Targeted for Spamination

This morning at around 11am, I noticed an unusually high number of emails in my Gmail spam folder. I had a quick look and saw there were a lot of ‘Mail delivery failed: returning message to sender’ emails – not unusual in itself, but in this case there were literally hundreds of them. As I was watching, the number kept climbing. A bit over five hours later, I have over 21,000 bounces – around 3,600 bounces per hour.

Turns out someone got hold of my Gmail address and decided to use it (and my name) as the ‘From’ field for a new spam campaign pushing their latest scam – http://tinyurl.com/moneyonline2010 (deliberately not linked). The email is as follows:

Good Morning,
Thought id share a link that helped me and my bank balance out!
Finally an easy way to make $1000 every day , without further hype check out the link below
http://tinyurl.com/moneyonline2010
To your success online
David

If you have received that email, please note that I am not sending it to you – someone is forging the ‘From’ header so it simply looks like it is coming from me.

Believe it or not, this is how email works – anyone can send a message claiming to be from anyone else, from any address. Nothing in SMTP checks the ‘From’ header against who is actually sending, and most mail clients will let you type whatever you like into it. The only thing that changes is where replies go: if someone hits ‘reply’, the answer goes to the person you’re pretending to be (if you used their actual address, anyway).

Almost all of the bounces appear to be from a mail server that is rate limiting the sender, as they all contain the text: “Domain bristolz.co.uk has exceeded the max emails per hour (500) allowed. Message discarded.” So that’s at least some good news: it means ‘only’ 500 spams an hour are making it out into the world with my name on them, and that server is throwing the rest away.

My first thought was that maybe my Gmail account had been compromised and someone was actually sending these emails through it, so I had a quick scan through to confirm this was not the case. I thought it unlikely anyway, as I assume Gmail has filters and limits in place to stop anyone sending that many emails per hour.

– none of these messages were present in my sent mail, or IMAP sent mail
– ‘Last account activity’ indicated no-one other than me had logged into my account

I have contacted abuse@sky.com, which appears to be the ISP that owns the originating IP address (I will be amazed if I hear back), and I’ve also contacted tinyurl.com (as their terms specifically prohibit using their service for spam). In the meantime, sorry – but it ain’t me and it ain’t my fault!
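To make the forging described above concrete, here is an added example in Python. It is mine, not the author’s, and has nothing to do with whatever the spammer actually used; every host, address and IP in it is a placeholder from the reserved example ranges, and the message is constructed, not a capture of the real spam. It shows the three things that matter in this story: the ‘From’ header and the envelope sender are set independently and nothing checks either; bounces follow the envelope sender (Return-Path), which is how a forged envelope lands thousands of bounces in the victim’s inbox; and the ‘originating IP’ you report to an ISP comes from walking the Received headers while trusting only the lines your own servers added.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample, not a real capture: one of the spam messages as the
# receiving server might have stored it. Hosts, addresses and IPs are
# placeholders (RFC 2606 / RFC 5737 reserved values). Both the From header
# and the envelope sender (Return-Path) have been set to the victim's
# address, which is why the victim gets the bounces. The bottom-most
# Received line was written by the spammer's own machine and is untrusted.
RAW_SPAM = b"""Return-Path: <david@gmail.example>
Received: from mx.receiver.invalid (mx.receiver.invalid [192.0.2.10])
\tby inbox.receiver.invalid with ESMTP id 1Nfo2k-0003Ab-2X
\tfor <someone@receiver.invalid>; Thu, 11 Feb 2010 11:02:13 +1000
Received: from [198.51.100.77] (helo=localhost)
\tby mx.receiver.invalid with smtp id 1Nfo2j-0001Qx-7T
\tfor <someone@receiver.invalid>; Thu, 11 Feb 2010 11:02:12 +1000
Received: from mail.gmail.example ([203.0.113.5])
\tby relay.spammer.invalid with ESMTP; Thu, 11 Feb 2010 11:02:00 +1000
From: David <david@gmail.example>
To: someone@receiver.invalid
Subject: Good Morning

Thought id share a link that helped me and my bank balance out!
"""

# Hosts the receiving side operates (assumed names). Only Received lines
# stamped "by" one of these can be believed; anything below them may have
# been written by the sender.
TRUSTED_RELAYS = {"inbox.receiver.invalid", "mx.receiver.invalid"}


def forge_message(header_from, envelope_from, to, body):
    """Build a message whose From header has nothing to do with the envelope sender.

    This is all that 'spoofing' amounts to: smtplib.SMTP.sendmail() takes the
    envelope sender as a separate argument and never compares it with the
    header, and neither does the protocol. Nothing is sent here.
    """
    msg = EmailMessage()
    msg["From"] = header_from
    msg["To"] = to
    msg["Subject"] = "Good Morning"
    msg.set_content(body)
    return envelope_from, msg


def header_vs_envelope(raw):
    """Return the address the reader sees (From) and the one bounces go to (Return-Path)."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        "from": parseaddr(str(msg["From"]))[1],
        "return_path": parseaddr(str(msg.get("Return-Path", "")))[1],
    }


def originating_ip(raw, trusted_relays):
    """Walk the Received chain top-down and return the IP that handed the
    message to the last relay we trust. Stops at the first hop not added by
    our own servers, so forged Received lines appended by the spammer are
    ignored rather than believed."""
    msg = message_from_bytes(raw, policy=policy.default)
    handoff_ip = None
    for received in msg.get_all("Received", []):
        line = re.sub(r"\s+", " ", str(received))
        m = re.match(r"from (?P<from>.*?) by (?P<by>\S+)", line)
        if not m or m.group("by").lower() not in trusted_relays:
            break
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m.group("from"))
        if ip:
            handoff_ip = ip.group(1)
    return handoff_ip


if __name__ == "__main__":
    env, msg = forge_message("David <david@gmail.example>", "david@gmail.example",
                             "someone@receiver.invalid", "Thought id share a link...")
    print("envelope sender:", env, "| From header:", msg["From"])
    print(header_vs_envelope(RAW_SPAM))
    print("hand-off IP to report to the ISP:", originating_ip(RAW_SPAM, TRUSTED_RELAYS))
```

The address to complain about is 198.51.100.77, the machine that connected to the first trusted relay; the 203.0.113.5 line underneath it is exactly the kind of decoy a spammer can prepend, and originating_ip() never reaches it because it stops at the first hop it does not recognise.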

MBF Newsletter Mail Merge Mistake

Either someone is doing an excellent job phishing for MBF member details, or they screwed up sending out their most recent email newsletter.

The newsletter’s subject is “Your chance to win 10K worth of prizes” and it contains the following text:

Hi William,

At MBF we want to help you get the most from your health insurance.

Register to receive our updates via email today and we can help to keep you healthy and happy.

To register click here, login to myMBF and make sure you complete your contact details and update your communications preferences to email. If you’re already registered, make sure you check your details in case anything has changed since you last visited.

Two things immediately jump out at me here:

  1. My name isn’t William. Something has gone wrong with their mail merge and it’s put someone else’s name on my email. Embarrassing, but not fatal.
  2. I have all my MBF communications set to ‘post’ – all email options (that I can find) are switched off.

To complicate things further, the links are all of the form http://p1.eservicesesp.com/cts/click?q=randomcharactershere – no doubt this is a mailing service that they’re using to track newsletter click-throughs, but a tracking redirector on a domain that has nothing to do with MBF is exactly what a phishing link looks like to a casual observer.

The net result is that the email looks like a phishing attempt. But it’s almost certainly just a screw-up on the part of MBF and/or the marketing agency they’ve employed to handle their bulk emails.

To make things even more painful, there’s no easy way to report the problem to MBF, either in the email (a simple “if you believe you have received this message in error, click here” link would have done the trick) or on their website. Even logged in, you don’t get an option to provide feedback over the web or via email – you have to use the phone or write them something called “a letter”.

Sending newsletters to lots of people is hard. But it’s not that hard. We’ve done it at Mammoth every week for almost eight years, sending millions of emails to hundreds of thousands of subscribers, so if you need some advice on how to do it right, maybe you should ask us :)

Chase Bank’s Email Security

For a few months I’ve been getting emails from Chase, which appears to be a financial establishment of some kind. These emails are addressed to a ‘Barbra Harrison’, who is not me. These are coming to my Gmail address – a fairly common occurrence, as many people mistakenly think they own my Gmail address.

People not knowing their email address – or simply mistyping it by accident – is a ridiculously common occurrence. In fact, I was working on how to mitigate it on AusGamers just before writing this. It seems a little scary though that people would screw up their actual email address in anything related to their bank or financial institutions.

But what’s worse is the emails don’t provide me with a clear way to notify the bank that they’re coming to the wrong place. I’ve tried replying to them a few times (despite the notice saying they won’t read them – sometimes they do). I’ve tried navigating their website, but it’s a maze and the only way I can seem to do it easily is to either log in with the account details of Barbra (which I might be able to retrieve as I am in control of the email address she submitted for her online account!), or call them.

I was a little amused when I got this email from them today:

[image: chase-email-security]

I decided to spend a bit more time reading the email to see what my options are. I can unsubscribe from mailouts – which I don’t want to do, because my email address might still be attached to Barbra’s account, which is not great for anyone. I can report it as fraud, which I don’t want to do because it’s not really appropriate.

The FAQs have one useful question: “I don’t have an account with Chase, but I’m getting e-mail about my Chase account. How does that happen?” The answer to that, however, assumes that I’m the victim of a phishing attempt. I’m confident that is not the case here.

They have an email address for other inquiries – emailquestion at chase.com. I always feel like mailing addresses like this is a total waste of time, but I’ll give it a go – for Barbra.

Update: emailquestion@chase.com bounces:

The original message was received at Tue, 4 Aug 2009 20:44:45 -0400 (EDT)
from sg3.svr.us.jpmchase.net [155.180.248.7]

----- The following addresses had permanent fatal errors -----

(reason: 550 5.2.0 /var/mail/t000900: irregular file)

Note that this is a permanent error raised while delivering to a local mailbox on their own server (the mailbox file behind the address isn’t a regular file), not a typo on my end: the address is published in the FAQ but cannot receive mail. They sure make it hard.

PayPal Changes Their Email Address

I recently got an email from PayPal (an actual one, not a phishing attempt) telling me that they’re changing their email address (subject: “Important Address Change Information from PayPal”).

I noticed this part:

How do I know if an email is really from PayPal?
PayPal emails only come from a ‘paypal.com.au’ or ‘paypal.com’ address. We will always address you by your first name AND last name.

It’s important to note that the first part of this answer is next to useless from a security point of view. Anyone who knows anything about the Internet will tell you that it is completely trivial to send an email so it looks like it is coming from any address. SMTP itself has nothing built in to stop this; add-ons such as SPF and DKIM only help when the sending domain publishes the records and the receiving server actually checks them, and the message you see in your inbox usually gives no hint whether that happened.

It’s a little annoying that PayPal focus on that by putting it first, because it’s much, much less of a useful security measure than the second thing they propose – using your first AND your last name. Most email spam/phishing attempts simply attempt to guess your name by deriving it from your email address – for example, if your email address is david@example.com, then they’ll start their email with “Dear David”.

However, there’s (almost) no way to derive your last name in bulk mailing attempts like this – unless you already have that information, like PayPal would if you had an account with them. (I say ‘almost’ because there are fringe cases where spammers could guess your first and last name – for example, if your email address is formatted like david.harrison@example.com).
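As an added illustration of the point above (my example, not PayPal’s or the author’s), here is the kind of name-guessing a bulk mailer can do with nothing but a list of addresses, and where it runs out. The address formats are constructed examples; the heuristics (split on dots, dashes and underscores, strip plus-tags and trailing digits) are a plausible reconstruction of the approach, not any particular spam tool’s code.

```python
import re


def guess_name(address):
    """Return (first, last) as far as they can be derived from the address alone.

    None means 'not recoverable from the address'. Only a first.last@ style
    local part gives a usable surname, which is the fringe case the post notes.
    """
    local = address.split("@", 1)[0].lower()
    local = local.split("+", 1)[0]                      # drop plus-tags: david+shop@
    tokens = [re.sub(r"\d+$", "", t) for t in re.split(r"[._-]", local)]
    tokens = [t for t in tokens if t]                   # drop empties and pure numbers
    if not tokens:
        return (None, None)
    first = tokens[0].capitalize()
    if len(tokens) == 1:
        return (first, None)                            # david@ -> "Dear David", no surname
    last = tokens[-1].capitalize()
    if len(tokens[0]) == 1:
        return (None, last)                             # d.harrison@ -> initial only
    return (first, last)


def greeting(address, known_full_name=None):
    """The salutation each kind of sender can manage.

    A bulk phisher has only the address; an institution that holds the account
    (PayPal, in the post) also has the registered full name and can use it
    regardless of what the address looks like.
    """
    if known_full_name:
        return "Dear " + known_full_name
    first, last = guess_name(address)
    if first and last:
        return "Dear %s %s" % (first, last)
    if first:
        return "Dear " + first
    return "Dear Customer"


if __name__ == "__main__":
    for addr in ("david@example.com", "david.harrison@example.com",
                 "d.harrison@example.com", "dharrison1980@example.com",
                 "12345@example.com"):
        print("%-28s %-22s %s" % (addr, guess_name(addr), greeting(addr)))
    print(greeting("dharrison1980@example.com", "David Harrison"))
```

Run over the samples, only the first.last@ form yields a full name; the run-together and initial-only forms leave the phisher with a wrong or missing first name, which is why a correct first AND last name is a far stronger signal than the address in the ‘From’ field.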

If you’re reading emails and wondering whether or not they’re from who they purport to be, bear in mind that the address in the ‘From’ field on its own is never a good way to decide. You’ll need to look for other clues: whether the message knows things only the real sender would know, and where its links actually go.

Unless, of course, they’re using PGP or some other mechanism to digitally sign their emails. It boggles my mind that financial institutions aren’t offering this as a matter of course, even if only a handful of people would actually use it.

BigPond Billing Scam Email

Another good email scam, this one purporting to be from BigPond:

Dear Customer,

This e-mail has been sent to you by BigPond to inform you that we were unable to process your most recent payment of bill. This might be due to either of the following reasons:

1. A recent change in your personal information. (eg: billing address, phone)
2. Submitting incorrect information during bill payment process.

Due to this, to ensure that your service is not interrupted, we request you to confirm and update your billing information today by clicking here [note the link: http://tusdrei.de/futtern/telstra.com.au/members/myaccount/LANGUAGE/ECareServ/ID12549JDk23/Online%20Billing.htm].

If you have already confirmed your billing information then please disregard this message as we are processing the changes you have made.

Regards,
BigPond
Billing Department

It looks like the link has already been taken down (and Firefox automatically flags it as a scam site), but I couldn’t find much reference to this email with a Google search, so I figured this might help other people: it’s definitely a scam/phishing attempt. The giveaway is the link itself: the host the browser actually connects to is tusdrei.de; ‘telstra.com.au’ only appears further along in the path, where it does nothing except look reassuring.
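The URL in that email is the classic trick of planting the real brand’s domain somewhere the eye catches it but the browser ignores. Here is an added example (mine, not the author’s) that pulls the host a link really goes to and says where the brand name was planted. It uses the one real URL quoted above plus constructed variants covering the other common placements: the brand as a lookalike subdomain of another host, the brand stuffed into the username part before an ‘@’, and a bare IP address.

```python
from urllib.parse import urlsplit, unquote


def classify_link(url, brand_domain):
    """Return (real_host, verdict) for a link that claims to belong to brand_domain.

    Verdicts:
      ok                 host is the brand domain or a subdomain of it
      brand_in_userinfo  http://brand@evil/  (text before '@' is a username, not a host)
      brand_inside_host  brand.example.net   (lookalike prefix on someone else's domain)
      brand_in_path      evil/brand/...      (the BigPond case above)
      unrelated_host     no resemblance at all
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    brand = brand_domain.lower()
    if host == brand or host.endswith("." + brand):
        return host, "ok"
    if parts.username and brand in unquote(parts.username).lower():
        return host, "brand_in_userinfo"
    if brand in host:
        return host, "brand_inside_host"
    if brand in unquote(parts.path + "?" + parts.query).lower():
        return host, "brand_in_path"
    return host, "unrelated_host"


# The first entry is the real link from the scam email; the rest are
# constructed samples of the other placements.
SAMPLES = [
    "http://tusdrei.de/futtern/telstra.com.au/members/myaccount/LANGUAGE/ECareServ/ID12549JDk23/Online%20Billing.htm",
    "https://www.telstra.com.au/members/myaccount",
    "http://telstra.com.au.example.net/members/myaccount",
    "http://telstra.com.au@example.net/members/myaccount",
    "http://203.0.113.9/myaccount",
]


def report(brand="telstra.com.au"):
    """Classify every sample; returns a list of (url, real_host, verdict)."""
    return [(url,) + classify_link(url, brand) for url in SAMPLES]


if __name__ == "__main__":
    for url, host, verdict in report():
        print("%-18s %-28s %s" % (verdict, host, url))
```

The check relies on urlsplit() doing the same thing a browser does: everything before the last ‘@’ in the authority is userinfo, and the path starts at the first ‘/’ after the host. So the only string worth reading is the host it returns, and the one question to ask is whether that host is the brand domain or ends in ‘.’ plus the brand domain.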

‘Astronaut Sunita Williams Pics of Earth’ – Forwarded email

My mum forwarded me an email containing a PowerPoint presentation purporting to be a bunch of images taken by NASA astronaut Sunita Williams while she was up in space.

While space pictures are awesome, as always my first instinct upon receipt was that it was probably bullshit, and so I did a bit of Googling. Turns out at least one of the photos was taken pre-2003, and from a quick Google search it seems there’s a bit of dispute about several of the other photos too.

I can’t actually find any authoritative source for any of those photos actually being from Sunita – I haven’t seen them on any of the websites that I visit (with nerdish regularity) that have photos from the Shuttle missions, NASA, etc.

While the pictures are neat and hopefully will encourage people to take more of an interest in getting us off this rock, it serves as yet another reminder not to automatically believe anything you read in your inbox. Or on the Internet. Or in the newspaper, or on the news, or anything anyone tells you, ever.

Edit: I should point out that _some_ of the photos might actually be hers – but I can’t find any proof that they in fact are. All I can find is that at least one of them is probably not hers, which raises doubt over the others.