Futurama's Fry wondering: "Not sure if spam or just particularly curious"

New ways of spamming

So, I recently received a new mail that I presume is spam:

From: Julianna $changed <$localpart@gmail.com>
Subject: A graphic on Microsoft's failures
To: towo@ydal.de

Hi Tobias,

I was curious to see if this was the correct email to contact in regards to the content on ydal.de?


Julianna $changed

This is a rather curious e-mail. It sort of looks legit, but there’s nothing at all on ydal.de that could be described as a «graphic on Microsoft’s failures».

SpamAssassin also thinks it’s legit:

X-Spam-Report: SpamAssassin 3.2.5 (2008-06-10) on flock.szaf.org
 Content analysis details:   (-0.5 points, 5.0 required, autolearn=no)
  pts rule name              description
 --- ---------------------- --------------------------------------------------
  0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
  0.0 HTML_MESSAGE           BODY: HTML included in message
 -2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                             [score: 0.0000]
  1.4 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars

The SPF mismatch is rather interesting: you’d assume that someone giving a Google Mail address would send via the Gmail web interface (or one of the known clients), yet the sender is “offandawaymail.com”, which has a non-functioning web server. Googling for the host quite quickly reveals other people also getting this mail, and Tim Dobson googled a bit, also digging up an enlightening discussion on Google+.
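The mismatch described above, a Gmail address in From: with an unrelated envelope sender, can be checked mechanically. The following is an added example, not part of the original post: the sample messages, their Return-Path values and local parts, and the short freemail list are constructed assumptions, and the subdomain comparison is a simplification of proper organizational-domain alignment.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: short illustrative freemail list, not exhaustive.
FREEMAIL = {"gmail.com", "googlemail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed sample modelled on the mail in the post (Return-Path is assumed).
SAMPLE_SPAM = (
    "Return-Path: <bounce@offandawaymail.com>\n"
    "From: Julianna Example <localpart@gmail.com>\n"
    "Subject: A graphic on Microsoft's failures\n\nHi Tobias,\n"
)
# Constructed benign sample: the envelope sender is a subdomain of the From: domain.
SAMPLE_OK = (
    "Return-Path: <bounces@mail.example.org>\n"
    "From: News <news@example.org>\n\nHello\n"
)

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def aligned(a, b):
    """Simplified relaxed alignment: same domain, or one a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def check_alignment(raw):
    """Compare the visible From: domain with the envelope sender (Return-Path)."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("Return-Path"))
    findings = []
    if not env_dom:
        findings.append("no-envelope-sender")  # e.g. bounces with "<>"
    elif not aligned(from_dom, env_dom):
        findings.append("from-envelope-mismatch")
        if from_dom in FREEMAIL:
            # Freemail users normally send through the provider's own servers.
            findings.append("freemail-from-via-third-party")
    return {"from": from_dom, "envelope": env_dom, "findings": findings}

if __name__ == "__main__":
    for name, raw in (("spam", SAMPLE_SPAM), ("ok", SAMPLE_OK)):
        print(name, check_alignment(raw))
```

A hit is a signal to score, not a verdict: mailing lists and forwarding services also produce mismatches.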

So this isn’t even the standard attempt to bugger up your Bayesian spam filters (see the Wikipedia article on Bayesian poisoning). It’s a sneaky attempt to actually do SEO by using half-automated spamming. Which is pretty weird, since it’s rather cost-intensive in terms of manpower – even if it’s generated automatically, they have to categorize sites by what they want to spam them about. There’s also the fact that I’m addressed by my first name – while this may be reasonably extracted from information on the web, the debian-live mailing list received a similar mail, and they were addressed as “editor”, which a quick Google search couldn’t associate with the mailing list address. Which, at least, makes for a rather interesting source database that seems to have been used.

What I found most amusing about this all is how quickly my brain said “this is fishy”, whereas automatic classification was unperturbed.