[sf-lug] spam vs. anti-spam

Michael Paoli Michael.Paoli at cal.berkeley.edu
Tue May 11 00:16:33 PDT 2021


> From: "Rick Moen" <rick at linuxmafia.com>
> Subject: Re: [sf-lug] spam vs. anti-spam
> Date: Fri, 7 May 2021 17:09:49 -0700

> Quoting Akkana Peck (akkana at shallowsky.com):
>
>> Oh, wow. Is that why I keep getting mail from services like paypal
>> (and other real services) for someone with an obviously autogenerated
>> realname, but my email address? I've never been able to figure out
>> what possible good that would do spammers, since the owner of the
>> email address obviously isn't going to confirm it.

Yeah, there are massive armies of spambots ... and though often rather to
quite capable, at the same time they're often pretty stupid too.  E.g.
often where they think they can leverage their spamvertising - via
email, or web, by exploiting something on web ... even when that use on
web gets them nothing other than burning resources - no email sent, no
web pages changed - sometimes the bots are too stupid to realize that
... and not only waste the spambots' resources (yea!?), but also burn a
lot of resources on innocent servers (e.g. like wedging BALUG.org as it
once was in past, to the point of unresponsive and requiring a reboot
to recover).

They'll often also continue to exploit if they can get their
message/text out in any form anywhere - e.g. even if they change the
"Full Name" on a From: header but can't change the email, e.g.:
From: "http://Get-Rich-Quick.example.com/" <legit_sending_site_email>
To: some_target_email

And body contents they can't change/control ... or can only change part
of that text - like the "Full Name" from the email addresses, e.g.:
Dear http://Get-Rich-Quick.example.com/,
text the spammer can't change or control...
Or even:
Dear http://Get-Rich-Quick.example.com/ - please ignore the text that
follows this as we're having a problem with our software at the moment,

> Not sure.  I've also seen a lot of the other combination, UCE and other
> junk that cites real-to-recipients and relevant realnames, but
> associated with junk, throwaway e-mail addresses.  One thing is
> apparent, though, a lot of this noise traffic relies on massive capture
> of who-communicates-with-whom data (probably much of it harvested on
> virus-infected MS-Windows desktop boxes) that then is fed through a
> humungous Bayesian classifier program that cranks out plausible
> names/addresses who might credibly be claimed to be known contacts /
> correspondents for other names/addresses.

Yes, very much that - the harvesting of email addresses and "Full Name"
from compromised Windows Boxen or the like.  So many of those may be
From: a forged email address To: a recipient, where they've exchanged
email before ... increasing the probability the recipient will
read/open the email, and egad, click on something within, recipient
presuming it actually came from who appears in the (forged)
From: header.  Basically phishing ...  or a bit more towards spear
phishing (spear phishing essentially being a much more crafted/targeted
selectively used phishing ... using From: and To: that have existing
relationship, is just somewhere along the continuum between those two).

E.g. spam I've received - and likely even still receive (but probably
well below the threshold I even look at it or even see Subject: etc.),
an ex-friend (only one of those I have, but that person quite "earned"
it - but that's another story).  Well, I'd get spam, forged from them,
and CCed to ... every bloody damn person that was quite obviously in
their address book(s) / contact list(s) - yeah, I don't otherwise know
or have any association with any of those other folks, don't know their
emails, etc., don't know most of their names ... but some I very much
recognize as, oh, friend or family member, or coworker or other
associate, etc. of the ex-friend.  Yeah, some spammer got all that
contact information and details from ex-friend.  So, may have been
compromised Windows Boxen.  I think another way it happens, many
(dis-)"service"s, e.g. Facebook, have an option like "upload all your
contacts" (usually along with we pinky promise not to abuse or lose it)
- often they even have the user feed such "service" their login and
password(!) to, e.g. gmail, or wherever they have all this contact
data, so the "service" can suck that all out.  And, so it can then make
it also "convenient" for the user to use such "service" to, well,
contact their contacts with the "service", but the "service" can also
tell the user, "hey, so-and-so you know is also using our service here
and their account name here is <whatever> - contact them by" ...
because the "service" found a match by email address, as it uses that
for login or requires user to provide (and often validate) their email
address.  What could go wrong?  Well, in addition to all the obvious
direct abuse potentials, often these sites/"service"s end up
compromised/cracked/hacked, yet another data breach, and ... yup,
spammers got it now too, of course.  And of course they leverage it.
So ... I think it's a mix of compromised Windows Boxen and the like,
and users naively providing all their contacts information (and often
even the user's login and password to access all that information) to
some "service" ... and that data ends up subsequently
compromised/leaked.

Egad ex-friend ... tell you another 'lil story.  So, that person
actually worked in IT(-related) area/field ... not particularly
competently, but, whatever. Anyway, once upon a time, they were
complaining about problems on their laptop computer.  So, I had a
little peek.  Well, their web browser, I kid you not, the damn thing
was so bloody overloaded with random generally crud 3rd party plug-in
toolbars that, with the web browser in full-screen mode, only about 1/3
of the screen remained for actual web content.  Well over 1/3 of the screen
was damn bloody toolbars from all kinds of random 3rd party stuff of
mostly dubious or worse use and quality.  Ugh.  To say I was shocked
and appalled would be a bit of an understatement.  And, as one might guess,
this person very repeatedly failed to follow my good sound advice and
that of many (and any) other competent tech folks ... Dunning-Kruger
Effect?  They also fancied themselves to be a computer/tech security
expert and thought they ought to write a book on that 'cause, to their
mind, they knew so much more about it than all those 'so called
experts' - I sh*t you not.  Anyway, they basically screwed themselves
over - and many others too ... so, over time got downgraded to charity
case ... and eventually ex-friend (I'll spare y'all the details).
Sometimes stupid (or crazy, or whatever) can't be fixed.

> E.g., I've seen more-modern spam and phishing e-mails that obviously
> were designed to target known fellow members/posters on private mailing
> lists, by forging sender IDs to simulate one member/poster and try to
> fool a different one.  Under the circumstances, the most plausible way
> for them (the criminals) to have gotten that data was for one or more
> subscriber to have been operating on a virus-beset Windoze box.  (And,
> as a reminder, these campaigns are in general 100% software-run and
> generated, spun out by some big perl script in Eastern Europe.  The
> notion of victims being personally targeted by master criminals is
> unrealistic.  Spammers and scammers automate to the greatest possible
> degree.)

Yeah, I've seen a fair bit 'o spam that attempts to do some
list-related spoofing - thus far none that seems quite "smart" enough
to mostly make it through as legitimate - i.e. most of the typical
anti-spam and typical list behavior currently seems enough to stop most
(if not nearly all or all) of that.

>> But maybe they could use it to test whether my email address is live
>
> Certainly, there is a _lot_ of probing of e-mail targets, SMS targets,
> landlines, and cellular lines just to log into a database 'this can be
> used to reach a warm body on Fridays around 5pm local'.  Because those
> are higher-value, higher-priority targets once validated to have a warm
> body in attendance.

I'm sure many spammers do stuff to quite track which email addresses
are "live" - or at least deliverable or accepted the email ... and
which actually generated a human (or human-like) response - e.g. used a
tracked link in the email.

And ... for better and/or worse, many armies of spambots aren't
coordinated.  They effectively compete.  So, once one spambot has
figured something out, there are thousands or more that haven't yet
figured that out ... like that particular attempt is just burning
spambot resources, or such-and-such email accepts, such-and-such is
rejected, and such-and-such got a "live" response.  Because, yeah, the
next spambot generally has no clue what the others already figured out.
And ... a lot of their operations are so huge (and, dang it,
profitable), they just don't care - they keep trying, as a lot of
inefficiencies aren't a big deal to them.
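As an added example (not from the list thread), this is how a site that sends confirmation mail could refuse to echo a "Full Name" field that is really a URL or a whole sentence, the trick described above; the sample From: header and names are constructed for the demo.

```python
import re
from email.utils import parseaddr

# Patterns that betray a URL or bare domain smuggled into a "Full Name" field.
# Constructed for this example; tune the TLD list and length limit for your site.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
DOMAIN_RE = re.compile(r"(?i)\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|info|biz)\b")
MAX_NAME_LEN = 60  # real names are short; "please ignore the text that follows..." is not


def name_rejection_reason(name):
    """Return None if the name looks like a human name, else a short reason."""
    name = name.strip()
    if not name:
        return None  # empty is harmless here; the form's own required-field check handles it
    if len(name) > MAX_NAME_LEN:
        return "too long for a real name"
    if URL_RE.search(name) or DOMAIN_RE.search(name):
        return "contains a URL or domain"
    if "/" in name or "@" in name:
        return "contains URL-like punctuation"
    return None


def check_from_header(raw_from):
    """Parse a From: header (with or without the 'From:' label) and vet its display name."""
    value = raw_from.split(":", 1)[1] if raw_from.lower().startswith("from:") else raw_from
    display, addr = parseaddr(value.strip())
    return {"display": display, "addr": addr, "reason": name_rejection_reason(display)}


def safe_greeting(name):
    """Build the 'Dear ...,' line of an outbound mail without echoing a rejected name."""
    return "Dear customer," if name_rejection_reason(name) else f"Dear {name},"


if __name__ == "__main__":
    # Constructed samples: the spamvertising pattern from the thread and a legitimate sender.
    for hdr in ('From: "http://Get-Rich-Quick.example.com/" <noreply@example.com>',
                'From: "Akkana Peck" <akkana@example.com>'):
        print(check_from_header(hdr))
    print(safe_greeting("www.example.com"))
```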