Personalized Spam Rising Sharply, Study Finds

designperfection9 writes "A new study by Cisco Systems Inc. found an alarming increase in the amount of personalized spam, which online identity thieves create using stolen lists of e-mail addresses or other poached data about their victims, such as where they went to school or which bank they use."

30% of all Web traffic?

[alain94040]

From the article:

The latest study was based in part on [Cisco's] ability to monitor 30 percent of all Web and e-mail traffic

I hope the journalist misunderstood something, otherwise all my fears about the NSA just got crunched.

--
iPhone Apps review site looking for bilingual testers

Re:30% of all Web traffic?

[morgan_greywolf]

Not to worry. The NSA monitors 100% of all Web and e-mail traffic! Thanks to The New AT&T: Your World, Delivered. To the NSA.

Anti-spam Legislation

[unlametheweak]

It's a good thing there is anti-spam legislation.

Re:Anti-spam Legislation

[oldspewey]

Your response demonstrates a ...

[ ] clueless
[x] sarcasm-based
[ ] battlescarred
[ ] well informed

... approach to interpreting spam stories ...

Re: Anti-spam Legislation

[rs232]

"It's a good thing there is anti-spam legislation"

Except the 'anti-spam' legislation, legitimizes spam, provides for safe harbor and prevents the endusers suing the ISPS for fowling their inboxes ..

Re: Anti-spam Legislation

[Progman3K]

Except the 'anti-spam' legislation, legitimizes spam, provides for safe harbor and prevents the endusers suing the ISPS for fowling their inboxes ..

As if regular spam wasn't enough, now I have to worry about 'em jamming chickens into my inbox.

What bothers me more is

[rolfwind]

the rise in "security questions" which are essentially weaker passwords. This personalized spam proves getting to much of that info is easy. But now, so often, when I register an account, in addition to a password, there is always a "security password" to null and void that password and get back in easier.

Some of the better services let you choose your own security password, but others only have a short list of really lame ones (1st car, pet, place of birth) which is not secure at all. I make sure to put in a nonsensical random string as an extra security measure. And this just proves it fallible.

Re:What bothers me more is

[unlametheweak]

The real problem is people visiting Web sites through email links, and replying to unsolicited email (from companies they recognize or not). Banks don't conduct business through yahoo email addresses. The real issue is educating consumers, or having consumers educate themselves. One does not drive a car without knowing the rules of the road (despite what people may think of cliched analogies), and email clients shouldn't be Web 2.0 browsers.

Re:What bothers me more is

[zappepcs]

What you are saying is true, but it can't be legislated. It can, however, become a vocation. Yes, for just 3 easy payments of $19.99 we'll teach you how to be safe on the Internet.... blah blah

An internet driver's license seems like a good idea till you think about all the absolutely retarded drivers you saw on the way home from work recently. Then it sinks in: some people are NOT trainable.

If you think of the Internet as a huge data warehouse and spend some time with a scripter it will not take long to find out that you can personalize millions of spam emails with little to no effort other than writing a script or two. All you need is for 1-2% of those to reply and enter logon details and you have a profitable business plan, albeit illegal.

When so little return can still make you profitable, it's hard to discourage spammers. Internet driving licenses would not prevent that 2-5% of the population that can't be taught to tie their shoes from answering unsolicited emails. There is a base or root value where crooks and con artists will always be able to find prey, whether they are selling gilt edged bibles or offering better sex or longer life. Hell, there are those that are flogging lame do-nothing anti-spyware software in an effort to fleece them of their money.

As long as there are humans and an Internet there will be spam problems. You could even set up a business as an online retailer clearing house where people would send you money to pay for things for them, trusting you to tell them when it is a con job. There are those would would pay for it... say $2.50 per event to be sure they didn't get conned. How's that for a scam?

See... this problem won't go away anytime soon. Washington? Are you listening? New laws will only make this situation WORSE, not make it go away.

Re:What bothers me more is

I totally agree that email clients should not be able to read or display HTML email.

When a person has to copy and paste a link from their email then there is at least a implied consent buffer.

Sorta like a person can drink a lot of beer but still has to figure out how to use the car keys to get in the car and turn it on ( in keeping with the car analogies ).

Re:What bothers me more is

[xaxa]

A bigger problem is when you can't provide a decent, random string for the "security question". I opened a bank account online last week, but had to go to a branch to prove my identity (fair enough). The banker didn't like where her PC said I'd put "438@@/arcCHK" as my mother's maiden name, and asked for a real name. I'm waiting for the online banking activation codes to come through, I hope it doesn't depend on this value.

Re:What bothers me more is

[unlametheweak]

I'm certainly not advocating licenses to use the Internet; just education. As for the car analogy; it all depends on the diligence and intelligence one puts into it, and if you aren't sure of yourself then have somebody qualified help you along.

Best regards,

UTW

Re:What bothers me more is

[Spazztastic]

A bigger problem is when you can't provide a decent, random string for the "security question". I opened a bank account online last week, but had to go to a branch to prove my identity (fair enough). The banker didn't like where her PC said I'd put "438@@/arcCHK" as my mother's maiden name, and asked for a real name. I'm waiting for the online banking activation codes to come through, I hope it doesn't depend on this value.

I'd rather give my SSN then some stupid weak question like that.

The only reason I'm with Bank of America is because to login to my bank account you have to put in a six digit code that gets text messaged to your phone. I prefer this over "What is your home town?" or something that isn't randomly generated.

