Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Spammers aren't always creative


I first started actively fighting spam in 2004. In the beginning we were dealing exclusively with English language spam but only a couple of months later we expanded our tool set to include support for foreign languages.

Foreign language spam differs in structure from country to country so the strategies used to fight it are different.  I have discovered that English language spam tends to be very creative and spammers will use extensive obfuscation in their messages in order to evade filters.  They have been known to do similar things in German spam, but the tactics are less evolved; most of the time the language is grammatically correct and they will only obfuscate a few characters (mostly the umlaut... I'm quite sure I spelled that wrong).  French spam consisted mostly of newsletters, advertisements and 419s, while Spanish language spam was the same (minus the 419s).  I didn't fight too much of this type of spam so it's hard to generalize.

But the one thing that stuck out at me was how consistent Japanese spam was.  Japanese spam consisted of two kinds - cheesy newsletters (which I couldn't read but could still interpret) and Japanese porn.  In the spam world, we referred to it as "Ja-porn" or "Ja-porn-ime", a portmanteau of Japanese-porn-with-anime-characters.  I remember we saw a big wave of it in 2005.  However, it was clearly recognizable and spammers used the same structure every time.

The text structure was a square block of text in Japanese with line breaks nicely formatted, in other words, the text did not extend to the far side of the page.  It was usually just a few lines of text and they are always right-justified.  Then, at the end, there is a link to a porn page but the link is almost always in English and is a .com domain.  And the links are really obvious.  I would have thought that they might use .jp domains or something, but no.

Just this past week, one of our customers escalated some Japanese spam.  The structure of the messages was nearly identical to what we were seeing three years ago.  Spammers haven't changed their tactics at all.  So, while they are constantly shifting their tactics in English, in Japan they have gotten really lazy.  I guess creativity is not a universal trait in the spam world.
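
The structure described above (a short, even-width block of Japanese text followed by an ASCII .com link) is regular enough to express as a filter heuristic. The sketch below is an added example, not code from the original post or from any production filter; the function names, thresholds and sample messages are assumptions constructed for illustration.

```python
import re
import unicodedata

# Final-line link with a plain-ASCII host; group 1 is the host name.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def is_japanese(ch):
    # Hiragana and katakana (U+3040-U+30FF) or CJK ideographs (U+4E00-U+9FFF).
    return "\u3040" <= ch <= "\u30ff" or "\u4e00" <= ch <= "\u9fff"

def display_width(line):
    # Wide/full-width characters take two columns in a monospace rendering.
    return sum(2 if unicodedata.east_asian_width(c) in ("W", "F") else 1
               for c in line)

def template_features(body, max_lines=12, slack=2, min_ratio=0.8):
    """Return four structural signals as booleans (thresholds are assumptions)."""
    lines = [l.strip() for l in body.splitlines() if l.strip()]
    link = URL_RE.search(lines[-1]) if lines else None
    text = lines[:-1] if link else lines
    chars = [c for l in text for c in l if not c.isspace()]
    widths = [display_width(l) for l in text]
    return {
        "japanese_text": bool(chars) and
            sum(map(is_japanese, chars)) / len(chars) >= min_ratio,
        "short_block": 0 < len(text) <= max_lines,
        # Every line but the last must fill the block; the last may run short.
        "uniform_width": bool(widths) and
            all(max(widths) - w <= slack for w in widths[:-1]),
        "ascii_com_link": bool(link) and link.group(1).lower().endswith(".com"),
    }

def matches_template(body):
    return all(template_features(body).values())

# Constructed samples (harmless placeholder text, not real spam).
SAMPLE_BLOCK = ("これは検証用に作成した本文\n"
                "一行の長さをそろえた見本の\n"
                "短い文面です\n"
                "http://example.com/page")
SAMPLE_RAGGED = ("田中さん、こんにちは。\n"
                 "明日の会議の資料を添付しましたのでご確認ください。\n"
                 "https://example.jp/docs")

if __name__ == "__main__":
    for name, body in (("block", SAMPLE_BLOCK), ("ragged", SAMPLE_RAGGED)):
        print(name, matches_template(body), template_features(body))
```

A match on all four signals is a scoring input rather than a verdict, since ordinary Japanese mail can also be hard-wrapped to a fixed width.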

Leave a Comment
  • "the link is almost always in English"

    It is?  Even in English-speaking countries, links are often acronyms or other abbreviations.

    If you meant that links don't usually use Chinese and Japanese characters, that's because most browsers don't support that kind of experiment yet.  (Or do you mean GET parameters and such things?  In that case Japanese is used a bit more but it's still not common.)

    "and is a .com domain"

    .com is still pretty common, just like microsoft.com instead of microsoft.us.  Spammers have two additional reasons though.  One is that if they're silly enough to register their own domain names then they lose the cost of a .com registration instead of the cost of a .jp registration.  The other is that if they're hosted by a foreign company and the hoster has no employees who read Japanese then the spam sites will stay up longer.  Though I'm not quite sure why spammers bother with any of that when NTT provides bulletproof spam services.

    "always right-justified"

    If they want to make some pretence at being a legitimate site, or being traditional Japanese, or whatever, then sure.  Traditional Japanese typography calls for making all lines the same length, except for the last line of a paragraph and a few other cases where other typographical rules require deviating by 1 character.  Ordinary e-mail usually doesn't stick to traditional typographical rules.  Outlook Express breaks every rule including its own settings.

    "Spammers haven't changed their tactics at all"

    s/Spammers/Some spammers/.  True in English too.
