Summer Spam

Spam is occupying more than its customary share of my attention in recent weeks. I’ve long had a morbid fascination with sleazy human communication (hence That makes the always-relentless stream of spam, though not exactly welcome, at least interesting.

Spam volume also seems to have increased during this period. The number of spam attempts my mail server rejects per day had been steady at around 3,000 for months. Now it’s back up around 5,000 or 6,000.

I run my own mail server and fight spam via greylisting, blacklisting, and other strict technical rules. This setup rejects 99+% of the spam aimed at the domains I host, but some still gets through to me. Never enough to displace real mail, but enough to keep my little hobby-interest alive. Here are some of the spam highlights of my summer so far:

  • After one too many identical HTML spams, I took the rare step of adding a custom rule to my mail server config. I started rejecting all mail with “Content-Type: text/html; charset=us-ascii”. In this age of Unicode, that’s turned out to be a pretty safe bet. Lots of rejections and no known false positives.

  • I received a weird email about money via Craigslist. It looked like a response to an ad – one I’d never seen before, and certainly hadn’t placed. Naturally my first thought was that the Craigslist bit was all a ruse, but a look at the message headers showed it was real: it had been sent via Craigslist in response to an ad with my email address attached. In other words, a Craigslist ad that had been created (copied verbatim from a legit ad) just to send spam to me via Craigslist’s email forwarding feature.

  • I spent a few minutes trying to convince (via email) of the fact that since I received spam at an email address that I had invented purely for use with their service, and which had never been used for anything else, this meant that somebody had poached their list from inside. They are still thinking about this silently.

  • I encountered a new form of referrer-spam. Remember referrer spam? Spammers would put their URLs in the HTTP_REFERER header when hitting blogs and other websites that had dynamically generated lists of “top referrers”, then the spammers' sites would show up in those lists. Well, this week I saw an inscrutable but surely related anomaly in the headers of some requests made to one of my sites (which I was looking at for other reasons, not spam-hunting). This HTTP_REFERER header was a giant comma-delimited list of approximately 10 or 15 URLs.
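
One way to look for the multi-URL Referer anomaly from the last item in web server logs, as an added example that is not part of the original post. It assumes Combined Log Format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: ip - - [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def referer_urls(referer):
    """Split a Referer value on commas and keep the pieces that are
    absolute http(s) URLs. A comma inside a single URL's query string
    yields fragments with no scheme, so those are not counted."""
    urls = []
    for piece in referer.split(","):
        piece = piece.strip()
        parts = urlsplit(piece)
        if parts.scheme in ("http", "https") and parts.netloc:
            urls.append(piece)
    return urls

def find_multi_url_referers(lines, threshold=2):
    """Return (ip, request, urls) for every request whose Referer holds
    at least `threshold` absolute URLs. Unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        urls = referer_urls(m.group("referer"))
        if len(urls) >= threshold:
            hits.append((m.group("ip"), m.group("request"), urls))
    return hits

# Constructed sample lines (documentation IP ranges, example domains).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "http://search.example/?q=a,b" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jul/2024:10:01:09 +0000] "GET /post/1 HTTP/1.1" 200 7311 "http://one.example/, http://two.example/pills, http://three.example/" "Mozilla/4.0"',
    '203.0.113.5 - - [01/Jul/2024:10:02:44 +0000] "GET /feed HTTP/1.1" 200 900 "-" "FeedFetcher"',
]

if __name__ == "__main__":
    for ip, request, urls in find_multi_url_referers(SAMPLE_LOG):
        print(f"{ip} {request!r}: {len(urls)} URLs in Referer")
```

A legitimate Referer whose query string itself embeds a second full URL after a comma would also be flagged, so treat hits as leads to review rather than as grounds for automatic blocking.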

And finally, there was the phishing message I received today. It was a fake eBay notice, with the usual “click here to resolve the dispute” links. Those links were supposed to take the victim to a fake eBay page the scammers had set up (where the victim would type in all sorts of exploitable personal information). Looking at the message’s raw source, I noticed something very odd – the pages they were trying to link to were on an FTP server in Russia. Even weirder and better, the link code contained their FTP username and password! A minute later I was logged into their FTP server, looking at the one file there: the fake eBay page.

This was a darkly humorous reminder that the international spam-and-scam business is, from what I can see, a refuge for IT people (or wannabes) with poor skills and poorer ethics. So by this point I was kind of feeling bad for the incompetent underling who had put this thing together for his terrible boss.

However, I didn’t let my compassion interfere with my sense of justice and fun. I replaced their fake eBay page with my own content, a much simpler message in plain text: “We are scammers.”

Paintball Kolbudy commented:

I made my mail config as you pointed out in the first outline…great :)

But I cannot completely disable mails which come to me to free mail. Is there any way to block the adverts?

And something new lately, mails with RE:RE in the subject, suggesting you mailed earlier with the person…

And I received mail which said I am the beneficiary of my grandfather in USA and they are looking for me to pay the will :D