It seems amazing that a single firm can be responsible for so much spam traffic. Security researchers have been watching McColo and collecting evidence of wrongdoing for over a year, and they were the ones who eventually brought the evidence to McColo’s ISPs and asked for the shutdown. U.S. law enforcement officials aren’t giving statements about the case or about the potential repercussions for McColo’s spamming actions. After all, firms like McColo provide a service, and they frequently claim ignorance when a client misuses that service, making them tough to blame for annoyances like spam traffic. Shutting them down is frequently difficult, because as frustrating as spam is, it isn’t illegal. In this case, McColo might have broken no laws, and they haven’t been charged with any crime. The spam decrease, however, is a welcome change for the companies and consumers who monitor its traffic. 

Of course, the respite won’t last; experts caution that the slowdown in spam is only temporary because other servers will start taking up the slack. In fact, you might have noticed your spam inbox filling up once again with the usual assortment of ads and scams. But we can take some hope from this case, at least. Everyone from the security professional to the average consumer is fed up with spam, and finally, some steps are being taken to help curtail it. Perhaps more pressure from a frustrated community could help to shut down additional spam servers worldwide, or perhaps a “Do Not Spam” list will eventually be created to spare our accounts from the onslaught. With annoying sales pitches, false advertising and identity-stealing scams peppering our email accounts daily, a change can’t come too soon.  

Sources for this article: The Washington Post. Photo courtesy of freedigitalphotos.net.

Lose Weight With Your Mate! - Flush out up to 25 pounds - Remove Deadly Toxic Buildup - Relieve Constipation and Bloating - Best of all, you can try it FREE!* Get Your FREE Bottle and Colon Health Kit Today! http://z12.e-booksmarts.com/r/777/3448727/830.htm *Plus S&H Unsubscribe: http://z12.e-booksmarts.com/r/777/3448727/831.htm ColonMed700 3600 Oceanview, Glendale CA 91208

Here are the things that really jump out at me from this spam message:

1. Of course, it was unsolicited, which is what makes it spam. But it’s so far from anything I might have wanted to know about that it’s not even remotely linked to my buying preferences and interests. I can’t imagine a moment in which I might want to read about colon cleaners in my email, and yet, here it is.

2. “Lose weight with your mate” - What does this have to do with anything? Does my mate have to be a part of this cleansing process? What if I’m mate-free? This phrase is probably there for the rhyming catchiness and for the fact that everyone likes to do things with their mates (although hawking a colon-cleaning product as a bonding benefit for couples might not work the way they expect).

3. “Flush out up to 25 pounds” - I get the charming “flush” reference, but 25 pounds?? I suspect that my entire intestinal weight is less than that, let alone what’s in my system. So now I have a healthy fear of this product, since I’m pretty sure most of my internal organs would have to be removed in order to reach that touted 25-pound weight loss. Truth in advertising? I certainly hope not.

4. “Remove deadly toxic buildup” - There are deadly toxins building up in my body?? Maybe so, but I doubt a laxative will fix that. The use of “deadly,” however, is a classic scare tactic to motivate buyers. Too bad the spammers probably lost most readers before they even reached that line, thanks to number 5…

5. The text above is the entire contents of the spam message. It has no graphics, no fonts, no testimonials, and no more information about the product. It’s so small and plain that it breaks almost every rule of visual marketing. As a means of sucking people in, this falls very short. After all, even if I hadn’t been in the market for a colon cleaner, a snazzy message with bright colors and happy customers might have intrigued me. In theory, anyway.

6. FREE - They mention “free” twice, in big letters. Really, they claim, it’s free! Except for that tiny asterisk that notes the added, undisclosed cost of shipping and handling. They also say you can “try it” free, not just get it free; in most cases, “try it free” means “you get a short trial period until we start charging your credit card for the astronomical recurring costs of this product,” at which point you end up frustrated and trying to cancel the charges before they add up. In just about every case, “FREE” isn’t free at all, but spammers love to use it.

