Well of course they didn’t actually make the eBay purchase - because it never happened. But the fear that you are about to lose several hundred dollars from your Paypal account ($347.85 in the example below, but we’ve seen them as high as $1200 or more) causes people to not think clearly - and when the email really looks like a legitimate email from Paypal, they are likely as not to click the links in the email so they can get the problem resolved quickly, before “their money” is wrongly sent away.

Of course ironically, the very act of clicking the link and logging in to “Paypal” ensures that all of the money will be drained from their Paypal account. Because what they are really logging in to is a clone site which looks like Paypal, but is being run by the phishers, who capture the victim’s Paypal username and password, and then log in and drain the Paypal account of all of its funds - after also grabbing all of the user’s banking information.

Here’s an example of the Paypal eBay phish that was caught in our net today.

This is the view not that the end user sees with an html-enabled email reader, but the actual, underlying text - see if you can spot the nasty bits:

From: service@PayPal.Inc.com
Subject: Receipt for Your Payment to achaade13@yahoo.com
Dear PayPal Member,

This email confirms that you have sent an eBay payment of $347.85 USD to
achaade13@yahoo.com for an eBay item.

———————————–
Payment Details
———————————–

Amount: $347.85 USD

Transaction ID: 2LC956793J776333Y

Subject: Digimax 130

———————————–
Item Information
———————————–

eBay User ID: scratchandgnaw2

—————————————————————-
Edward Harrell’s UNCONFIRMED Address
—————————————————————-

Edward Harrell
211 David St.
Springtown, TX 76082
United States

Important Note: Edward Harrell has provided an Unconfirmed Address. If
you are planning on shipping items to Edward Harrell, please check the
Transaction Details page of this payment to find out whether you will
be covered by the PayPal Seller Protection Policy.

Note:

If you haven’t authorized this charge ,click the link below to dispute
transaction
and get full refund

Dispute Transaction:

https://www.paypal.com/cgi-bin/webscr/cgi-bin/webscr?cmd=_ssr&
return=http%3A%2F%2Fpaypal-cgi-bin.s6.pl/?
cgi-bin.webscrcmd=_login-run.webscrcmd=_account-run.DisputeTransactionID.2LC956793J776333Y

*SSL connection:
PayPal automatically encrypts your confidential information
in transit from your computer to ours using the Secure
Sockets Layer protocol (SSL) with an encryption key length
of 128-bits (the highest level commercially available)

—————————————————————-
This payment was sent using your bank account.

By using your bank account to send money, you just:

- Paid easily and securely

- Sent money faster than writing and mailing paper checks
- Paid instantly — your purchase won’t show up on bills at the end of
the month.

Thanks for using your bank account!

—————————————————————-

Thank you for using PayPal!
The PayPal Team
PayPal Email ID PP118

—-

Oh, they will probably deny it, but what else can you call it when their Online Marketing Manager, Costas Kariolis, shows up at an article about Skype on the Internet Patrol, and posts a comment about the Vonage offerings, with an SEO-formatted link back to the Vonage site - and also posts the exact same comment to articles about Skype on other sites?

Shame on you, Vonage - don’t you know that comment spamming is the scourge of the Internet? This alone is enough to ensure that the Internet Patrol will recommend that people not use Vonage - we don’t support spammers.

Here is the comment spam that Costas Kariolis posted today (link disabled, of course) - the original article about Skype to which he posted his comment spam is here.

The introduction of these new call plans from Skype should prove beneficial for the internet telephony / VoIP sector generally. Anything that helps to bring internet telephone calling further into the mainstream is very welcome.

You can find out more about Vonage at .

It is interesting to note that Mr. Kariolis didn’t single out the Internet Patrol - he posted the exact same comment spam here today as well.

Rather than make plans to travel to Washington, Revered Shea deleted the email, believing it to be spam. Perhaps he was, quite understandably, guided in his decision to do so by the date on which the email was delivered - April Fool’s Day. Perhaps again he was suffering under the deluge of spam that floods the mailboxes of so many people today. “I put it in the same place I put all the e-mails with special offers for Viagra,” Shea said.

However, it turned out that the email invitation had been legit!

Luckily, Reverend Shea was contacted a little time later to follow-up on the invitation. There’s no news on whether he did renew his relationship with the Pope, whom, as Cardinal Joseph Ratzinger, Reverend Shea had known when he studied for the priesthood in Rome.

This new hack has Wordpress hackers disabling all of your Wordpress plugins (including, you see, Akismet or any other anti-spam comment spam stopper plugin), which then allows them to inject comment spam into your blog at will. So if you suddenly find yourself getting an enormous amount of comment spam all at once, or if you suddenly find your blog pages coming up blank (because with your plugins disabled, that often can be the case) you may be the victim of this latest plugin-disabling comment spam hack.

