Spamming to hide fraud

An interesting article at NetworkWorld last month, describing spam bombs to victims of fraud and identity theft to hide the transactions and notifications from financial institutions.

The targets are individuals, whose identity and personal information the thieves already have. The victims’ email inboxes suddenly get flooded with thousands upon thousands of emails — as many as 60,000 during a 12- to 24-hour period — that contain no links, no graphics, and no advertisements. “[The contents are] nothing but mash-ups of words and phrases from literature,” he wrote.
[…] the real point is to distract the user from valid email, which will likely include confirmations of purchase receipts or balance transfers from fraudulent transactions made with the victim’s credentials.

This doesn’t seem to be a widespread problem currently, and I expect that many of the major ISPs will identify this as a mailbomb and stop the mail. As many of these mails are coming from botnets, too, many ISPs will block the mail during the SMTP transaction. I think for most people, there isn’t a huge risk. However, that doesn’t mean we shouldn’t be aware.

Related Posts

Light blogging for a while

Sorry for the lack of substantive posts, things seem to have gone completely out of control and I’m not finding a lot of extra cycles to sit down and blog. I’ll try and get some stuff up this week, but I’m also getting ready for MAAWG and the sessions I’m a part of there.
There was an interesting post by Romer over on his personal blog. If you don’t know, Romer helps maintain one of the commercial mail filters. He recently got spammed by one of his vendors and talked about how this is probably not the best idea. Al adds his own take on companies assuming permission. I’ve talked about taking permission in the past but haven’t touched on things like “spamming the guy who runs the filter.”
You’d be surprised, or maybe you wouldn’t, about how many people who run filters for large organizations get spammed regularly. You wouldn’t be surprised to find out that those people do factor in their own personal spam load when adjusting their organizational filters.

Read More

About that spam suit

John Levine has a longer blog post about the Smith vs. Comcast suit. Be sure to read the comment from Terry Zink about the MS related claims.

Read More

Harvesting is alive and well

I’m finding out that email address harvesting off websites is alive and well on the Internet. We have a rotating address on the contact page, which does get harvested but usually the spam is attempting to sell me blog related services. I didn’t expect to get a very different collection of emails to the address I posted here. I’m quite surprised that address is getting a completely different type of spam from the contact address.
The one thing that harvesters appear to have in common is sending CAN SPAM violating email. Both the contact address and the questions address get lots of mail that is in violation of US (and California) law. One of these days I might get bored enough to file a suit against one of them and blog about it.

Read More