Dealing with Spam: Identifying and Preventing Nigerian Prince Scams

Spam identification

We have a spam filter running that does a very good job at tackling common spammer issues.

From what it catches, I’m assuming it blocks mails based on a few things:

  • SPF checks
  • Certain attachment formats (.exe, .swf, ...)
  • Known spam servers (+ the company’s ‘private’ spam lists)
  • A combination of the above by applying a form of AI.

We have some false positives that we manually allow through, but we’re fine with that rather than letting too much pass through.

Today, however, one got through: a presumably hacked Gmail account sending a message that they were stuck in Turkey with no money, and that the embassy will fly them back if we can transfer them 2K for a ticket.

  • There are no attachments, as it’s a social engineering attack.
  • There are some keywords, like Embassy or Turkey; these will stop this wave of spammers, but the next just changes a few lines and they’re through again.
  • It’s Gmail, which is relatively secure, but which is being exploited by attacking users through weak passwords; we cannot detect that on our side, and we can’t globally block Gmail either.

Has anyone managed to interrupt this kind of Nigerian Prince Spam from reaching end users? Is it even possible to properly distinguish these mails from ‘normal’ mails?

As I’m Dutch, to me it’s pretty easy to notice the Google-Translate English->Dutch that has been used. But of course, some end-users with financial-level access might not follow the same reasoning.

Answer

It requires real language interpretation to determine if the context is reasonable. That’s not an easy thing to do (fingers crossed for AI).

But in the meantime, there are Markov Chains. They would pick up on the terms ‘turkey’, ‘embassy’ and, more importantly, ‘transfer’ and a currency symbol in the same sentence.

But, the science is far from perfect and scammers work to defeat them.

In terms more in line with what an email admin can do, I have seen great success when the server adds a banner to all externally sourced emails ‘This email came from an outside source.’ or somesuch. It does not stop the emails, but it equips the end user to be more alert.
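As an added example (not code from the question or the answer), this Python snippet shows the two defensive ideas above side by side: a sentence-level co-occurrence score for ‘transfer’ plus a money amount, and the external-sender banner prepended to the text body. The keyword lists, the +3/+1 weights, the internal domain set and the sample bodies are constructed for the example.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Terms and weights are this example's own assumptions; real filters tune them per wave.
TRANSFER_TERMS = re.compile(r"\b(transfer|wire|send|western union|moneygram)\b", re.I)
MONEY = re.compile(r"[$€£]\s?\d[\d,.]*|\b\d[\d,.]*\s?(?:k|usd|eur|gbp|dollars|euros)\b", re.I)
DISTRESS_TERMS = re.compile(r"\b(stuck|stranded|embassy|lost my (?:wallet|passport)|urgent)\b", re.I)
BANNER = "This email came from an outside source."

def score_body(body: str) -> int:
    """Score a plain-text body sentence by sentence.

    +3 when a transfer term and a money amount share one sentence (the
    co-occurrence the answer points at), +1 per sentence with a distress term.
    """
    score = 0
    for sentence in re.split(r"(?<=[.!?])\s+", body):
        if TRANSFER_TERMS.search(sentence) and MONEY.search(sentence):
            score += 3
        if DISTRESS_TERMS.search(sentence):
            score += 1
    return score

def is_external(msg: EmailMessage, internal_domains: set) -> bool:
    """True when the From: domain is not one of our own domains."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() not in internal_domains

def tag_external(msg: EmailMessage, internal_domains: set) -> EmailMessage:
    """Prepend the banner to the text body of externally sourced mail."""
    if is_external(msg, internal_domains) and msg.get_content_type() == "text/plain":
        msg.set_content(f"{BANNER}\n\n{msg.get_content()}")
    return msg

def make_message(sender: str, body: str) -> EmailMessage:
    """Build a single-part text message (constructed sample, not real mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg.set_content(body)
    return msg

# Constructed sample bodies: one stranded-traveller scam, one ordinary work mail.
SCAM_BODY = ("Hi, I'm writing this with tears in my eyes. I came to Turkey for a "
             "short trip and got stuck. I lost my wallet and the embassy will fly "
             "me back. Please transfer $2,000 for the ticket, I will refund you.")
WORK_BODY = "Hi team, please transfer the Q3 slides to the shared drive before Friday. Thanks!"

if __name__ == "__main__":
    print("scam score:", score_body(SCAM_BODY))  # 5
    print("work score:", score_body(WORK_BODY))  # 0
    tagged = tag_external(make_message("Friend <friend@gmail.com>", SCAM_BODY), {"example.com"})
    print(tagged.get_content().splitlines()[0])  # the banner line
```

The score only flags the sentence-level pattern the answer describes; a Gmail sender still passes SPF, so the banner is what reaches the end user regardless of score.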
