
June 14, 2005

Using google for good not evil

Having good google ranking is often useful :)

May 22, 2005

All is well with the world

A quick look at my spam folder indicates nothing has changed and our world is still dominated by sex and money.

Ah, it's good to know nothing changes.

May 05, 2005

Ever wonder how many people actually use spf?

I've had the dubious distinction lately to be the center of attention of many mail servers. Oh, it's not because I'm witty and fun (and I am), it's because some lowlife spammers (may the fleas of a thousand camels infect their beds) decided to use my domain as the return address of their junk.

Fear not, some say, just use spf! So I did.. I switched dns servers on my domain (yah, I was using register.com's and they suck) and generated an spf record.. and now there is one live on the domain as of around 10pm last night. Thanks to all this trouble and work I now have irrefutable, scientific evidence of how well spf works. This well. See that little dent at around 10pm last night? That's about how many servers actually implement spf. Wow, that was so totally worth it. Like, great.

April 26, 2005

Who is onevoice.org?

I got spammed today by some website called onevoice.org. Now on the surface, that would appear to be some well-meaning grass-rooty type of place trying to help the little guys be heard.. What makes me suspect it's more like astroturf is well, the whole spamming me thing. The email came from a residential Road Runner IP in Texas.. (spam warning right there) using Eudora Internet Mail server, the demo version of all things.. Unless that last bit of info was spoofed. It's easy enough to do.

I decided to do a little bit of google investigating just to see what this is all about. Surprisingly, there is actually very little to be found on google about these guys. The current "about us" page lists an Edie Littlefield as "Executive Director". Not much on google about her either.. I decided to call the phone number listed on the domain. It's in San Diego and manned by an answering machine professing to belong to a Dale Sundby. Google produced quite a bit more information for this person .. and if it's the same guy (San Diego bit matches at any rate) so did Forbes. At some point, he appears to have been the Chairman and considering he paid someone to design the website, he most likely funded it as well.

None of this says much of anything.. but when a "grass roots" website starts to spam people and usenet it's a little suspicious. Particularly if they're fronted by someone who is obviously net-savvy.

Curious.

April 24, 2005

A nice "welcome home"

I got home about an hour ago from my California trip to discover my mail server has been working overtime. Quick glance through the logs revealed tons of rejected messages to random email addresses.. reminiscent of a dictionary attack. But that wasn't it.. it's something much, much more annoying. See, dictionary attacks can be easily blocked. They normally come from infected machines in a limited address range and a counter-measure can easily be scripted.

This is something that essentially amounts to a DDOS attack against my mail server. A spammer used my domain as a return address on a lot of spam. Looking at the graph above, I would say this will only get worse before it gets better.

I guess time to setup SPF... although I doubt it'll help much here.
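The difference between the two floods described in this entry, as an added example that is not part of the original post: it tallies Postfix-style unknown-user rejects per client IP and separates a dictionary attack (few clients, many guessed recipients) from bounce backscatter (null sender `<>`, many clients). The log lines are constructed, and the threshold, the function names and the `--dport 25` match are assumptions of this example.

```python
import re
from collections import defaultdict

# Rejected-recipient lines as Postfix smtpd logs them: client IP, sender, recipient.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: [45]\d\d .*?User unknown.*?; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def triage(lines, min_rcpts=5):
    """Split unknown-user rejects into dictionary-attack sources and backscatter.

    Assumption: a null envelope sender (from=<>) marks a bounce, anything else
    is a direct delivery attempt. min_rcpts is an arbitrary example threshold.
    """
    guessed = defaultdict(set)     # client IP -> distinct unknown recipients tried
    bounce_ips = defaultdict(int)  # client IP -> bounces it tried to deliver
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        if m["sender"] == "":
            bounce_ips[m["ip"]] += 1
        else:
            guessed[m["ip"]].add(m["rcpt"].lower())
    return {
        "dictionary_sources": sorted(
            ip for ip, rcpts in guessed.items() if len(rcpts) >= min_rcpts
        ),
        "bounces": sum(bounce_ips.values()),
        "bounce_sources": len(bounce_ips),
    }


def iptables_rules(ips):
    """One block rule per source; the IPs were already limited to dotted quads."""
    return [f"iptables -A INPUT -p tcp --dport 25 -s {ip} -j REJECT" for ip in ips]


def _reject(ip, sender, rcpt):
    """Build one constructed log line (not real traffic)."""
    return (
        "Apr 24 03:10:01 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from "
        f"unknown[{ip}]: 550 <{rcpt}>: Recipient address rejected: User unknown "
        f"in local recipient table; from=<{sender}> to=<{rcpt}> proto=SMTP helo=<h>"
    )


SAMPLE_LOG = (
    # one host walking a name list: the scriptable case
    [_reject("198.51.100.7", "a@bulk.invalid", f"{n}@example.org")
     for n in ("aaron", "abby", "adam", "alan", "alex", "alice", "amy", "andy")]
    # a single mistyped address from a normal sender
    + [_reject("198.51.100.8", "friend@example.net", "typo@example.org")]
    # bounces for forged return addresses, each from a different mail server
    + [_reject(f"203.0.113.{i}", "", f"x{i}q7@example.org") for i in range(10, 16)]
    + ["Apr 24 03:10:02 mx postfix/smtpd[811]: connect from unknown[192.0.2.1]"]
)

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(report)
    print("\n".join(iptables_rules(report["dictionary_sources"])))
```

Six bounces from six different servers leave nothing worth a per-IP rule, while the single dictionary source is covered by one line.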

February 05, 2005

Controlling spam with postfix

Steve has a pretty good tip on rejecting spammers with Postfix HELO controls.

In addition to that, I also use a combination of spamassassin and header checks to drop spam at the door:

In main.cf:

header_checks = regexp:/etc/postfix/header_checks

In /etc/postfix/header_checks:

/^X-Spam-Flag:.YES/ REJECT spam


What happens here? Spamassassin adds the X-SPAM-FLAG header and postfix rejects the message based on that.. This of course is only recommended if you're certain your spam rules are not providing false positives.

January 08, 2005

Spam breeds more spam

As an experiment, I left two typical comment spams in one of my entries (now deleted) only long enough to be archived by Google. I was curious what would happen. In less than 24 hours since the original comment spam arrived the entry was spammed, nay, bombarded with 356 brand new spam comments.

The spammer found my entry via google searching for one of the couple dozen urls spammed in the comment body. Here is a screenshot of what google cache was still showing today. (The spam was actually removed already).

That was pretty fast, wasn't it?

In other words:

Unremoved spam + fast google caching = lots more spam.

Obviously just removing the comments is no longer good enough, time to work on preventing them from arriving in the first place (I have a hangup about using mod_perl, so no mt_blacklist).

December 24, 2004

Reverse psychology in spam

Now this is amusing, a feedback item received at dslr:

Hi, I am Radhika from <removed> site. We came across your site, where there are some links to <removed> from the page Could you please remove <removed> links from your site as we don’t want any incoming links to our site. Kindly remove the links ASAP. Thanks & Regards Radhika G, iGlobalMedia Group Email: radhikag@iglobalmedia.com

A google search on the domain (removed from the text) provides a usenet full of their spam, comment spam all over weblogs and well, if they don't want a link then my mother is a turkey! (sorry mom).

Obviously geared at websites with hope the owners will fall for it and write a "Haha, look at these idiots, they don't want a link" article with, of course, a link.

Sneaky, sneaky.

August 19, 2004

I'm not confirming

I am getting quite annoyed with how some people decide to limit their spam intake. I don't like spam in my inbox either, this is why I use spamassassin and bayesian filtering in my email client. It works quite well, I rarely see any crap in my inbox. Some people take the other route: make others do the work for them.

Well guess what, when you're asking for an e-mail from a busy website that automates e-mail processing you better either not use a tool that requires a challenge-response from the server or learn how to use it properly (whitelist).

To all those people who allow challenge e-mails to go out as a response to a solicited-automated email, phbbfft. You will just not get the e-mail and not be able to use half the features on the website, too freaking bad. This is no way to fight spam -- it's just a way to annoy others.

August 11, 2004

Not that I normally read spam..

.. but this is such a horrendously bad translation (I wonder from what language?) that it deserves to be retained for posterity..

Dearest Hot- Client!

I am "Gradually H. Juliana", and I work on Reasonable-ProgramTools corporation.

You realy is very momentous for our organization!

You spend your banknot and time on my organization,
and I like to let you know that our organization have conclude update of soft listings.

Our firm like remind u that our firm suggesting that this time Our firm have more greater 
program-listings popular soft for huga cheap value with Your personal Buyer concession.

would you be so kind as expend Time of yours dearly-bought time to test our Updated oem-soft 
catalogue righ here: <url removed>

Truly yours, 
Customers Service subdivision, "Gradually H. Juliana"

This was just a test to see if people read spam, right?

July 30, 2004

Comment spam redux

This is new.. now instead of pointing to their own sites, spammers are pointing to weblog entries that are full of comments with links to their sites..

So.. you.. the people who don't clean up your weblogs, like, say kevin jones.. start cleaning,
you're making the problems worse. Check your entry #461..

Yo, Wesner, look at your May 20th entry.

illogicz.com entry #70.

Jason Hannagan April 17th, buddy.

And last, but I'm sure not least Ms Rader, your March 4th entry is just full of spam and being spammed on others' weblogs.

I didn't pull these out of google.. they were spammed on my blog. Start cleaning people!


Thanks.

June 04, 2004

What exactly are the goals of Regional Internet Registries?

Our mail server at dslreports sustained a pretty impressive dictionary attack last night. Over 100K messages from an ISP in Spain. These guys are not amateurs, so of course, first step is checking of blacklists & such, after all, we filter against them - it helps to stop quantities of the spam. The ISP is indeed blacklisted on several IP blocks.. but not the one that attacked us. Which is interesting considering a google search produces an impressive list of spam reports directed at them. Obviously they got a new IP block and are already putting it to use to host a professional spam operation (well, at least one).

Spammers are taking over the web, clogging networks with worthless traffic, flooding servers and inboxes. Why are organizations like RIPE assigning new IP blocks to ISPs that are already heavily blacklisted for hosting spam operations? Wouldn't it be in their best interest to keep these guys confined to their existing assignment? Sometimes I wonder about these organizations.

RIPE (Réseaux IP Européens) is a collaborative forum open to all parties interested in wide area IP networks. The objective of RIPE is to ensure the administrative and technical coordination necessary to enable the operation of the Internet within the RIPE region.

We're facing an IP shortage, but apparently it's not an issue for spammers to get new IPs assigned. These 'collaborative organizations' are not exactly working for the benefit of the Internet.. maybe I'm just naive in thinking that is what their goal should be.

I'm not holding my breath waiting to hear back from the various abuse departments I reported this to.

June 03, 2004

All the traffic spam that a website gets

I've written about referer spam before and sadly things haven't changed much. My site, as do many others, still gets hit on a regular basis by referer spam bots in their never-ending quest to increase google ranking. Unfortunately, bandwidth is cheap and they don't appear to care that hitting my site is not going to help them - google does not index my statistics pages, so appearing there doesn't help anyone get a better pagerank.

I use mod_rewrite and what is now a forest of rules to deny them http access.
Worst offenders by far:

RewriteCond %{HTTP_REFERER} allinternal\.biz [OR]
RewriteCond %{HTTP_REFERER} djhits\.com [OR]
RewriteCond %{HTTP_REFERER} ass-traffic\.biz [OR]
RewriteCond %{HTTP_REFERER} drtushy\.biz [OR]
RewriteCond %{HTTP_REFERER} asstraffic\.biz
RewriteRule .* - [F,L]

Helpfully, this particular bot comes from one IP. Thanks guys, that's very thoughtful of you..

iptables -A INPUT -p tcp -s 69.31.79.2 -j REJECT

Of course, my iptables are full of these entries from flood-comment spammers already.. Most of these are proxies, but many appear to be hijacked machines on dsl and cable connections. People without firewalls suck.
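One way to find candidates for the referer rules above, as an added example that is not part of the original entry: it scans Apache combined-format log lines for external referer hosts that recur from very few client IPs and renders them as an [OR]-chained block. The log lines are constructed, the site host name is taken from the rewrite rule elsewhere on this blog, and the thresholds and function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: client, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"'
)
SAFE_HOST = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def referer_host(referer):
    """Lower-cased host of a Referer value without a leading 'www.', or None."""
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return None
    if not host:
        return None
    return host[4:] if host.startswith("www.") else host


def referer_offenders(lines, own_host, min_hits=3, max_ips=2):
    """External referer hosts seen >= min_hits times from <= max_ips clients.

    Search engines and real links arrive from many visitor IPs; the bot in the
    post came from one. Both thresholds are assumptions for this example.
    """
    hits = defaultdict(int)
    ips = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        host = referer_host(m["ref"]) if m else None
        if not host or host == own_host or host.endswith("." + own_host):
            continue
        # The Referer header is sender-controlled: accept only plain host names
        # before the value is ever written into a config file.
        if not SAFE_HOST.match(host):
            continue
        hits[host] += 1
        ips[host].add(m["ip"])
    found = [(h, n, len(ips[h])) for h, n in hits.items()
             if n >= min_hits and len(ips[h]) <= max_ips]
    return sorted(found, key=lambda t: (-t[1], t[0]))


def rewrite_block(hosts):
    """Render hosts as an [OR]-chained deny block like the one in the post."""
    lines = []
    for i, host in enumerate(hosts):
        pattern = host.replace(".", r"\.")
        flag = " [OR]" if i < len(hosts) - 1 else ""
        lines.append("RewriteCond %{HTTP_REFERER} " + pattern + flag)
    if lines:
        lines.append("RewriteRule .* - [F,L]")
    return lines


def _hit(ip, referer):
    """Build one constructed access-log line (not real traffic)."""
    return (f'{ip} - - [03/Jun/2004:10:00:00 -0400] "GET / HTTP/1.0" 200 5120 '
            f'"{referer}" "Mozilla/4.0 (compatible)"')


SAMPLE_LOG = (
    [_hit("192.0.2.10", "http://www.djhits.com/") for _ in range(5)]
    + [_hit("192.0.2.10", "http://allinternal.biz/top.html") for _ in range(3)]
    + [_hit(f"198.51.100.{i}", "http://www.google.com/search?q=postfix") for i in range(4)]
    + [_hit("192.0.2.10", "http://bad|host.example/") for _ in range(3)]
    + [_hit("203.0.113.5", "http://www.unix-girl.com/blog/"), _hit("203.0.113.6", "-")]
)

if __name__ == "__main__":
    offenders = referer_offenders(SAMPLE_LOG, "unix-girl.com")
    print("\n".join(rewrite_block([host for host, _, _ in offenders])))
```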


May 15, 2004

I have disabled comments

Temporarily as it seems someone is having fun blasting me with comments.. 100s of comments from different IPs... so while I come up with a quick solution involving scripting and IP tables comments are off for all entries.

Well, that is except this one.


Update: okay, so much for spammers.. comments back.

April 28, 2004

Comment spam and mod_rewrite

In my never-ending quest to fight comment spam in my weblog I have been closing off older entries to comments. This works remarkably well, comment spam has come down significantly. Unfortunately, the attempts have not. A simple sampling of my log shows over 200 POST requests today to entries with turned off comments. Obviously, a spam bot. This begs for a new rewrite rule. Granted, the comments were not posted, but it annoys me regardless.. so from now on, if you wish to make a POST request to my server there is a new condition.. you need to be referred from my domain.. Turned off the referer in your browser? Bummer.. you can't post comments.



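# Applies to POSTs that are not trackbacks and that either lack a referer from
# this site or send no usable user agent ([OR] joins only the last two conditions).
# A missing User-Agent shows as "-" in the access log but is an empty string here.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} !.mt-tb\.cgi*
RewriteCond %{HTTP_REFERER} !.*unix-girl\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule (.*) /post_error.html [R,L]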

The above Rule will send anyone who tries to post to my server without a referer from my domain to an error page. Of course, many spam bots use the actual url they're posting to as a referer.. for those I just need to depend on either the user agent (one I saw was just "-") or some idea I'll come up with later.

Side benefit: also stops all those stupid scripts looking for formmail and friends.

Edit: Added a line which will except trackbacks.
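How the rule's conditions combine, as an added example that is not part of the original entry: mod_rewrite ANDs conditions except where [OR] joins them, so the rule reads "POST and not a trackback and (off-site referer or user agent '-')". The requests and URLs are constructed, the user-agent test is written `^-?$` so an absent header also matches, and `HARDENED` with its anchored referer pattern is an assumption of this example.

```python
import re

ENTRY = "http://www.unix-girl.com/blog/archives/000123.html"  # constructed URL

# The rule as (request field, RewriteCond pattern, followed by [OR]).
PAGE_RULE = [
    ("method", r"POST", False),
    ("uri", r"!.mt-tb\.cgi*", False),
    ("referer", r"!.*unix-girl\.com.*", True),
    ("agent", r"^-?$", False),  # "-" or absent; an absent header is the empty string
]
# Assumption of this example: the referer test anchored to scheme and host, so
# the site name appearing elsewhere in the URL no longer counts as "from my domain".
HARDENED = (PAGE_RULE[:2]
            + [("referer", r"!^https?://(www\.)?unix-girl\.com/", True)]
            + PAGE_RULE[3:])


def cond_matches(pattern, value):
    """One RewriteCond: a leading '!' negates; the rest is an unanchored regex."""
    negate = pattern.startswith("!")
    hit = re.search(pattern[1:] if negate else pattern, value) is not None
    return hit != negate


def rule_fires(conds, request):
    """mod_rewrite chaining: conditions are ANDed, except that a run joined by
    [OR] forms one group that passes as soon as any member matches."""
    i = 0
    while i < len(conds):
        field, pattern, or_next = conds[i]
        ok = cond_matches(pattern, request.get(field, ""))
        if or_next:
            if not ok:
                i += 1  # a later member of the group may still match
                continue
            while i < len(conds) and conds[i][2]:
                i += 1  # group satisfied: step over its remaining [OR] members
        elif not ok:
            return False
        i += 1  # also steps over the last (non-[OR]) member of a satisfied group
    return True


def _req(**fields):
    base = {"method": "POST", "uri": "/cgi-bin/mt-comments.cgi",
            "referer": ENTRY, "agent": "Mozilla/5.0"}
    return {**base, **fields}


# Constructed requests. A bot that sends the entry URL as its referer is
# identical to the "reader comment" case, which is the gap the post mentions.
SAMPLES = {
    "reader comment": _req(),
    "bot, no referer": _req(referer=""),
    "formmail probe": _req(uri="/cgi-bin/formmail.pl", referer=""),
    "trackback ping": _req(uri="/cgi-bin/mt-tb.cgi/123", referer=""),
    "on-site referer, agent '-'": _req(agent="-"),
    "site name only in query string": _req(referer="http://other.example/?r=unix-girl.com"),
    "GET, no referer": _req(method="GET", referer=""),
}


def verdicts(conds):
    """Map each sample name to True when the rule would redirect it."""
    return {name: rule_fires(conds, r) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    page, hard = verdicts(PAGE_RULE), verdicts(HARDENED)
    for name in SAMPLES:
        print(f"{name:32} page={page[name]!s:5} hardened={hard[name]}")
```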

March 21, 2004

Spamassassin rules

It seems more and more spam is getting through my spamassassin settings, so I've been re-evaluating my rules, looking at what others are using and seeing what comes through and what doesn't.. Came up with a little set of rules which appears to be helping quite a bit. I have yet to come up with a false positive with these, but your mileage may vary depending on who emails you and how (I never get html email, for instance, so that can be scored high).

RCVD_IN_SORBS is downgraded to zero, since I just discovered it's giving a positive match to mail.dslr.net which is not listed -- hence the blacklist is not reliable.

Note: I use a required_hits setting of 5


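# SpamAssassin score overrides (user_prefs / local.cf syntax)
score HABEAS_SWE 2
score HTML_FONT_BIG 2
score HTML_FONT_COLOR_RED 2
score HTML_IMAGE_ONLY 4
score HTML_MESSAGE 2
score MIME_HTML_MOSTLY 2
score MIME_HTML_ONLY 3
score RCVD_IN_BL_SPAMCOP_NET 2
score RCVD_IN_DSBL 2
score RCVD_IN_DYNABLOCK 2
score RCVD_IN_NJABL 2
score RCVD_IN_NJABL_PROXY 2
score RCVD_IN_SBL 2
score RCVD_IN_SORBS 0
score UPPERCASE_20_50 2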

February 27, 2004

Keep your weblog clean!

It appears that comment spam is here to stay, and attacking the source produces little to no results. Best we can do is get rid of the pesky trash they throw our way and move on with our lives.

The more we delete - the less reason they have to continue, so with all this diligence why is the spam still around? Because not everyone appears to care. Those who don't are the ones providing the spammers a reason to continue flooding our personal web space with their greasy messages full of slimy urls. I see no reason why anyone should put up with spam in their weblog unless it's pure, old laziness. Enough is enough, there are plenty of ways you can deal with it.

  • Just delete them as they arrive, this is easy if you only get a few and becomes tedious and bothersome quickly.
  • If you use MT, Jay Allen's mt-blacklist is your friend. Install it, use it, learn to love it.
  • Close off older entries to comments. This will cut down on your spam considerably as the weasels usually arrive via google searches. Jeremy has a tip on that.
  • Require registration to comment - I hate this one, but if it's the only way for you, whatever, just do it.

Sounds like bothersome, tedious work? That's because it is, but when you open your site to the public and allow them to leave a mark on your pages you have to take the responsibility to make sure your site is not hurting the community -- otherwise you're just a selfish amoeba and need an attitude readjustment. If you don't want to do this, don't enable comments, simple as that. Just like running a mail server brings forth the responsibility of making sure spammers cannot use you, so does running a weblog, a guestbook or a forum site. Make sure spammers have no reason to target us.

One may ask, is this really such a big problem? You bet your sweet linux box, here's a sampling of weblog authors who appear to not give a hoot:


A few thousand words on India or a few dozen casino links?
Addicted to DSLReports or just spam?
Happy New Year and happy spam!
Good advice can I have some viagra with that?
Apparently Safari MT bookmarklet solution is playing blackjack.
Typepad isn't bug free but this entry is sure full of spam!
You also missed a hell of a lot of spam.
I don't know what this says but I know spam when I see it.
Live Journal users are not immune.
The spam post.

This is just from a quick google search, I could probably dig up a few hundred more if I was so motivated. Maybe if I do a set of links like this once a week some will get embarrassed enough to clean up their act. If they notice.. not like they noticed all the spam they're hosting.

Note: If you're an owner of one of the above weblogs and came here from a trackback ping I left you, hiya, I'm glad I got your attention, now clean up please, you're helping spammers.

January 25, 2004

Collateral damage in war against spam

Blacklisting IP addresses of spammers is a common and effective method of keeping spam away from our inboxes. There are many excellent lists that can be used for this purpose. Personally I like ordb which is a list of open relays and sbl.

Another list is SPEWS which goes a step further than the majority of lists and blacklists entire IP blocks of ISPs known to host spammers. On the surface this may seem like a good idea - after all, if an ISP hosts a spammer it is more likely to host more spammers and blocking the entire range may be useful in stopping such future crops of bad guys. This feeling quickly goes away when one realizes that innocent customers of the same ISPs are also blocked by the list -- without a chance of being removed until the ISP cleans up its act. In other words, they're collateral damage and this seems acceptable to those behind the list.

DSLReports found itself in just such a situation recently as I discovered the reason some of our users were not receiving their requested email is due to ISPs filtering their incoming traffic through SPEWS. There is another factor to consider here.. the IP of our server is blacklisted at level 2 which, according to SPEWS FAQ should only be used if someone wants to filter their email very aggressively. It isn't surprising that with the ever increasing deluge of spam a couple ISPs would follow the advice of "professionals" and use the more aggressive method of filtering their traffic. (Incidentally, I have been asked by several people to expose the ISP(s) who are filtering at this level but I refuse to start a witch hunt and will not do this).

To make the long story short, the article Karl and I wrote created some noise (slashdot, etc) and grabbed the attention of news.admin.net-abuse.email, which is the newsgroup you're directed to when you wish to be removed from the SPEWS blacklist. We followed up with an interview with the CEO of our ISP and it seems nac is well on their way to cleaning up house with 3 listings remaining on spamhaus, down from 12 just a few days ago. Not bad, hopefully it'll be zero very soon.

Of course, what this results in is claims that "DSLR showed that SPEWS works". Well, not really. Yes, we did manage to grab the attention of our ISP and get the CEO involved in cleaning up their abuse department.. that's true, but this is because we are a relatively well known site and can create enough noise to be a pain. Your average ISP customer does not have that leverage. So, yes, it worked, nac is cleaning house, but no, this does not prove the method of blacklisting entire block ranges works in the long run. Not to mention that if we were approached with "hey guys, nac is a pain, help us" we probably would have.. nobody wants to be associated with what is seen as a "spam friendly ISP". Of course, a case might be made that we should have been watching the lists and seen this sooner, but neither of these things happened and 'what ifs' aren't very productive.

In the last few days I have read many arguments for the way SPEWS operates and many against it.. What it boils down to for me, is that the people behind SPEWS do not see anything wrong with the collateral damage of blacklisting innocent people who may not have the resources to affect how their ISP operates and are only left with the choice of either switching to a different provider (not always possible or easy as anyone with a website knows) or routing email through an external host (ironic, that this is the same method spammers use to by-pass blocks).


The most popular of arguments:

SPEWS doesn't block anyone, they just provide a list.
True, they do not block anyone, their list is utilized for that. Now let's pretend that an adult makes this argument, one may assume that as an adult s/he understands that actions have consequences. The list is published with a specific purpose in mind -- to be utilized as a list of IPs to block from receiving mail servers. Anyone can make a list, but as soon as you make it publicly available and clearly describe what this list includes you need to take the responsibility to make sure that the content is accurate and true. So, yes, while SPEWS themselves do not block anyone, as producers of the list they are responsible for its content.

Administrators have a right to block whoever they want
That they do, my argument isn't with the administrators blocking anyone, my argument is with SPEWS knowingly including IPs that have never produced a byte of spam on a list that is used by many administrators to filter incoming email. It's an unfortunate fact that many admins do not even know that SPEWS does this, that's clearly seen if you scan comments in both our news stories - quite a few people admitted to using SPEWS and being unaware that innocent customers of ISPs are listed, not just spammers. In my honest opinion, any administrator of a large server who refuses email solely on a SPEWS listing is irresponsible and if s/he were my employee they would be looking for a new job.

SPEWS works
I addressed a part of this earlier. It worked in this case, it doesn't work in the other cases, otherwise the list would be much shorter, wouldn't it? If it worked ISPs wouldn't stay listed on it for long (nearly a year for nac).

Using SPEWS means I get less spam
I'm sure you do, I'm sure you would get even less spam if you blacklisted the entire Internet, in fact you would get no spam, but you'd also get no email. If you can live with that, be my guest, but can your customers? (Obviously people running their own servers can do as they please).

There are few to none false positives with SPEWS
That's my favorite. Running a large mail server (that's 40K+ emails a day) means you cannot possibly know what your false positive rate is. Anyone who claims they do is full of it. With a smaller server, it's possible to scan through logs and see what was rejected, but once again, for anyone running a small server none of this applies as their email blocking choices affect only them, not thousands of customers as would be the case with an ISP.

You support a spam-friendly ISP therefore you support spam
I think this one just deserves a thorough and complete eye-roll.

Fact is, there is no evidence that a list like SPEWS is any more effective in stopping spam than a less aggressive list that blacklists only known spammers. I would venture an opinion that any administrator who is responsible for a large mail server and uses SPEWS to deny incoming email is irresponsible and is allowing his/her personal feelings about spammers to get in the way of performing a service to his users.

January 24, 2004

ACM needs a clue

I'm an acm member and have been for years. In reality, I just read the publications and use their email address as I've had it since college.

Some time ago their database of email addresses was compromised, that's bad enough.

Today I received spam sent to one of their announcement mailing lists. That's just sad. Get a clue acm!

January 19, 2004

Don't use a cannon to kill a fly

We all hate spam, me no less than others.. but seriously.. can we do something about this ridiculous method of blacklisting entire IP-blocks whether they belong to a guilty party or not just to get even with an ISP that is presumably hosting spammers?


dslreports.com a website that openly fights against spam.. blacklisted by spews as part of the entire IP-block.. and of course there is no chance of removal.. just a several hundred word rant... not instructions (although you would think from the link...). Thanks for wasting 15 minutes of my life reading that. I know what spam is and I know why it's bad.. we don't spam.. and moving ISPs is not an option.. so essentially spews is blacklisting us for.. what again?

This isn't solving a problem, spammers will not use a blacklisted host and don't care about the carnage they leave behind as they hop from ISP to ISP.

January 07, 2004

The new twist in spam

It is rare that a piece of spam slithers into my inbox through all my ever vigilant filters -- so when it does, I pay attention. These days spammers are no longer greasy 16 year olds with a dsl connection, now they're sophisticated, bright, innovative opponents.. any other types drop off the map so quickly they don't know what filter hit them. It becomes a game.

"How did this one get through"
"Oh, I see, clever boy"

Filters improve, and as a result, spammers improve. A spammer who can get through my filters and infiltrate my inbox is a worthy opponent indeed. Either that or just incredibly lucky.

Today's gem comes with a new methodology, not just relying on fooling the filters, this one is meant to fool the recipient. Of course, that point is not new, spammers have done this since the early days of "MAKE MONEY NOW" schemes on usenet.. but typically they try to appeal to the reader..

Subjects like...
"About last night"
"Re: resume"

..and so on.

Anyone can see through those, especially when they attempt to appeal with a personal touch and include the email prefix in the subject..

"You didn't call joe01239clas"

Well, gosh, all my girlfriends call me that, I should read it now! Not. What is the one thing that almost everyone is guaranteed to read?

"You're such an asshole!"

In small print inside "buy viagra" -- all jokes about the subject and enclosed message aside.. that's pretty damn clever.. Who can pass up a message that alludes to causing any sort of wrong doing? Play at that little guilty devil inside all of us.. Well, it only works once, no goal, your ball.

November 25, 2003

Brought to you by the letter $

New "anti-spam" legislation bought and paid for by corporate America. This is ludicrous, self-congratulatory legislation that solves nothing.. in fact it enables companies to spam provided they use real headers and add removal instructions.. of course those probably will be a 900-number in most cases.

Anti-spam.. that's laughable.. Karl has more to say on the issue.

October 27, 2003

I don't understand spammers

I suppose that's putting it lightly.

Why, why, oh why do they try so hard to circumvent spam filters? Isn't it rather obvious that a person who uses filtering is thoroughly uninterested in viewing their offer of a larger penis, bigger breasts all while chewing viagra and paxil?

Surely, there must be a better way to market to the gullible.. if I was so uh, well, dumb, as to believe the products they're pushing work.. I probably would not be using spam filters..

It's just so frustrating..

1. Spamassassin let it through.
2. Apple mail client didn't notice it.
3. Well.. I did and deleted, congrats? You got me to hit my delete button?

Who is the idiot who buys from these people, I want to kick his ass.

October 20, 2003

Meanwhile, on the spam front

i) For those two MT-using bloggers who have not yet seen Jay Allen's blacklist plugin for Movable Type, here it is. It sounds like a great idea and I'm sure it works quite well.. unfortunately not at all with mod_perl.. The inevitable slowdown of not running MT under mod_perl would probably negate the time saved no longer deleting spam comments, so I'll have to wait on this one.

ii) I got tired of looking through spamassassin-marked-spam. Over the last year or so that I've been using spamassassin only 2 or 3 real e-mails were marked as spam.. and the cause there was over-use-of-html-in-email-syndrome aka "Mom, quit using that crap for e-mail". So.. result?

/^X-Spam-Flag:.YES/ HOLD

In header_checks.. Postfix rocks.

What's that.. you sent me email in HTML and I didn't get it? Gee.. bummer.

October 05, 2003

spam spam spam

Spam in comments continues to increase... I get about 10 or 20 a day now (delete, delete, delete).. So looking for patterns..

1. It's always done by a real person.. does not appear to be an automated script.
2. Inevitably, the original hit is a result of a google search.


Maybe I should just disallow commenting for all who arrive via google..

Maybe if Google fixed their bloody methods and stopped treating weblogs to high rankings for everything this wouldn't be an issue.. since the whole point of this spam is to increase a site's google ranking.

At any rate, this is getting more annoying by the day.. yet another thing ruined by spammers.

October 04, 2003

This may have been my last one ever

Door-to-door salesmen. I thought they all died out with the ease of e-mail spamming.. but apparently not. The perils of living in suburbia.. lots of houses with lots of people in them and easily accessible by foot for the right-minded perky college student.

*ding dong*

[Insert long diatribe about winning some contest (a trip to Cancun! You ever been there?) which culminates in a brochure with subscription options for such fine magazines as Reader's Digest]

k: "Uh, no thanks".
sg: "Don't you want to help me win?"
k: "No, not really, but nice guilt trip"

Not even a good bye and he's walking off to the next house over.. and our admittedly short but yet so spunky and perky relationship ends.

Oh well.. still.. it's something to tell your grandkids 50 years from now as they marvel at the idea of people selling things door-to-door.

October 02, 2003

Clever scammers

I've received an e-mail today claiming to be from ebay and requesting confirmation of information.. That's nothing new, of course.. we've all seen these scam emails soliciting information.. The clever part of this one was that the entire e-mail content was just an image, which was of course a link..

Looks quite real, doesn't it? I bet my mom would have fallen for it.. If she used ebay.. I've tried to explain to her why html in email is bad, but she doesn't get it, sigh.

September 30, 2003

Life with pop-ups

Most commercial websites these days will serve you pop ups. It's a fact of life that is only fixable with a pop-up stopper (newer mozilla has it built in, as does opera and safari) and some good-old-fashioned ignoring of websites that stoop that low to make $0.10.

The one thing that scares me is that people are so used to this advertising technique they do not stop and question when a website that never served them pop-ups before suddenly spawns gater-ware. Now we're in the territory of adware.. What's scummier than serving your users pop-ups? Serving them pop-ups that install "adware" (scumware?) on their PCs and spawn flashing advertisements on any website they visit. At dslr, we get accused of serving pop-ups on a regular basis.. which we don't, never have and never will.. Now considering that probably about 1% of people who get them even bother asking, reporting or just plain-old bitching about it .. that probably translates into a healthy percentage of the general internet-surfing population with spyware and adware on their machines. Marvelous.

We're hunting down and prosecuting socially-inept high school kids who happened to have modified an existing virus.. but nobody cares that half the net-users out there are infected with malicious crap spawned by evil advertising companies. So.. it's okay to install software on someone's machine without their consent to make money.. but do it to say "Bill Gates sucks" and you get a jail term. Gotta love it. Capitalism at work.

September 11, 2003

Next boon on the Internet?

Only in the form of increased spam! I keep getting spam for "internet keywords".. in fact, several of them a day.. every day.. every week.. every month.. ugh..

Is it just me?

(Yes, I do use spamassassin, but I check my spam folder to make sure no real mail got caught).

Snicker, snicker

Dave Barry gives telemarketers a taste of their own medicine:

The American Teleservices Association isn't laughing at Dave Barry, not after the Pulitzer Prize-winning humor columnist for The Miami Herald listed the group's telephone number in his Aug. 31 column and sparked a flood of phone calls to the group's offices.[...]

Thousands of Barry's readers have done as they were told, forcing the association to stop answering its phones. Callers now hear a recording, which says that because of "overwhelming positive response to recent media events, we are unable to take your call at this time."

September 03, 2003

It seems everywhere I turn lately, there are assholes trying to figure out a new way to annoy people by marketing to them... Using people's resources without permission.

What is it this time? Spam in blog comments.. something that's been around for a while, but this is the first persistent idiot I found.. So for the first time, I've made use of MT's nice feature of banning an IP from posting comments.. which is so much cleaner than a service denial at apache level. Not to mention I don't have to edit my config files.

The dweeb who uses 61.181.5.147 (probably a hijacked PC or open proxy anyway) has been consistently posting comments with links to porn sites in my weblog.

September 02, 2003

New lows in pop-ups

This is so slimy how can it possibly be legal? Yes, that's on my work linux box.. a little funny, really.

August 28, 2003

If you use spamassassin

If you're using spamassassin and have rbl checking turned on, it's pretty important to either turn it off or hack your spamassassin install to not use osirusoft anymore. Due to some wonderful DOS attacks the service has become totally unreliable (more offline than on) and when it does return results they're unpredictable. It flagged several of my e-mails as coming from open relays.. ones I knew for a fact were not... So you could be dropping email and not even know it.

To turn off rbl checks in spamassassin:


skip_rbl_checks 1

In your config file..

To just turn off osirusoft, you can be an idiot like me and hack the .cf files.. or just use the simple directions over here (thanks Steve).

August 13, 2003

Hello spammer..

Through the amazing powers of grep and various other assorted unix utilities I think I can conclusively say that whoever is the proud owner of 64.237.60.52 is a referer spammer.

Out of the 50 or so domains that two websites on my server were spammed with, this one IP is common to all.. and is the first hit with such referer.. consistent browser string, not a bot and very pingable.

NetTransactions, LLC CHOOPA-NETBLK01 NET-64-237-32-0-1
64.237.32.0 - 64.237.63.255
VIREX c/o Choopa.Com CHOOPA-64-237-60-0 NET-64-237-60-0-1
64.237.60.0 - 64.237.61.255

NetTransactions, what a surprise.

July 24, 2003

Spam legislature

Actually, I'm just reposting the same article I wrote for dslr today..

MSNBC reports that according to a survey of some 1,200 Internet users conducted by ePrivacy Group "Three out of four Americans favor a 'Do not spam' registry".

Modeled after the Federal Trade Commission's "Do not call" registry, it appears on the surface to be a good idea. That is until one realizes that a large percentage of spam comes from outside of the US and it would, of course, be impossible to enforce. Given this little tidbit one may go as far as saying that a "Do not spam" list would instead become a "Please spam me" one as enterprising spammers worldwide would gain access to a nicely formatted, easily accessible list of real e-mail addresses. Did I mention free?

Fear not, despite this grim prediction, such a list will probably not come to life thanks to practically zero support for any anti-spam legislature in the Congress. So though the survey states what we already know -- people do not want spam -- the government is not exactly listening. Senator Charles Schumer of New York is creating warm and fuzzy feelings by supporting this idea but his efforts may perhaps be better served supporting something more definite and enforceable. One idea that comes to mind is enforcing the rules at the level of the ultimate seller, not just the spammer himself. Not only would this prevent companies from hiding behind contracted mailers it would bring these (mainly US-based) businesses under the control of US law and hit them where it hurts the most: in the pocket.

Any anti-spam legislature whose basis is an opt-out type list is a black hole of wasted effort and will only appease the news media while providing little to no relief for those whose mailboxes are under deluge.


Originally posted at dslreports.

July 09, 2003

Foreign language spam - it's a problem

New milestone in my Internet life -- I have just received my very first piece of spam in Spanish.. After the initial chuckle and lame jokes shared with various buddies I realized the real problem.

Spam assassin completely missed it..

X-Spam-Status: No, hits=0.0 required=5.0

Nada! Not even half a point!

Why?

It's a plain text email without obviously forged headers and spam assassin relies heavily on commonly used phrases..

This is going to be a nightmare if this first e-mail indicates that I've gotten on some foreign-based spam lists... Unless of course foreign-language support is built into spamassassin.. Once again, we rely too heavily on the whole world speaking English.


Oy

June 09, 2003

New scam?

Spotted in my spam file:

... I have been totally disabled for the past eight years. I cannot work out of the home and I am trying to live on my social securoty.[more "pity me"crap cut out]

I contracted with an advertising company . This company does addvertising for Universal Studios and a few more. They have asked me to get names, the town you live in and your and telephone number. For evey one of these they will pay me a dollor.

The only thing that you would get is one advertisement from the compay. Do you think you could do that for me? I will be so grateful to you... [sure.. and then my name and number will end up in someone's email box..]

The misspellings are a nice touch.. ends with a name and number which is listed under that name in Wallingford, CT (the town I work in.. ).. and on usenet on a BBS list from 1995 (heh).. but the IP originates in NYC .. so either this person is really, really stupid for listing her name or some poor woman is now being flooded with phone calls from irate spammed people..

April 28, 2003

Hm.. scary mail

With a subject like that and a sender with that name it could frighten anyone..

From: Jerry Garcia
To: me
Subject: See ya soon!

(Of course it was spam)

February 20, 2003

Spam not just for sad geeks anymore

Forget increasing your penis size, breast size, having better sex or getting that much needed free vacation.. now you can also buy steak knives through the convenience of spam in your inbox..

At least it's something different.

Professional Steak House Steak Knife LIQUIDATION !

Okay, that was exciting.

December 30, 2002

spam fighting gone a little too far

Entire ISP blacklisted because SNET doesn't have an abuse@ email address..

*bad* idea.. why?

The mail server I use is hosted on a business DSL line provided by SNET. It's a completely legit business account running completely legit servers. The only problem is SNET does not provide reverse DNS entry other than their own. Really, they don't.. we tried for years to get them to do it.. unfortunately they're our only cost-effective option here in Connecticut for running a server.

My domain has a working abuse@ email address, but I am being blacklisted from mail servers due to this entry because my server's reverse DNS entry is x.snet.net.

This is taking spam fighting way too far, it will not stop spammers, it will stop legit people like me. Blacklisting entire ISPs works against the very people anti-spam groups are trying to protect.

Perhaps SNET did choose not to obey RFC rules.. but *I* did and I only have control over my server.. not SNETs.

Half of this discussion is in Derek's blog which sparked the whole thing..

Edit: As said by Derek, I'm wrong, it's not about not having an abuse address it's about requiring a certain format of abuse emails.. which I do have to admit is ridiculous.. but that doesn't change my stand that blacklisting the entire ISP is counterproductive at best.

December 19, 2002

Is spam about to get even worse?

As I notice more and more spam in my inbox and more and more people attempting to spam a website I help out with.. it makes me wonder.. Is spamming only going to get worse?

It seems logical to me that it will as the economy has not improved much at all. Jobs are hard to find - particularly in technical fields - and people get more desperate...

For a laid-off technical person spamming may seem like a good temporary solution to a bad situation, after all it has to generate some results -- otherwise so many wouldn't do it. The recent stories of Alan Ralsky and his new home purchased with spam-earned income won't help this any.

So given a relatively easy to deploy possible income generator, I think more and more people will go this route.. It's surely unethical and slimy.. but better than stealing.

November 01, 2002

Evil spam-generating-beings

Redkernel Softwares (no link for you, you lame bastards) has been spamming my referrer logs.. that's bad enough.. but they also fake google searches to show up in my site stats with a link. Slimy.. lame.. and now in my hosts.deny file.. I really need to script this.. I'm sure a lot more people will pick up on spamming this way.

10 hits today.

213.36.82.225 - - [01/Nov/2002:13:31:07 -0800] "GET / HTTP/1.0" 200 1840 "http://www.google.com/custom?cof=AH%3Acenter%3BS%3Ahttp%3A%2F%2Fwww.redkernel-softwares.com%2F%3B&domains=redkernel-softwares.com&q=redkernel-softwares&sitesearch=redkernel-softwares.com" "RedKernel_WebCrawler (<a href=http://www.redkernel-softwares.com/?dir>RedKernel_WebCrawler</a>)"
213.36.82.225 - - [01/Nov/2002:13:31:03 -0800] "GET / HTTP/1.0" 200 1840 "http://webcrawler.redkernel-softwares.com/?5Wla9C61uXJtLnNzyQ" "RedKernel_WebCrawler (<a href=http://www.redkernel-softwares.com/?dir>RedKernel_WebCrawler</a>)"
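A sketch of the scripting mentioned above, as an added example that is not code from this blog: it flags client IPs whose referrer is a search URL restricted to a third-party domain (the faked google search in this entry) or that present several unrelated referrer hosts for a single page (the pattern in the August 13, 2003 entry). The site hostname, the threshold and every log line are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<path>\S+)[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" ".*"$'
)

OWN_HOSTS = {"blog.example.org"}  # assumption: hostnames of the site being protected
MIN_REFERER_HOSTS = 3             # assumption: threshold, tune against real traffic

# Constructed sample lines (documentation IP ranges and .example domains).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Oct/2002:03:58:47 -0700] "GET /blog/ HTTP/1.1" 200 114362 "http://a.spam-one.example/m/d114.html" "Mozilla/4.0 (compatible; MSIE 5.0)"
203.0.113.7 - - [13/Oct/2002:03:58:49 -0700] "GET /blog/ HTTP/1.1" 200 114362 "http://b.spam-two.example/m/9f3c.html" "Mozilla/4.0 (compatible; MSIE 5.0)"
203.0.113.7 - - [13/Oct/2002:03:58:52 -0700] "GET /blog/ HTTP/1.1" 200 114362 "http://c.spam-three.example/m/77ab.html" "Mozilla/4.0 (compatible; MSIE 5.0)"
198.51.100.9 - - [01/Nov/2002:13:31:07 -0800] "GET / HTTP/1.0" 200 1840 "http://www.google.com/custom?domains=promo.example&q=promo&sitesearch=promo.example" "Promo_WebCrawler"
192.0.2.44 - - [01/Nov/2002:14:02:11 -0800] "GET /blog/ HTTP/1.1" 200 114362 "http://www.google.com/search?q=unix+blog" "Mozilla/5.0"
192.0.2.44 - - [01/Nov/2002:14:03:40 -0800] "GET /archives/ HTTP/1.1" 200 5120 "http://blog.example.org/blog/" "Mozilla/5.0"
192.0.2.44 - - [02/Nov/2002:09:15:02 -0800] "GET /archives/ HTTP/1.1" 200 5120 "http://friend.example/links.html" "Mozilla/5.0"
"""


def promoted_search_domain(url):
    """Return the third-party domain a google referrer is restricted to, if any.

    A real search that led here has no reason to carry sitesearch/domains
    pointing at somebody else's site; one that does is advertising that site.
    """
    parts = urlsplit(url)
    if not parts.hostname or "google." not in parts.hostname.lower():
        return None
    query = parse_qs(parts.query)
    for key in ("sitesearch", "domains"):
        for value in query.get(key, []):
            if value.lower() not in OWN_HOSTS:
                return value.lower()
    return None


def find_referrer_spam(log_text):
    """Map each suspicious client IP to the sorted list of reasons it was flagged."""
    per_ip = defaultdict(lambda: {"hosts": set(), "paths": set(), "reasons": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        host = urlsplit(m["referer"]).hostname
        if host is None or host.lower() in OWN_HOSTS:
            continue  # empty, "-" or internal referrer
        entry = per_ip[m["ip"]]
        entry["hosts"].add(host.lower())
        entry["paths"].add(m["path"])
        promoted = promoted_search_domain(m["referer"])
        if promoted:
            entry["reasons"].add(f"search referrer restricted to {promoted}")
    flagged = {}
    for ip, entry in per_ip.items():
        # Many unrelated referrers, all "leading" to the same single page.
        if len(entry["hosts"]) >= MIN_REFERER_HOSTS and len(entry["paths"]) == 1:
            entry["reasons"].add(f"{len(entry['hosts'])} unrelated referrer hosts for one page")
        if entry["reasons"]:
            flagged[ip] = sorted(entry["reasons"])
    return flagged


if __name__ == "__main__":
    for ip, reasons in sorted(find_referrer_spam(SAMPLE_LOG).items()):
        print(ip, "->", "; ".join(reasons))
```

The output is a candidate list to look over before anything goes into hosts.deny, since a shared proxy or a busy aggregator can trip the second check.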

October 30, 2002

Verizon spammer settlement

Verizon made a settlement with the notorious spammer Alan Ralsky. According to this article he is "barred" from sending messages to Verizon customers.

The settlement, parts of which are secret, means that Verizon's 1.64 million Internet customers in 40 states will no longer receive spam from Alan Ralsky, whose Michigan-based company, Additional Benefits LLC, is considered one of the largest sources of bulk e-mail.

Outside of wishing that this settlement was not secret.. (why exactly is the spammer being treated so nicely?) I wish they had gone a step further and prohibited him from sending messages through the Verizon network altogether.. that way, unable to control Internet routing, he could be breaking the agreement anytime he sent spam.

Maybe next time.

What we need is legislation that prohibits marketing by using customer's own resources without explicit permission from said customers. Hence, you can't send me marketing email (using my bandwidth and storage space) unless I permit it (opt-in list), you can't market yourself in my referrer log (using my server and my bandwidth) without my permission, and you cannot post marketing comments in my weblog without my permission.

Why is the government protecting businesses, not constituents? We are living, breathing humans, corporations are made up entities.. why do they have more rights? I cannot legally protest McDonald on their property without their permission, but they can fill up my inbox with marketing messages against my wishes. Why are McDonald's rights (it's just an example) more important than mine?

October 27, 2002

Referrer spam take three

Seems this is now of more interest.. wired just did a story on this new spam form.

Referral logs, intended to collect information on who visited a website and how they happened to arrive there, are being stuffed with bogus links. Curious bloggers who click on a logged link to see who visited their site are instead led to pornography or advertising sites.


No kidding.. I wrote about it here, here and here.

Spammers, once again, take something useful and make it less so.. and where's our legislature in all this? Oh yes, too busy protecting rights of corporations instead of the people they're supposed to serve.

Repeat after me..
It is NOT okay to use someone's resources to spam them with marketing messages..
It is NOT okay to interfere with someone's usage of email to spam them with marketing messages.
It is NOT okay to interfere with someone's usage of system logs to spam them with marketing messages.
It is NOT okay to interfere with someone's usage of the internet to spam them with marketing messages.
It is NOT okay to fill people's lives with marketing messages.

Fictional entities (corporations) should not have rights above those of living humans (dead ones can't be spammed).

How long before http://www.weblogs.com and http://blo.gs can no longer defend themselves from spammers and will discontinue their services? I'm guessing less than a year. Thanks a lot.

October 25, 2002

Referrer ads take 2

The company I discussed in this entry just hit my server today. Now they join the lucky few in my list of banned IP addresses.

ip48.ip54.com Address: 207.253.71.48

October 24, 2002

Referrer spamming service

Not going to link to the page, I refuse to provide them more traffic.. I hate advertising enough as it is, but I hate it even more when they use *my* resources without my permission to spam me with a message I don't want to see. I've already been spammed with this method before and I hate being duped this way. Get out of my system logs.

From the spam service website:

We are doing referrer marketing: adding your URL as a referrer in the logs of thousands of weblogs. If you are seeing this page, referrer advertising worked with you.

Thankfully, no, read this on Inluminent. Here's hoping nobody is stupid enough to actually pay them money.

You might also see it as a PR tool for bloggers.

Q: How many weblogs can you reach?
A: We are currently reaching 55,250 weblogs, more being added every hour.

The best PR tool for a blogger is to create interesting content that others want to read, not make others visit through deception. This could only turn me off from reading a weblog. In fact, I should start checking my referrer logs closely and keep a list of weblogs that subscribe to this service, just to make sure I don't visit them. In fact everyone should do that.. just to make sure this company makes no money from spamming other people's system logs.

Q: How much does it cost?
A: The cost of a referrer broadcast is CAN$ 1500, which converts roughly to US$ 1000. We accept Visa and MasterCard.

Anyone who has to pay money to get others to read his writing probably isn't worth my time anyway.

How low will marketing companies get before something is done about this? Why are advertisers still legally allowed to use people's own resources to spam them with unwanted marketing messages?

October 13, 2002

Spamming through referrer logs

I'm sure I'm not alone in the practice of checking my referrer logs to see where most of my visitors come from.

This morning, I found an odd one..


216.123.202.196 - - [13/Oct/2002:03:58:47 -0700] "GET http://www.unix-girl.com/blog/ HTTP/1.1" 200 114362
"http://avs.raverpussies.com/members/absolutesex/d114d45d/Jack-Lisa0083.html" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"

There were eight of these entries all referring back to what looks like randomly generated string within the 'raverpussies.com' site and all requesting just my /blog/ directory (the most popular page on my site).

Being the paranoid conspiracy theorist that I am, I thought this odd at the very least.. so armed with my trusted lynx (very carefully and wearing rubber gloves) I opened the said website.. As suspected, it's just another porno site with zero relevance to my page (other than I'm a female and am equipped with the same type of body parts that are apparently splayed all over the pages there). I would strongly suggest nobody visit them unless they want endless pop-ups and a hijacked browser..

The obvious conclusion.. I've been spammed through my referrer log! A google search unearthed this kuro5hin article from May 2001 on this very topic.

It certainly looks like this slimy practice isn't new at all.. just new to me. With the relatively new custom of displaying the recent referrers on the front page of many blogs I can see this quickly growing in popularity.. After all.. it's an easy way to get yourself linked from pages that are guaranteed to have multiple daily visitors.

Excuse me, I now have to go sanitize my logs. Pass the lysol.

September 12, 2002

My first cell phone spam

I wonder how coincidental is this with today's announcement by Verizon that they're going to use MSN for their cell phone web services now?

Complete with links.. hmm.... (omitting the links below.. they don't need my help in getting hits).


MYVZW
f: tracie@myvzw.com
s: The Complete Guide for Attracting and Seducing Women

Attracting beautiful women is EASY- if you know how to do it

Yep.. Just what I need too! I've always wondered how I could attract beautiful women more easily..

July 20, 2002

Selling out the customers

My internet provider (AT&T) whom I pay $45 a month for my service seems to want to sell me out to spammers and telemarketers.. I am pretty mad..

Read more about this in the post I made on dslreports.com

If the business model is not viable to survive at current subscription rates.. raise the rate.. don't sell out the customers!

July 13, 2002

Spammers and lies

This quaint text was included on top of a spam message I received today (To see the full message with headers click on "more" link on the bottom of this entry.).

LEGAL NOTICE: Pursuant to the requirements of 47 USC Sec. 227 b(2)(B)(ii)(I), and related FCC regulations, this message is *not* an unsolicited email (UCE). This message is the product of a consensual, pre-existing and ongoing relationship between sender and recipient. Attempts to intercept this message are in violation of 18 U.S.C. 2511(1) of the Electronic Communications Privacy Act (ECPA), which subject the interceptor to fines, imprisonment and/or civil damages.
This newsletter is a supplement you subscribed to.

Okay, my friend, you picked the wrong gal to spam..

  1. "This newsletter is a supplement you subscribed to". - Two lies right there...
    • (a) I don't define newsletter as a one-time mailing about a crappy product.

    • (b) I know what I subscribe to.. this isn't it.

  2. Remove me link: hm, you need my full name to remove me from your spam list? I don't think so.. If I was stupid enough to provide this information on your site I'm pretty sure it will just become a commodity - valid email address AND a name! Nice try.

  3. Title 47, Sec 227 b(2) reads:
    Regulations; exemptions and other provisions The Commission shall prescribe regulations to implement the requirements of this subsection. In implementing the requirements of this subsection, the Commission -

    (A) shall consider prescribing regulations to allow businesses to avoid receiving calls made using an artificial or prerecorded voice to which they have not given their prior express consent;

    (B) may, by rule or order, exempt from the requirements of paragraph (1)(B) of this subsection, subject to such conditions as the Commission may prescribe -

    (i) calls that are not made for a commercial purpose; and

    (ii) such classes or categories of calls made for commercial purposes as the Commission determines

    (I) will not adversely affect the privacy rights that this section is intended to protect; and

    (II) do not include the transmission of any unsolicited advertisement; and

    (C) may, by rule or order, exempt from the requirements of paragraph (1)(A)(iii) of this subsection calls to a telephone number assigned to a cellular telephone service that are not charged to the called party, subject to such conditions as the Commission may prescribe as necessary in the interest of the privacy rights this section is intended to protect.
  4. Do I even have to say it? Title 47: "Telegraphs, telephones and radiotelegraphs"


    1. Does not apply to the Internet, you spammed me via e-mail

    2. Is meant to protect consumers from unsolicited contact by people like you

    3. Does not define what unsolicited email is or is not, since it has nothing to do with email

    4. This message is not a product of a pre-existing ongoing relationship between us (I'm not that desperate for a relationship, thanks for asking). However, by sending me this lovely piece of junk you have pissed me off enough to formulate a new, ongoing relationship in which I will make sure you will lose some things.. like your Internet access.. your website and any other thing I may find while tracking you down.. good luck.


I hate spammers, but what I hate even more are stupid spammers that try to tell me that not only do they have the right to spam me, but put *Legal threats* (unfounded as they may be) in their message.

Continue reading "Spammers and lies" »