I've been meaning to blog something about this for a while, Mikes rant just reminded me. I had to shut down most of my domain catch-alls recently because of a massive increase in spam, it wasn't actually direct spam but bounces and autoresponders due to people spoofing with my domains. I had a massive list of forwards to set up though, for all the companyx@domain addresses I've used. There is of course an easier way, plus addressing, except I keep coming across websites with incorrect email validation. I make a point of contacting every one I come across (please do the same!). I also discovered my current host 1and1 doesn't support it, even though every major mailserver does (I've got a whole other post about the problems with 1and1 in my drafts). Then there is another teeny little issue, if people start using plus addressing a lot, the spammers can simply strip the + off. You'd have to make a point of always giving out plussed addresses and blocking anything that doesn't have one.

Labels: email, plusaddressing, spam

I saw a bit of Ed Gibsons impromptu talk at DDD on security, he's a bit of a caricature of the hard case FBI guy, quite funny though (some people were a bit upset about him hijacking others sessions). One of the points he made was that the criminals out there today aren't interested in your personal details, they don't want to login in to your bank, they want your bandwidth. If they can get a trojan horse on your machine then they can use you as a spam relay. You might think "hangon a minute, I get loads of phishing emails after my personal details", but where do those phishing emails come from? Compromised PCs. Hijacking your bandwidth is just the first step though, they then need to turn that in to money. The people who control the trojan horses simply hire them out to anyone who wants to spam, so then how do the spammers make money? Well a lot of it is just marketing some products, something they can sell easily and make plenty of profit on, like cheap drugs. There are quite a few new tactics on the rise though, like stock spamming. The spammers choose a target company with cheap stock, buy a load up, then spam millions of people telling them about this hot stock tip, for some reason people buy it (maybe they think if they're quick they can make money a long with the spammer), the spammer sells high and the stock quickly crashes. The genius of this technique is that there is no direct link between the spamming, and the money making, there is no need to launder the money or try and move it between countries, you can sit in your aparment in Liverpool and buy up stock online, then hire a spambot network from some Russians. There is another tactic that people are using to extract money from stolen credit cards, this is even more incredible! The person simply creates an account with a stolen card on a betting site, and creates another account with their own card. Then they bet on a sports event on one account, and bets against that event on the other account. If they win on their own card, they withdraw the money, if they win on the stolen card they bet again until it's in their favour. This is called bet matching, and it allows the criminal to withdraw massive amounts of cash from a card, over the internet with absolutlely no traceability! It never ceases to amaze me how money can inspire people to come up with such things, this is the ongoing arms race and it looks like us law abiding folk are loosing! One last thing, lots of betting sites offer some free cash when you setup a new account, which you can't withdraw. It's possible to get that money out though using bet matching, I've heard of quite a few people doing it. Doesn't seem worth the effort to me but if anyones had any success with it let me know!

Labels: crime, phishing, security, spam