So I decided to let Facebook check my Gmail contact list to see if I had missed some contacts (people using aliases, etc …). After carefully selecting a couple of FB friends to invite (a buddy from the army, …), I clicked ‘Select’ and then ‘OK’ on the next screen that I supposed was a ‘Confirm’ window. I didn’t even read what was written on it. Some minutes later I saw emails starting to come in on different email aliases I had created in all my years of Internet activity. Apparently I allowed Facebook to send email messages to all Gmail contacts with email addresses that were not yet ‘known’ in Facebook. I have about 1500 addresses in my Gmail, let’s say some 500 already have a FB profile: so I just allowed Facebook to send out 1000 ‘unsollicited commercial emails’ or *spam* on my behalf. There is no way for me to know how many emails went out, nor to whom. I feel strongly embarrased, since I have been a strong opponent of spam for years, and since I have no idea who I have bothered with this bulk mail.

A company like Facebook probably has a whole team concentrated on user experience and workflow streamlining, so I can only assume that this strategy is by design. They probably have to keep the monthly exponential growth numbers so they use every opportunity to collect new email addresses. This is plain wrong. The default should be ‘opt in‘, not ‘opt out‘ (that is, select those you want to invite instead of unselect those you don’t wanto to invite).

So dear Christopher Cox and/or Chamath Palihapitiya at Facebook, while you will probably say that ‘but it is clearly written on the page that they’re about to send an invitation to (in my case, 1000??) contacts‘, you know that you are wrong on this one. You’re spamming. Big time, like real jerks. Since you’re probably not going to do anything about it, Google: any ideas?

http://www.google.com/support/forum/p/gmail/thread?tid=46004a5733eee4f0&hl=en

http://blogs.zdnet.com/social/?p=266

http://www.smartmobs.com/2007/09/02/facebook-friending-spam/

Related posts:

1. My first Facebook spam The Belgian Facebook community is growing and I was...
2. Colorbar: belgian spam In the last three days I have received 3 mails...
3. Who knows a spam pigeon? I wrote about the economics of spam earlier: P$...

Rather suspicious, right? So I started checking some of them out:

Most of them were similar: very few updates (1-2), a lot of ‘Following’ and hardly any ‘Followers’. And, most importantly, a link to the same website in their profile: ‘the6figureteam.com’. This has all the looks of a spammer at work. The ‘6 figure’ website is a promotion for a DIY kit to convert your car so it runs on water.

(in the small print you can read it’s actually water AND gas, not just water.)

The owner of the domain cannot be traced (Domains-by-proxy). But the site points to a redirection service, which is run by Clickbank:

Now we’re getting somewhere: Clickbank is a company from Boise, Idaho.

It also operates as Keynetics or Click Sales Inc. What they do is described in a lawsuit they got for ‘regular’ email spamming:

Apparently the company is quite big, they allow low-tech customers get money for referrals, which means a lot of people without scrupules will use it to let other suckers click on their links. Colleagues of theirs: Tradedoubler, CommissionJunction, Affili.net.

Who is to blame for the spam Twitter accounts? Clickbank just runs the technical redirection platform, Centemax (11K hits in Google all of them spam/landing pages) just set up a commision scheme for a ‘Run your car on water’ product, and the affiliates just used that scheme to try to make money. Capitalism at work, right?

SOLUTION: better detection

The best thing Twitter could do is enhance their detection:

• if a large number of new twitter accounts are created with the same URL in their profile: SPAM
• if they have almost no own updates, no followers, but they’re following 5000 other accounts: SPAM
• if the URL they refer to is a page full of ClickBank redirects: SPAM
• …

Related posts:

1. Adsense: The long tail of spare change Last year, Google took in about $2.7 billion through...
2. MySpace: bulletin and other spam MySpace spam MySpace is a vast collection of web real...
3. My first Facebook spam The Belgian Facebook community is growing and I was...

Dear Mr. Bob Flora,

you are probably a collaborator for the “Linkeroever” movie. I see you were a sound designer for “Dju!” by Daniel Lamberts, who’s a friend of mine. So you’re connected to the Belgian cinema scene. But might I point out that we have never talked or met in person. So when you send me an email like the one above, that is not only impolite, it is also spam.

