Right before Thanksgiving, we ran a Tip on "pump-and-dump" scam emails – emails containing fraudulent stock tips. A colleague forwarded an interesting variation of this scam. This message uses several different techniques in an attempt to circumvent the company’s spam filters.

As with most such scams, notice that the message is urgent and tied to a date: “It’s going to explode on Monday Nov 13th”. The scammer probably dumped the stock right around that date. Looking at the stock’s trading history, this scam probably worked. On 13 Oct, this stock cost less than a penny a share. On the 13th, it spiked up to $1.14. One week later, it was at $0.65 and falling.

Note that the scam part of this message is included as a picture, not as text. It has a lightly tinted background and tiny “threads” scattered through the image. To a human, they look like the small imperfections you sometimes see in high-quality paper; we easily ignore them and read the text. Their real purpose is to disrupt the computer’s ability to perform optical character recognition. Because the filter cannot fully read the text, the message doesn’t earn as many “points” toward being classified as spam.

Second, note that the message is crafted to appear to be a reply even though John has never sent anything to this person. The hacker is hoping that we have a “whitelist rule” that would exempt all return messages from filtering. (That’s a common rule for companies that have had problems with good messages getting blocked as false-positives.) Unfortunately, it is trivially easy to spoof an address in an email. With the right editor, you could make your emails appear to come from the President of the United States. And while that’s certainly unethical and sometimes illegal, it’s almost impossible to trace the culprit. Email was never designed as a secure communications channel.
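One way to keep a “replies are exempt” rule from being abused is to exempt only messages that can prove they are replies: a real reply carries In-Reply-To or References headers that name a Message-ID we actually sent, while a bare “Re:” in the subject proves nothing. The check below is an added example, not code from the original Tip; the message samples and the set of sent Message-IDs are constructed for illustration.

```python
"""Exempt a message from spam filtering only if it is a verifiable reply.

Added example: the Message-IDs, addresses and messages below are constructed
for illustration and do not come from the original article.
"""
from email import message_from_string

# Constructed: Message-IDs of mail the organisation really sent (a mail gateway
# would record these as outbound mail passes through).
SENT_MESSAGE_IDS = {
    "<20061120.1531.abc123@mail.example.com>",
}

# Constructed: a genuine reply, threaded to one of the messages we sent.
GENUINE_REPLY = """From: partner@example.org
To: john@example.com
Subject: Re: Q4 budget
In-Reply-To: <20061120.1531.abc123@mail.example.com>
References: <20061120.1531.abc123@mail.example.com>
Message-ID: <reply-1@example.org>

Thanks, looks good.
"""

# Constructed: a message that merely looks like a reply. The From header is
# forged and the subject starts with "Re:", but nothing threads it to mail
# we sent, which is the pattern the article describes.
FAKE_REPLY = """From: john@example.com
To: john@example.com
Subject: Re: hello
Message-ID: <x1@example.net>

(see attached picture)
"""


def referenced_message_ids(raw_message: str) -> list[str]:
    """Collect every Message-ID the message claims to be replying to."""
    msg = message_from_string(raw_message)
    refs: list[str] = []
    for header in ("In-Reply-To", "References"):
        value = msg.get(header)
        if value:
            refs.extend(value.split())
    return refs


def is_genuine_reply(raw_message: str, sent_ids=SENT_MESSAGE_IDS) -> bool:
    """True only if the message references something we actually sent.
    The From address and the 'Re:' subject are deliberately ignored: both are
    trivially forged, as the article notes."""
    return any(ref in sent_ids for ref in referenced_message_ids(raw_message))


def whitelist_exempt(raw_message: str, sent_ids=SENT_MESSAGE_IDS) -> bool:
    """Decision for a 'skip filtering for replies' rule."""
    return is_genuine_reply(raw_message, sent_ids)


if __name__ == "__main__":
    print("genuine reply exempt:", whitelist_exempt(GENUINE_REPLY))  # True
    print("fake reply exempt:   ", whitelist_exempt(FAKE_REPLY))     # False
```

The check is deliberately narrow: it does not try to decide whether a message is spam, only whether it has earned the reply exemption. A threading header can be forged too, but the forger would need a Message-ID we really sent, which is far harder to guess than a subject line or a From address.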

Third, note that the spammer included a block of text at the bottom of the message. To a human, it’s incomprehensible nonsense. To a computer, those are real words in apparently reasonable order. Since the spam filter “weighs” the sales-like content in proportion to all the other content in the message, this nonsense has the effect of diluting the spam score of the message.
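Whether word-salad padding actually dilutes a score depends on how the filter combines per-token evidence. The added example below (not code from the original Tip; the token probabilities and messages are constructed, not trained from any corpus) contrasts two combining rules on the same text: a naive average over every token, which the padding drags down, and the Bayesian rule popularised by Paul Graham, which combines only the most discriminating tokens and is therefore largely indifferent to a block of neutral filler.

```python
"""Naive-average versus Bayesian token scoring on a padded spam message.

Added example. TOKEN_SPAM_PROB holds constructed, illustrative per-token spam
probabilities of the kind a trained Bayesian filter would keep; they are not
taken from any real training set.
"""
import math

TOKEN_SPAM_PROB = {
    # strongly spammy tokens (constructed values)
    "explode": 0.98, "stock": 0.95, "shares": 0.92, "buy": 0.90, "monday": 0.80,
    # ordinary, mostly "hammy" vocabulary (constructed values)
    "meeting": 0.25, "report": 0.25, "garden": 0.30, "river": 0.30, "coffee": 0.30,
    "weather": 0.35, "letter": 0.35, "window": 0.40, "tuesday": 0.45, "the": 0.50,
}
UNKNOWN_TOKEN_PROB = 0.40  # Graham's default for a word never seen in training

SPAM_ONLY = "stock explode monday buy shares"
# The same pitch followed by the kind of "reasonable words, nonsense order"
# block the article describes (constructed filler).
SPAM_PADDED = SPAM_ONLY + " the garden weather report window river tuesday letter coffee meeting"


def token_probs(text: str) -> list[float]:
    """Look up each token's spam probability."""
    return [TOKEN_SPAM_PROB.get(w, UNKNOWN_TOKEN_PROB) for w in text.lower().split()]


def naive_average_score(text: str) -> float:
    """Weigh spammy content 'in proportion to all the other content':
    every token counts equally, so filler pulls the score toward neutral."""
    probs = token_probs(text)
    return sum(probs) / len(probs)


def bayesian_score(text: str, n: int = 5) -> float:
    """Graham-style combination: keep only the n tokens whose probability is
    furthest from 0.5 and combine them with
        P = prod(p) / (prod(p) + prod(1 - p)).
    Neutral filler rarely reaches the top n, so padding barely moves the result."""
    probs = sorted(token_probs(text), key=lambda p: abs(p - 0.5), reverse=True)[:n]
    prod_spam = math.prod(probs)
    prod_ham = math.prod(1.0 - p for p in probs)
    return prod_spam / (prod_spam + prod_ham)


def is_spam(text: str, threshold: float = 0.9) -> bool:
    """Classification using the dilution-resistant rule."""
    return bayesian_score(text) >= threshold


if __name__ == "__main__":
    for label, text in (("spam only", SPAM_ONLY), ("spam + filler", SPAM_PADDED)):
        print(f"{label:14s} naive={naive_average_score(text):.3f} "
              f"bayesian={bayesian_score(text):.4f} spam={is_spam(text)}")
```

With these constructed values the naive average falls from 0.91 to about 0.53 once the filler is appended, which would clear a typical threshold, while the Bayesian score stays above 0.99 for both messages because the five most extreme tokens are the same in each. Real filters also learn that certain padding patterns are themselves a spam signal, but the combining rule is the first line of defence against this trick.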

As we discussed last week, researchers estimate that there are 9-10 spam messages for every good message on the Internet. Most companies have good tools but at those volumes, some spam will always leak through. If it looks like spam, it probably is. Delete it (preferably without opening the message) and move on.
