Archive for December, 2005

Domain intentionally targeted by mail spammers

Saturday, December 10th, 2005

I got an e-mail that I thought was interesting enough to use here, along with my reply. Munged, of course:

I need some help tracking down a spammer, and I found your site, and I was wondering if I could hire you to help me solve this problem.

I’m being attacked intentionally (for reasons that are not clear) by a spammer who is using some of my domains as their forged return address, causing me to be overwhelmed by bounces.
I know they are targeting me specifically, because I just added SPF to the main domain DNS records they were hitting, so they just switched to one of my other domains.

Due to the nature of their spam (random email addresses) and how I processed email on my site (allowing wildcard addresses) it has been very difficult to filter out the bounces.

Because they are using random email addresses and because I was already using a large collection of email addresses at my domains, it has become very difficult to filter out the bounces. Furthermore, the bandwidth is choking my little server.

Could I hire you to help me figure out who the actual human being is behind this spam? I have endless bounces to look at, and I’m getting pretty desperate.

Thanks for your time.

My reply (and remember I had his headers to look at, so I had more information than what was in his e-mail):

Hi xxxx,

You said you’re being targeted intentionally, but that the reasons are not clear.

Well, that tells me it’s not intentional.

Spammers would switch FROM domains with SPF for good reason. It’s got nothing to do with you, and everything to do with SOP (Standard Operating Procedure).

Check for IP addresses on the bounces that include the original mails. Chances are extremely good that they come from all over the place.

They would rather pick domains with catch all e-mail, and without SPF, all things being equal.

If Exim doesn’t allow you to switch off catch all, I’d advise you to set up another server instead. Postfix runs fine on Debian, and allows you to bounce mail to non-existing addresses in the SMTP handshake. Which means no more bounces, but quite a bit of handshake activity.

You can add another server as an SMTP gateway, and shunt the mail to your primary POP3 server (which can be your existing Exim server). Just change the MX records to point to the new server.

If you set it up like that, chances are extremely good they’ll stop targeting your domains.

Because this isn’t about you, it’s about maximizing the chances their spam will reach the intended targets.

If you’re not satisfied I’ve hit the nail on the head, forward some samples of spam, including the bodies and subject lines.

Finding out exactly who’s behind the spam can be done in two ways:
1) Backwalk from an exploited machine to the IRC channel used to feed info to the zombie, then figure out who the hacker is (and yes, it’s usually a hacker hired by a spammer). This can be done from a spam, as long as you’ve got the clout to make the ISPs or companies harboring the zombies listen. But you need resources and clout to really pull it off. Even so, the incentive to keep beating the odds is enormous, because of the payoff for some types of spam.
2) Or track the payoff. Who hired the spammer or benefits from the spam.

But like I said, I think I’ve cracked your case. It’s really no different from anyone else with catch all e-mail, lacking SPF or anything else that makes the domain less palatable to spammers.

Commercial comments

Friday, December 9th, 2005

After getting another comment from one of the buckwheat people, I realized I was looking at a new comment category.

These people are doing what I’d term “commercial comments”. Not automated spam, but still using the blogging system to their own ends. The way Paul did his original comment, it was just a suggestion for someone who could help me replace my pillow (and his prices are good, especially compared to an overly pricey one I found in Norway).

So, how about I give those who want to promote a site some tips instead?

Instead of coming right out and saying I’ve got a product for you, the smart way, and the acceptable way, is to say something on the topic. For instance, when I mentioned my buckwheat pillow as an aside, the smart way might have been to comment on how frequently one should replace buckwheat pillows. Comment on the various uses and how they might affect how long the pillows last before they go bad. What would make one go bad? Buckwheat pillows actually have properties that should make them last longer than other pillows. Compared to other pillows, fungi don’t really grow in them (unless they’re filled with contaminants like saliva, dandruff and I don’t know, I’m just guessing).

So, if I were talking about buckwheat pillows, I’d welcome comments from someone who knew more about them. Someone who had something to tell me I didn’t know, or something that was going just that little bit further than my text. Or telling me I was wrong in an assumption.

This isn’t really about buckwheat pillows. It’s about commercial comments. How do you get to do those without setting off spamhunters and vigilante bloggers, making them wonder if you’re a spammer doing searches for target terms?

And yes, I think that’s something that’s heating up right now. Folks doing targeted searches, then leaving comments relating to those terms. Recently I got a long rambling comment about penis enlargement. It read like a comment, a real comment. But I know it was a commercial comment gone wrong. Why? Because the name of the post was “African sucker”. I originally thought this was someone doing a search for sucker (sounded reasonable to me). Turns out the search term was: african blog. Looks like the comment was done by hand, and the contents were pasted into the form. But my post was on page six in Google, and if I do a search for the comment contents, I find lots of them on blog posts with the word African somewhere in the body of the post… So, not exactly on topic, but it looks like a real comment, apart from the topic.

Anyway, my point is, if you want to promote your site, do it the smart way. Don’t do ad copy. Don’t say straight out that you sell something. Don’t pepper the comment with links. Just write something helpful on topic, leave the URL to your site in the proper place (under your name), and let people find it on their own, if they like what you write.

Makes sense, eh?

The legality of posting other people’s e-mail addresses online

Thursday, December 8th, 2005

Oops: I should clarify that in this post, “script writers” doesn’t mean programmers, but people who write for movies etc.

Gerard Jones has a website where he’s posting contact info for publishing and movie industry people. He’s come under fire from Universal because he’s listing their e-mail addresses.

A lot has been said about this already, and I’ll just point you in the general direction:

Cinematical story 1, Cinematical story 2

Most of those who see this story, see it from the general public’s view. My perspective is different. I have an entertainment website. I get sent lots of requests from scriptwriters who want actors and other people to have a look at their scripts. And I have the unenviable task of giving these budding screenwriters their first dose of reality: Nobody wants your script. It doesn’t matter how wonderful it is, and how much it would outgross the top movies if given half a chance. There are too many scriptwriters and too many scripts in this world. Famous people get lobbied scripts from anyone and everyone they come across. From their gardener to their hairdresser. The easiest way to ensure you’ll never work with a celebrity again is to try and hand him a script in person. Unless you’re already a famous moviemaker or someone the celebrity has a lot invested in. And even then, the movie should already be financed. That is the magic word: Financed.

And it’s true what Universal says. They don’t accept submissions unless they come from an agent. That’s what the top agencies do. They put together script writers and producers. Sell them as packages. That’s how movies get made these days. I’ve seen cases that may have been legitimate, where newbie producers stole ideas and then got sued. It’s not worth it, so the really savvy players protect themselves by not accepting unsolicited scripts. Which means a steady stream of scripts by e-mail is a logistical and legal nightmare. I understand why they try to stop this, though I question their methods. I’m not sure they’ve picked their methods wisely.

So Gerard Jones is deceiving people, if his message is that people can e-mail or phone up people in the business and pitch projects. I haven’t checked if that is his message. Journalists sometimes sensationalize, so I won’t accuse him of being naive without cause.

But, there’s another issue here. Let’s overlook Universal’s clueless talk about spam for now. There are cases where you could talk about spam. I’ve seen scriptwriters sending form letters to in excess of 20 e-mail addresses in one go. That’s at the very least clueless, and probably what some of them do. In that context, I can understand why Universal are reminded of spam.

But the most important issue here is a third person listing e-mail addresses on the web, unmunged. It’s not just inconsiderate, it should be illegal.

There, I said it, it should be illegal!

We know that spambots prefer websites when they harvest addresses for spamruns, and for a website owner to post other people’s addresses that have absolutely no protection against spambots, is at the very least clueless, and at worst malicious.

I even munge e-mail addresses posted by other people on my entertainment forum. I edit their posts, even munging their own e-mail addresses. It’s either that, or fight a losing battle against the spambots. And even then it might not be enough.

So, the real issue for me is the posting of unprotected e-mail addresses on the web by third parties. Can we get some awareness going on that issue?

Update:
I should probably tell any budding scriptwriters who happen on this site that not everything is lost. A friend of mine has a good idea. He arranges readings of his scripts. It helps that he has lots of good actor friends, so he’s able to get them to help (they get exposure, he gets his scripts heard). Some do small independent films. Some film demos. Some do theatre productions. Some send their scripts to script competitions (watch out for scams, there are plenty of them). And you could do what Gerard Jones does: He becomes famous for something else, then leverages that fame. Whether he succeeds is another matter. But if he’s the typical entertainment type, he’s having the time of his life right now. They thrive on attention…

Stealth wifi surfing

Thursday, December 8th, 2005

I’ve been looking for a safe solution for surfing via wifi for a while, and here’s one that looks promising:

A thumbdrive with stealth software

Question is, can we achieve the same effect with software loaded onto our already purchased thumbdrives? I mean, I’ve already heard of portable Firefox and Thunderbird. So did this company make a stealth version, or does it exist elsewhere, just waiting for me to download?

Also, they’re not telling you the whole story. “Public” computers often have keystroke logging software or hardware on them. So you’d have to use Roboform, and be careful what you write, unless you’re actually using your own computer via wifi and everything’s encrypted.

Any thoughts?

Update: Looks like it’s using Open Source programs (Firefox and Thunderbird), and then adding Anonymizer, which is software you normally have to pay for. Frankly, it should be possible to make something similar yourself, if you’re so inclined, and you’re willing to pay for Anonymizer.

One review noted that if you’re using it at work, your IT department can still see where you’re surfing. If that’s true, then Anonymizer isn’t encrypting the addresses. For this to truly protect you while using wifi, it has to encrypt the actual data going back and forth. The Anonymizer servers are acting as a proxy server, doing that task.

You could theoretically use another server to do that, but you’d need some software to encrypt and communicate with your server.

Any other solutions out there we should look at?

I heard from a guy a while ago who had his passwords stolen while travelling, and the script kiddies who stole them had used them to mess with his server. Shudder…

Edit: Here are alternate solutions: Company VPN, Terminal server at work, Remote Desktop to your home machine, your own VPN set up from home.

Safe spam filtering

Wednesday, December 7th, 2005

I use SpamAssassin for some addresses these days, and I’ve done some investigating on how to safely filter spam.

What I came up with was that, with the addresses I have going through the test server these days, I could probably discard mail with 14 or more stars and not have a single false positive.

Each address and domain is different in regard to the type of spam and “legitimate” mail it takes in, so don’t take this as gospel without a testing period. On one domain I have, I get lots of forwards and people who made their own mailing lists. When you’ve got a typical forward, to a long list of e-mail addresses, from a Yahoo address sent from a mail client (not from their web interface), that mail gets a lot of punitive stars from SpamAssassin. Enough to boost it over the tagging threshold of 5 I had at first (I boosted it to 6 because I’m probably not the only one who has clueless friends…).

But for now I don’t discard, and sorting through the 99 tagged mails a day for possible false positives was driving me up the wall. So, how could I cut down on the amount of sorting I have to do, and still be able to sort those that may potentially be false positives by hand?

Well, if you’ve got Pegasus Mail, that’s not a problem, because you can sort by number of stars. Here’s my filtering rule:

*X-Spam-Level: [*][*][*][*][*][*][*][*][*][*][*][*][*][*]*

And I add that one by opening the filtering rules, clicking Add Rule, and choosing Expression. Then enter that phrase (double check that your SpamAssassin actually uses the header tagging that way, and possibly change the line).

Then go to Action, choose Move and choose the folder you want them moved to by clicking on Set.

How would we do this with other mail programs? Is it possible to filter by number of stars (14 or more, for instance) in Outlook Express, Outlook or Thunderbird?

It took me some researching to get the rule right in Pegasus, because * is a wildcard character, and it had to be escaped to get it right.
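
The post asks how to do the same sort in other mail programs. Here is an added example, not code from this blog, that makes the decision in a script: it counts the stars in X-Spam-Level (SpamAssassin writes one star per point of score), routes messages by the two thresholds the post uses (tag at 6, discard at 14), and expresses the Pegasus rule as an ordinary regular expression, where the star is escaped as `\*` instead of `[*]`. The messages it works on are constructed samples; the folder names are placeholders.

```python
"""Sort tagged mail by the number of stars in X-Spam-Level.

Added example, not code from this blog. SpamAssassin writes one '*' per
point of score into X-Spam-Level, so counting stars is the same as
comparing the score. The messages below are constructed samples.
"""
import re
from email import message_from_string
from typing import Dict, Iterable, List

REVIEW_THRESHOLD = 6    # the tagging threshold used in the post
DISCARD_THRESHOLD = 14  # the level the post found safe to discard

# Regular-expression form of the Pegasus rule on the page. In Pegasus '*' is a
# wildcard and had to be written as [*]; in a regex it is escaped as \*.
PEGASUS_RULE = re.compile(r"^X-Spam-Level: \*{14}", re.MULTILINE)


def star_count(raw: str) -> int:
    """Number of stars in X-Spam-Level; 0 when the header is absent."""
    msg = message_from_string(raw)
    return msg.get("X-Spam-Level", "").count("*")


def route(raw: str) -> str:
    """Folder a message should land in, decided by star count (folder names are placeholders)."""
    stars = star_count(raw)
    if stars >= DISCARD_THRESHOLD:
        return "Spam-Discard"   # safe to drop once the testing period confirms it
    if stars >= REVIEW_THRESHOLD:
        return "Spam-Review"    # tagged, still worth a glance for false positives
    return "INBOX"


def matches_pegasus_rule(raw: str) -> bool:
    """Same decision the page's Pegasus expression makes: 14 or more stars."""
    return PEGASUS_RULE.search(raw) is not None


def sort_mailbox(raws: Iterable[str]) -> Dict[str, List[int]]:
    """Group message indexes by destination folder."""
    folders: Dict[str, List[int]] = {}
    for index, raw in enumerate(raws):
        folders.setdefault(route(raw), []).append(index)
    return folders


def _sample(stars: int, subject: str) -> str:
    """Build a constructed message carrying the given number of stars."""
    level = f"X-Spam-Level: {'*' * stars}\n" if stars else ""
    status = "Yes" if stars >= REVIEW_THRESHOLD else "No"
    return (
        level
        + f"X-Spam-Status: {status}, score={stars}.0 required={REVIEW_THRESHOLD}.0\n"
        + "From: friend@example.org\n"
        + f"Subject: {subject}\n\n(body omitted)\n"
    )


# Constructed samples: a clean mail, a clueless forward, obvious spam, and a
# message that never passed through SpamAssassin at all.
SAMPLES = [
    _sample(3, "forwarded joke"),
    _sample(8, "forward to a long list from a Yahoo address"),
    _sample(16, "obvious pill pitch"),
    _sample(0, "mail from a server without SpamAssassin"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{star_count(raw):2d} stars -> {route(raw)}")
    print(sort_mailbox(SAMPLES))
```

Counting stars rather than parsing the score from X-Spam-Status keeps the script in step with the Pegasus rule, and a message with no X-Spam-Level header at all goes to the inbox instead of being treated as spam, which matters for mail that reaches you by a route that skips the filter.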

Buckwheat pillows promotion

Wednesday, December 7th, 2005

I mentioned wanting to replace my buckwheat pillow in a recent post.

Would you believe I found TWO comments in the moderation queue directing me to sites where I could order them?

One might have been a coincidence - a fan of them tipping me off about a site. But two? Nah.

And my little sweep of the logs confirmed my suspicion. Two live people searched Blogger and Google for mentions of buckwheat pillows and then left comments.

I can’t make up my mind if I think it’s downright spam or smart marketing. I won’t get them blacklisted, but since this is a spam hunting blog, I won’t approve their posts either.

Now, let’s see what happens after this post has been sitting there for a while. Any promoter stupid enough to hawk buckwheat pillows with comments on this post might be in for a public flogging, at least…

And as for how helpful they were: I’m not looking for a supplier anywhere but Norway, so it’s not helpful to me…

Norwegian spammer at it again

Monday, December 5th, 2005

I wrote about a Norwegian spammer a while back. He’s at it again. And this time he says it’s not spam. Here’s what he says (translated from the Norwegian original):

NB! This e-mail is not ”Spam”! We intend to reach the person responsible for purchasing at all Norwegian companies in Norway. To that end we have collected e-mail addresses for all
self-employed persons in Norway. Should you nevertheless, by mistake, receive this e-mail as a private individual, please remove yourself from the
distribution list using the option below. Please note that you may receive e-mail at your private e-mail address if
you have provided it in connection with your own and/or others’ business activities.

The original is in Norwegian, so I’ll summarize. He says it’s not spam. That they’re planning on reaching everyone in Norway that’s responsible for purchases for companies. They’ve gathered e-mail addresses for everyone who has a company in Norway. And then he goes on to say that if you should receive this e-mail as a private person, please remove yourself by using the alternative below.

He’s trying to bypass the Norwegian law, which says that it’s (still) OK to contact a company by using the company e-mail address, but not OK to spam an employee at a company.

So, a lot of people will probably be fooled by this, but it’s still spam. I happen to have access to the logs of a multi-domain mailserver, and I tracked some addresses he sent this to. Some of those could NOT be found at the Norwegian registry for such information.

One of the addresses I tracked is an old address. It’s no longer in service. I can’t find it anywhere, so I can’t imagine how he could have gotten it the way he said he did.

Another address is for a sales representative for a large area, but not a company owner. He should not be on a list such as that.

Then there’s another company, where they sent e-mail to two addresses. One is listed on the central registry, the other is listed on another company search I’d never heard of. Both addresses are still active.

Another company had no e-mail address on their registration. But one employee could be found on their website as a contact e-mail. The way I read the Norwegian law, that address can’t be used to spam. You can use addresses from the company registration, and domain@domain.no, and possibly info@domain.no or post@domain.no (BTW, I advise you not to use those addresses, either in Norway or internationally. domain@domain.com, sales@domain.com, info@domain.com and webmaster@domain.com are generally spammed to death). Not exactly sure which ones are allowed. Anyway, I don’t see how they could finagle that this address was allowed. I also found another e-mail address at that company, that I can’t find on the company homepage, though the address is still active.

Finally, I’ll give you the full headers, munged:

Return-Path:
Received: (qmail 29703 invoked from network); 3 Dec 2005 18:37:57 -0000
Received: from munged (HELO munged) (munged0)
    by 0 with SMTP; 3 Dec 2005 18:37:57 -0000
Received: from smtp1.uniweb.no ([195.159.128.247]) by munged with
    InterScan Messaging Security Suite; Sat, 03 Dec 2005 20:06:38 +0100
Received: (qmail 31129 invoked by uid 210); 3 Dec 2005 22:04:41 +0100
Received: from 203.101.44.130 by smtp1 (envelope-from , uid 0)
    with qmail-scanner-1.25st (f-prot: 4.6.0/3.16.7. perlscan: 1.25st.
    Clear:RC:0(203.101.44.130):. Processed in 5.029382 secs); 03 Dec 2005 21:04:41 -0000
Received: from unknown (HELO Lars) (salg@exc-npi.no@203.101.44.130) by
    smtp1.uniweb.no with SMTP; 3 Dec 2005 22:04:36 +0100
Reply-To:
From: "Vi dekker ditt behov!"
To: "Vi dekker ditt behov!"
Subject: =?iso-8859-1?Q?Til_innkj=F8psansvarlig?=
Date: Sun, 4 Dec 2005 00:19:43 +0530
Organization: Npi
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="----=_NextPart_000_0096_01C5F86A.60826FB0"
X-Priority: 1 (Highest)
X-MSMail-Priority: High
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Importance: High
Thread-Index: AcX4N8hk8Lq+53RPQt2DXIeo2gj/3A==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Qmail-Scanner-Message-ID: <113364387891831123@smtp1>

Update: OMG, I just found something hilarious:

http://pluss.venstre.no/organisasjon/0000D38D-8000000B/0000DDC2-8000000B/

It’s apparently some sort of mail box belonging to a political organization. It popped up when I searched for the fax number of the spammer. So it was indexed by a search engine (not sure which). This is a scandal by itself… Their web mail system is wide open!

Found an article about a loophole in the Norwegian spamming law. This is ancient news. But as I’ve pointed out in this post, the spammer who sent the spam above wasn’t too careful. He SAID he was sending the spam out according to the law, but in reality I couldn’t find that he had washed his list properly.
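
Both the advice in the reply in the “Domain intentionally targeted” post above (check the IP addresses on the bounces; they come from all over the place) and the header chain in this post come down to the same routine: walking the Received lines back to the first machine you did not control. The script below is an added example, not code from this blog. It reads a chain the way a person does, trusting only the lines stamped by servers you name, and tallies the origins across several messages. The hostnames and addresses in its samples are constructed (RFC 5737 documentation ranges and placeholder names), not the ones in the headers quoted above.

```python
"""Walk a message's Received headers back to the first machine you did not control.

Added example, not code from this blog. The message samples below are
constructed: hostnames are placeholders and the addresses come from the
RFC 5737 documentation ranges, not from the headers quoted on the page.
"""
import re
from collections import Counter
from email import message_from_string
from typing import Iterable, List, Optional, Tuple

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def received_hops(raw: str) -> List[str]:
    """Received header values, newest first, with header folding collapsed."""
    msg = message_from_string(raw)
    return [re.sub(r"\s+", " ", value).strip() for value in msg.get_all("Received", [])]


def split_hop(value: str) -> Tuple[str, str]:
    """Split one Received value into its 'from' clause and the 'by' host name."""
    from_part, sep, rest = value.partition(" by ")
    by_host = rest.split()[0].lower() if sep and rest.split() else ""
    return from_part, by_host


def hop_from_ip(value: str) -> Optional[str]:
    """Address of the sending host as recorded in this hop, or None."""
    from_part, _ = split_hop(value)
    if not from_part.lower().startswith("from "):
        return None  # local delivery note such as qmail's "(qmail N invoked from network)"
    match = IPV4.search(from_part)
    return match.group(1) if match else None


def origin_ip(raw: str, trusted_hosts: Iterable[str] = ()) -> Optional[str]:
    """Return the address of the first untrusted machine in the chain.

    Each Received line is stamped by the host named after 'by'. Reading from
    the top (our own server) downwards, lines stamped by hosts we trust are
    reliable; the 'from' address in the lowest such line is the first machine
    we did not control. Anything below it was written on the sender's side and
    may be forged, so we stop there. Without a trusted set we fall back to the
    earliest hop that carries an address at all, which is only a guess.
    """
    trusted = {host.lower() for host in trusted_hosts}
    hops = received_hops(raw)
    if not trusted:
        for hop in reversed(hops):
            ip = hop_from_ip(hop)
            if ip:
                return ip
        return None
    candidate = None
    for hop in hops:
        from_part, by_host = split_hop(hop)
        if not from_part.lower().startswith("from "):
            continue  # no relay information in this line
        if by_host not in trusted:
            break  # stamped by a host we do not control
        candidate = hop_from_ip(hop) or candidate
    return candidate


def origin_tally(raws: Iterable[str], trusted_hosts: Iterable[str] = ()) -> Counter:
    """Count originating addresses over many messages, e.g. the originals inside bounces."""
    return Counter(ip for ip in (origin_ip(raw, trusted_hosts) for raw in raws) if ip)


# Constructed originals, as they would appear inside a bounce's attached message.
SAMPLE_1 = """Received: from unknown (HELO dsl-pool-23.example) (198.51.100.23)
  by mx.recipient.example with SMTP; 3 Dec 2005 18:37:57 -0000
From: jq7x@victim-domain.example
To: someone@recipient.example
Subject: constructed sample 1
"""

SAMPLE_2 = """Received: from cable-77.example ([203.0.113.77]) by mx2.recipient.example
  with ESMTP id ABC123; Sat, 3 Dec 2005 20:06:38 +0100
From: b81m@victim-domain.example
To: other@recipient.example
Subject: constructed sample 2
"""

# Shaped like the chain quoted on this page: local qmail notes without relay
# information, a relay, and the dial-up origin behind it.
SAMPLE_3 = """Received: (qmail 29703 invoked from network); 3 Dec 2005 18:37:57 -0000
Received: from relay.example ([192.0.2.5]) by mx.recipient.example with
  InterScan Messaging Security Suite; Sat, 03 Dec 2005 20:06:38 +0100
Received: (qmail 31129 invoked by uid 210); 3 Dec 2005 22:04:41 +0100
Received: from unknown (HELO Winbox) (user@192.0.2.200) by
  relay.example with SMTP; 3 Dec 2005 22:04:36 +0100
From: k9pq@victim-domain.example
To: third@recipient.example
Subject: constructed sample 3
"""

TRUSTED = ("mx.recipient.example", "mx2.recipient.example", "relay.example")

if __name__ == "__main__":
    for name, raw in (("1", SAMPLE_1), ("2", SAMPLE_2), ("3", SAMPLE_3)):
        print(f"sample {name}: origin {origin_ip(raw, TRUSTED)}")
    print("tally:", origin_tally([SAMPLE_1, SAMPLE_2, SAMPLE_3], TRUSTED))
```

Reading the chain from the bottom up would be wrong on a forged one: a sender can write any Received lines it likes before handing the message to your server, so only the lines your own server (or a relay you vouch for) wrote are trustworthy, and the routine stops at the first line stamped by anyone else. In SAMPLE_3, naming only mx.recipient.example as trusted stops at the relay’s address, while also trusting relay.example reaches the machine behind it. For the bounces in the first post, feed in the original message attached to each bounce; a tally spread over unrelated networks is the tell-tale of zombies picking an unprotected catch-all domain rather than one deliberate attacker.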

Reporting to Alestra

Monday, December 5th, 2005

In a comment on this post yesterday, Chris from Mexico offered to talk to Alestra about their proxies that have been misused by spammers.

I haven’t seen the Alestra proxies used much lately. I was wondering if any of you have updated info on them?

Careful with the whois protection

Monday, December 5th, 2005

I’ve seen some spammers use whois protection from small registrars or webhosts. The problem with that is that the guy whose name is on the registration is the one who’ll receive the flak and get a reputation for being a spammer.

So, unless you’re GoDaddy or something similar, with a whole department for whois protection, don’t go there. Don’t front for your customers, unless you know them personally and can walk over and drag them by the ear to make restitution if they do something stupid.

Forum submitter

Saturday, December 3rd, 2005

I got this comment posted to an old post by Search Engines web. I thought it was better to highlight it in a new post (he’d already munged the address).

So, as you can see from his post, we’ve got YET another submitter to fight against. Can we please try and get this one OFF the market? And is there a way to do it? After all, there is no doubt this should be illegal.

Anyway, here’s the comment as he posted it:

————————

Had to go back quite a ways to find a compatible topic to post this to.

This recent email highlights an important fact - phpbb is relatively
less secure than VB

Hi info & Warrior Friends,

Discover the new way of advertising on the
Internet!

=> http://*forumsubmit.6te.net/index.html

Discover the power of the Forum Submitter!
Brandnew software revolutionizes the power of
online advertising -never seen before!-
BRAND NEW FOR NOVEMBER 2005!

=> http://*forumsubmit.6te.net/index.html

“Forum Submitter Pro” – this software will allow you to
submit your messages practically in any forums / message
boards / bulletin boards which are based on most popular
script in this area – phpbb. “Forum Submitter Pro” will
allow you make this submission 99% automatically and
will allow you avoid and/or minimize reaction of built-in
anti-flooding mechanisms of phpbb script.

=> http://*forumsubmit.6te.net/index.html

===================================================
We have done it again with this BRAND NEW release
Message Board and Forum Submitter.This 2005 Release
Submitter is designed to give all serious marketers the
EDGE in the quest for Traffic and PageRank.

—————

Update: I can’t find the wording from this e-mail anywhere on the web, and the address doesn’t work (which is a good thing, come to think of it).