We first noticed that something was amiss when we suddenly started getting several requests to moderate comments a minute - comments that would ordinarily have never made it that far because they were so obviously spammy. Our first thought was to just block the IP address of the comment spammer - and that is when we noticed that the comments were coming from many different IP addresses. That meant that dealing with it was going to be much more complicated, as we couldn’t simply block the offending IP address.

The next thing we noticed was that, suddenly, our site was not loading properly - the page would just stop loading about a quarter of the way down the page.

That was actually the clue which lead me to realize that something was going on with our plugins, because the page always stopped loading right when there was a call to one of our plugins. So I went to the plugin admin page for Wordpress, and saw that all of our plugins had somehow been deactivated.

And that’s when it hit me.

By deactivating our plugins, the spammers had deactivated Akismet - which would otherwise have simply dispatched this comment spam to comment spam oblivion.

Sneaky.

Evil.

Fortunately for us, even though the spammer was submitting their comment spam by going straight to our comment form URL (rather than through the form at the bottom of an article), what they didn’t know was that we have comment moderation turned on - no doubt this hack method relies on Wordpress sites that run Akismet or other anti-comment-spam plugins not also having moderation turned on - so none of the spam actually got posted. But that didn’t stop it from severely impacting us.

I should also point out that we routinely change the name of the comment posting form so that the URL for posting a comment also changes, and we do that to thwart exactly this kind of comment spam. When this happened yesterday we tailed our httpd log, and we saw the spammer going directly to that file and URL, which means that the spammer had already discovered our newest file name and URL. This leads us to suppose that part of the reason we are all seeing an uptick in manually posted comment spam may be because there is an advance spammer group who is out manually discovering the file names and URLs of comment forms.

As always, whenever the forces of good find a new way to thwart spam - be it email or comment spam - the forces of evil catch up, and the cycle starts all over again.

Now, I will confess here that we had not yet upgraded to the newest version of Wordpress - Wordpress 2.5. I also don’t know if it would have made a difference or not, but among the other things we did to counter this spam attack, we upgraded to 2.5. Even if there isn’t anything in 2.5 which directly addresses this hack, we know that we have the latest and greatest in Wordpress security by having upgraded.

Then, we put into place the following suggestions, found over on Matt Cutts’ excellent blog. Those suggestions include securing your wp-admin directory and creating a dummy wp-content/plugins/index.html, so that which plugins you run becomes much more difficult to discover. While these suggestions were not made by Matt in the context of this hack (about which he may or may not have known), they are directly applicable to thwarting this hack. So, thank you, Matt!

So we’re back up and running, a little wearier, but a little wiser.

Of course, this had to happen while I was out of town - in fact, in the middle of nowhere. Thank goodness for my Verizon Wireless USB broadband modem, which kept me connected even while in the middle of the rockies, and allowed me to work with our dev team to trouble shoot this, and to download and install the 2.5 upgrade!

Yes, I’d run into a new breed of spammer - pushing a new breed of Twitter spam.

You see, this type of Twitter spam - this Twitter spammer - doesn’t actually care if you ever follow them - and they certainly aren’t actually reading the 32,244 people they are ‘following’.

Here’s how it works: you get the notice from Twitter that TwitterSpamMan is following you. Now, naturally, you are curious who it is, and so you go to their Twitter profile and, you naturally click the link they provide in their profile to tell you all about themselves.

Under normal circumstances, this would lead to their legitimate business or personal website but (and you see where this is going, don’t you?), the link in TwitterSpamMan’s profile just happens to lead to a site which is nothing but a webpage full of ads - won’t you click on one while you’re here and help line TwitterSpamMan’s pockets? (Not!)

In this particular jerk spammer’s case (aren’t you glad that I’m holding back and not telling you how I really feel?), there was absolutely nothing on his website site other than ads - unless you count the “buy this domain!” link!

Twitter, of course, has no mechanism for reporting such a miscreant because, technically, they aren’t doing anything wrong.

China Mobile and China Unicom between them account for over 500 million active cell phone accounts, and recently more than 200 million of these users received a stream of unwanted and unwelcome advertisements as text messages - cell phone spam. China Mobile apologized for the messages, and promised to prevent them in future by blocking all text messages from seven companies who focus on online advertising.

Liu Yue, deputy head of the wonderfully-named State Council Office for Rectifying Malpractice, told off both spammers and cellular providers, saying they should “beef up self-scrutiny to correct their wrongdoing, which is profit driven in defiance of public interests.”

Sharp words indeed. Let’s hope that some of that Rectifying Malpractice ire is turned on China’s email spammers, with some sharp teeth added for those who cannot or will not self-police. Perhaps the Golden Shield technology that scans data entering China for banned words could be adapted to prevent “Make Money Fast” emails from exiting the country. Wouldn’t that be poetic; the same dynamic control that limits the access of China’s citizens to “unhealthy material” could reduce worldwide spam by around 10%.

