Tux

...making Linux just a little more fun!

link suggestion - blog banned by Google

list at SPAMMER.net [list at SPAMMER.net]
Tue, 19 Dec 2006 22:40:34 -0500

Hi. My name is Eugene Gershin. Perhaps we have met online, but more probably you don't know me from Adam. I monitor blogs for XXXXXXXXXXXXX, and came across your post.

I'd like to welcome you to look at XXXXXXX XXXXXX's blog. XXXXXXX - an anonymous Israeli politician - writes extremely controversial articles about Israel, the Middle East politics, and terrorism. XXXXXX is equally critical of Jewish and Muslim myths, and advocates political rationalism instead of moralizing. Google banned our site from the AdWords, Yahoo blocked most pages, and Amazon deleted all reviews of XXXXXXX's book, XXXXXXXXXXXXXX: X XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX. Nevertheless, 170,000 people from 78 countries read the book.

Various Internet providers ban us periodically, but you can look up the site on search engines. The mirror xxx.xxxxxxxxxxxxxxx.xxx/xxxx currently works.

Please help us spread XXXXXXX's message, and mention the blog in one of your posts, or link to us from linuxgazette.net/131/lg_mail.html. I would greatly appreciate your comments.

Best wishes, Eugene Gershin


Top    Back


Rick Moen [rick at linuxmafia.com]
Tue, 19 Dec 2006 20:24:29 -0800

Quoting list at SPAMMER.net (list at SPAMMER.net):

> Hi. My name is Eugene Gershin. Perhaps we have met online, but more
> probably you don't know me from Adam. I monitor blogs for
> XXXXXXXXXXXXX, and came across your post.

Wow, this is the most cannily constructed automated spam I've seen in a good long while. He almost carries it off. And then:

[snip several short paragraphs of memetic payload]

> Please help us spread XXXXXXX's message, and mention the blog in one
> of your posts, or link to us from linuxgazette.net/131/lg_mail.html. 

The feet of clay show in this concluding paragraph, this being where "Eugene Gershin" fails the Turing Test, and is revealed to be just another mailbot parsing millions of Web pages and then spamming mailto hyperlinks found there.

My MTA will accordingly be autorejecting all future mail from that source.

-- 
Cheers,       "What a pity [Standard Oil exec] H. H. Rogers's money is tainted."
Rick Moen                 -- some commentator of the day    "It's twice tainted:
rick at linuxmafia.com  'Tain't yours, and 'tain't mine."  -- Mark Twain, replying.

Top Back


Jason Creighton [jcreigh at gmail.com]
Tue, 19 Dec 2006 23:05:45 -0700

On Tue, Dec 19, 2006 at 08:24:29PM -0800, Rick Moen wrote:

> Quoting list at SPAMMER.net (list at SPAMMER.net):
> 
> > Please help us spread XXXXXXX's message, and mention the blog in one
> > of your posts, or link to us from linuxgazette.net/131/lg_mail.html. 
> 
> The feet of clay show in this concluding paragraph, this being where
> "Eugene Gershin" fails the Turing Test, and is revealed to be just
> another mailbot parsing millions of Web pages and then spamming 
> mailto hyperlinks found there.

I don't think just hyperlinks: I recieved a copy of this spam as well, and I don't think my email address is linked on that page in any other form than "jcreigh at gmail.com". Looks like spammers are starting to parse that too. I don't really care, since I get tons of spam anyway, but the s/@/ at / obfuscation probably shouldn't be counted upon.

Jason Creighton


Top Back


Rick Moen [rick at linuxmafia.com]
Tue, 19 Dec 2006 22:28:07 -0800

Quoting Jason Creighton (jcreigh at gmail.com):

> ...the s/@/ at / obfuscation probably shouldn't be counted upon.

No, it certainly should not.

Any form of e-mail address obfuscation that gets used widely, as the "rick at linuxmafia.com" format is by (e.g.) GNU Mailman is trivially hackable by spammers' tools such as address harvesting scripts. Actually, the real legitimate use for those rather silly forms of obfuscation is entirely different -- and utterly cynical:

It's a device to aid listadmins in overcoming knee-jerk objections to keeping mailing lists "open" (publicly archived). In any online community, there will always be at least one participant who really doesn't "get" how spammers work, but is absolutely convinced that the rest of the world must "protect his[/her] privacy", by scrambling to expunge it from public view, every time it pops up.

