Filters are not good enough to get rid of spam and, if your email address has been exposed as mine was, at some point you have to get rid of it and start all over again. And even if you do and it's your own server, the connection attempts keep coming, if you have a catch all address it will fill up your disk, no matter what you do you have to pay for the bandwidth, the processor time and the storage space plus the maintenance.
Scams and phishing are easy to spot and ignore if you're aware of it, but what about those who fall for it. You can say that most of the "victims" of nigerian scams are greedy and inmoral, even if they're not commiting a crime they think they are and fine with it. But some others are inocent victims, even good caring persons that fall just to help someone in need. And those falling for phishing are common users of internet services trying to comply with the politics of the site (or what they think is a policy of the site).
So I've decided to do something about it. Not much really, because I don't have the resources or the position to go any further. But I'll do my best with my lunch hour.
I'm taking action against all scams and phishing messages I receive.
I report the messages to mail administrators, also to the ISPs of the source node of the message (if available).
I report the links to the server administrators if there's a phishing page, to the ISP is there's no answer from the server.
And I'll keep this blog to tell the world (or the two guys that will read this... and you, mom) about how I'm doing it, the results, advice to other who may want to join and to bring awareness about the problem in general.
Today, I'm going to talk about phishing. Phishing is a way to get your personal information, mostly user names and passwords, through a web page. It all starts with a message sent to you from someone you have a service contract with. At least it looks like it comes from them, but the truth is that the phisher is fooling you. They use mass mailers, they don't know if you have an account or not and they use the format and the images that the real service provider would.
The service could be Paypal, your bank or any other service with internet access. Most of the time, the message is about a security issue. A change in the security system, your account has been under attack, the database went down, etc. To solve the problem, and to keep your access working, you have to click on the link provided, log in (with your user name and password) and fill a form (with personal data that may include all your credit card information).
The link looks like it belongs to the real server, but in the code of the message it points to another place where the phishing server is located.
You may think this is a risky business but is not. I rarely find a page in a server owned by the phisher, it has to be a very stupid one to pay for it knowing that it will be shutdown as soon as someone notice it and that he'll get no refund (if he's lucky, if he's not he may end up in jail).
Tipically the phisher hacks into someone else's server and set the page, it could be through a vulneratbility in the management software or a weak password. This is easier now that the hosting services around the world are using a limited number of management systems, once one vulnerability is found is passed around fast. Also the scripts for blogs and forums are very popular and used all around the net and they have too vulnerabilities. All these web interfaces are vulnerable because they need administrative rights to do their job, and that means that once you find the hole you can do with the server anything you want. In some other cases, someone with rightful access to the server, abuse it for his own benefit.
One way or the other, once the page is set the administrator has no easy way to find out.
The rest of the job is spam, mass mail the bait and wait for the "phish" to come.
Here's an intereting case (the page is active at this time but I'm in contact with the page admin and he's woking it out, the name of the domain is masked)
This is how a phishing link looks like in the source code of the message
What you see in the message is https://www.wainwrightonline
The site is a board for car enthusiasts, is not ran by computer experts and they were shocked to find out what was going on under their noses. To make matters worse, the one I could reach has no idea how to fix it. So the page will keep running for while.
And this is something to think about, the net is so big now, so user friendly, so open that is vulnerable to this kind of abuse. The site owner may be a responsible person and the site as clean as his owner thinks it is, but is not. Who's to blame? The phisher of course, but he's nowhere to be found, he won't take the page down even if you reach him. We need to take the page down, now, and the only one who can be reached (if) is unable to do it.
The moral of the story is, web sites should have a contact to report this problems. Form, email, whatever, it has to be published and easily accesible for a human. Use _at_ instead of @ if you're worried about your address farmed for spam. And someone has to read the reports and do something about it, I know, it's a lot of work but it's the price of the internet.
Plan B, maintain the current situation and they'll run the net. Spammers will turn all email worthless, scammers and phishers all online services useless. You may say that it's all because most of the internet users are too stupid to protect themselves, I agree (maybe not the "stupid"part). But the key word here is "most", etiher if you're running an online service or just publishing your stuff you know that they're your market. Without that market, you have no reason to be here.
Plan C, a highly regulated media. All access controlled, all sites under surveillance. The result? Astronomically high cost and poor content.
Which way do you want to go?