Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« March 2006 | Main | May 2006 »

April 29, 2006

Blog Comment Spam Permalink

When I started this blog, I made a conscious decision to not permit comments. I know it's not particularly democratic (I would be a benevolent dictator), but the alternatives were not very pleasant. I've seen blog after blog be killed with comment spam. The typical way to block it is to start a registration system. But I don't want to collect anyone's email address, nor do I have the time to act as a filter or moderator.

Not allowing comments, however, hasn't stopped comment spammers from trying to sneak their way into this site. Here's the submission from one who must have thought that my Contact Form feeds directly into a visible page somewhere:

Name:
   Alena
Question:
   <a href="http://[domain_removed].com">Hello all</a>I will continue to visit enjoyed the reading thanks

That is the quintessential comment spam—a compliment about how great the blog is, with a link to some spamvertised site. The double goal here is to get search engine crawlers to log a link to the spamvertised site, thus facilitating the spamvertised site being crawled and noted as being linked to by third-party sites.

The spamvertised site didn't even get a visit from me. A little research suggests that it's an "adult" site.

Perhaps the fact that they expended the effort with a very low probability of success means that they're getting more desperate. One can only hope.

Posted on April 29, 2006 at 09:30 AM

April 25, 2006

What Will They Sell Next? Permalink

Here's a spam subject line that gets the imagination racing:

Subject: shame of sex? we can change it

The source code view of the message, however, reveals it to be your basic Cialis drug spam.

Whew!

Posted on April 25, 2006 at 12:31 PM
About Passwords Permalink

I rant and rave in Spam Wars about the bane of passwords for online activity, along with recommendations about how to create good ones and even record them safely.

Microsoft has also written up some guidelines about generating secure passwords that are pretty good. It's worth a read, if for no other reason than to observe how weak most user passwords are.

The article points to another page that has a password checker script running on it, where you can enter a password and let it evaluate whether it considers the password to be weak, strong, or "best." Although I doubt that Microsoft is collecting passwords as you enter them (the script runs only on the client), I (and the SANS Internet Storm Center) still recommend against entering an actual password into the field to test. Trying a fake password with the same pattern of characters (lowercase, uppercase, number, symbol) would be safer, and should yield the same result.

Creating a set of strong passwords is only half the battle. The other half is making sure you don't get punk'd into giving them up to phishers and other crooks.

Posted on April 25, 2006 at 11:30 AM

April 16, 2006

About the "Email Tax" Permalink

On April 3, 2006, I was one of several witnesses who testified before a Select Committe in Sacramento, CA. The title of the hearing chaired by Senator Dean Florez was: "AOL: You Have Certified Mail! Will Paid E-mail Lead to Separate, Unequal Systems or is it the Foolproof Answer to Spam?"

This hearing grew out of the hubbub caused by AOL's announcement that it was going to use Goodmail as a sender accreditation service, and the outcry from various groups unified around the DearAOL campaign. That campaign did a good job of branding the notion of an "email tax" into the minds of many.

AOL managed to mis-communicate a lot of what it was doing with regard to whitelisting senders. And, just when you think they got their message out correctly, they "step in it" again by censoring email messages that included links to the DearAOL Web site. If they ever get to the bottom of that caper, I bet they'll find it was the work of an overzealous employee in the email department who was upset by the inflammatory (and often ill-informed) comments posted in the DearAOL blog, and didn't want any AOLer to learn about it. Unfortunately, the results make AOL look, once again, like an Evil Email Empire. They really have to stop aiming the rifle at their own feet and pulling the trigger.

Back to the Sacramento hearing, I was on the first panel of witnesses in a section titled "Defining the Issue." The following is a copy of my prepared statement read into the record.

My name is Danny Goodman, a freelance writer for the past 25 years (San Mateo County resident since 1983) and author of the book Spam Wars (2003, SelectBooks), as well as 41 other computer-related titles. To help me monitor electronic mail (email) systems that consumers face, I currently have email accounts at America Online, Comcast, EarthLink, Google, and Hotmail. My primary email activity is based at my own domain (dannyg.com), where I have managed the email server since 1995, including responsibility for all spam filtering. Spam and virus statistics from that domain are posted daily at my Spam Wars web site (spamwars.com/stats.html).

I appear here today to share my thoughts from the point of view of my primary audience, the electronic mail-using consumer. Issues surrounding email spam are complex, but I will limit this discussion to the area of deliverability of email messages, which appears to be the crux of some recent controversy.

