Massive phone spam -- from Weatherby Healthcare

Weatherby healthcare hires physicians for “locum tennis” roles. That’s filling in for someone on holiday and the like.

They’ve contracted with the phone spam company from hell. My Google Voice number is deluged with calls like this (email of transcription):

Good morning. This is Kevin with weatherby Health care. I saw you recently inquired online about some outpatient work. I wanted to touch base with you. I'm currently working with several urgent care and outpatient facilities not only in your area, but throughout the country as well that are looking for a position like yourself to provide temporary full time or sporadic shift coverage they offer a high flexibility in the schedule and competitive pay rates. Give me a call back today would love to give you some additional information and details about these opportunities and see how I can be a resource for you my direct line here is 954 300 77 1821 again. This is Kevin with weatherby Healthcare 954 370-7828 have a great day.

and like this:

is Mike Ruskin weatherby Health Care's primary Care team. Hope you're doing well. I was reaching out to you because I came across your information, and I have some new open a family medicine positions available in Minnesota wanted to see if you or any colleagues should have I might be available. Give me a call back when you get this message. Let me know 954-343-2142 again Mike ross again with weatherby 954-343-2142. Thanks so much. Have a great day. Bye.

I blocked several of the numbers, but their phone spam operation is rotating through a large set. Number blocking doesn’t work.

I’ve turned off text messaging notifications of calls on my GV number and notifications from the GV app and notifications of missed calls. So the only notification I get is now email. In gmail I set a filter for any email with the text “weatherby health” to send it to the trash.

We desperately need a robocall/phone spam solution.

Oh, and if you’re a physician — please don’t answer calls from Weatherby. If you’re Weatherby, you’ve made a disastrous choice of marketing services.

PS. If you’re Google — your Google Voice phone spam filtering needs work.

What a solution for phone spam will look like

The FCC wants a vast and unmanageable array of voice communications carriers to fix the robocall plague.

I’m here to tell you what will happen. It will work much the way email spam was managed in the 1990s. It will also be the end of our legacy voice communication system and, somewhere along the way, the Feds will mandate that Google and Apple support VOIP interoperability.

Yeah, email spam is managed. It’s true that 95% of my email volume is spam, but I don’t see it. Differential filtering based on the managed reputation of an authenticated sending service works. Push the spam management problem down the sending service, then vary filtering algorithms based on the reputation of the authenticated (PKI) sending service. If you still see large spam volumes or losing valuable email it’s because you’re using Apple as an email service provider. Don’t do that.

Here’s what I think will happen to enable differential filtering based on the managed reputation of the authenticated calling service. I’m sure insiders know this, but they aren’t talking. 

• VOIP interoperability will be mandated. No more Apple-only FaceTime audio.
• Services (AT&T, Verizon) that don’t authenticate or manage their customers are assigned poor baseline scores. Service that authenticate/manage customers (Apple) get high baseline scores.
• Low score calls get sent to spam VOIP, we never see them. Medium score never ring through, they go automatically to transcription and we get transcription summary.
• High score calls are eligible for ring through based on user device settings.

The carriers will fight like hell to preserve their domain, Apple will fight interoperability, Google will be fine.

 

PS. For now we have a home phone number that is purely message, the phone doesn’t ring. Google Voice would be even better. If I could set my iPhone to “Do Not Disturb” status strictly for voice calls I’d be fine. I rarely answer unrecognized and unscheduled calls.

See also

• Economist.com | The fight against spam - buying a managed reputation 2/2004
• Fighting Spam - a proposal I first wrote up @1997.

Minnesota DFL phone spam - might not be what it seems

Since the election we've received a nightly phone call with a Caller ID of MN DFL party and a return number of 651-251-6300. As others have noted, that is indeed the phone number for the Minnesota DFL Party.

I assumed it was simply a fund-raising robocall. We are good Commies and donate to the Party, so it's not surprising that they'd harass us. It has been, however, oddly persistent. So tonight I actually answered the phone -- but I heard only a few meaningless sounds. Nobody was there.

