Saturday, January 28, 2006

On Spam and Viruses, part two


Don’t Open Junk Mail

(If you do, a lascivious gorilla wearing a diver's helmet will come for you.)

Some spam comes in the form of HTML code. When you open the email, it sends a message to the spammer’s server telling it your email address is a working address. At that point you become a qualified prospect and your address is ripe for selling. You can also trigger this response by using the preview pane in your email program.

Unsubscribing is another trick of the trade. By clicking on the unsubscribe link, you also let the spammer know your email is an active address.
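To see what "sends a message to the spammer’s server" looks like in practice, here is an added example (not part of the original post) that lists what an HTML email would fetch by itself when opened and flags any fetch that carries your address. The sample message, tracker.example and the function names are made up for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample message (not real spam); all hosts are placeholders.
SAMPLE = """\
From: deals@shop.example
To: jane@bricks.example
Subject: Big savings
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="cid:logo123">
<img src="http://tracker.example/open.gif?rcpt=jane%40bricks.example&amp;c=42" width="1" height="1">
<a href="http://tracker.example/unsub?id=8f3a">Unsubscribe</a>
</body></html>
"""

class RemoteFinder(HTMLParser):
    """Collects URLs a mail program loads on open (links only fire when clicked)."""
    AUTO_LOAD = {("img", "src"), ("link", "href"), ("iframe", "src"), ("body", "background")}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            remote = value and urlsplit(value).scheme in ("http", "https")
            if (tag, name) in self.AUTO_LOAD and remote:
                self.urls.append(value)

def find_beacons(raw, recipient):
    """Return [(url, leaks_recipient)] for every remote fetch in the HTML parts."""
    msg = message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = RemoteFinder()
        finder.feed(part.get_content())
        for url in finder.urls:
            # A query value equal to the recipient ties this fetch to one mailbox.
            values = [v.lower() for _, v in parse_qsl(urlsplit(url).query)]
            results.append((url, recipient.lower() in values))
    return results

if __name__ == "__main__":
    for url, leaks in find_beacons(SAMPLE, "jane@bricks.example"):
        print("LEAKS ADDRESS" if leaks else "remote fetch", url)
```

Mail programs that block remote images by default stop this fetch from happening; an opaque ID in the URL can identify you just as well as the address itself, so any remote fetch in junk mail deserves suspicion.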

On Spoofing

You get an email from somebody saying a message was undeliverable. Yet you never sent an email to that person. What happened?

Most likely somebody is spoofing your email address. Just as anyone can put a return address on an envelope that says, for example, “George W. Bush, 1600 Pennsylvania Ave, Washington DC 12345”, you can make up any address you want as a return address in email (this is not true with your corporate email account by the way – if you want to try it, do so from your home account).

So, if I pretend to be John.Doe@acme.com and send an email to Jane.Doe@bricks.com, if there is a Jane Doe in that organization she will get that email. If there isn’t, a reply will be sent back to the real John Doe, saying his message was undeliverable. Since John Doe never sent that email in the first place, he will understandably be confused at getting the undeliverable message.

Unfortunately you can’t stop someone from spoofing your email address. Your best bet is to figure out where the email is really being generated from, and complain to the originator’s ISP. If you get a lot of undeliverable responses to messages that you never sent out, contact your administrator.
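As an added example (not from the original post), this is one way to check an "undeliverable" notice: pull out the copy of the original headers the bouncing server returned and read the address it recorded for the machine that handed the message over. The bounce, host names and IP addresses are constructed, and the set of your own mail server IPs is an assumption you supply.

```python
import re
from email import message_from_string, policy

# Constructed bounce for the John/Jane scenario; the lower Received line is a
# made-up one, written by the sender to look as if acme's server was involved.
BOUNCE = """\
From: MAILER-DAEMON@mx.bricks.example
To: john.doe@acme.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.bricks.example

Final-Recipient: rfc822; jane.doe@bricks.example
Status: 5.1.1
--b1
Content-Type: text/rfc822-headers

Received: from pc17 (unknown [203.0.113.45])
 by mx.bricks.example with SMTP; Sat, 28 Jan 2006 10:00:00 -0500
Received: from mail.acme.example (mail.acme.example [192.0.2.10]) by pc17
From: john.doe@acme.example
--b1--
"""

def returned_headers(bounce):
    """Find the copy of the original headers that the bouncing server sent back."""
    for part in bounce.walk():
        if part.get_content_type() == "text/rfc822-headers":
            return message_from_string(part.get_content(), policy=policy.default)
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def analyze_bounce(raw, my_ips):
    orig = returned_headers(message_from_string(raw, policy=policy.default))
    hops = orig.get_all("Received", []) if orig else []
    # Only the top Received line was written by the server that bounced the mail;
    # everything below it arrived with the message and can be invented.
    m = re.search(r"\[([0-9A-Fa-f.:]+)\]", str(hops[0])) if hops else None
    handoff_ip = m.group(1) if m else None
    return {"claimed_from": str(orig["From"]) if orig else None,
            "handoff_ip": handoff_ip, "sent_by_us": handoff_ip in my_ips}

if __name__ == "__main__":
    print(analyze_bounce(BOUNCE, my_ips={"192.0.2.10"}))
```

When `sent_by_us` is false, the `handoff_ip` is the address to look up and report to its ISP.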


Phishing
Spam is the medium of choice for scam artists. Phishing is where a scam artist sends you an email pretending to be from a company you already do business with or another legitimate source. The official-looking email asks you to confirm your personal information on one pretense or another. The email can even have a link to what appears to be the company’s site, complete with logo and graphics. The information requested can range from account information, account balances, PIN numbers, mother’s maiden name, or passwords. Once the scammers receive it, they use your information for identity theft or direct embezzlement.

Police departments report that older Americans are more likely to fall prey to this method, as they tend to have more savings, larger credit lines, and are less likely to be computer adroit.

This makes sense to me. Who wants to scam 16-year-old computer nerds with no money?

Common Sense
There is an FTC complaint form to report spam and spam-related fraud to, but in the end, it really comes down to common sense and controlled usage of your machine and email. I actually have multiple email addresses.

I have an employer provided email address which I use for company related communications. In my case it’s cumbersome as it’s on Lotus Notes and requires a VPN.

I have a professional email address off my Outlook, which I use for convenience as no VPN connection is required. I also use it for my eFax account. I tend to monitor this address throughout the day and use it for business. No friends or relatives have this address.

Both of my professional email addresses have remained spam free for over two years now.

Then I have personal accounts. These are “throw-away” accounts on Yahoo. The advantage here is that I can discard them easily without undue trouble should I suddenly become overwhelmed with offers to view Britney Spears’ breasts or chemical help for some sort of “male-enhancement” issue. (I don’t know about the rest of you guys, but I find the latter particularly insulting.)

Because this can prove cumbersome, I limit it to one “active” personal email account at a time. I don’t monitor this personal account consistently on a day-to-day basis, but look at it as curiosity or the need for a distraction from work arises. Should spam become an issue, as it did for several of my personal email addresses over the past five years, I simply move on to another disposable email address.

You might also consider having a “junk” email address. Say you want to read a newspaper article, but the site makes you register before you can read it. This is the address you provide, ditto for any other web junk activity.

Lastly, I won’t cover forwarding articles/graphics using a web page’s “forward to a friend” button; the downside there is self-evident. I also won’t cover the dangers of irresponsible web browsing, or not automatically stopping pop-ups on your browser. A person who falls into either of these traps is just proving Darwin right.

JP

Saturday, January 21, 2006

On Spam and Viruses, part one


Spam and computer viruses are two of the most annoying scourges of our time. In the past two years I’ve gone through several personal email addresses because of spam. I suspect my email address was on a machine which got infected by a virus.

History

Electronic junk mail is called spam after a famous Monty Python skit. In the skit, set in a restaurant that serves only Spam dishes, a group of Vikings sings “Spam, Spam, Spam, lovely Spam, Wonderful Spam!” as a couple decides what Spam dishes to order. (You'll find a link to the video at the bottom of this post. It's funny.)

Not surprisingly, the first documented case of spam came from a group of lawyers trying to advertise in a cheap, cost-effective manner. And for the record, Spam the lunch meat is capitalized, and spam the junk mail is lower case.

The Problem

We all know the exasperation of sifting through multiple offensive junk emails in search of legitimate messages. There’s also the annoyance of treating them like plutonium as we take care not to open them and gingerly place them in the trash folder for deletion.

But there is also the secondary issue of bandwidth and security, which inescapably costs you real money. Bandwidth is the amount of stuff that can be transmitted in a fixed amount of time. When an ISP or a business has to increase its bandwidth to deal with the spam, or put safeguards in place to block it, the cost is passed on to you as the consumer.

The How

The moment you buy something online, you begin to get unsolicited email from various vendors. It’s not unusual for companies to sell addresses of existing customers. Also vendors are not very good about honoring their “don’t send me email” check boxes.

Aside from companies you do business with, spammers get your address from a variety of sources.

There are programs that scan web sites for email links. There are also programs that scan internet newsgroups constantly. So, if you post to an internet newsgroup even once, you will start getting spam almost immediately.

Another way email viruses propagate is by scanning the address book and emails of an infected machine, and then mailing viruses to every address it finds. That’s why you can get a virus-infected email from someone you don’t know.

This is an important point.

You don’t have to send an email to someone in order for them to have your address. Say you receive an email addressed to yourself and fifty other people. One of those fifty people forwards the email on to a bunch of other people, who keep forwarding it on ad infinitum. Oftentimes all the email addresses of each recipient in the chain are included in the forwarded email. One of the recipients down the chain gets infected with a virus, and bam, everyone who received the email is also sent a virus-infected email.

The chain email can also be "captured" by a spammer and the addresses are then sold. I suspect this has happened to my personal email addresses over the past two years.

This is why email administrators generally loathe and despise chain emails, joke lists, etc. If you know someone who sends you chain mail, politely ask them to put the addresses in the BCC field. That way your address won't get captured by spammers.

JP

(to be continued)

Next: HTML confirms, Spoofing, and Phishing

Monty Python Spam Skit Video-