7. The date - What you can’t see in the text alone is that the email was date-stamped on 1/18/2037. Since that’s in the future, the email will stay on the top of the inbox as long as the user doesn’t delete it, keeping the lovely colon-cleansing ad front and center for as long as possible. Lots of spammers mess with the dates on emails in order to manipulate where they end up in the inbox. Some take the opposite tactic and put a much older date on the email, making the new message appear at the bottom of the list so that the user has to hunt for it in order to delete it.

8. The small bit of good news: The spam does include an unsubscribe link and an address for the company, and while either or both of those might be bogus, it’s a nice touch that almost makes it appear that the marketing company would rather not send you colon cleaning ads if you don’t want them.

So for this spam ad’s unsolicited nature, random content, dishonest advertising, manipulation of the calendar and unappealing design, it officially becomes part of the Marketing Hall of Shame! Congratulations! Sort of.

Some consumers mistakenly think that being on the Do Not Call list means that they will receive no solicitation calls for any reason, but there are exceptions to Do Not Call. One exception is for political campaigns, and another is for charities. Legitimate charities are not restricted in their telemarketing calls by the Do Not Call list; less-than-legitimate charities, though, are one way that some people try to skirt the Do Not Call list and make some money. So how can you tell whether the charity calling you for your holiday contribution is really legitimate and trustworthy?

First, ask questions to find out where the money really goes. On average, charities get just 40% of the money that telemarketing companies collect in their name. In some cases, the telemarketing company keeps 90% or more of all the money they collect on behalf of the cause they are purportedly working for. As awful as it sounds, this practice is legal; the Supreme Court case Madigan v. Telemarketing Associates ruled that telemarketing companies can keep almost all the money they bring in, as long as they don’t claim that more goes to the charity than it does. Charities claim that even a small percentage makes a difference for them, but if you want to give to a worthy cause, you probably shouldn’t do it via telemarketer, since you’ll also be lining the pockets of the telemarketing company.

I’ll give you an example from my personal experience: A man called me once on behalf of the “fraternal order of police,” asking me to contribute to police officers in my area and delivering an emotional plea for the cops who needed me. I asked him, “Are you with the police?”

“No, ma’am,” he replied.

“So you work for a third-party company doing the solicitations?” I asked. (This is exceedingly common, of course, and doesn’t mean a charity is less than reputable.)

“Yes, ma’am.”

“Is your company a for-profit company, or a non-profit company?” I asked.

“For profit.”

Ah. Now we were getting somewhere. “So what percentage of my donation actually goes to the police?” I asked.

“Well,” he said, back on script, “Ten percent of the money that goes to the police goes to…”

“No,” I said. “What I mean is, if I give you $100, how much of that $100 goes to the police, and how much stays with your company?”

“Um, I don’t know that, ma’am.”

“Because you see, I know your company wants to make money, and I know that many telemarketing companies who solicit for charities only donate a small percentage to the charity itself. So why would I give any money to you, when I can just give it directly to the police in my area and make sure that it ALL goes to the cause that I support?”

“Well…” he didn’t have an answer.

I hung up with a clear conscience, knowing that any “donation” I made to this caller’s company would have mostly gone to the company itself, not to the cause they claimed to support.

By law, the telemarketer has to give you their full name, the company they work for, whether they’re paid for their job, etc., but you have to ask first. They’re not required to volunteer that info, and they’d usually prefer you didn’t ask. Legitimate charity calls will not have anything to hide when you ask them these questions.

Protecting yourself and your charitable donations doesn’t stop there, though. Make sure you never give out sensitive information, such as a credit card number, Social Security number, or bank account information, over the phone. Don’t give out your mailing address; instead, offer to confirm the address they have on record, and even if the address is wrong, confirm it anyway. If they have the wrong information for you, it might be a way of trying to trick the RIGHT information out of you, so don’t tell them what the real information is. Don’t give out your email address, and don’t let the telemarketer send you to a website to pay your charitable pledge, since that website might be a scam site that was set up to look legitimate and collect personal info from victims.

