March 23rd, 2016


Living with an accidental honeypot; or, A rise in industrial-scale spam?

One of the odd side-effects of having owned and used my own domain for a *long* time now is that I wind up with an interesting and sometimes annoying view into the world of Spam. I've had for well over 20 years, and I used it as my primary email for much of that, as did Jane.

More importantly, we were both great devotees of giving out bespoke addresses to anybody we didn't entirely trust. Hotels get *very* confused when I tell them to use, eg, "" as my email address, but it means that I've been able to detect who has bad email security and filter out anything to that address if it gets picked up by the spammers. If you sell your email address list, or are just careless about it, I will know. (As it turns out, political groups tend to be the worst.)

(NB: you can do this in Gmail, at least most of the time, by putting a "+" suffix onto your email address. So if you are actually "", you can give out "" -- it'll still go to you, and lets you do smart filtering based on the To: field. Some sites choke on the "+", but it usually works.)

The result is that I have given out hundreds, maybe thousands of email addresses on over the years, including my legitimate ones, the ones given to vendors, and specialized addresses I've put on websites, like "". And it turns out, that makes a remarkably effective honeypot for spam.

A "honeypot", in computer security, is something you put out there to lure the bad guys in -- typically some fake data that looks real and appealing, that you use to draw them in and trap them. In this particular case, much of the content of my spambox is *wildly* obvious spam -- not so much because any individual email is conspicuously bad, but because I receive two dozen copies of it to two dozen email addresses.

So for instance, today's biggest example has the subject line "Image[some random number].pdf", and the body "Sent from my Sony Xperia™ smartphone", plus an attached "image" that is, of course, actually a virus. It's unlikely I would fall for such a thing anyway, but I'm certainly less likely to when I have multiple screenfuls of them. Google is smart enough to notice that these contain viruses, and put them into Spam -- I'm downright surprised that they aren't smart enough to notice that there are so many near-identical emails, and just trash-can them. I would far rather they did.

I've long been amused at the lack of honor among thieves -- it's been very clear for 10-15 years that some people are simply taking existing email addresses, modifying them in trivial ways, and reselling them in order to bulk up the lists. For example, caitlin@waks was a real email address, but about ten years ago I started to notice "caitlinn", and then "caitlinnn", or "aitlin" -- non-existent email addresses that somebody invented. (I rather like "ookbook", which sounds like I'm writing about monkeys.) I'd bet good money that that was done simply so that people could sell packages of "ten million email addresses!" and suchlike. Indeed, many of them are even less real -- addresses that look like nothing so much as a cat walking across the keyboard.

The really interesting thing I'm noticing this week, though, is a sudden spike in what I can only describe as industrial-scale spam. There's been an *enormous* uptick in the number of spams landing in my Spambox. Traditionally, I would get ten of something; now, I'm getting a hundred. And they are from all of the above categories -- addresses stolen from vendors, addresses from websites, and the various multilated forms that have gradually come into common use over the years.

I suspect somebody has gotten serious about selling Spam as a Service. This feels like some site has bought up *all* the lists they can find, and opened up an API for blasting out trivial variations of a template to umpteen million addresses at high speed. The virus-laden ones have a straightforward business plan behind them (one thing you learn in financial security is how much spam is all about stealing ACH credentials); the ones that are simply, eg, "Hi ekyz how are you?" are a bit more mysterious, but I assume are attempting to lure a victim into a conversation.

Anyway, just some food for thought. There is one sad consequence of all this: I think it's time for me to turn most of Jane's email addresses off. The various forms of "jane@waks", "caitlin@waks", and so on, have been coming to me over the years, but we're down to well under one legitimate email per year, and a fair number of spams per day. So I think it's time to filter those into the bit-bucket. I will admit, even knowing that it's the sensible thing to do, it's remarkably hard for me to set up those filters...

Entrepalooza 2016

As I dive into the craziness that is fund-raising for Querki, I may as well blog about it for posterity. No deep thoughts, just a bit of diary entry for amusement, and for those who might want to go down this road someday.

Tonight's outing was to Entrepalooza, MassChallenge's annual shindig. Roza and I got there on the casual side of 6pm, since I had figured that a a large and loud party like this would have folks gradually arriving over the first hour or so. Wrong-o: there were a couple hundred people in line ahead of us.

The event was held at the Royale, a pretty large club in the theater district downtown. As expected, it was loud and crowded (presumably not helped by the fact that they were pushing $5 "VIP" tickets, with all the Harpoon you could drink), but in fact a good deal more useful than I'd expected. The focus was mainly on service offerings for entrepreneurs -- accelerators, gatherings, newsletters, tech services and so on. Each had its own eensy-weensy table on the floor, and was pitching its services to the mobs of entrepreneurs and would-bes wandering around. We found several that seem like they might be noticeably helpful for us, including the MIT Enterprise Forum, the Venture Cafe Foundation, TIE and The Capital Network. Between those, my calendar for the next few months is starting to look a lot busier.

I was gently amused that, while we're still very early on this road, we are a *lot* further than most of the people present -- we wound up in conversation with several earnest 20-somethings who had a clever idea and not much else. (I listened to one of them, pitching to an accelerator, smoothly transition into, "Do you maybe have any intern openings?".) Having an actual product in beta, that's been through well over a hundred releases, looks positively baked by comparison.

I remembered to grab my "I write code so you don't have to" button, which got a lot of inquiries. I may yet make that a semi-official slogan for Querki, since it gets to the point quite nicely.

I'm finding the overall sensation vaguely familiar, which is comforting. I've learned that, at the outset of any major project, I have an overwhelming sense of, "OMG, we're doomed! I don't know what I'm doing! Doomed! DOOOOOMED!". So I spend a while -- anywhere from days to months -- poking at the problem, looking at it from all the different angles, understanding what goes into it, and so on. Eventually, there comes the day that I look at the problem again, and say, "Oh -- okay, that's easy."

(Mind, that's the engineer's definition of "easy", which means "not hard", which means "I'm quite sure that it's physically possible to solve this". It still might take years of work -- but now I understand *what* work needs to be done, so it's no longer scary.)

That seems to be roughly where we now are. We need to raise a sum of money that, while not especially much by enterprise-software standards, is still dauntingly large -- enough to hire a bunch of people, and push Querki through to a serious launch. The process is a bit of a black box, and that little voice in the back of my mind is going, "Doomed, I tell you! DOOOOMED!". But I'm starting to feel like I understand the resources that are available for learning the process (how's that for indirection?), and have some hope that, while this isn't ever likely to be easy-easy, there is some hope of achieving not-Doomed in the foreseeable future...