As I document in my book, an absolute definition of “spam” is difficult to establish. My working definition is as follows:

An automated email message sent to the recipient without explicit prior consent.

In practice, however, spam is in the eye of the recipient. To one ISP customer, the twelfth mortgage refinancing invitation of the day is highly undesirable; to another customer of the same ISP, that same message may be the only piece of email received the entire day, and may, in a sense, be welcomed as entertainment or even proof that one’s email is still working. However, if the volume of that kind of message increases beyond the recipient’s acceptable threshold, such email messages suddenly become a “spam problem.”

Overlooked in many legislative activities surrounding spam is that the subject matter of the message is of no importance to the “problem.” Thus, narrowing definitions to phrases such as “unsolicited commercial email” is a wasteful exercise. Instead, the problem with spam is that unlike unsolicited postal mail, spam places the greatest burden not on the sender, but on: a) the infrastructure that relays and receives messages; and b) the recipient, whose communications, computer, and time resources are gobbled up by a relentless flow of unwanted messages.

From the recipient’s point of view, the issue is one of consent, not content. An ideal relationship between sender and recipient is a two-way agreement: the sender transmits automated messages to the recipient because the recipient has explicitly requested to receive such messages. In other words, recipients are best served in what is called a “confirmed opt-in” scenario (the Direct Marketing Association refers to this technique as “double opt-in”). In this technique:


  1. The recipient signs up to receive mailings (typically at a web site) by submitting an email address to the sender.

  2. The sender responds via email to the submitted email address with a coded link.

  3. The recipient clicks on the link or enters the code into the sender’s web site to confirm that the subscription is a legitimate one.

This approach eliminates the possibility of “being subscribed” to a mailing list without the addressee’s prior consent. A sender who transmits automated messages exclusively to subscribers through the confirmed opt-in mechanism (and promptly handles subscription cancellations) is, in my opinion, a responsible email sender, not a spammer.

(Admittedly, some confirmed opt-in recipients either forget that they had confirmed their subscriptions, mistakenly report subscribed mailings as spam, or inherit reissued email addresses that had previously confirmed subscriptions. Thus, at times, even a responsible sender might be accused of spamming, but certainly not at the levels of a sender who indiscriminately transmits messages to address lists gathered through a variety of means, legal and otherwise.)

The bottom line for consumers’ relationships with their ISPs is that recipients want to receive messages that they want and would prefer that their ISPs filter or segregate messages that they don’t want, regardless of content. As simple as that request sounds, it presents enormous difficulties for ISPs.

Email filtering technologies improve all the time, as do spammers’ determination to bypass those filters. Even the best filtering technologies at the ISP level will be less than perfect. Some spam will get through; and some desired messages will get rejected, deleted, or sidetracked into “spam suspects” folders. In addressing its customers’ spam concerns, an ISP must constantly balance filtering undesirable email against delivering desirable email—and sometimes it’s the same message for different recipients.

I should also note that senders come in all shapes and sizes. Among the senders whose messages seem to be most undesirable among spam fighters in the United States are those who violate one or more provisions of the U.S. CAN-SPAM law. These are predominantly senders who use numerous deceptive tactics, fail to identify themselves, send to addresses illegally harvested from the Internet, rarely permit unsubscriptions, and relay their messages anonymously through hijacked computers around the world. It is their goal to minimize the expense of delivering as many messages to as many email addresses as possible so that even a minimal response rate will result in a profitable campaign.

It is this criminal class of spammer, along with the growing underworld of scammers and those dedicated to hijacking personal computers that cause the greatest grief to ISPs. Customers expect their ISPs to act as shields to this Bad Stuff. The efforts that responsible ISPs and organization email administrators expend—in terms of software, hardware, and personnel—to fight off this incessant flood is the real “email tax” that everyone pays, like it or not. Every email user pays that tax with time and/or money (e.g., a portion of subscription fees).

That an ISP would turn to an email sender accreditation service as a tool to manage incoming email is not surprising. My understanding of these services is that they assist an ISP in determining if a particular sender adheres to defined guidelines. On the one hand, the mass of sleazy spammers who commit the most and worst offenses would never subscribe to any such service because of both the expense and the need to identify themselves truthfully. On the other hand, if an ISP used such a service as the exclusive gatekeeper to incoming automated email, it would fail to deliver some desired messages from legitimate and responsible email senders who can’t or won’t pay for accreditation. Customers of such an ISP would soon revolt and leave for the other readily available ISP alternatives (or use other email systems accessible through the Internet, including free ones). It wouldn’t take long for a host of unaccredited but responsible confirmed opt-in senders to warn potential subscribers away from “ISP X” because it doesn’t deliver their mailings. Woe unto the ISP who is perceived to be an arbitrary censor of desirable incoming email.

