Thousands of UK students are furious with the country’s Universities and Colleges Admission Service after receiving an email from them with the subject line “You’ve Been Accepted”. The message, which led students to believe it was an acceptance notice from a university, was actually a spam message advertising discounted HP laptops. This infuriated students, as this is the time of year when they are awaiting their A-level results and scrambling to apply to the limited amount of university openings available. In the UK there are more qualified students than there are spots at the most sought after universities. Many students feel that the spam message was not only misleading, but cruel and in poor taste. The UCAS, red-faced, quickly offered an apology.

A UCAS spokesman said: “We understand and apologise for the confusion this has caused to some applicants, and we are looking at reviewing our quality filters to avoid this type of situation in future.”

It’s not known who approved the message or its deceptive subject line. HP has declined to comment on the matter. This story illustrates how important it is to use care in sending newsletters and other bulk mailings to the customers on your mailing list. A deceptive subject line, even if it wasn’t intended to be, can cause a real public relations headache for your company, and thanks to social networking services like Facebook, your unhappy customers can make themselves heard in a hurry! Avoid wordplay and other attempts to be cute and keep your subject lines and messages simple and straightforward. The old saying, “Keep it simple, stupid!” really is the best policy.

Spammers have begun sending out fake LinkedIn notices that have spam attached to them. At first glance they look like the notices you get when someone wants to add you to their network but they have a linked image attached which is usually an ad for Viagra Cialis and other related types of drugs. The link leads to a site called PathTasty. PathTasty appears to be one of the hundreds of fake internet pharmacies that fall under the “Canadian Pharmacy” umbrella. This isn’t a phishing scam – if you place an order you will get it but it will be a counterfeit version of the drugs you paid for. These fake drugs are made in China and India with unknown ingredients and are completely untested and unregulated. There have been no reports of anyone getting sick or dying from taking the fake drugs but the FDA was concerned enough to issue an alert warning consumers to stay away from these sites.

Canadian Pharmacy has been around for quite sometime now. Its spam is pumped out by the massive Rustock and Mega-D botnets and is run by GlavMed, which bills itself as an “affiliate program” but most security experts consider it a criminal organization. It’s located in Russia however which makes it difficult to track down.

Ironically there is a very legit company called Canada Pharmacy and they are said to be quite irate over the association with Canadian Pharmacy. Canada Pharmacy is a real pharmacy doing business on the net and unlike Canadian Pharmacy, they won’t dispense drugs to anyone without a valid prescription for them.

Google and Verizon set off a blizzard of chatter on the Internet this week when they aired their “open Internet framework.” The framework bars a provider of broadband Internet access “from engaging in undue discrimination against any lawful Internet content, application, or service in a manner that causes meaningful harm to competition or to users.”

Under the proposal, any “[p]rioritization of Internet traffic would be presumed inconsistent with the non-discrimination standard.” “Prioritization” is a euphemism for a service provider acting as a traffic cop for content aimed at the users of their systems.

When pulling the wraps off their proposal, the companies have put a pro-consumer, open-Internet spin on their proposal.

          “Google and Verizon have been working together to find ways to preserve the open Internet and the vibrant and innovative markets it supports, to protect consumers, and to promote continued investment in broadband access,” they said in the preamble to the framework.

But consumer groups aren’t buying the pitch. Their criticisms of the framework are similar to those expressed by the Free Press’s Joel Kelsey.

          “Google and Verizon can try all they want to disguise this deal as a reasonable path forward, but the simple fact is this framework, if embraced by Congress and the Federal Communications Commission, would transform the free and open Internet into a closed platform like cable television,” he said in a statement.

Continue reading Is Verizon-Google plan boon to spammers?»

BusinessWeek has a great article about the FTC and how they’ve evolved to become a fixture in the war against spam and online fraud. They have a server that holds over 314 million spam messages and receives over 200,000 more a day. Investigators analyze the messages in their efforts to track down spammers and prosecute them under the CAN-SPAM law. Successful investigations lead to spammers being fined and sometimes jailed. They’ve also begun moving into the areas of social networking and identity theft.

