A new kind of phishing

Well, so much for the Nigerian prince schemes – those wild ‘n crazy foreign scammers have finally gotten a little smarter. Take, for instance, the message I received this morning from a “customer”:

I’m in some kind of deep mess right now,my family & i came down here to London,England for a short vacation to visit a resort and got mugged at gun point last night at the park of the hotel where we stay.All cash,credit cards and cell were stolen off me.I’ve been to the  embassy and the Police here but they’re not helping issues at all,our flight leaves today and I’m having problems settling the hotel bills.

The hotel manager won’t let me leave until i settle the hotel bills(1,550GBP) now am freaked out.Please reply and let me if can you have the money wire to me through western union i promise to pay back as soon as i get back home.

Thanks so much,
Kate

Now, the message itself isn’t exactly gold – on the one hand, I know the purported sender to have far better grammar and spelling skills; but on the other hand, a person in panic writing quickly could make such mistakes. Likewise, the message’s headers were clearly (and poorly, might I add) forged.

But the message did have one unique redeeming quality – the signature (“Thanks so much, Kate”). It’s a small touch… but even I had to look twice when I first saw the message. It added a hint of possible legitimacy that just doesn’t exist in other high-volume phishing attempts I see every day.

See, this person ends many of their non-formal emails with “Thanks so much, Kate” (name changed). About the only way to know this would be to have seen one of their outgoing messages. Since there are dozens of them published in their mailing list archives – which are publicly accessible, indexed by Google, and viewable by anyone who cares to dig them up – I’m betting that’s how it was found. The fact that this person otherwise goes by a longer version of their name helps confirm my suspicions.

What may seem like four little words are, in this case, actually a small piece of “insider information” that may cause less skeptical people to hit the Reply button.

Speaking of Google, a quick search revealed that this tactic (along with the same exact message) is gaining popularity. It also seems that our scammer is greedier than the average; most examples only ask for 1,000 pounds.

At any rate, the moral of the story is: be cautious. They’re getting just a little bit smarter every day.
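As an added illustration (this is not code from the original post), the two things the post leans on – sloppily forged headers and the familiar “stranded traveller, wire me money” story – can be checked mechanically before a recipient ever sees the signature. The script below parses a message, compares the domains in From, Reply-To and Return-Path, looks at the earliest Received hop, and counts lure phrases in the body. The sample message, its addresses, host names and IPs are all constructed placeholders modelled on the message quoted above; the phrase list is an assumption drawn from that message, not a vendor feed.

```python
"""Heuristic triage for 'stranded traveller' scam mail (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Phrases typical of the stranded-traveller lure. Assumed list, drawn from
# the message quoted in the post rather than from any published ruleset.
LURE_PHRASES = (
    "western union", "wire", "mugged", "hotel bill", "embassy",
    "stolen", "flight leaves today", "pay back",
)

# Constructed sample: placeholder domains/IPs (RFC 5737 ranges), not real data.
SAMPLE_RAW = """\
Return-Path: <bounce@placeholder-freemail.example>
Received: from placeholder-freemail.example (placeholder-freemail.example [192.0.2.10])
\tby mx.customer-domain.example with ESMTP id PLACEHOLDER
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby placeholder-freemail.example with HTTP
From: "Kate" <kate@customer-domain.example>
Reply-To: kate.help@placeholder-freemail.example
To: owner@customer-domain.example
Subject: Urgent

I'm in some kind of deep mess right now ... got mugged at gun point ...
The hotel manager won't let me leave until i settle the hotel bills(1,550GBP)
... have the money wire to me through western union i promise to pay back
as soon as i get back home.

Thanks so much,
Kate
"""


def domain_of(addr):
    """Lower-cased domain part of an address header, '' if absent."""
    _, address = parseaddr(str(addr or ""))
    return address.rpartition("@")[2].lower()


def originating_host(msg):
    """Host named in the bottom-most (earliest) Received header."""
    received = msg.get_all("Received", [])
    if not received:
        return ""
    m = re.match(r"\s*from\s+(\S+)", str(received[-1]))
    return m.group(1).lower() if m else ""


def triage(raw):
    """Return (flags, lure_hits) for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_dom = domain_of(msg["From"])

    # Forged-sender indicators: replies and bounces routed elsewhere.
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-domain-mismatch")
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        flags.append("return-path-domain-mismatch")
    origin = originating_host(msg)
    if origin and from_dom and not origin.endswith(from_dom):
        flags.append("first-hop-not-sender-domain")

    # Content indicators: the lure itself and a concrete sum of money.
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    hits = [p for p in LURE_PHRASES if p in body]
    if len(hits) >= 3:
        flags.append("stranded-traveller-lure")
    if re.search(r"\d[\d,]*\s*(gbp|usd|eur|pounds|dollars)", body):
        flags.append("specific-sum-requested")
    return flags, hits


if __name__ == "__main__":
    found, phrases = triage(SAMPLE_RAW)
    print("flags:", found)
    print("lure phrases:", phrases)
```

None of these checks is conclusive on its own (a legitimate traveller really might write from a webmail account), which is why the function returns the individual flags rather than a verdict; a mail gateway would typically quarantine on the header mismatches plus the lure, and let a human decide the rest.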

The new webserver: IT’S ALIVE!

Well, the new server (whose name is dala, by the way) is now up and running.

In fact, the page you’re seeing right now was served by it.

So far the transition has been fairly smooth. DNS changes propagated to all the major nameservers in a matter of two or three hours – lightning fast as compared to the usual 12-24 hours. Our password database was abandoned and the users were all moved by hand, but everything else was scripted and “automagically” took care of itself.

About the only config issue I ran into was with our MTA. I’ve always disliked Sendmail, mostly due to my lack of understanding it (but then, who can really claim to understand Sendmail’s arcane config-file format?). Even so, I could never quite bring myself to make the move to something more modern – “if it ain’t broke, don’t fix it”, right?

However, after spending a few hours struggling (and failing) to make Sendmail play nice with saslauthd on the new server, I finally threw in the towel. Now we run Postfix… and yes, it really *is* much nicer.

The last thing to be moved is the Mailman mailing lists and their associated archives, which is happening right now. So far so good!

Will this make all the customers happy? Tomorrow should give me a better idea of that… but for tonight, there’s still lots more non-server-related work to be done.

By the way: the admin interface is now at http://dala.kanabec.net/. If your password isn’t working, call and we’ll be happy to reset it for you.

And if you happen to be missing anything, don’t worry – the old server (raqpaq) is still running, and we can easily log into it for you and retrieve anything that might have been overlooked. Or you can dig around yourself… just telnet, FTP, SSH, or what-have-you to 63.160.14.236 and take your last look around. (We’ll be taking it down for the last time sometime later this week.)