Additionally, if an ISP uses such a service as just one of many tools to manage email, customers would equally revolt if they discover that a sender who pays his way automatically gets a “free ride” for unwanted messages into inboxes. Just as spam is in they eye of the recipient, a garbage email message will still be considered a garbage email message, no matter how many “gold stars” the ISP attaches to it. If the service and ISP do a poor job of eliminating unwanted messages of any kind, the customer has little incentive to remain a customer. Woe unto the ISP who allows itself to become known as a spam conduit.

As I stated earlier, email users simply want to receive messages they want and not be flooded with messages they don’t want. An ISP that applies tools that fail at that basic task risks losing its customers in what has become a highly competitive marketplace.

My personal take on the DearAOL uproar is that it has turned out to be a tempest in a teapot. On the other hand, it's great that there are people and organizations out there to keep an eye on powerful business entities and call those companies to task for potentially abusing their powers. Those behind DearAOL also learned (as if they didn't already know) that a short, catchy word banner ("email tax") leaves an impression more powerful and longer lasting than the meat of the details being said in front of it. Reminds me of "Mission Accomplished."

Posted on April 16, 2006 at 01:24 PM

April 15, 2006

Social Engineering and Spyware Permalink

Imagine receiving an email message that begins as follows:

To: dannyg@dannyg.com
Subject: Your computer is infected
From: Microsoft Corporation
Date: Sat, 15 Apr 2006 00:58:40 -0700 (PDT)

Your Computer is Infected with Spyware!
Please make updates to your antivirus.

After that comes some marketing blah blah about a product called TrustSoft AntiSpyware. You are then urged to "click here" to "be redirected to the TrustSoft AntiSpyware product page." Unless you look into the source code of the email message, you probably won't see the URL that you'll visit by "clicking here":

http://[domain_removed].com/.update.microsoft.com/.winupdate/.spyware/Setup.exe

That link is directly to a Windows executable file, which will either download or run on your machine (depending on your settings and dialog box choices). My source for evaluating malware is not working at the moment, so I can't definitively tell you which piece of garbage this Setup.exe file is. I'll append an update if I find out more.

This email message is intriguing for a couple of reasons.

First, whatever the initial payload is, it is not being served directly from TrustSoft's Web site. Instead, somebody has hijacked a Web site in much the same manner that so many Web sites around the world get hijacked to host phishing pages and identity data capture software. The dead giveaway is the use of directory names that begin with a period. Directories with these names probably would not show up in directory listings viewed by the site's owner. Phishing hijackers do this all the time, making it difficult for less-than-geeky Web site administrators to even believe that their sites have been compromised.

Second, at this point, it's hard to know if this spamming campaign is being done by a TrustSoft affiliate (who is breaking numerous CAN-SPAM law provisions), or if it's someone simply abusing the TrustSoft name in the email message to spread some completely unrelated chunk of malware. TrustSoft has, in the past, run afoul of U.S. law, so it makes them an easy target for a Joe Job.

But let's just take another look at this message through the eyes of an unsuspecting and non-technical email user. You've probably heard that spyware is bad ("mmkay"). And here you get a message that says it's from Microsoft advising you that your computer is infected. "Oh dear," you say, "I'd better click the link to get a free download of this antispyware program!"

Click, you're dead.

UPDATE: Analysis of the payload reveals it to be a Trojan that uses Internet Relay Chat (IRC) channels to communicate with its "controllers." The precise activity that your PC would be called upon to do would be up to the controller du jour, but likely one or more of the following: keylogging, spam relay, adware, email address harvesting.

Posted on April 15, 2006 at 10:40 AM

April 03, 2006

Phishing Phony Survey Prices Falling! Permalink

On the heels of what can be called a flood of phishing messages promising $20 gift certificates for filling out a Chase Bank survey, I just saw a message promising only $15.

Quiz:

A) Has the phishing bubble burst?
B) Will prices plummet for future phony surveys that want to capture your login, password, and credit card number?
C) Is it just a stupid phisher who doesn't realize that to catch more phish, you have to increase the bait?

Answer:
C

Posted on April 03, 2006 at 10:27 AM