Re:What bothers me more is

[zappepcs]

That's the problem. When people delete .dll files from a system directory, do you think that somewhere in their mind is the thought "hmmm, maybe I should get someone who is qualified to look at this?"

To you and I, this makes sense, but to the great unwashed masses looking at files and configurations inside their PC is about as daunting as trying to fix their tv when the sound stops working. They open up the case, and with screwdriver in hand, start poking around looking at various bits inside the tv. Yes, I'm aware that is a bad analogy, but here's the kicker: if you had to have a screwdriver to get inside your computer's system files perhaps more people would take it to a professional to get it fixed.

Sidenote: This is one of the things that I think Ubuntu has done right. They made it as easy as possible to be a new user, to install and start using. They also have done what can be done to hide the internals from that user, and to try to prevent that user from having too easy of access to things they really don't need to be messing around with.

To put it another way, novice skydivers should not pack their own chutes. New drivers should probably never be asked to change a distributor. Novice computer users should not be asked to be administrators. In my home I'm the sysadmin and everyone else are just users who don't have access to much except using the computer. They can't install anything, can't change system settings, nothing. For all that effort, they ask me for something maybe 1-2 times every two months. Most recent was login problems due to disk quota being reached by one user. I had notifications setup incorrectly so didn't get warnings. Click click, problem gone. I really want to figure out how to run a business based on this. A business where normal end users can contract out a sysadmin at reasonable cost.

Re:What bothers me more is

[eliphalet]

Banks don't help the situation when they use names like cardmemberservices.net that have nothing to do with the bank name.

Re:What bothers me more is

Simply, this is not going to happen. Haven't this been tried for at least 10+ years?

Spam happens because too many people look the other way. Google for McColo to understand what I mean.

Spam is not going to stop my "educating people". Nor is spam going to stop by taking 2 or even 3 spammers to court a year.

Spam is going to stop if "we" make the middle man pay dearly. It's crazy that something like "McColo" has to be taken down with the help of the Washington Post.

And as long as "we" keep thinking about McColo as an exception, and that spam is mainly a non-USA problem, it will grow and grow. Check the stats at spamcop.net, and you can see it yourself.

Re:What bothers me more is

[unlametheweak]

The banker didn't like where her PC said I'd put "438@@/arcCHK" as my mother's maiden name, and asked for a real name. I'm waiting for the online banking activation codes to come through, I hope it doesn't depend on this value.

Maybe you should choose a more intelligent and security conscious bank. Rewarding bad business practices through patronage is just as bad as rewarding spammers by purchasing penis enlargement devices; they are both dubious practices.

Re:What bothers me more is

[xaxa]

They have the equivalent to my SSN anyway (my National Insurance number), but they'll never ask for that. They just tell the government how much tax I've paid on any interest I earn on the account.

A text message code is a decent idea, I don't know if any UK banks do that. My current bank asks for two digits from a PIN (not my ATM PIN!), and three characters from my password. If I forget it I have to get another code by snail-mail. If I want to transfer money online to someone I haven't transferred money to before, I need to put my debit card into a smart-card reader they sent me, input a code into the reader, and put the code generated by the reader into a web form.

I've chosen my new bank account purely because they refuse to invest in arms manufacturing etc.

Re:What bothers me more is

[oldspewey]

Internet driving licenses would not prevent that 2-5% of the population that can't be taught to tie their shoes from answering unsolicited emails.

That's why we need to get proactive. We need some kind of white hat agency that sends out trojan-riddled spam to everybody on the planet. Those who are sufficiently stupid or gullible will open and act on the spam, which will immediately reconfigure their computer: my recommendation is that it irrevocably turn their machine into a slightly more advanced equivalent of a Fisher Price Activity Center, with lots of shiny buttons and spinning graphics the users can click on but no network connectivity of any kind.

Re:What bothers me more is

[xaxa]

Maybe you should choose a more intelligent and security conscious bank. Rewarding bad business practices through patronage is just as bad as rewarding spammers by purchasing penis enlargement devices; they are both dubious practices.

I chose the bank because they have an ethical investment policy, and refuse to invest in arms manufacturing, companies that exploit third world countries etc. They don't pay as much interest on savings though, and they have less branches.

As I said, I haven't got online banking sorted out yet (I only opened the account last week!) but I'll write to them if I don't think their system is secure. They say "our Internet Banking channel has now been recognised by the BSI under ISO27001 the Information Security Standard".

Re:What bothers me more is

[characterZer0]

You do not need to get ANY replies to make money as a spammer. You just need the fool paying for your services to think there are enough other fools to reply.

There are plenty of fools who will pay spammers to spam on their behalf. Even if we went five years without anybody responding to spam, we would still get it.

Re:What bothers me more is

[unlametheweak]

I chose the bank because they have an ethical investment policy, and refuse to invest in arms manufacturing

I obviously didn't refresh the window before I posted. At least you put some thought into things. I'd also advise you to change that security password -:)

Re:What bothers me more is

[Vancorps]

The problem with spamming isn't that 1-2% reply and buy, it's that 98% of us ignore it so they endure no penalty. The 98% need to reply and present false information to waste their time which will result in them no longer being profitable. You'll have a short term problem with the fact that your address is now verified but over the long run it will die on its own and spammers give up.

This is of course easier said than done considering a great many of the links in the emails go to malware ridden sites so you need a secure web browser to do it effectively preferrably running something like noscript.

Re:What bothers me more is

[ldhertert]

What I don't understand is why more banks don't even allow the option of purchasing an RSA token and requiring that along with a password for all significant changes to an account. I can understand them a) Not wanting to force everyone to use them, and b) not wanting to pay for it, but it blows my mind that they don't have some sort of opt-in service.

