"Personal Attack" Spam: Anybody Else Noticing It?

Last several weeks (months?), I've started to see a new kind of spam
where the subject line warns of personal attacks against the recipient
and, by implication, seems to offer the prospect of more detail.

Anybody else notice this?   Is there a back story above and beyond
separating users from money?
--  
Pete Cresswell

Re: "Personal Attack" Spam: Anybody Else Noticing It?

PeteCresswell wrote:

You're getting e-mails from someone you don't know whining "woe is me"?
Or do these e-mails claim you are attacking this unknown recipient?

Is that all or are there hyperlinks in the e-mail?  Are there externally
linked images (which hopefully you configured your e-mail client to
block)?

You sure they weren't whining to the wrong person (i.e., sent their
whine to the wrong person)?  It's quite possible the e-mail user hasn't
a clue on how to decipher the headers to know from where an e-mail
originated.  Someone forges your name in the comment field of the From
header and perhaps even uses your e-mail address there.  You can claim
to be whomever you want in the comment and e-mail address fields in the
From header created by your e-mail client.  You may have never sent them
that e-mail but they just lazily click on the Reply button.  Spammers,
phishers, malcontents, and other evil doers never do use their own
e-mail address but they might use yours.  That clients never do know the
source of an e-mail (only the receiving mail server knows that) is why
anyone that uses a client that automatically bounces back a message,
like a fake NDR (non-delivery report), is themself generating spam (aka
backscatter) and are eligible for reporting to Spamhaus, Spamcop, other
DNSBLs, and to their own e-mail provider.

It could be a spammer trying to cull a list of active e-mail addresses.
Someone says you attacked them.  You reply that you never heard of them,
don't care about them, and never sent them any e-mails.  Now the spammer
knows your e-mail address is active and monitored, something very
delicious to them.

I'd just wait a couple days to see if the whine e-mails stop.  If not,
filter them out.  Preferably use a server-side filter so you don't even
have to use the bandwidth to download and the CPU cycles for your e-mail
client to permanently delete them.  If they had a legitimate gripe, they
would contact their own e-mail provider who would contact yours to
resolve the issue of any attacks against their customer.  

It's not your job to filter their Inbox.  Don't get stuck divulging your
e-mail address as active and monitored to a spammer.  You may want to
help who you perceive an innocent but it can backfire.

To be frank, your post seems more on-topic in alt.spam than here.  Not
sure how this has anything to do with a virus (on your end).

Re: "Personal Attack" Spam: Anybody Else Noticing It?

Per VanguardLH:
That rings true to me.

It's been weeks and weeks.   They're no problem to me - since nobody
except a few people know my "Real" address and they're all coming to
bogus addresses that I've supplied where needed to online merchants and
such..   More a matter of idle curiosity than anything else.

Thanks.  Never heard of that group.   I'm about to add it to my list of
groups and I'll take it there - if it isn't already under discussion.
--  
Pete Cresswell

Re: "Personal Attack" Spam: Anybody Else Noticing It?

Per (PeteCresswell):
Oops..... Just skimmed about 1,600 posts there and it looks to me like a
heaving mass of actual spam and wacko extremist political rants.

Oh well...
--  
Pete Cresswell

Re: "Personal Attack" Spam: Anybody Else Noticing It?

wrote:

That's a trick as old as the net.  It still works, I guess.

This group is dang near empty for me.  If more people use their
killfiltering there would be less trolls and O.T. posters.   It isn't
just the trolls that need filtering, anyone who answers them gets the
same.  I don't care if that someone is a regular "contributor" or not.
Killfile *anyone* who answers obvious trolls.

(Yeah, I know.  No one is going to follow this "age old" advice.)


Re: "Personal Attack" Spam: Anybody Else Noticing It?

PeteCresswell wrote:

You mean their To or Cc header doesn't include your e-mail address to
which their message got delivered?  The client adds the To, Cc, From,
Date, and other headers.  It is data of the message (sent during the
DATA command to the SMTP server).  So the sender can specify whatever
they want in those headers which obviously do not necessarily have
legitimate values.  Even you in your e-mail client can specify what
comment and e-mail address values you want to put in the From header.
Mailing lists work by sending a template message to the mail server.  A
separate list of recipients is also sent to the server.  For each
recipient in the list, a copy of the message gets sent to them.  So
whatever is in the client's To and Cc headers won't match on the
recipient's e-mail address in the separate list.

The To, Cc, and other headers are data included in the message by the
client.  It is the RCPT TO command the client sends to the mail server
that defines who is the recipient of a message.  A normal e-mail client
compiles an aggregate list of recipients from the To, Cc, and Bcc
*fields* in the client's message and sends a RCPT TO command to the SMTP
server for each recipient in that aggregate list.  Then it sends the
message, including the headers added by the client, using the DATA
command.  For n recipients in the To, Cc, and Bcc fields, the client
sends n RCPT TO commands to the server, and then it sends 1 DATA command
for the message (headers and body).  A bulk mailing client doesn't care
what is in the To, Cc, and Bcc fields of a message.  It will send out a
RCPT TO command for each recipient in its mailing list followed by 1
DATA command for the message (usually held in a template file).  So you
can see that the destination of an e-mail depends on the RCPT TO
command(s) and not on headers added by the client that are merely
sender-defined data in the message.

While not in every account, I have some with a server-side rule that
junks any e-mails that do not specify my e-mail address in the To or Cc
headers.  If someone BCC's me then this rule fires but the only time
that happens is for newsletters, auto-replies, or oddball one-time
messages, so I add them to a whitelist or a whitelisting rule (if I
expect to get more messages from that source).  For those accounts, if
it wasn't sent to me (i.e., the e-mail address for the account to which
the e-mail was delivered) then I either don't want it (discarded which
means it doesn't show in any folder, not even Trash) or it gets junked
(move into the Junk/Spam folder).

If they are sending to "bogus addresses" then why are you still getting
their e-mails?

For sites that require you to divulge a working e-mail address, like to
register for a forum where they send you a confirmation e-mail that has
a hyperlink you must click, don't give them your true e-mail address or
even a semi-permanent alias or a temporary disposable account (that you
monitor or have forward to your real account).  For unknown or untrusted
senders, give them an alias that you can kill at any time or
self-expires (by time or number of emails through that alias).

I don't care how well known is a site or sender.  If I haven't dealt
with them for over 6 months (often the time for you to show up in spam
mailing lists from them or their "affiliates") then they aren't trusted
yet.  I give them an alias that uses the default account-configured
maximum number of uses or the use-count that I specify in the alias.
You might want to look at Spamgourmet to provide aliases to untrusted
senders.

Note: Spamgourmet uses the # character in the username (left token) of
an e-mail address which the parsers at some e-mail providers will reject
(e.g., Hotmail, Gmail, etc).  See my forum post about this problem at:

http://bbs.spamgourmet.com/viewtopic.php?f=7&t=1415&sid=2cf68d394e6375c6295109dc02457f46

Spamgourmet lets you dole out aliases on-the-fly.  No having to login to
your account to create them.  If someone asks you for an e-mail address
in person, you don't even need a computer to give them an alias.  Just
make up an alias right then and there in your head to give them.  I used
to use Sneakemail (requires you to login to create aliases) until they
stopped providing a free service tier.  If you're willing to pay,
Sneakemail ($2/mo) and SpamEx ($10/yr) are probably the best aliasing
services.  Spamgourmet is free albeit with the # parsing problem so I
use them.

Do NOT look at forwarding services that sometimes pretend to be aliasing
services.  Forwarding just means the sender sends to your forwarding
account which then forwards to your true e-mail address.  If you reply
to a forwarded e-mail, it goes directly back to the sender.  You end up
divulging your true e-mail address (as configured in your e-mail
client).  A true aliasing service has replies go back through their
service.  They strip out some or all headers so the e-mailed reply looks
like it originated from the domain of the aliasing service.  They may
even scan the body of your e-mail to strip out your true e-mail address,
like in a signature your client adds to your outbound e-mails.  Messages
go in through the aliasing service and replies go back out through the
aliasing services.  Forwarding services are just one way: coming in and
then forwarded.  Replies don't go back through the forwarding service
but directly to the sender.
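
The envelope-versus-header distinction and the server-side To/Cc rule described in VanguardLH's post above, as an added Python example that is not part of the thread. All addresses and the message are constructed, and keying the whitelist on the From header address is an assumption.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample. The envelope recipient list and the header block are
# separate inputs: nothing forces the To header to name a real recipient.
ENVELOPE_RCPTS = ["shop-alias@example.net", "other-user@example.org"]
TEMPLATE = (
    'From: "Forged Name" <forged@example.com>\n'
    "To: undisclosed-list@example.invalid\n"
    "Subject: Someone is saying things about you\n"
    "\n"
    "See the details.\n"
)

def smtp_dialogue(mail_from, rcpts, message):
    """Client-side commands: one RCPT TO per recipient, then a single DATA."""
    body = ["." + l if l.startswith(".") else l for l in message.splitlines()]
    return ([f"MAIL FROM:<{mail_from}>"]
            + [f"RCPT TO:<{r}>" for r in rcpts]
            + ["DATA", *body, "."])

def classify(delivered_to, raw_message, whitelist=()):
    """Junk mail whose To/Cc headers do not name the delivery address.

    The whitelist is keyed on the From header address (an assumption; From is
    sender-defined too, so this only suits senders you already expect).
    """
    msg = message_from_string(raw_message)
    named = {addr.lower() for _, addr in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if delivered_to.lower() in named:
        return "inbox"
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in {w.lower() for w in whitelist}:
        return "inbox"
    return "junk"

if __name__ == "__main__":
    print("\n".join(smtp_dialogue("bulk@example.invalid", ENVELOPE_RCPTS, TEMPLATE)))
    for rcpt in ENVELOPE_RCPTS:
        print(rcpt, "->", classify(rcpt, TEMPLATE))
```

Both envelope recipients receive the same header block, so neither finds its own address in To or Cc and the rule junks the message for each of them.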

Re: "Personal Attack" Spam: Anybody Else Noticing It?

Per VanguardLH:
That's what I was trying to describe.   I think my use of the word
"Bogus" muddied the waters.    The addresses are not truly bogus....
they get to me... it's just that I know that nobody has any legitimate
business sending mail to one of those addresses.
--  
Pete Cresswell

Re: "Personal Attack" Spam: Anybody Else Noticing It?

PeteCresswell wrote:

Are you a Spamcop reporter so you can submit exhibits of that spam?
It's free.

"Personal Attack" Spam: Anybody Else Noticing It?

+ User FidoNet address: 1:3634/12.71
On Thu, 12 Jun 2014, PeteCresswell wrote to All:

 P> It's been weeks and weeks.   They're no problem to me - since  
 P> nobody except a few people know my "Real" address and they're all  
 P> coming to bogus addresses that I've supplied where needed to online  
 P> merchants and such..   More a matter of idle curiosity than  
 P> anything else.  

FWIW: that might be a sign that their systems have been hacked and customer
information harvested...

)\/(ark

One of the great tragedies of life is the murder of a beautiful theory by a
gang of brutal facts. --Benjamin Franklin
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ The FidoNet News Gate (Huntsville, AL - USA)        +
+ The views of this user are strictly his or her own. +
+ All data is scanned for malware by Avast! Antivirus +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

Re: "Personal Attack" Spam: Anybody Else Noticing It?

wrote:

//    Attn !!!! We have a video of you cheating on your wife
    See the proof:

    hxxp://an_URL_/cheat.mp4.scr

    (or a zip, or another fake extension)
//
    That kind ? Pretty common. Someone must fall for it, or they
would not bother.
    Download with wget or whatever,  and send them off to:

    http://www.uploadmalware.com/

    It will be in your AV defs in a few days.
    []'s

    
--  
Don't be evil - Google 2004
We have a new policy  - Google 2012

Re: "Personal Attack" Spam: Anybody Else Noticing It?


Shadow your link doesn't work.  

How can you be sure that's not a site set up by haxors to collect
new viruses? Think about it!

--  
Jax        

Re: "Personal Attack" Spam: Anybody Else Noticing It?

It happens that Jax formulated :
It worked fine here.



Re: "Personal Attack" Spam: Anybody Else Noticing It?

FromTheRafters wrote:
Works for me too! :-)

Quote:
*****

We currently submit files to the following AntiMalware Vendors:

A-Squared, Ad-Aware, Ahnlab, AntiVir, ArcaBit, Arbor Networks,  
Authentium, Avast, Bit9, BitDefender, BoClean, Central Command, ClamAV,  
ClamWin, Comodo, Computer Associates, Counterspy, DialogueScience,  
DrWeb, eAcceleration, eSafe, Eset (NOD32), Ewido, Fortinet, Frisk /  
F-Prot, F-Secure, Grisoft (AVG), Ikarus, Kaspersky, McAfee, Protector  
Plus, Windows Defender, Norman, Panda Software, Proantivirus Lab,  
Sophos, Spybot S&D, SpySweeper, SuperAntiSpyware, THAV Antivirus, The  
Cleaner, Trend Micro, Trojan Remover, TrojanHunter, ViRobot,  
VirusBlokAda, QuickHeal, UNA, Virusbuster

==

I note that Malwarebytes is not included, yet SuperAntiSpyware is.

Does anyone else find this a little odd?