I wonder if this were really a DFL call, or if someone is spoofing their number. That would be a nasty trick; a small donation to the right offshore resources could paralyze a fund-raising program.

If so, it might be that the villains don't know the election is over. Or the nighty calls could simply be a malfunctioning robocall system. I'll try to contact the DFL and ask what's up (I'll need to disable some of my DFL email spam filters to get a response). Even if it's not a dirty trick in this election cycle, it's a sure-fire strategy for the next one. Just another way that the era of switched network voice telephony is over. We will need caller-authentication with reputation-based call triage.

I'll update this with what I hear from the Minnesota DFL.

Update 12/8/2012: It seems to be incompetency, not malevolence. It seems the DFL really is spamming our home nightly.

Dear Dems: Maybe you shouldn't have spammed me so much.

The GOP may have a loose relationship with the falsifiable world, but they're tight where it matters. They have money by the truckload, mostly delivered by the deluded wealthy [1] to anonymous GOP funding streams.

So you'd think that Emily and I be inundated with pleas for donations.

Instead, crickets.

Seemed odd to me, then I remember the dense wall of filters and blocks I had to put up after our last set of donations. I had to block over thirty domains to beat back a deluge of Dem spam.

I guess our defenses are working. All those pleas and invitations are probably lost in my spam filters.

Maybe my team needs to rethink their fund raising strategy, and to implement rigorous email list control. Work on it guys.

In the meantime, I guess we'll have to send money somewhere. Google will probably come up with an address.

[1] Besides America, how many other post-industrial nations associate wealth with virtue and intellect?

CAPTCHA has failed, and so anonymous comments may go too.

My most loyal commenter (that's you Martin) tells me he can't solve Google's CAPTCHAs any more.

Neither can I. I responded ...

I can't do the CAPTCHAs either. Blog authors don't usually see them, but occasionally I'm connecting with a non-owner account.

I think they've evolved to a point that only human experts and AIs can solve them, and they all work for spammers.

Problem is I allow anonymous comments and only moderate if > 4 days, so there's only CAPTCHA and Google spam detection between me and endless hordes of mosquitoes.

As an experiment I've disabled CAPTCHAs on notes.kateva.org. I'll see how good Google's spam detection is. If the volume is too high I'll turn off anonymous comments. I agree, CAPTCHA has reached the end of the road.

Even in tiny market blogs like mine, comment and discussion is problematic.

Update 8/9/12: No problems! I should have dumped CAPTCHA years ago. Turns out I did on tech.kateva.org and then forgot I had. Google's comment spam filters are pretty amazing.

The evolution of spam: Nordstrom and mandatory spam acceptance

We've come a long way baby.

A year ago Nordstrom's began offering optional email receipts as "a convenient, environmentally friendly alternative to paper receipts."

Of course there are alway a few skeptics who doubted Nordstrom's integrity, but USA Today was reassuring

Retailers ditch paper and pen, use email for receipts - USATODAY.com

... no retailer serious about building a relationship with its customers would consider taking advantage of email access, said John Talbott, assistant director of Indiana University's Center for Education and Research in Retailing.

That's because for the retailer, the most significant benefit is being able to offer a service customers appreciate, he said. It isn't about cutting costs, he said, as less than 1% of a retailer's total revenue goes toward paper and ink for receipts.

Instead, the driving force is providing an option that makes the store a more appealing place to shop...

Yesterday Emily bought a shirt at Nordstrom's. The email receipt, she was told, was mandatory. No, of course there'd be no spam. She doesn't have a spam account, so she gave them her gmail account.

She got her first Nordstrom spam a few hours later. I'll show her how to use filters later today.

Not to worry though, paper receipts are not long for this world. Soon we'll be buying things with our phones. No spam there, since of course there's no tie between our phone's unique identifier and our email and phone number.

Text Spam: Phone company text messaging must die

I don't like paying $20/month for our AT&T unlimited texting family plan. After all, it costs AT&T next to nothing to provide SMS services.

