I send spam (Subject Line)

Wouldn’t it be great if spammers would mark their junk mail as spam when they send it?  Then we could waste less time reading it.

Well, I may have a solution. The only question is whether a genuine person sending an email will remember to set the subject line to something else. Here is what I have observed over the past month:

I have contact forms on websites, and most of these have anti spam measures built in, but there is still a steady trickle of spam messages. As some of the anti spam measures require a human to look at an image and identify it, the chances are that the spam is being sent by people and not by bots. It is also likely that the people sending the spam are doing so quickly and for a few cents per email.

On a form I have created I have a pre-programmed subject line with 4 or 5 choices depending on the nature of the site. You cannot enter your own subject line; you have to choose one. The choices might be, for example:

  • I wish to volunteer
  • I wish to make a donation
  • I need help
  • Something else

I normally default to “Something Else”.

What I noticed is spam messages continued to arrive, but instead of “Something Else” being used as the default subject line, the spammers always chose the first option. Without fail.

So I changed the list to the following:

  • I send spam
  • I wish to volunteer
  • I wish to make a donation
  • I need help
  • Something else

Now my spam messages arrive neatly labelled as spam. See below for an example.

Email Filtering

The next step is to auto file any incoming messages so that they are sent to a special folder. That is very easy to do because you can redirect emails based on the content in the subject line. In this case “I send spam”. 

I have not taken that step yet, but I will do over the coming month. 

The only problem with this approach is somebody might click on it by accident. That is unlikely but cannot be ruled out. So it would be wise to check the folder from time to time. 

Filtering your mailbox may be possible in Outlook, but it is definitely possible in your mailbox via https://stackmail.com. It is quite easy to detect strings of characters in the title, email address, or the body of the email and take action when they are detected.

If anyone is being bombarded by junk email let me know and we can try this out to see if it helps. Unfortunately spammers seem to target some sites and not others; how or why they do this, I am not sure.

BTW this method only works with messages that originate through your contact form. It would not work with general messages because it is unlikely a spammer is going to label the subject line “I send spam”. 

Spoofed Email Address Scam

The following is based on an actual case, and shows you how scammers work. In this case not very successfully, but I will come on to that in a moment. 

Scam Plot

A message arrives in your inbox which appears to have come from your account. So it is from you to you. That implies someone may have access to your email account. Something that is likely to generate a panic response, which is exactly what they are hoping for. See below for an example.

For most of you though you will not see this message

Why? If your email is hosted with me, or with Outlook.com, then you will never see this message because of something called SPF (Sender Policy Framework). It is a list of legitimate sending servers which is located in your DNS settings. It is there so that any email system receiving a message from your email sending server can verify that the message actually came from your server and not from somewhere else. It is a basic test, and if it fails the email is discarded. It is handled on the receiving server.

If you do not have an SPF policy set up, then you will see the message as intended by the sender.

What the Spammer Scammer did

In this case there was a trail of evidence, because the actual message that arrived was a bounce back message, and then a reply from the actual server it came from.

It appears that the individual behind this took over a server in a Canadian hosting company. They either used a special program to do this or wrote a script to do it. The script probably had a list of target email addresses scraped from websites. It formatted the email and populated the sending email address and the destination email address as the same address and then sent out 625 of them. We know it was 625 because the following happened.

  • Email is received and then some automated tests are carried out
  • Email is rejected because it did not come from your sending server, there was not a match, therefore it is a “spoofed email”.
  • A message is sent back to the actual sending server. At this point no email has appeared in your inbox, or in junk mail, this is all happening automatically.
  • The message arrives at the originating server, but there is no corresponding email account at the sending server, and the server replies with an error message back to your inbox.
  • Because it is an error message you get the error message and original payload. This is called a Bounceback message, it is sent to warn you of problems with email.

The bounceback message

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  info@xxxxxxxxxxxxxxxx.org.uk
    Domain tidunglagoon.com has exceeded the max emails per hour (625/500 (125%)) allowed.  Message discarded.

Reporting-MTA: dns; sng123.hawkhost.com

Action: failed

 
Here we can see where it originated from, a mail server for tidunglagoon.com. We can also see from the message that 625 emails have been sent, so this was not the only one.

The Email Header

Not shown here, but viewed by me, is the email header. All emails include a header, which is not normally visible. It contains information about the source of the email and the destination. It also contains information about any tests the message has been subjected to, particularly around spam scores.

This is the first place to look if you get a dodgy email. It is also important if you need to share the email with a third party for analysis. 
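What to pull out of a header can be shown with a short script. This is an added example, not part of the original page: the header below is constructed with placeholder domains and documentation IP addresses, and `triage` is a hypothetical helper name.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
VERDICT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Constructed header for a "from you to you" message.
RAW = (
    "Return-Path: <info@example.org>\n"
    "Authentication-Results: mx.example.org;\n"
    "\tspf=fail smtp.mailfrom=info@example.org\n"
    "Received: from mx.example.org (mx.example.org [192.0.2.10])\n"
    "\tby inbox.example.org with ESMTP; Fri, 01 Mar 2024 10:00:02 +0000\n"
    "Received: from unknown (HELO mailer.example.net) (198.51.100.7)\n"
    "\tby mx.example.org with SMTP; Fri, 01 Mar 2024 10:00:01 +0000\n"
    "From: info@example.org\n"
    "To: info@example.org\n"
    "Subject: Your account\n"
    "\n"
    "Message body omitted.\n"
)


def triage(raw: str) -> dict:
    """Summarise where a message came from and which tests it went through."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()

    # Every server adds its Received line at the top, so reversing the list
    # gives the route in travel order. Only lines added by servers you trust
    # are reliable; the sender can forge anything below them.
    hops = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    hops.reverse()
    origin = IPV4.search(hops[0]) if hops else None

    # Results of the tests carried out by the receiving server.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    verdicts = {k.lower(): v.lower() for k, v in VERDICT.findall(auth)}

    return {
        "from": sender,
        "to": recipient,
        "self_addressed": bool(sender) and sender == recipient,
        "hops": hops,
        "origin_ip": origin.group(0) if origin else None,
        "verdicts": verdicts,
    }


if __name__ == "__main__":
    for key, value in triage(RAW).items():
        print(f"{key}: {value}")
```

When passing a suspect email to someone else for analysis, save it as a file with its full header rather than forwarding it, because forwarding replaces the original header.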

There will always be a link or something traceable

In all of the various spoofed emails and scams there will always be a link to something. In this case there is a reference to a digital wallet so the person can receive Bitcoin. I do not think you can trace that to an individual, so it is a great way of hiding. Sometimes there is an email address, or a hidden link to a website. While not impossible, those are fairly easy to hide behind too.

What if you receive something like this?

Firstly do not panic. The sender wants you to panic, that is why these emails are constructed like this. The first task is to move the email to a special folder and leave it there. Do not click on anything in the email or send any reply. Also do not download any hidden images in the email because this confirms someone has read it. 

Calmly read through it and check to see if it is generic (could be applied to anyone) or specific to you. Chances are it is generic. If you are not sure about it, contact me and tell me about it, but do not send it to me. It is highly likely if you send it to me on my usual email address it will be detected and sent straight to my junk mail folder, so just let me know you have a problem you need me to check. 

What I will want to look at is the header in the email as well as the email contents, which is why you should park it somewhere safe and not delete it. 

 

The take out more domains scam……

This scam is very subtle; it preys on fear, uncertainty and doubt. If you are not regularly doing business in this field and receive a message like this, it can be quite distressing. Note that the email below is not actually asking you for anything, but it is begging you to reply.

How does it work?

I have deliberately changed the real domain name in question to homestart-czw.

The sender (who is probably real) claims that they wish to use homestart-czw as a keyword in Chinese domain names.

They know that there is a homestart-czw.org.uk and that is how they found it. Similar scams along this theme may claim ownership of copyright or trademarks. What they want you to do is reply to the message. In other words start a conversation.

The sender will claim that you should protect your domain name against misuse by purchasing a set of CN (Chinese) domain names to protect your UK one. It will not stop there; they will also recommend that you purchase other domain names including the text “homestart-czw” for Thailand, Malaysia, Indonesia, Vietnam, Philippines etc. Before you know it you have purchased maybe 5 or more domain names that you do not need. Plus you have to renew them every year. The last one of these I looked at a few years ago would have amounted to an annual bill of £100 per year.

Why should I ignore this?

Fundamentally because you are not trading worldwide, at best you are trading at the county level and most of you are at the local level covering a sub region in a county. Your domain name will generally give a clue about where you are:  homestart-czw.org.uk is an Organisation (charity) based in the UK. You are not providing services in China or Asia, therefore no conflict exists.

However, you have to admit that, from a “plausible deniability” perspective, the person making the enquiry could just claim he is trying to help you! Sadly there is nothing going on here which could be deemed to be illegal.

If you receive a message like this, send it over and I will check it for you.

The web address ringed in red in the image is written in a way designed to fool spam checking tools, which will probably be looking for that website address. That is why it has spaces and square brackets where there should not be any.

Self directing spam to a spam folder!

We are all subject to spam messages, and sometimes they can be a real pain. There are various mechanisms for reducing it; the more sophisticated methods I use require a match between some text and an image.

However if a human is behind sending spam, then they can defeat these systems and send it anyway.

During an idle moment, I started to think about it a bit more.

If it is a human sending spam messages, then it is likely that they do not get paid much, and probably do not pay too much attention to what they are sending. I can tell this by looking at some of the messages that come in which have letters for example where telephone numbers should be. Or perhaps the systems are automated and have a human standing by when a problem occurs. 

Either way, I have also noted that if a choice is already made in a form, then the default choice is often used. So what happens if the default selection is “I send Spam“?  So I tried it. 

In the image you can see that there is now a selection for the subject line of the message. The default setting is “I send spam”. If a bot or bored human sends a message they will not change that setting. Anyone genuinely wishing to contact the website will make a selection other than “I send spam”.

… And here is the first candidate through this form. It is a spam message and they have not changed the subject line. So if this theory holds up I can now create a filter in my email box, that redirects the suspect message into a folder for messages that have “I send spam” in the subject line. 

The filter above will detect any messages coming into this mail box which contains the precise text “I send spam” on the subject line, and redirect it to a special folder called Spam Suspects.
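The same rule, written out as code, covers both the auto-filing step described under Email Filtering and the filter described here. This is an added example, not the filter from the original page: the sample messages are constructed, `route` and `sort_messages` are hypothetical names, and the "[Website enquiry]" prefix is an assumed form setting. It goes slightly beyond an exact text match by ignoring letter case and decoding encoded subject lines.

```python
from email import message_from_string, policy

TRAP_SUBJECT = "i send spam"      # default option on the form, lower-cased
SUSPECT_FOLDER = "Spam Suspects"  # folder name used in the text

# Constructed sample messages, as a contact form might deliver them.
SAMPLES = [
    "From: a@example.com\nSubject: I send spam\n\nCheap pills\n",
    "From: b@example.com\nSubject: [Website enquiry] I send Spam\n\nSEO offer\n",
    "From: c@example.com\nSubject: =?utf-8?q?I_send_spam?=\n\nEncoded subject\n",
    "From: d@example.com\nSubject: I wish to volunteer\n\nI am free on Tuesdays\n",
]


def route(raw: str) -> str:
    """Return the name of the folder a message should be filed in."""
    msg = message_from_string(raw, policy=policy.default)
    # policy.default decodes RFC 2047 encoded words, so an encoded subject
    # is compared as the text a person would see, not as raw characters.
    subject = str(msg.get("Subject", ""))
    normalised = " ".join(subject.split()).casefold()
    return SUSPECT_FOLDER if TRAP_SUBJECT in normalised else "Inbox"


def sort_messages(raw_messages):
    """File every message. Suspects are moved, never deleted, so a genuine
    enquirer who left the default subject in place can still be found."""
    folders = {"Inbox": [], SUSPECT_FOLDER: []}
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        folders[route(raw)].append(str(msg.get("From", "")))
    return folders


if __name__ == "__main__":
    for folder, senders in sort_messages(SAMPLES).items():
        print(folder, senders)
```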

About this approach

It is experimental, but looking promising.

Pros:

  • It should trap spammers who are either bots, humans, bots supported by humans, or people who are not paying attention.
  • With the default subject line the message can be accurately detected and sent to a special folder.
  • The inbox should be more clear of spam than it was before.

Cons:

  • A real enquirer not paying attention might also fall for it.
  • You still have to check the spam suspects folder and clear it out from time to time in case there is something important in there.

Your Website has been hacked….. send Bitcoins.

There is a well documented scam going around where you will receive a message which tells you your website has been hacked and they have all of your data, and data from your clients and they are going to contact everyone and sell the data and cause you a load of grief. (I have paraphrased that to keep it short). If you get anything like that please do the following:

1). Don’t panic

2). Send a copy of it to me

3). Wait until you hear back from me

Do not pay anyone anything, or engage in a conversation. The language, including the grammatical errors, is recorded in multiple places on the web. It is a well known scam. Another one which is designed to instil panic in the recipient.

While I am on the subject there is a second one which claims to have taken over the camera on your computer and has images of you in compromising situations (I will leave that to your imagination!), that one is another scam. I have not seen it recently, but what goes around comes around eventually. 

Both messages will come from a non traceable source, and both are asking you to deposit Bitcoins in an account.

Fake 20i.com invoices

There have been several instances (around 15 of them) where an invoice has been sent to an organisation claiming to come from 20i.com and stating that their domain name has expired or is about to expire. 

The information relating to your domain name is available to view on the Nominet website: Registration Data Lookup by Nominet. Just enter your domain name and other information will be presented.

Someone, or some group, has been trawling through this data and identifying websites that are hosted by 20i.com. I have a reseller account at 20i.com and deal directly with them. You have no relationship with them. Invoices from 20i.com are not sent to you, they are sent to me, and I look after them for you. The people behind the scam do not know that.

If you receive anything about your website, or your domain name and you are not sure, send it to me and I will confirm whether it is a scam or not. It stands to reason that if you do not have a relationship with 20i.com then you would not expect to receive an invoice from them. 

20i.com are aware that this is happening; no doubt other hosting companies are being targeted too.

Refresher Training

Forgotten how to edit your website?

Don’t despair, I have some solutions available for you.

While I provide a lot of help FOC for short enquiries, I do have quite a large number of people I am in contact with now.

For all new websites and since those days of Covid I have been providing online training for Divi site owners. Before Covid, I used to visit most people and do the training face to face. I now have a few sites in Scotland and Northern Ireland so that is not always feasible.

I can provide the following to you:

  • 2hr tutorial on what you need to know about WordPress and how to edit your website and create news.
  • Editor page built into your website with support PPT on it and links to other resources.
  • Editing exercise page.
  • 1 hr post editing training support. This is on an as needed basis, so if you need me to check something or have a question, this will be debited by the minute.
  • A video of the Zoom session.

This is a more elaborate version of what I did when visiting my clients.  It is designed to help you to be independent. Cost is £50 only available to direct clients with sites I have built.

No Budget – No Problem

I also have some training resources and tips on this special page: https://wingrove-media.uk/hsuk/. If you scroll to the bottom of this page you will find there is a tutorial online and a list of times for the various exercises. This is available free of charge.

Editing Credits

While this service is not part of my normal package, I realise that some people do not need to edit their sites very frequently, or just want to outsource editing the website. I can provide up to 3hrs of editing time on an as needed basis. To take advantage of this you purchase an editing credit. Once that is agreed, you pass content to me and I will place it on your website for you. I keep a record of how long each one takes and share that with you. Contact me for more details. This service is only available if I built your website.

Complex Forms are now Available

Mainly for Home-Starts

I switched over to Contact Form 7 several years ago and am now familiar with several plugins which extend the functionality, particularly in the area of complex forms.

I now have available:

  • Professional and Self Referral Forms (£130 for both)
  • Volunteer online diary (£80)
  • Volunteer Application Form (£80)

The first professional referral form took 1 week to create from scratch. I start with an off the shelf copy of one of the forms, and take feedback to modify the form for your organisation.

The form has two major components; what you can see online, and a formatted email which is returned to the organisation with all of the data in it. It is also possible to include the data as a CSV string of characters which you could import into a spreadsheet or database. The email is human readable and annotated to clearly list the data submitted by the user. 

You can see some examples on this site and have a play: https://wingrove-media.uk

Contact me for more details. I can also point you to live examples which are currently in use by various organisations. 

Beware of Phishing

Over the past year I have become aware of many instances of phishing; it is much more prevalent than it was 2 years ago. It is also becoming increasingly sophisticated: if one person in a group that regularly communicates is compromised, his/her contacts might be next.

Your regular email address is critically important

Phishing will try to target your email address, and get you to enter your password and email address into a box, believing that you can download something allegedly from a colleague. It may appear as an email in your inbox, or you may at some point be directed to a page with a form on it asking you to enter your credentials.

These attacks will frequently occur on a Friday afternoon, or just before a bank holiday weekend, just because it will be more difficult to independently check to see if something is legitimate or not.

I am aware of several cases where organisations have been caught out by this, it works in the following way:

Jane receives an email from a colleague asking her to download a document from say Sharepoint. Jane knows her colleague and while the email may have been short and to the point, she does not suspect anything. She clicks on a form in her email, and is then taken to the form on a website. She enters her email address and password anticipating this will allow her to download a document.

But nothing happens

Well, nothing obvious happened, so I will just assume it was broken……

What has actually happened is Jane’s email address and password have been passed to a 3rd party. The form was not legitimate. The hacker can now access Jane’s email. In Jane’s email account are years of correspondence and messages that reveal whom Jane has been talking to, which other accounts she has access to, bank accounts, websites, credit cards etc. But Jane does not know someone is looking at her email. The hacker could independently copy everything now and study it more carefully, and then contact one of Jane’s colleagues and do the same thing.

I received one of these messages last year, as did my wife.  In both cases our security recognised that the website we were being directed to was not legitimate.

Being Paranoid

Please be especially sensitive to anything that looks vaguely odd. These messages when they occur, are often very short, with no context, or a very limited context such as an invoice or payment has been made, or not been made. Many of them are also designed to shock you into acting quickly. They also arrive at the end of a day or just prior to a weekend.

Take a breath – is it real?

If you are suspicious, find an independent route to check in with this person to make sure it was really sent and genuine. Don’t ever think “it won’t happen to me”. Complacency is one of the factors in these attacks succeeding. Remember that if your main email address is compromised, it compromises everything that you have used your main email address for. Plus your main email address will be used for password recovery too.

In one case I was suspicious of a message asking me to click on something, but the sender was known to me, so I replied to them. I immediately got a reply back saying it was all quite innocent and not a phishing email…. So I clicked on it, and my security system immediately flagged up that it was a phishing site before I could enter anything. In this case, the hacker was also sitting on the person’s email account and answering emails. The email account owner was unaware that this was happening. This is why it is better to find a phone number and call them, or call a colleague to check first. In my case I used the same communications channel to ask if it was legitimate or not, and the hacker was waiting.

Remember if it goes wrong….

You are going to have to change all of your passwords starting with your email account, and then all of the accounts tied to your email account. It will take a long time to change everything, and you have to remember to cover everything. So it is worth being careful and more sensitive than “normal” whatever normal means these days!

It can be worse if you are using a free email account….

If you are using Gmail, Yahoo or Hotmail, then the hacker can completely take over your account. You will find it quite challenging to regain control. There is no support desk with live people you can converse with on these free email accounts. So do take care, and make sure you have 2 Factor Authentication set up with any free accounts. That will help to protect you.

Client Data on Websites

GDPR and your website

When you created your GDPR conformance policy, you should have given consideration to where data is located in your organisation. If you do not know where it is located, you cannot really claim to control it. 

The websites I have created over the last 5 years do not contain a lot of user data by design. Other than what is visible to the public, the data in the site is generally limited to details of the administrators and editors on the site, such as email addresses. Where subscriber lists are present, there may also be subscriber names and email addresses held in the site. But not much else.

This means if a hacker gets into a site, there is not really very much there which might be of value to them. 

I am aware of some sites though that contain copies of forms being submitted through the site. This can occur if someone else has added a form manager that does this, or a database extension to collect and store user submitted information.

There is no value in keeping copies within the website if the email function is working and all user submitted data is sent to your organisation for processing. In fact, retained copies of previously submitted forms will likely contain sensitive information, which could represent a data breach if the data fell into the wrong hands.

Check your website

It is worth checking your website to make sure there are no records of previous form data being retained in the website. If you find something and you know this data has been submitted to the organisation through an email account, you do not need copies on your website. So delete them all. It is worth considering whether it is possible to stop copies being retained, or if you cannot stop copies being retained, make a note to revisit your site and delete them regularly. A form manager that does not retain copies might ultimately be a better choice for the future.  
