In the last three days I have received 3 mails from Colorbar, a “lively private club for colorful people”. The first one didn’t trigger my suspicion, since I am subscribed to some music-related mailing lists. The two next mails came for 2 @forret.com aliases of which I am certain they never subscribed to any list. So I took a closer look at the email. No contact details are given, no indication of where the email addresses came from, no possibility to unsubscribe, i.e. it’s a spam mail. To be even more specific: a belgian spam message.
Continue reading ‘Colorbar: belgian spam’
Archive for the 'spam' Category
Page 2 of 4
(This is a blog post about an Austrian spammer. The reason I did not put anything more offensive in this post’s title, is because there is another Mark Hostetler, a Florida-based Wildlife Ecology professor. He’s probably a nice guy. I’m talking about a scumbag who lives in Vienna)
Belgian spammers?
I was just looking at today’s catch by my Akismet comment spam filter. BTW: the existence of spam filters like Akismet and Spam Karma is the only reason blogs can still be interactive. I already have more than 2600 detected spam comments since I migrated to Wordpress: that’s 2600 in 3 months or 30 a day on average. Since it’s an accelerating thing, I guess I must be at 100 spams per day now.
I noticed a lot of .be domain names, which seemed kind of new to me:
Are there really Belgian spammers, with Belgian addresses that you actually could go to and throw bricks through the window? Not really. The first traces went to Poland:
A Mr Pikod Darek from Poznan (Poland) has registered a load of .be domains on Dec 7th, 2005 through EuroDNS. The DNS registration was last updated on May 29th, 2006, probably because they were ready to start spamming then. All these .be sites are hosted at theplanet.com with 70.87.15.* IP addresses. I doubt Pikod hired multiple dedicated servers himself, he probably just bought a minimal shared hosting from a reseller. Why minimal? Because the only thing the .be domain does is forward you to an URL like http://www.find.fm/?aid=4077. Who is behind this ’search engine you trust’? Enter Hostetler!
Continue reading ‘Mark Hostetler, Austrian spammer’
Sometimes a spam mail escapes my filters and shows up in my inbox. Last week I got a “Enlarge your …” mail with some girl’s name in the From field. I deleted it right away but subconsciously I had already read some of the content. So I went back and retrieved it from my Deleted Items just to be sure: they really talk about “enlarge a penis up to 10 cm“? (UPDATE: I read this as 10cm TOTAL length, not 10 cm EXTRA length)
Indeed:
First off: as a straight guy I have no practical knowledge of what average size a girl has to put up with these days. Nor am I about to disclose my own dimensions (I want women to like me for my personality). Nevertheless, 10cm or 4″ strikes me as rather short, certainly as an ideal to be reached by taking pills. For those who cannot estimate dimensions: that’s the height of a cheap Nokia phone (the 1100, say).
Continue reading ‘Size doesn’t matter’
I wrote about the economics of spam earlier:
P$ = [N * (I% * S% * W% * B% * M$)] – (N * E$) – (L% * C% * R$)
where
P$ = profit, bottom-lineN = number of emails sent (can be millions!)
I% = % of addresses that are valid/correct
S% = % of addresses that are not intercepted by anti-spam software
W% = % of emails to cause the receiver to go visit the website
B% = % of site visitors that actually buy the product
M$ = margin per product soldE$ = cost of sending 1 email
L% = risk of having legal action taken against you
C% = risk of getting convicted when you’re in court
R$ = average fine you would have to pay
What I often ask wonder about is the B%: people that actually buy the product. People actually order blue pills upon receiving emails like the one above? People believe they have been chosen to transfer millions of dollars out of some banana-republic?
Continue reading ‘Who knows a spam pigeon?’
I was reading about a technique to discourage spammers: let an organised mob fill in thousands of fake submissions so that there is no way telling how to distinguish them from real responses. They targeted a known spammer, Alex Polyakov, currently #8 in Spamhaus top 10 and he did feel the pain.
During the 13-minute call, Polyakov claims that his “interest is only to make honest dollars.” As a peace offering, Polyakov proposes to create a global opt-out list, “the anti list of all anti lists.” Polyakov says he has no interest in sending spam to people who don’t want to receive it, and he guarantees that he will persuade all his spam-business associates to clean their mailing lists.
from Spamkings blog via digg.com
Let’s consider such a global opt-out list:
DISTRIBUTED OPT-OUT LIST
- let’s say it would be something like 1 million addresses (just a ballpark figure). All in lower case, with no funny characters.
- In order to make sure the list is not used as a spamming list itself (since these guys are not known for playing by the rules), it should be communicated not as email addresses, but as a list of hashes (e.g. MD5/SHA-1) of email addresses. (Which means you cannot get back the email addresses from the hash)
- SHA-1 is 160 bits or 20 bytes per address. MD5 is 128 bits or 16 bytes per address. MD5 is less secure but for this purpose, who cares (false positives are not a big issue).
