Boing Boing 

Clinton's sensitive email was passed through a third-party spam filtering service


It's been years since the spam wars were at the front of the debate, but all the salient points from then remain salient today: when you let unaccountable third parties see your mail and decide which messages you can see, the potential for mischief is unlimited.

Read the rest

Social graph of mysterious twitterbots


Terence Eden has mined the social graphs of thousands of mysterious, spammy twitterbots, which may or may not be the same larval spambots I wrote about.

Read the rest

Brian Krebs's "Spam Nation"

In Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door, Brian Krebs offers a fascinating look at the mass-scale cybercrime that underpins the spam in your inbox and provides an inside peek at a violent fight among its principle players. Cory Doctorow reviews.Read the rest

Google Maps' enduring security holes put businesses at risk


It's been more than a year since a series of high-profile articles demonstrated that Google Maps' crowdsourcing function can be used create new listings, alter existing business listings, and even create fake Secret Service offices that real-life cops end up calling.

Read the rest

Russia's army of paid astroturfers message-bomb western coverage of Ukraine


A set of documents leaked by a group identifying itself as Russian hackers purports to be training materials for Russian psyops agents who were paid to make favorable comments about Russia's position in Ukraine on western media websites. The group of fake commenters, called the Internet Research Agency, is based in Saint Petersburg, and its operatives were ordered to maintain multiple commenter identities based on certain archetypes, and to post a minimum quota of pro-Russia messages every day. Included in the documents are per-site strategy notes for preventing moderators from erasing messages (for example, on Worldnetdaily, do not use "vulgar reactions to the political work of Barack Obama.")

These tactics are familiar ones. Rebecca MacKinnon's indispensable book Consent of the Networked describes the Chinese government's "Fifty Cent Army," each paid 0.5RMB per message pro-government postings. And of course, the 2011 HB Gary leak revealed the existence of a US Air Force RFP seeking "persona management" software that would let US psyops operatives maintain up to 20 fake identities from which to post pro-US messages on Arab-world websites.

Read the rest

Comment-spammers threaten to sabotage their victims through Google Disavow if the evidence of their vandalism isn't removed

Tim got an email from someone trying to get rid of comment spams -- ever since Google started punishing sites that left comment spam on blogs, this has been going on a lot. When Tim told the guy to buzz off, he threatened Tim with sabotage by means of Google's "Disavow" tool, growing progressively more abusive as Tim stood his ground.

Read the rest

Orange UK plumbs the depths of insulting, stupid marketing, finds a new low


I had the above-reproduced SMS exchange with a bot from my horrible mobile phone carrier, Orange UK (now called "EE" after the high-pitched noise my incipient aneurysm makes whenever I have to deal with them, and because vowels) today. They have "good news" -- I have been subscribed to "special offers" from "great brands" via SMS. And I can opt out. Except, surprise, it takes three weeks to process these opt-outs.

Not sure what I should do apropos of any "great brands" who pay Orange to spam me in the runup to Christmas: maybe just name-and-shame them here? Any other ideas?

Rise of predatory, parasitic spambooks


Charlie Stross considers the confluence of bookspam; Turing-complete, Javascript enabled ebooks, and auctorial disappointment and posits a hostile ecosystem of parasitic ebooks who go around devouring the competition.

Read the rest

The Internet Police: How Crime Went Online, and the Cops Followed


Nate Anderson is one of my favorite Ars Technica writers -- always thorough and always evenhanded, but never shrinking from venturing an opinion or trying to put individual incidents in the context of the wider Internet. His new book, The Internet Police: How Crime Went Online, and the Cops Followed, is a brisk, eminently readable, and important history of the relationship between law, law enforcement, and the net, and as you'd expect, it's excellent.

Read the rest

Where Twitter spam-accounts come from

A pair of researchers -- one a grad student working at Twitter -- bought $5,000 worth of fake Twitter accounts (with Twitter's blessing) and developed a template for identifying spam Twitter accounts. The spammers were using cheap overseas labor to solve Twitter's CAPTCHAs, registering the new accounts with automatically created email boxes from Hotmail and Mail.ru, and spreading the registrations out across a range of IP addresses, courtesy of massive botnets of infected computers. Twitter nuked zillions of spam accounts and prevented new ones from signing up -- for a while. Quickly, the spammers adapted their tactics and went back to registering new accounts. The researchers, Kurt Thomas and Vern Paxson, presented their results today at Usenix Security DC, in a paper called Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse (PDF).