The calls always say roughly the same thing (often leaving automated voicemail), along the lines of:

“Your car warranty is expiring. We have notified you several times by mail.”

or

“Your car warranty has expired! Protect your loved ones with an extended warranty!”

Sometimes, instead of an expired warranty, they will also offer debt consolidation or refinance loans.

In any case, they are after your financial information, and your money.

These calls are illegal, probably under both the Telephone Consumer Protection Act (TCPA), and the Federal anti-spam law, CAN-SPAM.

You can report these calls to the FCC (Federal Communications Commission) - and file a complaint with the FCC at http://www.fcc.gov/cgb/complaints.html.

TinyURL is a service which allows you to enter a gawd-awful long URL, and turn it into a, well, tiny URL, which then forwards to the gawd-awful long one.

But now spammers are abusing the service, using a TinyURL link to their website in their spam, rather than their true website link, presumably so that their website domain doesn’t get blocked by anti-spam services - or even because their website domain is already being blocked by anti-spam services.

In some instances, the TinyURL service is being used as a conduit for affiliate spam - where the affiliate cloaks their affiliate link with the TinyURL - this has the added creep factor of not only cloaking the domain of the program the affiliate is spamming for, but helping that domain avoid detection as having their affiliate program work with spammers (which can carry harsh penalties under the Federal anti-spam law, CAN-SPAM).

Take, for example, this spam below. Note the TinyURL link, which we have bolded here for your reading ease - it resolves to http://www.advanced-intelligence.com/index.html?2735 - that 2735 at the end is almost certainly an affiliate identifier. Sorry, Advanced-Intelligence.com Affiliate #2735, no sale today!:

“I was recently reviewing Spy Gadgets sites in some of the major search engines and I came across your web site: Theinternetpatrol.com. Out of all the sites I came across yours really stood out for me and If you could please spare me just two minutes I have a business proposition for you as you are in the same market as I am.

P.S. I hope you don’t mind me emailing you it’s just your web site really stood out from the others I came across during my research.

But by far the most high profile is Alan Ralsky - authorities estimate that Ralsky is responsible for pumping tens of millions of spam messages throughout the internet every day. As such, he has engendered a great deal of hostility, and has earned mention both in Spam Kings and Spam Wars.

Even Ralsky’s own attorney, Philip Kushner, can’t seem to quite bring himself to say with a straight face that Ralsky’s not a spammer, and he seems to understand the public’s disaffection with his client. “There’s a lot of people who are hostile to spam and I understand that,” said Kushner, “but it’s a separate question about whether he’s done anything illegal.”

The current charges against Ralsky, son-in-law Bradley, and the nine others include efforts to use botnets to send their spam, perpetrating a pump-and-dump spam scam for a worthless Chinese stock which, once inflated in value by their spam campaign Ralsky and the others quickly dumped, and falsifying header and other email information intended to disguise the origin of their spam.

The indictments are the result of a three-year cooperative investigation by the FBI, the IRS Investigation Unit, and the U.S. Postal Service.
he three-year investigation was handled by the FBI, U.S. Postal Service and IRS Crimiminal Investigation.

The act of scraping websites to collect email addresses (to then spam them) is known as harvesting email addresses. Email address harvesting is still one of the more popular methods of building lists of email addresses to send spam to. And email addresses posted by people in comments on blogs, social network sites, or really just about anywhere else, are fair game.

So how can you let people know how to contact you by email while still protecting your email address from spammers?

Here, using the email address test@example.com as an example, are various ways you spell out your email address, while still thwarting the email address harvesters:

1. Spell out the “@”, like this:

test at example.com

2. Spell out the “.com” like this:

test@example dot com.

3. Spell out the entire thing, like this:

test at example dot com

4. Use a graphic which shows the email address as an image, like this:

(The above is really a graphic image!)

5. Write the email address in HTML character code, instead of traditional letters. For example, while this looks normal to you:

test@example.com

..we have actually written it in HTML character code, in which every letter and symbol is represented by a special HTML code, which your web browser translates to display a letter, but to another computer it doesn’t look like an email address at all.

Here are some sample HTML character codes:

You can find a complete chart of the HTML character codes here.

Here at the Internet Patrol we actually use a nifty program called Spam Stopper to do the HTML character encoding for us, however you can do it right online, for free, using this free HTML code email address encoding page offered by Jean-Marc Rosengard of Syronex!

Using Mr. Rosengard’s page, you can encode your email address, and then save it somewhere. Whenever you want to post your email address to the Internet, copy and paste that code, instead of typing in your email address.

It doesn’t matter which of these methods you choose to make your email addresses spam resistant - you may even choose to use another method. The important thing is that you don’t post your regular email address, in plain text, for all the world - and all the spammers - to grab.