Spamming to hide fraud

An interesting article at NetworkWorld last month, describing spam bombs to victims of fraud and identity theft to hide the transactions and notifications from financial institutions.

The targets are individuals, whose identity and personal information the thieves already have. The victims’ email inboxes suddenly get flooded with thousands upon thousands of emails — as many as 60,000 during a 12- to 24-hour period — that contain no links, no graphics, and no advertisements. “[The contents are] nothing but mash-ups of words and phrases from literature,” he wrote.
[…] the real point is to distract the user from valid email, which will likely include confirmations of purchase receipts or balance transfers from fraudulent transactions made with the victim’s credentials.

This doesn’t seem to be a widespread problem currently, and I expect that many of the major ISPs will identify this as a mailbomb and stop the mail. As many of these mails are coming from botnets, too, many ISPs will block the mail during the SMTP transaction. I think for most people, there isn’t a huge risk. However, that doesn’t mean we shouldn’t be aware.

Related Posts

Spammers are funny

Dear Spammer,
If you are going to send me an email that claims it complies with the Federal CAN SPAM act of 2003, it would be helpful if the mail actually complies with CAN SPAM.
In this case, however, you are sending to an address you’ve harvested off my website. The mail you are sending does not contain a physical postal email address. You’re also forging headers. Both of those things are violations of CAN SPAM. Given you have also harvested the laura-questions@ email from this website, that is treble damages.
Oh, and while we’re at it, you might want to consider your current disclaimer.

Read More

Harvesting is alive and well

I’m finding out that email address harvesting off websites is alive and well on the Internet. We have a rotating address on the contact page, which does get harvested but usually the spam is attempting to sell me blog related services. I didn’t expect to get a very different collection of emails to the address I posted here. I’m quite surprised that address is getting a completely different type of spam from the contact address.
The one thing that harvesters appear to have in common is sending CAN SPAM violating email. Both the contact address and the questions address get lots of mail that is in violation of US (and California) law. One of these days I might get bored enough to file a suit against one of them and blog about it.

Read More

Harvesting and forging email addresses

For the contact address on our website, Steve has set up a rotating set of addresses. This is to minimize the amount of spam we have to deal with coming from address harvesters. This has worked quite well. In fact it works so well I didn’t expect that publishing an email address for taking reader questions would generate a lot of spam.
Boy, was I wrong. That address has been on the website less than a month and I’m already getting lots of spam to it. Most of it is business related spam, but there’s a couple things that make me think that someone has been signing that address up to mailing lists.
One is the confirmation email I received from Yelp. I don’t actually believe Yelp harvested my address and tried to create me an email account. I was happy when I got the first mail from Yelp. It said “click here to confirm your account.” Yay! Yelp is actually using confirmations so I just have to ignore the mail and that will all go away.
At least I was happy about it, until I started getting Yelp newsletters to that address.
Yelp gets half a star for attempting to do COI, but loses half for sending newsletters to people who didn’t confirm their account.
I really didn’t believe that people would grab a clearly tagged address off the blog and subscribe it to mailing lists or networking sites. I simply didn’t believe this happened anymore. I know forge subscribing used to be common, but it does appear that someone forge signed me up for a Yelp account. Clearly there are more dumb idiots out there than I thought.
Of course, it’s not just malicious people signing the address up to lists. There are also spammers harvesting directly off the website.
I did expect that there would be some harvesting going on and that I would get spam to the address. I am very surprised at the volume and type of spam, though. I’m getting a lot of chinese language spam, a lot of “join our business organization” spam and mail claiming I subscribed to receive their offers.
Surprisingly, much of the spam to this address violates CAN SPAM in some way shape or form. And I can prove harvesting, which would net treble damages if I had the time or inclination to sue.
It’s been an interesting experience, putting an unfiltered address on the website. Unfortunately, I am at risk of losing your questions because of the amount of spam coming in. I don’t think I’ve missed any, yet, but losing real mail is always a risk when an address gets a lot of spam – whether or not the recipient runs filters.
I’m still pondering solutions, but for now the questions address will remain as it is.

Read More