Archive for March, 2006

Formatting HP computers

Friday, March 31st, 2006

I’ve started over from scratch with a few HP computers of various ages.

As some of you know, HP computers come with rescue partitions these days. They’re supposed to be used instead of installing from a Windows CD. So if you do start from scratch (new hard drive, for instance), you might be in for a few surprises, like I was.

One older machine came with a sticker for a Win2000 license, but I felt like installing Win98 on it (only put such a machine offline or behind a good router firewall). The installation was textbook, until I finished and discovered that the display driver was wrong. Looked horrible. Turns out it needed drivers for just about everything. HP is really good about drivers. You can download everything you need from HP’s site, no matter how old the computer is. Just search their site for the exact model number. And using a different OS wasn’t a problem with this particular computer.

An AMD Pavilion that must have been a race horse in 2003 was due for a complete reinstall. I didn’t have the original hard drive, and the hard drive I put in had had a Debian flavor on it.

It has one DVD drive and one DVD burner. But no matter what I did (yes, verifying in the BIOS that it’s set to boot from one of the drives, even swapping drives), I could not get it to boot from the DVD drives.

Solution:
First a Win98 boot floppy with fdisk on it. To kill off the Linux MBR:
fdisk /mbr

Then, disconnect the built in DVD drives, and connect a plain vanilla CD-ROM drive, with the windows CD in it.

This time it works…

Heh, the first time I did this, I just grabbed the first CD-ROM I saw. And marvelled at how slow the windows installation went. Turns out the CD-ROM was made in 1996. So I got a newer one (yanked it out of a machine at the office), and the installation worked.

BTW, there’s usually a sticker with a Windows license key on HP machines. To use those, you need an OEM Windows CD. The license will not work with a retail version CD. Fujitsu Siemens CDs are usually OK. They don’t have bloatware built in, like some rescue disks (Dell, HP, and I’m sure others are filled with bloatware). One Win98 CD I tried refused to install on a non-Fujitsu Siemens machine, but WinXP usually works. Well, at least the machine hasn’t foobared yet. I didn’t have time to register Windows last night… Hopefully I won’t have trouble with switching the DVD drives back? WinXP has copy protection that pays attention to the hardware you use for a Windows installation…

Update: I had to call Microsoft to get the WinXP copy activated. Because it had been activated before, and the hardware had changed a little bit since (new hard drive), it wouldn’t activate by itself. Calling Microsoft was pretty painless. The automated thingy didn’t work, but all the guy at Microsoft needed to know was that it was the same box, and that the code on the license sticker hadn’t been used for other computers as well. I.e., that it wasn’t pirated, just a new hard drive in the same box. I’ve been thinking. Let’s say I want to test out some software on the box, but don’t want to ruin my main installation (no time to reformat). I’m not sure if Microsoft would understand the distinction - one machine, several installations alternating? Maybe an image of the finished and patched OS would be in order, before I put on a lot of software?

Also, as I said below. Both DVD drives failed and had to be replaced. I don’t know why they failed, but they wouldn’t work in any of my tests.

Coping with joe jobs

Thursday, March 30th, 2006

I was contacted by someone who’s been under a heavy deluge of faked sender spam bounces for months. He wanted help in making it go away.

I have a few tips that can be used, and I’ll put some of them here:

First of all, a faked sender spam is different from the classic Joe Job. You can read more about the Joe Job here, and some advice on handling it:

Sabotage! Coping With The Joe Job

There’s also advice there that you can use for fake sender spams, but he doesn’t address the faked sender bounces many domain owners experience today. Those spamruns are done with non-existent addresses at your domain.

Perhaps the biggest perpetrator of large scale faked sender spams is Leo Kuvayev. He’s tagged some of my customer’s domains, so I know how bad it can get until you take countermeasures.

1) Turn off catch-all, so you don’t receive all those bounces.
2) Verify that your mailserver REJECTS mail to non-existent e-mail addresses, instead of BOUNCING them. This will significantly reduce the load on the server. This is the default if you’ve got cPanel with catch-all turned off. Send yourself an e-mail to a nonsensical address at your domain, and verify that your local mailserver is the one sending you the bounce.
3) Put up a notice (a small text link) on your website with information about the spamruns, if it keeps on going.
4) If your domain is used for very few e-mail accounts, and you’ve got full control over where people send legitimate mail from with your domain as sender, you can check out SPF (Sender Policy Framework). Also investigate other techniques like DomainKeys etc.
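To make steps 2 and 4 concrete, here is an added example in Python (not code from the original post). It classifies the SMTP reply a mail server gives to RCPT TO for a non-existent address, which is what the "send yourself a mail to a nonsensical address" test really checks, and it reads the trailing "all" qualifier of an SPF record. The SMTP transcripts and SPF records below are constructed; probe_own_domain is a hypothetical helper for running the same check live against a domain you administer.

```python
import re
import smtplib

# Constructed SMTP conversations as (command, reply code); not captured from a real server.
# A server that rejects unknown users at RCPT TO never has to generate a bounce.
REJECTING_SESSION = [("EHLO probe.example", 250), ("MAIL FROM", 250), ("RCPT TO", 550)]
# A server that accepts anything for the domain must bounce later: that is backscatter.
BOUNCING_SESSION = [("EHLO probe.example", 250), ("MAIL FROM", 250), ("RCPT TO", 250)]


def classify_rcpt_reply(code: int) -> str:
    """Interpret the SMTP reply to RCPT TO for an address that does not exist."""
    if 500 <= code <= 599:
        return "rejected"    # refused during the SMTP dialogue: no bounce is ever created
    if 400 <= code <= 499:
        return "deferred"    # temporary failure (greylisting etc.): inconclusive, retry later
    if 200 <= code <= 299:
        return "accepted"    # accepted for an unknown user: the server will bounce it later
    return "unexpected"


def backscatter_verdict(session) -> str:
    """Find the RCPT TO step in a (command, code) transcript and classify it."""
    for command, code in session:
        if command.upper().startswith("RCPT TO"):
            return classify_rcpt_reply(code)
    return "no-rcpt"


def probe_own_domain(mx_host: str, domain: str,
                     probe_user: str = "no-such-user-7b21", timeout: int = 10) -> str:
    """Hypothetical live helper: run the check against a domain you administer.
    Only MAIL FROM and RCPT TO are issued, then RSET, so no message is ever queued."""
    session = []
    with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(f"postmaster@{domain}")
        session.append(("MAIL FROM", code))
        code, _ = smtp.rcpt(f"{probe_user}@{domain}")
        session.append(("RCPT TO", code))
        smtp.rset()
    return backscatter_verdict(session)


# The trailing "all" mechanism of an SPF record with its optional qualifier (-, ~, ?, +).
SPF_ALL = re.compile(r"(?:^|\s)([-~?+]?)all(?:\s|$)")


def spf_all_qualifier(txt_record: str) -> str:
    """Classify what an SPF record says about senders it does not list."""
    if not txt_record.lower().startswith("v=spf1"):
        return "not-spf"
    match = SPF_ALL.search(txt_record)
    if match is None:
        return "no-all"      # no default mechanism: unlisted senders end up neutral
    return {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass", "": "pass"}[match.group(1)]


if __name__ == "__main__":
    print("rejecting server:", backscatter_verdict(REJECTING_SESSION))
    print("bouncing server:", backscatter_verdict(BOUNCING_SESSION))
    print("-all record:", spf_all_qualifier("v=spf1 mx ip4:192.0.2.10 -all"))
```

A 5xx reply to the probe means step 2 is done; a 2xx means the server accepts mail for users that do not exist and will create the bounces a faked-sender spamrun feeds on. For SPF, only "fail" (-all) tells a receiving server it may reject forged mail outright; "softfail" is advisory, and SPF only helps at receivers that check it.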

All of my suggestions will make your domain less palatable to the spammers. But if they’ve been using it for some time, they may not notice, since they don’t get the bounces anyway. However, if you act proactively and remove catch all before the first faked sender spamrun, they may bypass your domain altogether.

And remember: Unless you’ve got access to your mailserver’s logs, you won’t know if the spamruns continue after you’ve removed catch-all - unless they tag an existing e-mail address by mistake.

Another factor you should remember is that a faked sender spamrun will increase the total spam load against your domain. Some people have rules that put all sender addresses into their address books. When they get hit by a virus, that address book gets copied by spammers. Whammo, lots of mail to non-existent addresses. So removing catch-all will take care of that too.

I deleted my guestbook today

Wednesday, March 29th, 2006

That guestbook was moderated, so no spam actually got through. But even so, it was spammed to death. So much so I had no way of figuring out if any legitimate messages had been posted.

So, it’s gone. And good riddance!

Virus infected, even after being told

Wednesday, March 29th, 2006

December 8, 2005, I told a guy that he was virus infected and should get his computer cleaned.

He interrogated me on what my interest was in telling him this. Very suspicious of me.

I verified at the time that it really was his computer that was infected. And assumed he’d fix it.

Today, I did a random sweep through my logs, looking for Norwegian mailservers with wrong configuration.

And found one mail with a HELO that mimics that of my own server. So I immediately knew the mail was generated by malware of some kind.

The e-mail address is his. And the IP address is the same as several months ago…

Gee, you’d think he’d clean his computer after being handed the solution on a silver platter? I guess not. Next call will go to his ISP, demanding he be shut off…
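The tell described above, a remote client that introduces itself with the receiving server’s own name, is easy to pick out of a mail log. This added Python example (not code from the original post) scans constructed Postfix-style smtpd lines and returns the client IPs whose HELO claims to be our own hostname or our own address literal; the hostnames, addresses and log lines are all assumed values built for the example.

```python
import ipaddress
import re

# The names and addresses our own MX announces. Assumed values for this example.
OWN_NAMES = {"mx.example.net"}
OWN_IPS = {"192.0.2.10"}

# Constructed Postfix-style smtpd lines (not from the original post). Each carries the
# connecting client's reverse DNS and IP, and the HELO name it offered.
SAMPLE_LOG = """\
Mar 29 09:14:03 mx postfix/smtpd[2110]: NOQUEUE: RCPT from unknown[198.51.100.23]: from=<joe@example.org> to=<me@example.net> proto=ESMTP helo=<mx.example.net>
Mar 29 09:15:41 mx postfix/smtpd[2114]: NOQUEUE: RCPT from mail.example.org[203.0.113.5]: from=<ann@example.org> to=<me@example.net> proto=ESMTP helo=<mail.example.org>
Mar 29 09:17:09 mx postfix/smtpd[2118]: NOQUEUE: RCPT from unknown[198.51.100.77]: from=<bob@example.com> to=<me@example.net> proto=ESMTP helo=<[192.0.2.10]>
Mar 29 09:18:30 mx postfix/smtpd[2120]: NOQUEUE: RCPT from unknown[198.51.100.80]: from=<x@example.com> to=<me@example.net> proto=SMTP helo=<MX.EXAMPLE.NET>
"""

HELO_RE = re.compile(r"RCPT from (?P<rdns>\S+?)\[(?P<ip>[^\]]+)\].*?helo=<(?P<helo>[^>]*)>")


def is_forged_self_helo(helo: str, own_names, own_ips) -> bool:
    """True if a remote client claims to be us: our hostname or our address literal."""
    name = helo.strip().lower()
    if name.startswith("[") and name.endswith("]"):
        name = name[1:-1]                     # address literal form, e.g. [192.0.2.10]
    if name in {n.lower() for n in own_names}:
        return True
    try:
        # Normalise the literal so 192.000.002.010-style spellings still compare equal.
        return str(ipaddress.ip_address(name)) in {str(ipaddress.ip_address(i)) for i in own_ips}
    except ValueError:
        return False                          # not an IP at all: an ordinary hostname


def find_forged_helos(log_text: str, own_names=OWN_NAMES, own_ips=OWN_IPS):
    """Return (client_ip, helo) for every connection whose HELO impersonates this server."""
    hits = []
    for line in log_text.splitlines():
        m = HELO_RE.search(line)
        if m and is_forged_self_helo(m["helo"], own_names, own_ips):
            hits.append((m["ip"], m["helo"]))
    return hits


if __name__ == "__main__":
    for ip, helo in find_forged_helos(SAMPLE_LOG):
        print(f"{ip} introduced itself as {helo}")
```

A client that is genuinely one of your own servers would be connecting from one of your own addresses, so a match from anywhere else is a strong sign of an infected machine rather than a misconfiguration. Postfix can enforce the same rule at SMTP time with a HELO access table, but a log sweep like this is what lets you tie a hit back to the sender address and IP, as in the post.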

Webattacker is a popular search term

Monday, March 27th, 2006

OMG, I just checked my referrers.

Loads of people accessing my PR storm for sale post.

Turns out they’re searching for Webattacker, that SEW was talking about in a comment.

I THINK the reason is an article in PCmag a few hours ago.

I just hope all those people searching for it are just curious, and don’t intend to USE it!

Significantly less spam

Monday, March 27th, 2006

I had lots of blocks on my site, but the spammers got past them. Then I figured out that the blocks for specific files would negate the general blocks.

I removed the file specific blocks I had for wp-comments, and lumped all my blocks in a general lump.

I’ve had significantly less comment spam since…

But frankly, I think much of the decline has to do with the spammer with the broken user agent I reported on a few days ago.

Deniability and iBill

Sunday, March 26th, 2006

Edward Falk reports on the iBill leak and deniability:

The Spam Diaries: Stolen iBill subscriber information used to generate custom phishes

Securing wifi connections

Sunday, March 26th, 2006

A while ago, I was talking about a pendrive that encrypted communications, and included a browser, e-mail program and password keeper.

The perfect companion for the security-minded globetrotter who works from cyber cafes.

I was enchanted with the idea, but was looking for a roll your own solution.

What I’ve found, is that you either need to buy an anonymizer service with encryption, use your job’s VPN, or have your own “server”.

The least involved do-it-yourself solution for the non-corporate types is described here:
HOW-TO: SSH HTTP proxy setup - hack a day - www.hackaday.com

That solution could be put on a pendrive, and probably is used exactly that way by quite a few school children.

The other solution is more geeky, and “better” in many ways:
OpenVPN.
Perfect for sharing with friends.

Before you choose one of those solutions: There are lots of other solutions, and you’ll find quite a few of those in the comments on the SSH post.

But I’d like to add a caution. There are security concerns other than sniffing network traffic:
* Eyeballing you inputting your passwords.
* Stealing your laptop.
* Installing keyloggers on cyber cafe computers.
* Browser history and cache if you use other people’s computers without a portable Firefox on a pendrive.

With care, you can avoid snoops getting useful info even when using unsafe networks and computers. But it takes some thought and precautions.

Spammer on topic

Saturday, March 25th, 2006

I had a comment on one of the Roy Giles posts. Very on topic, in fact I’ll quote it here:

All spammers are slime, but when you are supposed to be someone with
morals, such as a Christian minister, it sure shows he doesn’t.

Most spammers we deal with are more random than what you describe. Some
likely are doing this, but most of them are not.

Problem is, there’s a spammy link (that I’ve removed) in the URL field.

freewebs.com/sportsbook

OK, so maybe he’s a one time spammer? Thought I’d put that to the test, so I searched for his IP number. And found lots of guestbook spam. And then noticed he tended to use this one e-mail address, so I tried that:

sawer@yahoo.com - Google Search

See? He’s a spammer alright. The comment on my blog was absolutely on topic. And hand written. But most of his spam isn’t, as you can see from the selection in Google.

He’s advanced enough he uses encoded javascript to hide his affiliate ID:
searchadv.com
ID: 49996

But he doesn’t use his own domains as cutouts, so he isn’t the most sophisticated spammer I’ve seen in that respect.

Block 207.58.130.217

Saturday, March 25th, 2006

I went through the spam comments today, and tried to spot any repeat offenders.

Found:
207.58.130.217
vps.onlyfind.info

User agent:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Pretty weird requests too:
"POST /index.php? HTTP/1.1" 200 28030 "http://spamhuntress.com:80/index.php?"
"POST /wp-comments-post.php? HTTP/1.1" 302 5 "http://spamhuntress.com:80/wp-comments-post.php?"
"POST /wiki/Special:Search? HTTP/1.1" 200 11347 "http://spamhuntress.com:80/wiki/Special:Search?"

I think this bot should be blocked, both by IP number and behavior.

Here’s how to block the user agent and similar user agents in .htaccess:
Order Allow,Deny
Allow from all
SetEnvIfNoCase User-Agent "Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)" spambot=yes
Deny from env=spambot
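The behaviour described above (a POST to a path ending in a bare "?", with a Referer pointing back at that same URL on the site’s own host with an explicit :80) is a much tighter signature than the User-Agent string, which is the stock IE6-on-XP string that plenty of real visitors sent in 2006. This added Python example (not code from the original post) scans Apache combined-format access log lines for that pattern and turns the repeat offenders into .htaccess Deny lines. The log lines are constructed around the three requests quoted above plus two ordinary visits, one of them with the same User-Agent as the bot.

```python
import re
from collections import Counter

# Constructed access-log lines in Apache combined format. The first three mirror the
# requests quoted in the post; the last two are ordinary visitors, one of them sending
# the same stock IE6 User-Agent string as the bot.
SAMPLE_LOG = """\
207.58.130.217 - - [25/Mar/2006:10:01:12 +0100] "POST /index.php? HTTP/1.1" 200 28030 "http://spamhuntress.com:80/index.php?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
207.58.130.217 - - [25/Mar/2006:10:01:13 +0100] "POST /wp-comments-post.php? HTTP/1.1" 302 5 "http://spamhuntress.com:80/wp-comments-post.php?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
207.58.130.217 - - [25/Mar/2006:10:01:15 +0100] "POST /wiki/Special:Search? HTTP/1.1" 200 11347 "http://spamhuntress.com:80/wiki/Special:Search?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.9 - - [25/Mar/2006:10:05:40 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 5 "http://spamhuntress.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.9 - - [25/Mar/2006:10:06:02 +0100] "GET /index.php? HTTP/1.1" 200 28030 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1"
"""

# Apache combined log format: client, identd, user, timestamp, request, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def matches_bot_behaviour(rec: dict, own_host: str) -> bool:
    """The post's signature: a POST whose path ends in a bare '?', with a Referer
    equal to that same URL on our own host with an explicit port 80."""
    if rec["method"] != "POST" or not rec["path"].endswith("?"):
        return False
    return rec["referer"] == f"http://{own_host}:80{rec['path']}"


def suspicious_ips(log_text: str, own_host: str, min_hits: int = 2) -> dict:
    """Count matching requests per client and keep those at or above min_hits."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and matches_bot_behaviour(m.groupdict(), own_host):
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def deny_lines(ips) -> list:
    """Render .htaccess 'Deny from' lines for the flagged addresses."""
    return [f"Deny from {ip}" for ip in sorted(ips)]


if __name__ == "__main__":
    flagged = suspicious_ips(SAMPLE_LOG, "spamhuntress.com")
    print(flagged)
    print("\n".join(deny_lines(flagged)))
```

Run against the sample, only 207.58.130.217 is flagged; the visitor at 203.0.113.9 who shares the bot’s User-Agent is left alone, which is the point of blocking on behaviour as well as on the IP number. The min_hits threshold keeps a single odd request from earning a block.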

I saw the same behavior from this IP number:
72.36.223.107
(check Google. Loads of guestbook spam)
There are other IP numbers as well.

Both those IP numbers present an empty website when you access them in a web browser. Which probably means the servers are virtual webhosts.

The spammer was spamvertizing louis vuitton purses, and used a site at blogspirit.com

It had a very tricky redirect to
searchboard.info (80.77.88.4 - hqhost.net)
which again had a 302 redirect to
topresult.info (80.77.80.145 - hqhost.net)

Whois:
Admin Name:Nikolay Markov
Admin Organization:sia
Admin Street1:Skolas 28
Admin City:jurmala
Admin State/Province:Jurmala
Admin Postal Code:2111
Admin Country:LV
Admin Phone:+371.3465476
Admin Email: gogogh7878@yahoo.com
Name Server:NS0.HQHOST.NET

Admin Name:Markovich
Admin Organization:inbox
Admin Street1:Skolas 28-47
Admin City:Jurmala
Admin State/Province:
Admin Postal Code:2011
Admin Country:LV
Admin Phone:+371.6054515
Admin Email: tt7777@inbox.lv
Name Server:NS1.HQHOST.NET

And of course, the links we finally see are those typical encrypted affiliate advertising links.

Finally, the content of the spam is sometimes in German. It looks like it’s been harvested from real guestbook entries. One comment type refers to the blog as a guestbook. My guess is this is an old guestbook spammer that’s started hitting blogs as well.