Some amusing cut and paste work from spammers

November 9, 2012

Recently I got a modest spate of advance fee fraud spam attempts with the interesting feature that they either claimed to be from 'Federal Bureau Of Investigation Seeking To Wiretap The Internet' or at least contained some variant of 'FBI seeking to wiretap the Internet' in addition to the agency name. Advance fee fraud come-on messages are almost never well written to start with, but this text is relatively glaringly out of place, which is part of why it stood out and stuck in my mind. The messages have some other similarities but also their fair share of differences, so I'm not sure I can conclude that it's the work of a single group (I suspect that advance fee fraud spammers aggressively copy from each other's come-on messages). My records say that this is not a new thing; the oldest sample I could spot using a quick search pattern dates from the end of 2008.

(It looks like an Internet search for this phrase will turn up lots and lots of archived samples.)

What interests me is speculating on where this odd text comes from and what it implies about how spammers operate. In general, the 'seeking to wiretap' text is clearly out of place in the spam messages; there is no attempt to weave it into the come-on text and it's generally more or less positioned as part of the FBI's name. The obvious guess about what happened is that at some point an initial spammer was looking for the FBI's full name, did an Internet search, and wound up on a news story where this text was the main heading or the like instead of the FBI's own page. Operating without enough contextual knowledge, they lifted the entire text, copied it into their spam, and it propagated from there. That the text continues to show up with some regularity suggests that it's become established in some mainline of advance fee fraud messages that lots of people copy from.

This is where I start thinking of similarities to evolutionary biology, where odd and unimportant features of a successful organism can sort of come along for the ride as it propagates. This bit of text feels like one of them; I doubt that it itself does anything to improve the spam's success rate, but it could well be part of a relatively successful initial advance fee fraud message that has been widely copied and imitated more or less wholesale since then. This is especially so because the text usually appears as an initial title block and I can certainly believe that those just get copied back and forth without anyone paying them much attention.

(While there are theories that advance fee fraud spammers deliberately make their come-on messages relatively extreme and obvious in order to hook only the most credulous, I don't believe that this text is being included deliberately as part of that filtering. To use the text as filtering seems more than a little bit too subtle and clever for both the spammers and the audience they are allegedly filtering for.)

Written on 09 November 2012.
Last modified: Fri Nov 9 00:51:18 2012