A Russian spammer just wanted me to mail him a signed photo. But why?
This week, I received an email that had all the hallmarks of spam: a generic-sounding note that made no reference to a specific recipient, poorly translated into broken English, that was picked up by my mail client as junk.
"Good day," proclaimed the nondescript subject line from a .ru address. But the content of the message caught my attention. The signatories "Family Sidorov" weren't asking for money or offering me an unmissable investment opportunity. They weren't trying to hawk any self-enhancement products. They didn't claim to be minor royalty. All they wanted was for me to send a signed photo to a snail-mail address in Saint Petersburg.
I didn't for one second think that anyone could legitimately want my autograph, but I did wonder what exactly Valeriy Sidorov and his family were hoping to achieve. If I did send him the photo, what would he do with it?
Bernie Hogan, a researcher at the Oxford Internet Institute, told me over the phone that it was a new one for him. He suggested, however, that the interest in an autograph could have something to do with the rise in digital signatures.
"Now it's becoming increasingly conventional to be able to 'sign' a document with a digital signature, which is like a photo of your signature," he explained, and referenced Apple's Preview app as one that allows you to then place that signature in PDF documents. "Now that's become increasingly accepted, of course because they're still just digital copies, they would be a great source for new forms of identity fraud."
Hogan speculated that it might be possible to just crop the signature out in Photoshop and use it for some kind of criminal application, though said he had not seen this kind of cybercrime before. My apparent "admirers" suddenly seemed less friendly.
Searching Google for any known autograph scams, I came across a few blog posts from people—often little-known musicians, writers or models—who had received similar requests and taken to the internet to ask what the catch could be.
In 2009, author Leigh Purtill wrote that she received several requests from people based in Germany and Poland. She got suspicious when the requesters didn't fit her target readership of teen girls, and found other people had been approached with the same message. Her post has since gathered 163 comments, many from people who have received similar spam.
These people actually want autographs. But not because they're mad fans
Even back then, some raised the idea of identity fraud, though others were unsure. Forgery seemed unlikely, they suggested, given most public figures wouldn't sign a fan autograph with the same signature they use on their bank cheques anyway.
The answer, it transpired, was much more low-tech. It seems that at least some of these people actually want autographs. A lot of them. But not because they're mad fans.
Purtill told me in an email that she eventually tracked down the pictures she'd sent out the first time she was approached—for sale online. "I did eventually find my signed cards for sale on eBay," she wrote. "For 1 euro each! Whoo-hoo, what a bargain."
"Upon further sleuthing, I have discovered whole websites dedicated to autograph seekers," she added. "They share information with each other in the forums sections: who to contact, how to contact them, and so on. They go directly to the individuals, rather than through celebrity publicists. And the people who are being emailed run the gamut from writers to actors to chemists to race car drivers!"
Alina Simone, an American musician and writer, was another target of one of these autograph hunters. She got a message signed off Sandy, who gave an address in Buffalo and played the classic spam sympathy card: her husband Kenny had gone through surgery and would be "thrilled" with a signed photo. After Simone's suspicions were raised—"[W]ho the hell wants an autographed photo nowadays? Didn't that go out of fashion in the sixties?" she wrote in a blog post—she searched the name given, Kenny Thrun, and found that he was apparently very prolific in his signature collecting.
She emailed me a link to a post online from one apparently Buffalo-based Kenny advertising autographed photos of "TV and movie stars, singers and bands of all styles of music. sport stars in all sports football, baseball, basketball, hockey, Nascar, Indy, golf, tennis, boxing, MMA, Olympics and others. US and world leaders, astronauts, chefs, comedians, cartonests [sic] and other celebs."
Who the hell wants an autographed photo nowadays? Didn't that go out of fashion in the sixties?
I searched to see if anyone else had been targeted specifically by my Valeriy, and didn't find much in the way of autograph hunting. But I did see him crop up asking for other random memorabilia.
Both in an email thread to members of a local political group and in the comments section of a post on politics in Mali, he asked for "advertising materials, souvenirs with logo of your party, T-shirt, tags, handles and badges," and gave the same address I was sent. In a Facebook post on the wall of a hotel, he asked for "something of your choice with the logo of the hotel, such as pens, T-shirts, DVD or USB flash drive with a video of your property or something else that we were able to remember the children beautiful moments of our joint holiday at the hotel."
I suppose even these knick-knacks have some kind of infinitesimal value, if you accumulate the stuff in large quantities. And that, of course, is the whole MO of spam.
While sending out hundreds of emails seems like an old-school technique, Hogan said it's still surprisingly effective in bulk. "These days it appears that phishing is more successful than merely spam and the classic 419 scam, but there's no evidence to suggest these things are unsuccessful," he said. It costs little to send out thousands of messages, and a few responses could make it worth the sender's time.
Hogan's advice was to not open an email like this, as that could give the sender proof that your address is live. "Even if you just open that email and it has an image in there, that's now sent a signal back to Russia that says your account is active; you're receiving email," he said. In a full-blown spam campaign, that proof could even make your email address valuable for the spammer to sell on.
For her part, Purtill suggested that if you're a modestly successful person in your field and you get an autograph request that seems suspicious, you should be wary. "When people from other countries request signed photos, they are flattered as I was, but wary so they do a Google search first," she wrote. "They *know* they are not Taylor Swift!" Another trick she suggested was to ask which song/book/performance of yours the sender enjoyed, as a spammer is unlikely to bother responding, but a real fan wouldn't have trouble answering.
The comments section on her old blog post has become something of a forum for people to name and shame their "fake fans." Those targeted with emails often leave the name and address given so others can beware of the tricksters. She said that only two people had ever got in touch to request their details be removed, one of whom went to great lengths to prove he was in fact a real fan.
From his blatantly copy-pasted email, I'm pretty sure Valeriy is no great fan of my own work. Intriguingly, however, I did find his details listed on a Philippines-based stamp collectors' website. Looks like he's just really into his collecting.