More phishing scams since I started reporting

[Farelf]

Oddly coincidental, but since making that post, I've received 10 of the SAME email from the same IP. ...

That does seem unusual - but then I guess you are comparatively 'visible'.

... Dumb spammers. ...

Yes, these spam are often/sometimes much more 'individually' distributed (being from places without a whole lot of internet presence I guess). I hope this is not an indication that 419s are going 'mainstream' (or, worse yet, onto the 'new mainstream' - the botnets). - but the signs and sightings, taken together, do seem to be pointing that way.

[Miss Betsy]

This site is a godsend to all user of e-mail. I can't commend it enough. It is, however, just a bit 'techie'. The forums are, presumably, to remedy this. A lack of knowledge by me makes some choices difficult.

At one time, I tried to write (or edit) FAQ for the 'technically non-fluent' since that's what I am. For a long time now, I haven't had time to contribute. And it is difficult - techies want lots of details. You can see how the 'server admin' section of the 'Why Am I Blocked' FAQ kept growing and growing.

My contention is that the 'technically non-fluent' can understand the concept of how email works without knowing the details - just as non-mechanics can understand the concept of how piston engines work and how to maintain an automobile in good running order without being able to actually 'fix' it.

For example, I leave spam reports to 'abuse[at]bigtelephonecompany.com' checked, because I'm assuming they have an automated method of checking on smaller ISPs if they continue to receive 'carbons' of complaints. But I don't know that this is correct; and I wouldn't want to put all of AT&T on a blacklist. :-)

If it is the source IP abuse address, you are probably correct. If it is a spamvertized site, perhaps not. However, since spamvertized sites are not added to the blocklist, it wouldn't be a major problem.

Learning that my spam reports are used, though as resonably as possible, for a dynamic blacklist makes it all the more important that I understand the implication of checking a little box on my report. spam is a whole world of organized crime I know nothing about. Some links to sites that discuss how this organization works might help me, at least, in making the human decisions needed in reporting spam. Yes, I know such information is somewhere on the internet; but the internet only works if users get from it far more than they put into it.

spam is the name of a meat product produced by Hormel. spam is the word for unsolicited email. one of our regular posters has a link to the Hormel page that asks people to not use all caps to designate unsolicited email. Although I can rarely find what I am looking for, you might be able to find it. Sorry I just don't have time this morning. Spamcop is the only public blocklist that allows non-technically fluent people to contribute. The source IP abuse address is rarely 'wrong' though sometimes the techies think that there is a better address (better meaning one where there is a likelihood that they will do something to stop the spam). Learning about headers and how blocks of IP addresses are allocated would be a start on how an abuse address is chosen.

<snip>(Back in the '80s, I was among those consulted by the Gore Commission about releasing the internet to the public. Censorship & restricting knowledge to those who could pay were the principal worries: {permitting} its use for other forms of crime never crossed my mind. Big surprise!)Rapakiwi

There are many people who want to close spamvertized sites using the rationale that if the site isn't there, the spam is useless to send. However, the aversion to censorship is one of the reasons that approach is not as successful as blocklists. Blocklists are the internet polite way of dealing with inconsiderate use of the internet - in the same way that the 'cut direct' is the mannerly way of dealing with rudeness offline. And it works online because there is no 'force' that can change what a server admin decides to do with his server. There is no 'force' that can be applied that can make an end user read an email or reply to it after reading it.

Miss Betsy

[turetzsr]

<snip>

spam is the name of a meat product produced by Hormel. spam is the word for unsolicited email. one of our regular posters has a link to the Hormel page that asks people to not use all caps to designate unsolicited email. Although I can rarely find what I am looking for, you might be able to find it. Sorry I just don't have time this morning.

<snip>

...Please see the first part of my post in Forum thread "Seeking suggestions for handling bounces/misdirects".

[Rapakiwi]

<SNIP, SNIP>

S P A M is the name of a meat product produced by Hormel. spam is the word for unsolicited email.

<SNIP, SNIP>

Miss Betsy

Miss Betsy, I'm very impressed by your posts; and I benefit greatly from them. However, I should use your above request to argue that you may actually qualify as a 'technie' (at Dartmouth, 'knurd': 'drunk' spelled backward). However, I shall respect Hormel's request (lest one confuse the two!); but I shall compromise and begin my sentences with a capital letter. :-)

Most respectfully,

Rapakiwi

[Farelf]

...you may actually qualify as a 'technie' (at Dartmouth, 'knurd': 'drunk' spelled backward). ...

