Archive for the 'Admin issues' Category

authenticated user

Tuesday, March 11th, 2008

I’ve seen countless examples lately of mail sent from legitimate accounts via Squirrelmail. Do a search for “authenticated user” on news.admin.net-abuse.sightings and sort by date. You’ll see it’s become quite common.

I don’t know exactly what’s happening here, but I assume spammers have stolen passwords for legitimate accounts somehow.

I know of one case where the spammer changed the password of the account a while after the spamrun was complete.

If your established password suddenly stops working, don't just get a new one issued: go through the account afterwards and look for mail you didn't send.

The spammy mails were still in the Sent box in one account!
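One way to catch the stolen accounts while the spamrun is still going is to watch the Received: header the webmail stamps on outbound mail and look for logins that suddenly send in bursts or from several client addresses at once. The script below is an added example, not code from this post or from SquirrelMail. The header layout it parses (`Received: from <ip> (SquirrelMail authenticated user <login>) by <host> with HTTP; <date>`) is from memory and is an assumption to check against what your own installation writes; the sample headers, hosts, logins and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample headers (example only): two ordinary messages from alice,
# one unrelated Received: line, and a burst from bob's account out of three
# different client addresses within two minutes.
SAMPLE_RECEIVED = """\
Received: from 192.0.2.10 (SquirrelMail authenticated user alice) by webmail.example.net with HTTP; Tue, 11 Mar 2008 09:12:01 +0100
Received: from 192.0.2.10 (SquirrelMail authenticated user alice) by webmail.example.net with HTTP; Tue, 11 Mar 2008 09:40:17 +0100
Received: from mx.example.org (mx.example.org [192.0.2.1]) by mail.example.net with ESMTP; Tue, 11 Mar 2008 09:55:00 +0100
Received: from 198.51.100.7 (SquirrelMail authenticated user bob) by webmail.example.net with HTTP; Tue, 11 Mar 2008 10:02:44 +0100
Received: from 203.0.113.5 (SquirrelMail authenticated user bob) by webmail.example.net with HTTP; Tue, 11 Mar 2008 10:02:50 +0100
Received: from 203.0.113.5 (SquirrelMail authenticated user bob) by webmail.example.net with HTTP; Tue, 11 Mar 2008 10:03:01 +0100
Received: from 198.51.100.7 (SquirrelMail authenticated user bob) by webmail.example.net with HTTP; Tue, 11 Mar 2008 10:03:15 +0100
Received: from 192.0.2.200 (SquirrelMail authenticated user bob) by webmail.example.net with HTTP; Tue, 11 Mar 2008 10:03:30 +0100
Received: from 192.0.2.200 (SquirrelMail authenticated user bob) by webmail.example.net with HTTP; Tue, 11 Mar 2008 10:04:02 +0100
"""

# Assumed header shape; adjust the pattern to what your SquirrelMail version writes.
RECEIVED_RE = re.compile(
    r"^Received: from (?P<ip>\S+) \(SquirrelMail authenticated user "
    r"(?P<user>\S+)\) by (?P<host>\S+) with HTTP; (?P<date>.+)$"
)


def parse_received(lines):
    """Yield (login, client_ip, datetime) for every matching Received: line."""
    for line in lines:
        m = RECEIVED_RE.match(line.strip())
        if m:
            yield m["user"], m["ip"], parsedate_to_datetime(m["date"])


def find_suspicious(lines, burst=5, window=timedelta(minutes=10), max_ips=2):
    """Flag logins that sent `burst` messages inside `window`, or sent from
    more than `max_ips` distinct client addresses.  Returns {login: [reasons]}.

    A real webmail user rarely does either; a spammer working a stolen
    password through several proxies does both.
    """
    per_user = defaultdict(list)
    for user, ip, when in parse_received(lines):
        per_user[user].append((when, ip))

    flagged = {}
    for user, events in per_user.items():
        events.sort()                       # by timestamp
        times = [t for t, _ in events]
        reasons = []
        # sliding window: for each message, how many follow it within `window`?
        for i, start in enumerate(times):
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= burst:
                reasons.append(f"{j - i} messages within {window}")
                break
        ips = {ip for _, ip in events}
        if len(ips) > max_ips:
            reasons.append(f"sent from {len(ips)} client IPs: {sorted(ips)}")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    for login, why in find_suspicious(SAMPLE_RECEIVED.splitlines()).items():
        print(login, "->", "; ".join(why))
```

Feed it the headers of your outbound queue or the Sent folders, lock the flagged accounts and reset their passwords; the thresholds are starting points, not tuned values.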

Bad Behavior blockout

Wednesday, December 12th, 2007

Got blocked from your blog, or other Bad Behavior equipped software? Update it. I got word that my wiki didn’t work, and went looking for an explanation when I couldn’t even log in myself. Here’s the writeup from the creator of Bad Behavior:

Upgrade to 2.0.11

Monitoring your IP space

Wednesday, May 2nd, 2007

I occasionally find ways to monitor IP space for spam, viruses etc. Here’s one such new way to monitor your IP space:

Project Honeypot’s IP space monitoring

You know, I once notified my neighbor that his machine was compromised because of one of those services. Turns out he had a pirated version of windows (I believe it was windows 2000?). Because of that he didn’t get updates. Let’s just say that machine was doomed. Format c: /s - or something like that.

The upload spammer

Sunday, August 6th, 2006

Webspam is constantly evolving. A while ago a spammer told us that spammers had long since moved on from what we anti-spammers were writing about, that webspam had moved on from comment spamming blogs. And I was sure he was right. What I'm seeing now is the newbies spamming my blog: the spammers who don't yet know what they're doing, for the most part, with a few comment spammers who rely on inventive wording thrown in.

Today I’ve been on the trail of a spammer who’s constantly trying new things. He’s been at this for a long time. Eugene Blagodarny (some of you are no doubt tired of my talking about him). Lately he’s been using upload scripts to place spammy pages on otherwise clean sites. Not links to spammy pages, but regular throwaways that redirect to his money sites or his affiliate links. There might be other spammers doing the same thing, I just haven’t found their trails yet.

And this guy is using any upload script he can find. He’s not just searching for specific types of scripts. In one case I confirmed that he misused a custom written script that was used on ONE website.

In addition to any upload script he can get to accept his HTML pages (usually with a .htm extension), he'll leave comments or user profiles anywhere his JavaScript redirects will work. Some of his favorites are HyperNews (comments), TWiki (user profiles) and SnipSnap (user profiles with uploads). He's also (I assume) signed up for user accounts at CompuServe in Germany.

He then comment spams other websites with links to his upload pages and redirect enabled comments, in order to get them into search engines. They’re often hidden on the websites he’s uploaded them to, so he needs to get them linked by other means.

What does all this mean?

If you've got a website with an upload script that accepts HTML files, you need to be alert. Either recode it to reject HTML files, keep a good admin interface and check it for new uploads every day, or remove the script altogether. Another possible option, if you haven't been targeted yet, is a robots.txt that bans search engine indexing of the directories your uploaded files are deposited in. That keeps the pages out of the search engines, which is what the spammer is after, but it does nothing to stop the uploads themselves, and the pages are still served to anyone who has the link.

If you've got an interactive script on your website, make sure it doesn't allow JavaScript redirects. That includes old scripts for guestbooks, forums etc.

If you've got a free website service, such as free homepages, free blogs, free groups or free forums, you need to recode those services so JavaScript redirects won't work. Disabling iframes and frames that point off-site would also be proactive. I know of at least one free webhost who runs scripts every night looking for certain keywords that spammers tend to use, and then disables pages en masse. Identifying obfuscated redirects would also help you remove other sites with those redirects on them.
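An added example (not code from this post, nor from any of the upload scripts it names) of the first option above, rejecting HTML at the upload gate. It refuses the extensions a web server would hand to the browser as a page, and, because a renamed file can still be sniffed into HTML by the browser, it also looks at the content itself. The extension list, the sniffing depth and the marker tags are my choices, and the sample files in the usage are constructed.

```python
import re

# Extensions a typical web server maps to a browser-rendered type, plus
# server-side ones in case the upload directory is executable.  Assumed list;
# extend it for your own server's mime.types.
BLOCKED_EXTENSIONS = {
    "htm", "html", "xhtml", "xht", "shtml", "mht", "mhtml",
    "svg",                              # XML, but it can carry <script>
    "php", "phtml", "cgi", "pl", "asp", "jsp",
}

# Markup that makes a file renderable as a page.  Matched on the head of the
# file so that "photo.jpg" whose bytes start with <html> is caught too.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|script|meta|iframe|frame|frameset"
    rb"|svg|object|embed)\b",
    re.IGNORECASE,
)


def looks_like_html(data: bytes, sniff_len: int = 1024) -> bool:
    """Cheap content sniff over the first `sniff_len` bytes, BOM stripped."""
    head = data[:sniff_len].lstrip(b"\xef\xbb\xbf")
    return HTML_MARKERS.search(head) is not None


def check_upload(filename: str, data: bytes):
    """Gate for an upload handler.  Returns (accepted, reason)."""
    # strip any client-supplied path, then examine every suffix so that
    # page.html.txt and page.txt.html are both refused
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()
    for ext in name.split(".")[1:]:
        if ext in BLOCKED_EXTENSIONS:
            return False, f"extension .{ext} is not allowed"
    if looks_like_html(data):
        return False, "content looks like HTML regardless of its name"
    return True, "ok"


if __name__ == "__main__":
    # constructed sample uploads
    for fname, blob in [
        ("notes.txt", b"plain notes"),
        ("page.htm", b"<p>hi</p>"),
        ("page.html.txt", b"anything"),
        ("photo.jpg", b"\xef\xbb\xbf<!DOCTYPE html><html>"),
        ("chart.svg", b'<svg xmlns="http://www.w3.org/2000/svg">'),
    ]:
        print(fname, check_upload(fname, blob))
```

The sniff is deliberately conservative: a README.txt that happens to mention `<script` gets refused too, which is the right trade for a public upload box. If you must accept HTML, serve it from a separate hostname or force `Content-Disposition: attachment`, so that nothing uploaded is ever rendered as part of your site.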

Nuke redirect code

Saturday, August 5th, 2006

While looking at HyperNews misuse, I started thinking. How would an owner of a HyperNews site nuke all the comments with redirects?

A script that looks for common redirect code would get a lot of those comments, provided the template itself doesn't contain that type of code. On the other hand, HyperNews is dead. It's too hard to keep up these days. Spammers will just pump out the comments without checking for admins who clean their installations. So the only logical step is to remove the software altogether.

But, owners of free blogs and free websites, should definitely scan for redirect code. And remember that the moment you remove sites containing one type of code, the spammers will try and outwit you. So it’s an arms race, all the way.
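The redirect scan this post and the previous one ("The upload spammer") call for, as an added example that is not code from either post or from HyperNews. It first peels off the cheap encodings comment spammers wrap redirects in (HTML entities, String.fromCharCode, \x and \u escapes, percent-encoding inside unescape()), then looks for meta refresh, JavaScript location changes and frames into someone else's site. The pattern list, the own-site hostname parameter and the sample comments are constructed assumptions.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Constructed sample comments (example only); hostnames are invented.
SAMPLE_COMMENTS = [
    "Nice article, thanks!",
    '<script>window.location.href="http://casino.example/";</script>',
    '<meta http-equiv="refresh" content="0;url=http://pills.example/">',
    # eval(unescape(...)) hiding  window.location="http://bad.example/"
    "<script>eval(unescape('%77%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f%6e%3d"
    "%22%68%74%74%70%3a%2f%2f%62%61%64%2e%65%78%61%6d%70%6c%65%2f%22'))</script>",
    # document.write(String.fromCharCode(...)) hiding  <iframe src="http://bad.example/">
    "<script>document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,"
    "99,61,34,104,116,116,112,58,47,47,98,97,100,46,101,120,97,109,112,108,101,47,34,62))</script>",
    'Useful, see <iframe src="/help/faq"></iframe>',
    '<iframe src="http://affiliate.example/track" width="1" height="1"></iframe>',
]

REDIRECT_PATTERNS = [
    ("meta refresh",
     re.compile(r"<meta\b[^>]*http-equiv\s*=\s*[\"']?refresh", re.I)),
    ("js location assignment",
     re.compile(r"\b(?:window|document|top|self|parent)\.location(?:\.href)?\s*=(?!=)", re.I)),
    ("js location call",
     re.compile(r"\blocation\.(?:replace|assign)\s*\(", re.I)),
]
FRAME_RE = re.compile(r"<(?:iframe|frame)\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
# constructs whose only purpose in a blog comment is to hide something
OBFUSCATION_RE = re.compile(
    r"\b(?:eval|unescape|atob|String\.fromCharCode|document\.write)\s*\(", re.I)


def deobfuscate(text: str) -> str:
    """Undo the encodings comment spammers layer over redirect code."""
    text = html.unescape(text)                        # &#119;indow, &lt;script&gt;
    text = re.sub(r"String\.fromCharCode\s*\(([\d\s,]+)\)",
                  lambda m: "".join(chr(int(c)) for c in re.findall(r"\d+", m.group(1))),
                  text, flags=re.I)                   # String.fromCharCode(60,105,...)
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)  # \x3c
    text = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)  # \u003c
    return unquote(text)                              # unescape('%77%69...')


def find_redirects(content: str, own_host: str):
    """Return [(what, evidence), ...] for every redirect found in one comment."""
    findings = []
    decoded = deobfuscate(content)
    for name, pat in REDIRECT_PATTERNS:
        m = pat.search(decoded)
        if m:
            findings.append((name, m.group(0)))
    for m in FRAME_RE.finditer(decoded):
        host = urlsplit(m.group(1)).hostname
        if host and host.lower() != own_host.lower():   # frames into our own site are fine
            findings.append(("off-site frame", m.group(1)))
    if findings:
        o = OBFUSCATION_RE.search(content)
        if o:                                           # note that it was hidden on purpose
            findings.append(("obfuscated", o.group(0)))
    return findings


def scan_comments(comments, own_host):
    """Map comment index -> findings, for the comments that need nuking."""
    return {i: f for i, c in enumerate(comments) if (f := find_redirects(c, own_host))}


if __name__ == "__main__":
    for idx, hits in scan_comments(SAMPLE_COMMENTS, "myblog.example").items():
        print(idx, hits)
```

Run it over the comment or profile table before deleting anything, and keep the decoded text in the report: when the spammer changes encoding, the decoded form is what tells you which layer to add next.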

And if you've got a website with any kind of interaction: the spammers will find a way to use your scripts against you. So you need to stay vigilant and monitor everything. Don't want to monitor anything? Remove all the interactive stuff and stick to clean HTML. OK, CSS might work, but PHP and CGI are out. While you're at it, you should move to a dedicated box… ;-)

Seriously, the most cutting edge is way beyond guestbook spam by now. It’s high time we rethink our old methods for combating webspam. It just doesn’t work.

Update: Check out Google Groups spamvertizing of HyperNews spam. Don’t know what the point is, unless Googlebot spiders links in their groups. But there it is anyway.

Uploading scripts need to be removed

Saturday, August 5th, 2006

Eugene Blagodarny has started using uploading scripts as means of turning regular clean websites into spammy websites.

Here’s an example (that will hopefully be removed soon) of his handiwork:

m4l.berlios.de/pub/Main/MarkusMerk/

He likes using the username MarkusMerk.

But the problem goes deeper. Any file upload facility needs to be turned off unless you're able to monitor it daily (wikis that aren't too busy might be able to keep it a little longer; MediaWiki also seems immune, since it doesn't accept HTML files). Upload facilities are often part of wikis, forums and content management systems that support communities. The SnipSnap blog software is especially vulnerable.

And HyperNews needs to be removed altogether. It's a forum-like script, with articles that can be commented on. It allows JavaScript redirects, and Eugene has been turning any installation he finds into spam heaven for a while now. I notified the creator of the script of the problem a few weeks ago. So far no response.

Why ISP’s don’t monitor and catch zombies

Friday, June 9th, 2006

There has been a lot of talk about zombies and how ISP’s are the ones that should catch and quarantine them. You won’t get an argument from me about that. They should, period.

But why don’t they?

They are in the business of making customers happy, period.

And customers who feel spied upon and vilified by their ISP aren’t happy.

So we need the zombie catchers to tell us how we can spy on our customers in such a way they won’t feel like we’re reading their mail, or know what they’re doing. They want to be able to keep using P2P networks in peace, and whatever else they’re doing, short of child porn.

Why you should reject mail to nonexistent users

Saturday, May 27th, 2006

This story tells of how spammers deliberately use the mailservers of big companies to serve their e-mails:

Joe-job spammers shift tactics to evade filters | The Register

The thing is, that wouldn't be possible if the big company's mail server rejected mail to nonexistent users during the SMTP transaction instead of accepting it and bouncing it afterwards. Once a message has been accepted with a 250, the only place a non-delivery report can go is the envelope sender, and in a joe job that is the forged address of the victim the spammer wanted to reach. Refuse the recipient at RCPT TO with a 550 and the failure stays with the sending machine, which is the spammer's own.
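As an added example (not code from this post or from The Register article), here is the difference modelled as an SMTP exchange between a spam bot and a minimal receiver, run once with the recipient check at RCPT TO and once without. Addresses and hostnames are invented, the receiver is a toy and not a real MTA, and the reply codes are the usual ones from RFC 5321 and RFC 3463.

```python
import re

# Constructed session (example only): a bot delivers to a nonexistent mailbox
# at bigcorp.example with a forged envelope sender, the joe-job victim.
BOT_SESSION = [
    "EHLO bot.example",
    "MAIL FROM:<victim@innocent.example>",
    "RCPT TO:<nosuchuser@bigcorp.example>",
    "DATA",
    "Subject: buy now",
    "",
    "spam body",
    ".",
    "QUIT",
]


def _address(arg: str) -> str:
    """Pull the address out of 'FROM:<a@b>' / 'TO:<a@b>'."""
    m = re.search(r"<([^>]*)>", arg)
    return (m.group(1) if m else arg.split(":", 1)[-1]).strip()


class Receiver:
    """Tiny model of an inbound MX: just enough SMTP to show where a
    nonexistent recipient gets refused and what that costs later."""

    def __init__(self, domain, users, reject_unknown_at_rcpt):
        self.domain = domain
        self.users = set(users)
        self.reject_unknown_at_rcpt = reject_unknown_at_rcpt
        self.sender = None
        self.rcpts = []
        self.in_data = False
        self.body = []
        self.bounces = []            # DSNs this server is now obliged to send out

    def local_user_exists(self, addr):
        local, _, domain = addr.partition("@")
        return domain == self.domain and local in self.users

    def feed(self, line):
        """Handle one client line; return the reply (None for body lines)."""
        if self.in_data:
            if line != ".":
                self.body.append(line)
                return None
            self.in_data = False
            return self._end_of_data()
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return f"250 mx.{self.domain}"
        if verb == "MAIL":
            self.sender = _address(arg)
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            rcpt = _address(arg)
            if rcpt.partition("@")[2] != self.domain:
                return "554 5.7.1 Relay access denied"
            if self.reject_unknown_at_rcpt and not self.local_user_exists(rcpt):
                # refused here, the failure belongs to the sending MTA; nothing to bounce
                return f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown"
            self.rcpts.append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "554 5.5.1 No valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Command not recognized"

    def _end_of_data(self):
        # Accepted with a 250: whatever cannot be delivered now goes back to
        # the envelope sender, i.e. to whoever the spammer chose to forge.
        for rcpt in self.rcpts:
            if not self.local_user_exists(rcpt) and self.sender:   # never bounce to <>
                self.bounces.append({"to": self.sender, "undeliverable": rcpt})
        self.rcpts, self.body = [], []
        return "250 2.0.0 Ok: queued"


def run_session(receiver, client_lines):
    """Drive a receiver with a scripted client; return the server's replies."""
    replies, skip_body = [], False
    for line in client_lines:
        if skip_body:                 # no 354 was given, so the client never sends the body
            skip_body = line != "."
            continue
        reply = receiver.feed(line)
        if reply is not None:
            replies.append(reply)
        if line.upper() == "DATA" and not reply.startswith("354"):
            skip_body = True
    return replies


if __name__ == "__main__":
    for check_at_rcpt in (True, False):
        mx = Receiver("bigcorp.example", ["alice", "bob"], check_at_rcpt)
        for r in run_session(mx, BOT_SESSION):
            print("S:", r)
        print("bounces generated:", mx.bounces, "\n")
```

With the check at RCPT TO the exchange ends at the 550 and `bounces` stays empty; without it the spam is queued and the server itself now has to mail a non-delivery report to victim@innocent.example, which is the backscatter the article describes.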

Hiding spamtraps in plain sight

Friday, May 26th, 2006

The proper way to collect spam you want to use for going after the bad guys is to hide the trap addresses in plain sight and never publicize them.

So I’ve been working on a theory of how it could be done - by regular dudes.

Say you have a website and you want to hide a spamtrap on that domain. Put a link on your front page. Hide it under an image nobody would think to click on, such as a plain counter or something else silly. Put a nofollow on the link, and keep search engine spiders out of the trap page itself (a robots noindex on that page), just in case there are links to it from somewhere else (who knows, right?). The nofollow is there because what the trap page does is something Google frowns on, so you don't want Google following your own link into it.

You'll use invisible text to stash a mailto and the e-mail address, just the way the harvesting bots like 'em. I doubt they'd be able to differentiate between visible and invisible text, eh?

This is just a theory. Feel free to jump in and tell me why it’s a stupid theory.

Spammers and misspellings

Thursday, May 25th, 2006

This isn’t something ordinary users will see much of. But come again if you’re the administrator of a busy mailserver…

Spammer lists of e-mail addresses are full of misspellings. I can only imagine where they’re coming from!

*improper line breaks? lastname-firstname.lastname@domain.tld is quite common

*an extra or missing first letter. Yep, they lose the first character of the username, or even append one or more.

*Made up usernames. Sure, that’s a given, they do dictionary attacks, after all.
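A small classifier, added here and not from the original post, that sorts rejected recipient addresses into the three buckets above, so you can see how much of your "user unknown" traffic is list damage and how much is plain guessing. The valid user list, the domain and the rejected addresses are constructed; the separator set and the "at most two extra leading characters" rule are my assumptions.

```python
from collections import Counter

# Constructed sample data (example only).
VALID_USERS = {"john.smith", "jane.doe", "postmaster", "sales"}
DOMAIN = "example.com"
REJECTED = [
    "smith-jane.doe@example.com",   # fragment of the previous list line glued on
    "ohn.smith@example.com",        # first character lost
    "ales@example.com",             # first character lost
    "xjohn.smith@example.com",      # one extra leading character
    "abjohn.smith@example.com",     # two extra leading characters
    "bob@example.com",              # dictionary guess
    "qwerty@example.com",           # dictionary guess
    "jane.doe@other.example",       # not ours at all
]

SEPARATORS = "-_+."


def classify(recipient, valid_users, domain):
    """Return (category, matched_user) for one rejected recipient."""
    local, _, dom = recipient.strip().lower().partition("@")
    if dom != domain:
        return ("foreign domain", None)
    if local in valid_users:
        return ("valid", local)
    # 1. a piece of a neighbouring entry glued on by a broken line break:
    #    "smith-jane.doe" where jane.doe is a real user
    for i, ch in enumerate(local):
        if ch in SEPARATORS and local[i + 1:] in valid_users:
            return ("fragment glued on", local[i + 1:])
    # 2a. one or two stray characters in front of a real user: "xjohn.smith"
    for user in valid_users:
        extra = len(local) - len(user)
        if 0 < extra <= 2 and local.endswith(user):
            return ("extra leading characters", user)
    # 2b. first character of a real user dropped: "ohn.smith"
    for user in valid_users:
        if user[1:] == local:
            return ("first character missing", user)
    # 3. nothing close: a made-up or dictionary name
    return ("made up", None)


def tally(recipients, valid_users, domain):
    """Count how many rejected recipients fall into each category."""
    return Counter(classify(r, valid_users, domain)[0] for r in recipients)


if __name__ == "__main__":
    for r in REJECTED:
        print(f"{r:32} {classify(r, VALID_USERS, DOMAIN)}")
    print(tally(REJECTED, VALID_USERS, DOMAIN))
```

Feed it the rejected recipients from your MTA log; a high "fragment glued on" or "first character missing" share tells you the sender is working from a damaged harvested list rather than guessing, which is the kind of thing worth noting before you decide to tarpit or block the source.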