does get read by real people sometimes does generate revenue. That is why they still keep sending them.

But there are two important things for the spammers to do there.

  1. As I mentioned, they need to try and make it hard to automatically flag the message as spam. That way the message may pass on to the recipient, who may actually read it.
  2. The spam message has to be readable to the person receiving it. Otherwise there is also no way to get money out of it, so why bother sending the message in the first place?

Sometimes, however, they get too creative. So much that the message is almost entirely unreadable to a person.

For example, an excerpt from a “stocks” spam message I received recently:

C,Y’T'V con’tinu+es i-t_s stead-y cl.imb f_o-r t’h-e s econd w_eek. S,tock re,porti-ng site-s acros_s t*h-e boar,d a-r,e issuin+g
sto*ck watc’h notic._es. R’e*a_d t-h’e ne’ws, l.o,o*k at t-h e numbe-r.s, a.n.d g+e t on C.Y_T’V as it kee ps i,t-s clim-b going .
Busines*s NewsNow h.a,s re.l’eased C,Y*T+V as feature.*d Sto,ckWa’tch.

It’s readable, barely, but you have to really try.

When someone opens a message which is just full of text like that, the first reaction is that it’s total gibberish, and people would erase it without even trying to read it.

Amusingly enough, this did not pose any problem for the spam filters, which caught it easily. I found it going through the spam folder, not my inbox.

The poor[1] spammer got it all wrong.

---
  1. Sadly enough that’s probably not a financial statement. Nor does it express genuine sympathy on my part.

The totally inept handling of spamming blogs by Blogspot (Blogger)

June 1st, 2006

Almost two weeks ago this blog received copious amounts of trackback spam. In two waves. The first included links to a wide selection of sites claiming to offer insurance. The second one was of identical trackbacks, all pointing to the same address, a site touting and extolling the virtues of the drug Phentermine.

And it wasn’t a stand-alone site, it was a Blogspot/Blogger blog. Not really surprising, at that. As a major service offering easy to use free blogs for anyone, quite a lot of spammers are using them to create fake blogs.

They’re aware of that, of course. They make it harder for an automatic program to create a blog, as a way to reduce the amount of these splogs. But a real spammer can still manually create a new Blogspot blog, and use it as a fake page directing to a site selling the stuff.

Which was the state when I decided to take a peek at the site. A blog with one post, going on and on about the alleged amazing virtues of this drug.

They put very little thought into creating this blog, and everything was at the default settings. So comments were allowed. Three of them existed at the time, by three different people yelling at the blog owner to stop spamming them.

I was not the only target, it seemed.

Blogspot also adds a button to each blog, allowing readers to flag it as containing “objectionable” content. Which doesn’t really apply in this case, since what bothered me was the spamming context, and not so much the content itself. The content was also junk, but flagging it doesn’t have room for comments, so no way to tell anyone about the spamming.

But everyone has an abuse team. Blogspot/Blogger must have one too, so I figured I’d go looking. They have a usage policy, and they mention not liking this sort of thing. But no obvious email address.

I tried to just send to an abuse email address. Most companies and services have them, user abuse at the domain. Well, Blogger doesn’t. They never thought anyone would be interested in reporting to them things like spam and abuse, it would seem. I tried, the message bounced.

By the time I got the bounce notification a day had passed. So I decided to check back on the site, to see if maybe they got the hint already by some other means, and I can stop. No such luck, it was still alive and well. The spammer erased the complaining comments, though, and blocked comments on the blog. Big surprise.

I still needed to report them. So I went back to the Blogger site to dig deeper. The main Blogger page has a link to their help section.

The help section actually contains this encouraging phrase:

If you can’t find what you need here, try asking the Blogger Help Group, or send an email to the Blogger support team and we’ll get back to you as soon as we can

I won’t ask the help group, since it’s not their job, and since that requires registration. I’m not about to register to a service just so I can do them a favour and report someone abusing them.

I’d have been happy for the email to the support team. But no email address provided. I could have guessed that it’s support at blogger dot com. But after the abuse guess didn’t work, I decided not to waste my time with more wild guesses.

The help page did have a link to a TOS page, which is usually good, since they should provide a way to contact them to report abuse of said terms. Except that this page only had one thing to say regarding contacting them:

17. VIOLATIONS Please report any violations of the TOS via the Blogger Support home page.

With a link back to the general help page. The help page that doesn’t provide any obvious means of contact.

There’s nothing there like “Contact Us”, or an indication of what to do if you have an issue not covered in the displayed list.

Time for some creative thinking. What topics can raise issues that they didn’t think to already include in the help, and are important enough that they’ll have to provide some way for people to pose questions?

User login. People have to use the service. So I went there.

And there it was. One of the discussed problems was what to do if someone subscribed with an email address they’re no longer using, and forgot their password. And there’s a link to a form to report the problem.

Not at all an obvious connection, but it’s there.

This goes to a page asking for a Blogger login. Hmm… Again, I’ve no intention of joining and creating an account just so I could complain. But, and luckily there’s a but, there is a link for “Skip authentication”. Sounds promising.

This goes to another page. Now I had to choose between wanting to ask a question, and wanting to submit a feature request or suggestion. I wanted neither.

The correct answer, though, if anyone wonders, is wanting to ask a question. That goes to a help page, with a form, allowing to submit questions, and report TOS violations.

There’s another way to get there, BTW, besides looking for that login problem I found. For all the actual help topics, once you get to a specific topic, and not looking at an index or list of problems, the sidebar changes. And the bottom of it contains an “Ask Blogger” area, that links to the same place I got to from that post.

The top parts of the sidebar looks exactly the same, though, containing the same information. So it’s very hard to notice that something changed in a useful way down there at the bottom.

Not only that, but there’s one topic that doesn’t have the sidebar. The TOS page. This has a lot of text, so they present it in an extra-wide column, and they removed the sidebar to make room.

Normally, for the problem I was having, the need to report an abuse, this is the only topic anyone would have a reason to suspect has a connection to what they need. Stripping that link from the page, and even having a topic in it pointing elsewhere, that’s terribly inconsiderate and misleading.

Complex, and confusing.

But finally I did get there. So I sent them a notice (the copies here are stripped of the links, email addresses, and names):

Hi,

I have a blog which yesterday started to receive a large amount of
trackback spam with the links pointing towards
****.

Judging by a few angry comments already posted there, I’m not the only one
being spammed with this link as the address… Though checking again today
the angry comments were erased.

Please close that site and do whatever you can to stop that behaviour.

BTW, getting to this form to report problem is not trivial and there isn’t
an obvious way to get to it. You have to make contacting you easier.
Yesterday I instead opted to try sending an email to ****,
but now got back a bounce from it… Try to either have an email address
for reporting such problems, or have a clear contact link from the main
page, instead of having to go to the help section and through several
other screens.

Best regards

Seems clear enough.

I quickly got back an automatic reply:

Hi there,

Thanks for contacting Blogger Support. We will review your message and
respond as soon as possible. Thanks for your patience.

Sincerely,
Blogger Support

It turned out that as soon as possible was about three days. Yes, they’re that fast.

And this is what they had to say:

Hello,

Thank you for writing in regarding content on
****. Upon review of this blog, it appears that
the content in question has already been removed.

Please let us know if we can further assist you.

Sincerely,
The Blogger Team

Well, that’s good news. Except it wasn’t. Because the site’s content hasn’t been removed, just changed.

It existed, the splog in question wasn’t closed.

The spammer just changed tactics, adding JavaScript code to the page that redirected anyone coming to the page to another site, dedicated to selling the junk. Going to the splog with JavaScript enabled resulted in getting to the spammer’s sales site. Going to the splog without JavaScript showed the splog with a much shorter post still talking about Phentermine.

There is no option at all to get to the splog site and get the impression that it was removed. None. This can only happen by not bothering to check it at all.

At least they signed it with sincerity. I was not impressed.

I sent a reply, doing their job for them:

Removed??

Changed, yes. Removed, no.

It’s still a blogspot/blogger blog, except that the main page contains a
javascript which redirects to a new site
*** , selling the same drug
that the original spam blog sold.

This is the script from within that blogspot page:

<script type="text/javascript"
src="http://www.blogger.com/js/cookies.common.js">
</script></head><script language="JavaScript">
var a1='win', a2='dow.', a3='loca', a4='tion.', a5='replace',
a6='("****")';
var i,str="";
for(i=1;i<=6;i++)
{
str += eval("a"+i);
}
eval(str);
</script>

This is a cute little script, by the way. Nothing amazing, but enough to bypass whatever attempts Blogger/Blogspot have to prevent users from sticking such address changing mechanisms into their pages.
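
The redirect above can be recognised without running it. The following is an added example, not code from the original post or from Blogger: it reassembles numbered string fragments (a1, a2, ...) found in inline scripts and reports any family that spells out a location change. The sample page and the sales.example address are constructed.

```javascript
// Added example: static check for split-string eval redirects in page HTML.
// Nothing from the page is executed; fragments are only concatenated.
const NAV_SINK = /\b(?:window|document|top|self)\.location(?:\.(?:replace|assign|href))?\b/;

// Return the bodies of all non-empty inline <script> elements.
function inlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim() !== '') bodies.push(m[1]);
  }
  return bodies;
}

// Collect `name<N> = 'literal'` assignments, grouped by name prefix:
// a1, a2, a3 ... become family "a" mapping index -> fragment.
function numberedStringFamilies(script) {
  const re = /\b([A-Za-z_$]+?)(\d+)\s*=\s*(['"])((?:\\.|(?!\3)[^\\])*)\3/g;
  const families = new Map();
  let m;
  while ((m = re.exec(script)) !== null) {
    if (!families.has(m[1])) families.set(m[1], new Map());
    families.get(m[1]).set(Number(m[2]), m[4]);
  }
  return families;
}

// Join each family in index order and flag those that form a redirect.
function findHiddenRedirects(html) {
  const findings = [];
  for (const script of inlineScripts(html)) {
    const usesEval = /\beval\s*\(/.test(script);
    for (const [prefix, parts] of numberedStringFamilies(script)) {
      if (parts.size < 2) continue;
      const reconstructed = [...parts.keys()]
        .sort((x, y) => x - y)
        .map((k) => parts.get(k))
        .join('');
      if (!NAV_SINK.test(reconstructed)) continue;
      const url = /\(\s*["']([^"']*)["']\s*\)/.exec(reconstructed);
      findings.push({ prefix, reconstructed, target: url ? url[1] : null, usesEval });
    }
  }
  return findings;
}

// Constructed sample with the same shape as the script quoted in the post.
const SAMPLE_PAGE = `<html><head>
<script type="text/javascript">var t1='Hello, ', t2='reader';</script>
</head><script language="JavaScript">
var a1='win', a2='dow.', a3='loca', a4='tion.', a5='replace',
a6='("http://sales.example/")';
var i,str="";
for(i=1;i<=6;i++)
{
str += eval("a"+i);
}
eval(str);
</script><body>placeholder post</body></html>`;

for (const hit of findHiddenRedirects(SAMPLE_PAGE)) {
  console.log(`family "${hit.prefix}" rebuilds: ${hit.reconstructed}`);
}
```

A filter that only searches the page source for the literal text of a location change never sees it here, because that text exists only after the fragments are joined.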

This, I assumed, should be enough to catch someone’s attention, and have them do something about it.

Wrong assumption.

It has been quite a few days, and I got annoyed again and decided to check what is going on with that. I forwarded them the last message again, adding:

I didn’t get any reply from you on that one, but the blogspot subdomain is
still there, still active, though now redirects to another site selling
the same pill.

It’s over a week now that you’re hosting this spammer.

And I did get a reply this time. Wait, this may seem familiar to you:

Hello,

Thank you for writing in regarding content on
****. Upon review of this blog, it appears that
the content in question has already been removed.

Please let us know if we can further assist you.

Sincerely,
The Blogger Team

Yep, the exact same canned response as before.

Anyone else getting the feeling that they’re not as sincere as they claim to be, and that the review of the blog didn’t really occur?

I sent this in reply:

The content has not been removed, and this is the exact same response you gave my original message, when the content has not been removed either.

I didn’t get anything back.

And the site was still there. Taking a better look at it (with JavaScript disabled, to avoid the redirection) I saw that the person who created it had made a few additional blogs with the same user. Two of which redirected (using the same trick) to online casino sites, and one which now is just an empty blog doing nothing.

So I decided to once again forward it to them with additional comments:

Hi,

I took another look at the site, and it’s still there. There’s a javascript that automatically redirects to an external site selling the junk.

Loading the site with javascript disabled I was able to get it to show, now having nothing but a small placeholder post (the original longer post was erased). But looking at the blogger profile shows a total of four sites from the same author, one which is currently pointless, and two more which have the same automatic-redirection javascript, for casino sites ( **** and **** ).

I’m pretty sure that this is not a valid use of a blogspot blog as per your policies. Especially considering that these “blogs” were also there as the link source for a massive distributed trackback spam attack all over, but even just as they are now.

Please remove these, and if possible try to follow up on the people responsible, instead of just keeping this junk alive while sending me a message telling me that the content has been removed while it’s still there…

Thank you,
Yaron.

No response back from them yet. And the splogs are still there.

I really must remind myself not to attribute to malice anything which can be attributed to incompetency. But they must have some very incompetent people over there at Blogger support for this…

Trackbacks are out

May 19th, 2006

Not that it should be a big problem, it’s not like I’m getting lots of trackbacks anyway. But since it is a policy change, I may as well put a post on it.

Too many attempts at trackback spam lately, so all in all it doesn’t seem worth it to keep trackbacks. So for now they’re off.

Comments are still open, though. And will hopefully always remain so.

Lottery scam, by real mail

May 19th, 2006

A refreshing change (well, a change anyway) in all those scam attempts (Nigerian 419 types, or otherwise) everyone keeps receiving in email.

My brother received one in the mail. Regular mail. In an elegant envelope, printed on elegant stationery, and everything.

I know that these things also happen, and probably happened for a long time before email became so ubiquitous, but it’s certainly much rarer, and nothing I personally encountered before.

This one was a variation on the lottery scams.

The paper, addressing him by name, claimed to be from the Spanish elGordo lottery. And informed him that he won something like a million Euro.

Of course, not having ever purchased a lottery ticket in Spain, that’s not very likely. But they did have an explanation, this was a lottery done by randomly picking people from around the world as winners. Very convincing, no, to just randomly pick people and give them money, no need to apply?

They also mention that the money is transferred by a third-party, some security/insurance company, and that they’ll need to take 10% of the winning money as a commission for processing it. Another very convincing claim.

And there’s an attached form asking for all sorts of personal questions. Plenty of personal information, quite possibly enough for someone to even get into his bank account, for example, or for other identity-theft related reasons.

And most typical, though what I still find most peculiar about all of those scam attempts, the English was terrible. They did improve on the average by not having many spelling errors. That’s something that’s very rare for the emails. But the syntax and grammar, ouch. It hurt just reading the thing.

I admit, it’s quite possible that some random Spaniard off the street will use that as English, and expect it to be fine. I personally correspond with company clients from abroad who have worse English. But not when what’s written is supposed to be an official letter, sent by a respectable authority, and involving those amounts of money. And a lottery foundation that can afford sending millions of Euros as prizes can certainly employ someone with reasonable English skills.

But those scammers apparently never can. Not once. Ever.

Sometimes I think these guys will have a much higher success rate if people would only ignore those flimsy scam attempts because they make no sense, and not also because they have terrible grammar. With that language one can hardly even begin to try and take what’s actually written seriously.

And unlike the email version, sending those real letters costs money. There’s postage, there’s the envelope cost, there’s printing the stationery on quality paper, stamping the paper and envelope with all sorts of official looking stamps. All sorts of stuff. So if they’re sending a large bunch of those, at least paying someone to go over the language would make sense.

Oh, well, can’t complain.

What I did find, however, is that throwing up these absurd amounts of money is actually helpful. It should have been obvious from the get-go that this is a fake. It was obvious from the get-go that this was a fake. But my brother, and my parents, still tried to check, and asked me several times to check, just in case maybe it is true.

They got annoyed when I told them, what they knew, that there isn’t a point in wasting time checking. They insisted. And when I actually checked, and reported back about the numerous reported cases of these scams, and obviously nothing real of the sort, they still kept insisting to maybe check again.

Almost sad to know that I share the same genes…

They got over it eventually. I just became more rude in pointing out all the obvious problems very clearly. But hey, send something that makes no sense with a bait of a thousand Euro, and you’ll get instant scepticism. Do it with a million, and you’ll get a higher scepticism, but combined with a higher willingness to ignore it.

Depressing, actually. Even people who are relatively well off, and don’t need it, still get a little silly when the possibility of plenty of easy money comes off…

The supportive argument my brother came up with that most amused me was that they knew his name and address, and how could a scammer know these? Even before addressing the question, this is obviously a pathetic excuse, since by the same measure how would the real Spanish lottery know them, when he didn’t buy a ticket (or ever even been to Spain)?

Just because something is an official institute doesn’t make it easier for them to know details that “nobody can know” compared to anyone else.

And, naturally, things like names and addresses are in lots of places. Easy, too easy, to know. It’s a major privacy issue, but also a part of life. Everyone (hermits and total paranoids excluded… sometimes) leaves their information in too many places. Almost any business or service someone interacts with will collect information, which can sometimes include an address. Plenty of government offices will as well. There are probably so many different registries that contain my brother’s name and address that guessing which one these scammers took the info from will not be possible.

Not for him/us, anyway. The police may be able to. If they get enough complaints, and can cross enough of the people somehow. But that’s doubtful as well, given how prevalent this information is.

At least nothing came of it, except for the amusement value. And the envelope and paper as small mementoes, if the police won’t impound them for investigation…

Context counts, even in spam blocking

March 15th, 2006

Different kinds of spam, while all being spam, are still different. As such, tools useful in limiting one kind are often not at all appropriate for another.

And lately one of those right tools for the wrong job is becoming very popular. In this case the DSBL list of open SMTP relays.

Open SMTP relays are basically mail servers set so that anyone could connect to them and send email messages through them. There’s nothing wrong with having a mail relay, but there is a problem with them being totally open and unauthenticated. They’re very popular with spammers, because the spam senders can connect to these relays and send their spam messages through them, instead of directly from their own computers.

Which is why things like the DSBL list exist. Mail servers can choose to check all incoming messages against the list, and if an incoming message came from one of those known open relays, they can treat the message as probably being spam. It won’t always be spam, but there’s good enough a chance that the false positive ratio isn’t too big.

The problem starts when people try to use the exact same list to decide if comments on blogs are spam. There is no real connection between the two. Blog comments are not sent as email messages, and do not transfer through those mail relays. And many of these relays are not intentionally so, but are rather just badly configured. Blocking email from them is legitimate, because they’re open to abuse. But blocking blog comments from them isn’t, because nothing on them indicates that they’re used by comment spammers instead of real people.

My problem isn’t with the concept of checking against problematical lists. There are alternative lists like the Blitzed DNSBL which are based on open proxy servers. Proxy servers are ones which allow regular web access methods to be transferred through them, such as the ways used to post comments to blogs. And comment spammers do use these.

It’s just that more and more people are blocking against the wrong kind of list. They’re protecting themselves against the wrong kind of spam. Meaning that a large majority of the addresses they block will be false positives. And that’s a bad ratio.

This is becoming a larger problem because it becomes easier to use. Many of the popular blogging platforms have plug-ins to fight spam. And a few, which are increasing in popularity, allow to check the IP address of the comment poster against such lists. And the DSBL list often comes on by default, for reasons I can’t quite grasp.

Pointless, and irrelevant. Fighting spam is good, but people should do it properly, not with the wrong methods. People sometimes don’t notice this, though, because these lists are often combined, including both mail relays, and some proxies. Which means they may sometimes also block what people think they will. But using just a combined list is too blunt an instrument. It’s akin to blocking all English speaking people because there are spammers in the US.
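
To make the distinction concrete, here is an added example (not code from any blogging plug-in or from the lists named above) of a check that consults a DNSBL only when the list tracks the channel the content arrived on. The zone names, the `lookup` stand-in for a DNS A-record query, and the sample listings are all constructed.

```javascript
// Added example: pick DNSBL zones by what they track, not by what is available.
// Zone names are hypothetical; `lookup` stands in for a DNS A-record query.
const LISTS = [
  { zone: 'relays.dnsbl.example', tracks: 'open SMTP relay', appliesTo: ['smtp'] },
  { zone: 'proxies.dnsbl.example', tracks: 'open HTTP proxy', appliesTo: ['comment'] },
];

// DNSBLs are queried by reversing the IPv4 octets and appending the zone.
function queryName(ip, zone) {
  const octets = ip.split('.');
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error('not an IPv4 address: ' + ip);
  return octets.reverse().join('.') + '.' + zone;
}

// Consult only the lists whose subject matches how the content arrived.
function checkSender(ip, context, lookup, lists = LISTS) {
  const consulted = [];
  const skipped = [];
  const hits = [];
  for (const list of lists) {
    if (!list.appliesTo.includes(context)) {
      skipped.push(list.zone);
      continue;
    }
    consulted.push(list.zone);
    // A listed address resolves to an answer in 127.0.0.0/8; no answer = not listed.
    const answer = lookup(queryName(ip, list.zone));
    if (answer && answer.some((a) => a.startsWith('127.'))) {
      hits.push({ zone: list.zone, tracks: list.tracks });
    }
  }
  return { ip, context, listed: hits.length > 0, hits, consulted, skipped };
}

// Constructed resolver data: 192.0.2.10 carries an old open-relay listing,
// 198.51.100.7 is a listed open proxy. Any other name is unlisted (null).
const SAMPLE_ZONE_DATA = {
  '10.2.0.192.relays.dnsbl.example': ['127.0.0.2'],
  '7.100.51.198.proxies.dnsbl.example': ['127.0.0.2'],
};
const sampleLookup = (name) => SAMPLE_ZONE_DATA[name] || null;

// The relay-listed address is rejected for mail but allowed to comment.
console.log(checkSender('192.0.2.10', 'smtp', sampleLookup).listed);
console.log(checkSender('192.0.2.10', 'comment', sampleLookup).listed);
console.log(checkSender('198.51.100.7', 'comment', sampleLookup).listed);
```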

Another thing which complicates using such lists, and blocking based on computers’ IP addresses in general, is dynamic addresses. Many internet users receive a dynamic IP address from their ISP whenever they connect to the internet. This means that when they disconnect, and then reconnect, they get a different address. And the previous address gets back into the pool of addresses, to be given to a different user.

If someone has a badly configured server on a home computer with a dynamic address, and it manages to get into such a list, that will not prevent them from sending spam (whether email, comment, or other kind), but will block other users of the same ISP instead.

The reason for this rant is, well, that this happened to me. More than once. I was blocked a few times posting to different blogs, because my IP address, my dynamic IP address that I possibly never used before that day, was included on the DSBL as an open mail relay.

And they were added to the list over either a single incident, or two incidents, which occurred no later than 2004. Someone had a server that allowed people to send mail messages, and because of that I was blocked years later from posting comments on a blog.

The first time this happened I thought it was a non-issue. But it’s becoming one very fast.

Yes, any form of automatically detecting spam will have false positives. But that’s not a reason to go with forms which will only happen to have non-false positives by pure luck. There are other ways to fight spam than methods which will interfere with legitimate users more than they will interfere with spammers.