HM Prison Service, Dartmouth? You old silver-tongued devil you, Rapakiwi. Though I thought their languague was a little more pithy there - and that's just the staff.

And you can do with "spam" as you will. Wazoo has fixed it, following David's brilliant suggestion.

[Miss Betsy]

No, NO, I am technically non-fluent. There is nothing that I know about spam and email that anyone who wants to know basic information about the world about them cannot understand. I know how to change a tire (from the textbook and observation), but I never have had to actually do it - gender characterization is sometimes ok! I also know a few other useful things about the automobiles I drive. And I know a little bit about how email works. But only with extreme effort and lots of books, could I ever build (or repair) an engine or run a server - that is what mechanics and techies do.

Miss Betsy

[Rapakiwi]

To the original poster/question: NO.

FWIW, I've seen a huge increase in the number of 419 messages I've received lately... I have received over 100 this week alone, when I usually get 10 a week.

OK, Was it here I promised to test whether reporting spam increases it? Earlier I reported only phish. After on a week or so of rapid reporting, some spam was sent 'from' me (for I identify myself openly), then I never received any more phish. I assume I was taken off the phishing list. (Not what I wanted.)

Last week I started, for the first time, reporting 'innocent' spam (well, I consider those with hyperlinks not so innocent). My spam, which was a constant 12 or so a day for at least a year, has dropped continuously to one today. In every report I send, I add a personal comment, and I offer my full name and email address. Thus far I have received no email with nasty attachments or anything but silence. Most of the s-p-a-ms, by the way, were selling fake diplomas to Dartmouth alumni. :-)

This is clearly too early to tell, but I don't remember a decrease like this before. I was prepared to (and still am, I suppose) expect a decrease only after months of rapid reporting, when my address was blacklisted by those ... well, blacklisted.

If this decrease genuine, it suggests spam is sent by very few, very active organizations.

Rapakiwi

[Rapakiwi]

HM Prison Service, Dartmouth? You old silver-tongued devil you, Rapakiwi. Though I thought their languague was a little more pithy there - and that's just the staff.

<SNIP>

Ahem ... I deplore this attempt to impugn by 'record', for it's not the prison, but the jail I spent some quality time at, as you can clearly see by comparing the images.

HM Prison Service, Dartmouth

HM Gaol, Dartmouth

Proudly yours,

Rapakiwi

[Farelf]

...it's not the prison, but the jail I spent some quality time at, as you can clearly see by comparing the images.

HM Prison Service, Dartmouth

HM Gaol, Dartmouth

Ah yes, I see the similarity - not to be confused wth Dartmoor University (formerly Dartmoor College of Advanced Education).

[Rapakiwi]

<SNIP>

And you can do with "spam" as you will. Wazoo has fixed it, following David's brilliant suggestion.

Once, when I wrote a paper on mathematical software in a newsletter for a supercomputer center, the editor marked every other work with a trademark or registered trademark. I had to comment then that I believe the purpose of such trademarks is to legitimately prevent others from selling a product with the same name. The capitalized word is, to my knowledge, not an acronym involving e-mail, so I have no objection to anyone correcting my spelling.

In other words, I thank SpamCop for preventing me from discussing food products. If any should not, remember Hormel's reasoning: 'We coined this term in 1937 and it has become a famous trademark. Thus, we don't appreciate it when someone else tries to make money on the goodwill that we created in our trademark or product image, or takes away from the unique and distinctive nature of our famous trademark spam.' -Hormel Food Corporation

From this, I conclude that their objection to our writing a capitalized word appears to be for our benefit: they would never want the resemblance of the two products to lure us into opening some.

Rapakiwi

PS. Once, after being lured into a life of geology, I had to break some rocks at Dartmoor. But I was very young then.

[Farelf]

...PS. Once, after being lured into a life of geology, I had to break some rocks at Dartmoor. But I was very young then.

We're well O/T but yes, I believe you've "nailed" the Hormel trademark thing. And, to stray even further, I once knew a yachtsman - he used to break wind.

[cdavis999]

In order for you to get more scam mail due to your SpamCop activities, it would be necessary for SpamCop to have given your e-mail address (or allowed it to be given) to the crooks.

...which would seem inconceivable, in this of all places.

And yet I, who signed on to Spamcop using a specific mailbox i created specifically for the purpose - a mailbox that has never been used for anything except mail from SpamCop to me - have consistently been receiving spams sent to that mailbox! How could this happen?

