eWeek’s ‘Spammers Upending DNS’ article

Spam: eWeek recently published an article entitled ‘Spammers’ New Tactic Upends DNS’, which notes that:

One .. technique finding favor with spammers involves sending mass mailings in the middle of the night from a domain that has not yet been registered. After the mailings go out, the spammer registers the domain early the next morning.

By doing this, spammers hope to avoid stiff CAN-SPAM fines through minimal exposure and visibility with a given domain. The ruse, they hope, makes them more difficult to find and prosecute.

The scheme, however, has unintended consequences of its own. During the interval between mailing and registration, the SMTP servers on the recipients’ networks attempt Domain Name System look-ups on the nonexistent domain, causing delays and timeouts on the DNS servers and backups in SMTP message queues.

This had me stumped when I read it: an email from a nonexistent domain is a pretty reliable spamsign (SpamAssassin’s NO_DNS_FOR_FROM rule, for example, tests for exactly that, hits about 2% of spam, and has been in the default ruleset for several years), and there’s no sign of that behaviour in our spam traps.

After some discussion, Suresh Ramasubramanian came up with this explanation of what’s really happening:

Verisign now allows immediate (well, within about 10 minutes) updates of .com/.net zones (also same for .biz) while whois data is still updated once or twice a day. That means if spammer registers (a) new domain he’ll be able to use it immediatly (sic) and it’ll not yet show up in whois (and so not be immediatly identifiable to spam reporting tools) - and spammers are in fact using this “feature” more and more!

That sounds like a much more likely explanation, and it matches what’s been seen in the traps.

So: WHOIS, not DNS.


Slides from Toorcon 2004

Spam: my slides from the presentation I gave at Toorcon 2004, ‘Spam Forensics: Reverse-Engineering Spammer Tactics’, are now up. Hope they prove enlightening ;)


ToorCon

Conferences: Hey — I’m talking at ToorCon 2004 down in San Diego this weekend! Come along and check it out, if you can.

I’d better hurry up and file my presentation slides pronto ;) The topic is:

Spam Forensics: Reverse-Engineering Spammer Tactics

In this talk, I’ll discuss how the SpamAssassin project has identified reliable signatures indicating that a message is spam, by reverse-engineering spammer tactics from the spam mails themselves. I’ll also discuss several specific features that we have identified, how we found them, and why the spammers add them.


“Vice-President Hunter Thompson”

Politics: Kerry in Colorado:

“Just to put your minds all at ease, I have four words for you that I know will relieve you greatly,” Kerry told the fund-raiser. “How does this sound? Vice President Hunter Thompson.”

Travel: Great posting on culture shock and ‘going native’ at Yankee Fog.

Hacks: Dan Kaminsky’s LayerOne presentation hits Slashdot. Definitely one of the highlights of that conference.

Spam: confession for two: a spammer spills it all. Interesting — especially since the spammer winds up earning less than he would have working for Starbucks.

It’s also worth noting this posting from Gary Smith on the sa-users list, in which Gary filled out a spam form with some not-entirely-valid info — with hilarious results!

So I did talk to some of these lenders. Apparently they buy leads from www.lendergateway.com. One guy that I talked to was irritated because it costs him $100 per lead they sell him and it’s supposed to only be sold to him. He apologized quite a bit and was nice enough to give me the information on who sold him the names. The number he gave me goes to voicemail which I’m going to try later. A couple other people told me what I can do with myself and one lady kept saying that she couldn’t give me information on who provided her with my information.

The stupid thing is each time I talk to them I tell them I’m on a cell and that I need their name and number and I’ll call them right back. They give it to me… So when they hang up I start calling again and again. I’ve been irritating the hell out of them…

Anyways, that’s the fun story of what happens when these forms are filled out.

$100 per spurious ‘lead’ would make a serious dent, if enough spurious leads showed up… ;)


LayerOne

Conferences: LayerOne was seriously great! Got to meet up with some really interesting people; discuss some nifty stuff; and get some new angles on the whole hacking scene.

Seriously, that was well worthwhile, especially in terms of potential new ways to deal with spam, and issues to watch out for in terms of spammer techniques in future. A great techie conf, and the boozing^Wsocialising was pretty good too ;)

I’m actually giving some thought to going to Defcon after that…


‘Social networks’ spam filtering technique

Spam: /.: New Method of Spam Filtering: ‘A simple and easily implemented scheme for combating e-mail spam has been devised by two researchers in the United States. P. Oscar Boykin and Vwani Roychowdhury of the University of California, Los Angeles use their method to exploit the structure of social networks to quickly determine whether a given message comes from a friend or a spammer. The method works for only about half of all e-mails received - but in all of those cases, it sorts the mail into the right category.’

Abstract here. It appears that it classifies 53% of the emails and leaves the other 47% undiagnosed.

The problem with this scheme is that it relies on the data in the To, From, and CC fields being accurate. Currently, there’s no means to stop spammers faking those addresses.

A trivial way to get around this filter, as with the other filters that trust the From address, is for a spammer to send a message using your address in both the From and To fields. Most people would include themselves in their web of trust, so the spam would get through.

A more resilient method uses IP addresses from the Received headers in conjunction with the From address. Once you do this, you can no longer use To and CC data — and the scheme becomes pretty much the same as SpamAssassin’s auto-whitelist.
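Here is an added example (mine, not code from the post or from SpamAssassin) of the Received-header-plus-From keying described above; the MX name, network addresses and both sample messages are constructed. It takes the originating IP from the first Received line written by our own MX, pairs its /16 with the From address, and shows that a mail forging the owner’s address in both From and To is accepted by a header-only web of trust but not by the IP-keyed one.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Our own MX; only Received lines written by it are trusted.
# (Constructed names and addresses; nothing here is from the original post.)
TRUSTED_MX = {"mx.example.net"}
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(msg):
    """IP of the peer that handed the message to our MX.

    Received headers are stacked newest-first, so the first one written 'by'
    our own MX marks the trust boundary: the bracketed address in it is where
    the peer really connected from, whatever the lower (possibly forged)
    Received lines and the From header claim. None if no such line exists."""
    for rcvd in msg.get_all("Received", []):
        flat = " ".join(rcvd.split())
        by = re.search(r"\bby (\S+)", flat)
        if by and by.group(1).rstrip(";") in TRUSTED_MX:
            ip = IPV4_RE.search(flat)
            return ip.group(1) if ip else None
    return None


def awl_key(msg):
    """(From address, sender /16), the pairing SpamAssassin's auto-whitelist uses."""
    _, addr = parseaddr(msg.get("From", ""))
    ip = originating_ip(msg)
    if not addr or ip is None:
        return None
    return (addr.lower(), ".".join(ip.split(".")[:2]))


def header_only_key(msg):
    """The To/From/CC-based scheme the post criticises: trusts the From header alone."""
    return parseaddr(msg.get("From", ""))[1].lower()


# A genuine note-to-self, relayed by the owner's ISP (constructed).
GENUINE = (
    "Received: from smtp.isp.example.org (smtp.isp.example.org [192.0.2.10])\n"
    "\tby mx.example.net with ESMTP; Mon, 4 Oct 2004 10:00:00 +0100\n"
    "From: Me <me@example.net>\nTo: me@example.net\nSubject: note\n\nreminder\n"
)
# Spam forging the owner's address in From and To, from a dial-up pool (constructed).
FORGED = (
    "Received: from pool-77.dsl.example.com (unknown [198.51.100.77])\n"
    "\tby mx.example.net with SMTP; Mon, 4 Oct 2004 03:12:00 +0100\n"
    "Received: from [10.0.0.5] by mail.example.net with ESMTP; (forged line)\n"
    "From: me@example.net\nTo: me@example.net\nSubject: hi\n\nbuy stuff\n"
)


def compare():
    """Each scheme's verdict on the forged mail after learning the genuine one."""
    genuine, forged = message_from_string(GENUINE), message_from_string(FORGED)
    header_trust = {header_only_key(genuine)}
    awl_trust = {awl_key(genuine)}
    return {
        "header_only": "friend" if header_only_key(forged) in header_trust else "unknown",
        "awl": "friend" if awl_key(forged) in awl_trust else "unknown",
    }
```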


Unfortunate comic sound effects

Time Traveller Spammer caught

Wired: Turn Back the Spam of Time. An article about the time-travel spammer, now fingered as Robert ‘Robby’ Todino:

The anonymous e-mail offered $5,000 to any vendor capable of promptly delivering a collection of far-fetched gadgets for conducting time travel. Among the mysterious devices sought by the message’s author were an ‘Acme 5X24 series time transducing capacitor with built-in temporal displacement’ and an ‘AMD Dimensional Warp Generator module containing the GRC79 induction motor.’

He’s genuinely interested, it seems — but has a few psychological difficulties. (Thanks to Gary Stock for spotting it.)


A peek into a spammer’s inbox, and ‘targeting’

Aardvark.co.nz: The Sound Of A Spammer’s Laugh. Depressing reading. The article has screenshots of two MMF-spam dropboxes — here’s one. It’s full of mails from the spammer’s victims. Upshot: make sure your friends know not to reply to spam — and definitely not to MMF spam. Mind you, if you’re reading this blog, you and your friends are probably too smart for that anyway ;)

Also: Brad Templeton on spam’s 25th birthday; Brian Hayes in American Scientist. The latter has this nice (although wholly unscientific ;) graph of spam topics — and it sounds like Brian’s getting spammed by artmarket.com.

That raises an interesting point. Spam is frequently trumpeted (by the spammers) as ‘targeted’. What this often means, in reality, is that they’ve just randomly selected addresses and put them in a list as supposedly targeted for a given topic; or else run a Google search for a related term, and shoved a load of addresses from all pages found into a ‘targeted’ list.

For example, my spam load includes:

  • Artmarket, above. I’ve never been known to buy art, apart from a few cheapo prints, and that was off-line.

  • The septic tank spammers. I have about 30 spams from the last 2 years flogging septic tanks. I don’t even know what one looks like.

  • Turkish political spam. Don’t have a clue. I went to Turkey on holiday once, but I never gave my email address to anyone ;)

  • the obvious stuff everyone gets: Japanese, Chinese and Korean spam. I can’t even read the ideograms, let alone understand the written language.

Plus the usual MMF, get rich quick, and porno spam. Not once have I seen a spam hawking DVDs of Koyaanisqatsi, classic breakbeat releases, or the new William Gibson novel — now that would be targeting. But no…


Artprice/artlist: winners of the address-scraping spammer speed record

Wow. A spammer has already scraped my blog and caught that one-use cdt_comment_go address I posted a week or so ago. That has to be a record. Ah well, Bayes and the SBL are catching it nicely…

The spammer in question is artprice.com, aka artlist.com, aka a bunch of unrepentant spammers who’ve been out-and-out spamming for years, from France. Nothing worse than a full-time spamhaus. My consolation is that if they do this after August, I can prosecute them for it, since France is in the EU ;)

Just for reference, if anyone finds this on a Google search: the address was a one-use disposable job, for comments on a survey, posted once, and never used for sign-ups or even to send a single mail message. This is 100% spam, through and through.


Spamming my HTTP referrer logs, pt. 2

I’ve been getting a very weird attack on my sites recently, including this blog, the SpamAssassin websites, and http://jmason.org/ , whereby some luser is sending lots of requests, using made-up URLs in the referral field. Initially, I thought it was some kind of underpowered retaliation for SpamAssassin, but if that’s the case, they need to bone up a bit more on how these things work ;)

Alternatively, it could be an attempt to gain Googlejuice, by getting links from public referrer logs (my ones are).

Up ’til about a month ago, it was all porn sites. Recently, though, it’s been a selection of real domains that sound like they were put together by combining dictionary words or something.

All the attempts have come from IP address 216.127.68.58, owned by Everyone’s Internet, Inc. in Houston, TX:

216.127.68.58 - - [31/Mar/2003:00:01:53 +0100] "GET / HTTP/1.1" 200 72143 "http://www.aircheckfactory.com" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

Here are the domains in question:

  • AIRCHECKFACTORY.COM
  • ALTOTECHNOLOGY.COM
  • BAIDYANATHINDIA.COM
  • NXTCENTURY.COM
  • TIMEART.NET
  • WOTEVA.COM

Perhaps they’re recently lapsed domains which the spammer has picked up. Otherwise, what’s the connection between Baidyanath (a manufacturer of Ayurvedic products in India, thx Suresh) and ‘woteva’ (which sounds like ‘whatever’ in a UK English accent)?

I’ve whois’d them all, and they all seem to share two things: the name ‘Robert Woodley’ (or its initials), and the number (772) 594-2421. Area code 772 is (guess where) Florida. They should just cut to the chase and put ‘The Spammer State’ on their numberplates.

The pages on those sites are automatically generated from what looks like USENET postings and Google image search results, with a link to Commission Junction.

None of the names are in ROKSO, it seems. Do they ring a bell with anyone reading?


SpamAssassin Needs Your Help!

While thinking about the CDT’s report on spammer address-scraping techniques again, it occurred to me that one finding is very significant: high-traffic websites probably get much more spam than low-traffic ones.

Now, I’ve got spamtraps up on pretty much all my sites, using a variety of methods:


  • plain mailto links, with instructions to human users not to use them (don’t mail that one either, obviously ;)
  • hidden mailto links in the page’s <head> block (browsers will not display text elements outside the <body> block)
  • hidden mailto links in a <!-- HTML comment -->
  • empty mailto links in the text (i.e. <a href="mailto:foo"></a>)
  • mod_rewrite pages, which are displayed to spam-scraping bots instead of the real thing

But all my sites are small-time, really. ;) So — anyone out there in the blogosphere care to help out the SpamAssassin project, by feeding us trapped spam? It’d be simply a matter of adding a mailto: link, hidden in a comment on a prominent page of your high-traffic website. Gimme a mail to this address if you do.

(warning: that address will expire in 6 months. if you’re reading this after Aug 2003, use the addr on this page instead.)

The spam trapped in such a way is fed into a number of spamtrap-fed network systems, like Razor, DCC, Pyzor, and the Blitzed OPM blacklist. It’s also used during the SpamAssassin score-regeneration process.
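As an added illustration (mine, not code from the post or from SpamAssassin; the page and the addresses are constructed), the following builds a page carrying three of the trap placements listed above and contrasts what a regex-driven harvester pulls out of the raw source with the mailto links a browser would actually show. The gap between the two is what makes a mail to a trap address unambiguous: no human was ever shown it.

```python
import re
from html.parser import HTMLParser

# Constructed addresses for the example; none are the post's real traps.
VISIBLE = "contact@example.net"
TRAPS = {"head-trap@example.net", "comment-trap@example.net", "empty-trap@example.net"}


def trap_page() -> str:
    """Visible contact address plus three trap placements from the post: a
    mailto in <head>, one inside an HTML comment, and an empty anchor."""
    return """<html><head><title>Contact</title>
<a href="mailto:head-trap@example.net">never mail this</a>
</head><body>
<p>Humans: write to <a href="mailto:contact@example.net">contact@example.net</a>.</p>
<!-- <a href="mailto:comment-trap@example.net">hidden</a> -->
<a href="mailto:empty-trap@example.net"></a>
</body></html>"""


MAILTO_RE = re.compile(r'mailto:([^\s"\'<>]+)')


def scraper_harvest(html: str) -> set:
    """What a typical address harvester does: regex the raw source, which
    sees comments, <head> content and empty anchors just like real links."""
    return set(MAILTO_RE.findall(html))


class BrowserView(HTMLParser):
    """Approximates what a person sees: mailto anchors inside <body> that have
    link text. Comments never reach the data handler, <head> is skipped, and
    an empty <a></a> has nothing to click on."""

    def __init__(self):
        super().__init__()
        self.in_body, self.current, self.text, self.visible = False, None, "", set()

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_body = True
        elif tag == "a" and self.in_body:
            href = dict(attrs).get("href") or ""
            if href.startswith("mailto:"):
                self.current, self.text = href[len("mailto:"):], ""

    def handle_data(self, data):
        if self.current is not None:
            self.text += data

    def handle_endtag(self, tag):
        if tag == "a" and self.current is not None:
            if self.text.strip():
                self.visible.add(self.current)
            self.current = None


def human_visible(html: str) -> set:
    p = BrowserView()
    p.feed(html)
    return p.visible


def is_trap_hit(recipient: str) -> bool:
    """Inbound-mail check: a message to a trap address can only come from a harvester."""
    return recipient.strip().lower() in TRAPS
```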


Random Word of BIG LETTERS

Leonard notes the ‘Random word of mixed symbols with length 1 to 27’ type spammer obfuscation, suggesting it’s ‘open source spam’; I reckon it’s more ‘literate programming spam’, in that it’s self-documenting. But it certainly is very weird. Maybe some spamtool developer has a COBOL fetish.

Anyway, just got back from a very enjoyable work trip to find my visa documents have arrived — so things are probably going to heat up ’round about Thursday, when I have my interview at the US Embassy. Once that happens, it’s full speed ahead on flights, shipping, figuring out how to transport the cat, handing over the house to new tenants, etc. etc…


A sextet of ales!

Subject line of the week — sounds like the spammer’s been listening to Homer’s Vocabulary Builder tape:

Subject: < Hi Jm, I am Bella, concupiscent youngster >


Auth cookies in SMTP

Jeremy describes a way to kill off ‘joe-jobs’ — the practice of forging somebody’s address on spam, generally used to get around ‘does this user exist’ spam-filters, and also used to ‘punish’ folks the spammer doesn’t like. Anyway, JZ’s suggestion is this:

One of the ideas tossed about was to implement a system that would make it easy for any MTA (Mail Transfer Agent–the programs that deliver e-mail on the Internet) to verify that a message that claims to be from somebody@yahoo.com really is from a yahoo.com user.

This is technically doable. And it might be a good idea. Especially, as I argued, if one of the other big players (AOL or MSN/Hotmail) jumps on board and uses the same technique. If either one began to do the same, I expect that a domino effect would follow. Boom. Instant adoption.

But then he doesn’t say how to do this in a way that a spammer can’t forge. Dammit. ;)

Anyway, on with the message.

… However, one interesting objection was raised during the debate…

Wouldn’t that just cause spammers to prey on domains that are less equipped to ‘swallow a few million bounces per hour without breaking a sweat’? (To paraphrase a co-worker.)

Yep, it would — until those domains also instituted similar systems. Besides, those domains are victims already; I would say only about 50% of my spam comes from forged Yahoo!, Hotmail or other domains — the rest uses domains of small ISPs, and the occasional joe-job.

But back to the system. I would guess what Jeremy’s talking about is pretty similar to the system Pedro Melo describes in the comments. It consists of two components:

• a header added by the MTA at relay time — X-Originator-Signature.
  • This contains ‘an internal identifier for the person who sent it …, a timestamp, and a MD5 of those two fields and a third secret passphrase I keep.’
• a CGI script on a web server, which validates a pasted X-Originator-Signature header against what hashing those values with the secret passphrase produces, and responds ‘yea’ or ‘nay’.

A nifty idea. Jeremy, was that what you were thinking?
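An added sketch of those two components, written for this page and not Pedro Melo’s or Jeremy’s code: the header follows the quoted recipe (identifier, timestamp, MD5 over both plus a secret passphrase), while the field separator, the staleness window, the constant-time compare and the HMAC variant are my own assumptions. `verify` is what the CGI would run on a pasted header.

```python
import hashlib
import hmac

# Constructed secret for the example; the real passphrase never leaves the MTA.
SECRET = b"example-passphrase-not-for-production"
SEP = ";"                 # field separator (assumed; the comment names none)
MAX_AGE = 7 * 24 * 3600   # reject headers older than a week (assumed window)


def _tag(user_id: str, ts: int, secret: bytes, scheme: str) -> str:
    """Authenticator over (id, ts).  'md5' is the comment's recipe,
    MD5(id ; ts ; secret).  'hmac' is the hardened variant added here:
    HMAC-SHA256 is the purpose-built keyed construction and does not lean on
    MD5 or on an ad-hoc hash-of-data-plus-secret layout."""
    msg = f"{user_id}{SEP}{ts}".encode()
    if scheme == "md5":
        return hashlib.md5(msg + SEP.encode() + secret).hexdigest()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign(user_id: str, ts: int, secret: bytes = SECRET, scheme: str = "md5") -> str:
    """Build the X-Originator-Signature value the relaying MTA adds:
    '<internal id>;<unix timestamp>;<hex tag>'.  The separator must not
    appear inside the id, or the fields become ambiguous on parsing."""
    if SEP in user_id:
        raise ValueError("identifier must not contain the separator")
    return f"{user_id}{SEP}{ts}{SEP}{_tag(user_id, ts, secret, scheme)}"


def verify(header: str, now: int, secret: bytes = SECRET, scheme: str = "md5") -> bool:
    """The validating CGI: parse the pasted header, recompute the tag with the
    secret and answer yea (True) or nay (False).  The age check is an
    addition; without it a genuine header captured once could be replayed on
    forged mail indefinitely.  compare_digest avoids a timing side channel."""
    parts = header.split(SEP)
    if len(parts) != 3 or not parts[1].isdecimal():
        return False
    user_id, ts, tag = parts[0], int(parts[1]), parts[2]
    if not 0 <= now - ts <= MAX_AGE:
        return False
    return hmac.compare_digest(_tag(user_id, ts, secret, scheme), tag)
```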


Trip Report from the SpamConf

Kaitlin Duck Sherwood writes a trip report. Good tidbits:

• many big players in the mail-sending side want to see an SMTPng; a new protocol which is spam-resistant.

• Jon Praed of the Internet Law Group said that ‘better spam filters make his job easier: the more contortions that a spammer goes through to make sure that the messages go through, the easier it is to convince a judge that the spammer knew it was wrong.’ Excellent!


(Untitled)

Torture A Spammer, a nifty Flash game from “white hat” email-marketing firm, emailSherpa.


FormMail && !NMS == bad

Looks like some spammer has read the FormMail advisory I co-wrote with Ronald F. Guilmette; expect to see more spam where the spam message appears before the “Below are the results of your feedback form” line.

Of course, SpamAssassin catches this anyway. ;)
