Anatomy of a fake
 

The other day, the halfbakery administrative account received a friendly letter that sounded slightly off. See if you spot the same things I did.

Hi,

I'd like to report a broken link on this page :
http://www.halfbakery.com/idea/Chains_2c_20the_20game

and links to: 
http://www.ghostseekers.com/Conversions.htm

Could you be so kind as to replace it with a link to my senior design
project? It is also a robust unit conversion tool?

http://www.convertauto.com/

Part of my credit for the project requires me to help improve the web
by finding dead links to replace so I'd be very grateful if you could
let me know when you were able to make the change.

Thanks!

Sincerely,
Lilly Hammond

NCSU B.S in Computer Engineering
Expected Spring of 2013 

You had me at {spurious space}

I've since fixed the links, which really did exist on the page, and really did point nowhere. But there were three things about the message that tipped me off.

  1. I've seen similar mails before that ask me to change from one link to another. They were more obviously spam, but they used an educational context, too -- some student (not the letter's author) had supposedly found the link, and would be thrilled if their correction were published.

  2. Inconsistent language skills. Some parts are well-worded, but there's a spurious space, misapplied question marks, and some bad grammar. (The "and links to" is hanging in mid-air.) Maybe there's one writer working on these letters who writes well, and others reformatting them who can't really tell what they're doing. Maybe it's also harder to get templated automatic letters to look good.

  3. A project that includes "improving the web by finding dead links to replace" is both too easy and based on a weird perception of the "web" as a finite space rather than a medium. (For comparison, you wouldn't "improve" media by correcting lies in publications -- you'd publish a better magazine and just let the bad ones die in obscurity.)

The first thing I did then was search for fragments of the text to see whether someone had done the legwork for me, or whether maybe this was part of a larger spam campaign. That just found me a dupe who quoted from the letter and wished its sender good luck. But watching that person's and my own reaction gave me enough motivation to follow up and finally provided reasonably strong proof that this is fabricated.

NCSU B.S.

North Carolina State University puts its Campus Directory online. You can search for both staff and students. There are many Hammonds in it, but no Lilly Hammond.

Headers

The email had been sent via sendgrid.me, a commercial mass emailing service.

Return-Path: <bounces+14096-daa5-bakesperson=gmail.com@sendgrid.me>
Received: from o75126253233.static.reverse.sendgrid.net
         (o75126253233.static.reverse.sendgrid.net. [75.126.253.233])
        by mx.google.com with SMTP id d7si2968295ick.14.2012.02.28.16.19.27;
        Tue, 28 Feb 2012 16:19:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sendgrid.me; [...]
DomainKey-Signature: a=rsa-sha1; c=nofws; d=convertauto.com; [..]
X-Sendgrid-EID: [...]
X-Sendgrid-ID: [...]
X-SendGrid-Contentd-ID: {"test_id":1330474766}

Mass email is a big problem (since it shares a lot of features with spam), but a student is unlikely to pay to send out "please fix your link" emails.

So, have we reached a stage where spammers actually do pay for their email? The last measures of effectiveness were so low that that would be their end; but then again, this isn't spam for first order effects -- my reaction doesn't matter, what matters is whether links to this site get created or not.
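The header reading above, written as a check (an added example, not part of the original post). It pulls the bounce domain, the recipient encoded in the bounce address, the signing domains and the vendor headers out of the headers quoted above. The function names and the claimed domain "ncsu.edu" are assumptions made here.

```python
import re
from email import message_from_string
# Headers as quoted on the page (elisions "[...]" kept as shown there).
SAMPLE = """\
Return-Path: <bounces+14096-daa5-bakesperson=gmail.com@sendgrid.me>
Received: from o75126253233.static.reverse.sendgrid.net
         (o75126253233.static.reverse.sendgrid.net. [75.126.253.233])
        by mx.google.com with SMTP id d7si2968295ick.14.2012.02.28.16.19.27;
        Tue, 28 Feb 2012 16:19:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sendgrid.me; [...]
DomainKey-Signature: a=rsa-sha1; c=nofws; d=convertauto.com; [..]
X-Sendgrid-EID: [...]
X-Sendgrid-ID: [...]
X-SendGrid-Contentd-ID: {"test_id":1330474766}
"""

def signing_domains(msg):
    """Collect the d= tag of every DKIM-Signature / DomainKey-Signature header."""
    found = set()
    for name in ("DKIM-Signature", "DomainKey-Signature"):
        for value in msg.get_all(name, []):
            m = re.search(r"(?:^|;)\s*d=([^;\s]+)", value)
            if m:
                found.add(m.group(1).lower())
    return found

def analyze(raw_headers, claimed_domain):
    """Compare who sent the mail with the (lowercase) domain the letter claims."""
    msg = message_from_string(raw_headers)
    bounce = msg.get("Return-Path", "").strip().strip("<>")
    local, _, bounce_domain = bounce.rpartition("@")
    recipient = None
    if "=" in local:
        # Per-recipient bounce address: recipient encoded as local=domain (heuristic split).
        head, rcpt_domain = local.rsplit("=", 1)
        recipient = re.split(r"[+-]", head)[-1] + "@" + rcpt_domain
    signers = signing_domains(msg)
    return {
        "bounce_domain": bounce_domain.lower(),
        "verp_recipient": recipient,
        "vendor_headers": [h for h in msg.keys() if h.lower().startswith("x-sendgrid")],
        "signing_domains": signers,
        "claimed_domain_signs": any(
            d == claimed_domain or d.endswith("." + claimed_domain) for d in signers),
    }

if __name__ == "__main__":
    # "ncsu.edu" is an assumption standing in for the affiliation in the signature.
    for key, value in analyze(SAMPLE, "ncsu.edu").items():
        print(f"{key}: {value}")
```

A per-recipient bounce address, vendor tracking headers, and signatures from the mailing service and the promoted site, with none from the claimed institution, are the combination the text describes.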

Pictures of Lilly

Finally, I actually went to the site the letter wanted me to link to. It looked amateurish, with not much effort, but maybe just not much talent. It did have your normal social network link-in stuff, though, even a photo of the owner:

At this point, I was ready to give up and take this at face value. The spammers I usually deal with don't write lines like "143 hours and many gallons of coffee later" (with a link to the entry on "gallons"); that's just too cute. Awww. Look at her! Who'd begrudge her some institutionally mandated self-promotion?

I'm sure part of the reason my feelings changed was that I was looking at a photograph of a young woman smiling at me. There's something about faces that switches on more social interactions and makes me hold back criticism.

Hm. A photograph.

The nice thing, and the excruciatingly annoying thing, about photos is that one can sort of search for them. If the photo hasn't been manipulated much, or not in the right way, one can sometimes find them. It's not much, it's not like face detection or anything, but sometimes it's enough.

Here's the picture of Lilly again as used on the site:

And here's a picture of Christina Warren, a blogger interviewed in 2008 by "bloggertalks.com".

I can't imagine Christina having anything to do with this -- what I think happened is that someone needed a believable picture for the persona of "Lilly Hammond", grabbed Christina Warren's picture, resized it, changed the color of the shirt, removed the "I'm a Mac" inscription, and there you go. Meet "Lilly Hammond".

In hindsight

A search of everything that mentions that site quickly moves from itself, through some willing dupes, through every conceivable social link service in existence, often posted by firstname lastname number. There's jerward38, philipphillips538, matthewperry34, all posting with the same text, all huge fans of unit conversions, apparently. I bet there's a kit that you can just buy.

Why?

I don't actually know why people are doing this. By a first approximation, the site is just trying to get a high pagerank. Once it has that, it can link somewhere else, and that other site will get pagerank, too; this kind of thing can serve as a seemingly legitimate bridgehead.

But if I were a criminal trying to get pagerank, I'd just hack into existing highly ranked sites and leave invisible links in their HTML. Many highly ranked sites are well-secured, but not all, and the search for potential victims is easy to automate. And if I were a semi-legitimate SEO company trying to get pagerank, I'd try to pay criminals via some forum where I don't know the people I'm trading with. Maybe that sort of attention trade is harder or less developed than I expected; hence this merely mildly deceptive stand-in.

Followup

Hello again,
I emailed you a few days ago and just wanted to make
sure you had received my message.

I am working on a school project. If I've reached the
wrong person could you put me in contact with the
correct webmaster?

Thank you very much for your time.

Sincerely,
Lilly Hammond

NCSU B.S in Computer Engineering
Expected Spring of 2013

Same basic mass emailing service, no new clues. Another variation of the original letter has had some success; this time, the spammer writes that they're "required to help improve the web by finding relevant sites to reference" their site.

 

Feb 29, 2012,
jutta@pobox.com