If you want to make a contribution but want to be safe about it, ask the telemarketer to send hard copy donation information to the address they have on file. If it’s wrong, just play along until you say goodbye and hang up, then look up the address of the charity you want to support and send them your contribution directly. That way, you’ll know that your money is going where you want it to go. All charities are happy to take direct donations if you offer them, and bypassing the telemarketing company entirely means that your identity is safe.

You can’t do much about charity telemarketing calls, since they’re exempt from the Do Not Call list, but you can take steps to keep your identity safe and make your contributions count among the charities you prefer.  

Sources for this article: Associated Content, North Carolina Attorney General’s Office, MSN.com 

Privacy Council wants you to know just how much waste is due to junk mail and catalogs. In a given year, it’s estimated that 19 billion catalogs are mailed to consumers. Of those, 5.6 million tons of catalogs and direct mail ads are put into landfills. That’s so much waste that it’s hard to comprehend! According to Worldwatch Institute (as quoted at Carbonrally.com), the United States has 5 percent of the world’s population, but consumes 30 percent of the world’s paper. Can we recycle it? Sure, but according to the Center for a New American Dream, only 22 percent of junk mail is recycled today. Besides, that doesn’t even begin to address the energy and trees used in making all the junk mail in the first place, then recycling it later. It’s a blow to the environment on several fronts, but you can do something about it.

First, sign up for Privacy Council’s environmentally-friendly service and get yourself removed from the major catalog mailing lists. This will drastically cut the amount of junk mail you receive, so you’ll know you’re doing your part to reduce the paper waste. How much waste can you personally help to prevent? Estimates indicate that, on average, consumers receive 110 catalogs per household per year, so over ten years, you could help to keep more than a thousand catalogs from ending up in a landfill. That makes a real difference.

Also, make sure that you aren’t granting companies the right to sell your contact information to mailing lists when you sign up for a new product or service (check the fine print and opt-out whenever possible). Finally, if you still want to receive a few specific catalogs during the holidays, contact those companies directly and ask them to send you their catalogs, perhaps at a lesser pace (instead of four or five catalogs per company during the holiday season, for example, the company could send you just one or two catalogs). 

‘Tis the season to be festive, but don’t forget about the environment!   

Sources for this article: Center for a New American Dream, Carbonrally, The Virginia Gazette    

Mitnick described how easily a hacker might call a company, ask for some seemingly-harmless information, and use it to get more sensitive information out of the company’s computers. He spoke about how smooth-talking tactics from someone who claims to be part of the company are sometimes all that’s needed to get to the important data, and that the criminals play on the fact that we as humans have an inherent desire to help others, even when we don’t know them personally. Mitnick painted a picture of a hacker (he used to be one of the best) who could simply use the staff directory information posted on a company’s website to call the right people, say the right things, and hang up with the keys to the kingdom. He made it sound both simple and widespread. The presentation left me and my fellow listeners a little stunned, and more than a little paranoid.

The main issue at the heart of social engineering tactics, Mitnick said, is that we as humans are trusting, helpful people. We don’t really believe someone could steal our identities until it actually happens to us. We don’t think to question it when “Bob from Accounting” calls for some simple information, even if we’ve never met Bob personally. And the helpfulness and trust don’t stop at work; Mitnick mentioned how nine out of ten people in London were willing to tell a stranger their password in exchange for a cheap pen, and how others will happily disclose their pet’s name or the school they attended, forgetting that those questions are the same ones used to verify accounts online (Privacy Council posted an article about protecting those security questions in September).  Psychological manipulation, he noted, is easier than breaking into a computer system.

Phishing is one form of social engineering attack, since it tries to trick the victim into clicking a link in an email and giving away sensitive information. Phishing works because it often attempts to use fear and urgency as motivators, sometimes by saying “your account will be closed if you don’t click immediately.” More recent phishing attacks contain a phone number for victims to call to “verify” their information, but instead of calling the bank or other organization, the victim is calling the hacker. This combination of deception and manipulation can lead to disaster for those who trust it.

