1/08/2007

Guest writer

Today is Guest Writer day... actually, I don't have an article to post and this mail from a friend came apropos. She's talking about a previous article I wrote about Internet safety in general and passwords. I want to say on my behalf that the problem she has was her own fault. You're supposed to create a rule for your passwords AND REMEMBER IT!!!

Her mail was too long for a comment and too good to be dismissed, so I decided to post it here. The text was edited to suit the requirements of the "Stop the Online Exploitation of Our Children Act" written by Republican senator (and "freedom lover") John McCain, who doesn't seem to be aware that there's a pesky First Amendment that clearly protects the freedom of speech. Anyway, I've censored a couple of words just to keep her safe (and all of your children out there reading this blog). She's my friend and I don't want to turn her in to the feds (but I will if the alternative is to pay $300,000 :-O ).

So, without further ado, I give you the Guest Writer of the day, Alex.

After reading your article on Are you safe? Are you sure? I became, like any normal person would, completely paranoid about the vulnerability of my virtual * posterior *ets. You were so right, everything was out there, open to any interested hacker. I've never been the victim of identity theft or any other online crime. But you know what they say... there's always a first time for everything, so I'd rather be safe than sorry!
Conscious of the importance and severity of the task ahead, I decided to break my procrastinating habits and do it right away. I had your suggestions, which I could completely follow (why not?), and internet access to all my accounts. What else did I need? Nothing! So I merrily went on my way, updating all my passwords. My only personal contribution was to use the nicknames I have for the financial institutions instead of the real name, which usually goes on the address bar, therefore making it easy to guess. Also, for some account types I used 3 letters for the month and for some others the complete month name. Guess one, guess all, you know! I felt immediately gratified and proud of myself.
Hackers getting to my accounts? Not now, not ever, no way, Jose!
A couple of days later I realized that I had also decided not to make any more payments online, so I had a few checks to mail (you can't pay in person here, you know). No problem: checks, envelopes and postage stamps. All set! Like I used to do in prehistoric times, I mailed the checks on Wednesday, knowing they would not reach their destination and post until at least Friday, when my paycheck posts to my account via direct deposit (should I stop that too? Hmmm!). Well, the post office seems to be more efficient now, and some vendors hungrier for money. One of my checks hit my account too early, on Thursday, and bounced for lack of funds. I used to have overdraft protection from my savings account, but I stopped that as a safety precaution. So, there I was, with a delinquent electricity bill and a $30 fee for the bounce. That's okay, I thought, I learned my lesson: don't wait until the deadline, and don't mail ahead of time, you sneaky * woman of dubious reputation *!
Then came the time to make my mortgage payment. To me, it's the most important one, it's the roof over your head. I checked my bank account, and there was enough money there to cover the payment, so I mailed it.
Only to find out that it bounced anyway. Why? Because a couple of the previously sent checks had not posted to my account by the time I checked, therefore inflating my available balance. Thank goodness, the mortgage company didn't really bounce it, they called me. I explained the situation to them, and they waited until Friday (good that I didn't cancel my direct deposit!). Life is good!
Then I went on vacation for a week, to a beautiful ranch in the middle of the desert, but with all the amenities of a 5 star hotel. I had a wonderful time, disconnected from everyday routine activities. Oh, if only it lasted longer than a week! When I came back, I went online to check my finances. But I found a little problem there: did I call Bank of America BofA? Yes, I think I did. Well, it was really 6Of4 (I also replaced all b's with 6). Now... what the hell was the rest of the password? Did I create it in m4rCh or aPri1? I tried them both, but none of them worked, probably I'd used something other than 6Of4. Tried 64nKoF4MeRiC4, but that didn't work either. Maybe I used the complete month name? After 3 wrong attempts, the bank blocked my account, so I had to wait until the next day to try it again, but at that point I ended up clicking on 'forgot my password'. They sent it to me via email.
Another little problem I had was with one of the credit cards. Some crook opened my payment envelope and made a copy of the check before processing it. So, he had my checking account number, my credit card number (memo area of the check, as they instruct you to write it there), and my signature. I had to close that account because of fraudulent charges. The money was returned to my account after a while, but the headache was there.
Oh my God! What a * performing of sexual intercourse * nightmare! I was so relieved when I woke up and realized it was just that, a very bad dream! Right there and then I made up my mind: stay with the good old KISS principle that has never failed me so far. I believe that people somehow manage to attract to them the things that happen in their lives. For instance, if you worry too much about losing your job, you're asking for it to happen. Makes sense?
Maybe not, but my experience shows me it's true. As far as security goes, many web sites require more and more intricate passwords, more digits, combinations of characters, etc. Hackers are aware of it, and they will probably try complex combinations instead of a simple and stupid one.
I'll keep my simple and stupid
Thank you for all your valuable advice. Seriously, I mean it. From now on, I will always look at the address bar.

12/19/2006

Making money on the Internet

The "payment officer" scam is a huge success lately. At least I think it is, because everyone is doing it. A couple of months ago I was getting one of these once in a while; now I get a couple every day.

In case you've missed it, the scam works like this:
You're offered a job as payment officer (or any other name); your duty is to receive payment from customers and send the money to your boss at headquarters. You get to keep a percentage of every transaction (usually 10%). So far so good, it really sounds like a sweet deal, maybe too sweet. But "entertain no fear my friend" (as Nigerians always say), the reason why the company is doing it is because of 9/11, the Patriot Act, laundering controls, etc. that make it too complicated for their customers to pay from the USA to foreign countries (exactly what you're supposed to do).
How does this "job" really work? You get bad checks, forged or stolen. The bank usually lets you get the money before the check goes all the way round. By the time the check bounces, you've already sent the money to your boss and the bank wants it back. The reason why the bank gives you the money in advance is because you're good for it; they don't care about the check (as far as I know this system applies only to the USA). The scammers know this and that's why they'll push you to send the money as soon as possible: they know that the time frame is limited before the whole thing blows up.

The inside of the "company" is a band with access to the real stuff and freelance "bosses" recruiting marks over the net. Once your boss gets you on the hook, you're presented to the company as a prospect. If they like what they see (your name, address, ID, job position, etc.) they'll contact you as "customers" and start the transactions.

Now there's an extra twist to this scam. Instead of a check they make a transfer straight into your account. I'm still wondering about this, because it means that somehow they have control over an account with enough money or credit to do it. I suspect that Nigerian scammers are into the phishing business too. If they get hold of a user/password combination for a bank account, they wait for the opportunity to make a transfer to a payment officer's account. If they time the operation properly, the payment officer will send the money before the victim of the phishing finds out. From that point, it's someone else's problem.

It's hard to believe how easy it is, but it is.

I took many of these jobs. My idea was to make them send the checks to someone who cares and can do something about it, law enforcers I mean. But I'm still trying to find one who does. In the meantime, I made them send the checks to dead ends where they got lost. I don't want to give many details about it in case they read this blog. The good thing is that each check that they send to me is a check that won't hurt someone else. So far, only this year, I caught almost half a million dollars. And this counts only those I could get some kind of confirmation for.
Some of the checks were sent through regular mail and I had no way to confirm them; maybe they were not sent at all. Others were sent by courier, FedEx or UPS, and I verified that using the tracking number. For some, I also received a copy of the original waybill. This is great because it gave me information about how it was sent, from where, how it was paid, etc. The bad news is that they're all dead ends. Paid in cash at the counter (no real name or return address) or charged to a hijacked account (real name and return address, but it's just another victim).

Transfers are hard to handle for me. A couple of times I sent bogus account numbers; some worked (no complaints from my boss), some didn't (a lot of complaints). I can't tell what happened. It's obvious that if you do a transfer from the bank's web page and the destination number is wrong, the system should warn you about it. But why did some seem to work? Maybe they didn't: the "company" called my bluff and decided to cut my "boss" out of the loop. The chances of typing a good number randomly are incredibly low.

It's a real problem because transfers are becoming the most popular way to scam. One reason could be that it's a lot easier for the mark. Most people are reluctant to get checks from strangers, but the transfer is money already in your account. You have to do nothing, sign nothing. It really feels like you're not taking responsibility for it; it's just in there waiting for you. The other reason could be that phishing is working and they have control over many bank accounts. Forged and stolen checks require hard work and are limited; accounts taken by phishing require less work and are coming fresh daily. If I'm right and there's a connection, it's a scary scenario.

And probably there is. The transfer scam is being used in connection with advance fee frauds. If you don't pay the fees for your lottery prize, your inheritance papers or your contract certificates, they will offer to put you in touch with a financier who's willing to pay for it. But, because the financier is inside the lottery/court/government, he can't pay by himself. The payment has to be done by you personally. So the money is sent to you first, then you have to resend it to wherever it is that it has to be sent. And how is it going to be sent to you? A bank transfer.

As you can see, it's always about creating a missing link in the money chain. They may have access to the money but if they use it directly or send it to their own accounts, the chain goes to them. When you send the money to them through Western Union or Moneygram (to a fake name somewhere in Africa where they can get it without an ID), the chain is broken and you're the last link.

The bank on top of the phishing ranking (at least in my mail accounts) is the Bank of America. I don't think it's something about the security level of their online system; it has to be something about the way money can be transferred from their accounts. I've sent them a message with details about it. I think that they should try to catch some of these jobs and make the scammers do the transfers to controlled accounts. The scammers have control over some of their customers' accounts and there's no way to find out which ones. Besides, the mark is going to be one of their customers too. If they do it, the hijacked accounts can be secured as soon as they're identified, and the customer informed about the situation. I'd like to know that my bank is doing things like this to protect me; the publicity will improve the image of the bank and bring awareness to the general public about the phishing problem. The cost is minimal, I can do it in my free time. A lot more can be done by an organized group working full time. But, so far, no answer.

Law enforcers are not interested, and neither is your bank. You have to take care of yourselves, kids. I won't be here watching your backs forever :oP

8/31/2006

A Moebius tape of recursivity

Haven't posted articles in a while and I'm sorry about that.

After Google disabled my mail account my Blogger account was disabled too. Silly me, I didn't see that coming even knowing that Google and Blogger have unified accounts.

Anyway, everything's fine now. I have access to both my mail account and my Blogger account again. But in the meantime I was setting up another blog and re-editing all the articles because I thought that my account was as good as gone. And that kept me busy all the time that I could have used to write.

I have a lot to write about.

Check scams are rising now and I'm going to get back to this issue in a future article. Meanwhile, don't take a job as a "payment officer", don't take a job over the web, don't trust a "company" just because it has a website, don't sell books (or any other thing) to schools or academies in India, Africa or anywhere if they were requested by mail. Believe it or not, the scammers are going to that extent to lure you into taking their "rubber" checks.

Phishing is high too. I've seen a lot of mail forms lately. These are the phishing messages where the form to post your data is inside the message itself. No need to click a link and post on a web page; you can do it from the message itself, which is more tempting and makes the actual phishing web page invisible. In fact the page is only a script that forwards the content of the form to the phisher's mail account. If you call it without the content of a form you get nothing. And that makes it very hard to report to network administrators, because there's nothing to see from the hyperlink.

One of the scripts is totally legal, meaning that it was created and is used legally. But it's open to the general public when it was intended to serve the customers of a hosting service. The administrator was doing some complicated things, redirecting the script to eBay if the referrer included a reference to them. But the result was that if you tried to access the script manually by yourself, eBay showed up. Bad idea. Let's say that a person suspects that the message is not real. He tries the link manually and eBay shows up. Most likely he'll think that the message is good, fill the form and get his credit card cloned.

Some other administrators are doing things differently. I saw a phishing page this week that was replaced with a warning page explaining phishing, in case you are a potential victim, and trashing the phisher. I'll see if I can recover the link for you to see.

And I've just contacted another who is taking a strong stand against scammers. But this is for another article.

Today I'm writing about human stupidity and how technology makes things worse.

Lately I'm seeing that the number of scam messages from LatinMail is increasing. This happens often, a free mail server gets popular among them. Yahoo is still the number one, even when it's also the number one in closing their accounts.

The trick nowadays is to send the first message through spam servers with a disposable mail account and, once the contact with the mark has been established, move the operation to the Yahoo account.

Sending from a spam server makes the message impossible to report: no mail server would accept a report just because the address allegedly used belongs to them. They want a header showing that the message was generated from their servers.

This trick works as a crib: those who suspect the message can't report it and won't pursue matters, and those who answer won't report it.

But sometimes, they use a mail server that they know or they think is lenient in its abuse policy, like LatinMail in this case and another that is rising, adinet.com.uy.

I started reporting just to see if there was a response. I didn't get one but at least the abuse address didn't bounce, something that's pretty common.

Then, a couple of messages bounced. That was odd. Most of the time the bounces are because the abuse address doesn't exist at all or its quota has been exceeded, meaning that nobody has checked the account in years. And in both cases the bounce is immediate and for every message.

This time only a couple of them bounced. So I took a closer look at the bounce message. And I found this:

< latinmail@latinred.net> : host mail.latinred.net[62.37.236.165] said: 451
Blocked - see http://www.spamcop.net/bl.shtml?62.37.236.187 (in reply to
RCPT TO command)
SpamCop is an organization working against spam; I guess the name is graphic enough. They take information from user reports and traps they set purposely. From that information, they keep a database of offending IP numbers: the addresses from where spam messages originate. The database is public and anyone can use it to check if the source of a message has been reported. I'll get back to the details later.

Using this database, LatinMail detected that the IP address 62.37.236.165 has been reported as a source of spam several times. So, they blocked the message and bounced it.

Nice, isn't it? Well, not really. Because the IP 62.37.236.165 belongs to LatinMail. And it was reported several times, along with others also belonging to LatinMail, because it is the source of a lot of spam. Including scam messages.

The second minor detail in this story is that the message that I sent wasn't generated or forwarded from that IP. The reference to that IP was in the header of the message I was reporting, which was inside the body of my message.

Somehow, their script is unable to understand where the real header ends. Somehow meaning someone did a lousy job: a header has a distinctive boundary (the first blank line separates it from the body).

But the bottom line is that it's impossible to report abuse to LatinMail. If you take the IP number out, they won't see evidence that the message was generated from them. If you leave the IP number in, the message bounces.
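To show the parsing mistake described above, here is an added example (not LatinMail's script, which is not public): an abuse report constructed for this example quotes the phishing message's headers in its body; a naive scanner that reads "Received:" lines from the whole text picks up the quoted IP, while a parser that honours the header/body boundary only sees the reporter's own relay. The IP 192.0.2.10 is a documentation address standing in for the reporter's relay; 62.37.236.165 is the address from the bounce quoted above.

```python
import email
import re
from email import policy

# Constructed sample abuse report. The real header block ends at the first
# blank line; everything after it, including the quoted "Received:" line
# with 62.37.236.165, is body text copied from the reported scam message.
ABUSE_REPORT = """\
Received: from reporter.example.org (reporter.example.org [192.0.2.10])
\tby mail.latinred.net with ESMTP id abc123
From: reporter@example.org
To: latinmail@latinred.net
Subject: Abuse report: scam message from your network

Please find the headers of the message below.

--- forwarded headers ---
Received: from unknown (HELO latinmail.com) (62.37.236.165)
  by mx.example.org with SMTP
From: fake.lottery@latinmail.com
Subject: You have won
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def naive_received_ips(raw):
    """The buggy approach: scan every line of the whole message for
    'Received:' and collect IPs, ignoring where the real header ends.
    A quoted header in the body is treated as if it were real."""
    ips = []
    for line in raw.splitlines():
        if line.lower().startswith("received:"):
            ips.extend(IP_RE.findall(line))
    return ips


def real_received_ips(raw):
    """The correct approach: let the RFC 5322 parser split headers from
    body at the first blank line, then read 'Received:' only from the
    genuine header block (folded continuation lines are unfolded)."""
    msg = email.message_from_string(raw, policy=policy.default)
    ips = []
    for value in msg.get_all("Received", []):
        ips.extend(IP_RE.findall(str(value)))
    return ips


if __name__ == "__main__":
    print("naive  :", naive_received_ips(ABUSE_REPORT))
    print("correct:", real_received_ips(ABUSE_REPORT))
```

The naive scanner returns both addresses and would match the blocklisted one; the boundary-aware parser returns only the relay that actually delivered the report.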

And I'd applaud a system so efficient in dealing with reports. But this one wasn't meant to work like that. This is just the result of plain stupidity in charge of technology.

This is a real Dilbert system, something that Scott Adams talked about in "The Way of the Weasel". A system so incompetent that it looks brilliant in terms of results from a corporate point of view. Their antispam software blocked thousands of messages, showing that it's incredibly efficient, and thousands of abuse reports never reached them, showing an incredibly clean mail server.

And going back to SpamCop. The idea is good but I think it's a very complicated solution for a very simple problem. Eventually they'll fill the database with almost all the IP numbers that don't belong to a mail server and some that do belong to a mail server. The database is going to be huge; probably it is now. And it doesn't take into account the human factor, like this case of LatinMail: someone using this database to filter their own mail.

You can read about my idea in a previous article. A system that's simpler, more efficient and based on information and protocols that are available now. There's no need to invent new stuff.

The idea basically is that every server receiving mail (SMTP) must verify the IP of the sender through the domain name system to see if it's declared as a mail server. It has to receive only from other declared mail servers and terminate immediately any other attempt. This way it saves storage space and bandwidth. The database to check is smaller, it's efficient and it's in use right now. Eventually, the servers can make a second query to another database, public or private, to check if the sender, even being another mail server, should be banned for any reason.
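The acceptance policy described above, as an added example (not the author's code from the earlier article): the connecting IP is accepted only if the sender's domain publishes it as a mail server (MX hosts and their A records, similar in spirit to SPF), and then the optional second query is a standard DNSBL lookup, reversed octets under bl.spamcop.net, the zone behind the bounce quoted earlier. DNS answers come from a constructed in-memory table so the example runs offline; a real deployment would replace `lookup` with a resolver call.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (assumption: a real
# deployment would query a resolver). 192.0.2.0/24 and 198.51.100.0/24 are
# documentation ranges; mail.latinred.net / 62.37.236.165 come from the
# bounce quoted in the article.
FAKE_DNS = {
    ("example.org", "MX"): ["mx1.example.org", "mx2.example.org"],
    ("mx1.example.org", "A"): ["192.0.2.10"],
    ("mx2.example.org", "A"): ["192.0.2.11"],
    ("latinmail.com", "MX"): ["mail.latinred.net"],
    ("mail.latinred.net", "A"): ["62.37.236.165"],
    # A DNSBL answers with a 127.0.0.x record for listed IPs, nothing otherwise.
    ("165.236.37.62.bl.spamcop.net", "A"): ["127.0.0.2"],
}


def lookup(name, rtype):
    """Stub resolver: returns the record set or [] (like NXDOMAIN)."""
    return FAKE_DNS.get((name, rtype), [])


def declared_mail_server_ips(domain, resolve=lookup):
    """Addresses the domain itself declares as its mail servers:
    every MX host, expanded to its A records."""
    ips = set()
    for host in resolve(domain, "MX"):
        ips.update(resolve(host, "A"))
    return ips


def dnsbl_listed(ip, zone="bl.spamcop.net", resolve=lookup):
    """Standard DNSBL query: reverse the octets and query under the zone."""
    rev = ".".join(reversed(ip.split(".")))
    return bool(resolve(f"{rev}.{zone}", "A"))


def smtp_accept(client_ip, mail_from_domain, resolve=lookup):
    """First gate: only declared mail servers get past the SMTP greeting.
    Second gate: a blocklist can still refuse a declared server.
    Returns (accept, reason)."""
    ipaddress.ip_address(client_ip)  # raises on malformed input
    if client_ip not in declared_mail_server_ips(mail_from_domain, resolve):
        return False, "not a declared mail server for " + mail_from_domain
    if dnsbl_listed(client_ip, resolve=resolve):
        return False, "declared mail server but listed in blocklist"
    return True, "ok"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.org"),
                    ("198.51.100.5", "example.org"),
                    ("62.37.236.165", "latinmail.com")]:
        print(ip, dom, smtp_accept(ip, dom))
```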

And that's the problem with the world these days. Things are going so bad just because nobody's asking me...