First off: didn’t your mom teach you proper manners? You don’t address me, you don’t introduce yourself, you just start shouting “Check it, rate it, forward it!”. Do you think that exclamation mark is gonna convince me? Never heard of the word ‘please’?

Secondly: where did you get my email address? I sure never gave it to you. I’m gonna reply to you to request to be removed from your spamming list, and it would be a good idea to comply with that.

Finally: do you think you’re doing Linkeroever or Pieter Van Hees a favour with stunts like that? I’m not linking to the movie or the Youtube trailer, as you might notice. That’s because you pissed me off. Your marketing skills are severely underdeveloped. Do something about it, or stick to designing sound.

 Regards,

Peter

Related posts:

1. Mark Hostetler, Austrian spammer (This is a blog post about an Austrian spammer. The...
2. Why spam opt-out lists won’t work I was reading about a technique to discourage spammers:...
3. The sneaky shall inherit the earth “Wie niet waagt, blijft maagd”, as they say over...

“Wie niet waagt, blijft maagd”, as they say over here. This guy promises to ask his spam buddies to stop comment-spamming, als long as you put a link to his site. A while ago, he used to promise only “If you dont like advertising comments please send me an email with your site address to tedirectory(at)yahoo(dot)com and I will not write on your site” (cf yahooinsiders), but now he seems to have expanded his influence. He is spamming several of my websites continuously. The source seems to be some people over at Global Net Access, Atlanta (via spam.tinyweb.net).

Which makes me dream of ‘Big Spammer’, a TV-show where known spammers are followed by a hidden camera for a couple of weeks (’see how he has been wearing the same shorts for a whole week now’) after which they are sued, convicted and dragged to jail, while all their computers are crushed by a huge truck. Mmmm, revenge …

Related posts:

1. Avoiding wiki spam in Mediawiki The great thing about Wiki’s is that everyone can...
2. Why spam opt-out lists won’t work I was reading about a technique to discourage spammers:...
3. Don’t unsubscribe from spam Brian McWilliams, author of Spam Kings has published an...

When I joined Facebook, there were only a few people on it that I knew. The last couple of weeks, there have been invitations coming in on a daily basis of people that I (sort-of) know. The typical early adaptors, of course, but also some outsiders. Juliane is the first spam attempt I get – not a full-fledged Nigerian scam or erection drug, I admit, but still. I hope Facebook can control misuse; because MySpace surely can’t.

Other articles on Facebook spam: Marketing Sherpa – Organized Confusion

Related posts:

1. Facebook tricked me into my own spam FAIL So I decided to let Facebook check my Gmail...
2. Colorbar: belgian spam In the last three days I have received 3 mails...
3. Who knows a spam pigeon? I wrote about the economics of spam earlier: P$...

Attention Mr. Forret,

It has been brought to our attention that you published or caused to be published an e-mail communication and/or internet bulletin containing words that are false, misleading and defamatory to our firm. More specifically, these publications can be found at:

blog.forret.com/2004/12/domain-registry-of-america-scam/

More specifically your statement “Domain Registry of America scam”. That statement is false and misleading in many ways:
1) The title of the publication accuses Domain Registry of America as being involved or perpetrating some type of scam, which his false.
2) Domain Registry of America’s mailings do not “urge” or “scare” anyone to take any action towards the mailing. It informs domain name holders that they now have the option to “transfer and renew” their domain name with any Registrar of their choice and take advantage of lower pricing and better service.
3) Your use of the phrase “it’s a scam”
4) Unaware to you, this mailing has been approved by the Federal Trade Commission as clearly describing it meaning and purpose. (PF: Actually they’ve done quite the opposite)

Your publication has caused and continues to cause Domain Registry of America irreparable damages and we intend to hold you responsible for these damages both past and present. You are hereby notified that we demand these false, misleading and defamatory statements mentioned above that you have published or have caused to be published be removed by no later than 15 days of your receipt of this notice.