I pay because the current IM alternatives don't work. That leaves texting as the polite alternative to the unscheduled phone call. I pay because what I get is worth more than the money I pay.

Or, rather, it was worth more. It's worth less all the time, because I'm getting more text spam like these 595-959 Welcome to Sears/Kmart Shop Your Way Rewards Text Alrts (yeah, "Alrts") ...

Unlike "full number" text spam, AT&T won't accept reports for these...

Instead, AT&T markets "short code" text message services. They charge spammers to spam us, and, I assume, they charge us to receive the spam. Talk about a win-win!

You could try completing the FTC's spam report form for wireless phones, but as of today it's not designed for text message reporting. It's as though the FTC got caught in a time warp @ 2002.

This is only going to get worse. There are now two phone companies in America, and they hate us almost as much as we hate them. They hate us so much they'll drive us to abandon their most profitable service.

We need an alternative to phone company controlled text messages. We need a messaging service that includes spam filtering -- and that doesn't make us sitting ducks for low grade spam. Blackberry did this years ago; maybe when RIM dies in 2013 either Apple or Google will buy their texting service -- and give us something worth paying for. Maybe California will ban text spam and end our spam as a side-effect. Maybe all of the above.

There's an opening here. Help me out Apple, Google, and California!

Administrivia: return of the captcha

Google's spam comment detection isn't good enough. After a one month test I've given up and restored a captcha function (yech) for Gordon's Notes comments.

Sorry.

If Google acquires Groupon they're absolutely insane

There's a rumor that Google is going to acquire Groupon for a zillion dollars.

I signed up to see what it was about. Naturally I used my mail.yahoo.com junk email address - a disposable digital identity. (If it ever annoys me too much, I will destroy it and create a new Yahoo persona.)

Groupon is a service that sends you spam. You can't opt out of the spam. Oh, and you can never leave. There's no obvious way to delete a Groupon account.

If Google buys Groupon then I will begin disentangling my data from Google. It will be an incontrovertible sign that they've gone off the rails.

Edging to AI: Constructive (almost) comment spam

It took me a day to realize that this comment on Gordon's Notes: Apologetics: God and the Fermi Paradox was a spam comment (Spomment):

Luke said... Interesting questions you ask - as always enjoy reading your posts. We all have our personal experiences & beliefs, but I do have to challenge you to check out an event coming up in the spring that I recently was introduced to. March 12, 2011 a simulcast called The Case for Christianity is taking place that will address the very question you have asked. Led by Lee Strobel (former Legal Editor of the Chicago Tribune) & Mark Mittelberg, all of the most avoided questions Christians don't like to answer or even discuss. Both are authors of extremely intriguing books, I encourage you to check them out as well as the simulcast in March. Definitely worth the time & worthy of the debate! Thanks again!

It's obvious in retrospect "interesting questions you ask" is a give away. It doesn't address any specific aspect of my post, and it leads directly into an event promotion.

Still, it snuck under my radar -- and Google's too. It's well constructed.

Of course the construction was human, only the targeting was algorithmic. It's a bit of a milestone though -- it's almost a relevant comment.

Charles Stross and others have speculated that spambot wars will spawn hard AI. First, though, they have to become specific, relevant, and constructive. We're getting closer ...

Incidentally, shame on Strobel and Mittelberg for using this kind of sleazoid marketing.

See also:

• Gordon's Notes: Slouching towards Skynet (2007)
• Gordon's Notes: The evolution of comment spam - from parasite to symbiote? (2009)
• Gordon's Notes: Phishing with the post-Turing avatar (2010)
• xkcd: Suspicion: Spambot love
• xkcd: Constructive (2010 - when spambots rule)

Friendly fire - how Dem spam killed my donations

I'm a good commie. Each cycle we  give some money to help Dems.

Not this election though. Partly, that's because my team's spam has gone astronomical. The spam flow is legal though, because "political speech" isn't covered by the CAN-SPAM act of 2003.

