Spamtrackers.org


This site is best viewed in the Firefox or Seamonkey browsers. We do not recommend using the Internet Explorer browser because of the risk of getting infected with malicious software, without any warning, while surfing the web.

News:

"I am stuck somewhere in Atlanta, Georgia"

Received: from tomts35-srv.bellnexxia.net (tomts35-srv.bellnexxia.net [209.226.175.109])
    by xxxxxx (8.12.11.20060614/8.12.10) with ESMTP id n4UFVUT0005217
    for <xxxxxx>; Sat, 30 May 2009 11:31:30 -0400
Received: from toip39-bus.srvr.bell.ca ([67.69.240.40])
    by tomts35-srv.bellnexxia.net
    (InterMail vM.5.01.06.13 201-253-122-130-113-20050324) with ESMTP
    id <[email protected]vr.bell.ca>;
    Sat, 30 May 2009 11:31:30 -0400
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ar9uAI7qIErR4q+G/2dsb2JhbACBL4x5AQ2IZ4k7nheQeoN4BYY8
Received: from tofep2.bellnexxia.net (HELO smtp.bellnexxia.net) ([209.226.175.134])
    by toip39-bus.srvr.bell.ca with SMTP; 30 May 2009 11:31:20 -0400
X-Mailer: Openwave WebEngine, version 2.8.11 (webedge20-101-194-20030622)
X-Originating-IP: [41.204.224.130]
From: <jeffaction@bellnet.ca>
Reply-To: [email protected]
To: info@bellnet.ca
Subject: RE.
Date: Sat, 30 May 2009 11:31:20 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <[email protected]vr.bell.ca>

Hi
I am stuck somewhere in Atlanta Georgia, although i did not inform you about the trip. I need the sum of $700 to settle bills, i will leave this hotel immediately i receive the confirmation of payment.My mobile phone is down.
Thanks,
Ann

If you received an email like this, rest assured that nobody you know is in trouble. The spammer chose a common name in hopes that you know somebody named "Ann" well enough to send her $700 on the basis of an email with horrible English grammar. Anyone who answers will be instructed to send money via something like Western Union money transfer.

Notice that the "from" and the "reply-to" addresses are different. The "received from" IP address, 209.226.175.109, actually is Bell of Canada, so the spammer may have guessed the password to the jeffaction email account and is using it to send spam. It's easier to bypass spam filters if the sending IP agrees with the domain in the "from" address.

Notice the "to" address, [email protected]. This email was sent as a blind carbon copy, or BCC. There may have been hundreds of other recipients specified (but no recipient sees the other email addresses). That increases the odds that at least a few of them know someone named "Ann."

To report spam like this, contact Gmail to report user annloveall (the address collecting any replies to this scam) at http://mail.google.com/support/bin/request.py?contact_type=abuse_spoofing

Google doesn't accept forwarded emails, only webform entries. It's a pain, but they do take prompt action. You want to shut down the email account before the spammer can get the replies and contact victims to set up the money transfers.

Since jeffaction may be a hijacked email account, it may be helpful to notify bellnet.ca as well (at abuse@sympatico.ca). It looks like the address was harvested from online job postings, a common technique of 419 spammers.
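The header checks described above, as an added Python example that is not part of the original post: it compares the "from" and "reply-to" domains, checks whether the visible "to" address is the mailbox that actually received the message, and pulls the hand-off IP from the topmost Received line. The sample message, the `triage` and `addr` functions, and every name and address in them are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: placeholder names and documentation-range IPs, shaped
# like the headers quoted above. It is not the real message.
SAMPLE = """\
Received: from relay.isp.example (relay.isp.example [192.0.2.10])
    by mx.recipient.example with ESMTP; Sat, 30 May 2009 11:31:30 -0400
Received: from webmail.isp.example ([192.0.2.20])
    by relay.isp.example with SMTP; Sat, 30 May 2009 11:31:20 -0400
X-Originating-IP: [203.0.113.45]
From: <jeff@isp.example>
Reply-To: ann.helpme@freemail.example
To: info@isp.example
Subject: RE.

I am stuck somewhere...
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def addr(msg, name):
    """Bare lower-cased address from a header, or '' if it is absent."""
    return parseaddr(msg.get(name, ""))[1].lower()

def triage(raw, delivered_to):
    """Summarise who sent it, who collects replies, and what looks off."""
    msg = message_from_string(raw)
    sender, reply, to = addr(msg, "From"), addr(msg, "Reply-To"), addr(msg, "To")
    # Only the topmost Received line was written by our own mail server;
    # everything below it is supplied by the sending side.
    received = msg.get_all("Received") or [""]
    handoff = re.search(r"\[(" + IPV4 + r")\]", received[0])
    origin = re.search(IPV4, msg.get("X-Originating-IP", ""))
    findings = []
    if reply and reply.rpartition("@")[2] != sender.rpartition("@")[2]:
        findings.append("reply-to-differs")   # replies bypass the From account
    if to != delivered_to.lower():
        findings.append("bcc-delivery")       # we were not the visible recipient
    return {
        "from": sender,
        "replies_go_to": reply or sender,
        "handoff_ip": handoff.group(1) if handoff else None,
        "webmail_client_ip": origin.group(0) if origin else None,
        "findings": findings,
        "report_domains": sorted({a.rpartition("@")[2] for a in (sender, reply) if a}),
    }
```

`triage(SAMPLE, "victim@recipient.example")` flags both conditions and lists the two domains whose abuse desks would want a report.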

 

May 17, 2009
Choosing a strong password

Most people can understand that something like a military computer needs a strong password. A lot of people would like to break into such a computer, and there are serious consequences if someone does.

It's not so easy to understand why the average person needs strong passwords. They may say, "There are so many people who do online banking; who's going to try to guess my password?" or "It's just a free email account; who would bother to try to guess that password?"

The fact is there is no one so anonymous that they can ignore password safety. Examples of why:

-- Many people use the same password on many sites. If someone can get your password for your email account, it may let him empty your bank account, too.

-- Many accounts could allow someone not only to impersonate you, but also to get personal details about your friends. One of your friends might be smart enough not to wire money to a Nigerian prince, but if he got a message, addressed to him by name, from your email account, mentioning personal details from emails he had sent you, and saying you were in trouble and needed money, he might just fall for it.

How can you make your passwords strong?

-- Don't use the same password on every site. Any important passwords, like ones for sites that have your personal details or allow a user to spend your money, should not be used anywhere else.

-- Don't store your passwords someplace easy to find on your computer. There are too many malware programs looking to steal passwords. Don't post them on sticky notes on your monitor where anyone cleaning your office (or burglarizing your home) can see them. Shred any piece of paper with a password on it. The ideal password is easy to remember but hard to guess.

-- Use long passwords. The number of tries it takes to guess a password goes up exponentially with longer passwords. For instance, if your password is all numbers (ten choices of characters: 0123456789), a one-character password can be one of ten digits. A two-character password could have one of ten different first characters and one of ten different second characters, for a total of 100, or 10 to the second power. If you get to eight or more characters, you've got over ten to the eighth power, or 100,000,000 choices. Even with a computer doing very fast guessing, that can take a long time to crack.

-- Use as many types of characters as the site will allow. If it's only digits, like an automated teller machine, you can't have more than ten choices for each character. If you have upper and lower case letters and also numbers, you have 26+26+10 choices. Now your eight-character password is 62 to the eighth power, or about 218,340,105,584,900 choices. Now we're talking years to crack it. If a site will allow special characters, like !@#$%^&*_-+=<>,.?/ etc., that gives you even more choices.

-- Don't use words in the dictionary, first names, or dates. Hackers try those first, and even a long password will be guessed in minutes. Words with one digit at the end aren't much better. Things that someone who already has information about you might guess, like your child's name or birthdate, are especially bad.

-- Don't use words on any of the "most commonly used passwords" lists. Lists vary depending on where they're from, but examples are at http://www.whatsmypass.com/?p=415 and http://darkreading.com/blog/archives/2009/02/phpbb_password.html

-- Don't go to any sites that require passwords when you're on an insecure network, like a free wireless internet hotspot, or when you're using a proxy server like Tor.

-- Remember that length increases strength the most, all things being equal. A 20-character password with all numbers (100,000,000,000,000,000,000 choices) is stronger than a 6-character password with upper/lower case letters and numbers (218,340,105,584,900 choices). So to get a password that is easy to remember but hard to guess, use a "pass phrase" if you're allowed enough characters: use multiple words separated by numbers or special characters, capitalize some letters, maybe substitute letters with characters (like 0 for o), and use a phrase that isn't related to you or the site you're using.

There's a good analysis here about strong and weak passwords, and how long particular types take to crack.
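The arithmetic in the list above, as an added Python example that is not part of the original post: it counts the choices per character from the character classes a password uses, and treats a dictionary word with trailing digits as a short list walk rather than a full search. The guessing speed, the tiny word list and the function names are assumptions made for illustration.

```python
import string

# Assumed attacker speed for illustration; the article gives no figure.
GUESSES_PER_SECOND = 1_000_000
# Constructed stand-in for a dictionary / "most commonly used passwords" list.
WORDLIST = {"password", "letmein", "monkey", "dragon", "qwerty", "ann"}
# Only these four ASCII classes are counted; other characters are ignored.
CLASSES = (string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation)

def alphabet_size(pw):
    """Choices per character: total size of every class the password uses."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in pw))

def candidates(pw):
    """Guesses needed to be sure of hitting pw, cheapest strategy first."""
    core = pw.lower().rstrip(string.digits)
    if core in WORDLIST:
        # A word, or a word plus trailing digits: the guesser walks the list
        # with every digit suffix of that length, not the whole keyspace.
        return len(WORDLIST) * 10 ** (len(pw) - len(core))
    return alphabet_size(pw) ** len(pw)

def worst_case_seconds(pw, rate=GUESSES_PER_SECOND):
    """Time to try every candidate at the assumed guessing rate."""
    return candidates(pw) / rate

def worst_case_years(pw, rate=GUESSES_PER_SECOND):
    return worst_case_seconds(pw, rate) / (365 * 24 * 3600)

if __name__ == "__main__":
    # Constructed sample passwords covering each bullet in the list.
    for pw in ("12345678", "aB3dE6gH", "1" * 20, "Monkey7"):
        print(f"{pw:22} {candidates(pw):>25,} guesses "
              f"{worst_case_years(pw):.3g} years")
```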

 

May 3, 2009
Email helpdesk spoof

It's not phish, because it doesn't spoof a known brand, but it's the same purpose -- to steal your password. This spam, with all the typos and unusual line breaks, arrived today:

The Helpdesk Program that periodically checks the size of your e-mail space issending you this information. The program runs

weekly to ensure your inboxdoes not grow too large, thus preventing you from receiving or sending newe- mail. As this message

is being sent, you have 18 megabytes (MB) or morestored in your inbox. To help us reset your space in our database,
pleaseenter your current user name______________) password(______________) You will receive a periodic alert if your inbox

size is between 18 and 20MB.If your inbox size is 20 MB, a program on your Webmail willmove your oldest e-mails to a folder

in your home directory to ensure youcan continue receiving incoming e-mail. You
will be notified this has takenplace. If your

inbox grows to 25 MB, you will be unable to receive new e-mail andit will be returned to sender. All this is programmed to

ensure your e-mailcontinues to function well. Thank you for your cooperation.Help Desk.Important:

Email Account Verification Update ! ! !

You may not think your email account is valuable to a hacker. You're not a famous person like Sarah Palin. But your email account contains your stored emails and address book. That may be enough information for someone to use to conduct scams on people you know. They can pretend to be you, give details that convince people they're you, and claim to be in trouble and need money. They can probably convince someone to send them money by an untraceable method like Western Union money transfers.

So yeah, we all got one of these. There's nothing wrong with your email. Don't give them any information. You can submit it to spamcop.net, and you can look in the headers for the "from" and "reply to" addresses to get those addresses shut down.

 

 


The InboxRevenge fallback sites

Due to frequent retaliation attacks by spammers, InboxRevenge.com keeps a list of alternate websites where members can remain in contact and continue their spam fighting efforts throughout the duration of attacks:
ikillspammers
spamitmustfall
blogspot
live.com
webs.com
twitter
wordpress.com
spamtrackers.org
tebweb
spywarehammer
cybercrimeops