Wednesday, July 29, 2009


“Send to a friend” abuse

I’ve started getting a few “419 scam” messages using the “email this cartoon” feature of the Dilbert web site as a vector. The 419 scam, also called the Nigerian scam, is that form of advance-fee fraud we see in email so much, where someone sends you a message claiming that he’s the son of the deposed Nigerian president, or some such, and promising free money if you will only help.

The Dilbert web site needs no introduction, I’m sure. Below the day’s Dilbert cartoon is a convenient “Email” button.

Now, the thing about the button is that it pops up a nice, convenient mini-window in your browser, and the window has fields for the sender’s name, your name and email address, and a “personal message”. You fill those in, you press “Send”, it sends the email... and then you can press a button to send another. If you do that, it retains what you put into all three fields. And there’s no CAPTCHA.

You can see how easy it would be to use this to send a boatload of identical messages. Once you get started, it’s a sequence of clicking “again”, pasting another email address into the destination, and clicking “send”. The scammers have seen that, too, obviously: I got one yesterday that looked something like this:

Subject: The Good Lord Loves You is sending you some Dilbert!

Your friend The Good Lord Loves You wanted us to send you this from

Message from The Good Lord Loves You:

[419-scam message goes here, something about a church and orphans and whatnot. And money; a lot of money.]

[Image of Dilbert cartoon goes here.]

Sigh. Leave it to the fraudsters to ruin “email” links for the rest of us.

On the other hand, as I tell all my friends: if you want to send someone a pointer to a web page... copy and paste the URL, and send them that. The email message comes from you, you can put your own personalization on it, and you haven’t given your friend’s email address to the web site.

Repeating that last point: please don’t give random web sites your friends’ email addresses. It’s not hard to send the email yourself.


Thomas J. Brown said...

Unfortunately, it doesn't seem to matter how many times I tell some people to send the e-mail themselves, they still end up using the "e-mail now" links (*cough*mom*cough*).

Also, if fans of Dilbert dislike the load time and annoying strip reader (which makes reading the Sunday comics almost unbearable), visit to get a massively stripped down version (it's pretty much just the comic).

Frisky070802 said...

I don't get it. Why do both Barry and Thomas think that providing Dilbert an email address has anything to do with people sending email spam that comes from, or pretends to come from, dilbert?

(a) There are a zillion ways for people to harvest email addresses to which to send spam. That is orthogonal to the way the spam looks when it gets to the recipient.

(b) The mail here claimed to be from a bogus address, "the good lord loves you", and not a friend.

(c) I think Barry's point was more about the ease about enabling spam to come from otherwise legit sites, but it ended with a comment about not giving email to those sites; Thomas was a tirade about using the links at all.

I use the email links and am unapologetic about it, with the caveat that I do it only on sites I reasonably trust. NPR and NYTimes have "most emailed" summaries and even podcasts (NPR) and so it's a public service to highlight the important stuff. Nor would I expect that Dilbert as a site would be evil.

I do agree that they should *always* use a captcha. And that regardless of where the mail seems to come from, the recipient should take all mail with a grain of salt. It's the fact that these emails ever, ever work that is so disturbing!

Barry Leiba said...

Naw, I mixed two things in this post:

1. Interesting: the 419 scammers are using the Dilbert page to send their spam now.

2. I hate the "email to a friend" features of web sites, because it lets those web sites collect my email address when my friends use it.

I didn't mean for those to be related things, and I wasn't clear enough that they're separate.

Barry Leiba said...

And, yes, I agree with Frisky that I worry less when people use the "mail to a friend" links on NPR and the NYT than on some other sites. I'd still rather people not use them at all. Would you give out my phone number to others? Why should my email address be different?

Frisky070802 said...

I agree with your last comment up to a point. I won't give a friend's email to a dodgy site, but I guess I have a lower threshold than you for what constitutes dodgy. Dilbert strikes me as probably OK, but maybe subject to being hacked. But the fact is, I give customized addresses to lots of organizations (companies and such) and a distressing number of them have started accumulating spam. When the only time it was ever used was when it was given to 1-800-flowers, say, I have a pretty good idea that their mailing list or internal database was compromised.

Given that email addresses are already so public, I view the threat of providing it to someone as far less than of providing a phone number.

I think the next big wave of spam we'll have to deal with will be SMS spam. I already had to set things up not to allow random internet email to go to my cell phone, but I've gotten spam from actual phone numbers too! (Perhaps forged; who can tell).

And is it just me, or has the volume of spam gone up about 100fold in the past month?

Thomas J. Brown said...

Tirade? I think Frisky may have misread both our posts. I completely understood what Barry said, although now that it has been pointed out, I can see the potential for confusion.

Although Frisky may trust some sites, and although some sites may indeed be trustworthy, many aren't. Barry's example of giving out other peoples' phone numbers is spot on.

Frisky070802 said...

The "tirade" comment was because of the cough-mom-cough comment. No offense intended :)