Campaign spam comes with 'unsubscribe' links, but they don't seem to be connected to anything. Even if they were, however, I'd probably be re-enrolled with the next list update. I doubt the campaigns spend much on mailing list hygiene.

At least the email headers aren't faked, so I have about thirty Gmail filters that send all email from all identified campaign-related domains to the trash. I'm probably not the only one doing this though, because lately the domain names are proliferating. The speech spammers are trying to get around my filters.

This is a job for the DFL. Yes, it's a bit of a reach for them -- but we're talking money. Money talk gets politician's attention. Here's what the DFL can do:

1. Get serious about a state wide unsubscribe service. Tell campaigns that if they don't follow the rules, they don't get funding or DFL support.
2. Forget about reaching me by email. There's nothing a politician can put in a mass email that will interest me (the vast majority of political speech is aimed at the undecideds). Instead set up narrowcast feeds aimed at literate geeks whose vote is not in doubt.
3. Enjoy the money Emily and I will send after the spam stops.

Comments now without captcha and without moderation

Blogger, long left for dead, tottered into the pub this week. Among other signs of life, there's a new comment spam filtering system.

I disabled comment moderation and the captcha on tech.kateva.org a few days ago, and I haven't seen many problems. So today I've removed it for posts less than 28 days old on notes.kateva.org.

It's good to get rid of the captcha. I really don't like those.

Innovations in comment spam

Comment spam continues its rapid evolution. Despite my reluctant surrender to the Captcha I'm seeing novel mutations every few months.

A recent technique is to write a reasonably detailed comment about a fairly specific topic, like "junk DNA". A query engine then identifies all blog posts that have a high match to the comment. An automated posting process, perhaps with some tool-assisted human powered captcha processors (via Amazon's Mechanical Turk?), submits the post to thousands of blogs.

Even with human review, the comment submissions will be a good quality match to a meaningful number of blog posts. The comment gets posted, and the spammers get something of value (link referrals?).

The one I rejected today was clumsily written, so it was fairly easy to spot. It contained an unnecessarily specific reference to a "first post", the author name was a marketing phrase, and the grammar and phrasing could have been better. I've probably missed better ones!

We can expect rapid improvement. In time they might evolve to transiently novel insights statistically applied to the right spot at the right time. At that point, would we not welcome them?

In the meantime we do need Google to start filtering these comments the same way they filter email. This particular approach lends itself to statistical filters, and of course the use of author reputation in filtering algorithms. Alas, Google has forgotten all about poor Blogger ...

--
My Google Reader Shared items (feed)

It's not over. The rise of second generation spam.

First generation spam was pretty bad, but it's more or less under control now. Between sharpening spam recognition algorithms, crowd sourcing, and managing the reputation of authenticated sending services Google has beaten back the tide.

So that's it for spam?

Heh. Of course not. Now we have second generation spam.

Second generation spam does not use forged headers -- though the headers do seem to change a fair bit. This spam is not anonymous, it markets real goods, services - and politicians.

The goods and services aren't too hard to manage. I created a filter that sends anything from "buy.com" to the trash -- that took care of 80% of it.

The politicians are much worse. I get daily spam from fund raising politicos, PACs and other accessories to the political process. I now have about 25 Gmail filters that do nothing but delete all incoming email from their domains. The domains typically last a few months, and then there's a new crop. At this rate I'll have 200+ Gmail filters that delete email from largely defunct domains.

What? Ask to be removed from the lists? Clearly you're just toying with me. I tried that of course, but it doesn't work. I just get added back in they next time some politico buys a list. (Maybe I should start forwarding to spam@uce.gov as well?)

It's hard for any ISP to block this kind of spam. Politicians generally exempt themselves from laws that slow fundraising; if Google blocked their spam they'd be asking for a world of hurt. Better to get between a Grizzly and her cub than between a politician and your wallet.

We need a different approach to political spam. Sorry, I have to vote for some these dorks -- better spam than Palin and her ilk! So changing my vote's not enough. Any ideas?

I do have one quick fix. Google could add a "blacklist all from this domain" to the message action select menu. Choose it and the message is deleted and the blacklist entry created in a one move.