If we do not receive written notification that these publications have been removed by the above deadline we will without further warning, advise our lawyers to commence a lawsuit in an Ontario court for damages and a permanent and interlocutory injunction restraining you, your employees, agents and representatives from making and publishing such publications. Domain Registry of America/Canada has successfully taken legal action in the past against other publishers of similar false, misleading and defamatory statements.

Govern yourselves accordingly,

Domain Registry of America/Canada
Relations Department
legal@droa.com

Small recap: DROA sends letters to owners of domain names urging them to renew their domain names with them. The letter looks like a bill that has to be paid. If someone falls for it, his or her domain names are transferred to and invoiced by the DROA. It is true, they include a notice in small print ‘This is not a bill’, but it is a scam nevertheless: they try to trick people. And so now they send me a cease-and-desist.

As I researched earlier, the founders of the company, Daniel Klemann, James Tetaka and Peter Kuryliw (all from Toronto, Canada) spend a lot of time in courtrooms since they seem to be all kinds of nasty business. The person who sent me the letter, Alan Benlolo, is apparently member of the same club:

• The defendants – Michael Risman (”Risman”), Alan Benlolo (”Benlolo”), Stephen Dale (”Dale”), and Lenny Nacher (”Nacher”) – approached the victimized investors and claimed to represent an investor who was prepared to purchase the shares at a substantial premium, but insisted that the proposed seller first post a “deposit” to insure the closing of the transaction. 1999
• “He had been indicted and charged in Pennsylvania for his participation in the fraudulent telemarketing scheme involving the sale of indium. He pleaded guilty and was incarcerated for 18 months 2003“
• Investigators dubbed the stock-swindle case Project Opulence–a fitting title since Alan Benlolo, 36, and his 38-year-old brother Elliot lived so lavishly off the proceeds of their scams 2004.
• The individuals (Alan Benlolo, Elliot Benlolo, Simon Benlolo, Victor Serfaty) sent out mail pieces that falsely appeared to be bills or invoices from Bell Canada or Yellow Pages, when in fact they were solicitations to have the recipients’ business details appear in Internet-based directories operating under the names Yellow Business Pages.com and Yellow Business Directory.com. Between May and December 2000, they sent the mail pieces to approximately 900,000 businesses and non-profit organizations in Canada and generated sales of over $1 million.2004

Birds of a feather …

So, Mr Benlolo: I don’t think you’re going to sue me, nor do I think you can. I am causing the DROA “irreparable damages” with my little blog? That just made my day!

Related posts:

1. “Domain Registry of America” scam UPDATE: I received a cease-or-desist from DRoA in March 2006...
2. Amy Cross spamming Technorati If you look through the posts under the Technorati tag...

When I take a look at the website that was cited (I won’t link to it), it is not clear to see what the service is actually about: I’m guessing it is to see who blocked you (MSN contacts that look off-line to you, but that are actually online). To check if one of your MSN buddies has blocked you, you ‘only’ have to fill in your Hotmail username and password. This should already make you nervous: you should never give those credentials to a site that’s not Hotmail or MSN.

Take a look under the “Verder” (= “Continue”) button. In a very light gray (#dfdfdf to be exact), there is the option to email all your MSN buddies, and by default it’s ON. Since it is hardly visible, I guess most people who try out the service leave it like that and as such ‘give permission’ to send out a couple of dozen to several hundreds of emails. You only need a few gullible recipients to create a ‘viral’ effect.

In the terms and conditions on the bottom of the (very long) page, you’ll find:

6. De gebruiker die deze dienst gebruikt is zelf verantwoordelijk voor het goed bekijken van de opties alvorens hij of zij op de knop [ verder ] drukt.
7. U dient zelf de optie [ mailen naar uw MSN vrienden ] uit te vinken als u uw vrienden niet wilt mailen.
8. Er kan geen aanspraak worden gemaakt op de werking van onze diensten omdat wij het checker systeem niet zelf hosten. Wij zijn alleen een technische kant die er voor probeert tezorgen dat u contact kunt krijgen met de MSN server. De MSN server/checker kan soms offline zijn. Wij mailen absoluut zelf niet. Alle mailtjes worden door de gebruiker zelf gedaan. Hij of zij is hier dus ook zelf verantwoordelijk voor. Bij overmatig gebruik kunt u mailen naar de persoon waarvan u het mailtje heeft ontvangen. Bij gebruik van onze dienst stelt u ons vrij van enige schade aan derden.