No mail has ever been sent from the address cdspamcop[at]smouse.demon.co.uk. No mail should ever have been sent to it by anyone other than Spamcop.net themselves - who should be the only people who know the address.

And yet this morning I received a distinctly nasty piece of spam, advertising an honest-to-god child porn site, illustrated with a pair of barely pubescent kids doing something their mums wouldn't approve of - addressed to this very mailbox.

It isn't the first spam sent to this address - though it is the nastiest. In the current climate, just having this picture is bad enough.

In previous correspondence, Spamcop admin have told me that the spammers probably got the address by guesswork. Pardon me, but - bollocks.

So - what is the explanation, I wonder? I hesitate to suspect malice, or malicious passing on of mailing lists by Spamcop admin, but how did it happen? I know that unique addresses I've used on other public forums have been passed to spammers before - which is why I use unique ones every time. Although I would expect Spamcop to be especially diligent about such things, I can't help thinking what a coup it would be for any spammers to get hold of this list, and how much they might pay for it.

And as it has happened, how vulnerable are any of us?

Any information gratefully received.

CD

[rconner]

In previous correspondence, Spamcop admin have told me that the spammers probably got the address by guesswork. Pardon me, but - bollocks.

I beg to contradict (tho I will not use the B-word): this sort of thing is quite common, it happens millions of times per day. If your e-mail address was composed of common names or words, it is subject to be harvested during a directory harvest attack. See this SpamCop Wiki page or http://www.rickconner.net/spamweb/analysis11.html.

-- rick

[Wazoo]

In previous correspondence, Spamcop admin have told me that the spammers probably got the address by guesswork. Pardon me, but - bollocks.

It would be so much easier to take your viewpoint if the address you specified wasn't so 'simple' ...

[Miss Betsy]

I created a hotmail account that I thought would be very unlikely to be 'guessable' (an acronym of six letters - never reported spam from it or sent any mail from it (it was just used to receive email forwarded from another address which I then could read in OE instead of online because I still had a dial up). Within two weeks, it received its first spam. I think I read somewhere that it is really easy to generate a lot of variations - we know that they deliberately send spam to spamcop.net addresses. how easy it would be to add initials in front? And we also know that they combine every possible email address with different domains. If you ever had any spam to any address at that domain, then you are doubly likely to get attempts, I would think.

Miss Betsy

[rconner]

I just abandoned my 10-year-old SpamCop account because it was beginning to get a significant amount of spam directly sent to it (something I hadn't noticed until about a couple of months ago). This time, I picked a long and weirdly random string of numbers and letters, we will see how long this one lasts.

-- rick

[cdavis999]

I beg to contradict (tho I will not use the B-word): this sort of thing is quite common, it happens millions of times per day. If your e-mail address was composed of common names or words, it is subject to be harvested during a directory harvest attack. See this SpamCop Wiki page or http://www.rickconner.net/spamweb/analysis11.html.

I'm most grateful for the information you supply, but I have to say that I still have doubts - which I'd be delighted to discover were merely misunderstandings. Let me give you a little context:

I have a couple of domains, one of which is the ancient smouse.demon.co.uk that I used, years ago, to use for signup to Spamcop and the like. The email account will accept mail sent to [anything][at]smouse.d.c.u

So early on I started creating unique mailboxes for any forums etc. I signed up to. These boxes would all be in the form cd[?*][at]s.d.c.u . This has allowed me to catch practically all dictionary and guesswork spam by validating the opening 'cdxxx'.

As anticipated, some sites I've signed up to in this way have indeed resulted in a spamvalanche - and I can just add exception processing to my Regex filters to ignore them. My signup for Koko the Gorilla's site produces tons of such crap, for instance.

If I understand you, you consider 'cdspamcop' an easy one for the spammers to have guessed. OK, so why no 'caspamcop', 'cbspamcop', 'ccspamcop' et seq. ? As these, too, would have been accepted without objection by the server, how likely is it that spammers would [a] have hit on the right combination, and not tried any others?

(I do monitor the addresses to which spam is sent, and if one turns up repeatedly I save my filters some work by catching them. Nothing has ever to my knowledge been sent to [*]spamcop apart from the magic 'cd' combination.)

Perhaps I've missed a vital point in your references, but I can't see how spammers would have tried 'cdspamcop' unless they somehow knew it would work. Could the handful of legitimate mails sent, by spamcop.net themselves, somehow have been intercepted?

