I've written before about the increased use of URL shorteners in spam. For spammers, the advantage of using a URL shortening service is that the URLs in their messages aren't immediately recognizable as spam domains, and recipients may be reluctant to reject messages just because they contain a shortened URL. On the other hand, if the shortening service admins are on the ball, they can set up tools to do mass purges of spammy URLs. But they must want to address the problem ...
Stock spam is back
15 December 2009 - 07:48 AM
For a long time, one of the core features of this site was the index of recently-spammed stocks. At the peak, we once saw 18 distinct spam-advertised stocks promoted in a single day, and for a long time 5 or 6 symbols a day was common. Then all that changed. Stock spam took a body blow. While it would be nice to think that our documentation played a part in raising public awareness and reducing the profitability of stock spam, the truth is that the sharp fall-off was almost certainly due to two high-profile arrests. Following the July 2007 arrest of Darrel and Jack Uselton, and the subsequent arrest of Alan Ralsky in early 2008, stock spam fell off a cliff. It's hard to be sure, but just looking at the graphs, it certainly looked to me as if the Feds had got their men.
Hotmail Hijack #4
14 November 2009 - 10:20 AM
We continue to get reports from users who have had their Hotmail accounts taken over by a particular Chinese 'fake-storefront' scammer. The compromised accounts are then used to send out email advertising the fake shopping sites set up by this scammer.
Initial reports of this problem came from Windows users. Since then, however, we've had reports from users of both MacOS and Linux that their Hotmail accounts have been compromised. This makes it very much less likely that the passwords are being stolen by some piece of malware, and more likely that some other mechanism is being used.
Murk-o-sur
16 October 2009 - 07:32 AM
Our spamtraps get hit with a fair amount of unsolicited email from Latin America, particularly from Brazil, Argentina and Peru. By and large, this email is from actual businesses (albeit sometimes small or shady ones) rather than pharmacy spammers or penis pill vendors.
Some of the senders are knowingly abusive, as can be seen by the contortions they go through to try to avoid spam-filtering or identification. The word 'publicidad' ('advertising'), which several Latin American spam laws require to be included in the subject line of the message, is often permuted in interesting ways. Others actually comply, to a greater or lesser degree, with whatever laws are in force in their country. And then there are the disclaimers ...
"opt-out" is not a "policy"
01 October 2009 - 12:29 PM
A recent piece of unsolicited email, promoting a Brazilian retailer called Chic Mix, carries the following interesting message (loosely translated from the Portuguese):
Anti-Spam Policy: if you don't want to continue receiving news from Chic Mix, please click here
If you spotted that the words 'anti-spam policy' don't really belong there, give yourself a small prize. Whatever that message is, it's not a 'policy'.
Jose Thomaz goes crazy
12 September 2009 - 07:59 AM
Spammers come and go. Some spammers, however, just keep on spamming. One of the most prolific and persistent is a Brazilian spammer advertising health insurance plans. For a long time, this spammer was an unknown. He used a constantly changing lineup of email addresses, some of which featured the word 'saude' ('health') or some variation on 'jcthomaz'. Eventually, however, he started advertising a domain - jcplanosdesaude.com. In some cases, the domain didn't appear in the message, but phone numbers that were also listed on that domain did.
Hack'n'spam
30 August 2009 - 07:14 AM
One of the perennial problems for spammers is finding what the intelligence community refers to as 'clean skins': identities that aren't associated with known bad actors. For spammers, the problem is two-fold: they want their emails to originate from netblocks that aren't known to be spam-infested, and they want the URLs that they cite to refer to domains that aren't known as spam domains.
Hotmail Hijack #3
27 August 2009 - 08:22 PM
In a blog post, Microsoft has acknowledged that some Hotmail users' accounts are being hijacked, a problem that has been previously discussed here. The article claims that a "worm or virus" is involved.
Yahoo! vs .cn
15 July 2009 - 09:00 AM
As mentioned in a recent post about abuse of URL shorteners, Yahoo! is currently a popular choice for spammers wanting to host their ads on a 'trustworthy' domain. Spammers create Yahoo! groups or profiles, post their ad copy to the profile page or as a message to the group, and then send out spam containing the relevant URLs. Because the URLs contain the 'yahoo.com' domain name, they aren't good candidates for URI DNSBL filtering.
Our traps have been picking up a lot of this kind of spam recently, so I decided to try to work out how big the problem really is.
The Long and the Short
07 July 2009 - 08:37 PM
MessageLabs is reporting that use of URL shorteners in spam has exploded, with more than 2% of all spam now containing shortened URLs. The technique is reported to be heavily used in spam sent by the Donbot botnet.