Spamming to hide fraud

An interesting article at NetworkWorld last month, describing spam bombs to victims of fraud and identity theft to hide the transactions and notifications from financial institutions.

The targets are individuals, whose identity and personal information the thieves already have. The victims’ email inboxes suddenly get flooded with thousands upon thousands of emails — as many as 60,000 during a 12- to 24-hour period — that contain no links, no graphics, and no advertisements. “[The contents are] nothing but mash-ups of words and phrases from literature,” he wrote.
[…] the real point is to distract the user from valid email, which will likely include confirmations of purchase receipts or balance transfers from fraudulent transactions made with the victim’s credentials.

This doesn’t seem to be a widespread problem currently, and I expect that many of the major ISPs will identify this as a mailbomb and stop the mail. As many of these mails are coming from botnets, too, many ISPs will block the mail during the SMTP transaction. I think for most people, there isn’t a huge risk. However, that doesn’t mean we shouldn’t be aware.

Related Posts

Motion to dismiss in Penkava v. Yahoo case

Earlier this month Yahoo filed a motion to dismiss in the Penkava v. Yahoo. This is the class action lawsuit where an Alabama resident is attempting to sue Yahoo for violation of the California wiretapping law.
Here’s the short synopsis.
People send mail to Yahoo. Yahoo “creeps and peeps” on that mail so they can profit from it. Plaintiff doesn’t like this, and thinks that he can use the California Invasion of Privacy Act (“CIPA”), (Cal. Penal Code § 630, et seq;) to stop Yahoo from doing this. Additionally, there is a whole class of people who live in every state but California who have also been harmed by Yahoo’s actions. The plaintiff would like the court to make Yahoo stop doing this. (First Amended Complaint)
Yahoo’s motion to dismiss is actually pretty dry and there aren’t really any zinger pull quotes that make sense without reading the whole 35 pages. The short version is that what Yahoo is doing is not a violation of California law, it is simply handling email as it has to be done to get it to recipients. Plus, California law cannot apply to mail sent from a non-CA resident to a non-CA resident because that would violate the dormant commerce clause. The class as defined makes no sense. Finally, the plaintiff continues to send mail to Yahoo addresses knowing the mail is being “scanned” and that is implicit permission for Yahoo to do it.
In the initial complaint there was an allegation that Yahoo’s behaviour was a violation of Federal and/or California Wiretapping laws. These allegations appear to have been dropped in the First Amended Complaint.
Right now there is a hearing scheduled for March 13, 2013. I’ll keep an eye on the filings.

Read More

Spammers are funny

Dear Spammer,
If you are going to send me an email that claims it complies with the Federal CAN SPAM act of 2003, it would be helpful if the mail actually complies with CAN SPAM.
In this case, however, you are sending to an address you’ve harvested off my website. The mail you are sending does not contain a physical postal email address. You’re also forging headers. Both of those things are violations of CAN SPAM. Given you have also harvested the laura-questions@ email from this website, that is treble damages.
Oh, and while we’re at it, you might want to consider your current disclaimer.

Read More

They really think we're stupid

Read More