July 25, 2017

Assorted targeted spam

You can run, but you can’t hide. Here are a few of the latest things I’ve seen, in no particular order.

  • On a PHPBB-style chat board which I sometimes frequent, there was a thread about do-it-yourself television repair, dormant for over a year. Recently, there was a seemingly robotic post, from a brand new user, that was still on-topic, giving general diagnosis advice and offering to sell parts for TV repair. The spam was actually somewhat germane to the main thread of the discussion. Is it still spam?
  • In my email, I recently got a press release for a local fried chicken franchise celebrating their 40th anniversary. My blogging output generally doesn’t extend to writing restaurant reviews (tempting as that might be), although I do sometimes link to foodie things from Google Reader which will also show up in my public FriendFeed. Spam or not spam?

Targeted political spam

I’ve complained about spammers before, but this one is new. I recently received a spam that supports the case of Michael Skelly for Congress, saying negative things about incumbent John Culberson. What’s interesting: this is my home precinct. These people are actually competing for my vote. This leads to the question: how on earth did the Skelly people manage to map my work email address to my home mailing address? Is there a database out there that they used? Maybe they just spammed everybody at my employer, since this particular Congressional district includes our campus; all of our students, in our dorms, who are registered locally will be voting in this particular race.

Part of me wants to bias my voting decision against the idiot candidate who thought that email marketing was a good way to efficiently reach voters. Sadly, that decision will have to be based on more substantial issues, like which candidate I think will perform better in Congress. Instead, I’m going to direct my fire at VerticalResponse, the service provider who the Skelly campaign used to send me the spam. According to their anti-spam policy,

VerticalResponse has no tolerance for the sending of spam and unsolicited mail, and we prohibit the use of third-party, purchased, rented, or harvested mailing lists. Any customer found using VerticalResponse to send such mail is banned from the use of our service.

VerticalResponse takes several steps to keep abuse to a minimum. Among other things, we:

– Interview new clients about both the origins of their mailing lists and their marketing practices. Clients who do not meet our standards are not allowed to use the VerticalResponse service.

– Read most emails before they can go out the door. Email sent through our system goes to a staging area where it is looked over by a member of the VerticalResponse staff. If we have any concerns, the mailing is stopped and we contact the client.

Really? I find that impossible to believe. In what way could any reasonable human have decided that a blob of partisan political attack messaging being delivered to what we can only presume is a non-trivial mailing list is, in any way, anything other than gratuitous spam? For the record, I have never supported either the Democratic or Republican parties financially. I am not a member of either party. The only possible way my email address could have been used is that it was either harvested in bulk, along with other Rice email addresses, or perhaps more charitably, if somebody thought “ahh, that Prof. Wallach seems like he’d be interested political propaganda from our party and/or candidate.” Neither one would appear to be compatible with VerticalResponse’s stated anti-spam policies.

I’ll also note that, while VerticalResponse provides a one-click way for me to opt out of this particular spam source, they provide no way for me to opt out of any other future source or otherwise specify any sort of policy from my end. There’s no way, short of training my spam filter, for me to say “I never want to receive email from VerticalResponse, ever again.” Surely, I figured, I can’t be the first person to complain about them, yet a Google search on any of the usual terms didn’t find anybody else complaining like this.

Instead, I started digging through my historical email. It appears that there have been a handful of VerticalResponse “campaigns” that I considered to be non-spam and have kept. One series of non-spam messages were from a house builder who I thought I might want to use at one point. Another was an update notice for a web service that I use. Historically, I’ve reported one other spam to them, via their abuse email address. They stated, in response, that they removed me from that particular mailing list and would investigate the infraction. I received no subsequent email about the resolution of that case.

Of course, that’s far from everything. Generally, when I get these things, I generally just click the “unsubscribe” link, retrain my spam filter, and move on with life. I haven’t kept count of how many such spams I’ve treated this way.

I did a similar search through my old mail for ConstantContact, one of VerticalResponse’s competitors. I found not a single email, from them to me, that I had kept, although several were forwarded to mailing lists that I archive, so those I kept. I have no records of having ever contacted their abuse department.

Does this mean that one vendor is more spammy than the other, does it mean that one vendor just has more market share than the other, or does it mean that my spam filter is removing more of this stuff before I have to look at it? It’s hard to say without more data.

Okay, big policy question: given that political campaigns and everybody else on the marketing side of the equation deeply loves the idea of targeted email marketing campaigns, how should we accommodate them? Should they be required to provide better proof to to firms like VerticalResponse or ConstantContact that their email addresses were harvested in some proper fashion? How on earth could they actually do such a thing? Short of having users opt-in directly at the email distribution service, everything else boils down to the email service taking the marketer at their word, which seems about as likely to be true as those “no documentation required” mortgages.

Maybe the answer is for “ethical” email distributors to pay fees, per message, perhaps as a government tax. Call it “spam postage”, and tweak the fee structure so the sender ends up paying more money when the recipient hit the “unsubscribe” or “abuse” button. First off, by adding a real monetary expense to the process, senders might be incentivized to reduce their mailing lists. The penalties incentivize them to cull their lists down to their true supporters. The only problem with a structure like this is that it tends to push email marketers away from “ethical” email distribution services and toward either do-it-yourself solutions or toward shady vendors who don’t charge the postage fees. (And, we all know that the real-money postage costs of physical mail do seemingly little to deter all the paper spam that we receive.)

For better or for worse, we’ll never get rid of email spam. Maybe we can filter out recurring messages from Nigerian dictators or overseas pharmacies, but no training-based spam filter is going to be able to learn every new thing to come down the block when it’s still new. The only thing that will ever truly work is if and when people just stop paying attention.

[Sidebar: so how should a political campaign effectively reach people like me to convey their message? I tend to go out and surf their web sites, read their policy papers, and I pay attention to the endorsements of newspapers, bloggers, and others who I trust. For the “down-ballot” races, I tend to spend some quality time with the non-partisan League of Women Voters guide. The LWV asks candidates to respond to a variety of relevant questions, but space constraints limit the answers. An online version could presumably give the candidates space to really explain their positions (and/or firmly demonstrate their lack of clue). At the end of all that, I make a cheat sheet with my favorite candidates and bring it with me to the polls.]

A curious phone scam

My phone at work rings.  The caller ID has a weird number (“50622961841” – yes, it’s got an extra digit in it).  I answer.  It’s a recording telling me I can get lower rates on my card (what card?) if I just hit one to connect me to a representative.  Umm, okay.  “1”.  Recorded voiced: “Just a moment.”  Human voice: “Hello, card center.”

At this point, I was mostly thinking that this was unsolicited spam, not a phishing attack.  Either way, I knew I had a limited time to ask questions before they’d hang up. “Who is this?  What company is this?”  They hung up.  Damn! I should have played along a little further.  I imagine they would have asked for my credit card number.  I could have then made something up to see how far the interaction would go.  Oh well.

Clearly, this was a variant on a credit card phishing attack, except instead of an email from a Nigerian dictator, it was a phone call.  I’m sure the caller ID is total garbage, although that, along with the demon-dialer, says that the scammer has some non-trivial infrastructure in place to make it happen.

So, the next time one of you receives an unsolicited call offering to get you lower rates on your card, please do play along and feed them random numbers when they ask for data.  At the very least, there’s some entertainment value.  If you’re lucky, you might be able to learn something that would be useful to mount a criminal investigation.  Maybe half-way through you could suddenly have an important meeting to get to and see if you can get them to give you a callback phone number.

Update: reader “anon” points to an article from The Register that discusses this in more detail.