
Classic Spam: Modem Dialer Hell

The bottom line: For Pete’s sake, don’t fall for any spam pitch that requires you to download and run executable software on your computer; this warning applies to porn dialers (as here), but also to other rackets like online casinos.

This particular variety of spam racket reminds me of one of my favorite jokes, the one in which the gullible young man goes to what he’s told is a discount house of prostitution:

The man knocks on the door, and a voice answers, “What do you want?”

“I wanna get screwed,” says the man, cutting directly to the chase.

“OK, slip fifty bucks under the door and wait,” says the voice.

The man takes a bill from his wallet and slips it under the door, whence it immediately vanishes. However, even after a couple of minutes, the door still doesn’t open, and there’s no sign of activity behind it.

“Hey,” says the man, banging again on the door, “What gives? I gave you the money, now I wanna get screwed!”

From behind the door, the voice says, “You just were.”

Pornography is truly a cash cow of web commerce, as it has been for most other forms of mass communication down through history. Don’t tell John Ashcroft I told you, but there are ways to download porn virtually around the clock, tailored to your particular fetishes, free of charge, and with nearly complete anonymity. Most thrill-seekers don’t know how to do this, so in steps the porn spammer to offer to drop the product literally into their laps (pardon).

Most “free porn” spams send you to a website with an impressive-looking main page (boy, these pornographers really know their way around Photoshop) that may offer “free” access. They may even give you a “username” and “password” to use to get this access. There is a catch: you usually have to give up your e-mail address (and, if you do, you can count on getting buried under an avalanche of porn spam from all over the globe) or even a credit card number (for “proof of age,” you understand). Actually, you won’t get in much trouble (at least not from the spammer) simply by browsing the truly free parts of these sites as long as the spam doesn’t contain a beacon link or any other feedback.

On the other hand, another more pernicious breed of porn spammer relies upon the private dialer approach, as in this example:

Received: from [206.46.170.12] ([203.251.69.235]) by
  mta010.verizon.net
  (InterMail vM.5.01.05.33 201-253-122-126-133-20030313)
  with SMTP id
  <20030613125837.PWFA23139.mta010.verizon.net
  @[206.46.170.12]>;
Fri, 13 Jun 2003 07:58:37 -0500
Received: from [138.54.72.160] by 206.46.170.12 id
  q1bRb0ijn7Z7; Fri, 13 Jun 2003 12:14:38 -0200
Message-ID: <rv91mq-2$$f$65ixlks9o6m4@3nl5c>
From: "Alden Maynard" <ey7pff4y6t@yahoo.com>
To: not my address
Cc: not my address, not my address, not my address,
not my address, not my address, not my address,
not my address, not my address, not my address,
not my address
Subject: Pure Black Gay Guys lj n r ygbk
Date: Fri, 13 Jun 03 12:14:38 GMT
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: The Bat! (v1.52f) Business
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="_EBEBE345DFFAE_.102A.D"

This is a multi-part message in MIME format.

--_EBEBE345DFFAE_.102A.D
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<META HTTP-EQUIV=3D"Content-Type"
CONTENT=3D"text/html;charset=3Diso-8859-1">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html;
charset=3Dwindows-1252">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR></HEAD>

<body bgcolor=3D"#000000">
<center><table bgcolor=3D"#000000" border=3D"3"
bordercolor=3D"#990000" width=3D"75%" height=3D"86%">
<tr><td><br><br>
<center><table width=3D"85%" height=3D"70%" border=3D"2"
bordercolor=3D"#990000"><tr><td>

<p align=3D"center"><font face=3D"Trebuchet MS" size=3D"4">
<br><strong><font color=3D"#FFFF00" size=3D"+3">
No Credit Card Required for</font><br><br>
</strong></font><strong><font face=3D"Trebuchet MS"
color=3D"#00FFFF" size=3D"5">Access to the best gay porn
sites on the internet</font></strong>


<p align=3D"center"><font size=3D"3" face=3D"Verdana"
color=3D"#FF00FF"><b>
Athletic Men can be found on the ultimate site for anyone
who likes to see hot <b><font size=3D"3" face=3D"Verdana"
color=3D"#FF0000">gays</font> go wild in front of the camera!
<b><font size=3D"3" face=3D"Verdana"
color=3D="#FF0000">Fantastic oral and anal sex guranteed</font>,
these men love to explore their sexuality!

<p align=3D"center"><font size=3D"4" face=3D"Verdana"
color=3D"#FFFFFF"><b>
To access the site directly using your modem, <br>
<a href=3D"
http://directplugin.com/dialers/XXXXXXX.exe"
style=3D"color: hotpink; text-decoration: none">CLICK HERE</a>
</b></p>

<br><br>

</td>
</tr>
</table>

</center>

<br><br>

</td></tr>
</table>

</center>

</body>
</HTML>

oinpg xvckyefcwi fyzmlaytpqriutaeve c xxgzf bszz
m
--_EBEBE345DFFAE_.102A.D--

Many spammers like to claim that they can make things bigger for you, but here’s one who really delivers: he can give you a much larger phone bill than you now have. If you click on the link in red (I have munged it for your protection), your computer will download an executable program called a “dialer;” the dialer simply dials the porn server directly through your computer’s modem, bypassing your normal internet access. I hope I don’t have to explain why this is a Very Bad Idea, but just in case:

Any or all of these things could happen without your being aware of them, thanks to the horrendously poor security of most versions of Microsoft Windows (neither Unix-style systems, nor the old and new versions of the Mac OS, are nearly as susceptible to this approach; you may download the dialer, but you won’t be able to run it).

If you didn’t understand any of the above, just ask yourself this: is it really a good idea to run a program given to you by a spammer? I don’t think so.

The first Received: line in the header is a forgery; it contains a HELO name that looks like an IP address (206.46.170.12), one that resolves to “relay.gte.net” (so the spammer is sort of trying to hide behind GTE’s coattails). The actual address (203.251.69.235) appears to belong to a Korean service. The second received-line is a forgery (the by-address does not match the true from-address in the first line). The large list of to- and cc-addressees included several accounts in my ISP’s domain with user names alphabetically very close to mine; this suggests to me that my ISP’s entire list of users must somehow have fallen into the hands of a spammer. Gee, and here I thought I was being singled out for special treatment!
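The two header checks described above can be automated. The following is an added example, not part of the original page: it parses the Received: lines from the sample and, like the paragraph, treats the bracketed peer address in the topmost line as the address the receiving server actually saw. The function names `parse_hops` and `check_chain` and the finding labels are made up for illustration.

```python
import re
from email import message_from_string

# Received: lines copied from the sample above; the date continuation is
# re-indented so it folds into its header, as it would on the wire.
SAMPLE = """\
Received: from [206.46.170.12] ([203.251.69.235]) by
  mta010.verizon.net
  (InterMail vM.5.01.05.33 201-253-122-126-133-20030313)
  with SMTP id
  <20030613125837.PWFA23139.mta010.verizon.net
  @[206.46.170.12]>;
  Fri, 13 Jun 2003 07:58:37 -0500
Received: from [138.54.72.160] by 206.46.170.12 id
  q1bRb0ijn7Z7; Fri, 13 Jun 2003 12:14:38 -0200

"""

HOP = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<peer>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_hops(raw):
    """Return one dict per Received: line, topmost (most recent) first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # undo header folding
        if not m:
            continue
        peer = IPV4.search(m["peer"] or "")
        hops.append({"helo": m["helo"].strip("[]"),
                     "peer": peer.group() if peer else "",
                     "by": m["by"].strip("[]")})
    return hops

def check_chain(raw):
    """Flag the two inconsistencies the paragraph describes."""
    hops, found = parse_hops(raw), []
    if not hops:
        return found
    top = hops[0]
    # HELO is whatever the client typed; the peer address is what the server saw.
    if IPV4.fullmatch(top["helo"]) and top["peer"] and top["helo"] != top["peer"]:
        found.append(("helo-mismatch", top["helo"], top["peer"]))
    # Each older line's "by" host should be the machine the newer line heard from.
    for newer, older in zip(hops, hops[1:]):
        sender = newer["peer"] or newer["helo"]
        if IPV4.fullmatch(older["by"]) and IPV4.fullmatch(sender) and older["by"] != sender:
            found.append(("broken-chain", older["by"], sender))
    return found
```

Hops whose "by" field is a host name rather than an address are skipped, since comparing them would need a DNS lookup.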





(c) 2003-2007, Richard C. Conner


Updated: Sat, 18 Aug 2007