Link Laundering
Saturday, February 16th, 2008 Posted in Spam | 1 Comment »
With bloggers squashing obviously-spammy links* as fast as they can, comment spammers have evolved. (I think they’ve reached the level of slime mold now, rather than amoebas.) They’re trying to make their sites look like blogs. And I’m seeing two main techniques, one involving Trackbacks/Pingbacks, the other involving manual person-at-a-keyboard commenting.
Pingbacks and Trackbacks are two ways for one site to notify another that it’s linked to it, and provide an excerpt of the context. Essentially, they’re automated comments. You read a post on some other site, you write your own response, linking to the original post, and your blog software submits the equivalent of “Hi, I read your post, and it got me thinking. I ended up writing my own post over here…”
Where spam is concerned, the main difference is that with Trackbacks, the submitting site provides an excerpt, but with Pingbacks, all it submits is the URL. The receiving blog then retrieves the page and scans it for the link, building an excerpt from the context. The upshot of this is that Pingbacks automatically verify that yes, the site really did link to you, which meant that a lot of early comment spam was submitted using Trackbacks. The obvious response to that was to set up spam protection to verify links on incoming Trackbacks. And the obvious response by the spammers was to put up real links, at least long enough to let the victims verify them.
So now, a lot of trackback/pingback spam seems to come from sites running actual blogging software, but not really posting any content. Just “So-and-so wrote an interesting post today” over and over, hundreds of times a day. Half the time they don’t bother to match the name to the actual link. This is the kind of spam that prompted my recent re-evaluation of spam plugins on this site.
Then there was the sneaky post I got on Thursday. It was a sort-of half-on-topic comment on a post about movies, and the author’s URL pointed to what appeared to be a blog about movies. OK, fair enough, but I was still a bit suspicious since it didn’t look like they’d actually read my post.
I skimmed the site looking for things like cobbled-together sentences, and an idea of how long it had been around. Then there was a random post about guitars, in a different writing style. I figured, okay, maybe they’re doing one of those paid-post things.
Then I moved the mouse cursor over one of the links.
It quickly became clear that every single outgoing link on the front page was pointing to ultimate - free - downloads - dot - com, whether it was a movie title, or an actor, or a song title.
At this point I’m not sure whether the site in question is simply an elaborately designed intermediary created to “launder” the links to spam sites, or whether it’s a legit blog that’s been hijacked by someone replacing their links. I looked around at some of the older posts and I do see links to Amazon and a couple of other sites.
*This is also why I’ve stopped using the Alternative Browser Alliance as my URL when commenting on browser-related blogs. Even though I’m making an on-topic comment, I don’t want people to take a look at the link, say, “Hey, this isn’t a person, this is some weird campaign thing!” and delete the comment…and worse, get a rep as a comment spammer. So these days I just link everything here.
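The two checks described in this post, as an added example that is not part of the original post: confirm that a Trackback/Pingback source page really links to the target, then measure how concentrated its other outgoing links are on a single host. The function names, the 80% threshold, the five-link minimum and every `.example` host are assumptions, and the sample pages are constructed.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class LinkCollector(HTMLParser):
    """Collect every <a href> on a page, resolved against the page's own URL."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(urljoin(self.base_url, href))

def host(url):
    name = (urlparse(url).hostname or "").lower()
    return name[4:] if name.startswith("www.") else name

def assess_source(source_url, source_html, target_url, min_links=5, max_share=0.8):
    """Assess an already-fetched source page (hypothetical helper, assumed thresholds)."""
    collector = LinkCollector(source_url)
    collector.feed(source_html)
    # Point-in-time check only: a link that is present now can be removed later.
    links_to_target = any(l.rstrip("/") == target_url.rstrip("/") for l in collector.links)
    # Outgoing links: ignore the page's own host and the blog being notified.
    skip = {host(source_url), host(target_url), ""}
    outgoing = [host(l) for l in collector.links if host(l) not in skip]
    top_host, top_count = Counter(outgoing).most_common(1)[0] if outgoing else (None, 0)
    share = top_count / len(outgoing) if outgoing else 0.0
    return {
        "links_to_target": links_to_target,
        "dominant_host": top_host,
        "share": round(share, 2),
        "laundering_suspect": len(outgoing) >= min_links and share >= max_share,
    }

# Constructed sample pages; all hosts are placeholders under .example.
TARGET = "http://blog.example/2008/02/movie-post/"
SPAM_PAGE = '<p><a href="%s">So-and-so</a> wrote an interesting post today.</p>' % TARGET + "".join(
    '<a href="http://downloads.example/get?q=%d">%s</a> ' % (i, text)
    for i, text in enumerate(["a movie title", "an actor", "a song title", "a director", "a sequel"]))
REAL_PAGE = ('<a href="%s">this post</a> <a href="http://shop.example/dvd">DVD</a> ' % TARGET
             + '<a href="http://wiki.example/Film">film</a> <a href="/about">about me</a>')
```

Both sample pages pass the link check; only the first is flagged, because all five of its remaining links resolve to one host.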
The Spammers, The!
Thursday, December 13th, 2007 Posted in Spam | No Comments »
I recently noticed that the mail server was experiencing 4 times the typical number of SMTP connections. It didn’t seem to be under any stress, though, not as far as server load went. So I watched the log file trail, and saw a bunch of messages coming in to nonexistent users with the pattern, FirstnameLastname@alternativebrowseralliance.com.
My first thought was that someone was running a dictionary attack against the domain, trying many different addresses to see which might be valid. Then I noticed that they seemed to be coming from <> — in other words, they were bounce notices.
Great. A Joe Job.
I enabled a catch-all temporarily. That did cause the server to slow down, as it was now actually processing the quadruple load instead of kicking back 3/4 of it with a “User unknown” error. (I hadn’t thought to disable spam scanning on the domain first.) In the 30 seconds before I turned it off again, it picked up 25 non-delivery notices. And those are just the ones that got past the spam filter.
As it turned out, they were just random junk. Some spammer had picked the domain and was using it to forge random From: addresses, and we were getting the bounces. In the old days they made up the whole address, but it’s easy to check whether a domain exists. So now they pick some real domain and make up a fake address. That’s harder to detect unless the domain in question uses some sort of verification system like SPF or DKIM.
So it wasn’t a Joe Job: no one was trying to besmirch the site’s reputation. It still meant extra traffic to the mail server, though.
This problem is called backscatter, and it exists for two reasons:
1. The sender address on an email message is easy to forge, like writing a fake address on an envelope.
2. Many mail systems will accept a message first, then process it. If it then decides to reject it, it can’t respond to the actual sender, only to the one listed in the message—and in the case of spam, it’s usually forged (see #1).
I don’t send any mail using the domain. The only reason it even has mail pointed anywhere is so that I can receive mail sent to the webmaster for the Alternative Browser Alliance. I suppose I could set up a -all (no servers are authorized) SPF record, and hope some recipients decide not to send bounces. But I’m not sure how much it would actually accomplish.
Anyway, the two lessons to take away from this are:
- Reject messages to bad recipients in the initial SMTP transaction. It’ll protect your server from backscatter (and dictionary attacks), because you won’t have to queue and process all the extra junk.
- Don’t generate bounce messages after the fact based on something as easily forged as the supposed sender. Otherwise, you’ll be contributing to backscatter.
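The diagnosis made in this post, as an added example that is not part of the original post: in a burst of rejected recipients, the envelope sender separates backscatter (null sender `<>`, i.e. bounce notices) from address probing (real-looking senders). The log line format, the `triage` function, its `min_unknown` threshold and the `alt.example` domain are assumptions, and the log lines are constructed; 550 is the SMTP reply code used for the “User unknown” rejection.

```python
import re
from collections import Counter

# Constructed log format: "<time> from=<sender> to=<recipient> result=<SMTP code>"
LINE = re.compile(r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)> result=(?P<code>\d{3})")

def triage(log_lines, domain, min_unknown=5):
    """Classify a burst of rejected recipients at `domain` by envelope sender."""
    counts = Counter()
    for line in log_lines:
        m = LINE.search(line)
        if not m or not m["rcpt"].lower().endswith("@" + domain):
            continue
        if m["code"] != "550":
            counts["accepted"] += 1
        elif m["sender"] == "":
            counts["unknown_null_sender"] += 1  # bounce notice for an address that never existed
        else:
            counts["unknown_real_sender"] += 1  # a sender guessing at recipient names
    unknown = counts["unknown_null_sender"] + counts["unknown_real_sender"]
    if unknown < min_unknown:
        verdict = "normal"
    elif counts["unknown_null_sender"] > counts["unknown_real_sender"]:
        verdict = "backscatter"
    else:
        verdict = "dictionary attack"
    return verdict, dict(counts)

# Constructed sample logs following the FirstnameLastname pattern from the post.
NAMES = ["AnnaSmith", "BobJones", "CaraLee", "DanFord", "EveHall", "FayKing"]
BACKSCATTER = [f"2007-12-13T10:00:{i:02d} from=<> to=<{n}@alt.example> result=550"
               for i, n in enumerate(NAMES)]
BACKSCATTER.append("2007-12-13T10:01:00 from=<reader@isp.example> to=<webmaster@alt.example> result=250")
PROBING = [f"2007-12-13T11:00:{i:02d} from=<x{i}@bulk.example> to=<{n}@alt.example> result=550"
           for i, n in enumerate(NAMES)]

if __name__ == "__main__":
    print(triage(BACKSCATTER, "alt.example"))
    print(triage(PROBING, "alt.example"))
```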
Linkage: Authorship, Allergies & Alternate History
Sunday, December 2nd, 2007 Posted in Politics, Sci-Fi/Fantasy, Writing | No Comments »
Catching up on interesting links from the past week.
Balkanized North America: what if every region that started independent had stayed that way, and every region that threatened to secede from the US or Canada had succeeded? (via ***Dave)
Enter Sandman: Who wrote “Footprints”? You’ve probably read the poem, or heard it, in which the narrator dreams of walking along a beach with God, and looking back and noting how many sets of footprints there are at different points in their life. It turns out at least four people claim authorship. (via Neil Gaiman)
Retro-Future: To the Stars! Science-fiction illustrations from 1930–1970, many of them from Soviet/Eastern Bloc countries. (via Slashdot, though I noticed it popped up again today on The Beat)
My Son’s Food Allergies: Danger Every Day: An essay on a family dealing with their toddler’s serious (i.e. life-threatening) food allergies. I am so glad I didn’t have things this bad when I was younger. Fortunately for me, mine didn’t get really dangerous until I was around 17 or 18—just in time to go off to college and get exposed to all kinds of strange food! (Found on CNN)
Citizens Against Ugly Street Spam (CAUSS): volunteer group that tears down unsightly (and illegal) signs stapled to telephone poles and such. I saw their site a few years ago, but had no idea that they were not only still around, but had expanded to multiple cities. (again, via ***Dave)
Tired of Pingback Spam
Tuesday, November 20th, 2007 Posted in Spam | 2 Comments »
Bad Behavior and Spam Karma do a good job of fighting most of the spam that hits this site, but over the last few weeks I’ve seen a (relatively) new kind that seems to require manual intervention: pingback spam.
It took a long time for spammers to really start abusing pingbacks, because of two things: First, pingbacks require the remote site to link to your site before they can get you to link to theirs. Second, it was just so much easier to abuse trackbacks and ordinary comments. I guess those have gotten locked down enough that it’s worth the effort to target pingbacks now.
Random Tech Bits
Friday, October 26th, 2007 Posted in Apple, Browsers, Opera, Spam | No Comments »
Taking a break from the fire commentary:
Apple: Finally pre-ordered Mac OS X Leopard, removing the temptation to run out to an Apple store or Fry’s this weekend (though I’ve been meaning to put some more RAM in the Windows box). Saved a few bucks by ordering from Amazon ($10 off the family pack, would’ve been $20 off the standard box), and picked the free shipping so that I won’t be tempted to install it until there’ve been a few days’ worth of bug reports.
Meanwhile, I’m wondering when Safari 3 comes out for Windows and Tiger. Tonight at 6:00? Monday? I’m looking forward to this putting some of the new CSS3 capabilities into the hands of potentially 5% of the web audience.
Opera: Speaking of web browsers, Opera 9.5 beta came out yesterday. In addition to lots of work on rendering & site compatibility (as seen through the last few weeks’ worth of alpha releases), they’ve launched a new service called Opera Link. It’s primarily a bookmarks sync service, plus a web-accessible interface. So you can automatically sync multiple copies of Opera—including Opera Mini—and also be able to access those bookmarks from Firefox, IE, or a computer where you’re a guest (friend, computer lab, cafe, etc.). I think the biggest impact here is going to be syncing between the desktop and phone, like Safari on the desktop and the iPhone.
On the other hand, imagine adding a bookmarklet or Firefox extension to more easily update from—or even fully sync with—other browsers. Or better yet, a way to synchronize Opera Link with, say, del.icio.us, which can integrate fully with both Firefox (via an extension) and Flock.
Spam: I’m astonished that, with the amount of comment spam that hits this blog (many thanks to Bad Behavior and Spam Karma for helping stem the tide!), I’ve only netted 7 comment spammers for Project Honeypot since they started tracking comment spam 6 months ago. I guess the software is smart enough to only hit the real forms?
WordPress: Just released version 2.3.1 with a bunch of bugfixes and (of course) a security fix. Updated.
Sneaky Spammer
Wednesday, September 12th, 2007 Posted in Spam | No Comments »
Judging by a quartet of comments posted this evening, 3 of which slipped past Spam Karma, someone’s started outsourcing comment spam to India. (I’m serious, the IP addresses were assigned to Bharti Airtel and BSNL Internet, both ISPs based in New Delhi.)
They were posted quickly, as if they’d been composed in another editor and pasted into the form. More importantly, they were actually posted through the form, not just sending data directly to the handler. And most tellingly, the posters had gone to the effort to fill out the CAPTCHA that Spam Karma provides to allow human commenters to recover from a false positive.
The one I liked best, from a technical perspective, was posted on Tall Ships of San Diego. The spammer had followed my link to the San Diego Maritime Museum, then followed that to a page describing one of the ships, the Californian, and generated a post by stringing together sentences from that page. The whole thing linked to a student loan site.
At first glance, it looked like a garbled, on-topic comment from someone who maybe didn’t speak English as their first language. That happens, and if it’s a legit comment, I leave it. In fact, I considered leaving the comment but deleting the author URL, until I looked up the ship. (It wasn’t one of the ships we toured on our visit, and I didn’t recognize the name.) As I looked at the ship’s profile, I started recognizing text from the comment. At that point it became clear what was going on, and I started looking at the other comments posted over the last few hours.
Trackback spam is back
Wednesday, August 22nd, 2007 Posted in Spam | No Comments »
I’m surprised it took so long, but trackback spammers seem to have finally figured out that they can sail past the simplest check against trackback spam—does the calling page actually link to the page being trackbacked?—by temporarily adding that link.
Or maybe they have for a while, and they’ve only just started getting past my other layers of defense (namely Bad Behavior and other checks by Spam Karma).
*sigh*
Spam from the Third Age
Sunday, August 19th, 2007 Posted in Sci-Fi/Fantasy, Spam | 1 Comment »
I’ve held off on posting funny spam subject lines lately, but I just had to comment on this pair. First up:
Mazrim Taim was one of those, raising an army and ravaging Saldaea before he was taken.
It’s a quote from Lord of Chaos, the 6th book in Robert Jordan’s fantasy series, The Wheel of Time. The next one is a bit less obvious:
If Lan was attempting jokes, however feeble and wrongheaded, he was changing.
I wasn’t sure about this one, since there must be other stories with characters named Lan, but Google Book Search found it in book 5, The Fires of Heaven.
I’ve seen lots of spam that used filler from The Wizard of Oz and other novels old enough to be in the public domain. Project Gutenberg and the like have been transcribing them, making free plain-text ebooks for years, making it easy to snag a couple of lines of actual English text.
In theory this should be harder to identify as filler than randomly-generated text.
Catching up with Image Spam
Thursday, August 2nd, 2007 Posted in Spam | 3 Comments »
Since adding the MSRBL-Images signatures to our spam filters at work, I’ve occasionally dropped in to Spam or Not to help rate their submissions. It uses the “Hot or Not” concept, but instead displays an image that’s been submitted as spam, and asks viewers to rate just how spammy it is. The results feed back into developing their signatures.
Right now they’re just 10 images away from rating every single image in their database.
Total Images: 308780
Total Ratings: 314616
Rated Images: 308770 (99.99%)
Unfortunately, I seem to be mostly getting already-ranked images, because that third number isn’t climbing in step with the second. And of course, when it comes to spam, you can rate all you want—they’ll make more.
No comment?
Friday, April 27th, 2007 Posted in Spam | No Comments »
Project Honeypot recently started tracking comment spammers as well as email harvesting bots. Oddly enough, even though they have data going back to March 22, and even though Bad Behavior and Spam Karma have blocked an incredible number of spam comments on this site (Bad Behavior has blocked 3807 connections in the past week alone)... none of the honeypots I manage have trapped a single comment spam.
And no, the honeypot on this site isn’t protected by those plugins.
Pro-whaaat?
Thursday, March 15th, 2007 Posted in Humor, Spam | 3 Comments »
A piece of spam came across the abuse desk the other day hawking something called “Viagra Professional.” Just as some songs aren’t suited for elevator music, some products aren’t suited for Microsoft-style naming schemes.
Think about it: Outside the pharmaceutical industry, what *ahem* profession would have a use for Viagra?
Enhance your… mortgage?
Monday, January 22nd, 2007 Posted in Spam | 3 Comments »
I suppose it was only a matter of time before these two genres of spam collided. Today I received a spam advertising body-part enlargement products, with a link to a site called bmsMUNGEDcommercialmortgage.info (without the MUNGED).
Apparently, getting a new mortgage is supposed to increase my ability to handle huge tracts of land.
Flash Fraud
Tuesday, January 2nd, 2007 Posted in Comics, Spam | 3 Comments »
Got an interesting phish today.
Subject: Error in your billing information
From: Keystone Savings Bank.
Hmm, Keystone, eh?
Apparently, it *is* a challenge
Thursday, November 16th, 2006 Posted in Spam | No Comments »
Every once in a while, a comment spam manages to get past both Bad Behavior and Spam Karma. Oddly enough, it always seems to be on the same entry: “Abuse Contact” is not an invitation.
I guess spammers like a challenge as much as anyone else.
Eye Gouging
Thursday, September 21st, 2006 Posted in Humor, Spam | 1 Comment »
Here’s another example of randomly-generated spam somehow being appropriate:
This morning I received an image-based stock spam. The sender’s name was listed as “eye gouging.” Yes, spam does sometimes make you want to gouge out your eyes (or perhaps the spammer’s). May I recommend the Grammar Spork™ (NSFW: language) for such cases?