Re:What bothers me more is

[castironpigeon]

I propose legislation that mandates the education of consumers. Who's with me?

Re:What bothers me more is

[inviolet]

The real problem is people visiting Web sites through email links, and replying to unsolicited email (from companies they recognize or not). Banks don't conduct business through yahoo email addresses. The real issue is educating consumers, or having consumers educate themselves. One does not drive a car without knowing the rules of the road (despite what people may think of cliched analogies), and email clients shouldn't be Web 2.0 browsers.

In real life this "don't talk to strangers" / "don't buy from some guy in a back alley" issue is solved with our eyes and our sense of context. There is no context or visual aid when browsing to a website or reading an email... hence, people will click anything. They are still subconsciously relying on their vision ("a normal-looking email message") and context ("here safe in my home") to judge the safety of interacting.

So let's stop trying to fix people, rowing upstream as such, and instead go with the flow. Write a web browser and an email client that change their appearance based on trust chains or certificates or whatever we use to authenticate known-good entities. When reading an email from a stranger, or an email from bankofamerica.com that lacks the proper signature, the email window turns black and gets covered in spikes. Same with the web browser.

Or bring back clippy, and have him appear as a shady-looking guy in an overcoat, standing next to the email, and he opens his coat to sell you something if your mouse hovers over a link. Or whatever. Point is, work *with* humans' natural authentication mechanisms, rather than whine about how users are clueless.

The real cluelessness is us programmers who ignored our knowledge of existing human authentication systems when we wrote email clients and web browsers. Gee, "let's make all web pages appear equally clean and safe, and then expect users to not click the mean ones!"

Re:What bothers me more is

[cdrguru]

You are conflating the spammer with the spam contractor. The spammer doesn't see any replies and has no interest in what the response rate might be. The spam contractor probably learns after the first attempt that spam doesn't really work. And moves on to other, more intrusive marketing techniques.

The problem is the spammer's services are in constant demand. Ever day some new folks decide to cash in on the potential of email marketing. They pay the spammer. As long as they are paying, the spammer has a wonderful business model.

Re:What bothers me more is

[noidentity]

The banker didn't like where her PC said I'd put "438@@/arcCHK" as my mother's maiden name

"438@@/arcCHK" is my mother's maiden name, you insensitive clod!

Re:What bothers me more is

[againjj]

To you and I, this makes sense, but to the great unwashed masses looking at files and configurations inside their PC is about as daunting as trying to fix their tv when the sound stops working. They open up the case, and with screwdriver in hand, start poking around looking at various bits inside the tv.

Then they touch the CRT, get a massive electrical discharge, and earn a Darwin Award.

Re:What bothers me more is

[aztektum]

I say there is no better an education than getting scammed by a Nigerian viagra peddler who will give you 10 million dollars and a penis that could hammer in rail road spikes.

Re:What bothers me more is

[Dan541]

One does not drive a car without knowing the rules of the road

Yes they do, what rock have you been living under?

Re:What bothers me more is

[unlametheweak]

Yes they do, what rock have you been living under?

Fraggle Rock

Re:What bothers me more is

funny, my mother's maiden name was '); DROP TABLE Accounts;--

Re:What bothers me more is

[sootman]

Are you of the Boston 438@@/arcCHKs?

Re:What bothers me more is

[Vancorps]

I'm not conflating anything, you stated the end result rather nicely. The spam contractor will move on to something else and thus will end the email clog as fewer and fewer people contract for spam.

It's a much simpler solution than changing fundamentally how the Internet operates to eliminate the problem when you can simply starve the supply and achieve a specific goal of reduced levels of spam.

The next technique will have a different solution. We can deal with it when it arrives.

Re:What bothers me more is

[zix619]

very interesting read: www.icsi.berkeley.edu/pubs/networking/2008-ccs-spamalytics.pdf amny often the conversation rate is somewhere around 1/ 100 000 this is very low, the problem is that there is almost no cost for sending 100000 spams! Then even with this low rates you can still make money. I only see one problem, associate some expense (very low) to the email you send, This will make the spam economics unbearable for mass spamers.

Re:What bothers me more is

[zappepcs]

Do you know of an implementable plan to do this? I've not been able to think of one that would work. I can always see the backlash on any implementation, but agree that a very small cost would ruin the economics of sending spam.

Re:What bothers me more is

[Opportunist]

No, the ones from UnK)z5qs.

I have no idea what the town was called before the earthquake, sorry.

Re:What bothers me more is

[xaxa]

All UK bank customers have an encryption device, in the form of the chip in their credit/debit card (Wiki: Chip and PIN). The main use is to authenticate with a PIN rather than a signature when making a purchase in a shop, but the larger banks have sent their online banking customers portable challenge-response device things. They look like a small calculator. The online banking gives you a number which you put in the reader, the reader queries the card and spits back another number. That goes in the web form to authenticate. So far, my main bank only uses this when I ask to transfer money online to somewhere I haven't sent money before. If it was required for normal online purchases it would be annoying, since I might buy something away from home, but so far they haven't tried that.

(Slightly related: now it's effectively impossible to steal a UK card and use it in a UK shop the fraud has shifted to the USA. The cards are stolen here, and fake cards produced and used in the USA (and other places) where they don't have the equipment to authenticate with the chip. The bank recently sent me a letter saying if I was going to use the card outside the EU that I should tell them first, or they'd assume it was fraudulent -- in which case, they try and phone me before refusing the transaction.
Alternatively, criminals try and steal/copy the card *and* get the PIN, e.g. by hiding a tiny camera on an ATM.).