- The size of the list would be 16 bytes x 1 million = 16MB, which is manageable for daily/weekly updates.
- One could accept domain wildcards (*@example.com) but since Hotmail, Yahoo, Gmail … would want to add a wildcard for their users, this would kill the spammers’ lists so no one would use it. Plus, some people might object to the fact that they are not kept up-to-date with the latest Ci@lis/Vi@gr@ prices.
- Let’s say a spammer would use a 100-million addresses target list. This means 100 million emails of something like 30 bytes on average (high estimate, I know). So he would need to calculate the MD5 for 100.000.000 x 30 bytes or 3GB. Looking at some MD5 throughput stats (20MB/s) this is a matter of minutes, not hours.
- Then the spammer has to remove all addresses that feature in the opt-out list. This can easily be done as a merge of 2 sorted lists. The overhead is negligible.
- If the opt-out list grows to 100 mio addresses, and the size to 1.6 GB, download is still done in less than 1 hour over ADSL.
- HOWEVER: dictionary attack! I am ruthless spammer and I just got a list of 1 million hashes? Mmm … I could create a dictionary of probable email addresses and see if they actually exist! An email consist of the letters [a-z], numbers [0-9] and the characters [-._] before the ‘@’ sign. So all combinations up to 10 chars are around 40^10 (gross simplification, I know) or 10^16, and if I filter out the incorrect ones (44444444444@) and use the billion most probable ones (e.g. “jill.jackson@” is more probable than “a77..-_-8@”), combined with the postfixes hotmail.com, yahoo.com, comcast.com, … I could probably find some addresses of notorious anti-spammers, send them loads of email and destroy the credibility of the opt-out list immediately.
EMAIL SERVICE PROVIDER
- someone that sends email on behalf of spammers, that always uses the opt-out list, and that because of this admirable behaviour gets treated more leniently by anti-spam software.
- Advantage: the opt-out list never has to be sent to spammers, and no mails go to the opt-outers.
- Disadvantage: ain’t never gonna happen. Spammers would have to pay for this service and they won’t, the service would have to be operated by a trusted 3rd party but who would want to do that?
SELF-REGULATION
The American Direct Marketing Association (DMA) has the e-Mail Preference Service (e-MPS), the Belgian Direct Marketing Association has the Robinson-list. As I recall from my Direct Marketing days, the Robinson list was always used to clean up addresses.
But getting the emailers in the DMA to use a global opt-out list will only help very little. They’re not the real problem. The real problem are the Russian/American vilains on the Spamhaus top 10.
Conclusion
I would have to agree with Spamhaus:
1. For-a-fee Address Remove Lists are operated by conmen.
2. No legitimate marketing firm sends Unsolicited Bulk Email in the first place.
3. Can you imagine spammers doing this?
4. All spammers believe their junk is different from the junk other spammers send.
from spamhaus.org
For some reason, if I search for “baeyens” on Technorati (sorry, John), all I get is a list of splogs (spam blogs). The first ‘real’ result is somewhere at #50, drowned between WEBCAM, CAMERA and PHONE CARD splogs.
They all have the same characteristics:
- all on Blogger’s blogspot.com
- post title is up to three spam words in upper case
- blog title is up to three spam words in lower case
- blog post contents is a sequence of words without any meaning (apparently ‘baeyens’ has become part of a standard splog dictionary)
- at the end of the blog post is an
iframepart - the
iframeinserts code from www.webs-search.com in the page that also redirects the browser to e.g. http://www.webs-search.com/search.php?key=guns (if the blog topic was ‘guns’) - that page is filled with ads that go through www.peakclick.com, an Austrian PPC site
What I mean is: Dave, you guys should be able to filter this scum out! And Matt, can’t you give the Blogger team a hand in attacking the splog problem from their side? We don’t want Technorati installing a if (domain ends in "blogspot.com") {/* treat as splog */ ... } rule, do we? Or do we?
webs-search.com
- domain is registered by a “Anrev, Kovacz contact@mwayc.com – 1003 Star Street – Novambark, na 88737363 – CA”
- the registration address for mwayc.com is “41 State Street – New York, NY 12345 – US”
- domain is hosted on an EV1 server: ev1s-67-15-104-73.ev1servers.net [67.15.104.73]
- the page title is ‘Licht und tonanlage’, which could mean that either the above Kovacz speaks German, or -more probable- that the site’s code was delivered by the Austrian PPC site.
Technorati: technorati – splog – blogspot – detection
The great thing about Wiki’s is that everyone can edit them. The problem is that this attracts a new strain of spam morons: the wiki spammers. My Tango Wiki has gotten spammed several times per day since I launched it. A page gets changed to a list of URLs for various drugs, mostly ‘male performance related’, let’s say.
