A depressing thing about phish spam

December 8, 2007

For a while, my general reaction to receiving phish spam from somewhere has been to block it from sending me further email. This habit has led me to discover something depressing: how many of those places later try to send me more email, often months after the first incident.

This is depressing because phish spam is usually sent from compromised machines. Getting more mail from the same machine is a bad sign; it means that the machine has almost certainly not been cleaned up, and is instead still compromised and being used for another phish spam run. (Or the machines were cleaned up, but then re-compromised.)

(One consequence of phish spammers preferring compromised machines is that greylisting is relatively ineffective against phish spam, since the compromised machines actually are running real mailers. I don't know why phish spammers don't use open proxies, or don't use them more often.)
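To make the repeat-contact observation concrete, here is an added example (not code from the original post) that reads a constructed list of blocked-sender dates and reports hosts that came back a month or more after an earlier block; the log format and host names are made up for the example.

```python
"""Repeat-contact report for blocked phish sources (constructed sample data).

Each record is (date, sending host) for a message that hit the block list.
Hosts that return after a long gap are the ones that were almost certainly
never cleaned up (or were cleaned up and re-compromised)."""
from collections import defaultdict
from datetime import date

# Constructed sample: one 'YYYY-MM-DD host' line per blocked delivery attempt.
SAMPLE_LOG = """\
2007-06-02 mail.example.net
2007-06-02 smtp.example.org
2007-09-15 mail.example.net
2007-07-20 host.example.com
2007-12-01 smtp.example.org
2007-12-08 mail.example.net
"""

def parse_log(text):
    """Return a list of (date, host) tuples from the log text, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host = line.split()
        records.append((date.fromisoformat(day), host))
    return records

def repeat_offenders(records, min_gap_days=30):
    """Map host -> list of gaps (in days) between successive attempts that are
    at least min_gap_days apart. Hosts with no such gap are left out; a return
    after a month or more is the 'still compromised' signal."""
    by_host = defaultdict(list)
    for day, host in records:
        by_host[host].append(day)
    result = {}
    for host, days in by_host.items():
        days.sort()
        gaps = [(b - a).days for a, b in zip(days, days[1:])
                if (b - a).days >= min_gap_days]
        if gaps:
            result[host] = gaps
    return result

if __name__ == "__main__":
    for host, gaps in sorted(repeat_offenders(parse_log(SAMPLE_LOG)).items()):
        print(f"{host}: came back after {', '.join(map(str, gaps))} days")
```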

I suppose it's not a very surprising thing on the modern Internet, once I think about all the forces involved. Either the machine's owners have to notice the problem on their own, or someone has to complain and reach a human. Complaining to the machine's owners requires that you find them and find some way of reaching them, and complaining to the upstream ISP is usually throwing your mail into /dev/null.

(On the other hand, some major phishing targets have security teams that try to get at least the phish websites taken down; I've seen email from them. But I suppose it makes much less sense for them to try to chase sending sources; given finite resources, taking down websites is more important.)

Last modified: Sat Dec 8 23:23:59 2007
