Re: RE : ... blah lbah blah ... spam

2017-08-07 Thread tomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Mon, Aug 07, 2017 at 08:11:08AM +0900, Mark Fletcher wrote:
> On Sun, Aug 06, 2017 at 04:58:42PM +0200, Thomas Schmitt wrote:
> > Hi,
> > 
> > reading more about Gmail Smart Reply in
> >   
> > https://www.blog.google/products/gmail/save-time-with-smart-reply-in-gmail/
> > i got a new theory:
> > 
> > The AI learns from the user's mail habits [...]

> As a gmail user, I've been reading those auto-reply options on mails for 
> a couple of years now, feels like [...]

Scary, but plausible. Yeah, spammers are the flies and mosquitoes,
nasty, disgusting and perhaps sometimes transmitting diseases, but
the crocodiles are Google, Facebook et al.

> [...] genuine Muggles responding to spam [...]

Now this is a very nice way to put it. You made my day, thank you :-))

> the debian-user email address as sender. That also neatly explains why 
> we didn't see the original mail -- it wasn't sent TO debian-user, it was 
> sent AS debian-user.

Exactly. Or perhaps the spammer doesn't even care and is sending from
a domain long ago blacklisted by all self-respecting filters (to gather
evidence for or against that, one would have to pick through the
headers, in the hopes that the Muggles' mail user agents don't mutilate
too much. Dunno).

Those links lead to either (javascript-vectored) malware or some other
kind of nonsense. Typically they are short-lived (taken down quickly),
so they want to spread as quickly as possible.

> And the ironic thing is I doubt the spammer even expects to be able to 
> recover the replies in the end,

[...]

No. They want the clicks. And, thanks to the blind "full quote" disease
(thanks, Microsoft), this link gets passed unharmed on in the "Muggle
bounce".

> I suspect debian-user has just made it into their lists one way or 
> another and they probably haven't even noticed. So a bunch of hassle for 
> a lot of people, and the perpetrators didn't even specifically intend to 
> do it. (they also are supremely indifferent to the trouble they have 
> caused)

Here I'm more of a cynic than you: I think inserting medium-to-high
volume lists (with a web-accessible archive at that!) is a welcome
multiplier to these folks. It's an industry, where livelihoods are
at stake: expect them to be resourceful!

Cheers
- -- tomás
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlmIH44ACgkQBcgs9XrR2kbM+gCfXvRBbtuzlBIKh+/3KwNodtaL
Fc4AnAipSLKodK1fRN5Yd38s6ryWc/v4
=8Uiv
-END PGP SIGNATURE-



Re: RE : ... blah lbah blah ... spam

2017-08-06 Thread Mark Fletcher
On Sun, Aug 06, 2017 at 04:58:42PM +0200, Thomas Schmitt wrote:
> Hi,
> 
> reading more about Gmail Smart Reply in
>   https://www.blog.google/products/gmail/save-time-with-smart-reply-in-gmail/
> i got a new theory:
> 
> The AI learns from the user's mail habits to be able to propose three
> quick replies in the personal writing style of the user.
> If you annoy the AI from outside (see also "Goozim" :)) then it will lure
> the user into such a quick reply.
> So the initiator learns a brief psychological profile of that user
> in respect to obvious vulgarity and spam.
> 
As a gmail user, I've been reading those auto-reply options on mails for 
a couple of years now, feels like. The Gmail auto-reply feature doesn't 
come up with the kind of thing we have been seeing on the list. It 
certainly doesn't put profanities in the replies, unlike some of the 
clearly frustrated repliers we have seen recently.

We are not seeing auto-replies here; I am with whichever Thomas it was 
that suggested this is genuine Muggles responding to spam that hijacked 
the debian-user email address as sender. That also neatly explains why 
we didn't see the original mail -- it wasn't sent TO debian-user, it was 
sent AS debian-user.

And the ironic thing is I doubt the spammer even expects to be able to 
recover the replies in the end, in this case. Having to go to the 
archives and search for responses to past-sent spam mails just doesn't 
fit with their operating model, which is to take very large scale action, 
and reap results with minimal effort. (take as evidence the spam one 
sometimes gets from addresses like big.hairy.mike...@somedomain.com 
purporting to be from an 18-year-old Eastern European girl looking for a 
husband... It's obviously bollocks and they don't give a monkey's that 
it's obviously bollocks, because there will be others in the mountain of 
stolen and/or forged addresses like exotic.angel...@sexyangels.cz or 
something, that might actually get a reply from someone stupid enough)

I suspect debian-user has just made it into their lists one way or 
another and they probably haven't even noticed. So a bunch of hassle for 
a lot of people, and the perpetrators didn't even specifically intend to 
do it. (they also are supremely indifferent to the trouble they have 
caused)

Mark



Re: RE : ... blah lbah blah ... spam

2017-08-06 Thread Fungi4All
From: geo...@nsup.org
>On nonidi 19 Thermidor, year CCXXV, Thomas Schmitt wrote:
>> Further, if this spam shall sneak through spam filters, why does nearly
>> all of it bear that peculiar URL domain ?
>
>Because that is the URL that the spammer wants to advertise, of course.
Not true, look closely at the links, they are all different, they forward to
the same site. So you can not screen by it
Here are the last 5
http : //bit.ly/2vBXTKq
http : //bit.ly/2vtmktp
http : //bit.ly/2u4JToE
http : //bit.ly/2u4oj3x
http : //bit.ly/2ud5DyE
https://bitly.com/
I am sure the folks at bitly.com know who made these links
>Nicolas George

Re: RE : ... blah lbah blah ... spam

2017-08-06 Thread tomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Sun, Aug 06, 2017 at 03:30:41PM -0400, Fungi4All wrote:
> >Clever. Yes, going by the headers, those seem genuine replies to spam.
> 
> > The spam is crafted in a way (cc) that the reply lands here (for the
> > spammer, this distribution channel is what they want). The Goozim
> > bit seems compelling :)

[...]

> I am confident that the reply is the spam [...]

We have only the headers to go by, and some of that can be spoofed.
So I think your guess is as good as Thomas's and/or mine. What favors
our guess is spammer economy: one scarce resource for the spammer
is genuine domains/addresses (a spamhole domain quickly garners
a high spam score), and bouncing off unsuspecting users covers that
nicely.

Cheers
- -- tomás
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlmHcPcACgkQBcgs9XrR2kayPACfXQcSEHpU44zyYo1xCs1qKty+
Rm4An00m2Cj0G7gvQ43ECx30pS4X4Nwq
=ia99
-END PGP SIGNATURE-



Re: RE : ... blah lbah blah ... spam

2017-08-06 Thread Fungi4All
>Clever. Yes, going by the headers, those seem genuine replies to spam.

> The spam is crafted in a way (cc) that the reply lands here (for the
> spammer, this distribution channel is what they want). The Goozim
> bit seems compelling :)
> Cheers
> -- t

I am confident that the reply is the spam, but a quick look on some of them
reveals that the link is never the same, but a short link to the spammer's site.
So no matter how many times you will screen for the short link a new one
will keep being forwarded.
The problem is that it is very easy eye-balling the subject line patterns you can
easily pick the spam off in one take. What your eye can do no software will
learn to do. Some German, some French, some English. Patterns in all.
Maybe someone who has invented a new AI learning spam filter is trying to
promote it this way. How do we know that the internet's most high-volume
member lists do not all have the same patterned messages? I bet debian is
not the only one. Has anyone figured out what vulnerability of windows/os/android
is this site exploring? It might be a statistical model research for how easy it
is to draw people into something with ill-motives. Maybe it is someone's
dissertation on spam and malware.

Re: RE : ... blah lbah blah ... spam

2017-08-06 Thread tomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Sun, Aug 06, 2017 at 04:58:42PM +0200, Thomas Schmitt wrote:
> Hi,
> 
> reading more about Gmail Smart Reply in
>   https://www.blog.google/products/gmail/save-time-with-smart-reply-in-gmail/
> i got a new theory:
> 
> The AI learns from the user's mail habits to be able to propose three
> quick replies in the personal writing style of the user.
> If you annoy the AI from outside (see also "Goozim" :)) then it will lure
> the user into such a quick reply.
> So the initiator learns a brief psychological profile of that user
> in respect to obvious vulgarity and spam.
> 
> By fake mail headers in the original poking mails, the reply then
> appears here. The annoyer may be subscribed or may simply harvest
> the replies from our web archives.

Clever. Yes, going by the headers, those seem genuine replies to spam.
The spam is crafted in a way (cc) that the reply lands here (for the
spammer, this distribution channel is what they want). The Goozim
bit seems compelling :)

Cheers
- -- t
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlmHZw4ACgkQBcgs9XrR2kY/VwCbB2sYab5DgbO+4TzPvi2A0L/w
pf4AniQ+Wcv6OAO3Kiw7cx/jvo8B+GfO
=pPta
-END PGP SIGNATURE-



Re: RE : ... blah lbah blah ... spam

2017-08-06 Thread John Hasler
Nicolas George writes:
> Debian's are part of the few tech mailing-lists that I know that are not
> moderated for posts by non-users.

It's also one of the few that are publicly archived with no
obfuscation of email addresses.

I doubt that spammers utilize any fiendish schemes to attack
debian-user.  Email addresses are too easy to get by mining the Web
and/or perusing address lists on compromised machines.
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA



Re: RE : ... blah lbah blah ... spam

2017-08-06 Thread Thomas Schmitt
Hi,

reading more about Gmail Smart Reply in
  https://www.blog.google/products/gmail/save-time-with-smart-reply-in-gmail/
i got a new theory:

The AI learns from the user's mail habits to be able to propose three
quick replies in the personal writing style of the user.
If you annoy the AI from outside (see also "Goozim" :)) then it will lure
the user into such a quick reply.
So the initiator learns a brief psychological profile of that user
in respect to obvious vulgarity and spam.

By fake mail headers in the original poking mails, the reply then
appears here. The annoyer may be subscribed or may simply harvest
the replies from our web archives.


Have a nice day :)

Thomas



Re: RE : ... blah lbah blah ... spam

2017-08-06 Thread Andy Smith
Hello,

On Sun, Aug 06, 2017 at 03:56:35PM +0200, Nicolas George wrote:
> Your Occam's razor is definitely blunted. These mails are spams
> masquerading as legitimate answers to bypass automated filters and catch
> the reader's attention, nothing more. That is the simplest explanation,
> consistent with all the techniques used by spammers and there is
> absolutely no evidence of anything else.

I disagree. I am very confident that these emails are from real
people who have received a spam sent with the from address of
debian-user, and they are replying to it. They aren't members of the
list and they don't realise that the thing they're replying to is a)
not the actual sender and b) a mailing list with thousands of people
on it.

I find that explanation far simpler than the idea that a spammer has
decided to send email to debian-user that masquerades as a large
number of very confused people who want to stop receiving their
email (or, in some cases, are asking for more information about the
sexy woman who has contacted them).

As such, asking people not to reply to them while being sensible
advice for spam in general, in this specific case isn't that helpful
as the people who are replying are not subscribed to this list and
will never see the advice.

As evidence, I have in the past responded to some of these people
off-list and they behave as just confused normal people who want the
emails to stop. They don't try to sell me anything or entice me to
visit any web sites. In fact sometimes they remain so confused that
they think I am the spammer and just keep asking me to go away,
regardless of what I say.

It could be argued that if they are spammers their goal might be to
get people to reply, purely to harvest email addresses, but in that
case they need not reply to me, yet they do reply, in the style of a
normal, confused person. Also there are much simpler ways to harvest
valid email addresses, e.g. the archives of this list.

I don't find any other explanation simpler than that one, and it's
testable by replying to them. We know that spammers forge from
addresses, so just imagine the consequences of a spam run that had
debian-user as its from address, and you will conclude that it would
play out exactly as we see here.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: RE : ... blah lbah blah ... spam

2017-08-06 Thread tomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Sun, Aug 06, 2017 at 10:35:56PM +1000, Zenaan Harkness wrote:
> Seems there's a fair bit of responding to what is evidently spam, so
> perhaps it's been a while since an old-hand explained these ropes:

The person having responded "stop" to that mail is most probably *not* on
the mailing list. Either write them directly (which most of the time won't
help) or just report the thing itself as spam.

The way I guess that works is: some random victim (in this case
colette.chaillou76) receives the spam, which contains also a Cc:
to debian-user@ (or whatever high volume list). This person hits
"reply all", requesting the spam to stop (not all will do it, but
a probability greater than zero pays off for the spammer).

The Cc may well be spoofed, so that we don't even see the original
mail. Or that gets caught in the list's spam filter.

Think bounce spam with a human interface in the middle.

If you want to harangue somebody, then it'd be the sender directly.
In the current case, better try French :-)

Cheers
- -- tomás
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlmHLM4ACgkQBcgs9XrR2kZgLQCbBzzEMdAUqaVA838Ov4loNebd
DCsAn3sOvkkdezspSmxgeqCT6mkdNVn8
=AJ/e
-END PGP SIGNATURE-



Re: RE : ... blah lbah blah ... spam

2017-08-06 Thread Nicolas George
On nonidi 19 Thermidor, year CCXXV, Thomas Schmitt wrote:
> This theory does not explain why it is so focused on debian-user,
> where it is very unlikely to find a receptive audience.

Debian's are part of the few tech mailing-lists that I know that are not
moderated for posts by non-users.

> Further, if this spam shall sneak through spam filters, why does nearly
> all of it bear that peculiar URL domain ?

Because that is the URL that the spammer wants to advertise, of course.

> But i prefer the idea that there is some reason behind this and we are
> the public test area for something more insidious.

Enjoy your conspiracy theories.

Regards,

-- 
  Nicolas George




Re: RE : ... blah lbah blah ... spam

2017-08-06 Thread Thomas Schmitt
Hi,

Nicolas George wrote:
> Well, I have never seen any hint of that kind of feature.

As for spirit of our days:

  https://techcrunch.com/2017/05/17/google-brings-smart-replies-to-gmail-on-ios-and-android/
  https://www.theverge.com/2017/7/26/16000562/easilydo-edison-mail-app-email-smart-reply-security-new-name

But i found none yet which would combine this with a dummy text generator.


> Your Occam's razor is definitely blunted.

Can it be yours is a two-handed sword ?

> These mails are spams
> masquerading as legitimate answers to bypass automated filters and catch
> the reader's attention, nothing more.

This theory does not explain why it is so focused on debian-user,
where it is very unlikely to find a receptive audience.
Further, if this spam shall sneak through spam filters, why does nearly
all of it bear that peculiar URL domain ?

> That is the simplest explanation,

You may get to a less easily refutable theory by saying that somebody
simply wants to annoy us. (By using painfully dull means. So evil.)

But i prefer the idea that there is some reason behind this and we are
the public test area for something more insidious.


Have a nice day :)

Thomas



Re: RE : ... blah lbah blah ... spam

2017-08-06 Thread Nicolas George
On nonidi 19 Thermidor, year CCXXV, Thomas Schmitt wrote:
> No. But it would match the spirit of our days and it would explain
> why we see erratic replies to slimy but quite redundant originals.

Well, I have never seen any hint of that kind of feature. Therefore,
until somebody produces evidence they exist, I suggest to stop wasting
time speculating about them.

> Also, many of the replies bear the signatures of mobile devices which
> are most probably smarter than their owners.
> So we might deal with semi-AIs who do not yet understand the concept
> behind big balloons and their meaning to male cro-magnons.
> (They may contact me in private so i can explain about our heritage
>  as rampant sea squirts juveniles.)

Your Occam's razor is definitely blunted. These mails are spams
masquerading as legitimate answers to bypass automated filters and catch
the reader's attention, nothing more. That is the simplest explanation,
consistent with all the techniques used by spammers and there is
absolutely no evidence of anything else.

Regards,

-- 
  Nicolas George




Re: RE : ... blah lbah blah ... spam

2017-08-06 Thread Thomas Schmitt
Hi,

Nicolas George wrote:
> Do you have any evidence that this kind of button exists?

No. But it would match the spirit of our days and it would explain
why we see erratic replies to slimy but quite redundant originals.

Also, many of the replies bear the signatures of mobile devices which
are most probably smarter than their owners.
So we might deal with semi-AIs who do not yet understand the concept
behind big balloons and their meaning to male cro-magnons.
(They may contact me in private so i can explain about our heritage
 as rampant sea squirts juveniles.)


Have a nice day :)

Thomas



Re: RE : ... blah lbah blah ... spam

2017-08-06 Thread Nicolas George
On nonidi 19 Thermidor, year CCXXV, Thomas Schmitt wrote:
>  Open question is whether there are
> humans who press a Go-Away button on their smart phones or whether these
> replies are part of the spam scheme.

Do you have any evidence that this kind of button exists?

Regards,

-- 
  Nicolas George




Re: RE : ... blah lbah blah ... spam

2017-08-06 Thread Thomas Schmitt
Hi,

Zenaan Harkness wrote:
> - Debian's lists are very well spam-protected 

Not that well, given that this strange stuff has been getting through for
weeks although it could be easily recognized by the peculiar URL,
which you quoted, too.


>   - The one or two that get through, is incredibly low in volume!

No mail of this pattern gets through on any mailing list where i am
subscribed. It seems to be a unique annoyance here on debian-user.


>   - Actually responding to such spam emails, e.g. "stop", "what do
> you mean?" etc etc,

The responses do not stem from list subscribers. It is quite clear that
most replies are boiler plate texts. Open question is whether there are
humans who press a Go-Away button on their smart phones or whether these
replies are part of the spam scheme.

After all, none of the alleged original mails went through the list.
We only see alleged replies.


Cindy-Sue Causey wrote:
> these episodes seem more prominent immediately following major releases

Interesting observation, indeed.
Stretch was announced June 17.
I became curious on July 8. The oldest message i inspected in the archives
was of July 4:
  https://lists.debian.org/debian-user/2017/07/msg00235.html
My mail of July 8
  https://lists.debian.org/debian-user/2017/07/msg00511.html
received a few replies with various theories why this might happen.

Since yesterday the spam drizzle seems to increase again.


Have a nice day :)

Thomas
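
An added example, not part of any post in this thread: a sketch of how a list operator could combine the signals discussed here (poster is not a subscriber, the reply's parent never went through the list, and the quoted body carries a shortener link whose path changes every time). The shortener set, addresses, Message-IDs and sample messages are constructed assumptions.

```python
"""Flag list posts that look like replies to spam the list itself never saw."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: hosts treated as link shorteners; extend for your own list.
SHORTENER_HOSTS = {"bit.ly", "bitly.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
MSGID_RE = re.compile(r"<[^<>\s]+>")
REPLY_SUBJECT_RE = re.compile(r"^\s*(re|aw|tr)\s*:", re.IGNORECASE)


def shortener_links(text):
    """Return URLs whose host is a shortener; the rotating path is ignored."""
    hits = []
    for url in URL_RE.findall(text):
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            continue
        host = host[4:] if host.startswith("www.") else host
        if host in SHORTENER_HOSTS:
            hits.append(url)
    return hits


def classify(raw, subscribers, seen_ids):
    """Return the list of heuristics a raw RFC 5322 message trips."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    parents = MSGID_RE.findall(
        f'{msg.get("In-Reply-To", "")} {msg.get("References", "")}')
    is_reply = bool(parents) or bool(
        REPLY_SUBJECT_RE.match(str(msg.get("Subject", ""))))
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""

    reasons = []
    if sender not in subscribers:
        reasons.append("non-subscriber")
    # The parent was never delivered through the list: we only see the reply.
    if is_reply and not any(p in seen_ids for p in parents):
        reasons.append("orphan-reply")
    if shortener_links(body):
        reasons.append("shortener-link")
    return reasons


def should_hold(raw, subscribers, seen_ids):
    """Hold for moderation only when all three signals agree."""
    return len(classify(raw, subscribers, seen_ids)) == 3


# Constructed sample data (not taken from the thread).
SUBSCRIBERS = {"alice@example.org"}
SEEN_IDS = {"<known-1@lists.example.org>"}
SPAM_REPLY = (
    "From: Confused Person <victim@example.net>\n"
    "To: list@lists.example.org\n"
    "Subject: RE : I presume ...\n"
    "In-Reply-To: <never-seen@spam.example>\n"
    "\n"
    "Stop\n\n> maybe you would like to see them\n> http://bit.ly/CONSTRUCTED1\n"
)
LEGIT_REPLY = (
    "From: Alice <alice@example.org>\n"
    "To: list@lists.example.org\n"
    "Subject: Re: apt pinning\n"
    "In-Reply-To: <known-1@lists.example.org>\n"
    "\n"
    "See https://lists.example.org/archive/msg1.html\n"
)

if __name__ == "__main__":
    for name, raw in (("spam reply", SPAM_REPLY), ("legit reply", LEGIT_REPLY)):
        print(name, classify(raw, SUBSCRIBERS, SEEN_IDS))
```

Requiring all three signals keeps a subscriber who merely quotes such a link in an on-list discussion from being held.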



Re: RE : ... blah lbah blah ... spam

2017-08-06 Thread Cindy-Sue Causey
On 8/6/17, Zenaan Harkness wrote:
> Seems there's a fair bit of responding to what is evidently spam, so
> perhaps it's been a while since an old-hand explained these ropes:
>
> < snipped to get straight to the targeted point >
>
>   - Actually responding to such spam emails, e.g. "stop", "what do
>you mean?" etc etc, actually identifies both your personal email
>address as someone likely to respond to such emails, AND that
>their spamming of this particular email list is to some extent
>successful, thus further motivating the spammers to spam more.


It has been my observation over time that the responses may very well
be real, but they come across more as part of the overall program to
disrupt. Additionally, their mere presence adds a gloomy air of
*expressed* discontentment to the list's *permanent* archives.

A further, highly unscientific observation is that these episodes seem
more prominent immediately following major releases...

Just thinking out loud... not totally unlike I've done over on another
list a couple years ago during a very similar outbreak there and then.
:)

Happy Debian'ing!

Cindy :)
-- 
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with duct tape *



Re: RE : ... blah lbah blah ... spam

2017-08-06 Thread Zenaan Harkness
Seems there's a fair bit of responding to what is evidently spam, so
perhaps it's been a while since an old-hand explained these ropes:


  - Debian's lists are very well spam-protected - the (extremely) few
    spam emails that get through are incredibly low in volume,
    compared to what a friend of mine who runs a public-facing ISP
    SMTP server faces on a daily basis - in his case literally 10s of
    thousands of spam emails, except that certain RTBL/RBLs and other
    mechanisms are used

  - The one or two that get through are incredibly low in volume!

  - Those one or two that get through, are still spam - they are not
 real people making an honest mistake. It is the effectiveness of
 Debian's spam-filtering, shielding us from the true (incredible)
 volume of actual spam, that allows us the luxury to imagine that
 inane rubbish emails could potentially be someone genuine.

  - Actually responding to such spam emails, e.g. "stop", "what do
 you mean?" etc etc, actually identifies both your personal email
 address as someone likely to respond to such emails, AND that
 their spamming of this particular email list is to some extent
 successful, thus further motivating the spammers to spam more.

In the face of the above facts, it is, in almost all cases, in our
collective interests to not respond to such emails.

Very similarly, it is in almost all cases in our collective interest
to neither respond to those who respond to such emails (of course I
hope this response ultimately reduces, rather than adds to, the
resultant noise level).

Finally, the incredible effectiveness of the Debian listmasters and
their spam-filtering efforts, is in fact something we might be both
appreciative of, and proud of (notwithstanding any personal gripes
against unrelated Debian's free Code of Conduct swinging community
approach which some conscientious individuals might be taken to
disagree with... ).

:)

Have a great day y'all, and please, remember to bottom post to keep
the flow dude, keep the flow :)



On Sun, Aug 06, 2017 at 12:36:04PM +0200, colette.chaillou76 wrote:
> Stop
> 
> 
> Sent from my Galaxy model_name Orange
>
> Original message
> From: Clemence Aliem
> Date: 06/08/2017  11:13  (GMT+01:00)
> To: debian-user@lists.debian.org
> Subject: I presume I am not really your type – who would like a girl with big balloons… Clemence
> 
> 
> Well, maybe you would like to see them so you can answer me on that 
> http://bit.ly/2vBXTKq