Dear Scammers, Thanks for keeping good records

Update: I realize his email address didn’t get included, so he’s at williamsrnd4@gmail.com, in Nigeria (shocker, I know). I’m a little sad that I deleted the most entertaining messages from this joker, but such is life. Anyways, don’t send him money; it’s a scam. Any time you get a message from PayPal, check the full message headers and make sure it’s coming from PayPal. Write gmail a note telling them that you don’t appreciate them hiding the IP addresses of scammers, or facilitating this behavior by delivering messages originating from Nigeria for that matter.

this is our conversation from day one.
john doe Wed, May 4, 2011 at 7:39 PM
To: Williams Randy
Cc: sale-vsjn8-2361578881@craigslist.org
Great. Would you rather meet at 168th (9am or 6pm) street or 114th (9-4)? -Joe

On 05/04/2011 02:37 PM, Williams Randy wrote:

** CRAIGSLIST ADVISORY — AVOID SCAMS BY DEALING LOCALLY
** Avoid: wiring money, cross-border deals, work-at-home
** Beware: cashier checks, money orders, escrow, shipping
** More Info: http://www.craigslist.org/about/scams.html

========================================================

Williams Randy Wed, May 4, 2011 at 7:41 PM
To: john doe
okay,am buying it for my cousin in nigeria as a gift,am in chicago,you
will be shipping,i will pay the shipping cost.i will be paying you
with PayPal

========================================================

john doe Wed, May 4, 2011 at 7:43 PM
To: Williams Randy
You can send me payment at john.doe+paypal@gmail.com

========================================================

Williams Randy Wed, May 4, 2011 at 7:45 PM
To: john doe
send me a payment request to avoid scam ,i hope you understand.please
include the shipping cost,you will be shipping with usps express
mail,do you need the shipping address to calculate the shipping cost?

========================================================

Williams Randy Wed, May 4, 2011 at 8:21 PM
To: john doe
i got your invoice,i will be making the payment now,please pack the
camera very well and get ready to ship,i will let you know when
payment has been made..thanks

========================================================

Williams Randy Wed, May 4, 2011 at 8:35 PM
To: john doe
i just make the payment now,kindly check the paypal email you gave
me-john.doe+paypal@gmail.com.paypal must have send you a message
regarding the payment.here is the shipping address;
Name :Tosin Williams
Address :No 218,Ibrahim Taiwo Rd,Ilorin,Kwara
State,Nigeria.234031.please ship with usps express mail.thanks,it’s a
pleasure doing business with you

========================================================

Williams Randy Wed, May 4, 2011 at 8:46 PM
To: john doe
hope you got the payment notification? please get back asap..thanks

========================================================

john doe Wed, May 4, 2011 at 8:49 PM
To: Williams Randy
Got payment notification, will send you a note when I ship.

========================================================
Williams Randy Wed, May 4, 2011 at 8:50 PM
To: john doe
alright..thanks.please ship with usps express mail..i will be
expecting your mail

========================================================

Williams Randy Thu, May 5, 2011 at 9:53 AM
To: john doe
am still expecting your reply..have you shipped the camera? please get back asap

========================================================

john doe Thu, May 5, 2011 at 1:21 PM
To: Williams Randy
The payment hasn’t cleared yet.

========================================================
Williams Randy Thu, May 5, 2011 at 2:56 PM
To: john doe
read the payment notification very well,you will have to send the
tracking number to there customer care before they credit your
account…okay?

========================================================

Williams Randy Thu, May 5, 2011 at 2:59 PM
To: john doe
do you get it? please get back asap

========================================================

john doe Thu, May 5, 2011 at 5:00 PM
To: Williams Randy
Randy, I have not received a payment notification. Funds still appear
to be in “pending” in paypal.

========================================================
Williams Randy Thu, May 5, 2011 at 6:42 PM
To: john doe
check your inbox in this email (john.doe+paypal@gmail.com).that’s
where paypal will send the messages

========================================================

john doe Thu, May 5, 2011 at 7:14 PM
To: Williams Randy
Nope, don’t have a message. Payment still shows as “pending”.

========================================================

Williams Randy Thu, May 5, 2011 at 7:16 PM
To: john doe
i mean ycheck your email inbox not your paypal account

========================================================

john doe Thu, May 5, 2011 at 7:18 PM
To: Williams Randy
Have no message in either place. Maybe you should try paying again?
Also there’s someone who wants to buy it locally, maybe you can send
me $10 which is not “pending” and clears for the effort?

========================================================

Williams Randy Thu, May 5, 2011 at 7:28 PM
To: john doe
alright,i will make a nes payment of $450

========================================================

Williams Randy Thu, May 5, 2011 at 8:13 PM
To: john doe
i have made the payment again.hope you got it this time? please get back asap.

========================================================

john doe Thu, May 5, 2011 at 8:29 PM
To: Williams Randy
There’s not even one that shows up as pending this time. Please send
$10, which will not be pending to john.doe+paypal@gmail.com.

========================================================

john doe Thu, May 5, 2011 at 11:41 PM
To: Williams Randy
randy i have still not heard back from you
i very much like to sell you the d3000 camera because you seem like
good person and you offer some more than the person here and my
girlfriend is very sick and i hope to buy for her something nice with
the $450
please get back asap

========================================================

On 05/05/2011 03:13 PM, Williams Randy wrote:
Williams Randy Sat, May 7, 2011 at 11:47 AM
To: john doe
yes,i want to buy,paypal must have send you a notification,read it
very well,you will have to send the tracking number to there customer
care before they credit your account

========================================================

Williams Randy Sat, May 7, 2011 at 12:09 PM
To: john doe
where do you ship the camera to,RUSSIA? please get back asap so that
can send the $100 and help you clear your money

========================================================

john doe Sat, May 7, 2011 at 12:28 PM
To: Williams Randy
dont worry .i send camera to
Name :Tosin Williams
Address :No 218,Ibrahim Taiwo Rd,
State :Kwara State
City : Ibadan
Zip Code :23402
Country: Nigeria
they say it be there real soon .any day now .paypal just send me email
saying everything ok .appreciate anything you can send me that clears
and is not pending at paypal at john.doe+paypal@gmail.com as
paypal says it might still take 48 more hours .and like i say my
girlfriend is very not well and i have to spend long time at hospital
and not at work .also you might want to include previous messages in
reply as you seem not brightest crayola in the box and maybe it help
you keep track of things .

========================================================

Williams Randy Sat, May 7, 2011 at 12:33 PM
To: john doe
this is where i said you should ship it to:Name :Tosin Williams
Address :No 218,Ibrahim Taiwo Rd,Ilorin,Kwara State,Nigeria.234031.why
do you change the city and the zip code?

========================================================

john doe Sat, May 7, 2011 at 12:36 PM
To: Williams Randy
ok no worries. i deleted your old messages and i only had one piece i
had printed out from the trash that had some coffee on it so it was
hard to read .like i said maybe it would be better if you include all
messages in replies like i do below .dont worry though item is safe on
way they will hold for you at the post office .you can pick up this
coming week .

========================================================

Williams Randy Sat, May 7, 2011 at 12:43 PM
To: john doe
i mean you shipped the camera to another state,it’s meant to be
shipped to ilorin with zip code 234031 and that’s what i gave you but
you shipped the camera to ibadan with zip code 23402..why? and please
let me know if you have other electronics to sell,i will love to buy
more from you..

========================================================

john doe Sat, May 7, 2011 at 12:44 PM
To: Williams Randy
I’m sorry I haven’t the faintest idea what you’re going on about. Can
you include any previous correspondence in your message.

Filtering Spoofed Emails

Do you get a lot of spoofed messages about your “World of Warcraft” account? Do you not have a “World of Warcraft” account? Annoying, isn’t it? Even if you set up your gmail to receive messages at username+alias@gmail.com and filter on the recipient field, these messages often make it through because they use the proper value in the To field. The From field will read something like …..@realplace.com, but of course they’re not sending it from realplace. So how do you tell the posers from the real thing? Take a look at the full message source: in gmail, hit the down arrow next to Reply when viewing the message and choose “show original”. This will show you some unformatted goodies about the message, including the identity of the real sender. There are a few fields of interest:
From: obviously this is the first place to look. It is generally composed of two parts: first a claimed name and then an account name. Both are actually spoofable, but we’re relying on the ineptitude of these folk to work in our favor. The first is easily spoofed. So if I get an email from
From: “service@paypal.com”
it’s easy to tell that it’s not actually originating from PayPal. Here a good filter would be “” in the “has words” field. This will actually save you a great deal of spam.

Other fields of interest (but less usable) are:
The Sender field. Here is an example pulled from the same email: “Sender: williamsrnd9@gmail.com”. So you can see that this spammer actually isn’t totally incompetent, because the From field is spoofed enough to look like it’s coming from “post.com” instead of “gmail.com”. It’s possible that they’re even avoiding @paypal.com because that would be flagged as spam by gmail. Unfortunately the Sender field is not usable in gmail filters right now; who knows why.
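The From/Sender comparison described above, written out as an added example (it is not code from the original post). The `Sender` value is the one quoted in the post; the From local part on post.com, the function names and the `expected_domain` parameter are assumptions of this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers. The Sender value is the one quoted in the post;
# the From local part on post.com is a made-up placeholder.
SAMPLE = '''\
From: "service@paypal.com" <notice-placeholder@post.com>
Sender: williamsrnd9@gmail.com
To: john.doe+paypal@gmail.com
Subject: You have received a payment

(body omitted)
'''

def domain(addr):
    """Return the lowercased domain of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def same_org(a, b):
    """True when the domains are equal or one is a subdomain of the other."""
    if not a or not b:
        return False
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def spoof_signals(raw, expected_domain):
    """List the reasons the headers do not match the claimed sender."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, sender_addr = parseaddr(msg.get("Sender", ""))
    from_dom, sender_dom = domain(from_addr), domain(sender_addr)
    reasons = []
    # 1. The display name is itself an address on a different domain.
    claimed = domain(display.strip())
    if claimed and not same_org(claimed, from_dom):
        reasons.append(f"display name claims {claimed}, address is at {from_dom}")
    # 2. The actual From address is not at the organisation we expect.
    if not same_org(from_dom, expected_domain):
        reasons.append(f"From domain {from_dom} is not {expected_domain}")
    # 3. A Sender header that disagrees with From shows who submitted the mail.
    if sender_dom and not same_org(sender_dom, from_dom):
        reasons.append(f"Sender domain {sender_dom} differs from From {from_dom}")
    return reasons

if __name__ == "__main__":
    for reason in spoof_signals(SAMPLE, "paypal.com"):
        print(reason)
```

Both headers are set by the sender, so a clean result here proves nothing on its own; the SPF, DKIM and DMARC results in the `Authentication-Results` header of the same “show original” view are the stronger check.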

When in doubt, always check the message center (or whatever it’s called) on the site in question. This is the one instance where closed source saves us, as it’s harder to spoof those messages. Granted, if gmail were open source we could just filter on the Sender field, or even on the originating IP address, and we wouldn’t be in this bind in the first place. Seriously, how cool would that be, to tag emails with geographic locations on the basis of IP address, so emails actually come “from” somewhere instead of just magically appearing. It’s going to be a thing.


The only real solution to SPAM

So I’ve finally found what I consider a plausible solution to email spam.  It’s known as hashcash/proof-of-work and the implementation I’ve come across is the pennypost.  It’s a valid alternative to challenge authentication and less annoying to all involved.  It works thus:

If I desire to send an email to user@domain.ext, I must find a combination of date/address/randomstring which hashes to a required number of leading zeroes, using some agreed-upon hash.  If the hash is correctly chosen, finding a solution can be computationally expensive for the sender yet trivial for the recipient: if 1 in 10^10 strings satisfies the condition, the sender will have to make 10^10 computations on average, while the recipient will only have to make one.  This is desirable, as the cost of sending should be borne by the sender and not the recipient.
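The mint/verify asymmetry described above, as an added example (not PennyPost's code and not the exact hashcash stamp format). SHA-256, the colon-separated field layout, the function names and the `seen` replay set are assumptions of this example.

```python
import hashlib
import secrets
from itertools import count

def leading_zero_bits(digest):
    """Count the zero bits at the front of a hash digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()

def stamp_bits(stamp):
    """Leading zero bits of the SHA-256 hash of a stamp string."""
    return leading_zero_bits(hashlib.sha256(stamp.encode()).digest())

def mint(address, date, bits):
    """Sender side: try counters until the stamp hash has `bits` leading zeros.

    Returns the stamp and the number of hashes it took to find it
    (about 2**bits on average).
    """
    rand = secrets.token_hex(8)  # random string so stamps differ per message
    for tries in count(1):
        stamp = f"{bits}:{date}:{address}:{rand}:{tries}"
        if stamp_bits(stamp) >= bits:
            return stamp, tries

def verify(stamp, address, date, bits, seen):
    """Recipient side: field checks plus one hash; `seen` blocks stamp reuse."""
    fields = stamp.split(":")
    if len(fields) != 5 or fields[1] != date or fields[2] != address:
        return False  # stamp was minted for another day or another recipient
    if not fields[0].isdigit() or int(fields[0]) < bits:
        return False  # sender claimed less work than we require
    if stamp in seen or stamp_bits(stamp) < bits:
        return False  # replayed stamp, or the claimed work was not done
    seen.add(stamp)
    return True

if __name__ == "__main__":
    seen = set()
    stamp, tries = mint("user@domain.ext", "100215", 16)
    print(stamp, "found after", tries, "hashes")
    print("accepted:", verify(stamp, "user@domain.ext", "100215", 16, seen))
    print("replay accepted:", verify(stamp, "user@domain.ext", "100215", 16, seen))
```

Each extra required bit doubles the sender's expected work while the recipient's cost stays at one hash.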

Unfortunately, I’ve only been able to get this to work in thunderbird 2.x (current version is 3.0.1).  And further I had a bit of trouble with the email address as regular expressions bit, but that’s really not that much of a complaint.

Protests against this method cite botnets and discrepancies in CPU power.  Botnets supposedly make this approach less appealing, as one can use the botnet to compute hashes and thus find a hash much faster.  However, this method still reduces the amount of SPAM that a botnet can send, and also makes it more likely that the owner of an infected machine realizes the machine is infected and does something about the issue.  So really this complaint boils down to “botnets are bad”.  Yes, they are, but their badness is lessened through proof-of-work stamping.

Second, discrepancies in CPU power.  There’s maybe a 15x difference in performance between a pretty powerful system and a pretty weak system (Atom vs i7 920; that’s an approximately $60 CPU vs an approximately $280 processor, or a 5x difference in price).  So a computation that takes the i7 10 seconds takes the Atom a little under three minutes.  I actually think that if one were to pick the hash well one could minimize the difference in performance, but either way, 3 minutes isn’t terribly long to wait.  I mean, how often do we expect people to read their email?  Plus, one could integrate with an intelligent whitelist, so that one doesn’t need to compute hashes for those we correspond with frequently.  This has the potential to reduce the amount of spam sent by orders of magnitude, and it cuts it out at the source rather than relying on better filtering at the receiving end.  The cost is paid either by those who would do the harm or by those whose machines have been infected (which will encourage them to clean their machines and take better measures in the future).

Anyways, enough rambling.  The PennyPost extension for Mozilla Thunderbird can be found here; now we just need to integrate it with gmail and most other email clients (of course this is where it will fail at the moment, but perhaps with time it could work).  It’s the only thing I’ve ever heard of that might work, because Russian ISPs have no incentive to prevent their subscribers from sending pharma spam to Americans, but this could reduce their ability to send spam by 100x or more.