Fun with 419 spam

If you are a carbon-based, oxygen-breathing mammal with an Internet connection, you’ve undoubtedly received countless 419 scam spams.
In case you’re wondering what I’m talking about, I’m talking about messages coming from people from distant countries with vaguely African-sounding names who have had a close relative or business associate, usually with a high-ranking position, killed under tragic or mysterious circumstances, leaving behind a large amount of money that they now want your help in embezzling or laundering through your U.S. bank account, and in return for your services, they’ll give you a percentage.

And you thought you were the only one who had all these connections to powerful people. Sorry to burst your bubble, Sparky.

What do you do when you get one of these? Some people get irritated and delete them. Some people call me. It usually takes me about 4 seconds to figure out it’s a scam and finish their story (and mine’s usually better, if I do say so myself). Some people write back and mess with them. That takes time and creativity. Unfortunately, my oversupply of creativity is matched only, it seems, by my oversupply of humility and my shortage of time.

What you’re supposed to do (if you’re a U.S. citizen, which I know a good number of you are not) is forward the mail to Include the words NO LOSS. That helps the Feds know who’s doing this. They won’t contact you if you haven’t lost any money. But the key to catching crooks is data. So send ’em data. Typically I’ll paste the full mail headers back into the message as well.

If you’re lazy but want to mess with them, you can use the Business Reply Generator. Plug in the name of the guy who e-mailed you and the details of the letter, and it generates a rambling response. Copy and paste it and send it back to ’em. Some people are afraid of responding because they might get more of this stuff. I doubt it. These aren’t typical spammers who are paid in volume–they only make money if people respond and fall for the scam, which involves advancing money for bribes/expenses/whatever, until they lure the victim into a foreign country where they can kidnap and hold the victim for ransom and get even more money.

So I would think wasting their time is more likely to get you put on a don’t-waste-your-time-with-this-guy list than to get you put on a quick!-fire-up-the-mail-server-we-found-a-working-address list.

If nothing else, the automated reply generator is amusing. Click “more” to read the response it put together for me. I especially like the last sentence, which, the way I read it, means “I’ll post it on my Web site.”

Read more

Spam, spam, spam, spam–how I got less of it

Someday we’ll get a spam filter at work, and the day can’t come soon enough. On Wednesday I got fed up with getting 8-12 messages a day from “Fulfillment Center”–I was much more irate than usual today–so I took a desperate measure.
I dug up the abandoned freeware Windows tool Bounce Spam Mail (search for it with your favorite search engine; there’s no official homepage). As spam came in, I pasted its headers into Bounce Spam Mail and sent back a bounce. Sending back bounces hours later has never been effective for me, but in these instances, I only sent bounces when I was sitting right there when the mail came in. And it seems to have helped a little.

Ultimately, it’s better to have SpamAssassin on the mail server, or install POPFile. I’m stuck with Outlook connected to an Exchange server in corporate workgroup mode at work, and the last I’d checked you couldn’t use POPFile that way. But checking last night, now there’s a way you can, by installing POPFile followed by an add-on called Outclass.

My fake bounces aren’t ideal, but at least they seem to be better than nothing. But I’ll be installing POPFile and Outclass really soon.

Another look at Mozilla’s anti-spam features

I downloaded and installed the most recent Mozilla 1.3 alpha build today (actually from Dec. 12).
For the past few weeks, I’d been using a nightly build I downloaded back in early November. It was buggy, but without assurance that any given night’s build would be any more or less stable than what I already had, I stuck with the familiar.

Initial impressions: The spam filtering still isn’t complete but it works (it just won’t act on the spam it finds–yet). The speed is comparable to anything else I’ve used, and one annoying bug in the mail client is gone. I’ve grown so used to having the spam filtering that I’ll put up with almost anything in order to have it–I get an unbearable amount of spam, and Mozilla quickly identifies it all for me. After a couple of months of using it, I think it’s pretty safe to say only one or two messages per week get past it anymore. I can definitely live with that.

Once when I visited in the browser and clicked on a link, after I hit the back button I got a confusing “The file / can’t be found”. The nightly builds I used previously had the same bug. So far that’s the only one I’ve found, and the workaround is to visit a couple other sites, then go back to the troublesome one.

I’ve only been messing with it for a few hours so I can’t make any sound judgments on its quality. But as an evolutionary, not revolutionary, upgrade from its predecessor, it ought to be fairly stable.

If you’re desperate to get unburied from beneath an avalanche of spam and you’re willing to put up with a few quirks from your Web browser in order to do it, this is the most effective filter I’ve found yet.

These guys want your spam

In case you haven’t heard, the FTC wants you to forward spam to them at But they’re not the only ones who want your spam.
So does Spam Archive. Their goal is to accumulate a nice cross-representative sample of spam, for example, to use in seeding Bayesian filters. It’s taken me about a week to accumulate 146 spam messages and with that sample set, now my Bayesian filter works more often than not. But wouldn’t it be nice to be able to go download an archive of, say, a couple thousand spam messages and seed a Bayesian filter with that?