Update: Here's the full research team: "Kurt Thomas is a grad student at UC Berkeley who works at Twitter; Alek Kolz works at Twitter, Damon McCoy is a professor at GMU, Chris Grier is a researcher at ICSI and UC Berkeley and Vern Paxson is a lead researcher at ICSI and a professor at UC Berkeley."

Read the rest

Bestiary of unimportant envelopes that look important


The Evil Mad Scientist folks have compiled an annotated bestiary of junk-mail envelopes that are camouflaged to look like important correspondence. It's a fascinating study in meatspace spam.

Often times, these envelopes are quite well done. Above is an example that might cause a genuine double take— with its “FINAL NOTICE ENCLOSED“ — and bank-PIN style tear tabs on the sides...

And then, there’s the fine print, so that you really take it seriously. A $2,000 fine or 5 years imprisonment(!) are threatened under §1702 should you fail to deliver this fine specimen of junk mail letter to its intended victim. (This penalty is true but somewhat misleading; the law refers to obstruction of mail in general, not this “final notice” in particular.)

Envelopes That Claim to be Important

Corporations are people, so the city of Seattle can't have an opt-out policy for spammy phonebooks no one wants


Jeff sez,

Seattle will spend $500,000 to settle a lawsuit it lost with phonebook companies over its sensible opt-out program for residents.

Beginning in May 2011, Seattle began allowing residents to opt out of unwanted phonebook deliveries. The program was so popular, the city reports that more than 2 million pounds of paper are saved annually as a result. The phonebook companies sued the city and lost, but won on appeal. The city has chosen not to appeal to the Supreme Court.

The phonebook companies alleged in their complaint that the phonebook ordinance, 'denies [their] rights guaranteed by the First and Fourteenth Amendments to the United States Constitution.'(free speech and due process). If not for the legal concept of 'corporate personhood', the phonebook companies wouldn't be able to sue Seattle to assert Constitutional rights originally written only for people.

Rather than ask the question, 'are the phonebook companies people?'and 'do they have the right to free speech?'the courts have focused largely on whether the content in the phonebooks (advertisements and phone listings) represent free speech which can't be regulated or commercial speech, which can be.

The companies claim, 'The First Amendment to the United States Constitution prohibits government from -- enforcing the desire of citizens to avoid communications [and] from prying into citizens' preferences regarding communications they seek to avoid.'

Corporate Personhood to Cost Seattle $500,000 to Settle Phone Book Lawsuit (Thanks, Jeff!)

(Image: Seattle Phone Book Spam, a Creative Commons Attribution (2.0) image from edkohler's photostream)

Music industry hates anti-spam laws

Michael Geist sez,

The business opposition to Canada's anti-spam and spyware legislation has added an unlikely supporter: the Canadian Recording Industry Association, now known as Music Canada. The organization has launched an advocacy campaign against the law, claiming that it "will particularly hurt indie labels, start-ups, and bands struggling to build a base and a career." Music Canada is urging people to tweet at Canadian Heritage Minister James Moore to ask him to help bands who it says will suffer from anti-spam legislation.

Yet Music Canada's specific examples mislead its members about the impact of the legislation. It wrongly claims that bands and labels won't be able to contact venues or stay in contact with fans. To top it off, the industry that introduced lawsuits against individuals for file sharing (CRIA members first commenced such actions in 2004) and brought us the Sony Rootkit debacle is now concerned with lawsuits against its own members for failing to abide by an anti-spam and spyware law.

Is the Road to Music Success Paved with Spam? Canada's Music Lobby Apparently Thinks So spam,copyfight,corruption,canada,corporatism

YouTube confiscates 2 billion views from Universal and Sony

Universal and Sony Music have both had their YouTube view-counts and channels drastically cut by YouTube. A spokesman for YouTube was cryptic about the slashing, saying "This was not a bug or a security breach. This was an enforcement of our viewcount policy." The DailyDot repeats speculation from Black Hat World ("a forum where users trade tips about unethical search engine optimization tactics") where users have suggested that the entertainment giants got their ears pinned back after they were caught buying fake "likes" and "views" from a crooked botmaster.

Sony/BMG was the second largest sufferer, dropping more than 850 million views in one day, bringing its total number of views to a mere 2.3 million. RCA, which got off scot free by comparison, dipped 159 million views. Its tally now sits more modestly at 120 million views.

