by George Taniwaki

About comment spam

Comment spam is a real problem. Most websites that allow comments (like mine) receive over 100 spam messages that link to unethical or fraudulent websites for each legitimate comment they receive.

Luckily, there are excellent spam filters that identify and remove these annoying click-bait messages. For instance, the service that hosts this blog, WordPress, uses a service called Akismet. These spam filters use pattern recognition to find suspicious messages based on characteristics like message content, sender email address, sender IP address, web page commented on, etc. Suspect messages are tagged as spam and moved to a junk comment folder.

Naturally, in the spam arms race, the creators of spam campaigns need tools to rapidly create comments, ideally a unique one for every blog post, so as to avoid being detected.

The message

I recently received a comment on this blog that reveals how comment spammers create messages. The comment was actually not the intended comment. Rather, the spammer sent me over 300 lines of code they used to create custom-looking comments. Phrases that could be customized were enclosed in curly braces {}. The options for the words in a phrase were separated by vertical pipes |. The curly braces could be nested to allow multiple levels of customization. In fact, the entire comment starts with a curly brace so that different versions of the message could be sent. The spam message generator is partially reproduced below.

Note in particular how many of the characters (highlighted in yellow) are accented or Unicode homoglyphs, meaning they form words that look like English, but will not appear in any dictionary that might be used by a spam filter to detect phrases often used in spam messages. Of special note is that words used multiple times will often have a different glyph replacement in each instance.


{ӏ have|I’ve} bеen {surfing|browsing} online mοrе thаn {three|3|2|4} hours todaу, ƴet I
never found any іnteresting article like
yours. {It’s|It іs} pretty worth enoսgh for me. {Іn mу opinion|Personally|In my view}, іf
ɑll {webmasters|site owners|website owners|web owners} аnd
bloggers mаde gooԁ content as ƴou dіd, tҺe {internet|net|web} will bе {much moгe|a lot more} useful than ever beforе.|
I {couldn’t|could not} {resist|refrain fгom} commenting.

{Very wеll|Perfectly|Well|Exceptionally well} written!|
{ӏ wіll|І’ll} {rіght awaʏ|immeԀiately} {tɑke
hold of|grab|clutch|grasp|seize|snatch} уoսr {rss|rss feed} ɑs I {can not|ϲаn’t} {іn finding|fіnd|to find} yοur {email|е-mail} subscription {link|hyperlink} օr
{newsletter|e-newsletter} service. Ɗo {yoս ɦave|yoս’ve} any?
{Please|Kindly} {аllow|permit|lеt} me {realize|recognize|understand|recognise|кnow}
{sߋ tɦat|in orԁer that} I {may juѕt|may|cοuld} subscribe.

The string of faux-fawning gibberish continues for another 290 lines or so and finally ends with this heart-felt closing.

Thɑnks fоr {greɑt|wonderful|fantastic|magnificent|excellent} {іnformation|info} ӏ wɑs looking for thіs {informatіon|info} for my mission.|
{Hi|Hello}, i tɦink that і saw you visited my {blog|weblog|website|web site|site} {ѕo|thus}
i сame to “return the favor”.{I аm|I’m} {trying to|attempting tߋ} find thіngs to {improve|enhance}
mʏ {website|site|web site}!І suppose its ok to use {some of|a fеw of} уօur ideas!\

I’m somewhat surprised the code above can confuse a spam filter. A pattern recognition algorithm could be designed to detect which forms of phrases, misspellings, and glyph substitutions are most commonly seen in spam rather than in messages typed by honest but error-prone humans.
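The detection idea in the paragraph above, sketched as an added example (not code from this blog or from Akismet): it flags words whose letters come from more than one Unicode script and counts leftover `{a|b}` template groups. The sample strings are constructed, with the homoglyphs written as escapes, and the function names and the decision rule are assumptions.

```python
import re
import unicodedata

# Constructed samples. Homoglyphs are written as escapes so they are visible:
# \u0435 = Cyrillic "ie", \u03bf = Greek omicron, \u0443 = Cyrillic "u".
CONSTRUCTED_TEMPLATE = (
    "{I have|I\u2019ve} b\u0435en {surfing|browsing} online "
    "m\u03bfr\u0435 than {three|3|{2|4}} hours toda\u0443"
)
# A legitimate comment: an accented Latin word and a wholly Cyrillic word.
CONSTRUCTED_CLEAN = (
    "Thanks for the write-up, the caf\u00e9 example helped. "
    "\u0421\u043f\u0430\u0441\u0438\u0431\u043e!"
)

def script_of(ch):
    """Coarse script label: the first word of the Unicode character name."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:          # unnamed code point
        return "UNKNOWN"

def mixed_script_tokens(text):
    """Return (token, scripts) for every word that mixes scripts.

    A word written entirely in one script is not flagged, so ordinary
    non-English comments pass. Lookalikes inside the Latin block itself
    would need a confusables table and are out of scope here.
    """
    flagged = []
    for token in re.findall(r"[^\W\d_]+", text):   # runs of letters only
        scripts = sorted({script_of(c) for c in token})
        if len(scripts) > 1:
            flagged.append((token, scripts))
    return flagged

def spintax_stats(text):
    """Return (groups, depth) for unexpanded {a|b} template syntax.

    groups: balanced brace pairs holding at least one '|' at their own level.
    depth:  deepest nesting of open braces seen.
    """
    stack = []                  # per open brace: was a '|' seen at this level?
    groups = depth = 0
    for ch in text:
        if ch == "{":
            stack.append(False)
            depth = max(depth, len(stack))
        elif ch == "|" and stack:
            stack[-1] = True
        elif ch == "}" and stack:
            if stack.pop():
                groups += 1
    return groups, depth

def score_comment(text):
    """Combine both signals; the decision rule is an assumption."""
    mixed = mixed_script_tokens(text)
    groups, depth = spintax_stats(text)
    return {
        "mixed_script_tokens": mixed,
        "spintax_groups": groups,
        "brace_depth": depth,
        "suspicious": bool(mixed) or groups > 0,
    }

if __name__ == "__main__":
    for label, sample in (("template", CONSTRUCTED_TEMPLATE),
                          ("clean", CONSTRUCTED_CLEAN)):
        print(label, score_comment(sample))
```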

Anyway, I want to thank this incompetent spammer for providing me with content for this blog post. And of course, thanks for the {kind|wonderful|supporting} message.

For examples of actual blog spam that prey on people who might be persuaded to sell a kidney, see this previous blog post.

by George Taniwaki

I recently received two comments on this blog from what appear to be scam artists seeking to prey on desperate people who might be persuaded to buy or sell a kidney.

I didn’t bother to follow up with either person to learn more about this scam. I say scam because it is illegal to buy or sell organs in nearly every country on earth. Further, nobody will pay for your travel expenses to a developing nation to have a nephrectomy (kidney removal surgery).

Bottom line: Do not respond to messages from strangers offering you money!

The messages

The first message, shown below, is short and is targeted specifically at poor people who need money.

Do you want to sell your kidney due to financial problem? If yes you are in the right place of selling your kidney for good money. contact us @ SAWAN NEELU ANGEL’s HOSPITAL Multi specialist Home, J-293,Saket, New Delhi-17 India.. Email Us now:

Very Urgent


Dr Ashok kumar
ASN Directo


The second message is a bit of a mixed bag. This scam artist starts his pitch with an offer to help poor people desperate for a chance to escape debt. But at the end of his message, he makes a stab at conning kidney patients into making a down payment for a transplant.

Good day,

Do you want to buy a Kidney or you want to sell your kidney? Are you seeking for an opportunity to sell your kidney for money due to financial break down and you don’t know what to do, then contact us today and we shall offer you good amount for your Kidney. My name is Doctor Calvin Cien am a Nephrologist in UBTH clinic hospital. Our clinic is specialized in Kidney Surgery and we also deal with buying and transplantation of kidneys with a living an corresponding donor. We are located in Indian, Turkey, Nigeria, USA, Malaysia. If you are interested in selling or buying kidney’s please don’t hesitate to contact us via email.

Best Regards.
Dr. Calvin Cien.


For more on how comment spam is created, see this blog post:

Comment spam template (June 2014)

For more on how scams work, see the following blog posts:

The Craigslist counterfeit check scam (June 2013)

Paris scam artists (March 2011)

by George Taniwaki

I went to the local Washington Department of Licensing office last week to renew my driver’s license. Just like I did ten years ago, I registered to be an organ donor. I urge you to do the same and give the gift of life.

You don’t have to wait until your driver’s license comes up for renewal to do it. You can do it today on the web. Find your state’s registry at If you live in Washington state like me, you can go directly to LifeCenter Northwest’s web site at

Incidentally, I noticed something new on my new driver’s license. On the upper right is the word “DONOR” followed by a heart-shaped icon. On my previous license only the icon was displayed and its meaning was ambiguous. I like the change.


Figure 1. Register to be an organ donor


I notice a few other changes from the last time I renewed my driver’s license ten years ago.

  1. The lines were short and the process was efficient.
  2. Previously, driver’s licenses were printed while you waited at the DoL office. Now the ID photograph is taken at the DoL office, but the actual driver’s license is mailed to you. My guess is that centralizing the printing allows more sophisticated security measures to be embedded in the card. It also reduces the opportunity for local DoL employees to make counterfeit licenses.
  3. I had to take my glasses off for the ID photo. This is probably so that a photograph can be taken of me later (perhaps during an arrest) and my identity determined by using facial recognition software to compare the new photograph to the existing photograph in a DoL database. The facial recognition must compare features that don’t change readily like the eyes, nose, mouth, and ears. It ignores jewelry, facial hair, and facial expression.

by George Taniwaki

Reproduced below is what I hope to be the final email I received from Alex, the scam artist who responded to a Craigslist ad I posted. A complete description of the attempted scam is reported in a Jun 2013 blog post.

This email is a follow up to a check she mailed to me for an amount far in excess of the price of the item I was selling. I did not deposit her check (it is obviously a counterfeit) and did not send a requested MoneyGram to her “movers”.

Her email starts off with a plaintive call for a reply followed by a threat of legal action. (Ha ha. Somehow, I doubt she will follow through on that threat.) The letter ends with a couple of misspelled words and closes with a friendly “Good day.” I like it.


Sent: Friday, June 14, 2013 8:11 AM
To: George Taniwaki
Subject: Re: Beautiful Mission-style cupboard


What is going on? The check has been delivered to you and you never get back to me regarding the movers money and the pick up schedule.

Are you trying to run away with my hard earned money? Remember i am a Marine and my friend works with the FBI you will be tracked down and arrested. I will also contact my lawyer now for a legal process.

To safe all this troubleyou better get back to me now.

Good day.


Alex sent the email to me twice, a few hours apart. She has done this before. I guess it must be hard to remember whether you’ve sent a particular email when you have dozens of scams going on at once. Hey, maybe Alex should invest in a CRM email tracking system.

by George Taniwaki

I recently became the target of a Craigslist check fraud scam. I was cautious, so I caught it before I lost any money. However, the scam was cleverly designed. A careless or more trusting person could easily be fooled and lose money.

There were a few surprising lessons from my experience. First, my interaction with the criminal didn’t raise any flags until very late in the process. The emails I received were a lot less obviously fraudulent than the offers of money in Nigerian widow emails.

Second, a regular Craigslist user may become complacent about the chances of becoming a victim of fraud. Because I am remodeling my house, I use Craigslist frequently both as a buyer of tools and supplies and as a seller of used kitchen appliances, fixtures, and furniture. I also buy and sell used cars this way. I haven’t bought a new car from a dealer in over 30 years. (Yes, I know this is way before the inception of Craigslist.) In all, I’ve never had a problem with any transaction, until this incident.

Further, in order to use Craigslist you need to have some trust in the other party, or you can’t complete a transaction. Thus, in the context of a Craigslist transaction, a potential victim is primed to be taken advantage of through emails in a way that does not occur when receiving an unsolicited email offer from a stranger.

Finally, even though I have kept detailed evidence of this attempted fraud, including names and addresses, and reported my incident to a variety of law enforcement groups, I believe it is unlikely that any of the criminals involved will be caught or prosecuted. More on the reasons why I believe this later in this blog post.


Description of events

On May 31, I posted an antique cupboard (shown below) on


Figure 1. The Craigslist posting that attracted a criminal’s attention

Within a few hours I received an email inquiry. It was from a woman named Alex who said she was in the Marines and temporarily stationed in Georgia.

This seemed odd, but not suspicious. There are lots of military families in the Seattle area.

I did a web search for the woman’s name and found that she had profiles on LinkedIn and Facebook. Both indicated she lived in Shoreline, a suburb of Seattle. Both said she was employed as an instructor at a local beauty school. Neither profile mentioned the Marines, but I reasoned if she was in the reserves, perhaps she wouldn’t mention it.

Alex asked some basic questions about the cupboard, which I answered. The questions were oddly generic and most of the answers were already in my ad. We settled on a price. On Monday, she wrote that she would mail me a cashier’s check and that someone would pick up the cupboard and hold it until she got back. She asked for my full name, address, and phone number.

This seemed odd and a bit suspicious. But I agreed since the risk seemed low.

On Tuesday, she sent another email saying that she had sent the check via USPS priority mail. The tracking number was 9405501699320004099027. I went to the USPS website and found the tracking information.

It looked legitimate to me.

On Thursday I received the package. The return address was for a TRH Construction of Brunswick, GA. This seemed odd, but not entirely suspicious. Maybe Alex was busy and had a friend mail it for her.

Inside was a company check (not cashier check) for $1,850.00 with payor name of Commercial Truck Sales & Export of Sanford, FL drawn from RBC Centura Bank of Lake Mary, FL. There is an illegible signature printed on it.


Figure 2. A suspected counterfeit check, the account number and ABA routing numbers have been obfuscated

OK, now I was finally suspicious. The check appeared to be real. It was printed on one of those check forms you can buy mail order and run through your inkjet printer. I did web searches for both the payor name and the bank name. Both seemed to be legitimate. But it was pretty obvious that these firms had no connection to this woman. The check was very likely a forged counterfeit.

I received another email from Alex. She wrote that the check amount included our agreed upon price plus an extra $30 for me for my troubles to cash the check and do her a favor. Because I was a trustworthy seller, she wanted me to send the remaining amount of money to her moving company via MoneyGram. She provided the contact name and address where the MoneyGram should be sent. It was a woman named Ychantiz of Rock Hill, SC. Once the money was sent, Alex wanted me to reply back with the MoneyGram reference number, date, address, and dollar amount sent, which she would forward to the movers.

Aha. Here is the scam. I receive a counterfeit check (the bad money) from a forger and deposit it. The check is drawn from a real account at a bank, so it clears. I feel confident and send a MoneyGram (the good money) to the forger’s confederate. Later, the payor on the check discovers money has been stolen from their checking account. Their bank reverses the transaction. My bank also reverses the transaction. I now have lost money and cannot get it back from the forger who is now long gone.

In fact, if I deposit the check now, I could be charged with bank fraud by the local police. It would be the ultimate indignity, the victim accused of being a criminal.

I noticed that my name was misspelled on the check. So to stall for time while I contacted law enforcement groups, I sent Alex an email stating that I received her check, but my name was misspelled and that the bank would not cash it. I asked her to mail me another check.

A day passed without any response. Then on Saturday she replied that she would send a replacement check on Monday. On Tuesday, I sent a follow-up email to Alex to see if she was still interested in the antique cupboard, but she didn’t respond.

Unexpectedly, I received a replacement check on Thursday. It was also sent via priority mail, tracking number 9405501699320004370294. The return address was Waddell Realty of Columbus, GA. The check was for the amount of $2,500.00. (Apparently, the larger amount will compensate the scammer for the additional effort my transaction is taking.) The payor on the check is A Mar Group (sic) of Masfield (sic), TX and it is drawn from Regions Bank of Mansfield, TX. The check has the same signature as the first one. At this point, I decided I had collected enough evidence and stopped my conversations with Alex.

As shown in the Bing map, if a single scammer is involved, she is doing a lot of driving. The towns of Brunswick, Columbus, and Rock Hill form a triangle over 200 miles to a side. However, if the criminal organization is sophisticated, there may be a person in each city whose activities are overseen by a single mastermind. More on that next.


Figure 3. Map showing physical locations of the scammer(s)

Anatomy of a criminal enterprise

There are two roles being played by the criminal(s) involved in this scam: the mastermind and the dummy. Both roles can be played by the same person, but I suspect they are separate. The mastermind gains access to checking account information for businesses in order to create the phony checks. Perhaps she buys a list off the internet. Or she compiles the list herself by bribing people who provide services to businesses, such as janitorial service providers, lawn maintenance companies, office suppliers, caterers, etc. to provide copies of checks from clients. Or since this is all about scams, the mastermind approaches a small janitorial business and says she is from the bank investigating fraud and asks for copies of all checks received from businesses. It may not be a coincidence that the two checks I received both have auto dealerships as the payor.

The mastermind also finds the names of innocent people with unique names, like Alexis of Shoreline, and creates fake gmail accounts with those names. The mastermind also has a computer program designed to quickly find new Craigslist postings and automatically send inquiries to the seller with generic questions about the product (e.g., how old is this antique, who was the manufacturer, where was it made, what kind of wood is used, has it been refinished, etc.).

I believe my email communications have been with this mastermind. For all I know, this person actually is the woman named Alexis who lives in Shoreline. But more likely, this person is a man, doesn’t live in the U.S. at all, and can’t be located, much less arrested and prosecuted.

I went back and found one of the emails I received from Alex. Her email address is I opened up the header information and noted her email IP address was A whois search locates the IP address in Mountain View, CA and lists the owner as Google. That’s not very helpful.

The dummy in this fraud scheme does the grunt work. This person may actually have been duped into participating and doesn’t even realize she is a criminal. This is similar to my belief that many of the scam artists I encountered in Paris (blog post Mar 2011) may be criminals but are also victims.

One task of the dummy is to forge checks. Forgery does not take special skills like you see in the movies. It simply requires the person to own a computer with an inkjet printer. Whenever the mastermind gets a live lead she tells the forger to print a check and mail it to the address requested. The forger gets paid (or is promised to be paid) a piecemeal rate for doing this work. But perhaps she is told to pay the priority mail postage out of her own pocket and doesn’t get reimbursed (if at all) until the victim’s MoneyGram arrives. The use of priority mail allows the mastermind to monitor the work activity of the forger over the internet. If the forger takes too long to mail out checks or makes mistakes like misspelling the victim’s name, she is fired.

The other task of the dummy is to act as a drop box for receiving the MoneyGram payments and deposit them into the mastermind’s bank account, probably outside the U.S. She is also probably paid piecemeal (or told she will be). Her work activity is monitored by the mastermind using the MoneyGram reference number and dollar amount data that the scam victim kindly provides. If the dummy steals any of the money, the mastermind turns her over to the police. Since this person uses her real name and address for the drop box, she is also likely to get arrested if any of the victims pursue a case. She may also be sued by victims to recover funds. She is in a really high risk, low payout position.

(This arrangement seems similar to that between the mortgage brokers in boiler rooms selling zero money down home loans to unqualified buyers and the investment bankers on Wall Street selling the resulting CMOs to pension funds. Guess which ones got caught and went to jail.)

A good mastermind could probably manage a dozen dummies scattered around the country. So, how does the mastermind find these gullible underlings to do the dirty work and take enormous risk in getting caught in the scam? My guess is by running ads in Craigslist! The ad may have looked something like this:


Great opportunity as a document expeditor.

• Prepare and print checks, invoices, other shipping documents
• Package and ship completed documents
• Accept payments from customers and make deposit to bank accounts
• Track packages and payments and issue reports
• Perform other office tasks as assigned

Job Requirements:
• Must have own computer and color inkjet printer
• Must have own car for trips to post offices and banks
• Proficient in Microsoft Office, Word, Excel, Outlook

Yes, Craigslist is a wonderful tool for recruiting victims for criminal enterprises.

Contacting law enforcement

Had I fallen prey to this scam, I would have been out about $1600. This is a felony, so I want to report this crime. But to whom? The local Bellevue police can’t do anything about this crime. Even the Washington state attorney’s office can’t do anything. The scope of this crime is national or international.

I look for information on check fraud scams. There’s a lot. There is even a blog dedicated specifically to Craigslist scams, though it hasn’t been updated in a long time. Going to the Craigslist site, there is some advice on how to avoid scams and who to report them to.

Following Craigslist’s advice, I report my incident to the Federal Trade Commission (FTC) using its online complaint form at

I also report it to the FBI’s Internet Fraud Complaint Center using its online complaint form at

Then I call RBC Centura Bank, the bank that the first check I received was drawn against. I explain to a bank employee that I have a counterfeit check and want to report it. She thanks me and says the bank is already aware of the problem. She notes that it is impossible for them to stop this type of criminal activity. (If you think about it, you can see why. The checks are being deposited by innocent victims all around the country. As long as the payor’s account is still open, the depositing banks have no way to know that the checks are counterfeit. Even after the check is returned to the payor bank, it has no way to recognize the check as counterfeit. It isn’t until the payor complains that the fraud is discovered and the bank account is closed. By this time the forger, directed by the mastermind, is writing checks from a different account.)

The bank employee asks me if I received the check by mail. I reply yes, and she tells me to report it to the post office as mail and wire fraud. I report the incident to the US Postal Inspection Services using its online complaint form at

As a last step, I report the email fraud to Google phishing incident report at This wasn’t really a phishing scam, but there are no other methods of contacting the gmail team. Hopefully, if the police serve Google with a search warrant, the company can identify the location of the miscreant posing as Alex.

After filing these reports, I don’t have much confidence that anything will be done. Catching Ychantiz, the woman running the drop box, should be easy. She willingly provided her name and address. But she probably doesn’t know she is a criminal. Same thing for the person who is mailing out the checks, if it is a different person. She probably shows up at the post office every day with priority mail packages. The time stamps on the packages can easily be compared with video surveillance footage to identify her. But it is doubtful that either of these people has ever met the mastermind or knows that person’s real name or location. Once caught or tired of the scam, these underlings are on their own. The mastermind will just find new underlings, find new checking account data, create new email addresses, and find new Craigslist sellers to target.

Why Craigslist is hard to use

The fine folks at Craigslist are very aware of the problem of scams. Their website strongly urges sellers to only deal with local buyers and to not send money by wire or by mail.

In order to make it difficult for buyers and sellers who are not local to meet, the Craigslist database is filtered by location. There is no easy way for a seller in one city to let buyers nationwide see their wares. Similarly, there is no easy way for a buyer in a city to see all the sellers of a particular trinket across the U.S. One can only do this by running a query on each local Craigslist site.

The best way of running multiple queries is to use a computer program and display the results in your own custom web page, a process called a mashup. Lots of websites encourage this and publish an application programming interface (API) that helps developers to automate the query and populate their own database.

However, to deter criminal programmers, Craigslist does not publish an API. Most Craigslist mashups are created using screenscraping. That is, a programmer has to tediously hardcode the requests to the Craigslist database and then figure out how to extract the data they want from the web page that is returned. It is easy for a human to read a webpage, but it’s a lot of work to program a computer to do it. Yet some honest people have done this. And apparently some criminals have found the effort worthwhile too.

by George Taniwaki

I was surfing the web when I noticed a pop-under window appear on my second monitor. Check it out.


I clicked OK and got this pop-under window.


Very nicely done. This is a spoofed website designed to make the visitors think they are at the official Adobe Flash Player download website. There are only a few problems I see. First, the criminals who want me to download their software didn’t bother to register a domain name and just point users to the IP address of their server. You can see the IP address in the address bar. They could fool a lot more people if they registered a domain name like Then they could have a server name like If you don’t look carefully, then you might think you were actually on Adobe’s site.

Second, the software product name is Adobe Flash Player, not Flash Player. Again they could fool a few more people if they included the correct product name in their pop-up window.

Finally, they misspelled “Uinstall” in the footer navigation.

Anyway, I didn’t have to see this second pop-up to know there was a problem. I knew there was something amiss as soon as I saw the message in the first pop-up window. The phrase “WARNING!” in all caps and with an exclamation point is an amateurish flourish.

All of the problems should raise flags to the user. They are obvious and sloppy errors on the part of the criminals. But I guess the type of person that would click “Install” is not very careful.

Does using Internet Explorer make you stupid? I think not, but sometimes it can trick you. (See part 1 of this story here.)

I use a variety of browsers and operating systems, but my favorite is Internet Explorer 9 running on Windows 7. I like the feature that combines the address bar with the search box into a single text edit field. It allows me to just type a company name in the search box and the browser will resolve it into a domain name for me. (Of course, not everyone likes this design.)

Anyway, a few minutes ago I was using Safari on my Mac and typed “Ikea” in the address bar. Naturally, what I really wanted was “”. Safari doesn’t automatically send invalid URLs to the search engine like IE9 does. I have Comcast broadband at home. Comcast detects and captures any invalid URLs and displays its own custom DNS error page, a practice called DNS hijacking. A portion of the page is shown below.


Custom DNS error page. Image from Comcast

Notice that the first item is a sponsored link that has the title “ – Official Site” and has the URL that I wanted highlighted in green. Naturally, I clicked on it. After a few redirections, this is what I see:


It sort of looks like an Ikea home page. Image from

This looks like it could be the official IKEA site, but it isn’t. The domain name displayed in the address bar is not for but for, one of those credit card scam companies that is basically a phishing site. The top part of the page is designed to look like it is complete. But you will notice that the scroll bar indicates there is more content below the fold. If you are willing to scroll down, you’ll see the following disclaimer:

IKEA is a registered trademark of Inter IKEA Systems B.V. is not affiliated with IKEA®. All IKEA® trademarks are the property of IKEA® and does not, in any way, claim to represent or own any of the IKEA® trademarks or rights. IKEA® does not own, endorse, or promote or this promotion.

This Gift Program is not endorsed, sponsored by or affiliated with the manufacturers and retailers of the gift items listed above in anyway. All trademarks, service marks and logos are property of their respective owners.

Well, I guess that disclaimer may protect them from lawsuits by Ikea (trademark infringement) or from disgruntled customers and state attorneys general (fraud and deceptive trade practices). But I doubt it.

This sucks. Only a credulous rube would actually purchase a prepaid credit card. But everyone is forced to waste time figuring out that this is not the Ikea website and either manually typing in the correct URL to get there or going back to Comcast’s search page and clicking on a different link.

However, I don’t blame Comcast for this travesty, at least not directly. I believe the search results on the DNS server not found error page are provided by Yahoo (which uses Microsoft Bing as its search engine) and that Yahoo and Microsoft run the keyword auctions that populate the sponsored links. Thus, it is up to them to ensure that the green text in the sponsored link ads matches the domain that the user will be redirected to.