Another related fix -- allow Gmail users to share their blacklists. So Google wouldn't get in trouble, because we'd be choosing what block.

Any other ideas?

I add the despised comment captcha

I dislike Captcha (usually a text recognition test) as much as anyone -- but lately my email has been clogged with notices of blog comments to review. They're almost all spam.

So I had to turn on the Captcha test. If the spambots get bored I'll try turning it off again.

Death of email part XI: forwarded emails with big red phishing warnings

I own a few domains, including a Google Apps domain we use for our family [1]. My immediate family members, excluding Kateva (canid), have calendars and emails in the family domain. Overall, it works pretty well. It pounds Apple's warped MobileMe into the sand. Savagely.

For reasons that aren't worth trying to describe, I've used an email redirector for some of these accounts. This is forwarding at the domain level, not forwarding from an email account.

This used to work pretty well, but when I tested it on a new account two problems appeared:

1. It was filtered to Google spam.
2. A BIG RED PHISHING warning appeared when I opened the email.
   

I was able to correct this by marking it as 'not spam' and 'not phishing' (the UI for the latter is a bit non-obvious, I had to follow the help link in the phishing notice).

This is a great example of the tech churn meme I wrote of yesterday. Email is in a troubled state as it painfully moves from the old world of the naive net to the new world of authenticated messaging [2].

This redirect mechanism is clearly not going to work, perhaps because the redirecting domain has been used by spammers in forged email headers [3].

Ouch. This is definitely a problem. I have some workaround ideas, but this will be a bugger to test since Google doesn't talk much about what it's doing.

--

[1] Free edition. If google drops the price on their small business product I'd upgrade to get some customer support options.
[2] One reason people like facebook messaging is that it's deeply authenticated.
[3] The curse of old, private, domains. Mine is very old. There's no defense against such forgery. See also two 2006 posts about a related problem (this isn't new)

• Gmail spam filtering threatens services
• Spam - blacklists are back

The evolution of comment spam - from parasite to symbiote?

Lately I've been getting blog comments that blur the spam/non-spam species boundary.

Comment spam used to be pretty clear. It would be unrelated to the post topic, and contained a link to a splog or other more or less fraudulent web page. These were easy to automatically block, so spammers dropped the links. Second generation comment spam aimed for search engine "optimization" through reputation enhancing back links to the author URL. Second generation comment spam was made of strings like "thanks for the the great post"

These were harder to machine reject, but easy for human reviewers to spot.

Now I'm seeing third generation comment spam. These have no links, and they're actually related to the original post. Sometimes they're almost non-sequiturs, but mostly they read like a fourth grade student answering a homework assignment. The grammar suggests either a very young or non-english writer. They do link back to splogs.

So how's the new species of comment spam being authored? It could be AI based -- maybe calling Wolfram Alpha or Wikipedia to retrieve relevant strings. It's probably human though -- outsourced work being done by low paid labor churning out comments at high speed.

This third generation spam isn't trivial to reject. Sometimes I have to think about it.

We know where this is going. Fourth generation spam comments will actually make sense. They'll be legitimate comments.

Fifth Generation spam comments will be very high quality. Skynet will appreciate them.

Update 9/4/09: Another (funny) take on the theme. Also, see the comment by one of my favorite writers.

Update 1/1/10: Cory Doctorow's excellent 2006 novella I, Row-boat (read it, it's online) tells us how Robbie the row-boat's ancestors became sentient ...

“Back in the net’s prehistory it was mostly universities online, and every September a new cohort of students would come online and make all those noob mistakes. Then this commercial service full of noobs called AOL interconnected with the net and all its users came online at once, faster than the net could absorb them, and they called it Perpetual September.”...

... “AOL is the origin of intelligence?” She laughed, and he couldn’t tell if she thought he was funny or stupid. He wished she would act more like he remembered people acting. Her body-language was no more readable than her facial expressions.