In addition, each label's YouTube archives are now surprisingly thin. UMG, which had long held a heavy hand in YouTube operations, now only boasts five videos on its YouTube channel, none of which are actual songs—and none of which last more than 1:23.

Sony's page, by comparison, is currently empty. The company did not respond to the Daily Dot's request for comment.

YouTube strips Universal and Sony of 2 billion fake views [Chase Hoffberger/Daily Dot] (via Reddit)

Spam kingpin chatter

Security researcher Brian Krebs picks out some choice exchanges out of a dump from an elite Russian spammer message-board, and suggests that this contains clues to the identities of the world's most prolific spammers.

“Everything is all right with John. We drank with him recently in Europe. He is getting married soon. He is no longer spamming stocks. He got squeezed [arrested/questioned] once very badly some time ago. Now he is all clean. His friend – SP – screwed him and also is not working with stocks now. Rin is in total shit. He is going to be in jail (or he is going to be hiding) for a long time. He calls me pretty often, so he is alive so far. I am helping his wife with money from time to time.”

The two exchange recommendations about their favorite nightclubs in St. Petersburg, Russia. Tarelka inquires how Severa is doing, which elicits the following reply:

“I am okay. Damn, where to find sponsors? I am sure I can spin off stocks even in the current market. Are there any more contacts? Maybe I will ask Apple. Maybe he can give me some referrals. Who could think two years ago that this “theme” would die, huh? Give my regards to Igor [possibly Igor Gusev, the co-curator of SpamIt]. I wish you luck and patience.”

Tarelka says he tried to convince John/Apple that there was still money to be made in stock spam, but that John insisted the market was dead, and that no one was coming forward to pay spammers to send pump-and-dump spam anymore.

A Closer Look at Two Bigtime Botmasters

Kill robocalls, get paid

If you hate robocalls and love money, the FTC wants to hear from you. They're offering a $50K bounty for practical robocall-killing technology. Details at robocall.challenge.gov.

Spam of the day

In reply:

UK Tories put a spam kingpin in charge of the party


Grant Shapps is the Conservative Member of Parliament for Welwyn Hatfield and the new co-chair of the UK Conservative Party. He's also co-owner (with his wife) of a spam factory called HowToCorp, which markets a product called TrafficPaymaster, a program that scrapes blogs/RSS/search results, runs the text through a thesaurus (seemingly to avoid copyright infringement charges) and pastebombs the resulting word-salad onto pages slathered in display ads, in the hopes of tricking search engines into returning them as results for highly ranked queries and racking up accidental click money.

Danny Sullivan explains the workings of "spinner" software like TrafficPaymaster, and documents the tricks that the Shappses' company uses to market its wares, including a web of aliases and elaborate, misleading accounts of how Google views products like TrafficPaymaster and its useless output (here's a sample of the material the Shappses' program outputs: "A free of charge golf swing lesson appears a very little as well superior to be accurate." Here's another: "So the to begin with phase to getting a quality golfer is to order some clubs that match you.")

It’s high-profile, of course, because it’s fairly hard to believe that the new co-chair of the UK’s ruling political party (mostly ruling, the Conservatives share power with the much smaller Liberal Democrat party) is behind software that “plagiarizes” content to spam Google.

Technically, I’m not sure if the spinning is plagiarism, but both UK papers I’ve mentioned are running with that angle. They’re also big on this quote posted on Warrior Forum that appears to be from the aforementioned Sebastian Fox:

Google may or may not like a particular approach, but the real question is whether there are any signs about how a page has been created. If the answer is no, well then it doesn’t much matter what Google officially thinks.

The Guardian cites that as if the quote is dismissive of “Google’s attempts to police the internet,” whereas The Telegraph suggests that it means “Google would be unable to stop the copying of websites.”

The reality is that the claim isn’t some type of gauntlet being thrown down against Google. It’s simply meant to reassure a prospective buyer of what I covered above, that Google probably can’t tell that the page was created using automation, so even if Google has official rules against that (it does), TPM users probably won’t get caught.

Danny finishes: "The Conservatives came under accusations that they were too close to Google earlier this year. Having the party run by someone who created, and still seems associated with, a business designed to help people spam Google probably will serve as a nice balance to that."