I wonder though, of all the spam messages they collect what percentage originates from somewhere other than the U.S. Most hardcore spamming operations are safely overseas on bullet proof hosts in countries that don’t investigate or prosecute cybercrime either due to lack of understanding, lack of resources, or law enforcement corruption. Since these spammers can be convicted and fined without having to actually appear in court, yet can’t be made to pay up unless they enter the U.S., it seems such investigations could all be done in vain. Suing spammers doesn’t work well either – they just declare bankruptcy and move on to a new scam. There have been a few cases lately about spammers who’ve gotten themselves pretty hefty jail sentences but again, it doesn’t really work when the spammer is overseas somewhere.

So yes, the FTC is doing a great thing by investigating spammers and holding them accountable under the CAN-SPAM Act, but fighting spam will only be truly effective when all countries do so together and have similar anti-spam laws.

Spammers appear to have taken their summer vacation in July, if the junk mail that evaded my gauntlet of garbage filters is any indication of their activities during the period. They stuck to shopworn and even hoary pitches with little in the way of inventiveness.

One vein that was worked extensively prior to July faked support messages from my Internet Service Provider. It seems my ISP wised up to these attacks and only a pair managed to make it to my inbox in July. One was a typical inept attempt to obtain my user ID and password. If the fact that the sender of the message spelled user incorrectly wasn’t enough of a tip off, the “reply to” address to an AOL account sealed the deal. The other lame pitch had a security angle. “This message is from Your Service provider kindly send your Login information because we noticed your account is being accessed from three different location,” it said. I don’t know about your service provider, but mine doesn’t refer to itself as “Your Service Provider.” It also knows a thing or two about punctuating sentences and when to use plural nouns.

One of the oddest messages landing in my inbox had a subject line in an alphabet I didn’t recognize, but had an English message beckoning me to go to kasate.com for a sealed lead acid automatic battery charger.

Continue reading Spammers lack imagination in July»

A security firm has put together a top 10 most wanted list of botnets. These botnets are responsible for pumping out the majority of the global spam volume which is now at a whopping 230 billon messages a day. Most of them have originated in Eastern Europe which makes the criminals behind them very hard to track down. Lets take a look at the list:

1. Rustock- Responsible for 43% of the global spam volume this is the biggest active botnet on the web. It pumps out millions of pharmaceutical spam messages for the infamous Canadian Pharmacy and others.
2. Mega-D- Coming in second with 10.2% of total spam volume, this is one of the longest running botnets around. It too sends out mainly pharmaceutical spam and gets its name from one of the fake drugs it hawks.
3. Festi- This newcomer is responsible for 8% of the total world spam volume and seems to work in tandem with the Pushdo bot net.
4. Pushdo- This is  a very complex botnet that carries out multiple campaigns and distributes malware as well as spam. Currently responsible for 6.3% of the total spam volume.
5. Grum- This is another pharmaceutical spam spewing botnet, currently responsible for 6.3% of total spam volume.
6. Lethic-Responsible for 4.5% of total spam volume and also acts as a spam proxy.
7. Bobax- Responsible for 4.3% of total spam volume. Pumps out pharmaceutical spam.
8. Bagle- Primarily acting as a proxy, Bagle is responsible for 3.5% of the total spam volume.
9. Maazben- With 2% of the total spam volume, Maazben sends only casino related spam.
10. Donbot-Another pharmaceutical spam spewing botnet responsible for 1.3% of total spam volume.

It’s really not surprising but it’s disgusting anyway. A new phishing attack is aimed squarely at the victims of the disaster in the Gulf. Emails claiming to be from BP CEO Tony Hayward are circulating on the net. The emails offer a $500,000 “grant” from the company in exchange for some personal info such as their bank account number and social security number, so the email claims, they can deposit your grant funding right away.

Authorities say the emails actually originate in Nigeria. The Florida Attorney General’s office is so concerned they issued a statewide alert about the scam. It’s not the first time scammers have exploited a tragedy and it won’t be the last. After pop legend Michael Jackson’s sudden and tragic death last year, spam campaigns exploiting the event exploded across the net, offering links to “exclusive” videos and autopsy photos. Similar spam campaigns have exploited the financial crisis, the death of actress Brittany Murphy, Swine Flu, the World Cup and other big news events. Holidays are also exploited and we can expect to see Halloween and Christmas themed spam start rising in a few months. Those types of spam campaigns often hawk fake pharmaceuticals and designer goods.

