Boing Boing » spam

Bestiary of unimportant envelopes that look important

Cory Doctorow — Thu, 28 Feb 2013 20:26:46 +0000

The Evil Mad Scientist folks have compiled an annotated bestiary of junk-mail envelopes that are camouflaged to look like important correspondence. It's a fascinating study in meatspace spam.

Often times, these envelopes are quite well done. Above is an example that might cause a genuine double take— with its “FINAL NOTICE ENCLOSED“ — and bank-PIN style tear tabs on the sides...
And then, there’s the fine print, so that you really take it seriously. A $2,000 fine or 5 years imprisonment(!) are threatened under §1702 should you fail to deliver this fine specimen of ~~junk mail~~ letter to its intended victim. (This penalty is true but somewhat misleading; the law refers to obstruction of mail in general, not this “final notice” in particular.)

Envelopes That Claim to be Important

Corporations are people, so the city of Seattle can't have an opt-out policy for spammy phonebooks no one wants

Cory Doctorow — Thu, 21 Feb 2013 23:12:03 +0000

Jeff sez,

Seattle will spend $500,000 to settle a lawsuit it lost with phonebook companies over its sensible opt-out program for residents.
Beginning in May 2011, Seattle began allowing residents to opt out of unwanted phonebook deliveries. The program was so popular, the city reports that more than 2 million pounds of paper are saved annually as a result. The phonebook companies sued the city and lost, but won on appeal. The city has chosen not to appeal to the Supreme Court.
The phonebook companies alleged in their complaint that the phonebook ordinance, 'denies [their] rights guaranteed by the First and Fourteenth Amendments to the United States Constitution.'(free speech and due process). If not for the legal concept of 'corporate personhood', the phonebook companies wouldn't be able to sue Seattle to assert Constitutional rights originally written only for people.
Rather than ask the question, 'are the phonebook companies people?'and 'do they have the right to free speech?'the courts have focused largely on whether the content in the phonebooks (advertisements and phone listings) represent free speech which can't be regulated or commercial speech, which can be.
The companies claim, 'The First Amendment to the United States Constitution prohibits government from -- enforcing the desire of citizens to avoid communications [and] from prying into citizens' preferences regarding communications they seek to avoid.'

Corporate Personhood to Cost Seattle $500,000 to Settle Phone Book Lawsuit (Thanks, Jeff!)

(Image: Seattle Phone Book Spam, a Creative Commons Attribution (2.0) image from edkohler's photostream)

Music industry hates anti-spam laws

Cory Doctorow — Thu, 21 Feb 2013 15:21:18 +0000

Michael Geist sez,

The business opposition to Canada's anti-spam and spyware legislation has added an unlikely supporter: the Canadian Recording Industry Association, now known as Music Canada. The organization has launched an advocacy campaign against the law, claiming that it "will particularly hurt indie labels, start-ups, and bands struggling to build a base and a career." Music Canada is urging people to tweet at Canadian Heritage Minister James Moore to ask him to help bands who it says will suffer from anti-spam legislation.
Yet Music Canada's specific examples mislead its members about the impact of the legislation. It wrongly claims that bands and labels won't be able to contact venues or stay in contact with fans. To top it off, the industry that introduced lawsuits against individuals for file sharing (CRIA members first commenced such actions in 2004) and brought us the Sony Rootkit debacle is now concerned with lawsuits against its own members for failing to abide by an anti-spam and spyware law.

Is the Road to Music Success Paved with Spam? Canada's Music Lobby Apparently Thinks So spam,copyfight,corruption,canada,corporatism

YouTube confiscates 2 billion views from Universal and Sony

Cory Doctorow — Sun, 23 Dec 2012 16:12:45 +0000

Universal and Sony Music have both had their YouTube view-counts and channels drastically cut by YouTube. A spokesman for YouTube was cryptic about the slashing, saying "This was not a bug or a security breach. This was an enforcement of our viewcount policy." The DailyDot repeats speculation from Black Hat World ("a forum where users trade tips about unethical search engine optimization tactics") where users have suggested that the entertainment giants got their ears pinned back after they were caught buying fake "likes" and "views" from a crooked botmaster.

Sony/BMG was the second largest sufferer, dropping more than 850 million views in one day, bringing its total number of views to a mere 2.3 million. RCA, which got off scot free by comparison, dipped 159 million views. Its tally now sits more modestly at 120 million views.
In addition, each label's YouTube archives are now surprisingly thin. UMG, which had long held a heavy hand in YouTube operations, now only boasts five videos on its YouTube channel, none of which are actual songs—and none of which last more than 1:23.
Sony's page, by comparison, is currently empty. The company did not respond to the Daily Dot's request for comment.