“Spam-filters, actually. Once they became self-modifying, spam-filters and spam-bots got into a war to see which could act more human, and since their failures invoked a human judgement about whether their material were convincingly human, it was like a trillion Turing-tests from which they could learn. From there came the first machine-intelligence algorithms, and then my kind...

Conde Nast's latest spam ploy - Axciom's Delivery.net

Conde Nast, publishers of Gourmet and other periodicals, holds a place of dishonor among the world's scummiest spammers. It will be a sad commentary on humanity if the New York Times goes under and Conde Nast survives.

Spam must work for them, because they invest a fortune in spam and associated legal fees. They're not too hard to block; even though they change their email address every few months it's only a moments work to add another Gmail 'filter to trash' rule.

Today, though, they're trying something knew. They're sending their email using a "delivery.net" account with a dedicated spamming service:

Acxiom Digital

... Acxiom Digital helps the world's leading marketers create and deliver permission-based email marketing campaigns. Acxiom Digital acts as an agent for our clients in delivering email communications to their customers. Our clients own the data on their customers, including email addresses, which are gathered via permission-based processes at their website or other online and offline sources...

"Permission-based" my ass.

So now anything from 'delivery.net' is immediately deleted. It will be interesting to see what email address Conde Nast uses next.

Friends don't let friends buy Conde Nast products.

Facebook observations

I've been enjoying Facebook, though the iPhone client is overdue for an overhaul. My conclusions about what's interesting with FB are a bit different from what I usually read, so, inevitably, I'm compelled to share:

1. Internal identity - no anonymity. This means control over communications, which means spam is manageable. The FB equivalent of spam is metastatic "apps", but, for the moment, you can opt out of those. Spam free communication environments are worth much more these days than they were 7 years ago.
2. It's AOL 2.0. I remember when AOL was interesting, back when it was a Mac only spinoff of one of Apple's many failed online communities. I'll call that AOL 1.0. Of course in those days there was no spam, no phishing, no viruses -- essentially the proto-Net was risk free. That meant AOL didn't have an enormous amount to offer, but it still did quite well. Now the Net is extremely risky, especially for XP users. AOL 2.0 has a much bigger value proposition than AOL 1.0.
3. I love pub/sub, especially as implemented in feeds and readers. Unfortunately, this technology was a bridge too far for the vast majority of humanity. Only the uber-geeks knowingly use feed readers like Google Reader; all the good desktop XP feed readers have died. Facebook is all about pub/sub, but they've made the technology feel natural to their base. That's a real accomplishment.
4. Facebook has shown (sigh) that logic and usability are not all that important for a social application.

I've never paid much attention to the alleged role Facebook played in electoral politics. I'm still unsure how much of that is real, but there is some potential to gradually encourage specific memes in one's FB network. It has to be done judiciously. I actually streamed my Google Reader "notes/shares" into FB for a while and I think I about vaporized my friends. Now I restrict the meme injections to 1-2 a week.

The dark side of FB, of course, is data lock. (Privacy you say? Surely you've given up on that 20th century dream.) They're providing more APIs and sharing more identity information than they have, but I would never put my photo library on FB. It's a place to put things that are intentionally transient.

Death to Captchas

Beck when machines had trouble solving simple Captchas, they weren't a bad idea.

Now the machines are much better at solving them than we are. I see red when I see a Captcha, no matter the color of the cursed thing...

Recent Stuff That Bothers Me - Pogue’s Posts - NYTimes.com

... These days, blogs and Web sites often require you to prove that you’re human by typing in the text version of some distorted picture of a word. The idea is to screen out automated software spambots that fill the Comments area with auto-generated ads...

... I suddenly realized how much I hate these things when I got a note from reader Jason Donovan, who’s started a Web site where you can post your favorite (meaning most ridiculous) Captcha images.

Some of the starter images posted there aren’t hard to figure out. But the ones in color, one of which I’ve pasted here, are living, breathing proof that these things have gotten quite out of control.

I moderate all comments and foreswear the cursed Captcha. It was a nice try, but the experiment failed. The machines aced the Turing test.