11 Jul 10

419 SPAM From a Texas Hospital

I have a lot of security delicacies “on my plate” but SPAM isn’t one of them.  Back at the salt mines, that’s someone else’s problem.  Suffice it to say I’ve ignored the subject for years, considering it’s fairly well handled by all the Web mail accounts I have floating around (Yahoo, Hotmail, Gmail, et cetera).

I never even look at the stuff.

However, there is this woman – let’s call her “Helen Dink” – who is no relation to me but by some strange quirk of fate we share the same ISP.  She believes her e-mail address is hdink@myisp.com, but it’s not.  That’s my email address.  I’ve had that address for almost ten years now, but whenever she goes to fill out Web forms online she plugs in my email address!

So I get a lot of her email.

This has been going on for at least five years.  I know more about this woman than I want to (yes, she’s a Facebook user).  Her friends constantly send me email about a variety of crap, from Girl Scout meeting notices to recipes and the like.  It’s incredibly annoying, and for the past few years I’ve been writing them back and letting them know, in no uncertain terms, that I am not “Helen Dink” and to please remove my email address from their “Contacts” folder.

So today I got an email from “Andrea Wilson”, a normal-sounding American name.  Thinking it’s one of Helen’s buddies, I open it up in order to send my standard reply to these things.

But it’s not.  It’s a 419 scam email…

I am Golan Bradley a staff of Natwest Bank, I am pleased to pass across to you a very urgent and profitable business proposal which I believe will profit the both of us after completion. I will await to receive a positive response from you to enable me give more details. Please send your confidential telephone and fax number in your reply to: golan.bradley@removed.com Golan Bradley (Mr.)

The security wonk inside me kicks in and I decide to look at the SMTP headers, thinking I’d be able to track it back to Nigeria or Cameroon (hi, fellas!).

But the headers were extremely legit.  The email went through two Exchange servers, a Symantec Brightmail Gateway (an anti-SPAM device), and a ZIX encryption device before ending up at my ISP.

“Andrea Wilson” turns out to be a Real Person™ who works at a hospital in Texas.  And, not surprisingly, she’s an active Facebook user.  Obviously her workstation or laptop or whatever had been summarily pwn3d and was being used to deliver 419 SPAM for person or persons unknown.
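Walking a relay path like the one above, as an added example that is not part of the original post: a small Python parser over a constructed set of Received: headers whose placeholder host names mirror the chain described (two Exchange hops, Brightmail, ZIX, then the ISP’s MX). It lists the hops in delivery order, checks that each hop hands off to the next, and picks out the one hop the receiving side can actually vouch for, since everything beneath the ISP’s own Received: line is only what the sending side recorded.

```python
import re
from email import message_from_string

# Constructed sample mirroring the hop chain the post describes (two Exchange
# servers, a Brightmail gateway, a ZIX gateway, then the ISP's MX). Every host
# name and address here is a placeholder, not a real one from the incident.
SAMPLE = """\
Received: from zix-gw.hospital.example (zix-gw.hospital.example [203.0.113.7])
\tby mx1.myisp.example with ESMTP; Sun, 11 Jul 2010 09:12:44 -0500
Received: from brightmail.hospital.example ([10.0.0.5])
\tby zix-gw.hospital.example with ESMTP; Sun, 11 Jul 2010 09:12:43 -0500
Received: from exch-hub.hospital.example (10.0.0.20)
\tby brightmail.hospital.example with ESMTP; Sun, 11 Jul 2010 09:12:42 -0500
Received: from exch-mbx.hospital.example ([10.0.0.21])
\tby exch-hub.hospital.example with mapi; Sun, 11 Jul 2010 09:12:41 -0500
From: "Andrea Wilson" <awilson@hospital.example>
To: hdink@myisp.example
Subject: business proposal

I am Golan Bradley a staff of Natwest Bank ...
"""

# "from <host> ... by <host>" is the part of a Received: line that records one hop.
HOP_RE = re.compile(r"\bfrom\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)")

def relay_path(raw):
    """Hops as (from, by) pairs in delivery order, earliest first.
    Each MTA prepends its own Received: line, so header order is newest-first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold continuation lines
        if m:
            hops.append((m.group("frm"), m.group("by")))
    return hops[::-1]

def chain_is_continuous(hops):
    """True when every hop's 'by' host is the next hop's 'from' host.
    A break is a common sign that the sender spliced in forged earlier lines."""
    return all(a[1] == b[0] for a, b in zip(hops, hops[1:]))

def external_entry(raw, own_mx):
    """The host that handed the message to our own MX. That line was written by
    a server we trust; every line beneath it is only what the sender side claims."""
    for frm, by in relay_path(raw):
        if by == own_mx:
            return frm
    return None
```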

Well, that’s her problem.

I briefly toyed with the idea of writing her back and suggesting she have the IT department check out her box, but that’s a notoriously bad idea and generally frowned upon (this comes from the heyday of email viruses, when sending a “HEY ASSHOLE YOUR COMPUTER HAS A VIRUS” email only served to exacerbate the problem).

Maybe I’ve been away from SPAM for too long, but it seems unusual to see legitimate SMTP headers from an obviously corporate environment, considering that lately the vast majority of SPAM comes from Yahoo, Gmail, Hotmail, et cetera.

Everything old is new again.


3 Responses to “419 SPAM From a Texas Hospital”

  1. New to proxies, Aug 5th, 2010 at 12:22 pm

    Hey HinkyDink, I couldn’t find a method of contacting you, aside from the private whois email, which I don’t trust will actually deliver my message, so I’ll use this comment box instead.

    Would you be interested in sharing your sources of proxies? I know about the usual blogs (elite-proxies, proxycollections, etc.), but you always seem to be one step ahead of them. I suspect they are getting their proxy lists from other sources.

    Also, I’ve noticed a few anomalies lately that I thought I’d bring to your attention. The proxies listening on port 9415 (KoobFace?) are no longer working. They just respond with “error” no matter what URL you request. So you may want to remove them.

    Another thing worth mentioning is that a lot of high anon port 80 proxies, especially those with low latencies, appear to be re-routing through the IP 74.115.6.57. Some preliminary research leads me to believe that this is some sort of VPN provider. So either those proxies are customers, in which case I doubt they’d be too happy to know that they are functioning as open proxies, or they’re nodes set up by the VPN provider themselves (for whatever reason).

    You also mentioned in the past that you were going to start listing socks proxies. Any progress on that front?

    Thanks.

    Note: I may have posted this comment 3 times with slightly different wording and additional information each time, but they don’t appear in the comments section, so I’m posting it here instead. Sorry if this is annoying. I know you probably have some sort of comment approval system turned on, but I like to have some sort of instant notification.

  2. hinkydink, Aug 5th, 2010 at 7:53 pm

    Sorry, Hinky doesn’t share. But I assure you I have no private sources. Everything is scraped from other proxy sites, the very same ones you get when you search for “proxy list” on Google.

    For a while I had a couple of “secret” sources (still Google-able, but buried deep in the results), but those have dried up for the most part.

    I was not aware that Koobface had switched to 9415, if that is the case. Yesterday there was a shitload of Chinese proxies on 9415, but I check China more often than the rest of the world so they should fall off pretty quickly. Chinese proxies have always been short-lived.

    Otherwise, everything gets rechecked when the list hits 750 proxies. That usually clears out at least two-thirds of the list.

    It’s somewhat rare that proxies will forward to other IP addresses, but it’s been known to happen.

    I have thousands and thousands of SOCKS candidates but have never come up with a decent way to test them with anything but HTTP, which is not what SOCKS proxies are best at. And a lot of SOCKS proxies don’t even do HTTP at all.

    I get a lot of comment SPAM, but I haven’t seen anything from .tw until now. I haven’t seen anything similar. The whois mail does work but I never answer it.

    The whole project is winding down. I’m at the point where I have to “publish or perish”. I don’t see it continuing after the first of the year (2011), but since everything runs so well on “auto” I may just let it run.

    Thanks for not SPAMming!

    -Hinky

  3. Pingback: TCP 9415 Proxies at Hinky’s Proxy Obsession, Aug 6th, 2010 at 7:37 am