Recently in Spam Category

I got asked a question at work today that had me stumped (although spf might be a solution).
The scenario:- The spammer creates a spam email and spoofs the From email address. The From email address is set to be a spamtrap email address - one of the emails that will blacklist your domain if you send email to it.
The email then gets sent out to a million people - several of whom have out of office assistants turned on, and so they reply to say they are out of the office.
The result:- The spamtrap email address gets an email from your domain and your domain gets blacklisted. Your users can't send emails to valid recipients and spamcop takes forever (12-24 hours on the best of days) to get your machine white listed again.

So my question is - how do you solve this problem or work around it? You need to keep out of office on so that genuine users will know if their email is going to get read or not. I was thinking that possibly spf would work. A user who is likely to check spamcop for blacklists is also likely to check spf records. If you have spf records set, then the spoofed email would not be accepted in the first place...... The only flaw with this is that it relies on both the relay machine AND the recipients to do spf checking - and not a lot of people do that.
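One way an out-of-office responder could apply the SPF idea above, as an added example that is not part of the original post: it only auto-replies when the site's own mail server recorded an SPF pass for the envelope sender, and it also applies the usual RFC 3834 auto-responder checks. The host names, addresses and sample messages are constructed, and it assumes the receiving MTA stamps an Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OUR_MX = "mx.ourdomain.example"  # assumption: authserv-id stamped by our own MTA


def sample(return_path, auth_results, extra=""):
    """Build a constructed test message (not real traffic)."""
    return (f"Return-Path: {return_path}\n"
            f"Authentication-Results: {auth_results}\n"
            f"{extra}"
            "From: someone@sender.example\n"
            "To: alice@ourdomain.example\n"
            "Subject: hello\n\nbody\n")


# Spoofed spam: envelope sender is a (hypothetical) spamtrap, SPF failed.
SPOOFED = sample("<trap@blocklist.example>",
                 f"{OUR_MX}; spf=fail smtp.mailfrom=blocklist.example")
# Same spoof, but the sender injected its own "spf=pass" header.
FORGED_HEADER = sample("<trap@blocklist.example>",
                       "mx.elsewhere.example; spf=pass smtp.mailfrom=blocklist.example")
GENUINE = sample("<bob@customer.example>",
                 f"{OUR_MX}; spf=pass smtp.mailfrom=customer.example")
LIST_MAIL = sample("<bounces@lists.example>",
                   f"{OUR_MX}; spf=pass smtp.mailfrom=lists.example",
                   "Precedence: list\nList-Id: <sec.lists.example>\n")
BOUNCE = sample("<>", f"{OUR_MX}; spf=none")


def spf_verdict(msg, trusted_mx=OUR_MX):
    """Return the SPF result recorded by our own MTA, or 'none'."""
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = value.partition(";")
        # Anyone can add this header; only believe the one our MTA wrote.
        if authserv_id.strip().lower() != trusted_mx:
            continue
        match = re.search(r"\bspf=([a-z]+)", results.lower())
        if match:
            return match.group(1)
    return "none"


def auto_reply_target(raw, already_replied=frozenset()):
    """Return (address_or_None, reason) for an out-of-office responder."""
    msg = message_from_string(raw)
    # Reply to the envelope sender (Return-Path), never to the From header.
    sender = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if not sender:
        return None, "null or missing envelope sender (bounce)"
    auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    if auto != "no":
        return None, "automatic message (Auto-Submitted: %s)" % auto
    precedence = msg.get("Precedence", "").strip().lower()
    if msg.get("List-Id") or precedence in ("bulk", "list", "junk"):
        return None, "mailing list or bulk mail"
    verdict = spf_verdict(msg)
    if verdict != "pass":
        return None, "sender not authenticated (spf=%s)" % verdict
    if sender in already_replied:
        return None, "already replied to this sender"
    return sender, "ok"


if __name__ == "__main__":
    for name in ("SPOOFED", "FORGED_HEADER", "GENUINE", "LIST_MAIL", "BOUNCE"):
        print(name, auto_reply_target(globals()[name]))
```

This only helps for sender domains that publish SPF records and only if the MTA removes incoming Authentication-Results headers that claim its own name.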

I contacted 1&1 the other day to see if I could set up spf records for helsby.net but they don't support it on any of their packages - seems a shame, but also seems to be in keeping with their policy of not letting you get your hands dirty in the real management of the network and making everything gui-ized.

No more trackback

I've finally had enough with the trackback spam and have disabled trackbacks on the blogs - It's very rare that I get a valid trackback so I'm not missing much - by all means link to me - I'll see it by checking the referrer logs.

Optout on credit offers

Not sure whether it will do any good, but you can sign up to opt out of credit card offers, loan offers, mortgage stuff and all the other rubbish that gets sent to you as soon as you buy a house by registering with the optout website run by experian and other credit agencies. You can opt out for 5 years online, if you want to permanently optout you have to print a form out and send it in the post. I guess this is so that most people can't be bothered to do that and forget after 5 years.
I did try using the phoneline to do this a while back but it uses (allegedly) voice recognition and wouldn't recognise my name or address. Kristen was getting quite frustrated listening to me trying to say my name and address with an American accent so pulled the phone from me and tried to do it herself, but it wouldn't accept her pronunciation either.

trackback spam

hmmmm - I've just been hit with 234 trackback spams to the blog (and all the associated emails that details). I thought mtblacklist was meant to stop this sort of thing! Anyway, I went to load the pings up and when I went to delete them it came back with an error that said it was not able to load the ping for deletion. But when I went to redo it there were no spammy pings - weird.

Carwarrantyprovider.com

We purchased a new (to us) car yesterday and so I've spent some time looking at warranty/service packages for the car.
Within an hour of passing my details onto CarWarrantyProvider.com I was starting to get spam to the unique email address I provided them. Stay away from this company. I've yet to actually receive the information that I requested from them, but I have been offered $1500 deposited in my account because I might receive temporary financial assistance, and all sorts of other naff stuff. Good job I can bounce the email back in control panel :-) I guess I should have checked their privacy policy before submitting my information. Hopefully I won't get bombarded with telephone calls.

spam from pfizer (benadryl)

I've been receiving a lot of spam email from Pfizer (who make Benadryl in the US) after trying to find out where to get Benadryl in the US. They never responded to my email request, their telephone response was incorrect ("we don't do it over here" is wrong) and now they've been sending me marketing emails with unsubscribe links that show how naff their database server is.
It wasn't until I eventually found an email address for their privacy office AND complained to etrust that I got some action from them to investigate the problems. Apparently they "understand the frustration and would like to help you in the most efficient way."
I've suggested they do the following:-

  1. Monitor your privacy address so you would have taken action on the request (with forwarded email) I sent on the 2nd October

  2. have working unsubscribe links in a newsletter.

  3. have contact information on your website so that people can contact you to get off if a and b don't work

  4. Don't send out emails with a fake/unread return email address

donotvisit.org

At lunch this afternoon we were talking about how the number of unsolicited calls seems to have dropped since the donotcall list had taken effect on our phone number. Previously we were getting about 4 or 5 calls before lunch and this week we might have had one call and even then we're not sure if it was related to a previous company that we might have contacted.
Anyway, about 10 minutes after thinking everything was working, there were 2 people standing at the door and were trying to get us to sign up for membership at the local golf company. A joke was made that the donotcall list was working so they were visiting instead.

My first spam at gmail.

Got my first piece of spam delivered to my inbox at gmail today. Not bad in just under a year of use (I signed up 1st July 04). In that time I've also not had a false positive either. The only spam that I have had to the email address has been some sort of "working under pressure" mailing list that somehow got my address from somewhere. Seeing as though I am careful about who I give the email address to I know I didn't sign up for it and it also looks like gmail is more resilient to the mailbombing antics that yahoo and hotmail seem to face.

Microsofts advice on spam

I went to microsoft.com today and there was a big banner for hiding your email address from spammers. Along with the 5 steps to improve your security, this is some sensible advice for newbies. Incidentally did you know this is National Cyber Security Awareness Month? I didn't and the month is almost over. I think the homepage for this is staysafeonline.info but I'm not sure - a quick google search didn't show up a definitive answer to a homepage.

Blogexplosion

I've recently discovered a new service called blogexplosion which is a formalised link exchange which claims that "you refer new members to BlogExplosion you will receive a portion of the traffic they generate for as long as they are a member". Sounds like a pyramid marketing scheme to me! The only way I've heard about it so far has been from commenters talking about it in their link - in other words, spam. Needless to say I've not signed up for the service and I'm not likely to unless they have an enforced acceptable use policy to stop people spamming their link so they can get more traffic.
The amusing thing is that they have a "top rated blog". Presently the top 6 sites have 10 stars out of 10 with only 1 vote....hmmm I wonder who voted for that blog then - the owner perhaps?

Don't opt out of spam

We all know that opting out of spam is a really bad idea as it just confirms you read the spam, but apparently the latest round of spam can infect your machine with a trojan when you click on the unsubscribe link.
Thanks Register

There is a new version of TheBat! out and so the authors sent out an email to their database. Unfortunately the reply address was misconfigured in that any replies went back out to the list again - oops! At least only one email got through before they stopped it.

MT Blacklist 1.65

There's a new version of MTBlacklist out but this posting has two mistakes in it. The first is that it doesn't end in eig but eg, and it should be A-F not A-Z. Therefore the line should read


$str =~ s/\%([0-9A-F]{2})/chr(hex($1))/eg;

I also edited the version number at the top of the file (Blacklist.pm) too but I don't think this is strictly necessary.

Junk email

Why is it that the only spam that seems to get past the Outlook 2k3 spam filter is advertising dodgy copies of microsoft software (and others)? It seems to catch most of the other spams I get so it's kind of ironic really.

new popups from dabs?

Went to visit Dabs.com this evening in firefox, with adblock and popupblocker active, yet it still managed to popup a window for highstreetshopper with no other interaction by me. I also found a similar problem when I tried to go to veggietales.net (which is a defunct domain). The veggietales one I can sort of understand as this redirects to a .jsp file called popupwrapper and sure enough 30 seconds later a popup appears. Not sure (or care) how dabs have done it - it's just annoying.

Spam in gmail

I got my first spam in my gmail account over the weekend. It therefore took about two days from posting my email address on a newsgroup posting to getting spam. It was for the Nigerian 411 scam :-( If I get any more then I may drop the account and setup another one using my other gmail invite.

6 more sms spammers hit.

Hooray - 6 more spammers got fined by ICSTIS to a total of £450,000. Shame that ICSTIS don't have the power to ensure that the poor people scammed get their money back. As to them not operating in the uk, what good is that? They're based out of the uk in the first place. Seems to me that they'd have been better stopping Smile Telecom from sending sms's out.

blacklist worked....

Well it looks like my blacklist worked last night and the night before. Each night, about 8pm I get about 200 hits from about 20 different IP addresses (unfortunately dialups so they change) trying to promote various sick web pages. The past two nights they have been blocked by blacklist. However I've not made any changes apart from adding captcha and the log doesn't say it was denied due to that. What is interesting is that I thought the blacklist would automatically ban IP addresses on repeated spams but it doesn't seem to have done that. More investigation needed I think!

Captcha installed

I installed the captcha plugin and spent about an hour to get it to work. The instructions only mention editing comments.pm but if you have installed blacklist then you need to edit mt/extlib/jayallen/MTBlPost.pm instead and make sure you edit the right section (he has two subroutines depending on which version of MT you are running). Hopefully this will reduce the amount of spam submitted on this site as I really don't want to spend an hour a day removing the comments and deleting the email on my machine(s).

spam comments

Has anyone else been hit with loads of spam comments on their site? Despite throttling of comment submissions AND the blacklist in the past couple of days I've had 25+ comments hit per day with about 100 in the latest attack. Most of the pages are either bestiality or incest related so have now been banned but it's a right pain.
Update: Another 300+ spam comments got in. I'm sure that a lot of them should have been picked up by mtblacklist though as they either contained words on the list or should have been triggered by spam. Something is seriously wrong.

New Advanced Fee fraud case

I received a UK lotto notification that I had won 2.5million dollars in an email this morning. Quite why a UK Lotto would pay out in dollars and send notifications to Europe, America and Africa I don't know. However they did make the mistake of including a UK contact address in London and a UK based phone number (mobile). I've therefore bothered to actually pass this information onto the police as they might just have been dumb enough to give correct contact information.

Marketing Viagra

We had a package addressed to our marketing manager. On the front cover of the label was a label saying "contains delicate medical material - ViagraLolly". This caused much amusement in the office as you can imagine. Inside was the Viagra Lolly - an effective cure for idea impotence. Although it's a spoof item to help your "creative juices flowing" in the wrong company's hands (ie ours) this could cause major problems with a lot of mickey taking and embarrassment for the recipient.

Very strange spam

For the past couple of weeks I've been getting very strange spam with contents such as $B:#F|$O$J8$K$J$C$F$O$$$?$@ which is really weird. I just tried adding the first 20 or so characters of the email into the web front end to MT and it totally mucked up my keyboard, so I guess it's some form of an ANSI keyboard remap or something? All I can think of is it's some sort of Japanese spam (as a lot of the emails are .jp addresses)
Anyone else seen this?

Popfile 0.21 released

There's been a new version of Popfile released which has some pretty major enhancements. Make sure you read the documentation before installing. I'll be doing that in the next few days I hope.

Java Ad's?

I was surprised to hear my computer making some noise when checking some links from a blog and discovered the culprit was about.com which is using java ad's in the browser. Identical in the way to flash ads, but using java. Seeing as though I have the click to view plugin, I don't see the flash ad's but I heard this one. I really hope this is not the start of a new trend.

yahoogroups spam.

Yahoo have now introduced a spam filter to their newsgroups. The daft thing is that not only is it having loads of false positives, it actually still sends you the email, but includes the spam email as an attachment. The only way this really helps is that it stops you accidentally opening spam messages containing web bugs to verify your email address. It also puts [spam] at the front of the subject (and an x-header line) so that you could put a filter on it. However with no way to whitelist or blacklist senders or any obvious means of training the spam engine it's going to be more hassle than it's worth.

Backup spam?

For some reason outlook 2003 decided that the email from one of our servers sent after the backup completed successfully was spam. The email is practically identical to the one it sends every other night, but last nights one was spam weirdly enough!

62.213.67.122

Blocked the IP address 62.213.67.122 from this site this evening after checking my MT logs. Several times today it's been used to try and spam this site, but the blacklister got them first :-) It's a site in Russia so I doubt they've got real concerns looking at this site.

Comment spam submission

MT-Blacklist Comment Spam Clearinghouse: Comment blacklist submissions is the place to go when a spam comment is received

MT-Blacklist

Finally got round to installing the MT-Blacklist - A Movable Type Anti-spam Plugin at lunchtime. Don't know why I haven't done it earlier really!

As an alternative to mailinator.com I've discovered dodgeit where you can instantly give out fake/temporary email addresses such as ibm@dodgeit.com and then monitor the "mailbox" as an rss feed. I guess this is similar in functionality to mailbucket, but dodgeit is specifically designed for this purpose, whereas mailbucket is designed as an email to rss gateway.

Comment Spam.

Got a comment spam on one of my pages today - fortunately they only spammed one comment, with a "I like your website" followed by loads of links to loads of different web sites. I just promptly deleted it. Then tonight when I checked my rss feeds, one guy had been hit about 15 times with the same comment, but from "different people" - the script obviously uses different names such as lisa, phil etc.
(sounds like the author might be an eastender fan)

Spam on Orange phones

Orange have details on what to do with spam sms messages including a free number (7726/spam) to forward them onto. They will collate and then forward them onto the Telephone Preference Service to investigate. Now I just wish Vodafone and T-Mobile will do the same thing.

Spamnet addin for Outlook Express

Although I don't use outlook express and stopped using Cloudmark's spamnet with outlook when they went to the pay model, the beta version of Cloudmark's Spamnet for outlook express is now available to download and use.

Comment Spammers plugin.

I've installed James Seng's Bayesian filter for MT on this blog and laboriously went through all my comments and marked them as not spam. (A button to mark ALL comments as spam or not spam would be nice for first installations. Most people have probably already cleaned out their comments from spammers when they install something like this). Now it reckons that all my comments are 50% likely to be spammers and 50% unlikely to be spam. Will be interesting to see if this changes over time!

TPS (again)

Seeing as though I have a new mobile number I've had to register again with the Telephone Preference Service

Comment Spammers on feedster

The lowlife who spam my comments will get added to Feedster's Comment Spammer listing

SpamDrop

I downloaded and installed SurfSecret's Spamdrop the other day on the office pc, and so far out of the 217 messages received today, not one of them has been detected as spam. The interface is VERY similar to the cloudmark SpamNet software but a bit clunkier. It does provide whitelisting and blacklisting though which is good however in order to get to this functionality and to see the spam stats you need to go to Tools/Options/Spamdrop/Advanced/ - a one click button on the toolbar that gets installed would be a lot friendlier. The other thing is that their faq page says it works via a web proxy, but when I checked our firewall logs traffic on port 8600 was being blocked.

ICSTIS do some good.

Interesting article about how ICSTIS is going after the sms spammers and the number of complaints they have received. They include details about the spammer who spammed me and then got fined £50k

411 scam tries to get smart.

I received a 411 scam mail today that claimed they were Mohammed Abacha and had been imprisoned, with a link to the BBC website about the imprisonment. If I replied to a canada.com address then I could claim my share in $29million dollars. Funny how they sent the email via a french (free) email portal though!

UK bans spam - or has it?

Report from the BBC reckons that the UK has banned Spam messages. The main flaw that I can see is that it doesn't take effect until December, will only be of use on emails sent from the UK (ie 0.0000000001% of spam) and will not count for business addresses. What's the point of excluding business addresses when there is so much screaming about the millions of pounds being wasted by staff having to deal with spam emails? Does that mean sending to sales@ or info@ is a loophole spammers could exploit as they could claim they are sending it to a business address? With the catchall facility most emails have, then emails to these addresses are going to get through. This is similar to the ICSTIS stance on spam sms messages to the mobile where they won't take action on complaints I've made because it's a business mobile (as if the sms messages were business related OR the spammer realised it was a business mobile? Likely story). I really wish the people who lived in the Ivory towers of lawmaker land would open their doors and get some real life experience!

Result from ICSTIS.

Heard back from ICSTIS today about my complaint.

Spams from MT emails

I need to find a way of spamencoding emails on the website (or removing the email addresses from MT) as I think I got my email address crawled from it. At the moment the only spams that seem to be getting through to my mailbox are the Nigerian 411 ones.

Following on from the post about Microsoft suing 15 spammers, they have finally admitted that one of the alleged spammers is actually innocent. I hope that they did more than apologise after dragging his name through the mud like that. Mind you, it serves as a warning for anyone buying a domain to make sure that it's not been used for spam in the past.

Downloading the spam

Decided to download the spam from my mailserver on localhost to my mail client so I can clean the mail server up and also take a look at some of the spam. They are getting quite clever now in how they avoid spamfilters. One I saw the other day used the fact that invalid html tags are ignored. So the spam contained a line such as "get y<hello>our ne<world>ws her<test>e" which would get past a spam filter looking for the words "get your news here".
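The bogus-tag trick described above, and one way a filter can defeat it, as an added example that is not from the original post: render the HTML to visible text before matching phrases, and keep the unknown tag names as an extra spam signal. It also drops HTML comments, which goes slightly beyond the case in the post; the sample message, phrase list and tag lists are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Tags that visually separate words; everything else is dropped without a space.
BLOCK_TAGS = {"p", "br", "div", "tr", "td", "li", "h1", "h2", "h3", "table"}
KNOWN_INLINE = {"a", "b", "i", "u", "em", "strong", "span", "font", "img",
                "html", "head", "body", "title"}

# Constructed sample modelled on the line quoted in the post.
SAMPLE = ("<p>Hi,</p><p>get y<hello>our ne<world>ws her<xyz>e</p>"
          "<div>fr<!-- filler -->ee offer</div>")
PHRASES = ["get your news here", "free offer"]  # constructed phrase list


class VisibleText(HTMLParser):
    """Collect the text a mail client would display, plus unknown tag names."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.bogus_tags = []

    def handle_starttag(self, tag, attrs):
        if tag in BLOCK_TAGS:
            self.parts.append(" ")
        elif tag not in KNOWN_INLINE:
            # A client ignores <hello>; the words on either side join up.
            self.bogus_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in BLOCK_TAGS:
            self.parts.append(" ")

    def handle_data(self, data):
        self.parts.append(data)
    # Comments are discarded: HTMLParser.handle_comment does nothing by default.


def normalize(html_body):
    """Return (lower-cased visible text, list of unknown tags)."""
    parser = VisibleText()
    parser.feed(html_body)
    parser.close()  # flushes any buffered trailing text
    text = re.sub(r"\s+", " ", "".join(parser.parts)).strip().lower()
    return text, parser.bogus_tags


def scan(html_body, phrases):
    """Compare a naive raw-source match with a match on the visible text."""
    raw = html_body.lower()
    text, bogus = normalize(html_body)
    return {
        "naive_hits": [p for p in phrases if p in raw],
        "normalized_hits": [p for p in phrases if p in text],
        "bogus_tags": bogus,
    }


if __name__ == "__main__":
    print(normalize(SAMPLE)[0])
    print(scan(SAMPLE, PHRASES))
```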

I got another 411 email today with interesting details on how they got my address - "However, we will sign a binding agreement, to bind us together I got your contact address from the Girl who operates computer,"
Just wait until I see Girl who operates computer again - how dare she pass my details on!

Harvester Project joined

I've joined and configured this site to work with the SpywareInfo Harvester Project which tracks spammers by getting their IP address from spam emails they've sent. The two spams that I have received to this new domain so far (one today and one yesterday) have both been sent by crawling the website and sending emails to a particular email address unique to their IP address. These IPs are now blocked from the entire website (although I need to think whether that's the best thing to do with these IPs or not)
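A sketch of how a per-visitor trap address like the one described above can work, as an added example: this is not the Harvester Project's own code or address format. The page that the crawler fetches shows an address that encodes the visitor's IP and the date, with a keyed tag so that made-up addresses are ignored. The secret, domain, layout and sample IP are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import re
from datetime import date

SECRET = b"constructed-demo-key"   # assumption: a secret known only to the site
TRAP_DOMAIN = "trap.example"       # hypothetical domain that accepts trap mail
TAG_LEN = 10                       # hex digits of HMAC kept in the address


def _tag(payload, key):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def make_trap_address(client_ip, day, key=SECRET):
    """Address to print on the page served to client_ip on the given day."""
    ip_hex = f"{int(ipaddress.IPv4Address(client_ip)):08x}"
    day_hex = f"{day.toordinal():06x}"
    payload = ip_hex + day_hex
    return f"u{payload}{_tag(payload, key)}@{TRAP_DOMAIN}"


def decode_trap_address(address, key=SECRET):
    """Return (crawler_ip, crawl_date), or None if the address is not ours."""
    local, _, domain = address.strip().lower().partition("@")
    match = re.fullmatch(r"u([0-9a-f]{14})([0-9a-f]{%d})" % TAG_LEN, local)
    if domain != TRAP_DOMAIN or not match:
        return None
    payload, tag = match.groups()
    # Reject guessed or altered addresses so nobody can frame an innocent IP.
    if not hmac.compare_digest(tag, _tag(payload, key)):
        return None
    ip = str(ipaddress.IPv4Address(int(payload[:8], 16)))
    return ip, date.fromordinal(int(payload[8:], 16))


def crawler_ips(spam_recipients, key=SECRET):
    """Map the recipient addresses of received spam back to crawler IPs."""
    found = set()
    for rcpt in spam_recipients:
        decoded = decode_trap_address(rcpt, key)
        if decoded:
            found.add(decoded[0])
    return sorted(found)


# Constructed sample values (203.0.113.0/24 is a documentation range).
SAMPLE_DAY = date(2004, 7, 26)
SAMPLE_ADDR = make_trap_address("203.0.113.7", SAMPLE_DAY)
TAMPERED = SAMPLE_ADDR[:3] + ("0" if SAMPLE_ADDR[3] != "0" else "1") + SAMPLE_ADDR[4:]

if __name__ == "__main__":
    print(SAMPLE_ADDR, decode_trap_address(SAMPLE_ADDR))
    print(crawler_ips([SAMPLE_ADDR, TAMPERED, "info@trap.example"]))
```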

Received my first spam to the absoblogginlutely.net domain today which isn't bad going as I've had it a couple of months. They got the address by crawling my spambot page for email addresses on the 26 July and sent the email on the 26th.

The latest in hacker hijacks is to target permanently connected pc's and create a website using a ring of these pc's. news.com has more details.

In a very embarrassing situation, AOL blocked Messagelabs emails as they had detected Messagelabs as a spammer due to having an open relay... Embarrassing as Messagelabs tout themselves as an antispam and anti-virus provider!

Spam on MT

Had my first spam comment arrive last night, at least I think it was spam....it was in a foreign language and to a post I wrote months ago. It's not there any longer! That's not too bad considering I've had a blog for over two years now!

Using Apache to stop bad robots, Dive into Mark and KungfuGrippe all have related links which I'll have to investigate sometime when I get a chance.

More Like This talks about how he has a mobile as they don't get telemarketing calls (after a discussion about how to register or unregister phone numbers on the US Do Not Call list that was just recently launched). The bloke's lucky - I'm still getting spam sms's on the mobile - although we don't get telemarketing phone calls probably due to the excessive charges to ring mobile phones.

Ironically after I posted about Microsoft's anti-spam feature in exchange, Neil posted that Microsoft are now going to sue the spammers who sent stuff to their hotmail subscribers....Maybe I should forward them all my spam that I get on hotmail and the other 100 odd emails I get to my old email account.

I turned on filtering by domain for an email address at work the other day to reject emails from certain addresses as we were getting spammed. This was done by entering the address in the form of @domain.tld: in Exchange Manager, expand the Global Settings container, right-click the Message Delivery object, and select Properties to open the Message Delivery Properties dialog box. Go to the Filtering tab, click Add, then enter the SMTP address of the external sender who is propagating the loop. Use "@domainname.tld" to reject all email from domain domainname.tld (but don't put in the quotes). That looked like it was all you needed....but nope - I was still getting the test emails I was sending from this domain. The secret is to go to the virtual smtp server, open the virtual server's Properties dialog box and go to the General tab. Click Advanced. Select the IP address that you want to configure, then click Edit. In the Identification dialog box select the Apply Filter check box. Then restart the smtp server and emails get blocked!
Why Microsoft didn't put a useful tooltip or dialog box to warn that you need the second step I don't know.

Popfile restore

I've reverted my version of Popfile to the prior version 0.81 as the latest version seems to leak memory - often I would come home to find dialog boxes were not being displayed on the screen fully - and it had an annoying bug in that the tray icon was invisible and kept disappearing at random intervals (although how an invisible item can disappear is another topic) and it meant the rest of the icons would jump around the screen as they moved along the taskbar. AND it took forever to reclassify a spam.

Spam from local web company

Remember when a local hosting company sent me a snotty email when I politely pointed out some mistakes on their website? Today I got their newsletter....which I hadn't asked for. Their first paragraph says they want to know how they are doing and they welcome feedback..yeah right....They have a competition that asks how many layers of support they have....I've entered zilch - so I'm expecting to win that one. They then go on to talk about how bad spam is and how we can avoid it......despite the email itself being spam (although you could VERY slightly argue that I've initiated contact with them once - but at no time did I ever ask to be put on their mailing list)....There is an opt out procedure to the mailing list - I have to reply to a named individual to ask to be removed. No automated removal option or suggested subject so they can categorise the requests and they don't mention the address they have used to send to you (it's a bcc). I've told them to remove all helsby.net addresses and I've not been very polite about it this time!

I posted a response to the Security focus mailing list yesterday and the message got through - to at least most of the subscribers. I had two out of the office auto replies (unfortunately too far away from here so I can't burgle them), one undeliverable and two challenge/response prompts from subscribers with spamarrest. What amazes me is that someone is of enough techie calibre to belong to a Security mailing list but doesn't have the knowledge to disable Out of Office replies (which tells the person that they are unavailable for a long period of time - probably on holiday at this time of year, therefore their home is vacant and their account might well be open for dialin/ras access and sometimes they give internal phone numbers which might be useful for social engineering purposes), or has used an email address that is "protected" by spamarrest. What's the point of signing up to a mailing list if everyone on that mailing list (or the majordomo bot) has to acknowledge their posts to you again? I can guarantee that the subscriber is going to find the mailing list VERY low traffic!

Oh, and I also had an interesting bounce from an email address ending in blogger.com that had "Your message could not be posted because of the following reason(s):jcoffi.securityfocus @ blogger.com, XML-RPC Error" Not sure why that message came back or what it relates to....maybe the folks internally to blogger have an email to blog gateway so the mailing list becomes web enabled for their internal users????

I received a spam email about hardcore porn today to an email address that had only been given out to emusic.com. Either they are selling their membership list against their security policy, they have been hacked, or someone is sending to VERY random email addresses (where the first 6 out of 12 characters are vkxcih). Any of the possibilities is not good. I'd recommend you don't use their service (I can't even remember why I signed up) and I'm deleting the email address that was used so I don't get any more.
Update: The email address used was vkxcihisrnxe@ and I never tick the box to allow them to share my details so it shouldn't have been passed on. I have over 100 addresses at this domain and this was the only one that received the spam so a dictionary attack seems unlikely. Admittedly 100 email addresses out of 36 to the power of 12 is not a lot! But then the odds of getting one spam to that random address is a lot more than winning the lottery.

The day after the statutory 31 days I have to wait for the Telephone Preference Service to take effect, I get another SMS spam. This one is getting a formal complaint.

New Version of Popfile

There's a new version of Popfile out now. There are loads of improvements, the major one (for me) being on Windows platforms where there is now an icon in the system tray. This gives the ability to shut down the service instead of having to go to control panel/services to shut it down, and right clicking on it also gives the option to load the interface up in a web browser. Worth upgrading.

Finally heard back from ICSTIS about my complaint about the spam txt messages that I was getting from various companies including Zed UK. They've basically said they can't do anything but instead I need to contact the Office of the Information Commissioner (OIC) who can deal with the complaint as long as I've been on the Telephone Preference list at least 28 days (and/or asked to be removed from the spammers phone list). The OIC can be reached on 01625 545700 to register a formal complaint.

Got my first spam from

Got my first spam from signing up on a guestbook - Hey Kelly - afraid yours is the guilty party :-( They were offering me the klez removal tool - which was probably the virus itself! After all if you have klez on your computer then you don't have an av tool, so how are you going to know that the unsolicited attachment is not klez itself! On other anti-virus software news, I am going to remove McAfee from this computer as it really is pants. When this machine got infected (twice) with Magistr it was unable to repair the files and they had to be deleted - and they were a few windows files! I updated the software by hand (as there is no automatic update facility) and it found yet another virus on the computer - downloader-aw trojan. However, when you look on their website to get more information on this virus - it is not listed! The nearest that I could find is that it was created using a virus toolkit. If that is the case, then how come the software didn't pick it up - the toolkit has probably been around for yonks! Norton's AV is going on real soon!
Update: Instructions on removing downloader-w trojan are on McAfee's site (note name difference!)
