Tag Archives: Spam

The Spammers, The!

Posted on December 13, 2007 by Kelson

I recently noticed that the mail server was experiencing 4 times the typical number of SMTP connections. It didn’t seem to be under any stress, though, not as far as server load went. So I watched the log file trail, and saw a bunch of messages coming in to nonexistent users with the pattern, FirstnameLastname@alternativebrowseralliance.com.

My first thought was that someone was running a dictionary attack against the domain, trying many different addresses to see which might be valid. Then I noticed that they seemed to be coming from <> — in other words, they were bounce notices.

Great. A Joe Job.

I enabled a catch-all temporarily. That did cause the server to slow down, as it was now actually processing the quadruple load instead of kicking back 3/4 of it with a “User unknown” error. (I hadn’t thought to disable spam scanning on the domain first.) In the 30 seconds before I turned it off again, it picked up 25 non-delivery notices. And those are just the ones that got past the spam filter.

As it turned out, they were just random junk. Some spammer had picked the domain and was using it to forge random From: addresses, and we were getting the bounces. In the old days they made up the whole address, but it’s easy to check whether a domain exists. So now they pick some real domain and make up a fake address. That’s harder to detect unless the domain in question uses some sort of verification system like SPF or DKIM.

So it wasn’t a Joe Job: no one was trying to besmirch the site’s reputation. It still meant extra traffic to the mail server, though.

This problem is called backscatter, and it exists for two reasons:

  1. The sender address on an email message is easy to forge, like writing a fake address on an envelope.
  2. Many mail systems will accept a message first, then process it. If it then decides to reject it, it can’t respond to the actual sender, only to the one listed in the message—and in the case of spam, it’s usually forged (see #1).

I don’t send any mail using the domain. The only reason it even has mail pointed anywhere is so that I can receive mail sent to the webmaster for the Alternative Browser Alliance. I suppose I could set up a -all (no servers are authorized) SPF record, and hope some recipients decide not to send bounces. But I’m not sure how much it would actually accomplish.

Anyway, the two lessons to take away from this are:

  • Reject messages to bad recipients in the initial SMTP transaction. It’ll protect your server from backscatter (and dictionary attacks), because you won’t have to queue and process all the extra junk.
  • Don’t generate bounce messages after the fact based on something as easily forged as the supposed sender. Otherwise, you’ll be contributing to backscatter.

Posted in Spam | Tagged , , , , | Leave a comment

Linkage: Authorship, Allergies & Alternate History

Posted on December 2, 2007 by Kelson

Catching up on interesting links from the past week.

Balkanized North America Map (thumbnail)Balkanized North America: what if every region that started independent had stayed that way, and every region that threatened to secede from the US or Canada had succeeded? (via ***Dave)

Enter Sandman: Who wrote “Footprints”? You’ve probably read the poem, or heard it, in which the narrator dreams of walking along a beach with God, and looking back and noting how many sets of footprints there are at different points in their life. It turns out at least four people claim authorship. (via Neil Gaiman)

Lunar UnicycleRetro-Future: To the Stars! Science-fiction illustrations from 1930–1970, many of them from Soviet/Eastern Bloc countries. (via Slashdot, though I noticed it popped up again today on The Beat)

My Son’s Food Allergies: Danger Every Day: An essay on a family dealing with their toddler’s serious (i.e. life-threatening) food allergies. I am so glad I didn’t have things this bad when I was younger. Fortunately for me, mine didn’t get really dangerous until I was around 17 or 18—just in time to go off to college and get exposed to all kinds of strange food! (Found on CNN)

Citizens Against Ugly Street Spam (CAUSS): volunteer group that tears down unsightly (and illegal) signs stapled to telephone poles and such. I saw their site a few years ago, but had no idea that they were not only still around, but had expanded to multiple cities. (again, via ***Dave)

Posted in Politics, Sci-Fi/Fantasy, Writing | Tagged , , , , , , , , | Leave a comment

Tired of Pingback Spam

Posted on November 20, 2007 by Kelson

Bad Behavior and Spam Karma do a good job of fighting most of the spam that hits this site, but over the last few weeks I’ve seen a (relatively) new kind that seems to require manual intervention: pingback spam.

It took a long time for spammers to really start abusing pingbacks, because of two things: First, pingbacks require the remote site to link to your site before they can get you to link to theirs. Second, it was just so much easier to abuse trackbacks and ordinary comments. I guess those have gotten locked down enough that it’s worth the effort to target pingbacks now. Continue reading

Posted in Spam | Tagged , , | 5 Comments

Random Tech Bits

Posted on October 26, 2007 by Kelson

Taking a break from the fire commentary:

Mac OS X LeopardApple: Finally pre-ordered Mac OS X Leopard, removing the temptation to run out to an Apple store or Fry’s this weekend (though I’ve been meaning to put some more RAM in the Windows box). Saved a few bucks by ordering from Amazon ($10 off the family pack, would’ve been $20 off the standard box), and picked the free shipping so that I won’t be tempted to install it until there’ve been a few days’ worth of bug reports.

Meanwhile, I’m wondering when Safari 3 comes out for Windows and Tiger. Tonight at 6:00? Monday? I’m looking forward to this putting some of the new CSS3 capabilities into the hands of potentially 5% of the web audience.