Authorities say while the person or group responsible for the fake BP emails hasn’t been tracked down yet, the United States Postal Inspection Service is investigating. The scammers may have to rethink their scam though as Tony Hayward is no longer CEO of BP.

I’ve been dealing with spam for a long time now, and even though we see changes every year in the major threats and new techniques that spammers come up with, one of the things that never seems to change are the myths about spam that people still cling to.

Here are a few of my favourites.

Spam Isn’t a Problem Anymore

Every now and then a journalist will write a column declaring that spam is no longer a problem for the internet.  Their argument is usually based on their own individual experience, and usually includes a description of a complex series of forwarding addresses through multiple services and add-ons before a message actually arrives in their inbox.

Then they add a caveat like “And for the handful that do slip through…”

Unfortunately for businesses a complex solution that can’t scale is no option at all, especially one that still lets the spam through despite all that effort.

I Don’t Give Out My Email Address

This myth usually lasts as long as it takes for the first spam email to arrive at that email address, which is quickly followed by shock and outrage (and wild accusations that their ISP “sold” the address to a spammer). Continue reading 5 Top Spam Myths that Still Haven’t Changed»

Fan noise, at least in the United States, can’t be too loud. For years, the faithful of the Minnesota Twins baseball club brought opposing teams to their knees with the ear splitting decibel levels they could reach in the now-defunct Metrodome. In fact, fans and the cacophony they create give clubs such an edge at home, they’re considered an additional player–the so-called 10th man in baseball or the 12th man in American football. So it’s puzzling to read about there being too much noise at World Cup soccer games.

When critics grouse about the noise levels at World Cup games, their favorite target is the vuvuzela. It’s a long horn that reminds one of those trumpets seen in movies about medieval times and is responsible for this eternal din that can be heard in the background of every World Cup match. The noisemaker has become so prominent of late that Amir Lev, spinner of the Security Levity column at Computerworld, decided to add his voice to the crescendo condemning the horn by comparing it to spam. So, in the tongue-in-cheek spirit in which that column was written, we submit for our readers’ consideration 10 reasons why vuvuzelas are not like spam.

10. Noise from vuvuzelas is continuous, but avoidable

It’s undeniable that the noise level from the vuvuzela is constant, just as constant as the stream of spam sprayed daily at our email boxes, but unlike the cynical senders of spam, vuvuzela players are celebrating a joyous event. Has anyone ever described the arrival of spam in an inbox as an event worth celebrating? In addition, avoiding vuvuzela noise is easy. Become a fan of nice quiet sports like golf and tennis.

Continue reading 10 ways vuvuzelas aren’t like spam»

VOIP provider Vonage has won a startling court victory when a California judge threw out a lawsuit alleging CAN-SPAM violations saying that deliberately designing emails to bypass spam filters is not illegal.

The suit was filed by the LA County DA’s office after many people complained about getting spam messages from the company with from lines that indicated that they had come from domains that had nothing to do with Vonage. The marketing agent working for the company sent the emails from a list of mostly nonsensical domains registered to them:

• superhugeterm.com
• formycompanysite.com
• ursunrchcntr.com
• urgrtquirkz.com
• countryfolkgospel.com
• lowdirectsme.com
• yearnfrmore.com
• openwrldkidz.com
• ourgossipfrom.com
• specialvrguide.com
• struggletailssite.com

Surprisingly, Justice Ming Chin ruled that the accusations of the spam mails being deliberately misleading were not true:

          “We find,” found Justice Ming Chin, “that a single e-mail with an accurate and traceable domain name neither contains nor is accompanied by ‘misrepresented … header information’ … merely because its domain name … is ‘random,’ ‘varied,’ ‘garbled’ and ‘nonsensical’ when viewed in conjunction with domain names used in other e-mails. An e-mail with an accurate and traceable domain name makes no affirmative representation or statement of fact that is false.”

Obviously Vonage was doing everything they could to prevent their spam from being caught in spam filters, including sending it from ridiculous, nonsensical domains in order to hide, and sadly, it’s all perfectly legal.

How do you feel about the judge’s ruling? Do you agree, or do you think this loophole in the law needs to be closed?