Some Slashdotters questioned the group’s motives. The admin contact on the site has connections to a commercial anti-spam company. If this is a front for a for-profit company and they benefit from the contributions, I say so what? I’m not one of those “everything should be free” people. I certainly hope they will keep their word and make the spam archive available to all comers. And if they do that, I really couldn’t care less who benefits.

I have seen the future, and it works!

Now appearing nightly, in the nightly Mozilla builds, the Open Source community is very proud to present a very special feature: Naive Bayesian spam filtering!
And you’re probably wondering why I’m excited about something as boring-sounding as that. Don’t worry. I’m no less sane than I was yesterday and I’ll prove it.

Bayes’ Rule is a method of pattern recognition. You tell it what is spam and what isn’t and over time it learns how to recognize what is and isn’t spam. Click here for an explanation of what it is and why it works.

Its main selling point is that when implemented properly and trained thoroughly, Bayesian filtering is very effective at identifying spam and produces nearly zero false positives.

So I excitedly downloaded and ran the Nov. 14 Mozilla nightly build. The filtering doesn’t presently filter, it only marks the messages as spam and non-spam. That’s OK, I can sort them and then zap them myself for a while. I trained it on about 1,400 non-spam messages (I only had a few dozen spams). It doesn’t identify much spam yet, but I’ve had zero false positives. It recognizes my most incessant spammer, the Smartmall Success Group (Kevin Butthead, take your Amway-meets-ecommerce scheme and stick it. I’m much more interested in joining the mafia.) and it’s starting to recognize unsolicited credit card spam.

Spam normally irritates me. Really irritates me. But now it’s a game. I look forward to spam coming in to see if Mozilla recognizes it. And it’s encouraging to watch it learn and get better. I’m going to win this battle. Within a month, I expect that time I waste deleting spam and making sure I didn’t delete anything important will be free for me to do something else with it. Like answer legitimate mail from people I’ve never heard of.

Some people argue this filtering belongs on the server, but not everyone is willing to filter spam on the server. My employer never will (because many of my employer’s departments engage in questionable e-mail practices themselves) and I’d be shocked if my ISP ever did. I can set up my own mail server, but this is a lot easier. It’s probably a lot easier for you too, even if you’re one of the half-dozen or so experienced Unix sysadmins who regularly read these pages.

If you’re like me and you have 1,000+ e-mail messages squirreled away somewhere, and you don’t mind playing with alpha-level code (which you don’t if you’re running Windows, since Microsoft is in the habit of shipping alpha code and charging you hundreds of dollars for the privelige of alpha- and beta-testing it for them), go get this thing. Start training it. And watch the spam go bye-bye.

And if you’re better than me about cleaning out your inbox, get it anyway. It’ll just take you longer to train it.

Spammers must die… And it’s possible their enterprises will. With your help.

Hi. My name is Dave Rhodes.
Sorry, that’s not funny. Remember the good old days, when the closest thing we got to spam was the occasional Dave Rhodes chain letter? (I found a joke about him that I found amusing.)

But something great happened today. Besides finding that joke, I mean. I came up with a foolproof way to make buckets and buckets of money through UNSOCLICITED COMMERCIAL E-MAIL. Now, remember, UCE isn’t spam. Spam’s bad.

Here’s how it works. You don’t have to buy anything from me. I’m not going to sell you a CD-ROM full of three-year-old e-mail addresses harvested by some scriptkiddie’s code. You don’t need it. Making money from UCE doesn’t even require you to send out a single piece of e-mail! Not a one!

Believe it or not, your customers will come to you! About the only thing you have to do to build up your list of victims, I mean clients, is to get an e-mail address, then sit back and wait!

Best of all, this method is safe and completely legal! It hasn’t been approved by the Postmaster General. It does, however, have the blessings of the Federal Trade Commission and the legislatures of 17 U.S. states! (Dave Rhodes ain’t got nothin’ on me!)

Did you know that 17 states have laws regarding unsolicited commercial e-mail? Yes, those 17 states have very strict regulations and requirements. Certain types of spam are illegal in those states. So why don’t spam laws work? Because nobody uses them! And in the end, the loser is you!

You see, when a spammer violates those regulations, you can sue them! One attorney in Washington state sues spammers in small claims court and so far has collected more than $13,000! One Missouri resident, bombarded by unsolicited e-mail from a free webhosting service after he cancelled his account with them, sued in small claims court and received $2,525! That’s $500 per unsolicited message that didn’t meet with Missouri law, plus the spammer even had to pay his court costs of $25!

Just think… That unsolicited e-mail that annoys you could be worth thousands! But in order to cash in, you have to be, you know, in the know (wink wink), if you know what I mean. What’s that information worth to you? A hundred bucks? Two-fifty?

