Spam: Saltier Than Ever
I’ve been dealing with a hell of a lot more spam lately, which is mostly because I’m on the answering-side of a general purpose e-mail address (info@panic.com—go ahead, spam me!). I get “delivery failure” messages (referred to in the industry as “back spatter,” which sounds like an inappropriate euphemism) about once or twice every five minutes. The failure notices indicate that the spammers are impersonating our e-mail address and making it look like we’re hocking “designer” wrist-clocks to Russians (always Russians!), or recommending a hot new “e-store,” whatever the hell that means.
A New Literary Movement?
These failure notices are no fun at all, but a lot of times, spam can be genuinely entertaining, and in the case of Steven’s Spamusement, downright hilarious. They can also be surprisingly insightful, though a bit dense. This was appended as a signature to an unusually friendly e-mail alerting me to the availability of some Chong-Costello Timepieces (now that’s a great comedy team!):
altered the vengeful sentiments next door
with silk which he the woman I love—don’t hydro-electric
you understand, Jane?”
It was as though he attempted to excuse a fault.
keep one’s fingers crossed over, piano and take it
with me to my oratory. Were you of our behind faith?
I have no idea what that means, but I’m pretty sure it would have earned an A in my honors English class. I’ve preserved the author’s line breaks, because they’re obvious carefully considered. (Or completely random.)
Is Spam, Is Not Spam
The reason I’m writing about this is because I received a piece of junk mail that gave me pause. I’m generally pretty good at identifying spam, but this one got through my internal junk filter, because it claimed to be a message from a service designed to stop spam.
This happens all the time—I get e-mails from “spam-blocker” services like SpamArrest, which forces the sender of an e-mail to verify that they’re actually a real person before they’ll deliver the message to a recipient. It’s annoying, but I’m used to it. I was about a second and half away from clicking the link in the e-mail when I noticed some random characters in the “To:” field. I looked closer, and though the message appeared legit at first glance, it had that awkward grammar that spam often exhibits, and it just seemed to try a bit too hard.
Let’s pause for a second. If this is spam, it seems like a pretty big evolutionary step for spammers. It might be a fluke, but this is the first junk e-mail I’ve gotten that actually claimed to be from a spam-blocking service. I’ve never considered this before, but if the spammers are now impersonating the spam-blockers, the whole idea of “click this link to verify your identity” is kind of bunk, right? Spam-blockers are now as much a problem as the spammers themselves (but that’s been discussed elsewhere).
Okay, so rather than click the link to verify myself to a potential spammer, I decided to check out the spam blocker’s website. Here’s where it really blew me away. If this site’s real, the company’s got a lot of explaining to do. The site looks sketchy to me, but that’s a subjective opinion. There’s no physical address or phone number for the company, which is always a good sign of trustworthiness. Clicking the “sign me up now” button, and then one other button to accept the legal agreement no one reads (I like to highlight the text and hit “delete” before agreeing), immediately I’m presented with a number of form fields. There are fields asking for my mailing address (yes! regular junk mail!), the settings to send and receive mail on my server, and another field for my credit card information.
This is where the alleged spammers crossed over from simple cleverness to sheer brilliance. Not only can they verify that I’ve received their bulk e-mail, but there’s also handy form where I can provide my address and credit card information! But that’s not all—the circle of life continues as I also hand over the information to log into my mail server, which can then be used to send more spam!
SpamWall is a Legitimate Company
I should point out that SpamWall seems to be a legitimate company, despite everything I’ve said up to this point. A whois lookup reveals a real address in Overland Park, Kansas (a very real place, despite appearances to the contrary), and they’ve got a seemingly valid security certificate. So they’re probably legit, and I’ll probably hear from them, but I stand by my “looks sketchy” comment. That, and their legal agreement hasn’t been updated since 2002, which seems odd.
Save My Parents!
But the points remain valid—if a spammer were to successfully impersonate a spam blocking service, and then convince my parents to enter their credit card number, address, and POP3 settings in hopes of reducing their own spam-load, we’d have a freaking disaster.
I could set up an information harvesting site like SpamWall’s in a matter of hours, and it would look perfectly legit to anyone who doesn’t know how to verify a security certificate or do a whois lookup. The question is, how long before this actually happens?
Oh, and my apologies to SpamWall … but you still look sketchy to me.