“Reply to Scammers”, they said. “It’ll be fun”, they said

A book called Dot Con has been bouncing around the news for the last few weeks, authored by comedian James Veitch. The idea is straightforward enough – instead of deleting all those junk mails, he replied to them all and wasted the time of the scammers.

I was particularly taken by a comment made in an interview where he said that wasting their time is one of the ways we can fight back. While this is true, he also said that doing this is “Just a lot of fun”. Some may be encouraged to take up arms against the scammers and follow his lead; however, it’s worth noting that many scammers are small time criminals and not particularly pleasant individuals.

I may have missed it, but none of the articles I read about the book touched upon the fairly important notion of staying safe while dealing with scammers.

The author does mention in the introduction to use a pseudonymous email address – however, that’s the only safety tip I could find and I’m not sure that goes far enough – especially when the book says “Do try this at home”. One man’s jolly jape is another man’s horrible set of nightmarish email threats to come round to your house and beat you up.

Make no mistake; you’re being asked to yank the chain of actual, (dis)honest to goodness criminals who are really rather all about illegal activities. They probably won’t fall about laughing when they discover you’ve been wasting their time, and may well decide to have a little fun of their own if you gave away too much of your own information in the process.

Spammer Time

Spam mails come from a wide variety of sources, and they usually fall into a few distinct categories:

  1. Phishing – Presenting the potential victim with fake logins in an effort to steal credentials. Anything from online banking to your Myspace account is up for grabs here. Okay, maybe not your Myspace.
  2. Malware – A fake invoice, a phony bill, a dodgy parking ticket despite the fact that you don’t own a car and go to work on a skateboard? Your final destination here could be a Botnet, blackmail, credential theft or some other horrible thing.
  3. 419 – You’ve won the lottery / a mysterious sum of money is owed to you / a spaceman is trapped in orbit and needs your help. These mails are a fast track to becoming a money mule if you’re not careful (while getting yourself into trouble at the same time).
  4. Pharmacy spam – Buying pills from random websites is not a good idea, for obvious reasons.

Some of these scams fall into certain “behind the scenes” patterns, in as much as they may be run by specific individuals, chancers, organised criminal groups, amateurs or professionals who make vast sums of money by being incredibly good at ripping people off.

That’s where the pattern tends to end, though – despite the cliches, there’s no fixed geographical location for your scammer of choice; you may be sent 419 mails from individuals operating out of the UK, or have spam land in your mailbox courtesy of a professional spamming outfit based in Russia. In all cases, there’s no real way to know exactly who you’re dealing with when fine tuning your humorous email response.

In terms of real world impact caused by spammers, legitimate business can endure all sorts of headaches due to something as basic as spam mail, which can also potentially be tied to PC infections.

When you start responding and investigating spam mail, you can quickly find yourself in some rather scary places, and there are cases of people having died as a result of buying spam pills. All in all, replying to spam could give you much more than you bargained for.

Common “Scamming the Scammer” Activities

One form of spam most frequently replied to by scam baiters are 419 missives.

There are dedicated forums where regulars will teach one another how to waste the scammer’s time, in theory preventing them from trying to steal money from an otherwise genuine victim. There are safety issues involved, and most 419 baiting forums will provide hints and tips for staying out of trouble. 419 scams can come from many angles – not just email, but also IM.

If a spam message arrives in your VoIP chat, for example, before you run off to thoroughly annoy them you should keep in mind that you’re probably about to reply from your main account. There are VoIP resolver tools which will let the scammer know your IP address – they’re not all technologically incompetent, and the last thing you want is a scammer letting you know they’re going to tell their friends residing in your country that they know where you live.

419 baiting sites take these safety issues so seriously that they also advise not to use fake IDs when baiting scammers, lest they then reuse those IDs you carefully crafted on a real victim.

This notion of turning your own tools against you is why security companies tend to watermark screenshots of spam emails (or include things like browsers, email clients, “This message is flagged as spam” notices in the images). You don’t want this happening. Even if your company isn’t flagged for phishing due to scammers reusing your images, you may find yourself being used as the supposed sender of spear phish emails.

On a similar note, you shouldn’t just reply from whatever your (presumably valid and oft-used) email address is when a scam mail lands in your Inbox. At the very least, make use of disposable “Spam trap” accounts not tied to personally identifying information, social network accounts, domain registration and so on. Don’t presume that the person you intend to turn the tables on has no idea how to Internet.

Phishy Fun?

Should you decide to rise to some phishing bait and “make things harder for them” by populating their phish with fake data, keep this in mind:

  1. Unless you’ve taken steps to anonymise yourself, the data you submit to the site may contain traces of information which reveal your identity such as IP address, email (you did remember to enter a fake email address, right?)
  2. Many phishers have no idea how to secure their stolen data, and find their plundered information cannibalised. From there, it will end up in other people’s data dumps and splashed around the web. No really, you used fake details and an anonymous email address – right? People trading in swiped goods tend to talk, and also draw up lists of marks / fake victims / people who otherwise annoyed them for some reason.
  3. You make it difficult for anti-spam organisations and entities who attempt to contact phish victims by scouring data dumps when you populate the information with fake entries. It becomes even trickier if you put some effort into making your fake entry look realistic.
  4. Phishers often make use of other dubious content, hosting it in directories related to the phish you’ve been sent. There’s no way to tell what you might stumble upon, but it probably won’t be anything good.

The Internet: Serious Business

Security research comes with inherent risks, and despite the potential for humorous “I made this guy take a photo while holding a fish on his head” antics, any direct response to a scammer brings with it the possibility of risk. It’s also becoming increasingly difficult to track down people up to no good, and increasingly some very specific desktop setups and techniques are required. With that in mind, you probably won’t get to go undercover and take down the criminals Punisher style, either.

A note of caution from Senior Security Researcher, Jérôme Segura, who spends a lot of time digging deep into tech support scams:

Those fake tech support people tend to get things moving by calling you on a number which is probably your landline. Before you start winding them up for half an hour, think about whether you want them to add you to their “Naughty Pile” list and either sign you up to telephone spam and / or give you the odd threatening “We know where you live” phonecall at 2 in the morning.

Make no mistake, pointing out to a tech support scammer can make things go a bit Liam Neeson as they threaten to find you and kill you. Top tip: they have a landline which they can attempt to tie to a home address via public registers, assuming they didn’t get it from one of those in the first place. As a result, the whole “finding-and-killing” thing would likely keep you up at night a bit more than it should.

Sticks and Stones…

I mean, for all of the above, the book is certainly entertaining. A lot of the chapters are very funny, and no doubt the writer took additional security precautions behind the scenes. It’s just a little alarming that there doesn’t appear to be any mention of this – and the last thing we need is lots of overenthusiastic people hurling themselves at professional criminals with little more than a vague sense of the lulz to keep them safe.

Christopher Boyd


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.