Incidentally, this has all been done for "free" (we don't pay a monthly fee for accounts anyway, but the money must have come from somewhere). Card fraud has been reduced a lot, so the banks are saving money there.

Re:What bothers me more is

[xaxa]

I registered for internet banking tonight. The security is crap, I'll email them after I've written this.

I phoned up. I asked to register for internet banking. I gave the person my account number. First problem: I'd rather have typed my account number into the phone before I was connected to someone who then knows all my details. He asked for my name, address, overdraft limit and secret name (the one from the GP post) the overdraft limit is the default for the account, which is clearly advertised on the website. The rest is easy to find out. He then said I needed to provide five pieces of secure information, my place of birth easy to guess, and you can find it in the public records if you really want to, first school I'm in the "I attended X school" group on Facebook, and it wouldn't be difficult to work out anyway if you knew where I lived until I was 18, last school which is named after the place of birth, I said I wasn't comfortable having two answers the same, but he said I couldn't change the question, a date the most secure, I think?, and a four-digit number also secure. I asked if I could change them later, and he said yes but it seems I can't change them online. Do I have to phone again?.

I've just logged in. I was asked for my account number why? A username would have been more secure, two digits from the four-digit number good, they didn't want the whole PIN, and my last school but they did want all of that.

I'm also surprised I can access it already. I was expecting to be sent a letter with a secret number in.

So... I'm a bit disappointed.

Personalized, but not personal.

[Boogaroo]

Really, at this point, who is falling for this stuff?
Even with personalization, I am getting the same "custom" messages from 15+ "female" names.When you get your forula spam message, does anyone click on them anymore?

Is there still money in spam, other than the money from selling the spam lists and spam network?

Re:Personalized, but not personal.

[polle404]

Is there still money in spam, other than the money from selling the spam lists and spam network?

yes there is.
Unfortunately it only takes very few people buying their products, for it to be profitable.

IANAS (I Am Not A Spammer), as it is...

Re:Personalized, but not personal.

[gstoddart]

Really, at this point, who is falling for this stuff?

Seriously? There's a lot of people coming onto the web who have never been there. I was stunned last year when my retired (not computer literate) parents bought a laptop and got a broadband connection.

Increasingly everyone is being told that if you're not on line you're missing out on something. Unfortunately, the sophistication and knowledge required to do this safely belies the ease with which people can connect and then if they don't know anything about such things, they're at risk. People just aren't being made aware of the danger, and don't really understand all of the ways that they can get into trouble.

When my parents first went on-line, I gave them a fairly stern lecture telling them of what to be wary of -- specifically I said don't ever give any identifying information to a site you don't know and trust, and trust almost nothing which comes into your inbox, especially if it's claims to be from a bank or the government. So far, a healthy dose of skepticism about the truth of what's in their inbox has probably served them fairly well.

The world hasn't exhausted its supply of people who just don't know all of the risks and dodgy areas they need to watch out for, and the tools they're using may not be nearly as safe as we'd like. The fact that it's being marketed as easy to do without explaining some of the danger is a contributing factor.

Is there still money in spam, other than the money from selling the spam lists and spam network?

Of course there is, otherwise you wouldn't see it. It only has to have a very small hit rate to be hugely profitable. When you're sending a couple of million emails at a time, the 1% of people who fall for it are plenty enough.

Cheers

Re:Personalized, but not personal.

[kabocox]

Seriously? There's a lot of people coming onto the web who have never been there. I was stunned last year when my retired (not computer literate) parents bought a laptop and got a broadband connection.

Increasingly everyone is being told that if you're not on line you're missing out on something. Unfortunately, the sophistication and knowledge required to do this safely belies the ease with which people can connect and then if they don't know anything about such things, they're at risk. People just aren't being made aware of the danger, and don't really understand all of the ways that they can get into trouble.

Reminds me of all the general complaints about Mac Users being so generally uneducated about IT crap and on the internet pre 2000. The big joke was that any PC user that un-educated would never have been able to get on the internet. The Macs made it trivial for any one that owned the PC to get on the internet. Jump ahead about a decade and what do you see now? Cell phones that you could browse the internet on, $350 laptops, and broadband at what dial up used to cost. Now anyone that is willing to make the minor effort can get on the internet fairly easily without being generally educated about computers, cell phones or the internet.

You'll see all those old Mac user jokes come back re-written for whatever is the current lowest knowledge level demographic. Things are getting easier to do on the internet without having to be educated much. Spam and scams in general seem to be about it that you need to tell people to watch out for. I almost think that we need a high school class on IDing scams and how not to fall into them.

Re:Personalized, but not personal.

[Sage+Gaspar]

They manage to catch me off guard with a new trick or just a convenient circumstance once every couple years. I still remember one of the first big worms that went around when I was in high school, I got an e-mail from this girl I had a nerd crush on promising me some manner of lewd photos. Had I thought about it for a moment I would've realized, but damn skippy I clicked that link inside of two seconds hehe.

Re:Personalized, but not personal.

[dmneoblade]

That, and email is so cheap, that 1 response out of 12 million emails is still a good profit.

Re:Personalized, but not personal.

[Haoie]

You only need, say, 1 response in 1000 for it to be profitable.

Annoying huh?

Re:Personalized, but not personal.

[gstoddart]

The people who send bullshit bank or fraudulent emails asking for your information is not legal spam.

