Category Archives: Spam

Mail Enhancement

After reading Kiri's analysis of her email, I was curious about my email. But first…

Dr. T sent me mail earlier today because I have hit the Big Time. Yes, my obscure, PG-13 blog is deliberately blocked by a Fortune 500 company:

Access Denied (policy_denied)
Your system policy has denied access to the requested URL.
The above Website is blocked. For assistance please Call XXX 853 5555-Option 1 and then 5 – Network Support Team

The best working theory I have is I’ve insulted the product manager by making unflattering observations about marketing partnerships, 5-gallon buckets of paint, or dryers.
But which?

Since I’m already banned, I might as well get on with the topic today. For the last week, I’ve been analyzing my personal mailbox to determine:

  • How much mail do I get?
  • How effective is my spam filtering?
  • How were the non-spam handled?
  • What general characteristics of spam were observed?


WordPress 2.1

One of my complaints against Movable Type was that SixApart didn't update the software very often, especially now that they're pursuing the "Enterprise" space. Since switching to WordPress six weeks ago, there have been three updates. I don't know if I should be happy it's so actively developed, or worried that it still has enough security issues that they have to release interim patches. However, one downside of switching is I have to revisit the issue of spamments (bogus site referrals or PPP comments), something I had tamed two years ago.

A common pattern to these spamments shows up in my site logs as follows:

smtpgw.umcsd.um.edu.my - - [21/Jan/2007:22:24:27 -0800]
"POST /w/wp-comments-post.php HTTP/1.1" 404 84
"https://www.jimcarson.com/a/2004/07/where_does_all_1.shtml"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Although they purport to be referred from my site, I know they're faking it because the page they claim to come "from" no longer exists. This is confirmed by scanning back in the logs for earlier accesses from that address: there are none. What's disturbing is how many similar accesses I'll see from different hosts. For this particular page, I see these "visitors":

1 125.90.64.72
1 131.107.64.93
2 200.88.223.98
2 205-200-65-121.static.mts.net
1 220.72.196.68
1 59.11.146.64
1 60.217.227.140
2 60.217.227.141
1 61.240.111.196
1 61.55.135.167
1 67.128.2.9
1 dns1.tcn.ed.jp
1 host57.201-252-42.telecom.net.ar
1 proxy02-hcm.vnn.vn

When I see patterns, such as the case with the 60.217.227.* machines, I’ll block the entire subnet using .htaccess.

order allow,deny
allow from all
# block the whole 60.217.227.* range seen in the log
deny from 60.217.227.
# block any client whose reverse DNS name ends in .info
deny from .info

This works for spammy concentrations of hosts (especially the 80.* hierarchy), but a quick scan of the list above shows how distributed the problem is, which limits the method's effectiveness. Most of these machines have been bot-fested.
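The check described above (a POST to the comment script whose Referer page the same client never actually fetched, then grouping the offenders by /24 to spot clusters like 60.217.227.*) as a small log analyser. This is an added example, not code from the blog; the log lines are constructed in Apache combined format and the IP addresses are documentation ranges, not the hosts from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Apache combined log format (not the blog's real log).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jan/2007:22:20:01 -0800] "GET /a/2004/07/where_does_all_1.shtml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jan/2007:22:21:10 -0800] "POST /w/wp-comments-post.php HTTP/1.1" 200 84 "https://www.jimcarson.com/a/2004/07/where_does_all_1.shtml" "Mozilla/5.0"
198.51.100.20 - - [21/Jan/2007:22:24:27 -0800] "POST /w/wp-comments-post.php HTTP/1.1" 404 84 "https://www.jimcarson.com/a/2004/07/where_does_all_1.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.21 - - [21/Jan/2007:22:25:02 -0800] "POST /w/wp-comments-post.php HTTP/1.1" 404 84 "https://www.jimcarson.com/a/2004/07/where_does_all_1.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.9 - - [21/Jan/2007:22:26:40 -0800] "POST /w/wp-comments-post.php HTTP/1.1" 404 84 "https://www.jimcarson.com/a/2004/07/where_does_all_1.shtml" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

COMMENT_SCRIPT = "/w/wp-comments-post.php"   # path from the post's log excerpt

def parse(log_text):
    """Yield one dict per well-formed combined-format line; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def referer_path(url):
    """Strip scheme and host so a Referer can be compared with request paths."""
    return re.sub(r'^https?://[^/]+', '', url)

def find_fake_referers(log_text):
    """Return the clients that POSTed to the comment script claiming a Referer
    page they never fetched earlier in the log (the forged-Referer bot pattern)."""
    seen = defaultdict(set)   # host -> paths it has GET-fetched so far
    suspects = []
    for rec in parse(log_text):
        if rec["method"] == "GET":
            seen[rec["host"]].add(rec["path"])
        elif rec["method"] == "POST" and rec["path"] == COMMENT_SCRIPT:
            if referer_path(rec["referer"]) not in seen[rec["host"]]:
                suspects.append(rec["host"])
    return suspects

def by_subnet(hosts):
    """Count suspects per /24 (assumes dotted-quad IPs, not resolved names)
    so a cluster worth a 'deny from' line stands out."""
    return Counter(".".join(h.split(".")[:3]) + "." for h in hosts)
```

A client that legitimately read the entry first (the first two sample lines) is not flagged; the three blind POSTs are, and two of them fall in the same /24.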

Removing the original wp-comments-post.php script resulted in a sharp decline in the number of spamments from bots that just blindly post to the default script location. There are still bots that parse through the HTML, finding references to my "diespammers.php" comment script. The next time I change the script name, I'll also edit the form identifier to remove the obvious place the bots can scrape. Doing this on Movable Type reduced the spamments to a trickle.

I set up a “preview” mode for comments. This uses the filosofomio plug-in, which has a CAPTCHA option. I know some people hate CAPTCHAs, but at some point it may become necessary. Since I’m an offramp on a tertiary road of the information superhighway, I don’t need the nineteen digits in multi-coloring, wavy fonts and lots of speckles (like Blogspot). As an end user, I find these are a real pain in the ass because I inevitably get the letters wrong. On one of the forae I maintain, I had to implement a CAPTCHA to thwart the spam-bots that sign up for accounts. I tried to make them extremely easy, and hopefully funny, to a human. For example:

Do you see a giant, pink Energizer bunny in the photo? (Hint: the answer will be immediately obvious.)

Hard-filtering on keywords hawking the same, uh, product has had limited effectiveness. Currently, if someone posts any comment containing the name or web site of a discretionary pharmaceutical product, below-the-belt engorgement aid, or pay per view variants of adult recreational activities, that comment immediately gets tossed into the spam bin.

I have had less success with various anti-spam plugins. In particular, any of the canned CAPTCHA-based schemes I've tried don't work with some browsers (*cough* Internet Explorer). This is likely some obscure style sheet issue that will take a month to track down. Even the venerable Akismet plugin worked well … until I upgraded WordPress.

Distributed comment spamming

Today I had my first distributed, coordinated comment spam attack. This one was interesting because within a five minute time span, twenty comments were posted to three separate entries. The comments used a similarly formatted message but linked to different, legitimate web sites. They were also from completely different IP addresses (list below the fold).

Clearly something in the Movable Type 3.3 upgrade broke my CAPTCHA. I have comment moderation on until I have time to deal with it.

Impress her… not

A "Joe-Job" is when a spammer sends out thousands of emails, masquerading as someone else. When the (334) emails bounce or (three) people respond, it comes to the lucky joe-jobbee, e.g. me. The deluge of mail headers this morning suggests distributed spammery, so I'm not even going to bother with firing off futile requests to ISPs to flog customers who have inadequate firewalls and virus protection. (Yes, I realize virus protection is unnecessary for those practicing safe hex.) Luckily, the barrage was fleeting.

All of the mails direct the recipient to the same site in Thailand, 202.142.213.36 (rev-ip.isp-thailand.com).
Clearly there's enough financial return for spammers to (wait for it…) keep this up. However, I have to wonder about the mega-gullibility of someone who would buy an erectile dysfunction elixir based on an unsolicited email.