A sample of the IP addresses of the offenders (basically all over the place):
- 67.86.88.200 (optonline.net – Brooklyn, USA)
- 80.58.4.46 (rima-tde.net – Madrid, Spain)
- 80.58.50.107 (rima-tde.net – Madrid, Spain)
- 81.56.56.80 (proxad.net – Paris, France)
- 81.138.240.12 (btopenworld.com – Watford, UK)
- 82.131.14.62 (starman.ee – Saue, Estonia)
- 82.92.4.145 (xs4all.nl – Amsterdam, Netherlands)
- 140.116.39.112 (ncku.edu.tw – Taipei, Taiwan)
- 195.175.37.7 (ttnet.net.tr – Istanbul, Turkey)
- 195.175.37.70 (ttnet.net.tr – Istanbul, Turkey)
- 196.7.0.160 (alter.net – Cape Town, South Africa)
- 210.55.18.80 (global-gateway.net.nz – Auckland, New-Zealand)
- 212.138.47.21 (isu.net.sa – Riyadh, Saudi-Arabia)
- 212.190.198.36 (uunet.be – Belgium)
They try to hide the spam by putting it inside a <div style="height: 1px"> (CSS hidden spam) so they are not visible to visitors, but get picked up by Google anyway. The goal, just as with splogs, is to create Google juice, not to get read or clicked on.
The ways to fight this abuse are based on the following techniques:
- editor whitelist: only certain IP addresses, or only logged-in users, can edit the pages
- editor blacklist: certain IP addresses are blocked (e.g. those of anonymous proxies – often used by spammers)
- spam word detection: when the text contains certain words, the edit is not accepted
- spam link detection: when outgoing links contain certain words, the edit is not accepted
- rel=nofollow: makes the outgoing links valueless for Google
A lot of valuable information on fighting wiki spam can be found on: chongqed.org and on meta.wikimedia.org. What I have already done on my MediaWiki installation is to add the following to LocalSettings.php:
$wgShowIPinHeader = false; # so no information on IP addresses can be added $wgSpamRegex="/<div/"; # so the hidden CSS trick does not work $wgWhitelistEdit = true; # so only logged-in users can edit
The Belgian Minister of Economy, Marc Verwilghen, recently announced the efforts the Belgian government would take to restore trust in the Internet as a way of doing business. This includes a directory of trustworthy online shops (e.g. in the travel business), but also some efforts to reduce spam. On the site spamsquad.be the following 4 basic rules are described to avoid spam: 1) don’t leave your email address, 2) don’t answer dubious emails, 3) camouflage your email address and 4) protect your computer.
As I said before, I think they forget one important detail, the main reason spam exists: “Don’t be an ass”.
- Don’t buy your V*agra from people who can’t even spell the drug’s name right
- If you buy the product that would make you “SCARE PEOPLE WITH YOUR HUGE C*CK”, how exactly is that going to help you?
- Don’t give money to a perfect stranger who needs you to help recover X million from his father, the recently deceased president of some banana republic.
- Don’t buy a economics degree on-line, you’re only proving you’re not worth it.
SPAM ECONOMICS
If you try to distill the spammer’s logic into a simple formula, check this:
P$ = [N * (I% * S% * W% * B% * M$)] – (N * E$) – (L% * C% * R$)
where
P$ = profit, bottom-lineN = number of emails sent (can be millions!)
I% = % of addresses that are valid/correct
S% = % of addresses that are not intercepted by anti-spam software
W% = % of emails to cause the receiver to go visit the website
B% = % of site visitors that actually buy the product
M$ = margin per product soldE$ = cost of sending 1 email
L% = risk of having legal action taken against you
C% = risk of getting convicted when you’re in court
R$ = average fine you would have to pay
The parameters I%, S% and E$ are defined by technology, and government should not mingle with that. Spam detection technology is a very active line of research and new products and/or services are coming out all the times. Yahoo, Microsoft, IETF, … are trying to reshape email so sending email to 5 million addresses isn’t so darn easy, but again, these issues are technical, we don’t need any minister to tell us or buy us a solution. L%, C% and R$, on the other hand, are very much things that should be dealt with on a national level: law-making and law-enforcing. But I doubt if many of the big spammers are Belgian, so there is little the Belgian government can do about that.
SPAM-EDUTAINMENT
The main focus of this country should be focused on reducing W% (website conversion) and B% (buyer conversion), the ‘naivite’ parameters, and the weapon of choice there is education. The Belgian federal agency Fedict has already done a fine job by launching peeceefobie.be, a consumer-oriented portal on PC security with some good advise on spam-mail (Dutch). But to reach Average Joe and Jane, they should use TV and radio. I would like to see an entertaining program on internet security that teaches people the PC security basics and that has humoristic sketches like In De Gloria. I would like to hear a program on Internet crime in the Sample Minds style.
If someone drives a gasoline car and fills it with diesel/fuel, he will be made fun of, because you’re supposed to know these things when you have a car. The same should happen with someone who lost money in an on-line scam. Invest $500 and get $50.000 from a dyslexic Russian dude who won’t disclose anything but a Hotmail address? Come on, you fell for that one?
Technorati: belgium – spam – edutainment
Recent Comments