eclectical engineering
Mon, 04 Dec 2006
Stock spam: I don't know much about art, but I know spam when I see it.
Look here, at the fanciful geometric shapes, the little sparkles, the garish play of colors, the warped lines of text: it all points to a new interest among spammers in groundbreaking graphic design. Somewhere between the color-fields of a Mark Rothko and the drippings of a Jackson Pollock, this example from a recent stock spam freely mines one of the most important developments in the visual arts of the last 50 years: abstract painting.
Mind you, these stock spammers are no more interested in your cultural enrichment than they are in your financial enrichment; at a guess, I'd have to say that the aim here is to evade yet another spam countermeasure that has recently been deployed by at least one anti-spam vendor: optical character recognition.
In a July, 2006 press release, Barracuda Networks, the makers of a hardware-based back-office spam filtering appliance, announced that they were deploying optical character recognition to find and evaluate text buried within images embedded in e-mails. The number-one targets of this new filter are undoubtedly the stock spammers, who now liberally use embedded image files in their messages in order to elude what would otherwise be almost-certain detection by text-based content filters.
We note that the text is somewhat lighter than black, while the background is considerably darker than white, which would tend to have the effect of reducing the “signal-to-noise ratio” of the image, making OCR less certain to work. The crude font and crazy alignment are probably also done for the same reason.
posted 17:45 Mon, 04 Dec 2006
Thu, 17 Aug 2006
I realize that applying logical rigor to debunk claims made by spammers is a bit like trying to shift a pile of pig manure with a silver spoon; it demeans the instrument, and you'll never finish the job anyway. However, I'll press on... What caught my attention was this statement made on behalf of a product known as FastLength PRO: "The average penis size is only 5.5" when erect and 90% of men possess this size."
Hmm...my stats professor would tell me that "average" is more or less the same as "mean," which is technically defined as the 50th percentile for the distribution. That should mean that 50% of men have this size (or smaller) and not 90%. Indeed, if 90% of men have 5.5-inch penises, then I don't feel nearly so bad about mine. Anyhow, I'm confused, because on their FAQ page, these penis growers quote Kinsey: "[The Kinsey Report] states that the average white male has a penis measuring 6.2 inches long and 3.7 inches around, and the average black African male has a penis measuring 6.3 inches long and 3.8 inches around."
Looks as though our penises have actually shrunk by nearly 3/4 of an inch in the decades since Dr. Kinsey's research. Good God, what will be the state of things a century from now? And, why is it necessary to call this stuff FastLength PRO anyway? Do you have to be a professional to use it? Is there an amateur version that will only give me half the results for a quarter of the price? In any case, the authors go on to muse on the prospects of averageness: "Are you really happy with being average though? You would not want an average car, an average house, an average girlfriend or an average life so why settle for an average penis? Do you think women want someone that is just average?"
Well, I could think of a lot of folks who would settle for average this or average that, particularly if it is the kind of average that is actually on the 90th percentile. The testimonials page for the product includes this gem: "I keep some FastLength PRO for the guys I date. I like the product because it's natural and safe. It allows me to be sexually satisfied by men while respecting my concerns about healthy lifestyles." - Cindy, from Livonia, Michigan
Ugh. Imagine going home from the club with Cindy and having her pop a FastLength PRO in your hand ("here, shorty, take this"). Kinda detracts from the mood, n'est-ce-pas? Finally, here's this bit: "We built our business by offering excellent products to happy customers who order from us again and again."
So, people have to order this stuff "again and again?" Don't you just keep taking it until you get to the size you want, and then stop? The mind reels with images of guys walking around with three-foot penises after having taken this stuff once a day for a year or two. Well, maybe Cindy from Livonia has a legitimate need to place numerous repeat orders, given the apparent diameter of her, eh, social circle.
posted 22:51 Thu, 17 Aug 2006
Wed, 05 Jul 2006
Spam: Slice-and-dice stock spam
I have described elsewhere how stock spammers frequently embed their come-ons in images that are directly attached to their spam messages; in this way, they figure, spam filters will be unable to read their text and tag it as spam, although a message that consists only of some gobbledegook and a CID-embedded image attachment is likely to attract at least as much attention (and little of this sort of spam gets through my SpamCop filters). One stock spammer has recently "improved" on the technique by cutting the image into several pieces that each reside in a separate MIME attachment, and then using the HTML markup in the message body to stick them back together again. Unfortunately for the spammer, this trick can have unintended consequences. Below is a typical pitch of this sort that I recently received in the office:
This message looks more or less the way the spammer intended. However, if you try to save a bit of desktop real estate by narrowing this message's window, the layout is destroyed:
Looks as though someone needs remedial HTML training.
posted 22:49 Wed, 05 Jul 2006
Mon, 19 Jun 2006
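
For the sliced-image stock spam post above, a filter-side check written as an added example (it is not from the original post): it counts CID-referenced image parts against the words actually present in the HTML body. The sample messages are constructed, and the thresholds (two or more slices, fewer than 20 words) are assumptions to tune against real mail.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample(n_slices, extra_html=""):
    """Build a constructed test message: HTML that stitches n image slices together."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg["From"] = "sender@sender.example"
    msg["To"] = "rcpt@rcpt.example"
    msg.set_content("see html part")
    cells = "".join(
        f'<td><img src="cid:slice{i}@sample.example"></td>' for i in range(n_slices)
    )
    msg.add_alternative(f"<table><tr>{cells}</tr></table>{extra_html}", subtype="html")
    html_part = msg.get_payload()[1]
    for i in range(n_slices):
        # Placeholder bytes stand in for each image slice.
        html_part.add_related(
            b"GIF89a", maintype="image", subtype="gif",
            cid=f"<slice{i}@sample.example>",
        )
    return msg.as_bytes()


def slice_report(raw_bytes, min_slices=2, max_words=20):
    """Report how many attached images the HTML reassembles and how much text it has."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    html, attached = "", set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html += part.get_content()
        elif part.get_content_maintype() == "image" and part["Content-ID"]:
            attached.add(str(part["Content-ID"]).strip().strip("<>"))
    # cid: references in the markup that point at parts really present in the message
    referenced = set(re.findall(r'src\s*=\s*["\']?cid:([^"\'\s>]+)', html, re.I))
    slices = len(referenced & attached)
    # Words a text-based content filter would have to work with
    words = re.findall(r"[A-Za-z]{3,}", re.sub(r"<[^>]+>", " ", html))
    return {
        "slices": slices,
        "words": len(words),
        "suspicious": slices >= min_slices and len(words) < max_words,
    }


if __name__ == "__main__":
    print(slice_report(build_sample(3)))
    print(slice_report(build_sample(1, "<p>" + "Quarterly newsletter text " * 10 + "</p>")))
```
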
Porn spam: Porn spammer has no clue (or maybe he's just got another agenda)
According to Postini and others, porn spam currently (June 2006) accounts for a tiny proportion (less than one percent) of the world's spam load. This wasn't always true, but even in my own case I can attest that the volume of porn spam has dropped like a rock over the last couple of years. My guess is that the internet porn industry has taken positive action to limit the spam sent on its behalf. Due to the, eh, particular nature of their business, and its heavy dependence upon the affiliate model of promotion, porn website operators are particularly vulnerable to the consequences of uncontrolled spamming, and most now seem to be keeping a sharp eye on the activities of their affiliates. What this means is that when I do get the occasional porn spam, it tends to stand out in sharp relief. These days, for example, I'm getting a couple of mailings per day from a particular porn spammer who refuses to get the message (or who perhaps may have a message of his own). The messages (see a typical one here) all follow a particular pattern:
Out of sheer curiosity, I've started following the commercial website links given in the spams, and I find that as often as not the links lead to messages indicating that the offending affiliate account has been terminated for spamming (or else I sometimes get redirected to some other unrelated site). In other words, the website operators manage to drop the hammer on this moron before I even open the message.
It seems to me like sheer stupidity for someone to set up an affiliate account with a porn site and then immediately start spamming for it. He is usually given clear notice in the affiliate agreement that spamming will get him in trouble. He must surely know that he's going to be busted and terminated before he even gets a payout from the website operators, so there will be no point to the affair. I'd even be willing to let him try the trick for a week or two, until he learns that it won't work.
However, the fact that this outfit has been tilling this barren soil for a couple of months now suggests to me that there may be something else going on. Why send out commercial website links that you know are going to fail? Why send out your own "portal" link that just flat won't work because of a 404 error, and why claim that people are going to be given usernames and passwords for this non-existent site? Why include a toll-bearing foreign telephone number that few, if any, will use except possibly to file complaints of one sort or another?
One possible answer to these questions, at least as far as I can tell, can be summed up in two words: JOE JOB. Is this spammer deliberately pissing in the pool just to make trouble for the porn webmasters and the hosting service? Is he a competitor? A disgruntled employee? An anti-porn crusader? I'm speculating here, but I just don't buy what may be the most obvious answer, that the spammer is exceedingly stupid.
posted 19:42 Mon, 19 Jun 2006
Sat, 03 Jun 2006
Stock spam: L-International computers
I'm getting a lot of stock spams lately touting L-International Computers (symbol LITL.PK), urging me to buy in on the strength of the company's announcement of a new hi-po notebook computer called the Olympus. Here's a sample:
Today's Hot Stock News
LITL.PK - 0.51 Considered Buy
L International Computers Inc Announces the Olympus, the World's First 20'' Widescreen PCI-XPress Series SLI Laptop Computer
Tuesday May 30, 9:00 am ET
L International Computers Inc., through its wholly owned subsidiary, Liebermann Inc., a renowned manufacturer of high-performance computers and personal technology, today announced the Olympus 20", the world's first desktop replacement Professional notebook computer fitted with a 20" UltraSpeed High-Resolution Display. [remainder snipped]
Normally, I am supremely uninterested in the firms and industries promoted in these mailings, but being something of a computer wonk, I was intrigued by this particular (and oft-repeated) announcement. L-International, founded by a chap named Miguel Liebermann (who is identified as a film director -- he's not in IMDB, but, hey, they say he directed one TV commercial for lingerie), seems to be quite a lightning rod for the computer press. Here's a link to one of several articles that The Register (an enjoyably chatty IT news website from the UK) has done on Liebermann and his (putative) products. From what I can find on the web, stock scamming for this company's shares (as well as commentary on their ethics and tactics) goes back at least a couple of years.
From the online stock reports, I found a URL for this outfit, http://www.l-computer.com/, only it was completely out to lunch (couldn't even be resolved by DNS). I found another website, http://go-l.com that displayed an extremely broad range of high-performance high-fashion notebooks, desktops, servers, and multiscreen monitors, a product line much larger than you'd probably find even at much larger companies like Dell or Apple. Trouble is, most of them were "coming soon," (uh-huh), and even those that were supposedly already here could not be researched (the offered links for pricing and customization at the "store" section of the site weren't links at all and went nowhere).
It was hard to tell, but some of the photos of equipment looked distinctly photoshoppy. In any case, it seems clear that L-International is much more proficient at writing product announcements and press releases than in delivering actual products. Indeed, I could find no evidence on the web that anyone actually paid for and took delivery of any of these systems.
L-Computers appears to want to position itself as a sort of Apple Computer for the Windows crowd, offering high performance and high style (for high prices). The go-L website is obviously patterned after Apple's own website, but is a rather deficient copy. On the other hand, it features more icons and badges and sidebars than Apple's own web designers could even imagine, and lots of techno-speak to go along with. Unlike the Apple website, where most of their tubthumping makes some sort of sense to a technically-savvy reader, most of the golden prose on the go-L site seems rather confusing and circular on close inspection. For example, they have at least five separate buzz-terms (and accompanying descriptions) for what appears to be simple RAM-caching of disk files (which goes back far enough in history for me to have used it in 1986 on my desperately slow and floppy-disk-bound 8MHz Fat Mac); here's their description of what they call "Cache flow™:"
"CacheFlow™ Technology is a preemptive multi-threading artificial intelligence memory engine, made of a group of extremely complex and sophisticated high performance Data and Memory Management Architectures, directly derived from supercomputing and high-end main frame designs. A radical breakthrough in mainstream computing, CacheFlow™ changes the way you do things with a computer, and the way it responds to your demanding applications."
You can find rehashings of the same RAM-disk stuff under the headings "Boot-up Mirrored DataCaching Engine," "Enhanced Hard Disk Sub-layer Cache Buffer," "Dynamic Preepmtive Data Re-allocation," "Dynamic A.I. SysCache and I/O Page Spread," "Variable Data Depth Burst Priority," "Zero CPU Time Dynamic Security Data Mirroring," "Boot-up Mirrored DataCaching Engine," "RAM Defrag and No-lossy Variable Data Compression," and (finally) "X: Drive - System Temp RamDisk Cluster." Whew. Better put on my waders, it seems to be getting deep.
I'll give Mr. Liebermann & co. the benefit of the doubt and assume that they really do intend to offer all the goodies they display on their site -- it seems clear, however, that this magnitude of engineering, design, and production has to be completely beyond the resources of such a small company. That would explain why they are attempting to attract investors. One wishes, however, that they wouldn't use stock spamming in this effort.
posted 23:37 Sat, 03 Jun 2006
Mon, 22 May 2006
Spam: I hear from Smart-Traveler
On very rare occasions, I get messages from righteously-indignant spammers via one of the "temporary" e-mail addresses that SpamCop issues to allow contact between the complainer (me) and the parties complained about. Just recently I got such a note apparently from Hamby Hutcheson, proprietor of something called Smart-Traveler. This outfit had sent two unsolicited bulk-mailings to my work address, which I duly reported using SpamCop. Mr. Hutcheson, however, begs to differ with my assessment of his mailings, and seems genuinely convinced that he is providing a true public service. He claims that his mailings are "public service announcements," and are therefore not spam...but let's let him speak for himself (with my observations interleaved):
Hello SpamCop user, THIS MESSAGE IS NOT SPAM: It originated from a recognized publisher of Public Service Announcements in E-mail format.
OK, I'll bite...who "recognized" you to distribute PSAs?
All messages are sent using Sender Policy Framework (SPF) and Direct Mail Format (which requires the recipient server to acknowledge Smart-Traveler PRIOR to any message being sent to the recipient).
SPF, when properly deployed, can be used by a receiving MX host to confirm that the return-path address of an e-mail message is not forged. However, it does not guarantee that the message itself is neither unsolicited nor bulk-delivered (i.e., even SPF-clean mail can be spam by my own definition of the term). As for the "Direct Mail Format," I can't find anything on the web about it. The rest of this paragraph is rather vague: If, indeed, "Direct Mail Format" does require the recipient's server to "...acknowledge Smart-Traveler," this still doesn't mean that the messages aren't bulk delivered or are sent with the prior permission of the recipient. (Actually, every recipient mail server "acknowledges" the transmitting mail host several times during each SMTP transaction, so it isn't clear how much more is done by "Direct Mail Format").
Smart-Traveler apologizes for any inconvenience a message regarding saving the lives of children or our families may have caused you, solicited or not.
This is pure non-sequitur argument, an attempt to deflect the topic of discussion away from Mr. Hutcheson's activities and to shame me for my reactions to them. It shows his rationalization that what he does is a "public service," and that anyone who objects to his activities is a heartless misanthrope whose opinions are not worth considering.
Please note that most Public Service Announcements (PSA's) published today, in print, on TV or on the Radio are sponsored. Without sponsorship, it would be impossible to publish either AMBER Alerts or NOAA weather warnings in a timely manner!
No, sorry, PSAs are by definition NOT sponsored. They are run for free by those media outlets that choose to run them. They are not supposed to contain commercial messages; if they do, then they are commercials with public-service content, and not PSAs.
Complete contact information including Toll Free (800) phone numbers and Help Buttons are on each message along with the usual CAN-SPAM requirements. Please use the REMOVE line at the bottom of the Message you received. I assure you Smart-Traveler will remove your address and send you confirmation of doing so.
Sorry, no soap. Why should I be obliged to take action to stop getting mail that I didn't ask for in the first place? Must I submit to having to pay for and accept mail (or take action post facto to stop mail) from ANYONE who feels that he has information of compelling public interest (like, f'rinstance, these guys)? How can I trust you to do as you say and stop mailing to me, and not simply to sell my address to others once I identify to you that it works? Also, you should not assume that what you are doing isn't spam just because you may be in minimal compliance with CAN SPAM. The law defines criminal behavior, not ethical practice.
Respectfully, SMART-TRAVELER.
A PSA is generally understood to be something run by a broadcast outlet -- for example, a radio or television station, or even a magazine or newspaper. The radio and TV folks, in particular, air PSAs to earn "brownie points" toward their next license renewals. The PSAs can be created and submitted for broadcast by anyone (even by commercial businesses, as for example liquor distributors producing spots about responsible drinking), and broadcast outlets are likewise free to accept or decline PSAs offered them. E-mail is a medium for one-on-one communications, however, and not a broadcast outlet, so it seems to me to be quite a distortion to euphemize outright spam as "public service announcements."
This message to me is not the only venue where Mr. Hutcheson has tried out his arguments in favor of "e-mail PSAs," and against those who consider them spam and want them stopped. Here's a bit from a web-board discussion (that also mentions some of his other less-than-salutary past business activities): http://www.webservertalk.com/archive154-2004-10-453884.html
And here's a posting he made that describes his view of spam ("We are being pressured to believe that anything that moves across the Internet that was not "invited" or "approved" prior to sending is SPAM. This is not true!"): http://www.zdnet.com.au/forums/0,39029293,20272119-20107937o,00.htm
posted 19:13 Mon, 22 May 2006
Tue, 16 May 2006
Spam tricks: New (?) Yahoo redirector for hiding spam URLs
On my website, I describe the use by spammers of public redirector URLs as a means to disguise or camouflage the actual URLs of their websites. One such redirecting host, rd.yahoo.com, was pretty heavily abused before Yahoo began intercepting such usage and posting warning messages before handing the visitor off to the target site. Recently, I've been getting spams that use another Yahoo redirector, rds.yahoo.com; it appears that the extra "s" does not stand for "secure", since this host does not provide the same warning page. Here's one of the spam URLs, with the redirector and the actual URL highlighted in blue and green respectively: http://rds.yahoo.com/s=3487483/k=computer
Note that the spammer has added a lot of extra bric-a-brac to the call as further camouflage. I'm not an expert on parsing URLs, but I suspect that this stuff is just gibberish, and that the "*-" business just before the target URL may somehow affect the processing of this extra stuff.
posted 20:38 Tue, 16 May 2006
Thu, 04 May 2006
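
For the redirector post above, an added example (not from the original post) of how a filter can pull the real destination out of a redirector link, so that reputation checks run on the target host rather than on rds.yahoo.com. It goes beyond the "*-" form by also handling percent-encoded targets; the sample URLs and the `.example` hosts are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Any absolute http(s) URL, up to whitespace or a quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def embedded_target(url):
    """Return the URL hidden inside another URL's path or query, or None."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if not parts.netloc:
        return None
    # Everything after "scheme://host": this is where a redirector carries
    # its target, e.g. ".../*-http://target/" as described in the post.
    tail = url[len(parts.scheme) + 3 + len(parts.netloc):]
    for _ in range(3):  # allow for nested percent-encoding
        match = URL_RE.search(tail)
        if match:
            return match.group(0)
        decoded = unquote(tail)
        if decoded == tail:
            return None
        tail = decoded
    return None


def hidden_links(text):
    """List (outer_host, inner_host, inner_url) for links that hand off to another host."""
    findings = []
    for outer in URL_RE.findall(text):
        outer = outer.rstrip(".,);")
        inner = embedded_target(outer)
        if inner is None:
            continue
        outer_host = urlsplit(outer).hostname
        inner_host = urlsplit(inner).hostname
        if inner_host and inner_host != outer_host:
            findings.append((outer_host, inner_host, inner))
    return findings


# Constructed message body: two redirector links and one ordinary link.
SAMPLE_BODY = (
    "Great rates: http://rds.yahoo.com/constructed=1/k=sample/"
    "*-http://spamvertised.example/offer now\n"
    "Or: http://redirector.example/r?u=http%3A%2F%2Fspamvertised.example%2Foffer2\n"
    "About us: http://www.example.org/about.\n"
)

if __name__ == "__main__":
    for finding in hidden_links(SAMPLE_BODY):
        print(finding)
```
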
UPDATE 22 MAY 2006: It appears that the website at www.newportcorp.cn is now four-oh-four, gone down to the great brimstone pit where all spam websites eventually go.
There's nothing like being able to post a couple of awards to help you boost the prestige of your website. At least, that's what one particular spammer figures. And, if the "awards" aren't quite laudatory, you can always hammer them into shape yourself...
I received the message in question from an IP address in a big block belonging to telefonica.es in Spain (apparently a direct-to-MX, possibly an open proxy or "zombie" host). It was mailed to an unused default address at my virtual domain. It advertised the website www.newportcorp.cn, the momentary home of the "Newport Emailing Broadcast Corporation" (sic). Although the site lists the firm's headquarters in Seattle, the website is (presently) hosted in China; for that matter, the domain is Chinese as well (the domain-whois info is in Chinese and unreadable to me, although I can see that the domain was registered just hours before I got the spam).
A Google search leads me to conclude that this mailing seems to be the work of one Robert Soloway, a particularly stubborn spammer with a number of pending civil and criminal judgements, and a long rap sheet in the ROKSO database. Mr. Soloway's trademark gimmick is his offer of free bulk-mailing service to charitable organizations, an offer that he has used in court as a figleaf to deflect attention from his spamming, to posit his own operations as charitable works, and to cast aspersions on his attackers. I don't know how many charitable organizations may have been foolish enough to take him up on his offer, but I do know that I get very little or no spam of that sort.
Visiting the newportcorp.cn website, I found evidence that Mr. Soloway can't help blowing his own horn, even if that horn is decidedly off-key:
For some reason (but probably not an excess of modesty), Mr. Soloway did not provide external links to allow visitors to read about these honors for themselves; I, however, will be happy to fill the breach:
posted 21:01 Thu, 04 May 2006
Mon, 01 May 2006
Spam tricks: Mortgage spam subject lines
One of the non-technical tricks that spammers often use to get you to open their messages is to provide a provocative subject line. Recently, a mortgage spammer has begun tarting up his otherwise very routine mailings with some subject lines calculated to catch the eyes of those who may be concerned about their creditworthiness:
Whether you worry about mysterious stains on your credit history, theft or misuse of your credit record data, or just plain "insufficiency" of your credit, come-ons like these can tempt you to open the message to see what's going on. Of course, like most mortgage spams, these are insecure e-mails that may not even have been directly addressed to you (i.e., your address may be only one of many in the "To:" field, or may not even be present at all). The people who send this mail have no money to offer you; they are simply trawling for leads that they can sell to "real" mortgage companies, or at least companies that aren't so picky about where and how they get their sales leads.
posted 11:41 Mon, 01 May 2006
Wed, 26 Apr 2006
Mainsleaze: I get spammed (twice) by Lara Croft
The messages, of course, did not come from Eidos directly but from an outfit apparently known as valuedat.com (the domain registered by a party in Boca Raton, Florida); their mail host operated at IP 207.210.68.2 in a block assigned to Global Net Access (GNAX) of Atlanta. Eidos fared better with their spamhaus than did Loehmann's (see earlier post), since it managed to stay on the net long enough for me to have a look. The images, web links, and (yes) web bugs were served from hosts in the pyrophylliterequisitioner.com domain (apparently registered to the same crowd in Boca Raton, but hosted at IP address 72.4.161.90, assigned to Affinity Internet in nearby Fort Lauderdale). This looks like yet another house-of-cards South Florida spam operation.
What I'd really like to know is why Eidos, which controls one of the longest-running and most popular action-game franchises in computer-game history (a series so popular that it spawned two Hollywood blockbuster feature films), would find it necessary to promote this product through indiscriminate spamming. Maybe that's what happens when you put the wrong new management on the job.
posted 22:05 Wed, 26 Apr 2006
Mainsleaze: Loehmann's gets a new spamhaus (but might want to stop payment on the check)
For a year or so, I was getting spam from Loehmann's department store with low but consistent frequency (others, apparently, were also getting it). Then, it seemed to have ceased. Now, Loehmann's has returned to darken my inbox courtesy of a new partner-in-spam.
The message came from an outfit using the domain name dentaltestingimagery.com (how's that for a mission-focused, above-board, and descriptive name for a remailer outfit?). They were apparently using a small group of addresses (like 64.69.46.247 for their mail host) provided by the California collocation service CoreExpress. They were running their authoritative name service (and possibly their websites) from these same addresses as well. Unfortunately for them, by the time I was able to track this mail down, their name service was shut down cold and removed from DNS altogether, taking the rest of the operation with it (including the secret web-bug that was supposed to trip if I opened the message).
Obviously, Loehmann's won't take a hint to stop spamming, so the best we can hope for is that they continue to piss away their ad budget on chickenboners like these.
posted 22:03 Wed, 26 Apr 2006
Spam tricks: Obfuscation using CSS "float" attribute.
Lately, a few specialists in pharmacy and mortgage spam have been getting a lot of mileage out of a CSS-based trick for obfuscating their HTML markup. They break up their sales pitches every few characters with a <SPAN> of text with its FLOAT attribute set to RIGHT, so that the SPANned text is moved out of the way of the spam pitch and sent to the right side of the line. You will see the pitch as intended (albeit with some extra garbage on the right hand side), while your content-based non-CSS-savvy spam filter will see diddley. The object appears to be to prevent spam filters from seeing "spammy words" (like "LOWER" as here). Here's a bit snipped directly (and slightly modified for format and anonymity) from one of these spams (widen your browser window to watch the gibberish "stick" to the right margin, and view the source of this page to see how the trick works):
D o ear Home Ow d ne w r ,
Your cr n ed b it doesn't matter to us ! If you O e WN real e e st p at d e and want IM g ME a DIAT a E cas h h to sp d en e d ANY way you like, or simply wish to L l OWER your monthly p p ayme j nts by a third or more, here are the de r als we have T s OD g AY :
$ 4 f 88 , 000 at a 3 u , 67% fi s xed - rat u e
$ 3 w 72 , 000 at a 3 , m 90% v s ariab d le - ra a te
$ 49 z 2 , 000 at a 3 k , 21% inte h res q t - only
$ 24 k 8 , 000 at a 3 , z 36% fi e xed - ra r te
$ 1 e 98 , 000 at a 3 k , 55% vari u able - rat c e
Hu i rry, when these deaI m s are gone, they are gone ! Don't worry about a s pprov d al, your c t red w it will not dis w qua m lify you !
V j isi o t our q site
Sincerely, Ianthe Blanchard Ap z prov p al Manager
One interesting bit of HTML trivia we learn here is that the <A> hyperlink can be extended across one of these "floated" bits of text as an anchor (I redirected this hyperlink for obvious reasons). This may even be useful to someone someday. I guess someone was very proud to have figured out how to deploy this trick; seems to me, though, they could have achieved the same result any number of other ways that would not litter the right margin of your browser window with all that cruft.
posted 20:41 Wed, 26 Apr 2006
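
For the CSS "float" post above, an added example (not part of the original post) of what a CSS-aware content filter has to do: drop the text of floated elements before tokenizing, and treat the number of floated fragments as a signal in its own right. The markup is a constructed sample modelled on the snippet, and the `style="float:right"` form is an assumption about how the spans were written.

```python
import re
from html.parser import HTMLParser

# A float declaration inside a style attribute, e.g. "float: right".
FLOAT_RE = re.compile(r"(?:^|;)\s*float\s*:\s*(left|right)\b", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


class FloatStripper(HTMLParser):
    """Separates text left in the normal flow from text inside floated elements."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []         # (tag, is_floated) for each open element
        self.flow_text = []     # what the reader sees as the pitch
        self.floated_text = []  # filler pushed to the margin
        self.float_count = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        floated = bool(FLOAT_RE.search(dict(attrs).get("style") or ""))
        self.float_count += floated
        self.stack.append((tag, floated))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; spam markup is often sloppy.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        in_float = any(floated for _, floated in self.stack)
        (self.floated_text if in_float else self.flow_text).append(data)


def deobfuscate(html):
    """Return (pitch text, filler text, number of floated elements)."""
    parser = FloatStripper()
    parser.feed(html)
    parser.close()
    flow = re.sub(r"\s+", " ", "".join(parser.flow_text)).strip()
    return flow, "".join(parser.floated_text), parser.float_count


def naive_text(html):
    """What a filter sees if it only strips tags and ignores CSS."""
    return re.sub(r"<[^>]+>", "", html)


def tokens(text):
    return set(re.findall(r"[a-z]+", text.lower()))


# Constructed sample; filler letters follow the snippet in the post.
SAMPLE = (
    '<p>D<span style="float:right">o</span>ear Home Ow'
    '<span style="FLOAT: right">d</span>ne<span style="float:right">w</span>r,</p>\n'
    '<p>simply wish to L<span style="float:right">l</span>OWER your monthly '
    'p<span style="color:red; float:right"><b>p</b></span>ayme'
    '<span style="float:right">j</span>nts</p>'
)

if __name__ == "__main__":
    print(naive_text(SAMPLE))
    print(deobfuscate(SAMPLE))
```
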