Mitnick did touch on some newer technology threats in his talk; for example, USB drives left lying around can contain malware that lets a hacker see and manipulate the computer desktop of whoever plugs the drive in. He also rehashed old-school hacking techniques, such as Dumpster diving (it’s amazing in this day and age that many companies still don’t shred sensitive documents before putting them in the trash). He handed out business cards that double as lockpick sets, and he played with Caller ID spoofing technology that allows a caller to fabricate the number on a victim’s Caller ID. He told tales of past hacks, both his own and those of other notorious hackers, and he engaged and entertained the crowd for nearly two hours. But everything he said and did served to bring home an important lesson: To have an adequate security system, companies and individuals have to have not just technology, but also people and processes that are prepared to handle all kinds of high- and low-tech attacks.

So how can you protect yourself and your company against social engineering? Don’t share your information unless you REALLY know who’s asking for it, and train your staff to do the same. Test your staff by calling and pretending to be someone else who needs data, and see how they respond. Also, don’t ever write down passwords and put them on Post-It notes on your computer screen or under the keyboard. Shred everything that contains information about you or your company, from credit card offers to company directories. Adopt a “less is more” approach to information-sharing. Don’t use your mother’s maiden name, Social Security number, or birthdate as the security answers on any sensitive accounts (SS numbers, birthdates, addresses and even mother’s maiden names are part of the public record in many states and can be accessed for a fee). Play your cards close to your chest, and you have a chance of protecting what’s yours.

There’s no way to avoid EVERY attack, and a talented hacker might still use a combination of technology and manipulation to gain information. But you can still try to be ready for the worst; if anything, think like a hacker, and don’t share your information unless you’re sure!

For more information about Kevin Mitnick’s services and books, visit Mitnick Security.

After 30 days of providing open membership to our community-driven list removal service, we’re proud to announce the 500th member.

Collectively, we’ve removed everyone from 4,320 marketing lists, including Do Not Call and all of the direct marketing and catalog lists.

This has reduced waste from junk mail, and hopefully, improved the quality of your life.

If you are still receiving any form of unwanted solicitation, I invite you to please email me personally, and I will assign the appropriate resources to work to end this solicitation.

jhartman@yovia.com

Spread the word,
Jalali Hartman

You can imagine my confusion: I hadn’t sent any spam emails selling vitamins and supplements, but I was receiving the undeliverable spam messages back to my account. Sure enough, in each message, the “return” address was listed as mine! Now I was concerned. I followed the link in the emails and contacted the company about the my email address being used as the return address on their spam messages (no one responded to me). I also contacted Yahoo! and let them know that I was receiving these “undeliverable” messages, but that I hadn’t sent them in the first place. In short, I was inconvenienced, annoyed, and slightly violated because of spammers using my perfectly legitimate email account as their own return contact.

As it turns out, I wasn’t alone in my “undeliverable” spam troubles, and this problem is growing worse. There’s even a name for it: Backscatter spam.

According to USA Today, backscatter spam now makes up 3 percent of all email sent, and it clogs up the email accounts of hapless users. Backscatter spam consists of NDR (undeliverable) messages, but it’s also floods of “out of office” autoreply messages, waves of “confirm your subscription to our service” emails, and misdirected virus alerts. Spammers create this problem by collecting legit email addresses (like mine), often by employing viruses that attack corporate databases and steal the data. Email addresses that have been in use for a long time (again, like mine) tend to be good targets because they’ve been “floating” around in cyberspace for a while. The real email addresses are then “spoofed” so that any emails the spammers send look like they’re coming from the real email accounts, not from the spammersthemselves. The holder of the legit account is unaware of all of this, meanwhile, until the “undeliverable” spam emails – those sent to inactiveaddresses that can’t receive email - start bouncing back. They go to the return address that the spammers provided, which of course is the one that belongs to the victim. The bounced messages can pack the victim’s inbox full and create a very large headache.