YouTube strips Universal and Sony of 2 billion fake views [Chase Hoffberger/Daily Dot] (via Reddit)

Spam kingpin chatter

Cory Doctorow — Sat, 01 Dec 2012 14:00:10 +0000

Security researcher Brian Krebs picks out some choice exchanges out of a dump from an elite Russian spammer message-board, and suggests that this contains clues to the identities of the world's most prolific spammers.

“Everything is all right with John. We drank with him recently in Europe. He is getting married soon. He is no longer spamming stocks. He got squeezed [arrested/questioned] once very badly some time ago. Now he is all clean. His friend – SP – screwed him and also is not working with stocks now. Rin is in total shit. He is going to be in jail (or he is going to be hiding) for a long time. He calls me pretty often, so he is alive so far. I am helping his wife with money from time to time.”
The two exchange recommendations about their favorite nightclubs in St. Petersburg, Russia. Tarelka inquires how Severa is doing, which elicits the following reply:
“I am okay. Damn, where to find sponsors? I am sure I can spin off stocks even in the current market. Are there any more contacts? Maybe I will ask Apple. Maybe he can give me some referrals. Who could think two years ago that this “theme” would die, huh? Give my regards to Igor [possibly Igor Gusev, the co-curator of SpamIt]. I wish you luck and patience.”
Tarelka says he tried to convince John/Apple that there was still money to be made in stock spam, but that John insisted the market was dead, and that no one was coming forward to pay spammers to send pump-and-dump spam anymore.

A Closer Look at Two Bigtime Botmasters

Kill robocalls, get paid

Cory Doctorow — Fri, 19 Oct 2012 01:48:51 +0000

If you hate robocalls and love money, the FTC wants to hear from you. They're offering a $50K bounty for practical robocall-killing technology. Details at robocall.challenge.gov.

Spam of the day

Rob Beschizza — Fri, 12 Oct 2012 14:03:00 +0000

In reply:

UK Tories put a spam kingpin in charge of the party

Cory Doctorow — Sun, 16 Sep 2012 17:34:06 +0000

Grant Shapps is the Conservative Member of Parliament for Welwyn Hatfield and the new co-chair of the UK Conservative Party. He's also co-owner (with his wife) of a spam factory called HowToCorp, which markets a product called TrafficPaymaster, a program that scrapes blogs/RSS/search results, runs the text through a thesaurus (seemingly to avoid copyright infringement charges) and pastebombs the resulting word-salad onto pages slathered in display ads, in the hopes of tricking search engines into returning them as results for highly ranked queries and racking up accidental click money.

Danny Sullivan explains the workings of "spinner" software like TrafficPaymaster, and documents the tricks that the Shappses' company uses to market its wares, including a web of aliases and elaborate, misleading accounts of how Google views products like TrafficPaymaster and its useless output (here's a sample of the material the Shappses' program outputs: "A free of charge golf swing lesson appears a very little as well superior to be accurate." Here's another: "So the to begin with phase to getting a quality golfer is to order some clubs that match you.")

It’s high-profile, of course, because it’s fairly hard to believe that the new co-chair of the UK’s ruling political party (mostly ruling, the Conservatives share power with the much smaller Liberal Democrat party) is behind software that “plagiarizes” content to spam Google.
Technically, I’m not sure if the spinning is plagiarism, but both UK papers I’ve mentioned are running with that angle. They’re also big on this quote posted on Warrior Forum that appears to be from the aforementioned Sebastian Fox:
Google may or may not like a particular approach, but the real question is whether there are any signs about how a page has been created. If the answer is no, well then it doesn’t much matter what Google officially thinks.
The Guardian cites that as if the quote is dismissive of “Google’s attempts to police the internet,” whereas The Telegraph suggests that it means “Google would be unable to stop the copying of websites.”
The reality is that the claim isn’t some type of gauntlet being thrown down against Google. It’s simply meant to reassure a prospective buyer of what I covered above, that Google probably can’t tell that the page was created using automation, so even if Google has official rules against that (it does), TPM users probably won’t get caught.

Danny finishes: "The Conservatives came under accusations that they were too close to Google earlier this year. Having the party run by someone who created, and still seems associated with, a business designed to help people spam Google probably will serve as a nice balance to that."