I'm all ears. Please forgive me if I'm being thick, but this nasty child porn mail has decidedly micturated me off. It's quite the most unpleasant spam I've received (out of about 100/day all told), and the fact that it has apparently tapped into a communication line to an anti-spam organisation is bloody irritating.

CD

[rconner]

Perhaps I've missed a vital point in your references, but I can't see how spammers would have tried 'cdspamcop' unless they somehow knew it would work.

I think the answer to this question would have been found in the links I posted above. Spammers find (or guess) addresses and then test them for deliverability using DHA probes. If an address is more "guessable" it is more likely to be tested in a probe. No, I can't tell you exactly what makes an address "guessable," nor can I tell you why one address might be harvested and spammed, while another similar one might not be; these are questions best directed to the spammers.

-- rick

[StevenUnderwood]

What is your "Full Name" setting on your reporting account under Preferences, Change Email address or name? http://mailsc.spamcop.net/mcgi?action=wizard&stage=1

That moniker goes on every report that goes out.

[Farelf]

You're not saying how you were aware of the specific content of that child porn spam (nor of the 'credentials' of the porn site it was pushing) - the possibility being that anything from 'trackers' to installed spyware of some kind might come into the equation depending on your past 'safe hex' practices.

[cdavis999]

I think the answer to this question would have been found in the links I posted above. Spammers find (or guess) addresses and then test them for deliverability using DHA probes. If an address is more "guessable" it is more likely to be tested in a probe. No, I can't tell you exactly what makes an address "guessable," nor can I tell you why one address might be harvested and spammed, while another similar one might not be; these are questions best directed to the spammers.

Rick, I did read your references, and although they are informative and comprehensive, I didn't find anything that addressed my specific concerns:

• I don't believe there exists a cdspamcop MX record to be harvested
  
• I have never, to my knowledge, received either a spam or a probe aimed at [xxx]spamcop, which I would expect if the spammers had just guessed the address
  
• While in the context of this forum 'cdspamcop' may not look very random, it's not a string that would be found in any dictionary. Remember that choosing 123456 as your lottery numbers is no less likely to win than 942738.
  
• The string 'cdspamcop' finds no hits on Google (I checked when it first happened). If the spammers found that string somewhere legitimate, then where?
  

Again, I'd be delighted to be told that I missed something, but what is it?

But let me not seem to be nagging you - that's the last thing I want.

CD

[cdavis999]

What is your "Full Name" setting on your reporting account under Preferences, Change Email address or name? http://mailsc.spamcop.net/mcgi?action=wizard&stage=1

That moniker goes on every report that goes out.

Hmm, that's interesting: the URL to which I'm referred to change my Spamcop setting is <a href="http://www.spamcop.net/mcgi?action=wizard&stage=1" target="_blank">http://www.spamcop.net/mcgi?action=wizard&stage=1</a> . When I try the one you refer to, I get a popup dialog instead of a Web form, and entering my name and PW denies me and spits me to the 'Forget your password?' page - even if I'm already logged in.

I assume/hope that your URL is for another account type. I believe I have a pretty basic one, and it's very old. Do you have any info on this?

My name for emails is set to 'Chris' - very good call, though. Thanks!

CD

[rconner]

"cdspamcop" would not have an MX record. Your domain would -- e.g., "cdspamcop [at] domain.foo" is in domain "domain.foo," you look up the MX record for "domain.foo" in order to deliver mail to cdspamcop. While you are at that MX, you can also try delivering to a few thousand other possible random addresses to see whether any might work.

"cdspamcop" is made up of dictionary words: "cd", "spam", and "cop." "sb2zn33f" (for instance) is not made up of dictionary words.

-- rick

[cdavis999]

You're not saying how you were aware of the specific content of that child porn spam (nor of the 'credentials' of the porn site it was pushing) - the possibility being that anything from 'trackers' to installed spyware of some kind might come into the equation depending on your past 'safe hex' practices.

Not sure quite how to answer that. The machine on which I received the spam was a laptop not equipped with spam filters (I host my own heavily-protected mailserver for my main account. Smouse is mostly for emergencies now.)

All the machine in my domain run AVG antivirus and -spyware. They all autoscan daily. The domain is Sygate firewalled, as are the individual machines in it. Tracking cookies are zapped. Sadly this doesn't remove the possibility that the machines have been hacked at some point. Nothing does, alas.