New UK Conservative Party Co-Chair Grant Shapps Founded Google Spamming Business

Your daily Twitter enema

Benjamin Jackson recommends daily efforts to kill the 'bots following you on Twitter, for the greater good: "consistently reporting real spammers does work. If you're older than 35 and it helps, you can think of it as picking up litter off the streets of the Information Superhighway." [Buzzfeed]

Commercial spamflooding used by crooks to tie up their victims at key moments

Security expert Brian Krebs was the target of a malicious email flood, and writes firsthand about the experience. These floods -- which can be directed at any and all of your phone (voice or SMS) and email -- are used by crooks who want to busy-out all their victims' communications channels while they are ripping them off electronically. This kind of flooding is available as a (surprisingly cheap) commercial service.

Used mostly in private for myself and now offered to the respected public.

Spam using bots, having decent SMTP accounts.

Doing email floods using bots. Complete randomization of the letter, so the user could not block the flood by the signatures.

Flooder is capable of the following functionality:

Huge wave of emails is being instantly sent to the victim. (depending on the server load and amount of emails to be flooded)

Delivery rate of 60-65% — depending on the SMTP servers.

Limit for flooding single email account on this server is 100,000 emails.

Plan – Children – 25,000 emails — $25
Plan – Medium – 50,000 emails — $40
Plan – Hard – 75,000 emails — $55
Plan – Monster – 100,000 emails — $70

Cyberheist Smokescreen: Email, Phone, SMS Floods

Large collection of default spam-comments from a slimy SEO tool

I get a ton of spam sent to my personal WordPress site, which is evidently sent using some kind of toolkit for would-be SEO scumbags. The spams use the SEO-target's URL as the sender's web-page, and consist of a bland, usually mildly positive, usually ungrammatical comment.

This morning, I woke up to find that someone who was new to the tool (or unclear on the concept) had left a spam with all of the default comment messages in it, dumping the full database of anodyne comments intended to fool both the spam-filter and the human operator into thinking that the sender had read the post and was replying to it. The comments are necessarily generic, as they are meant to apply to literally any WordPress post on any site, ever. I wonder if the poor grammar and odd phrasing is deliberate, intended to make human moderators less suspicious and to lead them to think that some earnest foreigner is trying desperately to compliment them across the language barrier.

The comments also tend to invite replies, with mild complaints about RSS errors and layout problems. They mention spouses, cousins and friends. All in all, they're a curious collection of spammers' hypotheses about what will appeal to the vanity and goodwill of people who run legitimate WP sites.

I do like the way you have framed this issue and it does supply us a lot of fodder for consideration. On the other hand, because of everything that I have seen, I simply just trust when other opinions stack on that folks continue to be on issue and don't get started upon a tirade regarding some other news du jour. Still, thank you for this fantastic piece and though I do not necessarily concur with the idea in totality, I regard your point of view.

Almost all of the things you mention happens to be astonishingly accurate and it makes me wonder why I had not looked at this with this light before. This particular piece truly did switch the light on for me as far as this specific topic goes. Nevertheless there is actually one particular factor I am not too comfortable with so while I attempt to reconcile that with the actual core theme of your point, permit me see just what the rest of your subscribers have to say.Very well done.

The core of your writing whilst appearing agreeable initially, did not settle very well with me after some time. Someplace within the paragraphs you were able to make me a believer but just for a short while. I however have a problem with your leaps in assumptions and you would do nicely to help fill in those breaks. In the event that you actually can accomplish that, I will undoubtedly be impressed.

WordPress Spam Dump

The best spam I've received in a long time

I love unintentionally funny email spam so much. Sadly, it's been a long time—like, years—since I got any that wasn't just a boring re-tread of now-standardized routines. Then, this morning, a wonderful change of pace. In my in-box I found a strange hybrid of the Nigerian prince scam + the foreign lady looking for love scam + the Craigslist I-scam-you-while-you-think-you're-scamming-me scam.

The result of this innovation is a little bit genius, and a little bit completely insane.

Shorter version: My "dear friend" Helen Small, who is very sad that she hasn't heard from me in a long time and thinks I might have abandoned her, wants to send me some of her birthday gifts as a token of her love and affection for me. For overly complicated reasons, she wants to send me these gifts in the care of her boss. That brings us to the following, amazing, couple of paragraphs:

Please do accept this token of love, I know it isn't much but I sent it from my innermost heart and belief you gonna appreciate everything inside the package coz it is coming from a special friend and in a special way to remember me on my birthday.

The content of the pack are;
2 Dell laptop computer,
4 ip-phones, AN ENVELOPE,
A Video Camera
and some jewelries.

