If you tell enough stories, perhaps the moral will show up.

Showing posts with label spam. Show all posts

2010-01-14

It's a Dirty Job

Diane gets sex spam and she doesn't like it. She's sent up an offensive example.

Now I don't know why the filth heads toward her mailbox, but a quick look at her quarantine shows that there's plenty of raw ... offers ... being blocked. A closer look at the one that got through reveals the reason. There's not a single dirty or ambiguous word, it's barely even English:

If you are disappointed in its second half, bold, come in. I can do for you is - what can not no girl! enter here (a link).

Where's the harm in that? Well, it's obvious. Obvious to me and obvious to Diane too. But utterly undetectable to the machine that's trying to keep solicitations out of her mailbox.

So I have to go down and tell the lady that her basic problem is her dirty, dirty mind.

2009-11-01

2009-10-01

Spam Counter - 2009 September: 818

More phishing than usual.

2009-08-30

Spam Counter - 2009 August: 967

Very evenly mixed bunch. I liked "Stimulate her grotto better"

2009-08-01

Spam Counter - 2009 July: 1010

Penis 60%
Acai 10%
Watches 5%
Other 15%

2009-05-31

Spam Counter - 2009 May: 1358

That's bad.

I'm seeing Acai Berry among other approaches to the size of my waist and a renewed emphasis on the size and stiffness of my male member. There are fewer fake watches -- the SS Submariner -- and a very few swine flu.

2009-05-15

Password-Stealing Spam

Big current spam trick: The stolen webmail account.

Hotmail etc. make it hard to register accounts for spamming, so a lot of mail out of their relays isn't spam. And that means that spam detectors mod up mail coming through those gateways -- if it's truly from Hotmail, it's much less likely to be spam. So we're seeing a resurgence -- it feels like 1998 -- of spam from public webmail services. Examined, it turns out:

  • To be from a real MSN/Hotmail/Yahoo account (they're not just spoofing addresses -- that wouldn't work)
  • To be pushing Chinese electrical goods (if it was stiffy lollies, the language would push the spam balance back to "block")
  • It's all sent from Chinese IP addresses. Whether it's .fr, .co.uk, or whatever, it's all pirated from China.

I wrote about this, from the other side, last year. But this is more sophisticated, going to big lists, not just address books.

Just another penalty of being spywared.

2009-04-30

Spam Counter - 2009 Apr: 986

But it was 1300 earlier in the month.

There's a big new botnet at work -- quarantines at have vastly increased lately. Mostly traditional stuff with rather more images and spam poetry than we've seen lately.

One thing that stands out is the new wonder drug: Magnesium Oxide. Why am I getting Magnesium Oxide spam? It's milk of magnesia -- an antacid. Why would anyone buy that online? What really perplexes me is that they obviously expect their target market to know why they want it -- or is it that people who respond to spam are precisely the people who will buy anything?

2009-04-07

Spam Counter - 2009 Mar: 939

At least it's not going up.
"Update your manhood here and now" (upgrade?)

2009-03-28

Authentication News Roundup

Two items tonight, on the Authentication Hotline

Rubbish Disguises
City financial types are being directed by firms and industry bodies to wear casual clothes on the riot days, so they don't stand out. It's a lovely idea -- take one middle-aged bank operative, replace suit with M&S chinos and polo shirt and Shazam! indistinguishable from a climate change protester.

Or maybe you could try wearing a keffiyah. That should do it.

Effective Disguises
New spam trend: We're starting to get stiffy lolly spam pointing to .cn sites. The sender appears to be bright enough to realise that firms have filters which spot this a mile off, but also that there will be approved addresses bypassing the filters. So this mail is spoofed from plausible addresses. Yesterday I removed unisys.com from our approved list which should stop the immediate problem, but the attack is going to work until there's some way of authenticating envelope sender addresses.

The problem will really kick off when spammers realise that everyone has a bypass for FT.com because their news alerts are totally indistinguishable from spam.

I guess we need a checkbox. For any bypass, domain or just a single address, you need to be able to say "only bypass if the sender is SPF authenticated".
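
The checkbox described above, sketched as an added example (not code from the original post or from any filter product): a bypass entry only applies when the receiving mail server itself recorded an SPF pass for the same envelope-sender domain. The authserv-id `mx.example.net`, the `BYPASS` table, the function names and the sample messages are all assumptions made for illustration.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id our own MTA stamps
# Hypothetical bypass list: sender domain -> "only bypass if SPF authenticated"
BYPASS = {"unisys.com": True, "ft.com": True}

def spf_pass_domain(msg):
    """Domain our own MTA recorded as spf=pass for the envelope sender, else None."""
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        if not parts[0] or parts[0].split()[0].lower() != TRUSTED_AUTHSERV:
            continue  # stamped by someone else, so the sender could have written it
        for method in parts[1:]:
            if not re.match(r"spf\s*=\s*pass\b", method, re.I):
                continue
            m = re.search(r"smtp\.mailfrom\s*=\s*(?:[^\s@]*@)?([^\s;]+)", method, re.I)
            if m:
                return m.group(1).lower()
    return None

def bypass_filter(msg, envelope_from):
    """True only if the envelope sender is on the bypass list and, where the
    checkbox is ticked, SPF passed for that same domain."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    if domain not in BYPASS:
        return False
    if not BYPASS[domain]:
        return True  # unconditional bypass: what the spoofed mail relies on
    return spf_pass_domain(msg) == domain

# Constructed sample messages (not real mail).
GENUINE = message_from_string(
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=alerts@unisys.com\n"
    "From: alerts@unisys.com\nSubject: Service notice\n\nbody\n")
SPOOFED = message_from_string(
    "Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=alerts@unisys.com\n"
    "Authentication-Results: relay.invalid; spf=pass smtp.mailfrom=alerts@unisys.com\n"
    "From: alerts@unisys.com\nSubject: Special offer\n\nbody\n")

if __name__ == "__main__":
    for name, msg in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, bypass_filter(msg, "alerts@unisys.com"))
```

The second `Authentication-Results` header in the spoofed sample carries a foreign authserv-id and is ignored, so a pass claimed by anyone other than the receiving server never unlocks the bypass.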

2009-03-02

Spam Counter - 2009 Feb: 972

Mostly drugs. Some Rolex. I particularly liked "Unlock her odorant gates" but it was just a graphic so I can't tell what it was about.
It's going up. I suppose the spamternet has interpreted the loss of McColo as damage, and routed around it.

2009-02-01

Spam Counter - 2009 Jan: 850

850 -- Rolex and Canadian Pharmacy

2009-01-06

Spam Counter - 2008 December: 727

Still dropping. Maybe spammers take Christmas off. If the returns are as poor as we're told, that's not surprising.

2008-12-13

Spam Counter - 2008 December 13: 634

Can't put this on the graph, but one month on from McColo it's still falling.....

2008-11-30

Spam Counter - 2008 November: 852

This month's drop is the famous McColo effect. It'll be interesting to see how a whole month without McColo looks on 12/12.
The content seems the same as ever.
Two interesting papers about email-delivered nuisances: spam and phishing. Each offers methodologies which finally give realistic estimates for the return from penis spam and phishing. Both agree there's very little profit in it -- mugs and losers are, after all, a limited resource. Which is nice.

2008-11-26

Chinese Hackers are Real, I Tell You...

... And they're planning to flood the world with cheap telephones.

Al sits close to the Head of IT -- a position that reflects his operational centrality, and the affection in which he is held. But he came to me with a puzzle about his Hotmail. It seemed that he'd managed to send himself, and all his contacts, an email advertising http://www.feixiangyu.com -- an electrical distributor.
Well, we looked at things like his spam folder, and whether it was just in fact a particularly artful non-delivery notice. But soon he had replies from his contacts congratulating him on his new business venture.....
Now the beauty of Hotmail is that it's easy to attribute. The X-Originating-IP header gives just that -- the IP address of the originating computer, which is the IP that Hotmail saw as the browser that "got" (GETed?) the send links. This one was 123.53.119.162 and Sam Spade plumps that in the middle of the Middle Kingdom. The ISP is Chinanet, and the PoP is Zhengzhou -- capital of Henan, a respectful distance from the Yellow River -- seven million people in a few square miles, and at least one dodgy marketing guy.
On the whole, I'd rather be hacked by Chinese shopkeepers than the Russian Mafia -- you're less likely to have your bank account emptied. I told Al to change his passwords, check his bank statement, and run an online AV check on his home PC. I sure hope that shows something, otherwise I'm going to have to wonder whether it happened on his office machine, and that's something I just don't want....

2008-11-01

Spam Counter - 2008 October: 1387

No real change. Penis pills and Russian ladies: Olga and TatianaG want to meet me?

2008-09-30

Spam Counter - 2008 September: 1355

Among the penis pills and the phishing we see hints of cheap clothes and dodgy diplomas. Are the times hardening? If so, Spam Will Adapt & Survive!

2008-08-30

Spam Counter - 2008 August: 1,521

Penis pills and Paris Hilton (declared a national historic monument). Breaks a five month downward trend, alas.

2008-07-31

Spam Counter - 2008 July: 1,207

Nearly all penis pills, or visit and get pwned.