Who cares! Go to and check to see what your state’s laws on spam are. It’s free. You don’t even have to tell ’em I sent you. It won’t do any good to tell ’em I sent you anyway, because they don’t know me from Adam.

Man. I ought to be in infomercials. I sure know how to use italics and exclamation points. Though most of these creeps think quotation marks are for emphasis. That’s one of my biggest pet peeves.

Someone else e-mailed me at work and sent me a link to a link to a link that led me to this Brian Livingston column, which eventually led me to, where I learned that 17 states have anti-spam laws on the books. I looked into the laws, which are printed on the site. Surprisingly, Missouri is one of the more enlightened states. If a spammer sends e-mail to Missouri and fails to include an opt-out e-mail address or 800 number, you can sue the spammer for 500 smackers.

Most spammers include an opt-out Web page. That complies with the spirit of Missouri law, but not the letter of it. Maybe someone pointed out to lawmakers that it’s harder to implement an e-mail opt-out than a Web page opt-out. Who knows. The law is a stroke of genius, whether by design or accident. I don’t know if that’ll hold up in court, because that really is a technicality. But a lot of spam doesn’t provide any opt-out at all, which means they have no defense whatsoever.

This got me thinking. I get tons of spam. I might have $3,000 worth of spam in my inbox just from this week. I probably ought to check. I could make a decent living suing spammers until the laws change.

And this got me thinking some more. Who cares if 55 people buy stuff when they send out 100,000 messages? Fancy this possibility: What if every time a spammer sent out 100,000 messages, 55 of the recipients sued? The number of sales is irrelevant when you’re faced with that many lawsuits. And let’s face it. Most spammers are idiots trying to get rich quick working out of a spare bedroom. They don’t have a lot of resources. I know the type of individual who tries this crap because I’m related to one. (Fortunately for the world, there’s probably not enough left in his head for him to be able to operate a computer these days. But I’m pretty sure if he had my phone number he’d be calling me, asking me to hook him up. Don’t worry. If he ever gets my phone number, I’m changing it the next day.) This type of person is not well-equipped to handle a few dozen separate lawsuits, especially a few dozen lawsuits outside his home state. And he’s dead meat if multiple suits in different states happen to end up landing on the same court date, since generally if you’re not present you lose by default.

It makes no sense to fight a Missouri lawsuit. Unless you live in the same county as the plaintiff, you’ll probably spend more than $500 to defend yourself, and judges aren’t very sympathetic to the plight of a spammer because so many of them are con artists anyway. It’s much cheaper to just settle. The nature of the spammer is to just ignore it, which of course becomes even more costly. Getting on the wrong side of a judge is a lot more dangerous than getting on the wrong side of an ISP.

So, here’s what you and I need to start doing to really make a difference. Spam filters mostly work, yes, but why should we bother with that when we can sue the lowlives out of business and pick up a little extra cash? And no, my libertarian tendencies are against a federal anti-spam law, because it’s much harder to comply with 17 states’ varying laws than it is with one Federal law, which would probably be watered down anyway. And if more of the remaining 33 put laws on the books, it’ll be even tougher to comply. That would be a very good thing. Wouldn’t it be absolutely fantabulous if some state required a toll-free opt-out number? That would significantly raise the cost of doing business…

The Missouri law is good in that someone can make a lot of money by suing people who don’t comply, but the people who do comply can simply disregard the opt-out stuff. I’ve seen spammers use 800 opt-out numbers. I’ve even called. It’s funny how they never pick up the phone. Missouri laws will drive the less-crafty spammers out of business if enough people use them, but it’s the Washington laws that’ll really hurt. They’re stricter still. In Washington, the state holds the opt-out list, and if you spam an account on that opt-out list, you’re lawsuit bait. Period. And apparently, a printout of the e-mail is sufficient evidence. Sounds like some influential guy in Washington really doesn’t like spam.

The difficult part is tracking down the spammer so you can sue them. There’s a nice primer on decoding mail headers here and some more information here.

I know. It’s my journalistic responsibility to go nail one of these creeps and step you through the process. (And get 500 bucks to boot.) Maybe this weekend I’ll start walking down that road. Tracking down a physical address from a mail header so I can slap a guy with a lawsuit in St. Louis County ought to be interesting. But we journalists have ways of tracking down people who don’t want to be tracked down.

And then there’s this. Go here to read about a guy who set up a Paypal account, sent threatening notes to 15 spammers, and netted 300 bucks in 10 minutes. And his page makes it sound like you can go to a state with tougher spam laws and sue them there if you wish. Strange. You can sue somewhere other than in your hometown? Looks like I need the services of an attorney.

There’s a certain poetic justice to the idea that you can make more money off a spammer’s mass e-mailing than the spammer makes, isn’t there? I think we can fight and win this war.

WordPress Appliance - Powered by TurnKey Linux