Tuesday, May 31, 2005

Creative Spam

Most spam you get is rather boring, I assume, making it look like spammers are evil and verbose, but not creative. Yet sometimes, you might also receive an email telling you about a dead link on your site, or a reply to your post in a newsgroup. Of course these bulk emails are fully automated as well, but in a more clever way – they’re personalized to you and thus make you more inclined to read them or click on their links. I wonder why spammers aren’t creative like this more often. I could imagine several ways to automate this. And keep in mind – to paraphrase the quote about serial killers and horror movies by Wes Craven, or who it was – I’m not creating the spammers, I’m only making them more creative.

1. Pointing out spelling errors

This email could simply run sites through a spell-checker and send off an email to the webmaster if it discovers spelling errors. The email could go like this:

“Hey... just saw you misspelled the word ’separate’ as ’seperate’ on your URL http://example.com ... I’m always using my Spamalot Guide to Better English* to train me in avoiding those.”

*By the way, I’m using Spellcheck.net for all my spellchecking needs (unfortunately, that site doesn’t understand many tech words – like “blog”, for example – and marks them as errors).

2. Redesigning the site

There is software which can make a screenshot of any web page. And of course, this screenshot can then be sent through some image retouching filters – like inverting the colors, or painting everything cyan. The final arranged screenshot could then be inserted into a spam mail like the following:

“I love your site’s design, so I took the freedom to redesign it a bit... I can give you this mock-up screen for free, if you want a full design I’m available as well. You can call me at ...”

3. Suggesting similar domains

If the spammer would like to sell domain names to the unassuming webmaster masses, he might just crawl through different domains and send variations to their catch-all email addresses. For example, upon encountering outer-court.com, the spammer may send out an email advertising the domain “outercourt.com” or “outer-court.net”. The spammer could write:

“I reserved this domain just for fun a while ago, but now I saw you have a similar domain name... oh well, if you want it, I can give it to you pretty cheap for just the price I bought it ($500), so if you’re interested give me feedback...”

Of course, it would be too costly to actually do reserve those variations of the main domain name. Instead, the spammer would simply only register the domains upon arrival of a reply to his spam (in other words, he lied; don’t all spammers?).

4. Fake Quote

Here’s the evil scheme: many blogs quote from other sources (like other blogs). They do so by using quote characters, or HTML quote elements. A spam approach could simply abuse this. It would grab quoted text from millions of blogs. For each of this quote it would create an entry in a database and a resulting web page which spits out the quote in a blog like environment when requested by its ID – making it look like the quote originates from this blog post (which is actually fake). The spammer could now easily collect backlinks by sending off the following email:

“I saw you quoted someone at http://... , but actually, that quote originates in my blog... he was a copy-cat... it would be great if you could update your blog post with a link to my original article...”

(The original article, of course, would be spiced up with some AdSense cash-flow.)

5. HTML Validation

Some webmasters won’t care about W3C compliancy and HTML validation. Some do care. This automated spam program would simply validate different domains according to their doctype, and if the homepage of a domain validates, but a sub-page on it does not, the spammer might have found those who are interested in their HTML mistakes. The email could be like this:

“I always learned from your HTML source in the past, and I think it’s great your front-page validates... just by accident, I realized this sub page on your server doesn’t validate: http:// ... I found this out by downloading this nice little shareware which checks a whole domain for HTML validation errors, it’s pretty cool, take a look: ...”

Creative Spam by Philipp Lenssen | Comments (2)

>> More posts

Advertisement