No, it's a complete scam, and should be pursued and prosecuted as such.

Most mailers send out real products that people want and ads such as debt consolidation and stuff like that. It's from real companies, it's not all bullshit.

Horseshit. Penis enlargement? Cialis? A degree without university? Designer goods? Canadian pharmacies dispensing cheap drugs? Some chick who is waiting at an internet cafe to talk with me?

There's so much stuff out there that is so outright fraudulent, that in my books, I simply refuse to believe that it's possible or safe to pick the wheat from the chaff and identify legit products. Anyone choosing that form of advertising is summarily tuned out as being crap.

If you're marketing your product by unsolicited emails to gazillions of people, at the very best you're an ass, and at the very worst, a complete scam artist. Want to be treated like a legitimate company? Don't act the same as the guys peddling fake prescriptions or just running cash scams.

You simply can't tell the general populace that since maybe 5% of the spam you receive isn't just plain bullshit we should try to give the rest of the benefit of the doubt. The only way to really respond to this is to tell everyone as loudly as possible that they simply should not trust commercial or financial email unless they can 100% verify its source. And, if you're 100% sure you know how to be 100% sure, err on the side of being cautious.

Educating people to not risk falling prey to this shit, and it will go away.

So far, anti spam legislation has been completely toothless. Do you know how many emails I see which claims to be from a company and gives the links to their opt-out that are completely bogus? All it did is tell people how to format their message to look legit.

Cheers

Just a coincidence

[sunking2]

Cisco will soon be introducing a product to address this exact problem!

Re:Just a coincidence

[TomSawyer]

Cisco will soon be introducing a product to address this exact problem!

Please, this is Cisco. They've already purchased the company that makes the product to address this.

http://www.ironport.com/

Pretty scary

[spyrochaete]

I received one spam email this year which was addressed to me, using my proper first, middle, and last name, as well as my old address back from when I used to live with my parents. The only place I would have volunteered this information online was the Monster job website several years back. I emailed Monster, rather furious at how lax their privacy was. They confirmed that this was their fault but were completely unapologetic.

Fortunately (I think) I never received a second email like this.

Re:Pretty scary

[CBravo]

There are two kinds of spam: spam by known entities and spam by anonymous entities. The first kind should always be targeted by sending a complaint to spamcop.net (because it will blacklist their mailservers which they should care about). 5 complaints and their server is blacklisted for a day and the servers get higher spamcredits.

You should never respond to the second kind and I think there is not much use in sending a complaint to spamcop (anybody knows differently?).

I do email-marketing (spam@request) for a living and we hate spamcop notifications.

Re:Pretty scary

[pjt33]

When I was young (16) and (more) foolish I was interested in the stock market and registered at the Motley Fool, which for some reason wanted my snail-mail address. Got some amusing snail-mail spam out of that, including one from a fund manager who offered to manage my investments before adding that he only bothered with accounts of £100k or more.

Re:Pretty scary

[spyrochaete]

The email came from gmail.com. I verified the IP address in the headers and it seems to have really come from Gmail. I reported it to Google but got no reply. Something tells me Spamcop wouldn't be surprised by this.

Re:Pretty scary

[cdrguru]

The problem is that SpamCop treats pretty much all spam reports as golden information to be relied upon. So intelligent computer user purchases something on the Web, gets an emailed receipt and reports it as spam. This, being the one and only report, does not carry much weight but it is indeed logged and counted.

Following this savvy computer user #2 signs up for a mailing list and for some reason then reports all said mailings as spam to SpamCop. Now we have a trend - obviously this organization is a den of spammers.

Because rule #1 in the anti-spam world is "Spammers Lie", there is no point in trying to contact anyone about the behavior of the dedicated team of zealots behind SpamCop. They are anonymous, uncontactable and uncaring. Their mission is to stamp out spam in all forms and anything that is emailed that is not specifically desired at the time it is received is clearly spam. This definition covers just about anything, including receipts, mailing list sign up confirmations and subscribed-to mailings. Even those that are personalized including the date the user signed up and confirmed the subscription embedded in the email.

Email is fundamentally unusable for contacting people unless you have a prior relationship with them and they know who you are. Anything else, you may as well assume they are behind a whiltelist filter that blocks all incoming email. There is virtually no point in sending email to people unless it is their job to receive and respond to sales prospect email. Even then, you may discover they have an agressive spam filter that blocks your email. And when this filter is implemented by their outsourced email provider, nothing is going to get your email read.

Re:Pretty scary

[AaronLawrence]

Spamcop reporters are NOT allowed to support "email they don't like" and lose their reporting privileges if they repeatedly do it.

That said, it is is somewhat open to abuse. However, there are much more aggressive blacklists out there, and notably Spamcop will automatically remove you from their lists if a day or two goes by and there is no further reports, whereas other lists are near-impossible to get off.

Re:Pretty scary

[wces423]

Dear Mr. Spy Rochaete Hyppy. We are pleased to announce that we have a product which detects and stops personalized spam. Please send a cheque of $200/- to have a spam-free inbox.

Re:Pretty scary

[CBravo]

For me that would be an 'unknown' since a gmail user is not trackable.

Just Shotgun Spamming...

[damn_registrars]

Is it really personal spamming? I've seen spam posing as bank notices for a long time. Generally, first you see them (posing to be) from the largest banks, and then over time you start seeing them (posing to be) from regional and local banks as well.

And considering how many people use online banking, it is pretty reasonable for many people to expect to see an email from their bank on occasion.

Re:Just Shotgun Spamming...