In short:
#6: the user is responsible for verifying all options before clicking [ Continue ]
#7: you should disable the option [ send mail to all MSN friends ] if you don’t want to send those messages
#8: we don’t send the emails, the user does. If you have complaints, contact that person, not us.

I certainly don’t agree with their point #8. Technically, they send the messages. They could claim the user ‘requested it’. In any case: it’s spam!

The person responsible for the site is already known as the “Mongool van scripthosting“: ene P.J. (Peter) Bierling from Groningen.

Related posts:

1. The sneaky shall inherit the earth “Wie niet waagt, blijft maagd”, as they say over...
2. Facebook tricked me into my own spam FAIL So I decided to let Facebook check my Gmail...
3. Spam economics: government role The Belgian Minister of Economy, Marc Verwilghen, recently announced the...

MySpace is a vast collection of web real estate begging to be spammed. I keep receiving spam bulletins from some of my MySpace friends, so this is a little explanation of what MySpace spam is and how it can be fixed:

Tricks used by MySpace spammers

Trick #1: hidden bulletin post form
As described by ericis.com, MySpace did not protect the bulletin submission page enough. Bulletins could be sent by an unsuspecting logged-in user through a hidden form, instead of only through the official submission form. So you might click on what seems to be just a link to a site/profile, but you are really sending a bulletin to all your friends. This mail might invite them to click on a link which hides another hidden form and …
STATUS: This vulnerability has been addressed by MySpace, but whether it is completely fixed is another question.

Trick #2: man-in-the-middle password theft


You click on a link, and you are taken to what seems to be the MySpace login page. “That’s weird“, you think, “I thought I was already logged in, but what the heck“, you give your password and you get to the page you wanted to get to. In reality, the login page was not on a myspace.com server, but on a malicious site (they just used the exact same layout) and they now have your password (cf chyna.wordpress.com)! They can now use automated scripts to log in and change your profile, or to send bulletins to all your friends. This password stealing technique is also called ‘phishing’.
That sounds improbable? Well: it costs $15 to send a bulletin to 100k MySpace “Friends”. Where do you think those 100.000 friends come from?
A recent example: Aug 27 2006.
STATUS: the only way to protect against this would be to disable external links. I don’t see that happening, so this is still something to look out for!

Trick #3: Cross-Scripting (XSS) or MySpace worms
As reported by xavsec.blogspot.com, Kuro5hin and namb.la, malicious Flash (SWF) files have been used to infect profiles: you get to a page, the SWF (which might be a visible animation or just hidden) detects that you are logged in on MySpace and uses a non-protected (unsanitized) variable to reset your MySpace name and profile.
The first one of these was the “Samy popularity worm“:

1 hour later, 9:30 am: You have 74 friends and 480 friend requests.
Oh wait, it’s exponential, isn’t it. Shit.

STATUS: the known worms are blocked, new ones aren’t.

Trick #4: fake MySpace profile pages
Profile pages that look like a real person (mainly female, young and attractive), but in the ‘Thank you for the add’ comments the links are actually advertising for e.g. webcam sites. You get invited to become their friend and when you check out their profile page, you see the advertising. This could also be combined with any of the 3 above tricks for more damage. (via photomatt.net)
STATUS: if they misbehave too much, their profile might get deleted by MySpace. Otherwise, they’re still around.

The main reason why all this is possible on MySpace and not on most other sites is that

• MySpace has a “everything is allowed except …” security policy for their content checking, instead of a safer “everything is forbidden unless …” approach.
• MySpace allows anyone to insert whatever HTML + Javascript into their pages. JS is like a Swiss army knife evil: it can be very useful, but in the wrong hands, the effects can be devastating.

