Is this the worst 419 ever?!

It hit my mailbox today – the decision to put the entire letter in a jpg file probably got it past gmail’s spam filters… but sheez, this is absolutely terrible… terribly perfect as a rip-off, that is…

Get this:
1) Firstly, the spelling and grammar are actually almost acceptably good!
2) It puts a whole new spin on the usual “God bless you for your help” and other religious crud in the “help me collect my dead husband’s fortune” 419s by pretending to be from a Christian in Saudi Arabia who had converted (along with the dead hubby) from Islam.
3) It then goes on to state that her purpose for the money is charity! To build things like cancer research centers!
4) The “I have cancer” bit is a nice (if rather fucked up) twist…

Sheez… I can just see a million fundamentalists falling for this one… Here is the letter as I received it.
Please if you get this – IT IS NOT REAL. These scammers have in the past committed fraud, theft, kidnapping and even more violent crimes than that against people who respond. Do not fall for it.

Oh, and whichever scammer came up with this one… you know, “Sister Mary Jones” is really not a very believable name for a lady who was born to a Muslim family in Saudi Arabia!

419 Scam

automountd considered harmful…

This is a post based on personal experience that led to a fairly major outage for me recently, so I won’t share any specific details, but I will explain the issue so others can be warned. The automountd in question was running on an older version of HP-UX, so I suppose it’s possible that newer Linux systems have some kind of protection against this, but since the flaw is fundamentally part of how automount works – I doubt it.

Imagine you have an NFS share that contains a lot of directories, and various clients will only ever access some of them. One popular setup here is to make the master share an automount point – hooked into the subdirectories. Let’s say you set this up on /shared_files.

Now when a user tries to enter /shared_files/documents, for example – the automounter sends a mount request to the NFS server, mounts the documents directory directly, and the user transparently gains access… sounds perfect, right?

Here’s the flaw… what happens if the user tries to access a directory which doesn’t exist in the share? Say /shared_files/garbage… well, a mount request gets sent anyway, the server rejects it – and the user gets a file-not-found.

That’s all well and good right?

But now… what if I do this:

# every iteration asks the automounter for a directory that does not exist,
# so every iteration becomes a mount request the NFS server has to reject
while /bin/true ; do
    ls /shared_docs/$RANDOM
done

See what happens now: an instant denial of service against the NFS server. Normally NFS is fairly safe from DoS, as it’s usually not exposed online and generally someone inside the company would need root access to issue a mount request – but this can be done by any user, and worse, from any server he has access to (so it could be distributed). And just to add the cherry on top, similar scenarios could just as easily spring from stupidity or a buggy program/script – there isn’t even any need for malice…
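As an added example that is not part of the original post: from the NFS server side this pattern is easy to spot, because every bogus lookup turns into a refused mount request. The script below counts refused requests per client over a sliding window and flags the ones that burst. The log format, host names and addresses are constructed for illustration (mountd’s exact wording differs between HP-UX and Linux).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines in a mountd-like format (hypothetical, not
# copied from a real server). The burst from 10.0.0.7 mimics the $RANDOM loop;
# 10.0.0.9 is an ordinary client with one typo.
SAMPLE_LOG = """\
Jan 12 10:00:00 nfs1 mountd[812]: refused mount request from 10.0.0.7 for /export/23411 (/export): not exported
Jan 12 10:00:00 nfs1 mountd[812]: refused mount request from 10.0.0.7 for /export/9082 (/export): not exported
Jan 12 10:00:01 nfs1 mountd[812]: authenticated mount request from 10.0.0.9 for /export/documents (/export)
Jan 12 10:00:01 nfs1 mountd[812]: refused mount request from 10.0.0.7 for /export/17 (/export): not exported
Jan 12 10:00:01 nfs1 mountd[812]: refused mount request from 10.0.0.7 for /export/30001 (/export): not exported
Jan 12 10:00:02 nfs1 mountd[812]: refused mount request from 10.0.0.7 for /export/5 (/export): not exported
Jan 12 10:00:45 nfs1 mountd[812]: refused mount request from 10.0.0.9 for /export/typo (/export): not exported
"""

# Only refused requests matter; successful mounts never match this pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ mountd\[\d+\]: "
    r"refused mount request from (?P<client>[\d.]+) for (?P<path>\S+)"
)


def find_mount_floods(log_text, window_seconds=10, threshold=5, year=2024):
    """Return {client: peak_count} for every client whose refused mount
    requests reach `threshold` within any `window_seconds` sliding window."""
    recent = defaultdict(deque)  # client -> timestamps inside the window
    flooding = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog lines carry no year, so one is supplied to build a datetime
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["client"]]
        q.append(ts)
        while q and (ts - q[0]) > timedelta(seconds=window_seconds):
            q.popleft()  # drop requests that fell out of the window
        if len(q) >= threshold:
            flooding[m["client"]] = max(flooding.get(m["client"], 0), len(q))
    return flooding


if __name__ == "__main__":
    for client, count in find_mount_floods(SAMPLE_LOG).items():
        print(f"{client}: {count} refused mount requests in one window")
```

A single refused request is just a user mistyping a path; it is the rate per client that distinguishes the loop above from normal use, so tune `threshold` and `window_seconds` to the share’s real traffic.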

This problem isn’t limited to NFS; you’d have the exact same issue if you were using Coda or practically any other network file system. Essentially automount, when used at the “in the directory” level, is a disaster waiting to happen: it’s a daemon that executes a root-privileged command when triggered by actions a non-privileged user can perform… inherently this is very dangerous.

It is for this reason that I am piece-by-piece ridding my network of automount-based setups, and switching to simply mounting the /shared_docs equivalents via fstab directly (besides which, one on-boot mount request is so much less overhead than hundreds of on-access requests).

The new way 419 scammers are getting around spam filters: get you to mail them first.

Man, just when I thought I’d seen it all, 419 scammers seem to have caught on to the fact that most spam filters now simply destroy their mail without people even seeing it, preventing them from ever reaching potential gullible victims. They found a way around it, elegant and scary in its simplicity.
I just received an SMS that read: “Please contact Doctor Kelvin agentdrkelv@gmail.com for your prize of 7500000 pounds”. The number starts with +44, which is the correct country code for the UK (I had it wrong earlier, corrected now) – don’t be fooled by this.

Yep, the classic lotto prize 419, in an SMS – the interesting thing is that they obviously realized a message as short as an SMS is not enough to pull off a full scam, so they just put the bait there, then lure you into mailing them – if you do, of course, it’s business as usual for one of the most effective criminal syndicate systems we’ve faced.

This shows a classic problem with security systems – technology convergence. In the beginning they kept beating spam filters by simply spamming better; now that this is becoming hard, as we are getting good at picking up the consistent messages they need, they are reaching you through a completely unfiltered technology, and thus leading you into starting the conversation. Almost no spam filter in the world will flag a message as spam if it’s a reply to one you sent.

It’s very wrong, but it’s very clever. So this post is a warning to those who read it. I am sure I wasn’t specifically targeted for the SMS. These people almost certainly invested in bulk SMS packages and are texting large numbers of people at overseas rates. A much more expensive proposition than mass mailing, but they must believe the payoff is worth it. So when you get your 419 SMS – ignore it, or contact the cops; whatever you do – don’t mail the address in it.