[m.ducharme]

I think by "personal", more is meant than just appearing to come from your bank. The spammers seem to be getting hold of more personal details of people and targeting those people specifically.

As for online banking, I know that my banks send me e-mail that basically says "you have a statement/message/notice waiting, please log into your account and check it", and these e-mails generally do not even directly link to the bank's web page.

My banks all have excellent security, including original/customizable security questions, image keys, etc. Some require you to speak to an actual human before they'll reset a password. None of my banks offer cookies to save my password from one session to the next, and prevent the browser from offering to store the password locally.

In all, I would expect that if spammers are getting personalized information on me, they're not getting it from my banks.

Re:Just Shotgun Spamming...

[digitalunity]

I routinely get spam addressed to Mike, which is my name.

It's kind of creepy really since they ONLY place online I use my real name is my bank website. I guess there is no reason hiding it anymore, since obviously the spammers have it anyway.

~Mike

Re:Just Shotgun Spamming...

[0x2A]

My bank only sends PGP-encrypted and signed messages. Very cool indeed.

Very personalized...

[jshackles]

How did they know I was looking for penis enlargement pills and cheap viagra?!?!

Suspicion runs high

[Drakkenmensch]

I use email so rarely these days that any piece of email I get which I did not directly request from the sender I treat as suspicious, no matter who sent it. So far it's been proven to be a perfectly valid policy to follow.

Re:Suspicion runs high

[morgan_greywolf]

So that's why you never respond to my e-mails. You're fired!

Now I am going to be worried

[Chrisq]

Personalized Spam Rising Sharply

Now I am going to be worried every time I get one of those adverts for penis enlargement

....who told them?

Re:Now I am going to be worried

[jollyreaper]

Personalized Spam Rising Sharply

Now I am going to be worried every time I get one of those adverts for penis enlargement ....who told them?

Data mining. You must have ordered some of those little finger condoms people use in food service to cover up cut fingers and they just assumed it was for something other than food service. I'm still enraged that from my purchase history of metal they were able to decide Madonna's latest would be a good recommended buy for me.

Re:Now I am going to be worried

[DevConcepts]

Just got an email...
With the success of Viagra, many new performance drugs for men go into development:

--PROJECTRA: Men given this experimental new drug were far more likely to actually finish a household repair project before starting a new one.

--COMPLIMENTRA: In clinical trials, 82% of middle-aged men noticed that their wives had a new hairstyle. Currently being tested to see if its effects extend to noticing new clothing.

--BUYAGRA: Married men report a sudden urge to buy their wives gifts after taking this drug for only two days. Still to be ascertained: whether the results extend to not minding when women spend money on themselves.

--ANTI-AGRA: Promises the exact opposite effect of Viagra. Currently undergoing clinical trials on U.S. Senators.

--NOSPORTAGRA: This drug makes men want to turn off televised sports and actually converse with other family members.

--FLATULAGRA: This complex drug converts men's noxious intestinal gases into air freshener.

--FLYAGRA: This drug shows great promise in treating men with O.F.D. (Open Fly Disorder).

--LIAGRA: This drug helps men lie more successfully when asked about their sexual affairs. Will be available in Regular, Grand Jury and Political Strength versions.

Re:Now I am going to be worried

[edalytical]

And with the cheap v1@gra, spam won't be the only thing rising sharply.

Re:Now I am going to be worried

[DeeVeeAnt]

Dear Chrisq It is common knowledge amongst my associates that you do have a particulary small penis. Perhaps I could interest you in a prescription for our new improved Donkey Dong tablets. Simply reply with your full bank details, address, mothers maiden name etc. for security purposes. Regards Robin Suckas

Re:Now I am going to be worried

[Chris+Burke]

--LIAGRA: This drug helps men lie more successfully when asked about their sexual affairs. Will be available in Regular, Grand Jury and Political Strength versions.

Forget all those other drugs. I'll take three cases of this and MOAR V14GRA!!!

Surprise surprise

[DrSlinky]

Poached data, eh?

And here I thought it was simply common knowledge online that I had a small penis. Go figure.

Comment removed

[account_deleted]

Comment removed based on user account deletion

reunion.com

[fprintf]

My father just kicked off a flurry of spam from his inbox, and I have been helping him to reach out to his entire address book to stop it from spreading any further. According to him:

"I receieved an email from my dearest friend from England, who I have not spoken to in some time, asking me to join Reunion.com. I clicked on the button in the email and sent me to a site giving me the option to sign up for the service. Until I got your call, I had no idea that it sent out emails to everyone in my address book. It was a nicely worded email and didn't seem like spam at all.

Now that they have his email address, one that he does not want to give up, I am afraid he, and everyone on his address list, will now be the target of even more personalized spam. I hope my gmail filter catches most of everything, but I have no doubt in a few months I'll be looking for pen!s enlargement devices, v!agr@ etc.

Re:reunion.com

[rohan972]

My daughter got sent something like that from a cousin. The site asked for your email login and password for you to sign up. They then logged into you email and spammed your contact list, wash, rinse, repeat.

p.s.

[WindBourne]

Please do not forget to deport your paycheck from walmart to your Wells Fargo account 777-888888.

Re:p.s.

[elrous0]

It is very important you speedily do these. Big payment is anxious for you! It will being travel for you when you send account number!

Re:Not just them

[elrous0]

They understand it. They just don't give a shit.

What is worse

[WindBourne]

is that it will probably increase as more site are electing to run Windows.

Re:What is worse

[Toll_Free]

Yeah, since most SPAM originates from idiots and their home computers.

