Spamming to hide fraud

An interesting article at NetworkWorld last month, describing spam bombs to victims of fraud and identity theft to hide the transactions and notifications from financial institutions.

The targets are individuals, whose identity and personal information the thieves already have. The victims’ email inboxes suddenly get flooded with thousands upon thousands of emails — as many as 60,000 during a 12- to 24-hour period — that contain no links, no graphics, and no advertisements. “[The contents are] nothing but mash-ups of words and phrases from literature,” he wrote.
[…] the real point is to distract the user from valid email, which will likely include confirmations of purchase receipts or balance transfers from fraudulent transactions made with the victim’s credentials.

This doesn’t seem to be a widespread problem currently, and I expect that many of the major ISPs will identify this as a mailbomb and stop the mail. As many of these mails are coming from botnets, too, many ISPs will block the mail during the SMTP transaction. I think for most people, there isn’t a huge risk. However, that doesn’t mean we shouldn’t be aware.

The challenge of Gmail
Happy Valentines Day

Related Posts

Light blogging for a while

Sorry for the lack of substantive posts, things seem to have gone completely out of control and I’m not finding a lot of extra cycles to sit down and blog. I’ll try and get some stuff up this week, but I’m also getting ready for MAAWG and the sessions I’m a part of there.
There was an interesting post by Romer over on his personal blog. If you don’t know, Romer helps maintain one of the commercial mail filters. He recently got spammed by one of his vendors and talked about how this is probably not the best idea. Al adds his own take on companies assuming permission. I’ve talked about taking permission in the past but haven’t touched on things like “spamming the guy who runs the filter.”
You’d be surprised, or maybe you wouldn’t, about how many people who run filters for large organizations get spammed regularly. You wouldn’t be surprised to find out that those people do factor in their own personal spam load when adjusting their organizational filters.

Read More

Who's sharing data

Al has a post asking what people would do if their information was shared after opting out of any sharing.
It’s a tough call and one I think about as I see mail coming to my mailbox to such addresses as laura-sony and laura-quicken and laura-datran. All of these were addresses given to specific companies and where I attempted to opt-out of them sharing my data with other companies. Somewhere along the line, though, the addresses leaked and got into the hands of spammers.
Those addresses are overwhelmed with spams and scams. The frustrating part is there is no way to fix it. Once the addresses are leaked, they’re leaked. They will be receiving spam throughout eternity, even if the companies involved stop selling data or fix their data handling problem.
I don’t know what to do, honestly. If I think it was a one time thing, such as the addresses that started getting spam after the iContact data leak, then I’ll change my address at the vendor and retire the address the spammers have. But with other vendors, I don’t know what happened and I suspect the vendor doesn’t either, and so I can either deal with the spam or hope that I don’t lose real mail from that vendor.
There’s no easy answer. Any time you hand over an email address, or any other form of personal data, you’re trusting in the company, all of their employees and all of their vendors and partners to be honest and competent. This is often not the case.
What do you do?

Read More

Motion to dismiss in Penkava v. Yahoo case

Earlier this month Yahoo filed a motion to dismiss in the Penkava v. Yahoo. This is the class action lawsuit where an Alabama resident is attempting to sue Yahoo for violation of the California wiretapping law.
Here’s the short synopsis.
People send mail to Yahoo. Yahoo “creeps and peeps” on that mail so they can profit from it. Plaintiff doesn’t like this, and thinks that he can use the California Invasion of Privacy Act (“CIPA”), (Cal. Penal Code § 630, et seq;) to stop Yahoo from doing this. Additionally, there is a whole class of people who live in every state but California who have also been harmed by Yahoo’s actions. The plaintiff would like the court to make Yahoo stop doing this. (First Amended Complaint)
Yahoo’s motion to dismiss is actually pretty dry and there aren’t really any zinger pull quotes that make sense without reading the whole 35 pages. The short version is that what Yahoo is doing is not a violation of California law, it is simply handling email as it has to be done to get it to recipients. Plus, California law cannot apply to mail sent from a non-CA resident to a non-CA resident because that would violate the dormant commerce clause. The class as defined makes no sense. Finally, the plaintiff continues to send mail to Yahoo addresses knowing the mail is being “scanned” and that is implicit permission for Yahoo to do it.
In the initial complaint there was an allegation that Yahoo’s behaviour was a violation of Federal and/or California Wiretapping laws. These allegations appear to have been dropped in the First Amended Complaint.
Right now there is a hearing scheduled for March 13, 2013. I’ll keep an eye on the filings.

Read More