New UK Conservative Party Co-Chair Grant Shapps Founded Google Spamming Business

Your daily Twitter enema

Rob Beschizza — Mon, 20 Aug 2012 19:56:57 +0000

Benjamin Jackson recommends daily efforts to kill the 'bots following you on Twitter, for the greater good: "consistently reporting real spammers does work. If you're older than 35 and it helps, you can think of it as picking up litter off the streets of the Information Superhighway." [Buzzfeed]

Commercial spamflooding used by crooks to tie up their victims at key moments

Cory Doctorow — Thu, 19 Jul 2012 23:32:49 +0000

Security expert Brian Krebs was the target of a malicious email flood, and writes firsthand about the experience. These floods -- which can be directed at any and all of your phone (voice or SMS) and email -- are used by crooks who want to busy-out all their victims' communications channels while they are ripping them off electronically. This kind of flooding is available as a (surprisingly cheap) commercial service.

Used mostly in private for myself and now offered to the respected public.
Spam using bots, having decent SMTP accounts.
Doing email floods using bots. Complete randomization of the letter, so the user could not block the flood by the signatures.
Flooder is capable of the following functionality:
Huge wave of emails is being instantly sent to the victim. (depending on the server load and amount of emails to be flooded)
Delivery rate of 60-65% — depending on the SMTP servers.
Limit for flooding single email account on this server is 100,000 emails.
Plan – Children – 25,000 emails — $25
Plan – Medium – 50,000 emails — $40
Plan – Hard – 75,000 emails — $55
Plan – Monster – 100,000 emails — $70

Cyberheist Smokescreen: Email, Phone, SMS Floods

Large collection of default spam-comments from a slimy SEO tool

Cory Doctorow — Sat, 14 Jul 2012 03:10:46 +0000

I get a ton of spam sent to my personal WordPress site, which is evidently sent using some kind of toolkit for would-be SEO scumbags. The spams use the SEO-target's URL as the sender's web-page, and consist of a bland, usually mildly positive, usually ungrammatical comment.

This morning, I woke up to find that someone who was new to the tool (or unclear on the concept) had left a spam with all of the default comment messages in it, dumping the full database of anodyne comments intended to fool both the spam-filter and the human operator into thinking that the sender had read the post and was replying to it. The comments are necessarily generic, as they are meant to apply to literally any WordPress post on any site, ever. I wonder if the poor grammar and odd phrasing is deliberate, intended to make human moderators less suspicious and to lead them to think that some earnest foreigner is trying desperately to compliment them across the language barrier.

The comments also tend to invite replies, with mild complaints about RSS errors and layout problems. They mention spouses, cousins and friends. All in all, they're a curious collection of spammers' hypotheses about what will appeal to the vanity and goodwill of people who run legitimate WP sites.

I do like the way you have framed this issue and it does supply us a lot of fodder for consideration. On the other hand, because of everything that I have seen, I simply just trust when other opinions stack on that folks continue to be on issue and don't get started upon a tirade regarding some other news du jour. Still, thank you for this fantastic piece and though I do not necessarily concur with the idea in totality, I regard your point of view.
Almost all of the things you mention happens to be astonishingly accurate and it makes me wonder why I had not looked at this with this light before. This particular piece truly did switch the light on for me as far as this specific topic goes. Nevertheless there is actually one particular factor I am not too comfortable with so while I attempt to reconcile that with the actual core theme of your point, permit me see just what the rest of your subscribers have to say.Very well done.
The core of your writing whilst appearing agreeable initially, did not settle very well with me after some time. Someplace within the paragraphs you were able to make me a believer but just for a short while. I however have a problem with your leaps in assumptions and you would do nicely to help fill in those breaks. In the event that you actually can accomplish that, I will undoubtedly be impressed.

WordPress Spam Dump

The best spam I've received in a long time

Maggie Koerth-Baker — Tue, 29 Nov 2011 19:48:12 +0000

I love unintentionally funny email spam so much. Sadly, it's been a long time—like, years—since I got any that wasn't just a boring re-tread of now-standardized routines. Then, this morning, a wonderful change of pace. In my in-box I found a strange hybrid of the Nigerian prince scam + the foreign lady looking for love scam + the Craigslist I-scam-you-while-you-think-you're-scamming-me scam.

The result of this innovation is a little bit genius, and a little bit completely insane.

Shorter version: My "dear friend" Helen Small, who is very sad that she hasn't heard from me in a long time and thinks I might have abandoned her, wants to send me some of her birthday gifts as a token of her love and affection for me. For overly complicated reasons, she wants to send me these gifts in the care of her boss. That brings us to the following, amazing, couple of paragraphs:

Please do accept this token of love, I know it isn't much but I sent it from my innermost heart and belief you gonna appreciate everything inside the package coz it is coming from a special friend and in a special way to remember me on my birthday.

The content of the pack are;
2 Dell laptop computer,
4 ip-phones, AN ENVELOPE,
A Video Camera
and some jewelries.

