Nonsense Spam is More Dangerous than You Think

Suppose you meet an alien from a far distant galaxy, and she asks you to explain the identifying features of email spam. At face value, it sounds like a simple proposition, but if you think about it, the answer might be more difficult than you realize.

Spam comes in so many forms and flavors that it’s hard to nail down a definitive set of characteristics. When you toss marketing and retail spam into the mix, the definition for spam morphs from a laundry list of all that’s despicable about human nature into a veritable cornucopia of moronic nonsense. Nonsense, however, can be as dangerous as ignorance, and if you’ve ever wondered “what’s the point?” of those nonsensical emails that occasionally invade your inbox, you may want to pay attention.

You know the email messages. Like so many spam messages, they have a meaningless subject line; but the content seems more pointless than usual. It’s jabberwocky: meaningless mishmashes of words, even partial passages from books. In the space of a day, you may receive a string of these messages, each one different in its subject line and contents. The passages in the body of each email seems random, and if you took the time to examine them in their entirety, you’d be hard-pressed to find two exactly the same. One long stream of uselessness with no apparent purpose, unless maybe to annoy. So you ignore them and move on, shaking your head and wondering why somebody bothered.

As it turns out, there’s more to these messages than you might think. A nefarious purpose, in fact, and receiving a stream of these messages may be a warning signal for you to check your bank accounts right away.

In an interesting article at NetworkWorld, a blog post by security analyst Fred Touchette discusses the phenomenon of these nonsense messages, and it turns out they may have a very deliberate and despicable purpose. The messages are seemingly random, although they’re anything but. In fact, the article reports, the targets “are individuals, whose identity and personal information the thieves already have. The victims’ email inboxes suddenly get flooded with thousands upon thousands of emails – as many as 60,000 during a 12- to 24-hour period – that contain no links, no graphics, and no advertisements.” The contents are, according to Touchette, “nothing but mash-ups of words and phrases from literature.” He points out that every email is different, seemingly perfectly randomized, although searching through the messages can reveal repeated content. Obviously, the emails are delivered by botnets, with each message coming from different email and IP addresses. The emails also arrive in a fast and furious fashion, often at a mind-boggling rate. In fact, the incoming data is so persistent, that using the email account during the flood is nearly impossible. That, however, is not the ultimate goal of the messages, Mr. Touchette says.

The real purpose of the messages, says Touchette, is to distract users from valid emails arriving in their inboxes. When identity fraud or theft occurs, it’s not uncommon for receipts and transaction emails to show up, and the sudden onslaught of nonsense mail is a great way to hide these emails amidst the ongoing wave of messages. If a cybercriminal is using your credentials, this method can be an effective way of prolonging the time period before you discover the fraud. Once the crooks are done draining your accounts, they turn off the flood and move on to another victim.

To make matters even worse, the technique isn’t limited to email. There have been instances of people receiving continuous phone calls, in an effort to keep the fraud departments of financial institutions from reaching the victims. Although the practice of nonsense email is not new, this new approach could be devastating to anyone caught in its web. Security experts point out that this type of campaign is still not a common occurrence, and as such this could only be the beginning of a painful new headache for anyone who’s vulnerable to identity theft.

There’s another possible angle that the article doesn’t pick up on. Spam filters, like most security monitoring methods, work on a combination of heuristics and libraries that, while far more sophisticated than anything we had ten years ago, is still fallible. That’s what definition updates are for. It’s not a stretch to imagine that these campaigns may be using the botnet messages to confound the spam filters while a fraud is being perpetrated, perhaps in an attempt to get the legitimate receipts and transactions dumped to the junk folder.

Written by Malcolm James

0 Comments

  1. Dennis King · January 30, 2013

    Wow, the article just put a lot of fear than I thought it would. It’s frightening to think that these supposed random e-mails are actually acting like candy treats before the big meal is fully served by these scammers. But I guess it’s very important for it to do that considering that some of the commenters here and perhaps the readers truly believe that spam is already on dwindling and that these people will only begin to feel very much comfortable or relaxed when it comes to inboxes. Then boom! They’re hit with such a huge dilemma of identity theft.

  2. George Carlisle · January 31, 2013

    In other words, there’s no such thing as a nonsense spam. As I can understand from the article, all those spam mails have their purposes, some of which may not be easily understood by users. But then they are there for a reason. So isn’t the word “nonsense” an incorrect word to use? Well, anyway, thanks for this article since I still gained something informative out of it. I never really thought that spam may be used by scammers or phishers to delay the discovery of their work. That’s a very interesting and I believe truthful take on their tactic.

  3. Laura · February 2, 2013

    You need to write more about this. I myself consider pretty knowledgeable about security in general and I must admit it didn’t occur to me that the purpose of these nonsense emails is to distract attention. This is very serious and if necessary, please repeat it a dozen times till users become aware of it. They all know not to click links and download attachments but it’s hardly that widespread not to trash emails in bulk simply because the majority of it is nonsense spam.

  4. Anja Celeste · June 2, 2013

    Yes, George, this post basically tells us that nonsense spam does not really exist. Or that they are not what they seem to be. The purpose of this so-called nonsense spam is to trick email users without making it obvious. Or without alerting anti-spam authorities immediately. Yes, it is a scary thought, but I think we all knew somehow that something like this was already happening. I agree with Laura, though, we need to find out all the information that we can about stuff like this, or else we will all fall into a trap that we ourselves helped create.

  5. Yun · May 6, 2014

    This is EXACTLY what happened to me today. The random email stream start coming to my account around the time my bank called me about someone trying to transfer a large sum of fund from my account. I immediately realized that these emails were cover-up. The on-line thief actually changed all my phone numbers in my bank account. Good thing that I had a way to have my bank to keep my phone number secured so that it could never be changed by usual means. Thank you, Malcolm, for this article. This is only one I found on-line in the last hours or so that directly relates to my case. A warning to everybody: this is real, take it seriously!

Leave A Reply