An example: at some point MySpace removed all <script> tags, but there were <div id="mycode" expr="alert('hah!')" style="background:url('java
script:eval(document.all.mycode.expr)')"> tricks invented around that. Which MySpace then fixed. MySpace is continuously playing catch-up with inventive hackers.

I actually have some ideas of the hacks we will see in the future (it’s not that hard to predict), but I don’t want to help anyone that would use them, so I’ll just shut up. What I can say is:

Protect yourself

1. Do you get complaints from your friends about spam bulletins that were sent in your name? Bad sign!
2. Check your “Sent” mail. Are there messages there that you did not send? Bad sign!
3. Do you see friends on your list that you did not add yourself? Bad sign!
4. Change your password: go to your “Account settings” and click “Change Password” (this reverses the effect of #2)
5. Clean out your profile: go to your “Edit Profile” page and clean out the “About Me”, “I’d like to meet”, “Interests”, … text boxes. (this reverses the effect of #3)
6. Don’t click on links in bulletins. Better still, don’t read your bulletins at all.
7. If you unexpectedly get a MySpace login screen, make sure the URL starts with http://login.myspace.com.
8. So if you use Myspace, use your head. Don’t download or install software from untrusted sources, even those apparently recommended by your friends (Washington Post)
9. Only become ‘friends’ with people you know or artists you know. This blonde chick from Houston with 5000 friends is dying to become your buddy? Chances are, “she” might actually look more like Onslow. If that is actually your type, forget I said that.
10. Go easy on the profile pimping. If you just take whatever HTML you get from some site and paste it in your profile, that’s like taking a drink from a stranger. Next thing you know you’re screwed.

Related posts:

1. Avoiding wiki spam in Mediawiki The great thing about Wiki’s is that everyone can...
2. My first Facebook spam The Belgian Facebook community is growing and I was...
3. Facebook tricked me into my own spam FAIL So I decided to let Facebook check my Gmail...

Related posts:

1. Don’t unsubscribe from spam Brian McWilliams, author of Spam Kings has published an...
2. Who knows a spam pigeon? I wrote about the economics of spam earlier: P$...
3. Facebook tricked me into my own spam FAIL So I decided to let Facebook check my Gmail...

Belgian spammers?

I was just looking at today’s catch by my Akismet comment spam filter. BTW: the existence of spam filters like Akismet and Spam Karma is the only reason blogs can still be interactive. I already have more than 2600 detected spam comments since I migrated to Wordpress: that’s 2600 in 3 months or 30 a day on average. Since it’s an accelerating thing, I guess I must be at 100 spams per day now.
I noticed a lot of .be domain names, which seemed kind of new to me:

Are there really Belgian spammers, with Belgian addresses that you actually could go to and throw bricks through the window? Not really. The first traces went to Poland:

A Mr Pikod Darek from Poznan (Poland) has registered a load of .be domains on Dec 7th, 2005 through EuroDNS. The DNS registration was last updated on May 29th, 2006, probably because they were ready to start spamming then. All these .be sites are hosted at theplanet.com with 70.87.15.* IP addresses. I doubt Pikod hired multiple dedicated servers himself, he probably just bought a minimal shared hosting from a reseller. Why minimal? Because the only thing the .be domain does is forward you to an URL like http://www.find.fm/?aid=4077. Who is behind this ’search engine you trust’? Enter Hostetler!

Austrian spam mob

Find.fm looks like an old style web directory: you can search for products you want to buy. The results are presented in a Google-like formatting, and all links go through a domain peakc.com. The latter is owned by a Stefan Meyer from Salzburg, Austria, and the first, as you might suspect, by Mark Hostetler, Rudigergasse 4, 1050 Vienna, Austria. Stefan Meyer is a too common name in Gemran to find anything specific about the guy, but Mark was easier to track down. Rojisan outs him as the owner of Cashwebsearch.com / Peakclick.com. So we can easily suppose that he is in fact also the one behind peakc.com . He even has a Peakclick GmbH company that boasts: “We have the highest bids in the Pay-Per-Click industry; we aggregate bids from twelve paid search partners to provide you with the highest revenue potential possible.” They’ve been doing that since October 2005. One of the affiliates claims that according to the console interface some webmasters earn up to $2000 per day with (of course, that is something you *would* tell them). Peakclick also got mentioned in the recent Guardian’s quest for a spammer and in a Spamhuntress post.