The dutiful, intellectually honest, community-knowledge-minded answer to that person goes as follows: "Sir [/ma'am], if you think you can use an e-mail address even minimally on the Internet in 2006 and hide it from spammers, you're kidding yourself. Ask yourself: Can you absolutely guarantee that nobody will ever add your address to an MS-Wind0ws "address book" of the sort used by MS-Outlook Express and MS-Outlook, or other MAPI clients? No? Well, then logic obliges you to acknowledge that statistically that is very, very likely to happen, and multiple such people are very likely to get their MS-Wind0ws machines virus-infected, at which point the zombified Wind0ws box will report your e-mail address directly to the spammers. Game over. Finis. And this happens very quickly in today's Internet."

That would be the correct, relevant counter-argument. The problem is: The logic is complex and requires paying attention -- and so it invariably fails to convince those who raise that objection.

So, instead you say "Oh, no problem. See here? Mailman will obscure your address, and thus the bad guys won't be able to get it."

One completely irrational analysis, convincingly rebutted by a bogus but generally accepted answer -- thereby carrying out the good office of permitting mailing lists to be open, thus better benefiting the public by being publicly searchable.

But, here, I've given you both answers, pro bono publico. Go forth and do evil, or not, as you think best. Far be it from me to say which is which.

-- 
Cheers,             
Rick Moen                 Support your local medical examiner:  Die strangely.
rick at linuxmafia.com

Top Back


Raj Shekhar [rajlist2 at rajshekhar.net]
Wed, 20 Dec 2006 11:59:11 +0530

Rick Moen wrote:

> Quoting list at SPAMMER.net (list at SPAMMER.net):
> 
>> Hi. My name is Eugene Gershin. Perhaps we have met online, but more
>> probably you don't know me from Adam. I monitor blogs for
>> XXXXXXXXXXXXX, and came across your post.
> 
> Wow, this is the most cannily constructed automated spam I've seen in a
> good long while.  He almost carries it off.  And then:
> 
> [snip several short paragraphs of memetic payload]

I fell for it :-( . I would have posted a link to it from my blog. FWIW, the actual blog seems to somehow related to this.

-- 
raj shekhar
facts: http://rajshekhar.net | opinions: http://rajshekhar.net/blog
I dare do all that may become a man; Who dares do more is none.

Top Back


Rick Moen [rick at linuxmafia.com]
Tue, 19 Dec 2006 22:55:12 -0800

I wrote:

> Any form of e-mail address obfuscation that gets used widely, as the
> "rick at linuxmafia.com" format is by (e.g.) GNU Mailman is trivially
> hackable by spammers' tools such as address harvesting scripts.

And I forgot to add an important footnote to that comment:

By contrast, obfuscation methods that aren't used widely may be very, very useful.

Jeremy Zawodny uses an utterly brilliant local modification to MovableType on his blog (http://jeremy.zawodny.com/, that completely defeats the 60% of Web comment spam that is from automated spammer processes: http://jeremy.zawodny.com/blog/archives/002836.html In short, Jeremy modified MT's standard comment form to ask "What's Jeremy's first name?"

Humans type "Jeremy" (or "jeremy") and are not significantly impeded. Bots, by contrast, get foiled.

Obviously, if spam-tool authors start custom-coding their scripts (the ones they sell to spammers) for Jeremy's one-off locally modified version of MovableType, he can trivially change the question occasionally, e.g., to ask "What colour is a ripe banana?"

That still leaves the other 40%, the spam posted individually by humans saying "I really like your site, and wanted to recommend [URL] to all your readers" and such. Jeremy has to use other means to combat those.

-- 
Cheers,                 Katrina's Law:  Any sufficiently advanced incompetence
Rick Moen               is indistinguishable from malice.  
rick at linuxmafia.com                           (coinage attrib. to Paul Ciszek)

Top Back


Benjamin A. Okopnik [ben at linuxgazette.net]
Wed, 20 Dec 2006 08:58:08 -0600

On Tue, Dec 19, 2006 at 08:24:29PM -0800, Rick Moen wrote:

> Quoting list at SPAMMER.net (list at SPAMMER.net):
> 
> > Hi. My name is Eugene Gershin. Perhaps we have met online, but more
> > probably you don't know me from Adam. I monitor blogs for
> > XXXXXXXXXXXXX, and came across your post.
> 
> Wow, this is the most cannily constructed automated spam I've seen in a
> good long while.  He almost carries it off.  And then:
> 
> [snip several short paragraphs of memetic payload]

My vgrep-based filter tripped off just before that: "I monitor blogs [...]" We're not a blog. I do have to say, though - this definitely comes off as miles more similar to real email than the average hunk'o'compressed pork.

