The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Wednesday, June 28, 2006

Scamming the 419 Scammers

One of the things I truly love are the people who scam the 419 scammers, often with bizarre requests that the scammer must fulfill. Perhaps my favorite of all was the fellow who convinced the scammer to send photos of his family and then declared that he had fallen in love with the scammer's daughter and was on his way to Nigeria to marry her. (If anybody has the link to this story, please send it to me.)

The point of the game, generally, is to see how long you can keep the scammer on the hook before he realizes he's being made fun of, and to show off your own creativity with the bizarre letters you write.

But now comes a site that beats them all: Using the pen name "Derek Trotter", this scammer scammer responds to the scammers, telling them he's too busy awarding $150,000 art scholarships to help the scammer launder his dead relative's money. Once the scammer is hooked, "Derek Trotter" gets them to make intricate carvings and ship them to him in hopes of winning the scholarship. I present to you: Welcome to the 419 Eater.

Monday, June 26, 2006

Support Net Neutrality

[Note, good links at the end if you don't want to read the whole thing.]

What has this to do with spam? Diddly-squat. I write about it because the loss of net neutrality is the only threat I've ever seen to the internet worse than spam.

A little background: back in the Elder Days, when cable TV first came about, I thought it was going to be a boon to the consumer.

Ever watch the Olympics? Eight million different sporting events, and the only ones you can actually watch are the ones that the U.S.A. is winning medals in, or the ones that involve young women in spandex.

Well I thought that cable TV would rescue us from that nonsense. "Finally," I thought, "we'll have a dozen channels of Olympic coverage to choose from". Boy, was I wrong. Turns out that it all comes down to back-room deals. One broadcast network negotiates exclusive rights to cover the Olympics in America, and every other network and cable provider gets shut out. And every sporting event that the single network doesn't think will make money gets shut out too.

Now you'd think that the other carriers would be able to negotiate to carry the events the one network didn't want, but it doesn't work that way. That one network doesn't want competition, so it negotiates an exclusive deal. This is common practice in the media industry. In fact, stations and networks will often purchase exclusive rights to something just to keep it out of the hands of their competitors. I once even saw a PBS station purchase the rights to Red Dwarf, not so they could show it, but to prevent another PBS station from showing it.

Sit back and think on how bad your cable service is. Live in the wrong coverage area? Sorry, no SciFi channel for you — they didn't give us what we wanted for access to your area. Want HBO? Sure, but only if you also buy these eight other channels that you'll never watch. Olympic sailing? Sorry, CBS blacked us out.

So cable TV failed to bring us the renaissance of culture and information that the technology promised us. What the engineers gave us, the marketing team took away. As my friend Bob puts it, "The only difference between cable TV and regular TV is that it takes three times as long to realize that there's nothing on."

So what does this have to do with net neutrality? This: Those same media monopolies that fucked up cable now want to fuck up the internet. Want to run a Google search? Sorry, AT&T owns all the broadband in your town and they've partnered with Yahoo. Want to watch your favorite video blog? Sorry, they didn't pay the big fees Comcast charges anybody who wants to transmit video content over their wires. Craig's List? Ooooh, sorry; but don't worry, we have our own classifieds service with dozens of listings — we're sure you'll agree it's just as good.

Could this sort of thing really happen? It already has. AOL has been known to block its users from seeing web sites critical of their proposed pay-to-spam scheme. In 2005, Canadian telephone company Telus blocked its customers from visiting the web site of the Telecommunications Workers Union. In 2005, Shaw cable deliberately degraded a competing VoIP service.

What does the lack of net neutrality look like? Suppose the roads were all privately owned and supported by tolls. Net neutrality would be like this: you pay your tolls based on how much your vehicle weighs and how far it's going. Maybe you pay a monthly fee for unlimited access. Whatever. Just like the internet, there would be all sorts of options you could buy. But the thing is, you don't get charged by what your cargo is. Now imagine a world without road neutrality. How much do you suppose FedEx would be willing to pay the San Francisco department of roads to ban DHL trucks? What chance would your start-up delivery service stand if the big boys had already struck deals with all of the highway providers?

And what benefit does this give to the consumer? In the immortal words of Douglas Adams: None At All. What good does it do you to find out that a package you ordered can only be delivered as far as the outskirts of the city, from whence you'll have to arrange a FedEx pickup at additional cost. You may find there are businesses from whom you simply cannot order goods at all because their road provider didn't pay the fees charged by your road provider. But don't worry, there's another business inside your local driving area whose products are almost as good.

Want to know who to trust? Think about who's against it. The primary opponent of net neutrality is AT&T, one of the most evil corporations around. These are the people who allowed the NSA to monitor your phone calls, in violation of the electronic privacy laws. These are the people who signed a pink contract with a major spammer*. Those of us who remember what they were like before they were broken up are none too happy to see the old monopoly re-forming. And even more unhappy to see them stretching their monopoly to cover the internet as well.

Believe me, allowing the big telcos and cable companies to control your access to the internet benefits nobody but the big telcos and cable companies.

OK, I won't bore you with logic and similes that have already been said better than I could say them. Instead, I'll give you a few good quotes and juicy links.

"We didn't invent the internet just to turn it back into cable TV."
— Mary Hodder, Napsterization

"Right now you write a letter, seal it in an envelope, and put postage on it. The letter arrives at its destination irrespective of its content, so long as you paid postage for the weight of the letter. What if the post office were instead to rip open your envelope and extort money from the recipient, based on the urgency of the contents and the recipient's ability to pay?"
— Jeremy Shute

http://savetheinternet.com — the primary site on the subject.

Wikipedia > Net Neutrality — as always, the "go-to" reference site.

A Note to Google Users on Net Neutrality — open letter from Eric Schmidt, CEO of Google.

The Death of The Internet? — a 6-minute video that discusses the issues.

A Ninja explains Net Neutrality — my very favorite.

Ze Frank explains Net Neutrality — (mature language) also very funny. It's toward the end of the video.

Rocketboom explains net Neutrality — good explanation, plain and simple.

http://www.conservativenannystate.org/ — what conservatives really mean by small government.

Liberte, Egalite, Fraternite, Snooping — Edf.fr snoops on your browsing habits

Not strictly about spam, but serious enough for me to make a note of it: The Electricite de France web site, edf.fr (not a link, for good reasons), loads invasive JavaScript into your browser which then records all of your browsing habits into cookies which will later be returned to edf.fr.

This is an outrageous invasion of privacy. It should be interesting to see what comes of it.

Read the details in electronpusher's blog: Liberte, Egalite, Fraternite, Snooping

Sunday, June 25, 2006

Cell phone spam reaches America

First article I've seen about text spam hitting the U.S.A.: Text Message Spam Could Cost You.

In the article, Sprint and NextTel both say that if you're charged for receiving text spam, you can report it to them for a full refund. While comforting, this is hardly a solution. It's still a waste of your time to receive the spam and deal with it, and now there's the added burden of documenting it and going through the — what I suspect will be arduous — task of reporting it through the phone company bureaucracy.

Text message spam is a violation of USC 47, the same law that forbids fax spam. What I'd like to see would be a detailed list of instructions, perhaps posted on the ISIPP site or on my own HOWTOs list, telling the recipient how to track a text spam to its source and take legal action.

Amazon, del.icio.us, and other major sites also vulnerable to spam

Just to show that the big guys also fall victim to comment spam from time to time, link aggregator del.icio.us and bookseller Amazon have both been hit by blog spammers.

In the first case, blog spam has made it into the del.icio.us popular list — a list of top and most popular links. See an example at GigaOM blog article del.icio.us Popular is spammed.

In the second case, Elliot Back documents how a comment spammer has managed to get 100,000 copies of the same ad into Amazon reviews. See his article Spammers Hit Amazon.com Reviews.

Likewise, Gadi Evron of SecuriTeam reports that Reddit, a curated community news site, has been plagued with spammers and vote-bots.

Friday, June 23, 2006

Phish/zombie attack via cell phone text spam

OK, I'm not even entirely sure how to classify this one. Spammer sends text message to cell phone, thanking mark for signing up for $2/day dating service. Mark follows "unsubscribe" link to spammer's web site and is talked into downloading software with a trojan in it. Trojan turns mark's computer into a zombie.

Folks: Don't believe things strangers send to your cell phones. If you must be gullible, at least don't believe it when they say you signed up for a dating site you didn't sign up for. If you must believe it, don't download random software there just because they told you. If you must download the software from strange web sites, get a Mac.

Awww, who am I kidding? People dumb enough to do all that stuff don't read my blog in the first place.

Read all about it at ZDNet: Zombie builders send out phone texts.

Thursday, June 22, 2006

Here is why you need to secure your WiFi signal

Short story: this guy had an unsecured WiFi hub in his apartment building. Comes home early one day and spots someone sitting in the parking lot with a laptop, using his WiFi to flood the internet with comment spam.

Let me put this clearly: If you don't secure your WiFi, spammers will use your connection to spam with, and if you're unlucky, your ISP will disconnect you for spamming.

Update: Seems that the story itself may be spam, intended to attract readers to a site which sells anti-spam products. Read all about it at MetaFilter. The original author has commented to defend his story.

My comments about securing your WiFi still stand.

Monday, June 19, 2006

Google yanks millions of blog spam pages

According to Barry Schwartz of Search Engine Watch, Google has dropped about five billion pages from their index due to search engine spam — specifically blog spam. (Two years ago, I don't think they indexed that many total.)

Discussion starts at Digital Point forums where a member started a thread revealing and discussing a number of spam sites which had managed to acquire billions — yes, billions — of listings at Google.

(On Sunday, Adam Lasnik of Google chimed in and said that the absurd numbers were tied to a bad data push and did not actually reflect the number of pages the spammer had managed to get indexed.)

This is followed by a blogger's step-by-step explanation of how the spam works. Short explanation: search engines weight subdomain names very heavily as keywords, so the spammers build DNS servers that create effectively infinite numbers of subdomains that redirect back to the main page. The web server there serves up canned content that corresponds to the keywords being searched for. By having unlimited subdomains, you get around Google's limits on pages indexed per site per day. The virtual subdomains all link to each other. Finally, you set the entire system in motion with massive blog comment spams intended to bring in the search engines.
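The tell-tale sign of this scheme, from the receiving end, is one registered domain sprouting a huge number of keyword-stuffed hostnames. Here is an added example (my own illustration, not code from the blogger's write-up or from Google) that takes a batch of link targets pulled out of comment spam, collapses each hostname to its registrable domain, and flags domains with an abnormal subdomain fan-out. The URLs are constructed sample data under the reserved `.example` TLD; the two-label collapse is a deliberate simplification that a real deployment would replace with a Public Suffix List lookup.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of link targets harvested from comment spam (not real data).
# Two domains show wildcard-subdomain fan-out; forum-host.example is a normal site.
SAMPLE_URLS = [
    "http://cheap-meds.example/",
    "http://blue-pills.cheap-meds.example/index.html",
    "http://buy-meds-online.cheap-meds.example/",
    "http://meds-discount-now.cheap-meds.example/",
    "http://order-pills-here.cheap-meds.example/",
    "http://www.forum-host.example/thread/42",
    "http://forum-host.example/",
    "http://casino-win-big.lucky-slots.example/",
    "http://poker-online-free.lucky-slots.example/",
    "http://slots-jackpot-today.lucky-slots.example/",
]

NORMAL_PREFIXES = frozenset({"www"})  # hostnames every legitimate site may have


def registered_domain(host):
    """Collapse a hostname to its registrable domain.

    Simplification: keeps the last two labels. Production code should use the
    Public Suffix List so that e.g. 'shop.co.uk' is not collapsed to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def subdomain_fanout(urls):
    """Map each registrable domain to the set of distinct hostnames seen under it."""
    fanout = defaultdict(set)
    for url in urls:
        host = urlparse(url).hostname
        if host:
            fanout[registered_domain(host)].add(host.lower())
    return fanout


def flag_wildcard_abuse(urls, min_hosts=3):
    """Return {domain: count} for domains whose distinct-subdomain count reaches min_hosts.

    The bare domain and 'www' are not counted, since a normal site has both.
    """
    flagged = {}
    for domain, hosts in subdomain_fanout(urls).items():
        distinct = {h for h in hosts
                    if h != domain and h.split(".")[0] not in NORMAL_PREFIXES}
        if len(distinct) >= min_hosts:
            flagged[domain] = len(distinct)
    return flagged


if __name__ == "__main__":
    for domain, n in sorted(flag_wildcard_abuse(SAMPLE_URLS).items()):
        print(f"{domain}: {n} distinct subdomains -> likely wildcard-DNS spam")
```

Run against a day's worth of comment-spam URLs, the flagged list is a short queue for a human to check; the threshold of three is a constructed starting point, not a tuned value.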

This caught Google's attention, and the delisting began. I just tried it myself, and queries which were returning 5 billion results are now returning zero results.

Just a quick reminder: spam reports can be sent to Google at http://www.google.com/contact/spamreport.html

Blog spammer tracked to Austria

(Via Spam Huntress). Blogger Peter Forret tracks down a spammer who hit his blog with over 2600 posts. Read his story in Meet Mark Hostetler, spammer from Austria; this article could serve as a tutorial on tracking spammers.

To summarize: The spams all pointed to domains registered in Belgium. A check of the .be whois database showed them to be registered to "Pikod Darek" of Poland. The sites themselves are hosted by spam-friendly ISP The Planet. The sites are simple redirectors which send the user to http://www.find.fm/?aid=4077, which in turn is owned by Mark Hostetler who also owns Cashwebsearch.com and Peakclick.com.
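The redirect hop is the step people most often lose, because a browser or an auto-following HTTP library jumps straight to the final page and never shows the intermediate sites. As an added example (mine, not from Forret's article), this traces a chain one hop at a time with redirects disabled, records every URL and status along the way, and stops on a loop or a hop limit. The `live_fetch` function does a real HEAD request; the `FAKE_RESPONSES` table is constructed data with made-up `.example` hostnames so the trace can be exercised offline.

```python
import http.client
from urllib.parse import urlparse, urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def live_fetch(url, timeout=10):
    """One HEAD request with no automatic redirect; returns (status, Location or None)."""
    parts = urlparse(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "redirect-tracer/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def trace_redirects(url, fetch=live_fetch, max_hops=10):
    """Follow redirects hop by hop; return [(url, status), ...] for every hop visited.

    Ends on a non-redirect status, a missing Location header, a loop
    (recorded as a final ('url', 'loop') entry) or after max_hops requests.
    """
    chain, seen, current = [], set(), url
    while len(chain) < max_hops:
        seen.add(current)
        status, location = fetch(current)
        chain.append((current, status))
        if status not in REDIRECT_STATUSES or not location:
            break
        nxt = urljoin(current, location)   # Location may be relative
        if nxt in seen:
            chain.append((nxt, "loop"))
            break
        current = nxt
    return chain


# Constructed stand-in for the network (fake hosts, not the sites named above).
FAKE_RESPONSES = {
    "http://spam-landing-1.example/": (302, "http://spam-landing-2.example/go"),
    "http://spam-landing-2.example/go": (302, "/feed?aid=0000"),
    "http://spam-landing-2.example/feed?aid=0000": (302, "http://search-feed.example/?aid=0000"),
    "http://search-feed.example/?aid=0000": (200, None),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for hop, status in trace_redirects("http://spam-landing-1.example/", fetch=fake_fetch):
        print(status, hop)
```

Each intermediate hostname in the printed chain is a separate whois lookup, which is exactly how the ownership trail in the article is built.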

Spammer offering to buy MySpace contacts lists?

(Via BoingBoing) It looks like a spammer is spamming MySpace users and offering to buy their account to obtain their friends lists — provided they have at least 20,000 friends.

Apparently this isn't as crazy as it sounds, as there are 'bots which will add people to your friends list for you.

For more details, read Brooklyn Ski Club: Easy Money, Sell Your Friends.

Sunday, June 18, 2006

Ryan Pitylak: Confessions of a former spam king

Like Sanford Wallace and Jennifer Clason before him, Ryan Pitylak is now proclaiming to have seen the light. He now calls himself an anti-spammer. Read it in his op-ed piece Confessions of a former spam king.

Of course, it's possible he's sincere. Actions will speak louder than op-ed pieces. Let's see if he can undo the damage he's caused.

Wednesday, June 14, 2006

Wall Street Journal on reputation tools

Today's Wall Street Journal has an article about internet tools that make surfing the internet safer for consumers.

In the article Seeking a Safer Internet, the WSJ reviews such software tools as SiteAdvisor (which I wrote about in January), Scandoo, and TrustWatch. SiteAdvisor works through a toolbar which the user needs to download. Scandoo gives the user a search box and performs "real time" analysis on the site. It also flags sex or nudity. TrustWatch provides their own search page which uses Ask.com for the searches, and then annotates the results.

The WSJ article goes on at some length, reviewing and comparing the tools and discussing the reactions of the sites flagged by them.

Kevin Smith — Blog Spammer

Kevin Smith, the director of the movie Clerks 2 is running a contest with prizes going to the person who can post the most blog spam promoting his movie. See his contest page.

I'm sure he thinks he's being clever or original somehow, but guess what Kevin, blog spam isn't either of those, and you're just another spammer.

Update: I've visited the discussion board for the contest. So far, nobody's talking about comment spam, although they are talking about posting in all the message boards they visit.

Tuesday, June 13, 2006

Taiwan cited as source of 2/3 of all zombie spam

As reported in the UK Register, 64% of servers controlling spam traffic are in Taiwan, while the U.S. accounts for 23% and China is in third place with 3%.

The Register is citing CipherTrust as their source. According to the article, CipherTrust seeded the internet with a number of "honeypot" zombies and then recorded the sources of the spammers who were trying to control them.

The controlling servers were mostly tracked to Taiwan. The spammers themselves could be anywhere of course.

Monday, June 12, 2006

Gartman Convicted!

OK, file this under "whyinthehell didn't I hear this before?"

Tom Gartman, the rape porn spammer who fled to Canada and was later extradited, was convicted in Texas on obscenity charges back in March. Last I'd heard, he was just coming to trial.

Gartman was convicted along with Alan McDowell. He faces up to ten years in prison and a $500,000 fine.

Read all about it in the Department of Justice press release and the Dallas Morning News.

Domain Registry Support scam surfaces again

Now calling themselves Domain Registry of America; they call up registered owners of domain names and tell you they need your fax number to send you some important information. Sometimes they claim to be hired by ICANN. They can be identified by caller id indicating their number is (866) 383-0986.

They ignore the 'do-not-call' registry and will also call cell phones, in violation of USC 47.

It's still not clear exactly what they want your fax number for, but the best bet is that they make money reselling it to fax spammers.

This phone number is associated with other scams; entering it into Google can be very instructive.

Eliot Spitzer election news

Eliot Spitzer, perhaps the most effective anti-spam attorney general, is running for re-election. His opponent, John Faso, is trying to play the "my opponent will raise your taxes" card. Any news article that starts with "Borrowing a page from Karl Rove's playbook..." can't be good. I may just donate to Spitzer's campaign fund myself.

For the full story, see New York Times article Tuning Up for Race Against Spitzer, Underdog Beats the Drum of Taxes. (Registration required, but it's benign.)

Now, if only someone could explain to me how an attorney general can raise taxes...

Thursday, June 08, 2006

New "Job recruitment" spam

Latest spam to cross my desk:

OFFER OF EMPLOYMENT
THE Hilton Hotel, London, is offering employment opportunity to Men and
Women around the world ho can work and live here in Hilton Hotel, London.

To receive full employment/ information package, please contact us on
E-Mail m.h.grayson@hotelhillton.com

Thank you.

Hilton Hotel, London.
225 Edgware Road, London,
United Kingdom. W2 1JU


It's not clear yet whether this is some sort of phishing attempt or an advanced fee fraud. My money is on advanced fee fraud. Let's be careful out there.

Update: The ratware used to send the spam has been identified as one which is a favorite among Nigerian scammers, so it's probably advanced fee fraud.

Ryan Pitylak to pay $7.5 million fine to Texas

Just when I thought Ryan Pitylak had gotten a slap on the wrist, I see some good news from Texas.

It's a legal document entitled "Final Judgement and Order for Permanent Injunction and Monetary Relief" (scanned pdf, 33 pages) from the office of the Attorney General in Texas.

To summarize: named are Ryan Pitylak and partners Mark Trotter, Gary Trappler, and Alan Rafaeli. Very strict restrictions are placed on them with respect to future commercial emails (to my eye, they're required to obey the CAN SPAM law). Very strict restrictions are placed against them with respect to business record keeping, reporting, and so on.

But the big news is the penalties: LeadPlex, Inc. Payperaction LLC, and Eastmark Technology (Pitylak's businesses) are ordered to pay $7.5 million in civil penalties. Pitylak is personally ordered to pay $225,000 in legal costs. Pitylak will also pay $1 million in civil penalties if he fails to pay the legal costs, spams again, or is found to have lied about his assets. Mark Trotter and Alan Refaeli are each ordered to pay $40,000. Claims against Gary Trappler were dismissed.

More coverage in the Houston Chronicle.

Wednesday, June 07, 2006

Scumware vendors 180solutions and Hotbar team up

Today's new name to revile: Zango. According to Ziff-Davis, adware vendor 180solutions has merged with Hotbar. The new company will be known as Zango.

I've written about 180solutions before; they were among the adware vendors connected to Yahoo! in Ben Edelman's report How Yahoo Funds Spyware. In January, the Center for Democracy and Technology filed complaints against 180solutions for adware and other network abuse.

I'm not as familiar with Hotbar, but Ziff-Davis has an article about a suit between Hotbar and Symantec over whether or not Symantec would flag Hotbar for its users.

The new company, Zango, will supposedly give away free content such as videos, games, and tools in exchange for displaying ads. In other words, the "free" content will come bundled with adware. Say hello to the new business, same as the old business.

Tuesday, June 06, 2006

Today's new vocabulary term: Domain Kiting

Domain Kiting takes advantage of a loophole in ICANN regulations. Many domain registrars give you a five-day grace period after you register a domain, during which you can change your mind and cancel the registration for a full refund. The idea, presumably, is to protect registrants from needing to pay for typos they made when registering the domain, false registrations, and so on.

Domain Kiting involves registering hundreds, thousands, or even more domain names, filling them with advertising content, and then canceling them just before the five-day grace period. Often, the domain names are then registered all over again for another five days, and so on.

According to GoDaddy founder Bob Parsons, who coined the term, in April of this year, 35 million domain names were registered, and 32.7 million of them were not paid for. On the last day of March, approximately 764,672 .COM names were registered, but only 61,169 (less than 10%) were actually retained. DirectNic alone registered 8.4 million domains in April, but only retained 51.4 thousand of them. He estimates that on any given day, 3.5 million domain names are tied up by domain kiters. The process is clearly automated.

Why do they do this? Once the domain names are registered, they're immediately filled with pay-per-click advertising and paid links to other sites. The benefits are several: First, a small portion of users who come to the site by accident will click on a link and generate some revenue. Second, many of the kited domain names belong to legitimate sites which allowed their registration to expire for one reason or another — these domains will retain links from major search engines for a while, bringing in enormous valuable traffic. Third, these domain names may be typos for legitimate businesses and thus bring in a small amount of traffic from users who mis-type an address.

These kited domains will bring in a small amount of revenue from the pay-per-click advertising they carry, and are also used by illegitimate search engine optimizers to increase the Page rank of the linked sites.

The amount of revenue generated by an individual kited domain is very small, but they cost nothing and the domain kiters can register a great number of them.

Further, the same process which automatically registers the domain names and places the advertising also keeps track of which domain names generated the most revenue. In some cases, the domain name may be valuable enough to keep permanently.

How does this hurt the rest of us? In several ways. First, kited domains are a form of search engine spam, and as such, poison the well, so to speak, by causing the search engines to return less relevant results and more trash to wade through to find the information we're looking for. Second, the domain kiters tie up domain names that legitimate businesses would want to use. Those businesses must then either engage in a costly battle to obtain the domain name, or hope for the name to be dropped and hope they can grab it up in the brief window before it's re-registered.

What can be done about it? First and foremost, the registrars should simply not allow it. They could stop issuing repeated refunds to the same clients. They could set a limit on how many domains any one client can register per day. The registrars may be disinclined to put a stop to this, however, as they do make a small profit themselves from the money the kiters keep on deposit with them.

Parsons' suggestion is even simpler: make the ICANN portion of the registration fee (25¢) non-refundable. This may be harder than it sounds, as ICANN is a consensus organization, and as I said above, many registrars may be disinclined to go along with such a change.
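To make the registrar-side fixes concrete, here is an added example of my own (not GoDaddy's or any registrar's code) of the bookkeeping a registrar would need: a ledger that honours the five-day grace period but stops refunding a client after a set number of grace-period deletions, and caps how many names one client can register per day. The thresholds, client names and `.example` domains in the demo scenario are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


class RegistrarLedger:
    """Toy registrar bookkeeping applying two anti-kiting rules: a quota on
    refunded grace-period deletions per client, and a per-client daily
    registration cap. Threshold values are illustrative, not industry settings."""

    def __init__(self, grace=timedelta(days=5), max_refunds_per_30d=3, max_daily=1000):
        self.grace = grace
        self.max_refunds = max_refunds_per_30d
        self.max_daily = max_daily
        self.active = {}                  # domain -> (client, registered_at)
        self.refunds = defaultdict(list)  # client -> timestamps of refunded deletions
        self.daily = defaultdict(int)     # (client, date) -> registrations that day

    def register(self, client, domain, when):
        if domain in self.active:
            return "rejected: already registered"
        key = (client, when.date())
        if self.daily[key] >= self.max_daily:
            return "rejected: daily registration cap"
        self.daily[key] += 1
        self.active[domain] = (client, when)
        return "ok"

    def delete(self, client, domain, when):
        owner, registered_at = self.active.get(domain, (None, None))
        if owner != client:
            return "rejected: not the registrant"
        del self.active[domain]
        if when - registered_at > self.grace:
            return "no refund: outside grace period"
        # Only refunds inside the trailing 30 days count against the quota.
        recent = [t for t in self.refunds[client] if when - t <= timedelta(days=30)]
        self.refunds[client] = recent
        if len(recent) >= self.max_refunds:
            return "no refund: refund quota exhausted"
        recent.append(when)
        return "refund"

    def suspected_kiters(self):
        """Clients who have exhausted their refund quota: worth a human look."""
        return sorted(c for c, ts in self.refunds.items() if len(ts) >= self.max_refunds)


def demo():
    """Constructed scenario: 'kiter' drops four names on day 4 of the grace
    period; 'shop' drops one name after the grace period has passed."""
    ledger = RegistrarLedger()
    day0 = datetime(2006, 6, 1)
    for i in range(4):
        ledger.register("kiter", f"typo-{i}.example", day0)
    kiter_results = [ledger.delete("kiter", f"typo-{i}.example", day0 + timedelta(days=4))
                     for i in range(4)]
    ledger.register("shop", "real-shop.example", day0)
    late = ledger.delete("shop", "real-shop.example", day0 + timedelta(days=10))
    return kiter_results, late, ledger.suspected_kiters()


if __name__ == "__main__":
    print(demo())
```

The refund quota is the piece that actually breaks the economics: the scheme only works because every drop is free, and once the fourth drop costs real money the 32.7 million unpaid registrations stop being free inventory.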

The full text of Bob Parsons' articles on the problem may be found at "The add/drop scheme. How millions of .COM names are used but never paid for" and "35 million names registered in April. 32 million were part of a kiting scheme. A serious problem gets worse."

A new round of the Bagel virus on the way?

Correspondents inform me that a mysterious email spam that's been making the rounds may be a harbinger of the Bagel virus (see also InfoWorld). The emails have been widely received, but contain no payload. Instead, they simply have a number in the subject, a number in the message body, and headers that indicate that they come from Turkey or France. They'll also have your own email address in the From: line (possibly to evade spam filters or to exploit sendmail relaying functions). Check your trash; you may have received one yourself. (Update: I received one just after writing this that came from UUnet; why am I not surprised?)

Often, a spam with no payload indicates either a test run of new software, a deliverability test, a botched spam run, or a botched virus.
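The characteristics above (your own address in From:, a bare number as the subject, a bare number as the body, no attachment) are easy to turn into a mail-filter check, which is useful both to keep the test run out of inboxes and to notice when the follow-up run with a real payload starts. This is an added example of mine, not from the correspondents or from InfoWorld; the two messages are constructed samples, not real captures.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the description above (not a real capture).
PAYLOAD_FREE = """\
From: alice@example.org
To: alice@example.org
Subject: 4829
Message-ID: <constructed-1@mail.example.net>

73911
"""

# Constructed ordinary message for comparison.
NORMAL = """\
From: bob@example.com
To: alice@example.org
Subject: Lunch on Friday?
Message-ID: <constructed-2@mail.example.com>

Are you free around noon? There's a new place on 5th.
"""


def body_text(msg):
    """Concatenate the text/plain parts (or the single body) as one string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def harbinger_indicators(raw):
    """Return the set of indicator names matched by a raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = set()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipients = {parseaddr(a)[1].lower() for a in msg.get_all("To", [])}
    if sender and sender in recipients:
        hits.add("from_equals_to")
    if (msg.get("Subject") or "").strip().isdigit():
        hits.add("numeric_subject")
    if body_text(msg).strip().isdigit():
        hits.add("numeric_body")
    if not any(part.get_filename() for part in msg.walk()):
        hits.add("no_attachment")
    return hits


def is_probable_harbinger(raw):
    """True when the three content indicators all match; 'no_attachment' alone
    is far too common to count, so it is reported but not required."""
    required = {"from_equals_to", "numeric_subject", "numeric_body"}
    return required <= harbinger_indicators(raw)


if __name__ == "__main__":
    for name, sample in (("PAYLOAD_FREE", PAYLOAD_FREE), ("NORMAL", NORMAL)):
        print(name, sorted(harbinger_indicators(sample)), is_probable_harbinger(sample))
```

If the payload-free messages start arriving with an attachment, the `no_attachment` indicator drops out while the other three stay, which is the moment to raise the alarm rather than quietly discard.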

In this particular case, certain signatures in the message indicate that the Bagel author is involved. This mail may have been a test run of some sort, or a botched seeding.

In either case, we can expect another run any day now containing the actual virus. Users are urged to be extra careful about not opening email attachments. Or to switch to Mac or Linux*.

Update: The Internet Storm center has some coverage of the spam. They haven't come to a conclusion yet.

Monday, June 05, 2006

Circuit City unknowingly distributes spam bots

As reported in ZDNet and the Washington Post: Circuit City learned that their customer forum had been hacked, exposing their users to infection by a spam bot called Galapoper.C. Estimates are that between 80 and 200 registered customers were exposed. It's impossible to know how many were actually infected, or how many unregistered users visited the site. Only unpatched versions of Internet Explorer* were vulnerable.

Circuit City has now installed a more secure version of their forum software.

Galapoper.C is a nasty piece of work which periodically connects to controlling web sites and downloads commands from those web sites. It can then download other software or updates to itself or send out spam. The spam is morphed every ten minutes or 70,000 messages, making it harder to filter. The good news is that Galapoper.C is not self-replicating or spreading, so the small number of infections from Circuit City's forum is not the threat it could have been.

In Brian Krebs' Washington Post article, he notes that the sites from which Galapoper.C gets its commands are in the same block of IP addresses in Russia as a group of servers he investigated earlier this year which are involved in keystroke logging, bogus anti-spyware software, and porn sites.

Suzi Turner, in her ZDNet article, points out that there are American servers affiliated with the bad Russian sites, most notably InterCage.

Ryan Pitylak settles for $1 million

Ryan Pitylak, once listed as the world's 4th most prolific spammer by Spamhaus has settled a lawsuit with Microsoft and the state of Texas, according to a ZDNet article. Pitylak claims to have been converted to the path of righteousness (Guardian), but then, Sanford Wallace once made the same claim.

The "Talkback" comments in the ZDNet article show the same skepticism I'm feeling.

Jennifer Clason saga still not over

In March, I wrote about porn-spammer Jennifer Clason who pled guilty in Arizona for violating the CAN SPAM act.

Today, I was alerted to more coverage about her at the WahmDirect forums. A lot of the information there is old, but it's still worth reading.

A few highlights:

The final post on the porn thread is precious. Readers are enticed into spending $40 at a porn site with promises of $500 in rebates and valuable prizes. However, before anybody can collect, they're informed that Hacker X has broken into the site and ruined everything. Raise your hand if you didn't see that one coming.

Friday, June 02, 2006

Spam Filter Causes Erectile Dysfunction

I wish I could take credit for that headline, but I can't.

Yet another case of the hidden costs of spam: According to the Society Guardian, a citizen's emails to the town council objecting to a neighbor's plans for a house extension were lost because the emails contained the word "erection", and the council's spam filters threw them away. By the time the mistake was caught, the neighbor had been given the go-ahead to build.

Yahoo finds themselves on SpamCop list

Yahoo's outbound email servers have managed to put themselves onto the SpamCop list. The reason given by Spamcop is that Yahoo has sent mail to SpamCop spam traps in the last week.

Without a copy of the spam to look at, I can only speculate as to what happened. It's possible that there are really spammers operating from Yahoo. Another theory which crossed my desk is that Yahoo's "spam a change of address" feature triggered the listing, although I'm not too clear on how a change of address notice would find its way into an unlisted spam trap.

Update: I've had a chance to look at a couple of the spams in question. Definitely real spam; one was a Nigerian 419 scam and another was for penis pills.

This only means that Yahoo! needs to be a bit more diligent about cleaning out their spammers. Given that gmail is also in and out of various DNSBLs from time to time, there's no surprise here. It's just one of the expected risks you take when you run a free email service.