More baseless BS from a fanboi.

--Toll_Free

Re:What is worse

[shentino]

Indeed.

I think it's called a botnet.

Self-generated spam

[macraig]

You can't get much more personal than spam that you send to yourself. I'm apparently doing this every night in my sleep, since I can't ever recall clicking Send when I'm awake....

Re:Not just them

[Sfing_ter]

Of course they do, it's just that if they don't do as NSA says, then they don't get to continue to rebuild their monopoly. It be Bidness, and the constitution gets in the way of Bidness.

Simple Solution

[WagonWheelsRX8]

There is a surprisingly simple solution to the SPAM problem but no one likes it. Charge to send e-mail. It doesn't have to be much (heck a penny an e-mail would probably suffice).

Re:Simple Solution

[Haeleth]

Great idea! And given our global history of perfect peaceful cooperation, I'm sure we'll have no trouble at all persuading every single country in the world to collect one penny from every email sender.

Re:Simple Solution

[pne]

Your post advocates a

( ) technical ( ) legislative (x) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(x) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(x) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
(x) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(x) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:Not just them

[jlarocco]

Maybe that's because understanding the constitution isn't the telcos job? Get pissed at the government. Defending the constitution is their fucking job, and they were the ones who telling the telcos what to do.

Don't get me wrong, I'm not happy that the telcos went along with it, but you have to place the blame where it belongs - on the government people who initiated the action in the first place.

So *thats* why

[Tablizer]

Explains all the one-eyed midget pr0n spam i get.

Personalised? That explains it

[6Yankee]

One sneaked through my Gmail filter last night.

"Break down walls with your massive c0ck," it said. I'm not sure what Facilities would have to say about that, but clearly this spammer knows all about me. :)

Re:Personalised? That explains it

[Beardo+the+Bearded]

c0ck is a brand name of sledgehammer.

So the spam was technically true.

Facilities would certainly have a problem if you brought one to work and started smashing the walls.

a.k.a. targeted ads...

[Lazy+Jones]

There is really no large qualitative or quantitative difference between e-mail spam and targeted ads nowdays. Both account for a lot of traffic, both are usually not appealing nor desired (targeted ads being generally more intrusive). Why does e-mail spam have a so much worse reputation? Because it's limited to a few daring advertisers I suppose (and you can't have that advertising spot!).

Re:Not just them

[dmneoblade]

Telco's do, however, have a responsibility to say "Sure, as soon as you give us a court order, we'll get right on that." If they don't, then they are waiving the right to your privacy for you, and they are just as guilty.

Re:Not just them

[tnk1]

Defending the constitution is their fucking job

Yeah, all the oaths say that, but the reality is that the best parts of the document are the ones that realize that the worst defenders of that document are the guys it was written to restrain.

Its not really anyone's job to to protect the constitution, but it's sure as hell in most people's interests to do so. Even the telcos.

alarming increase in personalized spam ..

[rs232]

What are the ISPs doing about it, such as blocking relaying of spam from open or unauthorized email relays.

the real problem is ..

[rs232]

"The real problem is people visiting Web sites through email links, and replying to unsolicited email (from companies they recognize or not)"

No, the real problem is the ISPs not blocking spam from open or unauthorized email relays. And the gazillion compromised desktop PCs out there being used in botnets ..

Who needs identity theft?

[jmcvetta]

Someone remind me, what is the difference between spam sent by "identity thieves", and spam sent by corporations that have "legitimately" obtained my info?

Re:Not just them

[cdrguru]

(a) When Mr. Government Man says to the person at the telco "Well, Form XYZ34B/NS3 says we don't need a court order, you just have to comply." and hands over a copy of a evidently properly signed and executed form XYZ34B/NS3 who the heck is going to say "No"? Because should anyone do that, the next is to bring out form ABC37Q/VR5 which says a failure to comply with XYZ34B/NS3 can possibly result in a 34 year prison term. Of course it is all BS, but it is BS conducted from a position of untimate authority. Upon someone that really doesn't know.

(b) In the US I am not aware of any legislation that says you have any such "right to privacy". There are some pretty weird interpretations of the 14th Amendment that when suitabily tortured seem to come up with something that sounds like a "right to privacy" in the right situations. But outside of Roe V. Wade, I've never heard of anyone in a legal sense asserting a true "right to privacy". You might get somewhere saying it is an illegal search violating the 4th Amendment, but I think they have that covered. At least that argument has been fought over already and lost as far as the telco monitoring is concerned.

Re:Not just them

[greg_barton]

Maybe that's because understanding the constitution isn't the telcos job?

Understanding the constitution is every American's job.

So what?

[BCW2]

99% of the personalized crap is so obvious it doesn't matter.
Even the bank phishing attempts are funny. An email with my name from a bank I never have done business with is a cause for concern?
How about those from a bank I never heard of?

OK folks, how many people had ever heard of The Fifth Third Bank before they saw the phishing email? Raise your hands now.
That's what I thought.

Re:So what?

[HAKdragon]

I've heard of Fifth Third. They have branches all over the Cleveland (OH) area...

Re:So what?

[BCW2]

Nobody out of their area had. Who dreamed up such a goofy name? When I saw it I wondered who would do business with one and two thirds of a bank.

Re:So what?

[HAKdragon]

From Wikipedia:

Fifth Third's unusual name is the result of the June 1, 1908 merger of two banks, The Fifth National Bank and The Third National Bank, to become The Fifth Third National Bank of Cincinnati. Because the merger took place during a period when prohibitionist ideas were gaining popularity, it was believed that "Fifth Third" was better than "Third Fifth," which could be construed as a reference to three "fifths" of alcohol. The name went through several changes over the years, until on March 24, 1969, the name was changed to Fifth Third Bank.

