
Classic Spam:
Big Brother Is Watching You
(or maybe he isn’t)

"First, create a need;
then, offer to sell something to fulfill it."

That’s the motto of modern advertising, and it goes a long way toward explaining why we have such products as ice cream for dogs, telephones that take and send pictures, and the Sport-Utility Vehicle.

Spammers are using the principle, too, judging by this sort of message that occasionally makes its way to my inbox:

Hmm...this is scary. Let’s click on the link and find out what’s up... (clicking) ...dum da dum dee, oh, here comes the page:

Oh, my God! Look at this! Quick hide the porn and the warez...they’re onto me at last!

Well, maybe not. Actually, all of the info here either (1) is made up completely, or (2) comes from the data routinely passed in every normal web connection.

You may or may not know it, but every time you use your web browser to load someone else’s web page from a server, the server collects information (quietly, without your being aware) about the transaction. Some of this information is provided by your browser program in the headers of the “HTTP request” it sends, while other items (notably your IP address) are obtained by the server itself from the network connection you made. Much of this information is stored by the server in log files; these logs help website operators determine what kind of traffic they’re getting and where they may have problems in their website configuration. This HTTP information, by itself, actually reveals very little about you personally, despite what this spammer would have you believe. An “investigator” would need a lot of computer (and human) brain power, plus possibly a warrant or a subpoena, to link this information to you personally.

Returning to our spammer, let’s take a line-by-line look at his “warning page”:

  1. (“449 VERIZON investigation”) This line looks like an HTTP status code, but “449” is not defined in official HTTP 1.1. Microsoft does appear to use (or at least reserve for use) this status code for its web servers, but it has nothing to do with investigations. The spammer gets “VERIZON” by using IP-whois (or similar) to look up the owner of the IP address given below.
  2. (“Your computer is being tracked”) My computer is being tracked? It hasn’t moved from my desk since I put it there a year and a half ago, but then again I don’t know what it may do while I’m at work.
  3. (“Your IP is under investigation”) Well, no. First of all, it isn’t “my” IP, it is Verizon’s, dynamically assigned to me for the length of a single broadband (ADSL) session. Tomorrow I may have a completely different IP address. In any case, you can seldom “hard-link” a given IP address with a given computer, much less one of many possible users of that computer.
  4. (“Your ISP is cooperating”) With what, a reverse DNS lookup? How dare they!
  5. (“They know you are using...”) They know I’m using Win98 and MSIE6? Boy, there’s some damning evidence; that narrows it down to a few million suspects. (Pssst, nobody tell them, but I was actually using OmniWeb for Mac OS X, which I had set to identify itself as MSIE for Win98. Otherwise, I find that many overengineered corporate websites refuse me service if I tell them I’m using OmniWeb on a Mac.)
  6. (“Evidence of your activities”) You mean the website I visited actually knows its own address? I’ll be damned, what will they think of next?
  7. (“The authorities know about you”) Which ones? Hell, there’s no actual evidence here, just the actual word “EVIDENCE.” Sheesh.
  8. (“Your risk status for further investigation”) My risk is very high? I suppose it is, since having clicked onto this page I’m that much closer to being sucked into this pathetic scam.
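To make the point of the list above concrete, here is an added example (not from the original article) that does what the scam page does: it parses a constructed raw HTTP request exactly as a server receives it, takes the peer address the server’s socket reports, and labels each “fact” with where it really came from. The request, the IP address and the URLs are all constructed sample data.

```python
"""Added example: what a web server actually learns from one browser request."""
import re

# Constructed sample: the raw bytes one browser connection sends to a server.
RAW_REQUEST = (
    b"GET /warning.html HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)\r\n"
    b"Referer: http://www.example.invalid/page-with-the-spam-link.html\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)
# Constructed peer address (TEST-NET-3 range). This comes from the server's
# socket, not from the browser, and a dynamic ISP address may be someone
# else's tomorrow.
PEER_IP = "203.0.113.42"


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP request into its request line and lowercase-keyed headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def guess_platform(user_agent: str) -> tuple:
    """Pull browser and OS names out of a User-Agent string. Both are self-reported:
    the browser can claim anything (the author's OmniWeb posed as MSIE on Win98)."""
    browser = re.search(r"MSIE \d+(?:\.\d+)?", user_agent)
    os_name = re.search(r"Windows [\w.]+|Mac OS X|Linux", user_agent)
    return (browser.group(0) if browser else "unknown",
            os_name.group(0) if os_name else "unknown")


def what_the_server_knows(raw: bytes, peer_ip: str) -> dict:
    """Map each item the scam page displays to its value and its true source."""
    req = parse_request(raw)
    browser, os_name = guess_platform(req["headers"].get("user-agent", ""))
    return {
        "ip": (peer_ip, "TCP connection; owned by the ISP, dynamic, not a person"),
        "browser": (browser, "User-Agent header; self-reported, trivially changed"),
        "os": (os_name, "User-Agent header; self-reported, trivially changed"),
        "evidence": (req["headers"].get("referer", ""), "Referer header; the page holding the link"),
        "status": ("449", "invented by the page; not an HTTP/1.1 status code"),
    }
```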

Most of us have probably seen or done things with our computer that we would not like for others to know about. The spammer depends upon our guilty consciences to turn a poor assortment of cheap HTTP parlor tricks into a full-blown imminent threat of arrest. How can I stop this fascist harassment? How can the cops tell what is stored on my computer just by extracting a couple of fields from an HTTP request? Maybe I’ll just click on that link down at the bottom...

Now, we arrive at a professional-looking website (http://www.evidence-eliminator.com/product.d2w) selling a software package known as “Evidence Eliminator,” which for $149 promises to scrub all the nooks and crannies of your computer and get rid of all that pesky evil stuff. I know nothing about this package, but I suspect it simply clears data or files from certain cache locations (some of which are not generally known to users), and then overwrites “blank” spaces on disk with zeroes or other patterns (so that the remains of old deleted files cannot be recovered). At least that’s what I think it does. Hell, it might not do anything at all. I’ll leave it to you to decide whether you need or can use such a program (it isn’t available for the Mac, I guess I’ll just be going to jail).

This spam is a classic case of an online seller enlisting affiliates to do the dirty work of spamming so that they can stand serenely above the fray. The people behind the EE package (Robin Hood Software, in the UK) probably did not send this spam, so even though they stand to benefit by it they are supremely uninterested in your spam complaints. In fact, they appear not to understand exactly what spam is (or maybe they’re just pretending not to).


(c) 2003-2006, Richard C. Conner ( )


Updated: Fri, 15 Sep 2006