False Positives in Scam Emails

We often think about false positives as being a defensive problem. Whether it's searching through your junk folder to find an email that an overzealous filter mistook for pharmaceutical SPAM or trying to diagnose why a new application can’t download its updates due to a protocol mismatch, false positives can be a costly annoyance in terms of both time and money.

What you might not think about is how the same rules apply to those on the offensive side of computing, and the interesting incentives that it creates.

Let's take for example the common Nigerian 419 scams, which bank on the greed and gullibility of their victims by enticing them to send some relatively small amount of money in exchange for a larger payout later. Sometimes they ask for help to get an exiled prince and his wealth out of the country, other times you’re asked to bribe an official so that there is no record. You might have noticed that these schemes are usually very far fetched, and tend to be written in very poor English with a number of typos and misspellings. What you might not have realized is that this is an evolved false positive reduction technique.

The initial emails are sent out in bulk, often through compromised hosts, and are essentially free. However, followup emails generally require a human to be involved, and therefore are costly in comparison. By crafting their initial emails to be so outlandish, they’re able to guarantee that anyone who responds is likely to follow through on the rest of the scam, leading to a higher chance of profit.

Cormac Herley at Microsoft Research wrote a detailed paper on this phenomenon a few years ago, and while dense is well worth the read.