The header of the nasty mail is as follows:

From - Sat Jun 21 12:34:32 2008
X-Account-Key: account3
X-UIDL: 1K9vsk-0miknw-02-FeL
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
X-Mozilla-Keys:																				 
Return-Path: <problem[at]mail.nugransid.com>
Received: from punt3.mail.demon.net by mailstore
	for cdspamcop[at]smouse.demon.co.uk id 1K9vsk-0miknw-02-FeL;
	Sat, 21 Jun 2008 05:43:26 +0000
Received: from [194.217.242.95] (lhlo=anchor-hub.mail.demon.net)
	by punt3.mail.demon.net with lmtp id 1K9vsk-0miknw-02
	for cdspamcop[at]smouse.demon.co.uk; Sat, 21 Jun 2008 05:43:26 +0000
Received: from [202.191.61.82] (helo=orion.websiteactive.com)
	by anchor-hub.mail.demon.net with smtp id 1K9vsg-00039p-OH
	for cdspamcop[at]smouse.demon.co.uk; Sat, 21 Jun 2008 05:43:26 +0000
To: cdspamcop[at]smouse.demon.co.uk
Subject: Instant Access to C.P. Video
Date: Sat, 21 Jun 2008 15:43:19 +1000
MIME-Version: 1.0
From: Sonia Lanier <problem[at]mail.nugransid.com>
X-Mailer: LOI Webmail 747-STD
Received: from 224.250.226.254 by mail.nugransid.com (69.25.142.5) with HTTP (WebMailUI); Sat, 21 Jun 2008 15:43:19 +1000
Message-ID: <019253717.20070829090343[at]mail.nugransid.com>
Content-Type: multipart/mixed;
 boundary="----------EAA0537D2D"
X-CNFS-Analysis: v=1.0 c=1 a=zbfNaPuGxtBw7HMn7Ikoyw==:17 a=Aa0CmRER98ApXqSXMD4A:9 a=FM1epHXxEhw9TEjD3z0A:7 a=6pSPgIjrDq93WPdrWogqGrKwPwUA:4 a=Sz-0p1zU2dQA:10 a=mSGVt1QvotDfUeFsNjIA:9 a=e5Bm7nuXIO4K_tB2wHkKzfu01A0A:4 a=bC4pTEGzVWIA:10 a=KQqxNPgzF0kA:10 a=M0kiJebNe1CeGr_d:18
X-Antivirus: AVG for E-mail 8.0.130 [270.4.1/1511]

The punt addresses are part of Demon's store&forward system, and are legitimate. The mail seems to have been sent to Demon from 202.191.61.82, which Whoises as MD Web Hosting in Australia. I assume that the sender is just a slave in someone's botnet.

The body of the mail consists of a few lines of anti-bayesian rubbish text and a single large JPEG. This picture has text, surmounted by a pair of kids. The text reads:

Hard CP

HOW TO GET INSTANT ACCESS TO CHILDREN PORNO

You must buy our Antivirus 2008© (Online security Scanner)

1. Use any site line to join (below)

http://XXXXXXXXXXXXXXX

http://XXXXXXXXXXXXXXX

http://XXXXXXXXXXXXXXX

http://XXXXXXXXXXXXXXX

2. pay for Antivirus 2008®

3. Get email with access info to children porno

4. plus you'll get Antivirus 2008® too!

5. Be careful, FI works against yourself.

I bet that's more information than you wanted! Apologies for all the screed, but I thought I should supply this stuff for completeness' sake.

CD

[cdavis999]

"cdspamcop" would not have an MX record. Your domain would -- e.g., "cdspamcop [at] domain.foo" is in domain "domain.foo," you look up the MX record for "domain.foo" in order to deliver mail to cdspamcop.

Correct. Which was sort-of my point.

"cdspamcop" is made up of dictionary words: "cd", "spam", and "cop."

True, but stringing together any three words from even a small dictionary of, say, 50,000 words would give - what? - 2P^n permutations? Seems pretty steep to me.

"sb2zn33f" (for instance) is not made up of dictionary words.

Also true, but generating all the radix36 numbers between 00000000 and zzzzzzzz is no more of a chore than the dictionary trick.

But I won't argue the point, except to say that I receive plenty of dictionary-attack spam - some of which (predictably) even hits the magic cdxxx combination - and I still think it statistically unlikely that 'cdspamcop' was a lucky guess.

They got that string from somewhere.

CD