So, I recently received a new mail that I presume is spam:
From: Julianna $changed <$firstname.lastname@example.org>
Subject: A graphic on Microsoft's failures
To: email@example.com
I was curious to see if this was the correct email to contact in regards to the content on ydal.de?
This is a rather curious e-mail. It sort of looks legit, but there’s nothing at all on ydal.de that should reflect as a «graphic on Microsoft’s failures».
SpamAssassin also thinks it’s legit:
X-Spam-Report: SpamAssassin 3.2.5 (2008-06-10) on flock.szaf.org
Content analysis details: (-0.5 points, 5.0 required, autolearn=no)
 pts rule name              description
 --- ---------------------- --------------------------------------------------
 0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
 0.0 HTML_MESSAGE           BODY: HTML included in message
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]
 1.4 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
The SPF mismatch is rather interesting: you’d assume someone giving a Google Mail address would send through the Gmail web interface (or one of the known clients), yet the sender is “offandawaymail.com”, which has a non-functioning web server. Googling for the host quite quickly reveals other people also getting this mail, and Tim Dobson googled a bit, also digging up an enlightening discussion on Google+.
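The mismatch described above can be checked mechanically. The following is an added example, not part of the original post: it flags a message whose From address is on a freemail domain while its envelope sender (Return-Path) is on a different domain. The sample messages, the local parts, the FREEMAIL set and the function names are constructed for illustration; only the domain offandawaymail.com comes from the post.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: a short illustrative freemail list, not an exhaustive one.
FREEMAIL = {"gmail.com", "googlemail.com"}

def domain_of(header_value):
    """Lower-cased domain of an address header; '' if missing or malformed."""
    _, addr = parseaddr(header_value or "")
    local, at, domain = addr.rpartition("@")
    return domain.lower() if at and local else ""

def classify(raw_message):
    """Compare the From domain with the envelope sender (Return-Path) domain."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("Return-Path"))
    if from_dom not in FREEMAIL:
        return "not-freemail"   # this heuristic only covers freemail claims
    if not env_dom:
        return "unknown"        # null sender "<>" or header stripped in transit
    if env_dom == from_dom or env_dom.endswith("." + from_dom):
        return "aligned"
    return "mismatch"           # freemail From, third-party envelope sender

def make(from_hdr, return_path):
    """Build a minimal constructed message for the demo."""
    return (f"Return-Path: {return_path}\n"
            f"From: {from_hdr}\n"
            "Subject: A graphic on Microsoft's failures\n"
            "\n"
            "body\n")

# Constructed samples (placeholder local parts, not real mailboxes).
SAMPLES = {
    "outreach": make("Julianna <firstname.lastname@gmail.com>",
                     "<bounce@offandawaymail.com>"),
    "webmail": make("Julianna <firstname.lastname@gmail.com>",
                    "<firstname.lastname@gmail.com>"),
    "bounce": make("Julianna <firstname.lastname@gmail.com>", "<>"),
    "company": make("Julianna <firstname.lastname@example.org>",
                    "<firstname.lastname@example.org>"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:9} {classify(raw)}")
```

A "mismatch" result is a signal to weight rather than a verdict, since mailing lists and forwarding services also rewrite the envelope sender.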
So this isn’t even the standard attempt to bugger up your Bayesian spam filters (see the Wikipedia article on Bayesian poisoning). It’s a sneaky attempt to actually do SEO by using half-automated spamming. Which is pretty weird, since it’s rather cost-intensive in terms of manpower – even if it’s generated automatically, they have to categorize sites by what they want to spam them about. There’s also the fact that I’m addressed with my first name – while this may be reasonably extracted from information on the web, the debian-live mailing list received a similar mail, and they were addressed with “editor”, which a quick Google search couldn’t associate with the mailing list address. Which, at least, makes for a rather interesting source database that seems to have been used.
What I found most amusing about all this is how quickly my brain said “this is fishy”, whereas automatic classification was unperturbed.