419ing the 419er: In Which a Nigerian Scam Artist is Scammed

Is there anyone here who hasn't been at least a little curious at one time or another - what would happen if someone actually responded to one of the Nigerian 419 scam emails - you know, the ones where the spammer contacts you claiming to represent the fortunes of a deposed ruler, of a deceased distant relative of your own, or of their own dearly departed? What would happen if you actually came out to play? Well, one person found out recently, responding "just to see", and before you could say "Miriam Abacha", he found himself $39,000 richer - for a while. Read how here.

Curiouser and curiouser – Scott Richter RejectedRealBig by Ironport’s Bonded Sender Program

From the "things which make you go hmmmm...." department, it turns out that Scott "I am a legitimate businessman who is also the King of Spam" Richter, who is suing Ironport Systems over their listing of his IP addresses in their SpamCop anti-spam database, also applied to participate in Ironport's Bonded Sender Program, which was today announced as being implemented by Microsoft, and was roundly rejected. This was reported by InformationWeek. Richter is almost certainly in a position to provide whatever bond Ironport may demand to participate in their Bonded Sender Program, so their rejection of his request to participate is unlikely to be a case of "he wouldn't pay the size of the bond we deemed necessary for someone with his spamming history." This adds an interesting dimension to Richter's lawsuit against Ironport, as he may be able to allege that Ironport is functioning as a gatekeeper to the Internet - or certainly, given Microsoft's announcement today, to a substantial portion of it. Not only are they facilitating the blocking of his email (and most likely rightly so), but they won't give him any remedy for the email which he is prepared to bond to prove it is legitimate and wanted. Furthermore, he can claim that even if he wants to go completely legitimate, he is being kept from going legitimate, because he is being prohibited from participating in programs which would allow him to rehabilitate his image (or at least his IP addresses), and to get any legitimate mail delivered. And hey, if someone really cares about stopping spam, and cares about wanted email getting through, then what more perfect set up than providing both the stick to use against the spam, and the carrot to facilitate good email getting delivered - why not let Richter pay handsomely to get his legitimate mail through (if there is any) while causing all of his spam to be blocked?
If all of these things are, in fact, the case, then the question which is begged is this: should any one (or two) entities have the power to keep someone from sending any email at all, even completely legitimate email, to a significant sector of the Internet? If Microsoft is indeed going to only accept bulk mail which comes from a Bonded Sender listed IP address, and Ironport is going to refuse to allow certain senders to list themselves with Bonded Sender even with the money guarantee that only legitimate mail will be sent through those IP addresses, then ... well ... we're back to our old friend Aunty Trust. Of course, if this is the case, Microsoft's MSN and Hotmail users will probably bail to other, less megalomaniacal and more reasonable ISPs, and the whole thing will become moot.

Microsoft and Ironport’s Bonded Sender: Good Sense, or Unholy Alliance?

The industry is abuzz with today's announcement by Microsoft that they are "implementing Ironport's Bonded Sender program" - whatever that means. For those of you not familiar, Bonded Sender is one of the whitelists out there - bulk email senders can post a bond to guarantee that the email they send is not spam, and get their IP addresses listed in the Bonded Sender database. If they then send spam from those IP addresses, their bond can be debited for the infraction. This way receiving systems such as ISPs (such as Microsoft) can accept that email and know with some certainty that it is wanted email, and not spam. (As an aside, given that this site is sponsored by ISIPP, I'd be remiss if I didn't mention that ISIPP's Accreditation Database, "IADB", another list of IP addresses which allows email recipients to check on the background of a sender, also tells the receiving system whether someone participates in Bonded Sender, along with a host of other useful information unique to IADB. Meaning that MS, and anyone else, can get that same information, and much more, with a lookup to IADB. And for free. http://www.isipp.com/iadb.php) But I digress. There are, of course, any number of things that "we are implementing Ironport's Bonded Sender program" could mean. Does it mean that they are going to only accept bulk email if it comes through an IP address listed in the Bonded Sender database? That would be a huge mistake, and while it would put the hurt on bulk mailers in the short term, in the end it would likely backfire, and cause MS to lose lots of users - users who can no longer get mailing list email they want because the sender won't kowtow to the MS/Ironport triumvirate (you figure out who the third party is). One might even imagine that there could be the possibility of anti-trust raising its ugly head, if we didn't know that Microsoft would never... 
Or does it mean, as some industry insiders speculate, that MS is about to acquire Ironport, lock, stock, and Bonded Sender? That makes a lot more sense than some might think, even though this move did raise Ironport's bank, particularly as the founder of Ironport was some single-digit-numbered employee at Hotmail. There is definitely already an MS/Ironport bond (no pun intended), and this may well turn into the Microport Bonded Blender program. Then again, perhaps it means that MS has been throwing away a lot of email babies with their spam bathwater, and, much as in the inimitable way in which they "announce" a security patch as a big deal without actually first announcing the problem which they created in the first place which the patch is supposed to fix, this announcement is nothing more than "we're going to use Bonded Sender so that we stop throwing away good email which our users actually want." Or, is this just one more text-based photo-op for Microsoft, sending out yet one more press release which, once the world really understands what it means, will lead to a collective "so what?", not unlike their huge announcement recently that they had sued some spammers along with AOL, Earthlink, and Yahoo - that release amounting to "hey, we're still doing what we said we'd be doing three months ago", with a collective response which was indeed "so what?". So, you decide: Microsoft and Bonded Sender - good sense, or an unholy alliance?

Dear Aunty Spam: Spam with No Unsubscribe Link – What to Do?

Dear Aunty Spam,

I am getting a LOT of spam that doesn't give you the option to unsubscribe. Is there anything I can do about it, with the new laws that are effective now?

Kim

---

Dear Kim,

Aunty is very sorry to hear that you are getting spam from people who are so rude as to not include an unsubscribe link, let alone a functioning one. It is so unmannered and impolite, that even though I like to think myself a gentle and moderate soul, it really gets my dander up. Why, it causes me to think that there should be even stricter laws against spam, ones where the penalty is "use a spam, get the chair"! But that doesn't help you right now.

The law is indeed that there must be clear, functioning unsubscribe links in commercial email, especially mailing list mail. However, as we all know, if spam is outlawed, only outlaws will use spam. So what's a gentle reader such as yourself to do? Complain.

The first place to which you should complain is the Federal Trade Commission. They are the primary agency vested with enforcement of the new Federal CAN-SPAM anti-spam law. They want your spam. They love your spam. They have a refrigerator full of spam. So forward your spam to uce@ftc.gov.

And in case you haven't read all of Aunty's previous columns (and really, you should), let me remind you that address harvesting - the act of taking an email address from a web page such as, oh, say, this one - is illegal. But I'd sure like to see some spammer harvest the email address uce@ftc.gov and send spam to uce@ftc.gov because that would mean that when the spam went to uce@ftc.gov the FTC could really nail them for harvesting the address uce@ftc.gov and sending spam to uce@ftc.gov.

P.S. --->>uce@ftc.gov<<---harvest here

After sending your spam to the FTC, if you are feeling really motivated, you can read the fine print in the spam's header information to determine from where the spam really originated, and complain to the ISP who is hosting the spammer. That may get the spammer's Internet access turned off.

Next, you can contact your State Attorney General's office to find out with whom you can file a complaint at your state level, because CAN-SPAM allows State Attorneys General to sue spammers who violate CAN-SPAM. In fact, your ISP can sue them too.

Finally, once you have done some or all of these things, delete the spam, and be grateful for small favours - such as the fact that the spam did not contain a bogus unsubscribe link, which when you clicked it, rather than unsubscribing you, alerted the spammer to the fact that they had a warm body at the other end of the line. And for goodness sake, get a better spam filter!

Kissy kissy,
Aunty Spam
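Reading the header "fine print" mentioned in the reply above comes down to trusting only the Received lines written by your own provider's servers, since everything below them can be forged by the sender. The sketch below is an added example, not code from the original column; the hostnames, IP addresses (documentation ranges) and the sample message are constructed, and `ownHosts`/`ownIps` are assumed to be the mail servers of your own ISP.

```javascript
// Added example. Hostnames, IPs (RFC 5737 ranges) and headers are constructed.
const SAMPLE_HEADERS = [
  "Received: from mx1.myisp.example (mx1.myisp.example [192.0.2.10])",
  "\tby mailstore.myisp.example with ESMTP id A1; Mon, 3 May 2004 10:00:02 -0700",
  "Received: from mail.shop.example (unknown [203.0.113.45])",
  "\tby mx1.myisp.example with SMTP id B2; Mon, 3 May 2004 10:00:01 -0700",
  "Received: from internal.shop.example ([198.51.100.7])",
  "\tby mail.shop.example; Mon, 3 May 2004 09:59:00 -0700",
  'From: "Shop" <offers@shop.example>',
  "Subject: Act now",
  "",
  "body text",
].join("\r\n");

// Return the Received header values, newest first, with folded lines rejoined.
function receivedHeaders(rawMessage) {
  const headerBlock = rawMessage.split(/\r?\n\r?\n/)[0];
  return headerBlock
    .replace(/\r?\n[ \t]+/g, " ")
    .split(/\r?\n/)
    .filter((line) => /^received:/i.test(line))
    .map((line) => line.slice(line.indexOf(":") + 1).trim());
}

// Extract who wrote the header ("by"), the name the peer claimed ("from"),
// and the peer IP the writing server recorded in square brackets.
function parseReceived(value) {
  const by = /\bby\s+([A-Za-z0-9.-]+)/i.exec(value);
  const ip = /\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]/.exec(value);
  const from = /^from\s+(\S+)/i.exec(value);
  return {
    by: by ? by[1].toLowerCase() : null,
    ip: ip ? ip[1] : null,
    claimedName: from ? from[1] : null,
  };
}

// Walk down from the newest header. Stop at the first hop where one of our
// own servers recorded an outside IP: that is the address to report.
// Headers below that point were supplied by the sender and are not consulted.
function traceOrigin(rawMessage, ownHosts, ownIps) {
  const hosts = new Set(ownHosts.map((h) => h.toLowerCase()));
  const ips = new Set(ownIps);
  const hops = receivedHeaders(rawMessage).map(parseReceived);
  let i = 0;
  for (; i < hops.length; i++) {
    const hop = hops[i];
    if (!hop.by || !hosts.has(hop.by)) break; // not written by us: stop
    if (!hop.ip || ips.has(hop.ip)) continue; // internal relay step
    return {
      reportIp: hop.ip,
      claimedName: hop.claimedName,
      untrustedBelow: hops.length - i - 1,
    };
  }
  return { reportIp: null, claimedName: null, untrustedBelow: hops.length - i };
}
```

The `reportIp` value is what you look up to find the hosting ISP's abuse contact; `claimedName` is only what the sending machine said about itself.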

Dear Aunty Spam: Love/Hate Relationship with WinXP SP1

Dear Aunty Spam,

Time and again I have heard and read that after one installs WinXP SP1, there is a 20% to 40% chance it will damage your computer in one way or another. I did install SP1 in my computer and it crashed. I had to use a floppy to get it started, and then I ran System Restore. It worked, but I am still out SP1, and it seems that SP1 is important to install. So, now what? I really like your blog. I've learned a lot from it. Thanks!

Matthew

---

Dear Matthew,

Thank you for your kind words! Even though Aunty is not a Windows expert, but rather a spam expert, your lovely note moved me to do some research on your behalf.

The WinXP SP1 (Service Pack 1) was released in September of 2002. Aunty hopes that you have only recently installed your WinXP, and that you haven't been having unprotected WinXP for a year and a half! Shortly after the release of WinXP SP1, users started to complain that SP1 was making their computers run extremely slowly; many others complained that their systems started crashing, or refused to start at all, after installing SP1. So take heart, dear Matthew, you are not alone.

Fortunately for those of you who are unlucky enough to have an XP system which doesn't play nice with SP1, Steve Gibson of Gibson Research developed XPdite, which patches the most horrific of the security holes which are supposed to be patched by SP1, without the nasty crashes. You can check out XPdite at http://grc.com/xpdite/xpdite.htm

Now, go forth and patch your holes, and for gosh sakes make sure that you wear clean underwear in case you get into another accident!

Kissy kissy,
Aunty Spam

New Sasser Virus Worm Attacks Windows Computers

The newest of the sinister worm types of viruses, Sasser, has attacked Windows-based computers around the world. Even more insidious than its earlier siblings, Sasser scans the Internet for computers with the Microsoft security flaw which allows it to do its dirty work, and then Sasser installs a copy of itself there. And Sasser does not need the user to activate it by opening an email attachment, running a program, or anything else like that. It arrives and runs all by itself! Microsoft announced the security hole in the Local Security Authority Subsystem Service, and an update, last month, but many computers still have not been upgraded. Users can get more information about the Microsoft security hole and fix at: http://www.microsoft.com/technet/security/CurrentDL.aspx Just one more reason why Aunty is happy to be using only OSX and other flavours of *nix and BSD.

Dear Aunty Spam: Is the FTC Going to Come After Me?

Dear Aunty Spam,

I just read how the FTC has filed lawsuits against two different groups of email senders (spammers). If these really are spammers, more power to them! But I also read about how a private ISP sued Bob Vila! The man who does "This old house"! Some of my friends have even started putting their home mailing addresses in all of their email, because they say that a new federal spam law, called "CAN-SPAM", requires it! Is this right? Do I have to start putting my home mailing address in all my email? Is the FTC going to come after me if I don't? Can I be sued by an ISP if they don't like the email I send? Help! I only use email to talk to my family, friends, and online buddies, and I don't really want to tell everyone my home address!

Signed,
Worried Average User

---

Dear Worried,

The CAN-SPAM Act of 2003, which is the new Federal anti-spam (not to be confused with Aunty Spam!) law, only applies to commercial email. It does not apply to the private, personal email which you send (unless, of course, your private, personal email is sent for a commercial purpose, in which case you do need to be careful to comply with the CAN-SPAM Act. But that's another question for another day.)

Generally speaking, if you use email only for personal use, and especially if you do not run any email mailing lists, then you don't have to worry about the provisions of CAN-SPAM. Similarly, nobody, including the FTC or an ISP, can use the CAN-SPAM act to sue you just because they don't like your email (but this does make Aunty wonder what kind of email you are sending!) You have to have violated the CAN-SPAM law, of which you are in no danger if the email you send is not commercial.

So relax, write to your friends and online buddies all that you want, and remember, practice safe spam-filtering!

Kissy kissy,
Aunty Spam

Questions may be submitted to Aunty Spam by sending email to "aunty at aunty-spam.com".

Dog eat Dog: Scott Richter’s OptInRealBig Sues SpamCop

In a move which surprised many, but others not at all, Scott "I am a legitimate businessman" Richter, and his Evil Twin Scott "I am the King of Spam" Richter, of OptInRealBig, sued SpamCop and Ironport over a recent SpamCop listing of OptInRealBig. Ironport, manufacturers of the Ironport email sending appliance, and providers of the Bonded Sender service, recently purchased SpamCop for an undisclosed sum of money. In the lawsuit Richter, himself a defendant in a lawsuit by New York State Attorney General Eliot Spitzer, for ..gosh...whodda thunk it...spamming, accuses SpamCop of interfering with OptInRealBig's contracts and their potential revenue, and of defamation for calling a spammer, well, a spammer, and reporting them to their ISP, leading to their ISP cutting off their Internet access. The amount of damages alleged, "not less than $150,000" according to the complaint, is but a drop in the Kentucky Fried Chicken bucket compared to the amounts which Richter has claimed to pull in for even a single month's worth of his high volume email deployment services. Yet Richter complains that the issues with SpamCop started in 2003, meaning that the issue has been going on for at least 4 months (and, let's face it, probably much longer), and yet then goes on to ask for injunctive relief, which is, particularly at the TRO stage, to be granted only if the plaintiff would suffer irreparable harm if the defendant wasn't forced to stop the offending behaviour immediately. So, let's see, the "issue" which OptInRealBig has with SpamCop has been going on for at least 4 months, but has cost Richter only a tiny fraction of his substantial income from spamm..er...emailing, and yet all of a sudden now he complains about it, and right now, today, he needs injunctive relief. Something doesn't smell right in Denmark. Could it be that Richter needs to Lose Money Fast because he made so much money sending millions of pieces of spam per month that he Added 6 Inches to his tax bracket?
Or perhaps he simply wants to Fire His Boss, and to Work From Home, and sees Ironport's recent multi-million-dollar infusion of VC cash as a quick way to achieve that end. Or, who knows, maybe he'll surprise us all, and show us that he's as educated and savvy about the legal system as he is about the female anatomy, and that he can demonstrate to a judge or jury that he's a clean, opt-in emailer just as easily as he can find a woman's clitoris. On the other hand, between Attorney General Spitzer's lawsuit against Richter, and the amount of perjury which would likely be necessary to make the suit against SpamCop stand half a chance, perhaps he'll just DoTimeRealBig.

Dear Aunty Spam: What is Website “Address Harvesting”, and How Can I Prevent It?

Dear Aunty Spam,

What is website "address harvesting", and how can I prevent it?

Signed,
Ima Webmaster

---

Dear Ima,

The term "address harvesting", in this context, refers to the unsavoury practice of finding and copying email addresses from the pages of websites. You know all of those lovely "contact us" webpages which everyone has? Well, spammers just love to pick those tasty little ripe email addresses from the orchard of your website.

The recently enacted CAN-SPAM act of 2003 makes it illegal to send spam to email addresses which have been harvested, and provides for enhanced sentencing (would you like fries with that?) for a spamming defendant who is found guilty of address harvesting. But, like that's going to stop it from happening.

So here are a few tips, dear Ima, which will allow users to contact you through your website, while not allowing your email address to fall into the wrong hands:

1. Use javascript to create your email address ad hoc, when the user runs the script in order to submit mail to you.
2. Use some form of mailform (cgi, php, etc.), but be wary of versions which have security issues.
3. Provide an html form through which users can contact you, as an alternative to email.
4. Alter your email address on your website to make it unreadable by machines, such as substituting the word "at" for "@", adding a character string to the email address which you instruct the user to remove, or writing it in Klingon with a pointer to an online Klingon dictionary.
5. Display the email address as a graphic, rather than text.

There is a wealth of information about each of these methods available on the web. Good luck, and remember, practice safe spam-filtering!

Kissy kissy,
Aunty Spam

Questions may be submitted to Aunty Spam by sending email to "auntyspam at slamaspammer.com".
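Tips 1 and 3 combined, as an added example that is not code from the original column: the served HTML carries only shifted character codes and a link to a contact form, and the address is assembled in the browser when the visitor clicks. The `data-u`/`data-d` attributes, the `SHIFT` constant, the `/contact` URL and the sample address are assumptions made for the illustration, and `findExposedAddresses` is a hypothetical helper for auditing your own pages.

```javascript
// Added example: names, markup and the sample address are constructed.
const SHIFT = 7; // offset added to each character code; obscurity, not encryption

// Encode one half of the address as shifted character codes, e.g. "ab" -> "104-105".
function encodePart(text) {
  return Array.from(text, (ch) => ch.charCodeAt(0) + SHIFT).join("-");
}

function decodePart(encoded) {
  return encoded
    .split("-")
    .map((code) => String.fromCharCode(Number(code) - SHIFT))
    .join("");
}

function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;");
}

// Build the static HTML served to everyone. The address never appears in it;
// visitors without JavaScript still reach the contact form (tip 3).
function renderContactMarkup(address, formUrl) {
  const at = address.lastIndexOf("@");
  if (at < 1 || at === address.length - 1) {
    throw new Error("not a user@domain address");
  }
  const user = encodePart(address.slice(0, at));
  const domain = encodePart(address.slice(at + 1));
  return (
    `<a class="contact" href="${escapeAttr(formUrl)}" ` +
    `data-u="${user}" data-d="${domain}">Contact us</a>`
  );
}

// Runs in the browser: assemble the address only when the visitor clicks (tip 1).
function activateContactLinks(doc) {
  for (const link of doc.querySelectorAll("a.contact[data-u][data-d]")) {
    link.addEventListener("click", (event) => {
      event.preventDefault();
      const addr = decodePart(link.dataset.u) + "@" + decodePart(link.dataset.d);
      doc.defaultView.location.href = "mailto:" + addr;
    });
  }
}

// Audit helper for your own pages: list anything in the served HTML that
// reads as an address to a plain text match (literal, mailto:, or "at"/"dot").
function findExposedAddresses(html) {
  const patterns = [
    /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,
    /[A-Za-z0-9._%+-]+\s+(?:at|\[at\])\s+[A-Za-z0-9-]+(?:\.|\s+dot\s+)[A-Za-z]{2,}/gi,
  ];
  return patterns.flatMap((re) => html.match(re) || []);
}

if (typeof document !== "undefined") {
  activateContactLinks(document);
}
```

A harvester that executes scripts or knows the encoding can still recover the address, so this raises the cost of scraping rather than preventing it.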

Spam Filtering and Your Duty to Your Users

Spam filtering has always been a hot topic around the IT water cooler. The question most frequently asked is "how". But increasingly, a question which needs to be asked is "whether", followed closely by "how not" in addition to "how". (If you're still back at "why?" then a) I want to know how you are reading this as you clearly don't spend much time on the Internet, and b) I want to meet the person who administers your anti-spam system.)

The bottom line here is your duty to your users. Sure, users want to see less spam in their inbox. But they really don't want to see legitimate mail end up in the spam folder, which is second only to their not wanting to see mail which they are expecting vanish into a black hole. More than a passing whim, however, your users rely on you to make sure that their legitimate email gets delivered. To them. In their inbox. A legitimate email occasionally ending up in the spam folder is forgivable; possibly even acceptable. But legitimate email completely vanishing is not.

Amazingly, many spam filters being used in a user environment today are configured to simply discard certain types of email which the system determines to be spam. Not flags. Not filters. Discards. Aside from the issue of economics (and that really is only a side issue here), that is not unlike the USPS deciding to throw away your Victoria's Secret catalog rather than letting you decide whether or not you want to read it (yes, there is also text in those catalogues). Worse, in the case of wanted, legitimate email which is erroneously discarded by overzealous spam filters, it is akin to the USPS throwing away your tax return because it comes in a windowed envelope, and everyone knows that only junk mail (and bills) comes in those envelopes.

The bottom line is, just as the USPS cannot choose to discard, rather than deliver, your mail, neither should you make such a decision for your users. If you must discard email addressed to your users before they ever see it, then at the very least you should - no, must - advise them up front as to what processes of elimination you are using. I am personally aware of a site which lost their domain due to their ISP's overzealous spam blocking, which resulted in the domain registration renewal notice which their registrar sent them being tossed as spam. Such an outcome is completely unacceptable and, indeed, may be legally actionable. Your users expect you to protect, not interfere with, their mail.

So where does this leave the IT professional charged with maintaining their company's mail servers on behalf of their users, other than between the proverbial rock and a hard place? Sticky a wicket as it is, the following steps can help you to avoid ethical, and even possibly legal, email delivery snafus.

First: Never ever discard incoming email which is addressed to one of your users. Filter, yes - delete, no.

Second: Do make liberal use of "spam folders", a secondary inbox for your users into which email which your system identifies as likely to be spam can be deposited.

Third: Make sure that your users know what your spam filtering policies are, and that they know to check their spam folders regularly.

Fourth: Know the policies and practices of any third-party spam filtering, blocking, or identification solution to which you may subscribe. It doesn't do you any good to keep a careful shop if the spam filter to which you are subscribing lists anyone and everyone every which way from Sunday.

Fifth: Post your email acceptance and delivery policies somewhere public on your website, so that not only will your users know what your spam-filtering policies are, but their correspondents (i.e. the people sending them email) will know how to play nice with your system to avoid erroneously triggering your spam filter.

Remember, there's a fine line between the killer app, and killing the killer app. Make sure that in your efforts to keep your users' inboxes usable you remain a part of the solution, and not a part of the problem.