> The feet of clay show in this concluding paragraph, this being where
> "Eugene Gershin" fails the Turing Test, and is revealed to be just
> another mailbot parsing millions of Web pages and then spamming 
> mailto hyperlinks found there.
> 
> My MTA will accordingly be autorejecting all future mail from that
> source.

If nothing else, this should be a wake-up call to the people who believe in content-based spam filtering as a primary measure. If you have nothing better, then that's how it goes - but if you have the option, SMTP-time rejection is the only way to go.

This type of thing is rare for the moment (I've seen less than a half a dozen until now), but spammers are constantly refining their techniques, and this one certainly lends itself to duplication. In effect, they'd have to hire a "letter writer" to structure their message; after that, they would proceed in their regular fashion.

Just for comparison: the one sent to 'tag@' actually made it through into my main box (I've got TAG slightly scored up in SA - we get a number of queries that smell quite spammy); however, all the ones sent to the other LG addresses that I handle ended up in my spam bucket. Here's one to 'ben@':

X-Spam-Status: No, score=2.5 required=5.0 tests=BAYES_50,NO_REAL_NAME,
        RCVD_IN_BL_SPAMCOP_NET autolearn=no version=3.1.1
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on
genetikayos.com
Note that Kayos' SA filter passed it as non-spam - 2.5 out of 5. Mine, however, managed to catch it:
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on Fenrir.Thor
X-Spam-Level: *
X-Spam-X-Spam-Status: Yes, hits=3.5 required=3.0 tests=BAYES_99=3.5
        autolearn=no version=3.1.7
X-Spam-Status: Yes, score=3.5 required=3.0 tests=BAYES_99 autolearn=no
        version=3.1.7
Not by much, though. Note that I consider anything that hits 3.5 as spam (versus the default 5); this requires me to be active about whitelisting and putting up with the (very rare) instance of a false positive; the former is taken care of with a Mutt macro, the latter is a matter of a minute or two per day.

This type of email, however, is going to skew that ratio for a lot of people. I have little doubt that we'll see more of it as time goes on.

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *

Top Back


Benjamin A. Okopnik [ben at linuxgazette.net]
Wed, 20 Dec 2006 10:02:30 -0600

On Tue, Dec 19, 2006 at 10:55:12PM -0800, Rick Moen wrote:

> I wrote:
> 
> > Any form of e-mail address obfuscation that gets used widely, as the
> > "rick at linuxmafia.com" format is by (e.g.) GNU Mailman is trivially
> > hackable by spammers' tools such as address harvesting scripts.
> 
> And I forgot to add an important footnote to that comment:
> 
> By contrast, obfuscation methods that aren't used widely may be very,
> very useful.
> 
> Jeremy Zawodny uses an utterly brilliant local modification to MovableType 
> on his blog (http://jeremy.zawodny.com/, that completely defeats the 60% of 
> Web comment spam that is from automated spammer processes:
> http://jeremy.zawodny.com/blog/archives/002836.html  In short, Jeremy 
> modified MT's standard comment form to ask "What's Jeremy's first name?"
> 
> Humans type "Jeremy" (or "jeremy") and are not significantly impeded.
> Bots, by contrast, get foiled.

John Walker, of AutoCAD fame, has been using a similar Turing test for quite a long time: his "FeedbackForm" CGI script requires the ability to solve a linear equation before you can send webmail.

http://www.fourmilab.ch/webtools/feedbackform/

Note that you can set the $minorder and $maxorder variables in the script to make the requirement more stringent: the default (1) is linear, but '2' gets you a quadratic, '3' is cubic, '4' is quartic, and so on. [grin] I can visualize some very exclusive lists formed along those lines.

John is also, incidentally, the author of the "demoronize" script (removes Micr0s0ft-specific formatting from text files) that I just mentioned to Rick in private email. Funny how that works.


Top Back