When Spamming Gets Personal

or "Spam, Spam, Spam, Spam, Brett, and Spam"

A Constrained Rant by The Famous Brett Watson, 19-Mar-2003.

This is ridiculous. Spam (of the unwanted email variety) is now almost the defining element of my life. Last year I did a thesis on it for my BSc(Hons) degree; for the last month and a half I've been doing contract programming work for an anti-spam company; for the last couple of weeks I've been writing to Bob Cringely about it, thanks to his recent columns [1] [2] on the subject; and last night I had not one, but two, newsworthy spam incidents. Not just spam incidents, but newsworthy spam incidents. Read on if that kind of thing floats your boat, bearing in mind that all times mentioned in this document will be local to Sydney, Australia, which was +1100 at the time of writing.

The first of these is newsworthy in a mainstream sense, but it was actually a lower priority for me, for reasons which will become obvious later. I received two copies of a sinister spam which pretended to be from "admins@commonwealthbank.com" with the subject, "Netbank Security Server Update". I'm not a Commonwealth Bank customer, so it was immediately obvious that it was spam. The message advised the recipient to log into their NetBank account, helpfully providing a link and a form to do so. The thing was badly written and HTML-only, and done in such a way that my mail client rendered it as text, so all the deceptive tricks were immediately obvious. This was a basic password-stealing fraud.

You'd have to be a bit of a sucker to fall for this, but there are plenty of suckers with bank accounts, and I'd hate to see the thing succeed, so I forwarded the message to technical contacts for the bank and web hosting company at about 4am my time. (It was a long night.) A bank representative responded with an email thanking me at about 8:45am, saying the matter had been passed on to the security department. By the time I checked the scam-hosting site at around 11am, it had been deactivated. Later in the day, it made news at several sites. [1] [2] [3] Apparently there was a similar scam relating to the domain name registrar, Melbourne IT, but I didn't receive that one. I don't know whether I was the first to report the CBA fraud.

You may think there's a certain coolness factor in having tomorrow's news spammed to you, albeit in an annoying kind of way, but that's nothing. That was the minor incident. The major incident was one that had been brewing for a couple of days and then finally came to my full attention last night. Some vindictive spammer(s) were spamming out advertisements for my website, forging my identity, and attempting to provoke complaints which would result in my Internet service being shut down. I've had spammers use my address as a "from" address before, but this was a whole different ball game.

On the plus side, I've weathered the storm unscathed so far, and now have a rare opportunity to provide a first hand report of this complaint-baiting attack.

The attack first came to my attention on Sunday night (2003-03-16), during my usual Apache-log perusal. I have a small Perl script which summarises the day's activity on Nutters.org, mostly so I can see if there are any interesting traffic spikes or suspicious downturns which may indicate a technical problem. The Nutters.org home page isn't the most popular page on the site — most of my traffic is direct to some article or other, usually The Mathematics of Monkeys and Shakespeare. The hit-trend on the home page, from the 11th to the 16th, went like this: 14 hits, 18 hits, 21 hits, 25 hits, 54 hits, 106 hits. The 54 hits made me raise an eyebrow, but the 106 hits made me seriously concerned. There's usually a preponderance of hits which have no referrer record, but in this case there were 88, and of the remainder, all but two were obviously click-through from web-mail systems.

Either I'd been mentioned on a very popular mailing list, or someone was spamvertising the Nutters.org home page. Spikes in traffic like this almost invariably attach themselves to a particular article, not the home page. Although I had no idea why someone would spamvertise the Nutters.org home page, spam (or a virus) seemed like the more credible option. It came to my mind that I'd received a complimentary but odd mail earlier in the day from "J.D.", thanking me for sending him the link to my page, and asking if I'd sent it in response to his own page (which had some tangentially related stuff). This confused me at the time, since I had no record or recollection of sending any links to anyone in recent times, but in the context of this traffic spike, I suspected he'd received a forged mail. I sent a response thanking him for the message, and requesting a copy of "my" message.

As a preemptive measure, I decided to temporarily shift the Nutters.org home page and put up a notice requesting information about the source of the traffic. I put up an email address (one which is less picky about spam filtering than most of my addresses) at which I could be contacted, but the silence was deafening. Late the following day, with traffic on the home page seeming to ebb slightly (at 87 hits) and no sign of complaint, I decided to add to the message. I mentioned that I hadn't received any complaints, so perhaps it's not spam, and that I understood if people were hesitant to contact me by email for privacy reasons. I added a do-nothing text box on the page and requested that people type something in it to clue me in. I could read the messages so entered in my normal Apache-log perusal session without the need for a form-processing script.

I only got one message in the text box, and that was not relevant to the current report, but at around 2:29am on Tuesday, 2003-03-18, I received my first mail message in response to my solicitation for information. This message was from Derek, and it confirmed that I was dealing with a spam, but it didn't have the full headers, so I sent back a response thanking him and asking for more detail. The attached spam was quite a surprise: it advertised Nutters.org as a sex-site, with pictures of European teenage girls, among other things. That's a really bizarre concept. Can you imagine someone turning up at Nutters.org, salivary glands charged and ready to drool, and then thinking, "what's with all the text?" I think it would have been funnier if they'd advertised Nutters.org as the personal soapbox of a pontificating git with a penchant for paradox and probability as though people drooled over that sort of thing the way some do over nude, nubile European teenagers. But I digress.

So I now had hard evidence that this was a spam situation. The spam contained links to Nutters.org, to my personal home page, and to contact addresses for planetdomain.com (the domain registrar for Nutters.org, although I go through a reseller) and telstra.net (who are providing a secondary name service for Nutters.org, plus some other services not directly related to Nutters.org). The "from" address was "abuse@planetdomain.com", the "reply-to" address was "abuse@telstra.net", the body was HTML, and it also contained an image tag pointing to one of the Nutters.org logo images. This was obviously an attempt to frame me as a spammer, but more to the point, to provoke complaints against me: a worrying situation. I took immediate action on Nutters.org and my own personal web page, explaining the situation, and inviting further submissions of spam to the address "spamfraud1@epsilon.com.au".

At around this time, another mail message turned up. This one looked like a bounce message, and it was a different spam. It invited recipients to "visit my site for articles and info on the cyberworld!", and, "visit my homepage for more fun stuff". It also provided convenient links for submitting complaints to Planetdomain and Telstra. A snippet from my personal home page was also pasted in there, and the entire thing was text rather than HTML. "My site for articles and info on the cyberworld?" "Info on the cyberworld?" Folks, I've checked Google, and nobody has used that lame phrase before: it's now irrevocably associated with Nutters.org. The full extent of the damage being done to my site was now becoming clear.

It's interesting to note at this point in time that the links to Nutters.org in these spams were not to the home page, but to the "Nutter Log" index page. I have no idea what their rationale was for selecting that particular page, but it's worth noting that I received no hits on that page at all until the 17th, and then the total number of hits was only three. On the 18th this increased to 57 hits, but that was still mild compared to the 107 hits on the home page, most of which were still obvious email links. There were also five hits on a malformed link, and there may have been others which I don't see due to the way I summarise the activity. Over the same two-day period there were 13 hits and 15 hits respectively on the Nutters-dot-org logo image (used in the "europorn" spam) which didn't admit to a referrer, and may thus be email-related.

From these figures, I would deduce one important fact: people are extremely wary of all links in anything they perceive as spam. The click-through rate on the link is lower than the count of people who took the more cautious route of cutting and pasting just the domain name part. One or two people went so far as to use a copy of the page cached in Google rather than expose themselves to it directly (a fact revealed by referrer log records on some image requests).
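The referrer-based reasoning in the log paragraphs above (the spike on the home page, the referrer-less majority, the webmail click-throughs and the visitors who went via Google's cache), as an added example that is not the author's Perl script: a Python summariser over Apache combined-log lines. The sample log lines, the webmail host list, the `q=cache:` test for cached copies and the spike thresholds are constructed assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<day>\d\d/\w{3}/\d{4}):[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')
# Referer substrings that mark a click from a mailbox (constructed list, not exhaustive).
WEBMAIL_HOSTS = ("mail.yahoo.com", "hotmail.com", "mail.lycos.com", "webmail.")

def classify_referer(referer):
    """Bucket a referer the way the article reasons about its traffic."""
    if referer in ("", "-"):
        return "none"          # typed, pasted, or a mail client that sends no referer
    if "q=cache:" in referer:
        return "google-cache"  # reader viewed Google's cached copy instead of the live page
    if any(h in referer for h in WEBMAIL_HOSTS):
        return "webmail"
    return "other"

def summarise(log_text, path):
    """Daily hit counts on `path` (status 200 only), split by referer class."""
    per_day = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path") == path and m.group("status") == "200":
            per_day[m.group("day")][classify_referer(m.group("referer"))] += 1
    return per_day

def looks_spamvertised(per_day, day, factor=2.0, mail_share=0.8):
    """Flag `day` when hits reach factor x the earlier-days mean and mostly look mail-borne."""
    days = list(per_day)
    earlier = [sum(per_day[d].values()) for d in days[:days.index(day)]]
    today, total = per_day[day], sum(per_day[day].values())
    if not earlier or total < factor * sum(earlier) / len(earlier):
        return False
    return (today["none"] + today["webmail"] + today["google-cache"]) / total >= mail_share

def _line(day, path, referer):  # one constructed combined-log line
    return f'192.0.2.1 - - [{day}:12:00:00 +1100] "GET {path} HTTP/1.1" 200 512 "{referer}" "Mozilla/4.0"'

# Constructed sample: a quiet 14th and 15th, then a jump on the 16th made up almost
# entirely of referer-less and webmail hits on the home page, as in the article.
SAMPLE_LOG = "\n".join(
    [_line("14/Mar/2003", "/", "http://www.google.com/search?q=nutters")] * 2
    + [_line("14/Mar/2003", "/", "-")] * 2
    + [_line("15/Mar/2003", "/", "-")] * 5
    + [_line("16/Mar/2003", "/", "-")] * 8
    + [_line("16/Mar/2003", "/", "http://mail.yahoo.com/ym/ShowLetter")] * 3
    + [_line("16/Mar/2003", "/", "http://www.google.com/search?q=cache:nutters.org/")]
    + [_line("16/Mar/2003", "/monkeys/", "-")] * 4)
```

Hits on other paths (the `/monkeys/` lines) are ignored when summarising `/`, which is why a spike that attaches to the home page rather than to an article stands out.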

At about 3:30am I received another email from Derek, this time with full headers, revealing the mail source to be an MTA at rcn.net, which seems to have relayed from an attbi.com customer, so I fired off an abuse complaint to abuse@rcn.com, which, in retrospect, was the wrong target. This demonstrates the danger of acting on "received" headers unless you are personally familiar with the systems in question. Derek also mentioned that he had been concerned (before he received my email) that my benign little text-box soliciting information on the home page of Nutters.org was a malicious trap of some kind. Spam certainly inspires suspicion — and not without reason.

The fact that the spams were attempting to direct complaints towards Planetdomain concerned me. Domain registrars in general have a pretty bad reputation for withdrawing domain names at the drop of a threat (I migrated away from Network Solutions for precisely this reason), and my fears were compounded when WHOIS queries started turning up no results for Nutters.org. This was a false alarm, however: it's just a side-effect of the ".org" domain being redelegated from Verisign to a new registry ("Public Internet Registry") a little while back, and the fact that my WHOIS tool isn't up with the latest ICANN shuffles. It had me worried for a moment there, though.

It was at around this time that I was finally able to deal with the Commonwealth Bank "NetBank" fraud mail. Then I went downstairs, and finished washing the dishes that had been waiting all night for me, before going to bed. I should spend more time with my bed — I think it's feeling rejected.

The dawn of the 18th brought a few more messages. Someone called "Pete" submitted two, both of the "info on the cyberworld" variety, one of which came via Brazil, the other of which seems to have come via a Comcast cable modem, although Pete would have to confirm that, since it was handled by more than one MTA on his network, and the Comcast modem could be his for all I know. Anyhow, someone by the name of "Ron" also submitted an "info on the cyberworld" spam which was sent via Korea. Clearly this is a serious spammer we're dealing with here, folks; one who doesn't put all his eggs in one basket. I also received a reply from "J.D." (who contacted me early on in the piece, as you may recall), but he wasn't able to forward me a copy of the spam at the time.

Lastly, I received an honest-to-goodness complaint (as opposed to a solicited copy of the spam, or unsolicited friendly mail) from a "Rick", who sent mail to the "postmaster" address at Nutters.org, requesting an end to the spamming. He thoughtfully attached the spam, which was one of the "europorn" variety, which seems to have originated at the same attbi.com address as the one submitted by Derek.

It was well into the 18th before it occurred to me to check my mail server logs, given as how I'd disabled some of my spam-blocking facilities in order to allow more complaints to arrive, yet received so few. When I finally got around to it, I was very surprised to see the number of bounce messages my mail server was rejecting. At 02:57 2003-03-18 (+1100), my mail server started receiving (and rejecting) bounce messages sent to addresses of the form "Xfamous@nutters.org", where the "X" was an additional two to four random letters. Approximately 24 hours later, there have been 1605 such distinct bounce addresses rejected by my system in 2566 delivery attempts. The thousandth distinct address and 1500th delivery attempt occurred within three and a half hours of the first, and it's slowed to a trickle in the more recent hours. These bounce messages appear to have been associated with the "info on the cyberworld" flavour of spam, but I can't say so for sure, given as how I didn't accept any of the messages.
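As an added example (not the author's code or mail server configuration), the bounce storm described above can be separated from ordinary bounces by matching the forged-address shape, two to four random letters prepended to a real local part, against the mail server's RCPT log. The log line format, the relaying host names and the addresses are constructed assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed MTA log lines in a generic "timestamp result: RCPT from client to=<addr>" shape;
# not the author's real logs. Three forged variants (one repeated), one unrelated bad address,
# and one delivery to the real address.
SAMPLE_RCPT_LOG = """\
2003-03-18 02:57:03 reject: RCPT from mx1.example.net[192.0.2.10] to=<qzfamous@nutters.org>
2003-03-18 02:57:09 reject: RCPT from mx1.example.net[192.0.2.10] to=<kxrfamous@nutters.org>
2003-03-18 02:58:40 reject: RCPT from relay.example.org[198.51.100.7] to=<qzfamous@nutters.org>
2003-03-18 03:01:12 reject: RCPT from mx2.example.com[203.0.113.5] to=<abcdfamous@nutters.org>
2003-03-18 03:02:55 reject: RCPT from mx2.example.com[203.0.113.5] to=<nobody@nutters.org>
2003-03-18 03:05:30 accept: RCPT from mx1.example.net[192.0.2.10] to=<famous@nutters.org>
"""

LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<result>accept|reject): RCPT from (?P<client>\S+) '
                     r'to=<(?P<rcpt>[^>]+)>$')

def forged_variant_re(real_address, min_len=2, max_len=4):
    """Regex for the pattern in the article: min..max random letters before a real local part."""
    local, domain = real_address.lower().split("@", 1)
    return re.compile(r'^[a-z]{%d,%d}%s@%s$' % (min_len, max_len, re.escape(local), re.escape(domain)))

def backscatter_summary(log_text, real_address):
    """Count bounce attempts aimed at forged variants of `real_address`: total attempts,
    distinct forged addresses, seconds between first and last, and the relaying clients."""
    variant = forged_variant_re(real_address)
    addresses, clients, stamps = set(), Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not variant.match(m.group("rcpt").lower()):
            continue  # the real address, or an unrelated bad recipient: not part of the storm
        addresses.add(m.group("rcpt").lower())
        clients[m.group("client")] += 1
        stamps.append(datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"))
    if not stamps:
        return {"attempts": 0, "distinct": 0, "seconds": 0, "clients": clients}
    return {"attempts": len(stamps), "distinct": len(addresses),
            "seconds": int((max(stamps) - min(stamps)).total_seconds()), "clients": clients}
```

Rejecting such recipients at RCPT time, as the author's server did, is what keeps the storm out of the mailbox; the summary only measures it.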

It looks a lot like I have two distinct spammers here, using two distinct messages and two distinct distribution techniques to victimise me in the same way at roughly the same time. My vote is on the "info on the cyberworld" guy as being the nastier and more devious lowlife, but why are they doing it in the first place? Is there a fraternity of spammers, worldwide? Did I offend a local spammer when I submitted a complaint recently that resulted in the culprit losing his hosting? Did the offended spammer call upon his slimy brethren to exact revenge on me, at one degree of separation to hide the motive? I dunno, and I haven't been inconvenienced enough to care. So far, their rage is impotent; the spam may fly thick and fast, but the results just aren't there.

I do hope that was their best shot, however.

Nutters.org
Author: The Famous Brett Watson
Date: 2003-03-19
Public Domain: the author waives copyright on this document. Other sources (if any) are quoted with permission or on the principle of "fair dealing" and retain their original copyrights.