For your edification, the video at the top is about a different kind of Spam. If you would like to find out more about what is in Spam-the-food and why it's in there, follow this video link to HowStuffWorks.com

Unicode's "right-to-left" override obfuscates malware's filenames

Unicode has a special character, U+202e, that tells computers to display the text that follows it in right-to-left order; this facility is used to write text in Arabic, Hebrew, and other right-to-left scripts. However, this can (and is) also used by malware creeps to disguise the names of the files they attach to their phishing emails. For example, the file "CORP_INVOICE_08.14.2011_Pr.phylexe.doc" is actually "CORP_INVOICE_08.14.2011_Pr.phyldoc.exe" (an executable file!) with a U+202e placed just before "doc."

This is apparently an old attack, but I've never seen it, and it's a really interesting example of the unintended consequences that arise when small, reasonable changes are introduced into complex systems like type-display technology.

Some email applications and services that block executable files from being included in messages also block .exe programs that are obfuscated with this technique, albeit occasionally with interesting results. I copied the program that powers the Windows command prompt (cmd.exe) and successfully renamed it so that it appears as “evilexe.doc” in Windows. When I tried to attach the file to an outgoing Gmail message, Google sent me the usual warning that it doesn’t allow executable files, but the warning message itself was backwards:

“evil ‮”cod.exe is an executable file. For security reasons, Gmail does not allow you to send “this type of file.

Unfortunately, many mail applications don’t or can’t reliably scan archived and zipped documents, and according to Commtouch and others, the malicious files manipulated in this way are indeed being spammed out within zip archives.

(via Command Line)

Technique for fighting submission-form spam

Ned Batchelder sums up a series of technique to keep spammers from attacking submission forms with automated bots (it won't work against humans, but even cheap humans are more expensive than bots). Some of these techniques look like they'll continue to work even if they're widely known, while others depend merely on exploiting vulnerabilities in spammer techniques that will be refined as soon as the exploits are widespread.

We get titanic amounts of spam to the anonymous Boing Boing submission form, and most of it gets stopped using variations on these techniques. One interesting thing about our submission spam is how indiscriminate it is: various scumbags have gone to some lengths to figure out how to send spam to a form whose output is emailed to four people, and who will never, ever accidentally post their submission to this blog -- indeed, I just bulk-delete the stuff that makes it through the filter without even opening it -- our spammers are indiscriminate enough to use spammy subject lines, which means, I suppose, that they think they're going to end up someone a human being won't see them but a search-engine might.

The comment form has four key components: timestamp, spinner, field names, and honeypots.

The timestamp is simply the number of seconds since some fixed point in time. For example, the PHP function time() follows the Unix convention of returning seconds since 1/1/1970.

The spinner is a hidden field used for a few things: it hashes together a number of values that prevent tampering and replays, and is used to obscure field names. The spinner is an MD5 hash of:

The timestamp,
The client's IP address,
The entry id of the blog entry being commented on, and
A secret.

The field names on the form are all randomized. They are hashes of the real field name, the spinner, and a secret. The spinner gets a fixed field name, but all other fields on the form, including the submission buttons, use hashed field names.

Honeypot fields are invisible fields on the form. Invisible is different than hidden. Hidden is a type of field that is not displayed for editing. Bots understand hidden fields, because hidden fields often carry identifying information that has to be returned intact. Invisible fields are ordinary editable fields that have been made invisible in the browser.

(via O'Reilly Radar)

Later, Spam! Twitter add-on keeps track of how many spammers' accounts you've had deactivated

Andre Torrez was inspired to build a Twitter add-on service that allows you to track what happens to the accounts you report for spamming. Later, Spam! remembers the spam reports you've made and keeps track of whether Twitter has deactivated those accounts, giving you a little running tally of how many spammers' accounts you've helped to nuke.

In my experience there isn’t much of a spam problem on Twitter. Yes, it’s annoying to mention something about your iPad and have a spam bot or two tell you how you can get a free one just by “clicking this URL,” but I feel like that happens once or twice a month at most.

I normally just mark the thing as spam and move on. But the last time it happened I clicked over to see the account’s timeline and saw they had been at it for quite some time. Even tweeting innocuous tweets in between the mention spam which I guessed was to throw off Twitter’s own spam algorithms...

So I built laterspam.org because I thought people might get a little satisfaction out of marking something as spam and knowing Twitter did something about it.