Re:Not just them

[daigu]

Aren't the people that work for telcos also citizens of this country? As citizens, it is our responsibility to make sure that the government does not over step its bounds. So, I think I'll remain pissed at them too, thank you very much.

Re:Not just them

[jlarocco]

Understanding the constitution is every American's job.

Okay, you got me there ;-)

What I mean is, when the NSA, CIA, or FBI says "Here's this official government order telling you to wiretap.", the telco doesn't know how it was obtained, they just know it's an official government order to wiretap. They shouldn't have to investigate how and why it was obtained before they comply. Not like they could even do that if they wanted to.

It's the government agency's responsibility to make sure the order is done legally and constitutionally, not the company that gets served the order.

Re:Not just them

[Vakara]

The case against the telcos is based on violations of law, not constitution. The telcos violated provisions in FISA which placed specific parameters around what they are legally allowed to do (and required to obtain) in order to perform surveillance on US citizens or within US territories. The provisions are specific enough that civil damages are specified in the actual law (per incident!) to further incent the telcos to obey the law.

The government asked for something they shouldn't have, and most of the telcos (not all!) gave up something they were legally obligated to protect. As far as I'm concerned they are both fair game.

It's as secure as you make it yourself

[Opportunist]

My first car was an XQ3'tt9w, my mother's maiden name is 6P$n(we.

(These being examples, don't even try...)

Suitable reply

[Opportunist]

Thank you for confirming my worries that your system is not secure.

Sorry, but the ISO27001 is outdated. Why? It's older than a month, so it's outdated. We're talking IT security here.

Re:Suitable reply

[xaxa]

Thank you for confirming my worries that your system is not secure.

Sorry, but the ISO27001 is outdated. Why? It's older than a month, so it's outdated. We're talking IT security here.

I see your point, but people don't want to change how they log in to their banking every month.

The security is disappointing though, see http://slashdot.org/comments.pl?sid=1066923&cid=26176013

Use it to your advantage

[Opportunist]

Years ago I started creating online accounts with false names. Well, not false, just ones I found in the local phone book.

Then my spam filter learned that mails to those phonebook people were unwanted, because nobody I know would mail me something under that name.

Since those "personalized" spam mails are only so much personalized (i.e. name and maybe a few other tidbits), mails that were sent to my phonebook people were used as patterns to weed out other mail that actually went to my name.

The most difficult task for a spamfilter is to discriminate between wanted and unwanted mail. It gets a heck lot easier when the spammer himself gives you a sample of what you want to filter for.

Re:Not just them

[unlametheweak]

The same line of reasoning was used by the military to justify the torture of (innocent) civilians at Abu Ghraib prison, but in that case only the Generals and politicians got immunity.

Re:Not just them

[unlametheweak]

Y'know, maybe it's just me, but I always thought the constitution is clear enough for pretty much *everyone* to understand it

Yeah, the problem is that if you ask ten people what it means, they will all agree that it is absolutely clear with no room for any doubt, and they will all disagree on what it means...

If there was any doubt, then they should have consulted the general public to ask them whether what they were planning on implementing was constitutionally correct. Democracy has a way of weeding out the extremes (of abuse, when it is practiced).

Re:Not just them

[gum2me]

It's actually the job of the people to defend the Constitution. We're here to keep the Government in check.

When?

[Nishi-no-wan]

When are they going to get personalized? I guess I don't have enough information out there, because the past few days I got about 50 messages from Hot Chicks who thought I was "hawt" and want to chat on MSN.

1. I don't advertise on dating sites. Any profile I have is professional, not looking for a bonehead blond.
2. I am not "hawt" now, nor was I a few decades ago when I was actually available.
3. You couldn't pay me to use a Microsoft product, and that includes MSN.

That's 0 for 3 for the most recent spew of spam that's getting through the filters. I'm afraid that they need more help with the personalization still. Or is it that I need more make more of my personal life available to them?

Re:When?

[Nishi-no-wan]

Oh, and with this new spurt of spam, my first thought was that there must be some new 0-day method to infect MS users via MSN. Perhaps related to Microsoft's sudden desperate need to patch IE?

Why don't I miss the pain of using Microsoft? I'm coming up on the 9th anniversary of overwriting my last Microsoft partition (at work no less) - hitting [Enter] at the stroke of midnight, January 1, 2000 (while awaiting the world to end due to the Year 2000 Bug).

Re:Not just them

[Loopy1492]

I disagree. There's a clear difference between a jovially-executed man-pile and murky-as-hell privacy laws.

Re:Not just them

[Loopy1492]

Also true. At least until they finally convince the voters that the only reasons to own a gun are for hunting and home defense. Then we're fucked.

Pure inbreed slashdotter found!

[freaker_TuC]

Finally we're seeing one of our fine pure inbreed slashdotters again ! ;)

I thougth we were extinct..

rule of thumb: 1cm on Internet is 0.5cm IRL

[freaker_TuC]

If centimeters really count, general dating rule of thumb:

1 centimeter on the Internet is 0.5 centimeter In Real Life!

conclusion: These spammers know the rule of thumb better than you do! ;)

Nobody did! It's a rule!

[freaker_TuC]

It's a rule [general dating rule of thumb] not a word! ;)

Ready to be standardized by any millionaire on the world! Stay tuned!