Disorderly Content

2008-08-18

They're not even trying!

Just arrived in my inbox:

    Goodday,

    I require a partner to transfer $8.6m that belonged
    to a dead customer of my bank.

    Reply for more information on
    the procedure.

    Regards,

Jeeze, how lazy can they get?

2007-07-12

Persistence

Having a blog that supports comments means dealing with comment spam. For a long time I dealt with the spam in an ad hoc and mostly brute force way: deleting it and filtering out anything uniquely spammy to keep the same spam messages from recurring. It was a holding action at best. And when I prepared to go on my first long vacation where I'd have limited net access, I seriously considered turning comments off for the duration. It's not like I get many real comments, after all. But in the end I found a better alternative, a simple CAPTCHA I hoped would deal with the more egregious spammers. So far it appears to be working, even as I realize that mentioning it is practically begging to be attacked.

So today, with that vacation a couple of weeks in the past, I got curious about my website traffic, and specifically about how many spam attempts I was receiving. It's easy enough to detect: just look for the POST requests in my log and see if anything interesting pops up. What I found surprised me: a single IP address was responsible for three quarters of the 25,000 attempts to post a comment to one of my two blogs in the last month. (During that month I had maybe three actual comments, so either the CAPTCHA is working really well, or I'm confusing real commenters as well as the Minions of Satan.) That IP address belongs to a domain called netcathost.com, which a Google search reveals to be a Minion of Satan of long standing. He apparently owns a sizable range of IP addresses, which makes me wonder why I only get the one. Still, it makes it easier to deny his bot access to my site, even if my simple CAPTCHA is good enough to block his messages.
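The log check described in this post, sketched as an added example (not the blog author's script): it counts comment POSTs per client IP and reports the top poster's share. The Apache combined log format, the `/blog/comments` path and every address in the sample are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log (documentation-range IPs, hypothetical paths).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2007:03:14:07 -0700] "POST /blog/comments HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Jul/2007:03:14:09 -0700] "POST /blog/comments HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Jul/2007:03:15:00 -0700] "GET /blog/ HTTP/1.1" 200 8121 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2007:03:15:11 -0700] "POST /blog/comments HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Jul/2007:03:16:42 -0700] "POST /blog/comments HTTP/1.1" 200 640 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jul/2007:03:17:05 -0700] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is truncated and must be skipped
192.0.2.44 - - [12/Jul/2007:03:18:30 -0700] "POST /search HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# client IP, ident, user, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def comment_posts_by_ip(lines, path_prefix="/blog/comments"):
    """Count POST requests to the comment endpoint per client IP."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed or truncated entry
        if m["method"] == "POST" and m["path"].startswith(path_prefix):
            counts[m["ip"]] += 1
    return counts


def top_poster(counts):
    """Return (ip, attempts, share of all attempts), or None if no POSTs."""
    total = sum(counts.values())
    if total == 0:
        return None
    ip, attempts = counts.most_common(1)[0]
    return ip, attempts, attempts / total


if __name__ == "__main__":
    counts = comment_posts_by_ip(SAMPLE_LOG.splitlines())
    print(top_poster(counts))
```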

2007-05-01

At least you asked nicely

Ah, a spammer with a sense of irony. Having noticed a typo in my previous post, I made the correction and uploaded it to my server. Which noted that some email had shown up in one of my spamboxes, so I took a moment to see what form of luncheon meat it was. Logging in ran my comment spam checker, which shows me any blog comments posted recently. And what should I see but yet another piece of drug sales spam (and who in the world buys life altering chemicals from some sleazebucket on the Internet?). But this one was special: it started with a plea to the webmaster to "Please do NOT remove this message". Which of course I did. Still it was nice, and entertaining, to be asked.

(Did he really think that would work? Then again, he's used to selling to people too stupid to recognize a bad idea when it's shoved in front of them.)

2007-03-24

Hack Attack!

Jeeze, that didn't take long at all! I've been on MySpace for all of two weeks and already I'm under attack! Early this morning I had two new friend requests, both with photos so professionally perfect that I knew they were some form of con. But of course I wanted to be sure, or maybe I just wanted to see in what form the con would present itself. So I clicked on the profile to get a splash screen I hadn't encountered before: The link above takes you to an image on Flickr. It's perfectly safe, unlike the real thing which installs a trojan that does untold damage. Or it might have, if I weren't on a Mac and unable (and unwilling) to run Windows executables. So once more I breathe a sigh of relief, feel just a teeny bit smug and then wonder if I should reconsider my views on the death penalty. For spammers and scammers like this, maybe the good of society would be served by extreme prejudice.

2007-03-03

Bait & Switch

I've never been a fan of Best Buy; my occasional visit there makes me look on Fry's Electronics with favor. But that was mostly over their sales tactics and the general competence of their staff. (Geek Squad, take note: it takes more than dressing like a loser to make you a computer nerd.) There's a difference between being pushy and outright dishonesty. And Best Buy? You've stepped way over the line.

I refer to stories over the past few days about Best Buy's shadow web site, an inside-the-store copy of the corporate site that has higher prices than the one they show the outside world. As I understand it, the scam (and I select that word carefully) goes like this: customer comes into the store, expecting the same good deal they saw on the web. Employee brings up the item, which shows a higher price. "Gee," employee says, "guess the price went up." And customer, assuming he doesn't want to come away empty handed, accepts the explanation and pays the higher price.

The story ends with the statement that Best Buy has "failed to give clear answers" about the purpose of the phony site. Yeah, that ought to be a good story, assuming they can maintain a poker face. I'm betting not.

2006-09-24

I almost fell for it!

I just got home from a grocery run. And checking my email I saw I had a message from Paypal. It was a confirmation of a payment of several hundred dollars for a cell phone. Clearly there was a mistake, and I came within a hairsbreadth of clicking on the convenient Dispute Transaction link at the bottom of the message when it hit me: Scam, scam, scam, scam.... Sure enough, mousing over the link showed a numeric IP address on the URL. So of course I went to my browser, logged into Paypal and verified that there were no suspicious transactions. And then I forwarded the email to Paypal.

Nice try, guys. At least there's something original going on.

2006-06-19

Do I really look that stupid?

I run a modestly successful blog. No, not this one; I'm talking about my iTunes music blog. Having a music blog means I get approached on occasion by musicians and music fans, all hoping I'll provide a plug. One positive is that it's been generally easy to tell the difference between a band that wants exposure, even as little as I'm likely to provide, and a fan who just wants to share a new discovery.

Well, easy until today. Because today I got an email from someone who claimed to be a fan of some singer I'd never heard of. And I might have bought her story if I hadn't followed the link to her blog, which consisted of five whole entries over six months, five of which are about this same obscure performer. Or if this blogger hadn't claimed to be from Minnesota, despite a fractured syntax which suggests that wherever she was schooled, it wasn't within the borders of these United States. (No, not even Canada.) Or, for that matter, if I didn't think the subject of her blog sounded like a bunch of cats fighting it out in a garbage can. A really tinny garbage can.

It's possible I'm wrong; that she isn't trying to scam me (and by extension you, my beloved reader), that she's just an inarticulate midwesterner with truly appalling taste in music. Possible but unlikely. In any event, there's a reason I'm not providing any information about my correspondent or her taste in music: I respect you too much for that. After all, you're here, aren't you?

2006-06-12

There's this virus going 'round...

I'm a member of a Yahoo! Group for submitters to microstock photography agencies; it's a place where we can discuss the business or hobby or whatever microstock is to us, free from the sometimes draconian censorship policies of the agencies' own forums. Anyway, today I got a couple of large messages with the Subject line of New Graphic Site. They claimed to be lesbian porn, although the attachments had another type of screwing in mind. Fortunately, Thunderbird doesn't display images in messages without my permission, so I wasn't at risk. But I did have to laugh at the signature Yahoo! appends to all its messages:

    Tired of spam? Yahoo! Mail has the best Spam protection around

Which leaves me wondering if it's that same best Spam protection around that didn't catch this particular bit of nogoodnikware. Four times to our group alone!

2006-04-06

Not just a spammer, but a lying weasel spammer

At the request of Dori at Backup Brain, a link to her post about Michael S. Cox, a spammer with the nerve to deny that he's that Michael S. Cox.

2006-02-14

Sleazy and stupid

As bad as spammers are, I really have to wonder about the ones who are too stupid or too lazy even to get their messages right. In the past few days I've had several pharmaceutical spams that squeezed past my filters. They're the usual stuff: misspelled words and special characters to bypass dictionary-based filters, a minimum of words, a different variant on the same phrase, this one reading We are your One Stop Shop for Substantial Dicounts. (I've never been much for dicounts, much less substantial ones. You of course may have your own opinion on the subject.)

But what's really special about this bit of canned luncheon meat is the URL, which is of course the real cargo of the message. And yet somehow I don't think they really want me to point my browser at <http://www./>. Or maybe they do; maybe they're trying to make me crazy, so I'll need the psychotropic drugs they're planning to offer me in a later mailing.

Or not. Maybe these particular spamming b@stards (hey, I can do it too) aren't even smart enough to use their own spamming tools. Yeah, that'd be my bet.

2006-02-12

That's gotta be bad for business

Over at Google Blogoscoped there's an article about how a search engine optimization (i.e. "Let's game Google") firm called Traffic Power and its clients have been removed completely from Google's index. As a naive believer in fairness, I think SEO ranks just below spam on the list of modern tech evils, so I can't help but feel that we're seeing a little frontier justice in action. Or maybe I'm just jealous that these guys have the money to get attention on the web. I have to do it the old fashioned way: through wit and charm and useful information. And we can all see how well that's working.

2006-02-09

A blast from the past

We all know that spammers are scum. But every now and then they do something that's at least momentarily entertaining. Like this call from beyond the grave of jobs past I just received. Actually, I've seen a couple of them in the last 24 hours. And they're all addressed to me at my current email address. But what's interesting is that they're addressed from me as well. But not at that address, which of course wouldn't be interesting at all. No, they come from, and I quote:

    From: "Shiffman" <shiffman@slappy.engr.sgi.com>

Which used to be me, back in the 1990s when I worked at Silicon Graphics and had a computer I'd named in honor of Slappy Squirrel of Animaniacs fame. Speaking of which, when d'ya think we'll see Yakko, Wakko and Dot on DVD? Anybody?

2005-11-15

Chutzpah redefined

I've always gone with the classic definition of chutzpah: the guy who kills both his parents and then asks the court to show him mercy because he's an orphan. But I may just have to reconsider. Because this one fits as well if not better. It's an email message I just received. Judge for yourself if the word fits:

    Subject: Dear Hank,

    I use a good spam filter, and you probably do the same.
    I have whitelisted you and that means that I will receive all the emails you send to me.
    I would appreciate it if you would whitelist my email address:
    * * address deleted * * in your spam filter.

    If you don't have a spam filter, I can recommend * * product name deleted * *. It is a highly effective free spam filter for Outlook and Outlook Express.

    You can get the free * * product name deleted - again * * here:
    * * URL deleted * *

    I hope that you will whitelist me, so we can continue to communicate safely via email in the future.

    Best regards

    * * name deleted * *

Needless to say, I've never heard of the author of this oh so helpful missive. But I want to thank him, her or it for caring so much about the safety of my electronic communication. Unless... do you suppose this was just a ruse to get me to download some piece of software? But... wouldn't that make this... spam?

2005-11-05

Selling the Brooklyn Bridge

...or at least a nice picture of it. As I've mentioned a few times before, I've gotten caught up in taking pictures and attempting to sell them on several microstock photography websites. The idea is that designers of websites, brochures, magazine ads and the like can search websites for appropriate graphics to include in their work. They pay a few dollars for each image, which the stock photo site shares with the photographer.

Anyway, a while back there was a lot of sturm und drang on one of the stock sites about somebody who was selling prints on eBay. The problem is that the prints were of pictures that were purchased from that site, a site which is pretty explicit about what are appropriate and inappropriate uses of purchased photos. And the license terms do not allow for printing and selling copies of photos. As I'm sure the eBay seller knew all too well. I mean, you read those click-through licenses carefully, don't you?

That seller was dealt with. And then it happened again, only with a twist. This time when the seller was told to stop selling what doesn't belong to him, he explained that he'd bought a sort of business kit on eBay. Somebody was selling a printer, a library of images, and the idea that you'd make a business out of selling photos on eBay. Of course, the buyer of the kit had no idea the seller didn't have the rights to what he was selling.

Which reminds me of all those ads for work at home businesses, the kind that involve stuffing envelopes. Which always seem to turn out to be businesses selling those same work at home businesses to even more gullible people, who'll have to find new gullible people to sell to. As with everything else that promises an easy way to make money, Caveat Emptor: Let the buyer beware.

2005-10-05

Stock scam spam slammed

My antispam filters are doing okay against most of the deluge, but I'm still having trouble keeping the pump & dump stock scammers' emails away from my inbox. I've never had the urge to investigate any of the stock offerings these people (and I use the term in its loosest sense) announce with such breathless enthusiasm. Fortunately, someone else does. As I just read at Boing Boing, a website called Spam Stock Tracker has a real time display of the performance of a basket of penny stocks being pushed by the scammer-spammers. To my very great surprise, the news is not at all good; the theoretical portfolio has lost almost half its value since the experiment began in May. Gee, and they seemed so genuinely excited!

(One amusing side note: the owner of the site is using Google AdSense to try to make a few pennies from his traffic. And one of the ads Google considers relevant to his content has the title Hot Penny Stocks. There's a bit of irony here; if only I were clever enough to articulate it...)

2005-09-12

Just how stupid do they think I am?

A few days ago (on my birthday of all days) I got a call from my bank that one of my credit card numbers had escaped into the wild. Which is a minor hassle but, thankfully, nothing more than that. But that's why it took me more than a second to recognize tonight's email invasion attempt for what it was.

The email isn't remotely subtle. The subject is simply Error, the return address linda@support.com and the text of the message: Your credit card was charged for $500 USD. For additional information see the attachment. Oh, and that attachment: a 15KB file with the unsubtle name of archive.exe. Not running Windows, an EXE file poses no threat. But really; just how stupid would someone have to be to double click on an attachment in a message this obvious? I mean, all that's missing is a big claxon and a flashing warning:

THIS IS A REALLY, REALLY BAD IDEA!.

No bull

I've been getting a lot of spam lately from pump & dump operations telling about the wonderfulness of the latest penny stock. Today's example is a little more egregious, in part because it looks so much more professional and pretends to play by the rules. Like the claim that I signed up with them (as if I would!), that they're in compliance with the CAN-SPAM Act (uh huh) and that all I have to do is click on the link below to remove myself from their list. Except that they seem to have neglected to include the link, which I'm sure is an innocent oversight.

Or maybe not. The name of this paragon of virtue? Bull Ventures. Which I guess is what's known as truth in advertising...

2005-08-27

In LA, you need a scorecard

When I lived in Los Angeles, it seems like half the people I met were either in the entertainment business or trying to be. The temp receptionist with the development deal for a TV pilot, the guys on the loading dock with the band and the connection to one production company or another, the infinite numbers of would-be actors waiting tables. There are so many real phonies in La La Land that it's hard to imagine why there'd be a need for phony phonies.

Which is why a story in the LA Times is so fascinating. Somehow a con man managed to get an entire group of people to work on a nonexistent reality series, all waiting for paychecks that never came, many of them advancing their own money for the project. Some of them were the usual Angelinos who thought they were getting a huge break. But others were real professionals who should have known better.

And suddenly Ed Wood seems the epitome of Hollywood virtue...

2005-07-08

You're billing information!

Unless the only mail you get is delivered by somebody in a postal uniform, you probably get at least a couple of phishing emails a week. You know what I mean; they claim to come from eBay or PayPal and tell you your account is about to be closed unless you log in and update everything. I got one of these PayPal scam attempts just moments ago. Which is hardly news, right? Except that the heading on the message got my attention. "You're Billing Information!", it screams. Well, the hell I am. I'm not billing Information or anyone else. Unless of course that's an example of the grammatic incompetence of the would-be scammer, who doesn't know the difference between you're and your. If I wasn't already wary, the illiteracy of the message would be a dead giveaway.

It's the little things, you know?

Update 07/09: This guy makes a similar point, aside from being more inclusive and considerably more amusing.

2005-07-05

Newsflash: Spammers have no shame

One of my hobbies is helping actress and entrepreneur Virginia Hey with webmastering duties for her sites. That includes checking and cleaning out spam, of both the comment and trackback variety. Today I got a bit of a surprise, one I had to validate. But yes it's true; some trackback spammer has actually registered the domain www.unitedinchristchurch.org as a link to one of those poker sites. I'm not even a Christian and I'm offended by this one.

2005-06-09

Avoiding social diseases

Of all the attempts to infect my computers, I am most amused by the "social" diseases. These are viruses that don't infect directly. Instead they try to get me to do something stupid, in effect to infect myself. Like the well meaning friend who passed along a message about a Trojan Horse that was assaulting Windows, including instructions for tracking down the problem file and deleting it. Except, as I informed her, that file was not an attack; it was a necessary part of Windows. The attack was in the message, and in the credulity of its recipients.

What brought that incident to mind was a message I just received, purportedly from the antivirus people at Symantec. I include the text of the message for your edification and/or amusement:

    The sample file you sent contains a new virus version of buppa.k.
    Please update your virus scanner with the attached dat file.

    Best Regards,
    Keria Reynolds

I might have been fooled, except for the fact that I sent no such sample file, do not run any Symantec software, and do not have an infectable computer (i.e. one running Windows). Even if any or all of these were true, I can't imagine being foolish enough to install the file provided by this kind Ms. Reynolds. And even if I were, would I really trust a file called "signature.zip"? Is anyone that gullible?

Yes, that was a rhetorical question.

2005-03-20

We test outrageous claims so you don't have to

The world is full of wonderful products that do amazing things, often in violation of the laws of physics (and, one would hope, the laws of the State of California). I get a kick out of the pseudoscientific explanations for how these amazing inventions can do what common sense should tell us is impossible; theirs is some of the most creative writing on the planet.

But I love the spoilsports even more. Like Daniel Rutter of Dan's Data, who devotes way too much time and energy to something called the Batterylife Activator, a magical sticker that somehow restores health and wellbeing to out of shape Lithium Ion batteries. Dan describes in excruciating detail how this miracle product is supposed to work, although with rather more sarcasm than one would expect from a truly objective evaluator, his testing methodology and the results of the test.

I am, I hope, not giving away the last page of the mystery if I suggest that the Activator has all the characteristics of a classic product scam, complete with testimonials by major corporations and universities, although never with enough detail to verify same. Although the fact that I place this one in scams rather than tech may have already given away the surprise ending.

2005-02-06

The phishermen are getting sneakier

I'm used to getting phishing emails. I'm sure you've seen them, the messages from eBay or your bank or brokerage house claiming that your information is incomplete and must be corrected within 48 hours. Or else! Whenever I get one of these things, I switch to the raw source view of the message to find the scam. Usually it's a numeric IP address in a URL; sometimes it's a tricked out text URL that looks right, but only if you don't look too closely.

But as I said in the title, they're getting sneakier. Today I got one from eBay requiring an update of contact information, including a phone number. And my cursory examination of the message made it look genuine. Including the first Received header, which claimed to be from a real eBay server:

    Received: from csa002.corp.ebay.com (172.180.94.12 [172.180.94.12])
        by pmta02.mta.everyone.net (EON-AUTHRELAY) with ESMTP id BF439CF9
        for <**********>; Sun, 6 Feb 2005 16:15:47 -0800
    
And I didn't spot any phony URLs in the plain ASCII version of the message or the HTML version. Still, being the paranoid sort, I went directly to eBay to check my contact information. And discovered something interesting: nowhere do they ask for a telephone number.

That made me doubly suspicious. So I went back to the email, where I found what I'd missed the first time in the HTML version of the message:

    <FONT face=3DArial><A 
    href=3D"http://signin.ebay.com-ws2.org/DLLupdate/eBayISAPI/login.html" 
    target=3D_blank><FONT face=3DArial color=3D#0000ff
    size=3D2>http://signin.ebay.com//ws2/eBayISAPI.dll?SignIn&ssPageName=3Dh:h:sin:US</FONT></A>
    
Do you see it? The URL in the <A> tag that goes to signin.ebay.com-ws2.org instead of signin.ebay.com? I have of course forwarded the message to eBay. With any luck at all, this particular site will be shut down before too many people get caught. But it's a sad day when I start thinking of spammers as benign creatures. Even if it's only relative.
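The two tells described in these posts, a numeric IP address in a link (the PayPal message) and an `<A>` whose href host differs from the URL shown as its text (the eBay message), can be checked mechanically. This is an added example, not code from the original post: it decodes the quoted-printable source and compares the hosts. The first anchor in the sample is the one quoted above; the other two links are constructed placeholders.

```python
import ipaddress
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anchor from the post plus two constructed links (192.0.2.10, example.com).
SAMPLE_QP_HTML = (
    b'<FONT face=3DArial><A\n'
    b'href=3D"http://signin.ebay.com-ws2.org/DLLupdate/eBayISAPI/login.html"\n'
    b'target=3D_blank><FONT face=3DArial color=3D#0000ff\n'
    b'size=3D2>http://signin.ebay.com//ws2/eBayISAPI.dll?SignIn&ssPageName=3Dh:h:sin:US</FONT></A>\n'
    b'<A href=3D"http://192.0.2.10/dispute">Dispute Transaction</A>\n'
    b'<A href=3D"http://www.example.com/help">http://www.example.com/help</A>\n'
)


class AnchorCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased host of an http(s) URL, else None (e.g. "Click here")."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    return parts.hostname if parts.scheme in ("http", "https") else None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(qp_body):
    """Return suspicious anchors found in a quoted-printable HTML body."""
    html = quopri.decodestring(qp_body).decode("utf-8", errors="replace")
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.anchors:
        target, shown = host_of(href), host_of(text)
        reasons = []
        if target and is_ip_literal(target):
            reasons.append("href host is a numeric IP address")
        if target and shown and target != shown:
            reasons.append(f"text shows {shown} but href goes to {target}")
        if reasons:
            findings.append({"href": href, "reasons": reasons})
    return findings
```

Comparing full hosts rather than searching for a brand name matters here: `signin.ebay.com-ws2.org` contains `signin.ebay.com` as a prefix, but its registered domain is `com-ws2.org`.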