[Opera Logo]Opera: Speaking of web browsers, Opera 9.5 beta came out yesterday. In addition to lots of work on rendering & site compatibility (as seen through the last few weeks’ worth of alpha releases), they’ve launched a new service called Opera Link. It’s primarily a bookmarks sync service, plus a web-accessible interface. So you can automatically sync multiple copies of Opera—including Opera Mini—and also be able to access those bookmarks from Firefox, IE, or a computer where you’re a guest (friend, computer lab, cafe, etc.). I think the biggest impact here is going to be syncing between the desktop and phone, like Safari on the desktop and the iPhone.

On the other hand, imagine adding a bookmarklet or Firefox extension to more easily update from—or even fully sync with—other browsers. Or better yet, a way to synchronize Opera Link with, say, del.icio.us, which can integrate fully with both Firefox (via an extension) and Flock.

Spam: I’m astonished that, with the amount of comment spam that hits this blog (many thanks to Bad Behavior and Spam Karma for helping stem the tide!), I’ve only netted 7 comment spammers for Project Honeypot since they started tracking comment spam 6 months ago. I guess the software is smart enough to only hit the real forms?

WordPress: Just released version 2.3.1 with a bunch of bugfixes and (of course) a security fix. Updated.

Posted in Apple, Browsers, Opera, Spam | Tagged , , , , , , | Leave a comment

Sneaky Spammer

Posted on September 12, 2007 by Kelson

Judging by a quartet of comments posted this evening, 3 of which slipped past Spam Karma, someone’s started outsourcing comment spam to India. (I’m serious, the IP addresses were assigned to Bharti Airtel and BSNL Internet, both ISPs based in New Delhi.)

They were posted quickly, as if they’d been composed in another editor and pasted into the form. More importantly, they were actually posted through the form, not just sending data directly to the handler. And most tellingly, the posters had gone to the effort to fill out the CAPTCHA that Spam Karma provides to allow human commenters to recover from a false positive.

The one I liked best, from a technical perspective, was posted on Tall Ships of San Diego. The spammer had followed my link to the San Diego Maritime Museum, then followed that to a page describing one of the ships, the Californian, and generated a post by stringing together sentences from that page. The whole thing linked to a student loan site.

At first glance, it looked like a garbled, on-topic comment from someone who maybe didn’t speak English as their first language. That happens, and if it’s a legit comment, I leave it. In fact, I considered leaving the comment but deleting the author URL, until I looked up the ship. (It wasn’t one of the ships we toured on our visit, and I didn’t recognize the name.) As I looked at the ship’s profile, I started recognizing text from the comment. At that point it became clear what was going on, and I started looking at the other comments posted over the last few hours.

Posted in Spam | Tagged , , , | Leave a comment

Trackback spam is back

Posted on August 22, 2007 by Kelson

I’m surprised it took so long, but trackback spammers seem to have finally figured out that they can sail past the simplest check against trackback spam—does the calling page actually link to the page being trackbacked?–by temporarily adding that link.

Or maybe they have for a while, and they’ve only just started getting past my other layers of defense (namely Bad Behavior and other checks by Spam Karma).

*sigh*

Posted in Spam | Tagged , , | Leave a comment

Spam from the Third Age

Posted on August 19, 2007 by Kelson

I’ve held off on posting funny spam subject lines lately, but I just had to comment on this pair. First up:

Mazrim Taim was one of those, raising an army and ravaging Saldaea before he was taken.

It’s a quote from Lord of Chaos, the 6th book in Robert Jordan’s fantasy series, The Wheel of Time. The next one is a bit less obvious:

If Lan was attempting jokes, however feeble and wrongheaded, he was changing.

I wasn’t sure about this one, since there must be other stories with characters named Lan, but Google Book Search found it in book 5, The Fires of Heaven.

I’ve seen lots of spam that used filler from The Wizard of Oz and other novels old enough to be in the public domain. Project Gutenberg and the like have been transcribing them, making free plain-text ebooks for years, making it easy to snag a couple of lines of actual English text.

In theory this should be harder to identify as filler than randomly-generated text. Continue reading

Posted in Sci-Fi/Fantasy, Spam | Tagged , , , , | 1 Comment

Catching up with Image Spam

Posted on August 2, 2007 by Kelson

Since adding the MSRBL-Images signatures to our spam filters at work, I’ve occasionally dropped in to Spam or Not to help rate their submissions. It uses the “Hot or Not” concept, but instead displays an image that’s been submitted as spam, and asks viewers to rate just how spammy it is. The results feed back into developing their signatures.

Right now they’re just 10 images away from rating every single image in their database.

Total Images: 308780
Total Ratings: 314616
Rated Images: 308770 (99.99%)

Unfortunately, I seem to be mostly getting already-ranked images, because that third number isn’t climbing in step with the second. And of course, when it comes to spam, you can rate all you want—they’ll make more.

Posted in Spam | Tagged , | 3 Comments

No comment?

Posted on April 27, 2007 by Kelson

Project Honeypot recently started tracking comment spammers as well as email harvesting bots. Oddly enough, even though they have data going back to March 22, and even though Bad Behavior and Spam Karma have blocked an incredible number of spam comments on this site (Bad Behavior has blocked 3807 connections in the past week alone)....none of the honeypots I manage have trapped a single comment spam.

And no, the honeypot on this site isn’t protected by those plugins.

Posted in Spam | Tagged , , | Leave a comment

Pro-whaaat?

Posted on March 15, 2007 by Kelson

A piece of spam came across the abuse desk the other day hawking something called “Viagra Professional.” Just as some songs aren’t suited for elevator music, some products aren’t suited for Microsoft-style naming schemes.

Think about it: Outside the pharmaceutical industry, what *ahem* profession would have a use for Viagra?

Posted in Humor, Spam | Tagged , | 3 Comments