Why would spammers do this? Aside from the obvious desire to avoid bounce-back emails themselves, spammers know that most emails sent without a valid “From:” address (or those sent from addresses and/or domains that are known as spam originators and are blocked accordingly) don’t reach their destinations. A forged return address gives an air of legitimacy to the mailing. The spammers aren’t using your server for their mass mailing; they’re just using your email address in the “From:” field.

How many messages are we really talking about here? Spam email lists are notoriously inaccurate, as a high percentage of the emails on the lists are no longer active or deliverable. Of the undeliverable emails sent, most will simply disappear, but 7-10% of the emails will be accepted by the server on the other end, then sent back as undeliverable later. These are the bounce-backs that end up causing the problem. As Al Iverson wrote on his Spam Resource blog, the math is simple: if a spammer sends 2 million messages in a single mailing, and 40% of the email addresses he uses are invalid, and 9% of those invalid addresses send the message back as undeliverable, that means that 72,000 bounce notifications will go to the return address listed on the spam emails. And that address might be yours or mine.

So what can you do? For one thing, don’t contribute to backscatter yourself. Don’t use a “challenge/response” anti-spam program, since your automated challenge/response messages are a form of backscatter, and they make life more difficult for other legitimate users. Also, don’t use an “out of office” auto-response message if you can help it… Again, this is a form of backscatter, and worse, it lets spammersknow that your address is active. Finally, don’t use a fake bounce-back anti-spam system (a system that sends fake bounce-backs in response to spam in the hope that spammers will take your address off their lists when the spam is undeliverable) – your bounce-back doesn’t go to the spammer, as we’ve already made clear. It goes to a victim whose email address was spoofed as the spammer’s return address, and your bounced message just becomes another of the backscatter messages that the victim receives. Since the spammers never receive the bounced message, they don’t update their own mailing lists based on the bounces, so the fake bounce-back systems are pretty useless.

As for stopping backscatter from hitting your own inbox, it’s generally hard to prevent it if a spammer has used your email address in the “From:” field. A spam filter sometimes helps to stem the tide a bit, so make sure you have one. Also, if you have a domain with a catch-all mailbox (an email inbox that catches any emails sent to your domain that aren’t sent to a specific user’s mailbox), you can deactivate the catch-all, since most backscatter spam heading for your domain will end up there as the spammers try different variations of emails for the return address. Check with your ISP or hosting provider on how to eliminate the catch-all address while still receiving emails directed at specific mailboxes or at certain required accounts, such as “postmaster.”

Backscatter is annoying, but if you get spoofed and end up with an inbox full of undeliverable email, you can rest assured that your reputation is probably safe. Few people in today’s world of spam email believe that the “From:” address in a spam message is the actual source of the message. If you do get backlash from an angry Internet user, show them this article; after all, they might be the next personspoofed by spammers.

Sources for this article: USA Today, Al Iverson’s Spam Resource blog, SpamNation

Photo attributed to freezelight, posted to Flickr, licensed under Creative Commons Attribution-Share Alike 3.0

“Hello. I’m calling for John McCain and the RNC because you need to know that Barack Obama has worked closely with domestic terrorist Bill Ayers, whose organization bombed the U.S. Capitol, the Pentagon, a judge’s home and killed Americans. And Democrats will enact an extreme leftist agenda if they take control of Washington. Barack Obama and his Democratic allies lack the judgment to lead our country. This call was paid for by McCain-Palin 2008 and the Republican National Committee at 202-863-8500.”

Here is the robocall’s full audio.

This is just one of the thousands of Political Robocalls from both parties that have been flooding phone lines in battleground states. According to a recent report by CNN, some voters are receiving as many as a dozen automated calls per day.

Some states, like Maine, are cracking down, claiming this is a violation of personal privacy.

According to Wikipedia, even those who have opted into the National Do Not Call Registry may still receive these calls, as political parties are exempt from the rules set forth during the formation of this registry.

Are these calls really effective, and why should we have to put up with this violation of our personal privacy?

Comment below to join the petition.