February 23, 2013

"Vehicle Protection Center": stay away!

Paper spam, today. An official-looking mailer (fold side edges, then remove top stub to open) starting with bold, underlined text, “THIS LETTER IS TO INFORM YOU that if your factory warranty has expired, you will be responsible for paying for any repairs.”

Read that sentence again, because I did. Rephrase it: “If your umbrella is closed, you will get wet when it rains.” When I read obfuscation like that, I get suspicious immediately. All caps PLEASE CALL IMMEDIATELY in the next block of the letter really raises my hackles, just because I get ornery when I feel like I’m being herded.

Sure enough, despite including the make, model (Honda) and year of one of our cars, this mailing had nothing to do with Honda, and probably not with any other manufacturer. In fine print at the bottom, “Vehicle Protection Center is an independent nationwide company marketing vehicle service contract on behalf of leading third party administrators.” Which means nothing. Third sentence of that paragraph: “Vehicle Protection Center is not affiliated with any auto dealer or manufacturer.”

Here’s the thing: I never had any intention of purchasing an extended warranty. I turned it down when we bought the vehicle. Our history is of driving cars for years—decades, now—beyond their warranties, and if they break, we pay for it. (Revolutionary, I know.) So I looked these folks up online. Sure enough, I don’t have to scroll too far down in the search results to find a page titled “Don’t be fooled by this vehicle extended warranty mailer from Vehicle Protection Center”.

This mailer is sleazy, and I’m posting this not because I think my regular readers would be fooled, but because I want that link above to come up closer to the top of search results.

Posted by pjm at 8:14 PM | Comments (0)

March 7, 2012

I never said that

“Marketer sends clueless email to blog author” is such a tired cliché I’m almost embarrassed to write this, but apparently the marketers still haven’t found their clues.

Here are two clues:

  • If you’re going to say, “When you say X, you’re not kidding!” make sure I actually said X.
  • Don’t say “Your site may have single handedly saved our sanity!” when I’ve only posted nine times in a year.

I’m not going to mention their name because their site looks like the site of a small, struggling start-up. But future marketers, you’re on notice.

Posted by pjm at 7:28 PM | Comments (0)

May 11, 2008

Well, that explains a lot

My Google traffic

Remember how I was complaining about all the ringtone spam which appeared to be pointed at this site, apparently causing me to drop in the search rankings? I was puzzled, at the time, by the inbound links; why would anyone link to this domain for spammy content which wasn’t here?

This afternoon, while I was backing up the site in preparation for a server move, I found four different locations on the site where loads of files had been hidden, most of them set up to look like a big blog about… ringtones. Or some other thing people spam for a lot. The files were mostly datestamped around January or February of this year. Some of them were hidden in directories named with a leading dot, which made them invisible in listings unless they were specifically requested; others were simply stuffed in with valid files. It looks like there was something to that ringtone stuff after all.

It could’ve been a lot worse; because of the placement of most of the files, they were not listed in my XML sitemap, nor were they in frequently-updated directories.

I’ve deleted the files, and as I was moving the site anyway, most of the passwords will become invalid soon. I simply accelerated my move process. But it’s not at all clear to me how the files got there.

Or, for that matter, if I’ll be able to convince Google that I’m not a spammer. Any more, anyway.
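A sweep for the two hiding places this post describes (dot-directories, and files dropped among valid ones with a telltale datestamp), as an added Python example that is not the author's own tooling. The January to February 2008 window comes from the post; the allow-list, the function names and the sample tree are constructed assumptions.

```python
import os
import tempfile
from datetime import datetime

# Window taken from the post: planted files were datestamped around
# January or February 2008.
WINDOW_START = datetime(2008, 1, 1).timestamp()
WINDOW_END = datetime(2008, 3, 1).timestamp()
# Dot-files the site owner expects to find (assumed allow-list).
EXPECTED_DOTFILES = {".htaccess"}


def find_suspect_files(docroot, start=WINDOW_START, end=WINDOW_END):
    """Return sorted (relative_path, reasons) pairs worth a manual look."""
    findings = []
    # os.walk descends into dot-directories, which a plain listing hides.
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        parts = [] if rel_dir == os.curdir else rel_dir.split(os.sep)
        in_dot_dir = any(part.startswith(".") for part in parts)
        for name in filenames:
            reasons = []
            if in_dot_dir:
                reasons.append("inside dot-directory")
            elif name.startswith(".") and name not in EXPECTED_DOTFILES:
                reasons.append("unexpected dot-file")
            mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
            if start <= mtime < end:
                # Legitimate edits in the window show up too; triage by hand.
                reasons.append("modified in window")
            if reasons:
                findings.append((os.path.join(*parts, name), reasons))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample docroot: three legitimate files, two planted ones."""
    old = datetime(2007, 6, 1).timestamp()
    sample = {
        "index.html": old,
        ".htaccess": old,
        os.path.join("archives", "2007", "post.html"): old,
        os.path.join("archives", "2007", "ringtones.html"):
            datetime(2008, 2, 3).timestamp(),
        os.path.join(".cache", "index.html"):
            datetime(2008, 1, 20).timestamp(),
    }
    for rel, mtime in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("placeholder\n")
        os.utime(path, (mtime, mtime))


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_suspect_files(root)


if __name__ == "__main__":
    for path, reasons in demo():
        print(f"{path}: {', '.join(reasons)}")
```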

Posted by pjm at 3:23 PM | Comments (0)

May 5, 2008

It depends on your definition of "ethical"

Adam Gaffin at Universal Hub draws our attention to a new “service” in which you pay for “relevant” comments to be left on “high-page-rank blogs”, which helps your site “rank better in the SERPs.” (SERP = Search Engine Result Page.)

The part I find most amusing is their attempts at self-justification:

YES, Buying Blog Comments is 100% ethical and NOT spam!

…and yet they’re spending the rest of the page explaining how their technique leaves comments which won’t be deleted by the site moderator. Now why would a site moderator ever want to delete 100% ethical, not-spam comments?

(If there’s any confusion in your mind, buying blog comments is 100% unethical and is spam.)

No extra points for counting the spelling and grammatical errors. Note that I have used rel="nofollow" on the link to the sleazy ones.

Now Playing: Workin’ For A Livin’ from Picture This by Huey Lewis & The News

Posted by pjm at 1:28 PM | Comments (0)

April 9, 2007

Reducing set size

Once again, some algae is using a domain at which I get mail for fake return addresses on a spam run. Last time, it was this domain, and I turned off the catch-all address, but I’ve been using the catch-all at this other domain much longer, and consequently I’ve distributed more addresses which I might like to stay active. I’ve been getting one or two bounces a day for a while, but today the spammer got greedy and I decided to act.

So how to keep legit addresses open? I could try to remember them all… or I could write a Perl script to scan my mail directory for email addresses at that domain and return a list of all it finds, along with a tally of how many times they’re found to help me decide if a given address is a “keeper.” (Stand back, I know regular expressions!)

And now I have a list.


Posted by pjm at 3:54 PM | Comments (0)

January 29, 2007

Easy spam filter

With my new Mac at home talking to my old Mac (and the two of them therefore cutting me out,) I’ve been working on department machines today, living on the web and on my department account. Like being on the road, it slows down the rate at which I can get anything done, because my familiar tools aren’t close at hand.

One thing I’ve noticed in relying on webmail rather than a desktop mail client is that SquirrelMail, at least the version my webhost is using, doesn’t display inline email graphics by default. This means that even though I’m deprived of the very helpful spam filter on my mail client, the spam that does get through is essentially gibberish: the image, where the real sales message lies, is simply not shown. I still have to delete the mail, but I don’t have to make any effort to ignore the contents.

Posted by pjm at 5:02 PM | Comments (0)

July 20, 2006


Sometime this evening, some fungus somewhere sent out a wave of spam with spoofed (and random) return addresses to this domain.

I’m foolish; when I registered the domain, I kept a “catch-all” address so that any username at this domain would wind up in my mailbox. I think I’ve deleted several thousand messages in the last fifteen minutes; if you sent me email (other than to my academic address, or gmail,) this evening, count on my not having received it.

The catch-all is being turned off. I’m only accepting specific addresses now. If you don’t know one of them, take a guess; you’ll probably hit.

And I’ll reiterate something you should already know: when considering anti-spam software, ask yourself, “Does this software consider the possibility that a return address can be spoofed?” If it doesn’t, it’s bad software.

Now Playing: I Think I’m Paranoid from Version 2.0 by Garbage

Posted by pjm at 10:03 PM | Comments (0)

January 1, 2006

New referrer spam theory

I’m seeing more referrer spam without clear spammishness—in fact, I’m getting “referrers” from perfectly legitimate blogs which don’t have a link to here.

My current theory is that link spammers (be they referrer spammers, comment/trackback spammers, whatever,) are trying secondary spamming: boosting the pagerank of blogs they’ve spammed by spamming links to them. That was certainly the case yesterday, when all the spammed links were to weblog entries that were absolutely choked with spam comments. Today, not so much. Maybe the spam comments are elsewhere on the blogs?

Posted by pjm at 10:49 AM | Comments (0)

December 1, 2005

Weird spam comments

I think someone’s trying to flood MT-Blacklist with junk. I’ve had, now, two different spam comments on old entries without real URLs, just (apparently) random seven-letter domains with (apparently) random subdomains and a dot-com on the end. Both messages contained mostly garbage text, with junk names and email addresses, then three domains: one in the link field of the submission, and after the garbage text in the body, an HTML line break followed by <a href="http://junk_url_2">link</a> http://junk_url_3.

I have to assume this is just some kind of crap-flood. I’m deleting the comments, but not reporting the URLs or putting them in the blacklist. Maybe it’s time I upgraded to MT 3.2? (Or switched to something else?)

Posted by pjm at 1:47 PM | Comments (1)

August 25, 2005

Done with Trackback

I’m turning off Trackback by default on all new posts. Nobody’s legitimately used the trackback links except me since March (maybe if/when they read Julie’s book they’ll try?), and I’m getting buckets of spam by that route. If it’s a problem, let me know; otherwise, just comment if you’ve posted on a theme I mention here.

Update: To close Trackback on all previous posts without opening/editing each one in the Movable Type interface, you’ll need to manipulate the database by whatever means you get access to your database. The SQL you need is this: “UPDATE mt_entry SET entry_allow_pings = 0 WHERE 1;”. Then you’ll need to go in to the “Templates” section of the web interface and edit the “Individual Entry Archive” template to remove the Trackback URL section, then rebuild your site.

Posted by pjm at 4:08 AM | Comments (0)

July 22, 2005

Easy way to recognize referrer spam

…when there’s a typo in the URL being spammed: htpp://

The e-mail anti-spammers have, for a long time, had a set of rules about spammers. It would appear that #3, at the very least, continues to apply to link spammers.

Now Playing: Heavens from Seven by James

Posted by pjm at 8:29 AM | Comments (0)

July 8, 2005

Spam for the cat

Subject line in this morning’s spam folder:

Re: Account balance catnip

I still junked it, but it might have sparked Iz’s attention.

Posted by pjm at 9:50 AM | Comments (0)

March 29, 2005

Shades of grey

I spent some time yesterday implementing greylisting on our secondary MX. I found it fascinating, but if neither of the two key parts of that sentence (“greylisting” or “secondary MX”) means anything to you, you may want to skip this. (If you understand one or the other, in the extended entry I’ll give a thumbnail explanation of both, before outlining my installation.)

This has become a bit of an epic. I’m not sure if I want everyone to skip it, because it’s hopelessly technical and geeky, or read it, because I put so much time into it…

Now Playing: I See Monsters from Love Is Hell by Ryan Adams

Continue reading "Shades of grey"

Posted by pjm at 2:07 PM | Comments (3)

March 12, 2005

Anti-comment-spam tip

I’ve mentioned this in passing once before, but it bears repeating and calling attention to. A few months ago I changed the name of my Movable Type comment script to foil comment spammers. Some of them have bots which can figure out the new script name, but it appears that many of those bots have a bug: they can’t distinguish mixed-case URLs. Since my new script name has both capitals and lowercase letters (my personal shorthand for this site is F.o.P.,) and URLs are case-sensitive, I am seeing a lot of not-found errors in my log where spammers try to access the comment script using an all-lower-case URL.

So, if you’re changing the name of the mt-comments.cgi and mt-tb.cgi, try using mixed-case names. It’s not utterly foolproof, but it turns out the comment spammers are only run-of-the-mill fools.

Posted by pjm at 4:06 PM | Comments (3)

March 9, 2005

How to recognize phishing scam emails

When I talked about pharming I alluded to some signs that indicate an email is a phishing scam. It’s possible to “learn” to recognize the scams just by seeing enough of them; maybe I just recognize patterns more easily than some. These are the patterns I’ve picked up in phishing scams; hopefully they’ll be useful to you.

When it comes to mail from any financial institution, from PayPal to the Fed, the best policy is to treat it as a scam unless you can verify the message using some “out-of-band” method. For example, call your bank by telephone to confirm an email request from them, rather than replying to “their” email or going to their website. A real brick-and-mortar bank is still more likely to send you paper mail than ask for information via email.

The first and most obvious sign of a scam: the supposed source of the message is an institution you don’t do business with. I happen to have kept myself clear of most of the big national banks, so nearly every phishing scam I get fits this bill. These are gold, because you know they’re scams; the bank has no reason to be sending you email. Take a good look, because this is what scams look like.

Second sign: the message resembles one you’ve identified as a scam. As near as I can tell, there’s one phishing gang which simply changes the logo and institution name, but otherwise sends identical mail. If your financial institution sends HTML mail, they’re likely to style the whole message, framing the text completely with design elements. Black Arial text on a white background with a logo floated in the upper left screams home-made.

Third sign: HTML-only email. There should be a plain-text version of the message included in the email, in case the recipient’s mail software can’t display HTML messages. (Such mailers do still exist, and many people prefer them.) HTML has many ways of hiding the real destination of a link; plain-text does not, which is why scammers prefer not to send plain-text. If it’s HTML only, don’t trust it!

Fourth sign: Check the URL. You should be able to view the HTML source of an HTML message, and see where the link is actually taking you. (It will be inside quotes in a section starting, <a href="">). If the href value doesn’t appear to match the text that’s underlined and blue, don’t trust it… and the harder it is to figure out where the link goes, the less you should trust it.

Fifth sign: Read the headers. Reading the headers used to be the way to trace spammers to their source; with the rise of open proxies and PC botnets, tracing spam usually just leads to a compromised Windows box on a DSL line. But in the case of phishing scams, you don’t need positive identification of the source; you just want to confirm whether it comes from who it says it comes from. If you’re really uncertain about an email, you can learn a lot by using the message headers to find out where it got started. I don’t have the time or space to explain header-reading here, but there are a number of introductions on the web.

With any luck, these five things should be enough to tell you if a message is a scam or legitimate. I doubt it’s comprehensive, though; these are just the things I consider. If there’s another warning sign you use to detect email scams, put it in a comment, and we’ll let Google index it all.
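The third and fourth signs can be checked mechanically. The sketch below is an added example, not code from this site: it reports whether a message is HTML-only and lists links whose visible text names a different host than the href. Both sample messages and every host name in them are constructed.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A host name appearing in a link's visible text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._href, self._text = href, []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def has_part(msg, content_type):
    return any(p.get_content_type() == content_type for p in msg.walk())


def html_bodies(msg):
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            yield part.get_payload(decode=True).decode(charset, "replace")


def mismatched_links(html_body):
    """Fourth sign: (host shown in the text, host the href really targets)."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = urlsplit(href)
        shown = HOST_IN_TEXT.search(text)
        if target.scheme not in ("http", "https") or not shown:
            continue  # nothing to compare: not a web link, or text names no host
        shown_host = shown.group(1).lower()
        real_host = (target.hostname or "").lower()
        if real_host != shown_host and not real_host.endswith("." + shown_host):
            findings.append((shown_host, real_host))
    return findings


def review(raw_message):
    msg = message_from_string(raw_message)
    return {
        # Third sign: an HTML part with no plain-text alternative.
        "html_only": has_part(msg, "text/html") and not has_part(msg, "text/plain"),
        "mismatched_links": [f for body in html_bodies(msg)
                             for f in mismatched_links(body)],
    }


# Constructed sample: HTML-only, link text and href disagree.
SUSPECT = """\
From: "Example Bank" <service@examplebank.test>
Subject: Please confirm your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Confirm at
<a href="http://192.0.2.10/login">https://www.examplebank.test/login</a></p>
</body></html>
"""

# Constructed sample: plain-text alternative present, link matches its text.
LEGIT = """\
From: news@example.org
Subject: Statement ready
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your statement is ready: https://www.example.org/statements

--b1
Content-Type: text/html; charset="utf-8"

<p><a href="https://www.example.org/statements">www.example.org/statements</a></p>

--b1--
"""

if __name__ == "__main__":
    print(review(SUSPECT))
    print(review(LEGIT))
```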

Update, February 18, 2009: This entry is the single biggest magnet for comment spam on this site, so I’ve turned off comments here. I’m sure if you have something legitimate to add, you’ll find another place. Thanks.

Now Playing: Seasons Changed from My Friends and I by Patiokings

Posted by pjm at 12:26 PM | Comments (9)

March 7, 2005

Buying the pharm

This is some rambling, and it has nothing to do with pill-pushing spam. Rather, it’s a new kind of attack called “pharming.”

The background principles are these. There is a hierarchy of servers out on the internet which serve to translate domain names (like into numerical addresses. This process is called “resolving” a domain name, and your system asks one of these servers to “resolve” domain names whenever you use a domain. (There are intricate caching rules which I won’t get into now, since they’re not relevant.)

By now we’ve all heard of “phishing,” where various black-hats send us email pretending to be from banks we don’t have accounts at, trying to fool us into going to websites which look like those of the banks and filling in (“confirming”) our personal data and account information, which they can then use for several avenues of fraud. Phishing can be combatted by education: once a user understands that you can’t trust everything you see in e-mail, it becomes pretty simple to recognize the ruses used by the phishermen.

Pharming takes this to the next level. Instead of trying to fool you into going to a site which is not that of the financial institution, they “poison” the DNS servers such that when you “resolve” the domain name of the bank, you are sent to their website instead. Your browser says, but the numerical IP address is somewhere else. It is nearly impossible to recognize this kind of scam.

Nearly. But not completely. This is where digital certificates come in. Certificates have a dual role. First, they are one side of an asymmetric key encrypted conversation between hosts, which is their most widely known use. They’re what puts the padlock in your browser window and assures you that your credit-card number is encrypted as it passes over the wild, wild internet on the way to the browser. But they are also signatures, issued by a signing authority and serving as proof that your site is what it says it is. If I tried to serve a certificate claiming I was here on this site, your browser would pop up all kinds of warning flags.

Likewise, if I serve a “self-signed certificate” as a key, as I might when providing secure webmail, your browser will pop up a different error. It will say, sure, the certificate matches the domain name, but nobody vouches for it. (Actually, it will say something like, “The certificate wasn’t issued by a recognized authority,” or “No trust path could be established,” but those all mean the same thing to geeks.)

Which leads to an uncomfortable place. To efficiently guard against pharming, we should be conditioning users to pay attention to those warning messages from their browser, not tune them out. That probably means not using self-signed certificates for webmail or SSL email. But that, in turn, would require us to cough up $300 to a certificate authority which doesn’t actually do much other than a cursory verification of our paperwork stating that we are who we say we are.

My paranoia and my New England flintiness are in conflict here.

Now Playing: Welcome To The Occupation from Document by R.E.M.

Posted by pjm at 10:35 AM | Comments (1)

March 1, 2005

More feeds, less mail

I’m becoming a passionate supporter of web feeds (RSS and/or Atom) in place of broadcast e-mail lists.

One of our authors has been running a broadcast list for several years. His previous list host closed him down last week (he had been a visiting professor there, and has returned to his home institution) so he moved the list to our server.

This morning I found close to 100 bounce messages in my inbox, and so far this morning I have spent most of my work time reading the bounces and removing the (presumably bad) addresses from the list.

Why centralize that garbage? Let’s give them a feed and let them subscribe and unsubscribe when they want to. We can even let them slice and dice which categories of the list content they want feeds of. Everyone wins: the list maintainer has less work to do. I have less work to do. And the users have more options.

Well, those users who understand what a feed is and how to subscribe to one, that is.

Now Playing: Seagull from Nowhere by Ride

Posted by pjm at 11:49 AM | Comments (0)

February 7, 2005

I don't expect you to understand...

…why I find it so amusing to review log summaries of spammers trying to relay mail through a host which isn’t a valid mail exchange.

Actually, I’m not sure I understand it myself. But it is funny.

Now Playing: Can’t Get There From Here from Fables Of The Reconstruction by R.E.M.

Posted by pjm at 9:15 AM | Comments (0)

February 3, 2005

Collateral damage

I’m making a few more tweaks to my anti-comment-and-referer-spam .htaccess file. The two significant changes, for now, are the addition of a new user-agent block (from Candygenius through Ann Elisabeth) and, more importantly, an exception for Google, which merits more discussion.

A few visitors have pointed out to me that since click-throughs from Google results include the search string, if you’ve got something on your site which might legitimately match a search for one of the terms in our regex, you’ll reject the click-through, even though it was (presumably) a legitimate visitor from Google. You might see this as a feature, since you can search your domain plus a banned string to test the block (it seems unlikely that someone would legitimately be searching for one visitor’s example, poker.) But maybe you want everything from Google. Since we know the form of a legitimate referer from Google, we can add this line:

SetEnvIfNoCase Referer "^\..+/search.*" !spam_ref

…which clears our spam_ref environment variable and lets the request through. Note that this has to come after our big regexp.
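Why the exception has to come after the block rules, modelled in Python as an added example (not the author's .htaccess). The host part of the Google pattern and the "poker" rule are assumptions, since the page shows neither in full; the referers are constructed.

```python
import re

# One SetEnvIfNoCase line: attribute, regex (optionally quoted), one action.
DIRECTIVE = re.compile(
    r'^SetEnvIfNoCase\s+Referer\s+(?:"([^"]*)"|(\S+))\s+(\S+)$'
)

# Block rules: the hq_inform line is from the page, "poker" is the visitor's
# example term mentioned above (its exact rule is assumed).
SPAM_RULES = r"""
SetEnvIfNoCase Referer .*\.hq_inform\.com.* spam_ref=yes
SetEnvIfNoCase Referer .*poker.* spam_ref=yes
"""

# Assumed form of the Google exception; the host part is a stand-in.
GOOGLE_EXCEPTION = r"""
SetEnvIfNoCase Referer "^http://www\.google\..+/search.*" !spam_ref
"""


def parse_rules(config):
    """Turn config text into an ordered list of (compiled regex, action)."""
    rules = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = DIRECTIVE.match(line)
        if not match:
            raise ValueError(f"unsupported directive: {line}")
        pattern = match.group(1) if match.group(1) is not None else match.group(2)
        rules.append((re.compile(pattern, re.IGNORECASE), match.group(3)))
    return rules


def environment_for(rules, referer):
    """Apply every matching rule in file order, as mod_setenvif does."""
    env = {}
    for regex, action in rules:
        if not regex.search(referer):
            continue
        if action.startswith("!"):
            env.pop(action[1:], None)       # !var removes the variable
        else:
            name, _, value = action.partition("=")
            env[name] = value or "1"        # bare var is set to "1"
    return env


def status_for(config, referer):
    """403 when spam_ref survives (deny keys on its mere existence), else 200."""
    return 403 if "spam_ref" in environment_for(parse_rules(config), referer) else 200


# Constructed referers.
GOOGLE_CLICK = "http://www.google.com/search?q=poker+night+recap"
SPAM_REFERER = "http://www.hq_inform.com/"
EMBEDDED = "http://poker.example/?via=http://www.google.com/search"

if __name__ == "__main__":
    layouts = {
        "no exception": SPAM_RULES,
        "exception after": SPAM_RULES + GOOGLE_EXCEPTION,
        "exception before": GOOGLE_EXCEPTION + SPAM_RULES,
    }
    for label, config in layouts.items():
        print(label, status_for(config, GOOGLE_CLICK))
```

Placed before the block rules, the exception unsets a variable that has not been set yet, so the Google click-through is still refused; the `^` anchor keeps a referer that merely contains the Google URL from qualifying.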

While I’m at this, though, I asked my host about alternatives. Specifically, I’ve been reading about mod_security, which might be quicker, easier to understand, and hopefully less dangerous if mucked up. It’s installed on my host, so I may try it. I’ll keep you posted.

I was amused at the response from my hosting company, though; they couldn’t figure out how I was using mod_setenvif. (“But you won’t be able to access the environment variables until they get to a CGI…”) Apparently they didn’t know you can access the environment variables from both mod_access and mod_rewrite. So we can use the relatively-simple-to-understand mod_setenvif to set up the pins for the mod_access and mod_rewrite bowling balls. (Or, to mix my metaphors, mod_setenvif just walks through the forest with spray-paint, while mod_access and mod_rewrite follow with chainsaws.)

Now Playing: Battle of Who Could Care Less from Whatever & Ever Amen by Ben Folds Five

Posted by pjm at 10:57 AM | Comments (0)

January 25, 2005

Not using nofollow

I thought rel=nofollow was a relatively good idea when it was first discussed, but now that I’ve seen the drawbacks I’ve decided not to use it here.

Anyway, it seems that my efforts to block referer spam have done quite a lot to keep out the comment spammers, as well. Between that and MT-Blacklist, I haven’t had comment spam visible here for months. So why deny my few drops of Google Juice to my innocent commenters (both of them)? Even if “innocent commenters” is an oxymoron?

Now Playing: Monster from ‘Mousse by The Nields

Posted by pjm at 10:02 AM | Comments (1)

January 21, 2005

Surreal spam

I just had a mortgage spam with the subject line taken from Bulgakov’s The Master and Margarita. (Specifically, the subject line was Re: The bookkeeper Vassily Stepanovich.)

It was jarring, at first, to contrast great literature with scuzzy spammers. But then I checked that the character was really who I thought he was: one of those “little people,” the apparatchiki who have been part of Russian society since long before the Soviets, burrowed in to the giant bureaucracy of a giant country, little tsars of their own tiny fiefs with their souls shrunk small from disuse.

And I thought, yeah, a spammer could see themselves there. He comes in for a bad day in the wake of the book’s events, which is comforting. One hopes the spammers will similarly get theirs one day.

Now Playing: Godless from Thirteen Tales From Urban Bohemia by The Dandy Warhols

Posted by pjm at 9:18 AM | Comments (0)

January 17, 2005

New blacklist

More for the denied strings list:


Posted by pjm at 8:53 PM | Comments (0)

Spammers out of hand

Despite my best efforts, most of the leading referrers in my logs for the weekend are spammed. That’s really only an annoyance to me, because I don’t actually display my site stats anywhere; it’s just a waste of my time and the spammer’s processor cycles. (Not that they care; cycles are cheap, which is why they can waste my time with them.) Despite blocking the UA string Dorothea notes, it’s still the #3 UA string hitting my site. And…

I served more 403 Access Forbidden responses than real pages (200 OK) yesterday. 403 codes are now my top response code.

Remember the first time you got more spam email than real email in a day? I really hope this doesn’t go the same way, because the percentage of non-spam email at work right now is in the single digits.

I don’t have words for how pathetic this is.

Update, Tuesday, 18 January: Monday’s logs were much better, though 403s again threatened to overtake 200s. I am also seeing 404s on the default MT comment and trackback script names, numbering in the hundreds; since I changed the names of those scripts, they’re just wasting cycles. I’m also getting some 404s on the true new names of the scripts—I capitalized some characters in the names, and the spammers are trying all lowercase. Silly spammers, URIs are always case-sensitive after the domain part!

Posted by pjm at 5:19 PM | Comments (1)

January 14, 2005

A little meanness

I’m extending my anti-referrer-spam .htaccess file a bit. The idea was to take a mod_rewrite idea from Ed Costello (which, for some reason, isn’t working on this site anyway) and apply it to the giant mod_setenvif regexp I’ve been building from Dorothea’s suggestions and my own logs.

The first step is to extend my existing SetEnvIfNoCase rules. Until now, I’ve been simply setting the environment variable, because deny works based on its mere existence. However, to make it play nicely with mod_rewrite, I’ve added a value (yes) to the variable, so SetEnvIfNoCase lines now look like this:

SetEnvIfNoCase Referer .*\.hq_inform\.com.* spam_ref=yes

Now, we swipe some of Ed’s mod_rewrite code, but change the conditions. (Note that you need to have RewriteEngine on somewhere above this in your .htaccess file for this to work.)

RewriteCond %{ENV:spam_ref} ^yes$ [NC]
RewriteCond %{HTTP_REFERER} ^(.*)$ [NC]
RewriteRule ^(.*)$ %1 [R=301,L]

Line by line, it goes like this. First line: if the environment variable spam_ref contains the value “yes” (nothing more or less than those three letters in that order), and (second line) there is a “Referer” value in the HTTP request, then we apply the rule. (The second rule looks redundant, considering that if there was no “Referer” the spam_ref variable wouldn’t be set. You’ll hit both rules, or neither. But we need that second rule to get the “Referer” value stored for the third line.) Third line: if the above two matched, rewrite the request URL to the value of the “Referer” value (the %1 is expanded to the previous match, which was on the second line). This gets sent out as a 301 Redirected response, which, according to Ed, then gets logged on their site as entirely tail-chasing and not involving my site at all. (Hey, I didn’t ask for the traffic; they did.)

See the access file for the whole workup.

Now Playing: Best Black Dress from Live From Northampton (Disc 2) by The Nields

Posted by pjm at 2:14 PM | Comments (1)

January 3, 2005

MacMall loses (another) customer

So, after I left a voice-mail message for MacMall regarding the spam I got at an address I’d given to them, today I got a call back.

First he tried to refer me to the privacy policy on their website. I let him know I had already read it. The privacy policy clearly states, he said, that we may share your email address with partner companies. I asked if his partner companies were usually selling prescription drugs. Well, he said, perhaps the partner company let the address leak to the company engaged in the shady sales of pharmaceuticals. I asked if perhaps the terms under which they rented or exchanged email addresses to partner companies forbade those secondary companies from further distributing the address. He didn’t know. I suggested that perhaps he look into that. Throughout the call, he was resolutely unapologetic; his basic line was, it’s all right there in the privacy policy.

So, a few direct lessons from this episode:

  • MacMall’s privacy policy can be condensed to, “We may sell your email address to spammers.”
  • MacMall does not pay particularly close attention to the terms under which they share their customers’ personal information. Therefore, anything you share with MacMall, you share with spammers.
  • MacMall will allow you to opt out from receiving mail from them (I did this long ago) but you can’t opt out of mail from their partners. I think this may be illegal, actually.

From these I can reach a few more conclusions:

  • MacMall doesn’t care about spam.
  • MacMall’s privacy policy is a fig-leaf. If it wasn’t considered standard operating procedure to have one, they wouldn’t.
  • Since MacMall is earning revenue by sharing the email addresses of its customers in such a way that they fall in the hands of spammers, MacMall is profiting from spam as defined by the CAN-SPAM law. It’s not unreasonable to say that they are in violation of the spirit, if not the letter, of that law—and if they’re not in violation of the letter, it’s because of their lobbyist buddies, the DMA, friends of junk mailers and spammers everywhere.

I suppose it should go without saying that I’m not buying from MacMall any more? I’d encourage you to do the same, and stay clear of their alter ego, PC Mall, as well. If you don’t like their privacy policy, don’t buy, and this company’s privacy policy would be improved if they’d scraped up some roadkill from the highway and posted that instead.

I’m not the first to figure this out, either.

Now Playing: No Surprises from OK Computer by Radiohead

Posted by pjm at 4:41 PM | Comments (0)

December 29, 2004

Spam from MacMall

I just got spam offering to sell me a variety of prescription drugs, addressed to an email box I used only for ordering from MacMall.

It should be interesting to see how they explain this. Their website is crawling; maybe they’ve been compromised? In any case, this is almost certainly a screaming violation of their privacy policy, assuming they have one.

Now Playing: MacMall’s hold music (nasty stuff, by the way)

Posted by pjm at 2:15 PM | Comments (0)

December 16, 2004

More defensive measures

My web host sent a blanket announcement by email this morning about load problems they’re having due to weblog comment spam, largely to MT weblogs like this one. They mentioned that they’re blocking the IP addresses causing the most problems, but asked us to

“…please do what you can to reduce the likelihood of your site being a target. Install any applicable anti-spam plugins or disable comments on your weblog altogether.”

I do, in fact, have some of the toughest available defenses installed, here and on a few similar installations I help out with. I’m more than a little concerned, however, since some recent reading suggests that I might be winning something of a Pyrrhic victory—the defenses themselves might swamp the system, given a sufficient spam-load.

So, I’m taking a few other steps as I have time today, which may temporarily break things. (I’m moving mt-comment.cgi, if you care.) In the long term, I’m interested in the utility of other strategies like “captchas” and TypeKey but I’m concerned that they ultimately hand the nuisance caused by the spammers—who, by the way, provoke mental profanity so vicious that I actually surprise myself—on to you, the innocent commenters. Eeeugh.

Now Playing: Free Will from Night Opens by Rich Price

Posted by pjm at 9:54 AM | Comments (2)

December 15, 2004


It is relatively well known that any e-mail address which appears on a website is likely to attract spam. Spammers spider the web looking for strings that look like email addresses, and plug them in to the vile flow. I tested this by using multiple addresses on one of my domains; spam comes almost exclusively to the one I had on my website. Many message-board type websites mangle (or “munge”) the addresses of those who comment in order to keep the addresses from being machine-recognizable; that’s where you get spelled-out things like the addresses on comments at the PHP site, “user at domain dot tld” and the like.

On the other hand, it is considered good form to let people know how to reach you by e-mail, and it is user-friendly to have a clickable link with the mailto:address@domain.tld format, so visitors can just click the link to start a message.

There’s a balance, and it’s created by using spammers’ techniques against them. They frequently duck content filters by sending HTML content in an “encoded” format which is decoded by the mail reader but doesn’t have the magic trigger strings when the filter goes through the plain text. I’ve taken to doing the same thing with email addresses on websites.

I encode email addresses to entities. There are named entities for certain characters, like the ampersand (&amp;) or em-dash (&mdash;) but one can use ASCII numbers to encode any character in the standard ASCII set, including numbers and letters and @ symbols. So address@domain.tld becomes &#97;&#100;&#100;&#114;&#101;&#115;&#115;&#64;&#100;&#111;&#109;&#97;&#105;&#110;&#46;&#116;&#108;&#100;. This isn’t an email address to a spider combing the page for addresses; however, a browser will render it as though it was plainly typed.

This method only works as long as the spammers’ address-scrapers are relatively dumb. If they start decoding entities, we’re in trouble (again.)

I wrote a little Perl filter to encode these for me. If you’re using BBEdit (and if you’re not, why not?) put this in a file in your /Applications/BBEdit/BBEdit Support/Unix Support/Unix Filters/ folder. To encode a chunk of text, highlight what you want to encode, then go to the #! menu, look under “Unix Filters” and select whatever you named this file. I’m still using BBEdit 6.5, but I’m relatively certain it will still work with BBEdit 8. (Anyone care to send me a copy to test with?)

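#!/usr/bin/perl -w

# Read the selected text (or standard input) line by line and print
# every character as a decimal numeric entity, e.g. "@" becomes &#64;
while (<>) {
    for ($i=0; $i < length($_); $i++) {
        $out = ord(substr($_, $i, 1));
        print "\&\#", $out, "\;";
    }
}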

As an added bonus, if you run the script from the command line (echo "address@domain.tld" | ./ it will display the entities on standard output (with a trailing carriage return entity, &#10;, unfortunately.)

I haven’t a clue how this would work in Windows, and I’m not sure I want one. But it’s Perl, after all; it should be workable somehow.
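The same encoding, written in Python as an added example (this is not the filter from the post). It drops the trailing line end so no &#10; is emitted, encodes the mailto: link as well as the visible text, and audits a page for addresses that are still readable without decoding. The address pattern, the function names and the sample page are assumptions made for the example.

```python
import html
import re

# Simple pattern of the kind a plain-text address match would use
# (an assumption for this example, not taken from any particular tool).
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def encode_entities(text):
    """Encode every character as a decimal numeric entity, dropping line ends."""
    return "".join("&#%d;" % ord(ch) for ch in text.rstrip("\r\n"))


def mailto_link(address):
    """Build a clickable link with both the href and the label encoded."""
    return '<a href="%s">%s</a>' % (
        encode_entities("mailto:" + address),
        encode_entities(address),
    )


def audit_page(markup):
    """Report which addresses are readable as-is and which only after decoding.

    'plain' is what a pattern match over the raw markup sees; 'decoded_only'
    is what appears once entities are resolved, which is what a browser shows
    and what the encoding stops protecting if a reader decodes first.
    """
    plain = set(ADDRESS_RE.findall(markup))
    decoded = set(ADDRESS_RE.findall(html.unescape(markup)))
    return {"plain": sorted(plain), "decoded_only": sorted(decoded - plain)}


# Constructed sample page: one address left in the clear, one encoded.
SAMPLE_PAGE = (
    "<p>Webmaster: webmaster@domain.tld</p>\n"
    "<p>Author: " + mailto_link("address@domain.tld\n") + "</p>\n"
)

if __name__ == "__main__":
    print(encode_entities("address@domain.tld\n"))
    print(audit_page(SAMPLE_PAGE))
```

Any address the audit lists under "plain" is still exposed to a plain-text match and needs encoding.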

Now Playing: Capsized from You Were Here by Sarah Harmer

Posted by pjm at 10:45 AM | Comments (1)

November 4, 2004

Weird comments

Two unusual comments were embedded in today’s batch auto-moderated by MT-Blacklist. (By the way, if you post to an entry which is more than fourteen days old, or which hasn’t had a post approved in the past day, I’ll need to “approve” it before it goes up. You wouldn’t believe the comment spam which I haven’t needed to erase from pages for that reason; I just delete it from the moderation queue.)

These posts read like the goofy short e-mail messages which have virus-laden .zip files attached: “Hi, how are you,” or, “I found your site through blogspot.” They have screamingly generic email addresses at big ISPs, and include URLs to sites which match the names, but don’t exist.

In other words, no commercial message whatever. Just quasi-random noise.

What’s the point?

Update, November 9th: Ben Hammersley’s noticed the same comments. Same names and domains, as well. I’ve had several more; I’m auto-moderating them now in MT-Blacklist.

Now Playing: Ripcord from Pablo Honey by Radiohead

Posted by pjm at 9:58 AM | Comments (1)

September 28, 2004

The latest assassin

How did it take me a week to notice the new SpamAssassin site?

It’s part of the Apache Project now (a good thing considering their excellent web server) and it would appear that I need to upgrade us, here, since they’ve released the 3.0 version.

Unfortunately, spam filtering is not unlike anti-bacterial soap: if you use the same stuff for too long, the nasties get the chance to adapt around it.

Now playing: In The Lost And Found (Honky Bach) from Figure 8 by Elliott Smith

Posted by pjm at 11:59 AM | Comments (0)

September 10, 2004

Yet another referrer-spam access file tweak

Are you sick of this yet?

If you don’t know what I’m doing here, rather than re-explain it all, I suggest you read where I started and yesterday’s changes. If anybody is finding this vaguely interesting or morbidly amusing, I could tie it all up in a nice summary someday when I’m otherwise unoccupied or want to postpone something tedious.

Suffice it to say that, for one, examination of my server logs suggested that mod_rewrite was not always playing well with my site (reaching the max number of redirects and timing out, which suggests a loop) and julie was still not able to post comments, despite her tenaciousness in the face of continuing rejection.

So, I rewrote Kasia’s comment-spam hack with mod_access (which, as it happens, makes liberal use of mod_setenvif as well.) Here’s what I wound up with:

# Comment spam rules
SetEnvIfNoCase Request_Method POST spam_com
SetEnvIfNoCase Request_URI ".mt-tb\.cgi" !spam_com
SetEnvIfNoCase Request_URI ".mt-xmlrpc\.cgi" !spam_com
SetEnvIfNoCase Referer ".*flashesofpanic\.com.*" !spam_com

# Referral spam blacklist
SetEnvIfNoCase Referer .*\.locators\.com.* spam_ref
SetEnvIfNoCase Referer .*\.popex\.com.* spam_ref

# Access section
Order Deny,Allow
Deny from env=spam_ref
Deny from env=spam_com

The first section assumes that all POST requests are attempts at comment spam, and sets the environment variable spam_com appropriately. We then make three exceptions: for mt-tb.cgi, which allows trackbacks, for mt-xmlrpc.cgi, which allows ecto, and for requests referred from this site, which should allow comments submitted through forms on the site (i.e. legitimate comments.) Each of those un-set the spam_com variable if they match.

The next section sets a similar variable, spam_ref, if the “Referer” (sic) header matches certain known referrer-spam domains. So far, we’ve only used mod_setenvif.

Then, the third section actually issues the mod_access directives: if either of these variables were set in the first two sections, the request is denied and a 403 “Forbidden” error is returned instead.

I have reason to believe this is working, but when I tested it last night, the comment submission timed out without sending anything back to the browser. The comment was accepted, though, and I’ve had one or two comments since then. If you’re (still) having trouble commenting, please let me know and I’ll try to suss it out. I haven’t taken the time to spoof a request that would trip the tests yet, so my basis for saying, “it’s working,” is just that comment spam and referrer spam are way down here lately.

A weakness to this approach is that it relies on a blacklist approach for the referrer spam blocking, and as this becomes more widespread, administering that blacklist is rapidly going to become impractical (consider, for example, having to blacklist everyone who spends fifty bucks on Reffy—or nothing for Reef.) The comment-spam block is a wholesale lockdown which then whitelists certain conditions; how can we build a similar algorithm for referer values?
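The three sections above, evaluated over constructed requests as an added example (this is not the author's code, and it only models the matching logic, not Apache itself). It runs the patterns as written next to a variant that compares the Referer's host name instead of searching the whole header, which shows where the two disagree. The stand-in site name blog.example, the request samples and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

SITE = "blog.example"                    # constructed stand-in for the site's own domain
BLOCKED = ("locators.com", "popex.com")  # the two domains blacklisted on the page


def page_rules(method, uri, referer):
    """Evaluate the three sections as written on the page; return 403 or 200."""
    # Comment spam rules: every POST is suspect until an exception clears it.
    spam_com = re.search(r"POST", method, re.I) is not None
    for exception in (r".mt-tb\.cgi", r".mt-xmlrpc\.cgi"):
        if re.search(exception, uri, re.I):
            spam_com = False
    if re.search(r".*" + re.escape(SITE) + r".*", referer, re.I):
        spam_com = False
    # Referral spam blacklist, same pattern shape as the page: .*\.domain\.com.*
    spam_ref = any(
        re.search(r".*\." + re.escape(domain) + r".*", referer, re.I)
        for domain in BLOCKED
    )
    # Access section: Deny from env=spam_ref, Deny from env=spam_com.
    return 403 if (spam_ref or spam_com) else 200


def referer_host(referer):
    """Host part of a Referer value, lower-cased; '' if absent or unparsable."""
    try:
        return (urlsplit(referer).hostname or "").lower()
    except ValueError:
        return ""


def host_in(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def host_rules(method, uri, referer):
    """Same three sections, but matching on the Referer's host name only."""
    host = referer_host(referer)
    spam_com = method.upper() == "POST"
    if re.search(r"/mt-(tb|xmlrpc)\.cgi(/|$)", urlsplit(uri).path):
        spam_com = False
    if host_in(host, SITE):
        spam_com = False
    spam_ref = any(host_in(host, domain) for domain in BLOCKED)
    return 403 if (spam_ref or spam_com) else 200


# Constructed requests: (label, method, request URI, Referer header or "").
REQUESTS = [
    ("reader loads a page", "GET", "/archives/000123.html", ""),
    ("comment sent from the site's form", "POST", "/mt/mt-comments.cgi",
     "http://www.blog.example/archives/000123.html"),
    ("POST with no Referer", "POST", "/mt/mt-comments.cgi", ""),
    ("trackback ping", "POST", "/mt/mt-tb.cgi/42", ""),
    ("blocked domain, www host", "GET", "/", "http://www.locators.com/cheap/widgets"),
    ("blocked domain, bare host", "GET", "/", "http://locators.com/cheap/widgets"),
    ("search page whose query names a blocked domain", "GET", "/",
     "http://search.example/?q=www.locators.com"),
    ("POST whose Referer names the site only in its query", "POST",
     "/mt/mt-comments.cgi", "http://other.example/?ref=www.blog.example"),
]


def compare():
    """Return {label: (status under the page's patterns, status under host match)}."""
    return {
        label: (page_rules(m, u, r), host_rules(m, u, r))
        for label, m, u, r in REQUESTS
    }


if __name__ == "__main__":
    for label, (as_written, by_host) in compare().items():
        note = "" if as_written == by_host else "   <-- differs"
        print("%-52s %d  %d%s" % (label, as_written, by_host, note))
```

The first five requests get the same answer either way; the last three differ because the page's patterns search the whole Referer string and the blacklist pattern requires a dot before the domain name.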

Now playing: Too Close To Heaven from Too Close To Heaven • The Unreleased Fisherman’s Blues Sessions by The Waterboys

Posted by pjm at 1:02 PM | Comments (0)

September 9, 2004

Another referrer-spam strategy

Since julie (or should I say, “Franklin”) is having trouble posting comments, despite not being a comment-spammer, I figured it was time to try some other experiments with my comment-spam and referrer-spam control file.

Using mod_access instead of mod_rewrite, we can set a server environment variable when the referer matches one of our badly-behaved folks. Then we can deny access (returning a 403 “Forbidden” error, rather than our custom error page or even a 404 “Not Found” error) if that variable is set. To add more sites, we add more lines. We’d remove the last two lines from the file I posted before, and add this:

SetEnvIf Referer .*\.locators\.com.* spam_ref
SetEnvIf Referer .*\.popex\.com.* spam_ref
Order Deny,Allow
Deny from env=spam_ref

The first two lines define the environment variable “spam_ref” if the “Referer” value matches the specified pattern; in each line, that pattern is a site which has been a referer-spam problem site for me. The third line just specifies the order in which we’re going to control access (check for denials first, then allow access) and the final line denies access if the environment variable was set in the first two lines.

I’ve done something similar to control access to a website we manage where our partners manage authentication and access control on their servers; I accept referrals from their domain and internal referrals, and refuse all others.

I don’t know if this will work any better than the mod_rewrite strategy (heck, I don’t know if this will work,) but it never hurts to have More Than One Way To Do It.

Now playing: Clean Up Kid from Songs From The Other Side by The Charlatans

Posted by pjm at 3:43 PM | Comments (0)

September 8, 2004

I never thought...

…I’d be filtering visitors to this site based on where they’re coming from.

The thing is, they’re not really visiting, nor are they coming from where they say they’re coming from; they’re just requesting a page with a bogus referrer (and probably just routing the response to /dev/null.) They’re hoping I’ve got some sort of page somewhere which lists referrers (either recent, or most active) and that they’ll be picked up by the Googlebot.

One in particular, “locators dot com” (I’m not linking them for obvious reasons) was making such bogus requests a few dozen times a day, with various bogus subdirectories on their site attempting to attract search terms. So I dropped them in the site .htaccess file, right below the comment spam hack (which has been remarkably effective, by the way.)

If you’ve got direct access to your file tree and your host is using Apache, you can upload a file named .htaccess to the root of your site. (Some hosts may not allow this.) Here’s what’s in mine:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} !.mt-tb\.cgi*
RewriteCond %{REQUEST_URI} !.mt-xmlrpc\.cgi*
RewriteCond %{HTTP_REFERER} !.*flashesofpanic\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^-$
RewriteRule (.*) /post_error.php [R,L]
RewriteCond %{HTTP_REFERER} locators\.com
RewriteRule (.*) /post_error.php [R,L]

The first line turns on mod_rewrite. The next six implement Kasia’s comment spam hack, with a modification to allow access for ecto and my domain name rather than hers (obviously.) The last two lines send the bogus referrers from the slimeballs to the same error page. (Notice that you’ll have to create an error page to direct the slimeballs to.) Obviously, you can duplicate the next-to-last line (with an [OR] flag) for other slimeballs’ domains, create a custom error page for them (how about Cannot Find Life?) or other creative ideas. Notice that you need to escape the dots in domain names, because . is a wildcard character in regular expressions, which is the pattern-matching engine mod_rewrite uses but is far too complicated for me to get started on here.

I also suspect I could just deliver 404s to the referrer spammers without using mod_rewrite at all—maybe mod_access. I haven’t looked in to that yet.

As usual, your mileage may vary. I’m not claiming that this file won’t lock down your site, crash your host’s server, DOS everyone in your bookmarks, or forward all your ex’s archived email to your mother; I’m just saying it works for me.

Now playing: Unsatisfied from Let It Be by The Replacements

Posted by pjm at 11:52 AM | Comments (0)

August 25, 2004

Kicking comment spam where it hurts

Ian Hicks has been seeing “odd” spam coming in to technical discussion lists at the W3C (World Wide Web Consortium, for those not up on their TLAs.) The message is pretty curious; it’s actually almost on-topic for the list, but when you read it closely, it looks like something Eliza would generate from the message it replies to. And, then there’s the porn links spamvertized at the bottom of the message. Hmmm, Google gaming, perhaps? The publicly-archived-mailing-list version of comment spam? Almost certainly.

What’s interesting about Hixie noticing this is that he’s actually in a position to do something about it. Thinking in terms of page markup…

I’m thinking that HTML should have an element that basically says “content within this section may contain links from external sources; just because they are here does not mean we are endorsing them” which Google could then use to block Google rank whoring. I know a bunch of people being affected by Web log spam would jump at that chance to use this element if it was put into a spec.

It’s an interesting thought, and definitely a tag you’d see wrapping the comments section of nearly every weblog on earth. Still, when I start imagining the consequences, I’m not as excited. There’s plenty of disagreement within computer science about whether languages (programming, scripting, or markup) should be simple and restrictive (they shouldn’t let their users screw up) or powerful and dangerous (they can do wonderful things, but you’ve got plenty of rope to hang yourself.) This tag definitely falls under “powerful and dangerous.”

For one thing, it would need to be used to be effective, and look how many websites are still being laid out in tables rather than CSS. For another, it would really need to be used judiciously. I’ve drawn a lot of benefit from information posted to just the sort of web archive which might get wrapped in that tag. I suppose if the text of the messages is still indexed, they’d still be reachable, but it would make it notably more difficult to troubleshoot some problems. Really judicious use of the tag would be required.

On the other hand, if someone steps in immediately to “take the bullet” and make these comments and list archives an unattractive target for link spammers, perhaps they won’t get clogged with dross in the first place.

I suppose it’s the comment spammers mucking up web archives for us, just the way the email spammers are making our mail unusable, and the real problem is the unscrupulous gaming the system to the detriment of all. That’s a damn shame, of course. But I’d be really cautious about implementing a tool to hasten the same sort of damage the link spammers are steering us toward anyway.

Now playing: Don’t Bang The Drum from This Is The Sea by The Waterboys

Posted by pjm at 8:33 AM | Comments (0)

August 11, 2004


I started out thinking, “Wow, that was an amazingly silly piece of spam. Can you believe how surreal spam is getting nowadays?”

I thought about what a shame it would be if we never got any more spam, so we couldn’t get a regular laugh about how hapless internet marketers trying to make a quick buck go to criminal lengths to deliver entertaining crap to our inboxes several thousand times a day, and how absurd the stuff is.

Then I realized that I think that nearly once a day now, and even the silly and absurd ones don’t even get an audible laugh anymore. (Well, not from me, anyway.)

This process took about five seconds.

I think that means I’ve achieved post-spam thinking.

So why am I still getting spam, now that I’m post-spam? Besides that our filters aren’t perfect, I mean.

Now playing: Maya from Forget Yourself by The Church

Posted by pjm at 5:04 PM | Comments (0)

July 7, 2004

Bounty hunter

Today’s SANS Newsbites includes this note:

FTC Considering Spammer Bounties (30 June 2004)
The Federal Trade Commission is considering offering a bounty on spammers equal to at least 20% of any civil penalties the FTC collects. The FTC will report to Congress in September regarding the plan, after it has had time to compile and review expert testimony. The proposal has met with criticism; some say it would promote Internet vigilantism.

“Promote Internet vigilantism?” Are they serious? That’s like saying that watering your garden promotes rabbits.

Anyone who has done more than casual research into the anti-spam community is probably aware that internet vigilantism is the primary force keeping spam from rendering email (and Usenet, remember that?) unusable as a communications medium, and has been since the days of Canter and Siegel.

Those of us who administer mail servers have long been protecting our systems with the best firepower we can find, because we know there’s no public entity doing it for us. (Can we dispense with the fictional idea that CAN-SPAM did anything but fool some Congressmen into thinking they’d done something about the spam problem?) Offering bounties means the admins with the time can start bringing that firepower out and using it on behalf of the rest of us. Best thing the FTC has done in recent memory, I say. The only way they could top it would be authorizing the use of deadly force.

Now playing: Lawrence, KS from Golden Age of Radio by Josh Ritter

Posted by pjm at 1:40 PM | Comments (0)

June 24, 2004

More disconnected spam statistics

Another thing that’s wrong with spam: the lists are bad. One of the bits of data coming from Logwatch is what addresses we reject mail from, and how often. Yesterday, we rejected 24 attempts to send mail to an address belonging to an editor who left nearly a year ago.

Sure, after getting enough 500 errors (in email, error numbers in the 500 range mean, “It’s permanently broken, give up,” as opposed to 400 errors, which suggest, “Try back later”) eventually the spammer might weed this out of their list, but by that time they will undoubtedly have spread it to other lists, far and wide. I can fully expect to be bouncing spam for this former employee as long as I’m with the company.

More recently, a copyeditor left. One of her email addresses was her first name, the predictably common “Jennifer.” We bounced 77 messages “for her” yesterday. I can only offer my sympathy if we ever hire another Jennifer.

Now playing: Saddle Up from Let It Rock: The Best of the Georgia Satellites by The Georgia Satellites

Posted by pjm at 8:31 AM | Comments (0)

June 3, 2004

You've got scams!

I think if I actually managed to choke off the flow of spam into my users’ mailboxes, many of them would miss the entertainment value of complaining about it.

One in particular has had a series of notifications about winning European lottery tickets. (I’m sure this is some sort of variant on the infamous “Nigerian” advance-fee scam.) We wondered today just how many tickets she had “bought.” It occurred to me, though: if x out of every y tickets bought are winners, and you buy zero tickets, wouldn’t you then have a theoretically infinite number of winners?

Either way, it looks like these s[p|c]ammers have sufficiently advanced math skills to have determined the value of division by zero.

(Thumbnail explanation of the above cryptic word: it’s a regular expression, a way of expressing text strings with some flexibility. In this case, a string beginning with “s”, containing either “p” or “c” in the second position, then “ammers” over the rest of the string. It should match either “spammers” or “scammers” successfully, and it’s very brief. Unless you feel compelled to include a four-sentence explanation.)

Now playing: Pendulums from All of Our Names by Sarah Harmer

Posted by pjm at 3:50 PM | Comments (0)

April 28, 2004

More frustration in the spam wars

Jeremy is encountering the same problem we did a few weeks ago: someone sent him mail (regarding his new book, which I would probably find really cool if I was using MySQL at that level) and his attempt to reply prompted a “prove you’re not a spammer” challenge from TMDA, a challenge-response system not unlike SpamArrest. The summary is that when you initiate the conversation, you shouldn’t then be sending challenge-response messages when they reply. (Do you ever wonder why people aren’t responding to your email?) I’ll just reiterate that I don’t think this is the way to win the spam battle. The comments to Jeremy’s post are quite interesting, actually, because he has enough readers to have comments on both sides of the issue.

I seem to post about spam a lot, but it has been a significant problem for me in this job. Our poor little gateway mail server gets hammered with spam daily. We reject between 6,000 and 8,000 connections daily based on a few DNS block lists, which means we simply refuse to “talk” to these addresses no matter what they’re sending. There’s only thirty of us in this office, so we’re averaging over two hundred rejections per person, per day. Then SpamAssassin kicks in; I don’t know how many it tags for the whole office, but it’s more than one per hour for me. Then three or four more per day make it down to get filtered by Apple Mail (or many of our Windows users use POPFile.)

That’s got to be more than half our incoming mail. It’s probably past sixty percent, maybe more like seventy. That’s disgusting.

Now we’re hearing more about a variety of spam being classified as “SEO Spam,” or Search Engine Optimization spam. It’s not driven to create a sale right away, like the UCE in your mailbox; rather, it is taking advantage of the community-driven parts of the Web to create more links to a site in hopes of gaming the search engines. It includes comment spam on weblogs, like the stuff that drove me to install MT-Blacklist, and now Wiki Spam. Unlike UCE, which is driven by the idea that if we send email to enough people, eventually we’ll find someone who wants what we’re peddling, SEO spam is driven by the idea that everybody is searching for what we’re selling, and therefore we must put billboards everywhere. Growing up in a state which outlawed billboards in my lifetime for an analogous reason: Eeeyugh.

(Cute new ecto trick below. Not sure if I’ll keep it, particularly since I usually wind up writing across several songs.)
Now playing: Blues For Your Baby from the album Too Close To Heaven • The Unreleased Fisherman’s Blues Sessions by The Waterboys

Posted by pjm at 10:37 AM | Comments (2)

April 22, 2004

Mysterious failures

There were more transient email failures this morning. Like last time, parts of the system worked, other parts didn’t. Restarting the daemons didn’t help. Watching the log file (tail -f /var/log/maillog produces a nice stream of log messages as they are appended to the log file) showed that there was a lot of stuff going on successfully (it is infuriating to see the amount of time that server spends beating off brazen spammers—it’s like watching someone trying to do patient embroidery in a mosquito swamp.) And yet stuff was timing out. (I blame the spammers. I always blame the spammers.)

A theory from a helpful colleague suggested DNS timeouts. (That is, the service which resolves internet names like into numeric IP addresses was responding so slowly that my mail servers were giving up.) Our service provider does that for us; maybe they’re getting swamped. Maybe I need to be doing that down here? Another service to administer when I don’t quite understand the subtleties of the configuration files (and yes, I’ve got the cricket book.)

One thing that does have to happen is making Raven our backup mail exchange (MX) instead of our ISP’s mail server. The ISP guarding the back door is forced by their situation as a service provider to be more lenient about suspected spam, and a lot of trash is relayed in by that route. If I have responsibility for both primary and secondary MX, I can be equally strict on both of them, and hopefully lighten the load on both.

Posted by pjm at 1:17 PM | Comments (0)

April 7, 2004

Nastier and nastier

Another interesting worm came in (I’d say “over the transom” but perhaps “through the scuppers” might be a better term?) just now.

It’s the usual “your email account has been suspended” message (uh huh, you’re suspending my email?) with a twist: no attachment. Just a link.

I didn’t follow the link, not even with my Mac—I ran “dig” on the IP address to get the relevant domain name, (which is, by the way: Do Not Touch!) Then I opened a “telnet” session to the web daemon for that domain, and hand-keyed the HTTP request. The page served sniffs your browser and version, and serves a CGI script if you’re using particular versions of Microsoft Internet Explorer. I’m not willing to spoof IE and deliberately download the CGI, but I’m betting twenty bucks to a paper cup of lukewarm tea that it’s nastiness coded to exploit one of the many vulnerabilities for that browser.

So: I can’t block them at the mail server, because there’s no attachment to get a grip on. I’m currently sussing out firewall rules to prevent my users from even connecting to that web server, but how many malware-spewing hosts can I manually firewall? I have to hope they heard my explanation last time (“Nobody’s suspending your email unless it has my PGP signature on it!”) for the time being… and strongly advocate that my Windows users dump IE and move to Mozilla.

Posted by pjm at 12:02 PM | Comments (2)

Still psyched about challenge-response spam "prevention"?

How about the New Scientist article detailing how to kill a mail server, triggering a DDOS by sending an email forged to appear to come from that server. Now, look at how much spam has spoofed return addresses and consider that “DDOS” means “Distributed Denial Of Service.”

This has been a public service announcement courtesy of the One Question Certification Test for E-Mail Filter Authors.

(Thanks to Nancy M. for the first link.)

Posted by pjm at 11:37 AM | Comments (0)

March 31, 2004

Clarification for SpamArrest users:

You contacted our company. It is therefore your responsibility to be listening for our response. We should not have to jump through your “prove you aren’t a spammer” hoops when we try to respond to your initial inquiry.

Any spam-filtering system which falls down like this is broken. Period.

(Thanks to Nancy M. for the links.)

Posted by pjm at 10:11 AM | Comments (3)

March 26, 2004

And one last word for the comment spammers...

(OK, sorry, that was probably uncalled for. I got two of ‘em in quick succession, just as I was installing MT-Blacklist. First I edited them so they appeared to comment on their own spelling, which was poor, and to change the spamvertized URLs to point to the MT-Blacklist page. Then I deleted them. I considered changing the links to the Slashdot-popular domain, which is emphatically not work-safe, but decided they probably didn’t care.)

(Further comment for those who saw the earlier post and are wondering if I can even swear properly: fsck (work-safe).)

Posted by pjm at 2:37 PM | Comments (0)

March 25, 2004

Check your weapons

Another NYT article in today’s “Circuits” section is called “Stand and Fight: An Arsenal for Spam Victims.” Unfortunately, it deals mostly with commercial anti-spam tools, and I’ve mentioned my problems with these before. It mentions challenge-response matter-of-factly, as though there are no drawbacks to suggesting to random people trying to get in touch with you that they might be spammers. Still, they’re trying.

I’m trying, too. A preponderance of drug spam in my inbox (“Spam giving you a headache? We’ve got the pill for you!”) finally spurred me to tweak our SpamAssassin rules, and it has worked well. I’m keeping a close eye on the losers, to see what’s worked; an autopsy, if you will. Working backwards, a few rulesets added from the SpamAssassin Custom Rules Emporium (thanks to Jeremy, who keeps posting useful stuff, for the link) have been helpful, but mostly they’ve served to inflate the scores of stuff that might have been caught anyway. Much more useful were the small list of tweaks Kasia posted.

Steve F. of the incredible company Panic Software has a pretty good post detailing the reasoning behind his SA rules adjustment.

Posted by pjm at 1:19 PM | Comments (1)

Morning dissonance

There was an awfully weird collection of links and news on my radar screen this morning.

There was yesterday’s NY Times story on something we’ve seen a good bit of here, “Online Swindlers, Called ‘Phishers,’ Are Luring Unwary.” Remember, AOL help desk people will never ask for your password.

And the condescending (and somewhat dated) spoof, “Welcome to the Internet Helpdesk.”

Yet despite all this, “For Some Internet Users, It’s Better Late Than Never.”

Once largely written off as a lost cause, older Americans are now coming into their own as Internet users. … “People are continuing to learn and stay mentally active instead of vegetating,” [Leonard Krauss] said.

What I want to know is, what’s the rate of virus and worm infection among new internet users (of whatever age) relative to the internet population at large? (Yes, that’s bitterness talking; I am, in general, in favor of people learning new things.)

Posted by pjm at 9:57 AM | Comments (0)

March 11, 2004

Jail a spammer, part 2

Or, as has been the case twice in the last week, you can catch them abusing the Habeas warrant mark, and report them, so Habeas can go after them with trademark and copyright law. Much tougher than CAN-SPAM (which I think should come up when you search Google for "miserable failure," but I didn't make that particular Google-bomb.)

Anyway, both the NYT and Wired News carried news of spammer lawsuits from major ISPs today. Much as I love to see spammers with their feet in the fire, I'd rather not see the fruits of any successful lawsuits lining Microsoft's pockets. Spread it around down here, where the damage is being done. Where my poor little Bluebird, which should be perfectly adequate to serve mail for a thirty-mailbox office, is getting so hammered with spam that it sometimes shuts down the mail servers to avoid overload. If we have to cough up for a new mail server with more horsepower... well, that's all very nice for the hardware dealers, but it's an unacceptable expense for a small business like us.

Posted by pjm at 10:37 AM | Comments (0)

March 10, 2004

Jail a spammer

It can't happen fast enough. Did you get a...

...stock solicitation? Send it to the SEC.

...Nigerian (or "advance fee") scam? Sic the U.S. Secret Service on 'em.

...offer to sell prescription drugs without a prescription? (This seems to be the bulk of my spam lately...) Try the FDA.

(via the helpful folks at the U of Oregon...)

Starting tomorrow, the FTC is soliciting comments on CAN-SPAM. My comment, of course, is, "Why couldn't they pass a law that works? Say, one with capital penalties and enforcement provisions?" But if you want them to know what a shambles that law was (you're getting less spam, right?) they want to know at

Posted by pjm at 3:48 PM | Comments (1)

February 27, 2004

More spam

With everyone having pretty much given up CAN-SPAM as an expensive joke, it looks like the people who can actually drive change (read: monopoly or near-monopoly power) are making some. Sendmail, which I mentioned last week, is moving to support both Yahoo and Microsoft's anti-spam measures at the domain level.

This looks nice on the face of it. Sendmail, Yahoo and Microsoft probably have a finger in upwards of 80% of the non-spam email sent in the USA, and they may be able to at least arrange some kind of interoperability. (Nice metaphor in an unrelated article: "...most of us are more or less resigned to keeping both types of screwdrivers in our toolkits—we'll use whichever one is handy and fits our needs.")

Still, there are some serious problems to be faced. First, as I said last week, how do we figure out the switch? I can't be the only one trying to admin a mail server which is running a heavily-patched sendmail one or two point-releases behind the current stable, chewing my fingernails wondering if the vendor will get most of the security patches released before they EOL the box. Who's going to bring me up to spec?

Second, it's all very well to check domains on email against the IP of the actual sending machine, but I'd like to hear more about how that's going to be enforced. For instance, I own this domain and expect to be able to send mail with this return address. However, at home, I'm required to send outbound mail through Comcast's mail servers. So, my mail will bear a return address from, but won't appear to have touched a system listed as a mail exchanger for that domain. Am I now cut off from sending email at home? I should hope not.

Following on that, I should point out that We offer the widest range of drugs available and provide access to complimentary online medical consultations.

What's available: ' Va.l.ium % Pntermi/n/ ? v|@grA . +X+ANAx - So.m.a

Puh-leeze get them off our internet! This... this... words fail me. Excuse me while I go outside and scream...
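The home-relay problem raised in this post, worked through as an added example (not code from the original post or from sendmail). It uses SPF-style policy syntax (RFC 7208) as a stand-in for the domain-level checks being discussed; the `.example` domains, the documentation-range IP addresses and the name `check_sender` are all constructed for illustration.

```python
import ipaddress

# Constructed DNS data: documentation IP ranges and .example names only.
TXT = {
    "blog.example": "v=spf1 mx -all",                  # only the domain's own MX may send
    "isp.example": "v=spf1 ip4:198.51.100.0/24 -all",  # the ISP's outbound relays
}
MX_ADDRS = {"blog.example": ["192.0.2.25"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

OFFICE_MX = "192.0.2.25"    # mail sent from the domain's own server
ISP_RELAY = "198.51.100.7"  # home mail forced through the ISP's relay
UNRELATED = "203.0.113.99"  # some other host using the same return address

# Fix: the domain owner also authorises the ISP's relays.
TXT_FIXED = {**TXT, "blog.example": "v=spf1 mx include:isp.example -all"}


def check_sender(ip, domain, txt=TXT, depth=0):
    """Evaluate a simplified SPF-style policy for (sending IP, return-address domain)."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no policy
    if depth > 10:
        return "permerror"  # guard against include loops
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            matched = ip in MX_ADDRS.get(arg or domain, [])
        elif name == "include":
            matched = check_sender(ip, arg, txt, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism not covered by this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for label, ip in [("office", OFFICE_MX), ("home via ISP", ISP_RELAY), ("other", UNRELATED)]:
        print(label, check_sender(ip, "blog.example"), check_sender(ip, "blog.example", TXT_FIXED))
```

With the MX-only policy the home mail fails the check; listing the ISP's relays makes it pass, at the cost of authorising every other customer of those relays to use the same return address.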

Posted by pjm at 1:34 PM | Comments (0)

February 26, 2004

Military-Industrial Complex

Everything I do at work to filter spam from our incoming email is "free software" ("Free as in speech," they say, "not free as in beer.") There's a bit in Wired News today which underlines that decision. Two new filter developers (using various refinements on mathematical recognition of spam fingerprints) are claiming Ivory-soap levels of accuracy in identifying spam, which is a good thing on its own. But what I find remarkable is the reaction of the "professional" spam-hunters like Brightmail:

"People can make any kind of claim at any time," said Francois Lavaste, vice president of marketing at Brightmail. "You can make claims today, but what matters is how they hold up down the road."
Even if independent tests prove CRM114 and Dspam to be more effective, Lavaste cautions potential users to consider whether they need the training and support that vendors of commercial solutions can provide.
"ISPs might find it attractive and acceptable, but is it an ISP-class solution?" said Lavaste. "That remains to be seen."

Here's the problem: Brightmail depends, for its very existence, on a continuing flow of spam to justify the expense of hiring them. What is their incentive to completely shut out spam? It's like the Soviets; once they were in power, where was their incentive to achieve "true Communism" where "the state would wither away?" Brightmail doesn't want to wither away, and they don't want open-source spam filters cutting into their business. Whereas the open-source spam-filtering guys would rather get back to doing something really interesting, instead of shoveling manure. Who would you trust to get the job done properly?

Posted by pjm at 9:30 AM | Comments (0)

February 19, 2004

Dealing with spam

Jeremy Zawodny linked to an excellent ACM article by Eric Allman. Allman (whose claim to fame is that he wrote sendmail, the MTA which handles mail transmission on something like 80% of the *nix hosts on the internet) complains that addressing the spam problem through block lists and filtering (as I do) solves the problem at the expense of the same people shafted by the spam problem in the first place - the average user. He's right, of course, but the ultimate solution, shifting the cost of spamming from the recipient to the sender, would require replacing the SMTP standard, which would mean a wholesale shift in the plumbing of the internet. To put this in everyday terms, imagine the telephone shift from pulse dialing (the clicks produced by rotary phones) to tone dialing. Now imagine if people with pulse dialing hadn't been able to call people with tone dialing while the transition was happening. See the problem? Not one I've got a solution to, certainly, which is why I go on filtering.

Articles like this make me wonder if I should join ACM (in addition to my Usenix/SAGE membership) so they'll keep them coming.

Posted by pjm at 10:46 AM | Comments (2)