Mark can answer all other questions via phone:+43-1-198.465.48.84 or ICQ: 241091072. Although, his social skills apparently leave something to be desired:

I have approached Mr Hostetler via e-mail and he has denied instigating the spamming of our guestbook, despite all links leading to his www.find.fm site. He additionally told me that, as he is in Austria, there is nothing I can do about it anyway. He has also denied knowledge of the .pl domain names. While he has quite rightly pointed out that none of the spam actually says www.find.fm, each of the links posted over the past two months have taken the browser to that site. Throughout our correspondance today, I have found his tone to be unhelpful, scathing and dismissive, hence I do not believe that he will cease this activity. During this time, after I had requested that Witchgrove not receive such spam, appealed to his better nature and explained that I was taking legal advice, another entry appeared in the guestbook.
from witchgrove.org guestbook administrator

Any lawyers out there that have some feedback on his “as he is in Austria, there is nothing I can do about it” ? Is Austria the new Russia?

Related posts:

1. Blogspot splogs in Technorati For some reason, if I search for “baeyens” on Technorati...
2. Bob Flora is a spammer Dear Mr. Bob Flora, you are probably a collaborator...
3. Amy Cross spamming Technorati If you look through the posts under the Technorati tag...

So why was the spammer using these ridiculous measurements? I have 2 theories:

1. to make even the most miniscule endowed men feel good about themselves (“I don’t need no pills to get to 4 inch! I just have to think about Pamela Anderson! And not drink for an hour, that’s the hard part.”)
2. an author that is either not familiar with both the metric and imperial system (is there a third?), either not familiar with the English language or just too lazy to re-read the whole message.

At the other side of the spectrum of well-hungness, I once heard the story that in WWII the CIA was planning to distribute XXL condoms in Germany that were labeled “Made in the US. Medium size.”. They never executed it, so no telling what the effect on the war would have been. Unfortunately I can’t find any web page on that topic. Anyone?

No related posts.

P$ = [N * (I% * S% * W% * B% * M$)] – (N * E$) – (L% * C% * R$)
where
P$ = profit, bottom-line

N = number of emails sent (can be millions!)
I% = % of addresses that are valid/correct
S% = % of addresses that are not intercepted by anti-spam software
W% = % of emails to cause the receiver to go visit the website
B% = % of site visitors that actually buy the product
M$ = margin per product sold

E$ = cost of sending 1 email

L% = risk of having legal action taken against you
C% = risk of getting convicted when you’re in court
R$ = average fine you would have to pay

What I often ask wonder about is the B%: people that actually buy the product. People actually order blue pills upon receiving emails like the one above? People believe they have been chosen to transfer millions of dollars out of some banana-republic?

So I have 2 questions (presuming the audience on this blog is clever enough not to buy through spam sollicitations themselves):

• who knows someone who has bought spam-advertised stuff?
• who knows someone who knows someone who has bought …?

There really is a task there for public television:

“And today we visit … Kevin! Kevin, you are now live on TV. You ordered something through the Internet, didn’t you, Kevin. You thought I was just the mailman delivering, but no, I am not. I am Tom Van Dyke, and you’re on “Spam Pigeon of the Week” ! Now, let’s see what you just ordered, let’s open the package. What did the spam mail say, Kevin? Hours of guaranteed pleasure? Make your girlfriend ask for more? Ha-ha-ha! Ok, it’s a box, and the box has a label that says … “Golden Enhancement Package”? Now what would we want to enhance, Kevin? Oh look, it’s a … (gets hit in the face with box)

Related posts:

1. Spam economics: government role The Belgian Minister of Economy, Marc Verwilghen, recently announced the...
2. Facebook tricked me into my own spam FAIL So I decided to let Facebook check my Gmail...
3. My first Facebook spam The Belgian Facebook community is growing and I was...