For your edification, the video at the top is about a different kind of Spam. If you would like to find out more about what is in Spam-the-food and why it's in there, follow this video link to HowStuffWorks.com

Unicode's "right-to-left" override obfuscates malware's filenames

Cory Doctorow — Mon, 03 Oct 2011 18:59:21 +0000

Unicode has a special character, U+202e, that tells computers to display the text that follows it in right-to-left order; this facility is used to write text in Arabic, Hebrew, and other right-to-left scripts. However, this can (and is) also used by malware creeps to disguise the names of the files they attach to their phishing emails. For example, the file "CORP_INVOICE_08.14.2011_Pr.phylexe.doc" is actually "CORP_INVOICE_08.14.2011_Pr.phyldoc.exe" (an executable file!) with a U+202e placed just before "doc."

This is apparently an old attack, but I've never seen it, and it's a really interesting example of the unintended consequences that arise when small, reasonable changes are introduced into complex systems like type-display technology.

Some email applications and services that block executable files from being included in messages also block .exe programs that are obfuscated with this technique, albeit occasionally with interesting results. I copied the program that powers the Windows command prompt (cmd.exe) and successfully renamed it so that it appears as “evilexe.doc” in Windows. When I tried to attach the file to an outgoing Gmail message, Google sent me the usual warning that it doesn’t allow executable files, but the warning message itself was backwards:
“evil ‮”cod.exe is an executable file. For security reasons, Gmail does not allow you to send “this type of file.
Unfortunately, many mail applications don’t or can’t reliably scan archived and zipped documents, and according to Commtouch and others, the malicious files manipulated in this way are indeed being spammed out within zip archives.

(via Command Line)

‘Right-to-Left Override’ Aids Email Attacks [krebsonsecurity.com]

Technique for fighting submission-form spam

Cory Doctorow — Sat, 01 Oct 2011 00:04:55 +0000

Ned Batchelder sums up a series of technique to keep spammers from attacking submission forms with automated bots (it won't work against humans, but even cheap humans are more expensive than bots). Some of these techniques look like they'll continue to work even if they're widely known, while others depend merely on exploiting vulnerabilities in spammer techniques that will be refined as soon as the exploits are widespread.

We get titanic amounts of spam to the anonymous Boing Boing submission form, and most of it gets stopped using variations on these techniques. One interesting thing about our submission spam is how indiscriminate it is: various scumbags have gone to some lengths to figure out how to send spam to a form whose output is emailed to four people, and who will never, ever accidentally post their submission to this blog -- indeed, I just bulk-delete the stuff that makes it through the filter without even opening it -- our spammers are indiscriminate enough to use spammy subject lines, which means, I suppose, that they think they're going to end up someone a human being won't see them but a search-engine might.

The comment form has four key components: timestamp, spinner, field names, and honeypots.
The timestamp is simply the number of seconds since some fixed point in time. For example, the PHP function time() follows the Unix convention of returning seconds since 1/1/1970.
The spinner is a hidden field used for a few things: it hashes together a number of values that prevent tampering and replays, and is used to obscure field names. The spinner is an MD5 hash of:
The timestamp,
The client's IP address,
The entry id of the blog entry being commented on, and
A secret.
The field names on the form are all randomized. They are hashes of the real field name, the spinner, and a secret. The spinner gets a fixed field name, but all other fields on the form, including the submission buttons, use hashed field names.
Honeypot fields are invisible fields on the form. Invisible is different than hidden. Hidden is a type of field that is not displayed for editing. Bots understand hidden fields, because hidden fields often carry identifying information that has to be returned intact. Invisible fields are ordinary editable fields that have been made invisible in the browser.

(via O'Reilly Radar)

Stopping spambots with hashes and honeypots [nedbatchelder.com]

Later, Spam! Twitter add-on keeps track of how many spammers' accounts you've had deactivated

Cory Doctorow — Mon, 26 Sep 2011 16:15:53 +0000

Andre Torrez was inspired to build a Twitter add-on service that allows you to track what happens to the accounts you report for spamming. Later, Spam! remembers the spam reports you've made and keeps track of whether Twitter has deactivated those accounts, giving you a little running tally of how many spammers' accounts you've helped to nuke.

In my experience there isn’t much of a spam problem on Twitter. Yes, it’s annoying to mention something about your iPad and have a spam bot or two tell you how you can get a free one just by “clicking this URL,” but I feel like that happens once or twice a month at most.
I normally just mark the thing as spam and move on. But the last time it happened I clicked over to see the account’s timeline and saw they had been at it for quite some time. Even tweeting innocuous tweets in between the mention spam which I guessed was to throw off Twitter’s own spam algorithms...
So I built laterspam.org because I thought people might get a little satisfaction out of marking something as spam and knowing Twitter did something about it.

Later, Spam! [laterspam.org]