Buford knows me so well.

August 5th, 2007

image of spam in mailbox

How did you know, Buford? How did you know?

stop spam from made-up domains

June 17th, 2006

Recently I was poking around a very spam-besieged server running Red Hat Linux and noticed that the default sendmail configuration included these lines:

dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
FEATURE(`accept_unresolvable_domains')dnl

This is a stupid default for the current spam climate. These days, we’re seeing tons of spam traffic from completely bogus domains. We can safely reject all that email without subjecting possibly legit entities to bounce messages. In most cases, you’re going to be much better off if you comment out this feature:
dnl # FEATURE(`accept_unresolvable_domains')dnl
rebuild sendmail:
make -C /etc/mail
and restart it:
service sendmail restart or sendmail.restart

But the comment is a little confusing and may scare some novice sysadmins into leaving the feature enabled.

However, the laptop
I think what they’re getting at here is a machine that’s getting its traffic through a local gateway, either a wireless router or a firewall that’s on a local subnet and will fail DNS. Even if you’re in this circumstance, you could run bind locally and create DNS entries for the local gateway(s).

users on computers that do not have 24x7 DNS
This would be a computer that has an active net connection (sendmail is receiving) but can’t reach either a local DNS server or the ISP’s DNS server. In other words, almost nobody will ever be in this situation.
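Here is the check that takes over once the feature is commented out, as an added illustration rather than code from the post or from sendmail itself: before accepting MAIL FROM, the sender’s domain must have an MX record or, failing that, an A/AAAA record. The DNS lookup is injectable so the example runs offline against a constructed zone table; the 451 4.1.8 reply is the one sendmail actually sends, the 553 reply for an address with no domain at all is this example’s own choice.

```python
# Added illustration, not code from the post or from sendmail. Models the
# sender-domain check that applies when accept_unresolvable_domains is
# commented out. `lookup` is injectable: FAKE_ZONE stands in for real DNS
# answers so the example runs offline; use a real DNS client in production.
from typing import Callable, List, Tuple

Lookup = Callable[[str, str], List[str]]  # (name, record type) -> answers

# Constructed sample answers standing in for real DNS data.
FAKE_ZONE = {
    ("example.com", "MX"): ["mail.example.com."],
    ("example.net", "A"): ["192.0.2.10"],   # no MX, but an A record still resolves
    ("gateway.lan", "A"): ["10.0.0.1"],     # a local gateway published by a local bind
}

def fake_lookup(name: str, rtype: str) -> List[str]:
    return FAKE_ZONE.get((name.lower().rstrip("."), rtype), [])

def sender_domain_resolves(domain: str, lookup: Lookup) -> bool:
    """True if the domain has an MX record or an A/AAAA record."""
    return any(lookup(domain, rtype) for rtype in ("MX", "A", "AAAA"))

def check_mail_from(envelope_sender: str, lookup: Lookup) -> Tuple[int, str]:
    """Return the SMTP reply (code, text) for a MAIL FROM argument.

    The null sender <> (bounces, delivery status notifications) has no domain
    and must be accepted. An unresolvable domain gets sendmail's temporary
    451 4.1.8 reply, so a transient DNS outage delays legitimate mail instead
    of bouncing it permanently.
    """
    addr = envelope_sender.strip().strip("<>")
    if addr == "":
        return 250, "2.1.0 Sender ok (null reverse-path)"
    if "@" not in addr:
        return 553, "5.1.8 Sender address %s lacks a domain" % addr
    domain = addr.rsplit("@", 1)[1]
    if sender_domain_resolves(domain, lookup):
        return 250, "2.1.0 Sender ok"
    return 451, "4.1.8 Domain of sender address %s does not resolve" % addr

if __name__ == "__main__":
    for sender in ("<bob@example.com>", "<ann@example.net>", "<>",
                   "<spammer@no-such-domain.invalid>"):
        print(sender, "->", *check_mail_from(sender, fake_lookup))
```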

Choosing an Email Address

June 10th, 2006

Most of the discussion around stemming the flood of email spam centers on stopping incoming spam from reaching your inbox, usually with a mixture of filtering rules and blacklists (or in some cases, whitelists for permitted senders).

There’s another possible approach, which is to reduce the amount of spam that spammers attempt to send you. This is unlikely to be completely effective, but it has a great advantage over stopping incoming spam with filters and blacklists in that it doesn’t consume resources on the server that handles your email. And one way or another, the cost of those resources gets passed on to you.

Spammers get email addresses in two ways:

  1. They harvest them from sources including webpages with contact information, posts to newsgroups/mailing lists, and address books on “zombified” personal computers. (Every address in this post contains the word “example” to make it less likely that spammers will harvest valid domain names from it.)
  2. They just make them up — they create likely-sounding email addresses using lists of common words and names. This is often referred to as a “dictionary attack.”

Later we’ll devote some posts to keeping your email address out of spammers’ clutches. But you’ll be better off if the next email address you create for yourself doesn’t draw tons of spam to start with.

When I set up a domain for a small business, I’m often asked to create email addresses like info@exampleSmallBusiness.com and sales@exampleSmallBusiness.com.

They’re short, easy to type, logical email addresses and they are absolute spam magnets.

You’re much better off using an address that’s specific than one that’s generic. For example, if you manufacture outboard motorboat engines, you might want to use something like greatEngines@exampleOutboardMotors.com instead of info@exampleOutboardMotors.com. Including your business name in the address, like outboardMotorInfo@exampleOutboardMotors.com is redundant, but it will vastly reduce the amount of spam sent to you.

Likewise, many individuals want to use a common first or last name at their personal or business domain like john@exampleJohnSmith.com or williams@exampleSmallBusiness.com. Spammers know that.

Within days of registering a new domain for a client, I frequently see attempts to send mail to aaron@exampleNewClient.com, abigail@exampleNewClient.com, adele@exampleNewClient.com, etc., as well as to anderson@exampleNewClient.com, jones@exampleNewClient.com.

Sometimes I also see traffic to aaron1, aaron2, aaron3, and so on.

If your email address follows a formula like first name + last initial or last name + first initial, you’ll still probably get a certain amount of “dictionary attack” spam. But you’ll get much less, and it’s easy to see why: it takes 26 times as long to send mail to aarona@exampleNewClient.com, aaronb@exampleNewClient.com, etc.

When you multiply this by variants like aaron-a, aaron_a, aaron.a, etc. it suddenly takes hundreds of times longer for the spammers to run a dictionary attack. At some point, the law of diminishing returns takes over. If spammers spend a lot of bandwidth and computational resources without generating many valid addresses that accept email, it doesn’t contribute favorably to their profit margins.

Once again, the more unique your address is, the less dictionary-generated spam will be sent to it. Obviously, there’s a lot more leeway for personal addresses than in business addresses. But you may be able to come up with a unique address that’s sufficiently businesslike for your company, like wshelton_photo@exampleSheltonStudios.com.
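The probing described above shows up on the server side as a run of “User unknown” rejections from one relay, and that is easy to spot in the logs. The following is an added example, not the post’s own code: the log lines are constructed to mimic sendmail’s check_rcpt reject format, and the field layout in the regex is an assumption to adapt if your logs differ.

```python
# Added example, not from the post: flag an address-guessing run in
# sendmail-style "User unknown" rejection lines. SAMPLE_LOG is constructed
# to mimic the probing the post describes (aaron, abigail, adele, aaron1...
# all from one relay). The line layout is assumed from sendmail's check_rcpt
# reject format; adjust REJECT_RE if your log differs.
import re
from typing import Dict, List

SAMPLE_LOG = """\
Jun 17 03:10:01 mx sendmail[2101]: k5H7A1aa002101: ruleset=check_rcpt, arg1=<aaron@exampleNewClient.com>, relay=[192.0.2.5], reject=550 5.1.1 <aaron@exampleNewClient.com>... User unknown
Jun 17 03:10:02 mx sendmail[2102]: k5H7A2ab002102: ruleset=check_rcpt, arg1=<abigail@exampleNewClient.com>, relay=[192.0.2.5], reject=550 5.1.1 <abigail@exampleNewClient.com>... User unknown
Jun 17 03:10:02 mx sendmail[2103]: k5H7A2ac002103: ruleset=check_rcpt, arg1=<adele@exampleNewClient.com>, relay=[192.0.2.5], reject=550 5.1.1 <adele@exampleNewClient.com>... User unknown
Jun 17 03:10:03 mx sendmail[2104]: k5H7A3ad002104: ruleset=check_rcpt, arg1=<aaron1@exampleNewClient.com>, relay=[192.0.2.5], reject=550 5.1.1 <aaron1@exampleNewClient.com>... User unknown
Jun 17 03:10:03 mx sendmail[2105]: k5H7A3ae002105: ruleset=check_rcpt, arg1=<aaron2@exampleNewClient.com>, relay=[192.0.2.5], reject=550 5.1.1 <aaron2@exampleNewClient.com>... User unknown
Jun 17 03:11:40 mx sendmail[2110]: k5H7BeAf002110: ruleset=check_rcpt, arg1=<sales@exampleNewClient.com>, relay=[198.51.100.7], reject=550 5.1.1 <sales@exampleNewClient.com>... User unknown
"""

REJECT_RE = re.compile(
    r"relay=(?P<relay>[^,]+), reject=550 5\.1\.1 "
    r"<(?P<user>[^@>]+)@(?P<domain>[^>]+)>\.\.\. User unknown"
)

def unknown_recipients_by_relay(log_text: str) -> Dict[str, List[str]]:
    """Map each relay to the distinct unknown local parts it tried, in arrival order."""
    seen: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        users = seen.setdefault(m.group("relay"), [])
        if m.group("user") not in users:
            users.append(m.group("user"))
    return seen

def looks_like_dictionary(users: List[str], threshold: int) -> bool:
    """Many distinct unknown names from one relay, most of them plain words or
    word+digit variants, is the signature of a dictionary run; formulaic
    addresses with separators (wshelton_photo) do not count as word-like."""
    if len(users) < threshold:
        return False
    wordlike = sum(1 for u in users if re.fullmatch(r"[a-z]+[0-9]*", u))
    return wordlike * 2 >= len(users)  # at least half look generated

def find_dictionary_attacks(log_text: str, threshold: int = 5) -> Dict[str, List[str]]:
    """Relays whose unknown-recipient list looks like a dictionary attack."""
    return {relay: users for relay, users in unknown_recipients_by_relay(log_text).items()
            if looks_like_dictionary(users, threshold)}

if __name__ == "__main__":
    for relay, users in find_dictionary_attacks(SAMPLE_LOG).items():
        print("%s probed %d unknown addresses: %s" % (relay, len(users), ", ".join(users)))
```

Sendmail has a built-in brake for exactly this pattern: the BadRcptThrottle option (confBAD_RCPT_THROTTLE in the .mc file) makes the server sleep after a set number of bad RCPT commands in one session, which slows a dictionary run to a crawl.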

9 Days

May 15th, 2005

On May 6th I created a new email account to use for two mailing lists which don’t protect their archives from address harvesting. The email address in question has been used for nothing else. On May 15th, I got the first barrage of spams to that address:

  • A phishing scam purportedly from eBay, actually from what looks like a Comcast user infested with one or another of the trojans
  • Something allegedly from Blue Solutions JCCF Com with a fairly tangled header chain also passing through a Comcast machine
  • Something allegedly from Star RW Lim. with another header chain implicating Comcast servers, and linking to a spamvertised site in the same domain as the Blue Solutions email. Has attached GIF file that I didn’t open
  • A nearly identical copy of the Star RW mail that did not travel through Comcast machines
  • Another eBay/PayPal phishing message
  • A phishing scam targeting LaSalle bank customers, with bonus JavaScript popup ad code, that appears to originate from a hacked school machine in Wisconsin
  • An ad whose content is apparently in a GIF file that PINE doesn’t display, possibly from conyers dot us

O, yes, it is.

March 25th, 2005

From: Dr Yinka Lawrence Lawrence (a stupid, stupid spammer)
Reply To: Dry Ink Lawrence [maybe he uses a lot of white boards — ed.]
Subject: hello (urgent)
DEAR FRIEND,

REQUEST FOR YOUR CO-OPERATION/ASSISTANCE{PLEASE THIS IS NO SCAM}

So, what’s wrong with this picture? Let’s look at the rule violations, shall we?

  1. If it says it’s “urgent,” it probably ain’t.
  2. If I’m so dear to you, why don’t you know my name?
  3. If it’s in all caps, it’s probably bogus.
    There are a few exceptions — some folks with visual impairments may get the caps lock key stuck. But they’re fairly rare.
  4. This is the biggie. A woman recently told me about being followed down a dark side street by a guy. It was in a good neighborhood, close to her home, and she said she didn’t really think twice about it — until the guy said, “You don’t have to be afraid of me,” at which point, of course, she suddenly was.
    Same deal. When you get legitimate email from family, friends, or business associates there’s no need for the senders to include disclaimers. You know it’s not spam; it’s Uncle Bob. Anything that says it’s not spam (or a scam) almost certainly is.

RE: Where my money?

March 24th, 2005

This arrived with a copy of the Netsky virus the other day:

From: A stupid, stupid spammer
To: [TarantulaHawk]
Subject: Re: Where my money?

Hello!
I have sent money to you yesterday and I don’t know why you haven’t received them yet. I can prove my words by screenshot of my e-gold history page. Look at the attach to the letter. I hope that you won’t have any questions to me?

—– Original Message —–
From: [supposedly the TarantulaHawk]
To: A stupid, stupid spammer
Date: Saturday, March 16, 2005 1:24 AM
Subject: Where my money?

Hi!
You have promised to send money to my e-gold account yesterday. But there is still no money, what’s the matter?

This instantly became one of my all-time faves. I love how obvious it is that the authorial voice of both the email to me and the email supposedly from me is identical. And I’m not completely sure, but I think the virus payload was damaged such that it wouldn’t have gone off even if I’d run the attachment on a Windows box.

But, um, we all know never to do that, right? Right.

Spam subject line of the week

March 24th, 2005

Do You Use Crime Scene Supplies?

Um, no. Not as such.

Lesson 1

March 19th, 2005

The point of this site is to give you some tools to fight spam and spammers.
Our secondary objective is to make you confident that you really are smarter than the enemy.
Our tertiary objective is to have some fun while we do it. And around here, that means making fun of stupid, stupid spammers.
So without further ado, let’s introduce Julie (or possibly Roxanne):

From: Roxanne Eddy
To: [The Tyrannosaur]
Hi, I am Julie from Texas, Alabama. I find design to be so interesting that I decided to put all my life on traveling and experiencing new things…

Well Julie, I sure hope all the traveling helps your grasp of geography.

Be…

March 18th, 2005

…smarter than the enemy.