Spam


Richard can help your comment spam problem...

I found this comment on one of my client’s blogs today.

hello , my name is Richard and I know you get a lot of spammy comments , I can help you with this problem . I know a lot of spammers and I will ask them not to post on your site. It will reduce the volume of spam by 30-50% .In return Id like to ask you to put a link to my site on the index page of your site.

Did you hear that? He’ll tell the spammers to stop. What a gift.

Big Medium and Comment Spam

Seven Habits of Highly Effective Spambot Hunters: Josh Clark is doing some crazy fun stuff to counter comment spammers on Big Medium. I love it.

Big Medium counters this by covering its tracks, never using the same field names twice. Every time you visit the page, all of the field names change. The field names are MD5 hashes of the page’s slug name, its database creation date and a server secret. A semi-obfuscated timestamp is mashed with this field name, creating a 50-digit field name that changes every second.

If the correct combination of field names are not received, the form submission is discarded.
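The rotating-field-name idea described above can be sketched as follows. This is an added example, not Big Medium's code: it swaps the MD5 hash for HMAC-SHA256, appends a plain hex timestamp rather than an obfuscated one, and the function names, age limits and secret are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SERVER_SECRET = b"constructed-demo-secret"  # assumption: real value lives in server config
MIN_AGE, MAX_AGE = 3, 3600  # assumption: accepted form age in seconds


def field_name(slug, created, logical, ts):
    """Per-render name for one logical field ('author', 'body', ...)."""
    msg = f"{slug}|{created}|{logical}|{ts}".encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return f"{tag}{ts:x}"  # 32 hex chars of MAC, then the render time in hex


def render_fields(slug, created, logicals, now=None):
    """Map logical field names to the names to emit in this render of the form."""
    ts = int(time.time() if now is None else now)
    return {logical: field_name(slug, created, logical, ts) for logical in logicals}


def decode_submission(slug, created, logicals, posted, now=None):
    """Return {logical: value}, or None when the submission must be discarded."""
    now = int(time.time() if now is None else now)
    decoded = {}
    for key, value in posted.items():
        try:
            ts = int(key[32:], 16)
        except ValueError:
            return None  # static or malformed field name
        if not MIN_AGE <= now - ts <= MAX_AGE:
            return None  # stale, replayed late, or submitted implausibly fast
        for logical in logicals:
            expected = field_name(slug, created, logical, ts)
            if hmac.compare_digest(expected.encode(), key.encode()):
                decoded[logical] = value
                break
        else:
            return None  # name was not issued for this page and timestamp
    return decoded if set(decoded) == set(logicals) else None
```

Because the timestamp is covered by the MAC, a bot cannot freshen an old field name by editing the trailing digits; it has to fetch the form again for every submission.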

The Fight Over the Word "Spam"

EU Rejects Spam Maker’s Trademark Bid: This phenomenon is interesting. The company that makes Spam has essentially lost their name — it was stolen by the rest of the world and there’s nothing they can do about it. Even if they claim a legal victory, it’s not going to help them. They’re never getting the word back in any meaningful sense.

The producer of the canned pork product Spam has lost a bid to claim the word as a trademark for unsolicited e-mails. EU trademark officials rejected Hormel Foods Corp.’s appeal, dealing the company another setback in its struggle to prevent software companies from using the word “spam” in their products, a practice it argued was diluting its brand name.

Subliminal Spam

Subliminal advertising in spam?: I followed this link, and I think I bought 100 shares.

The spam contains an animated GIF with four frames. One of the frames (which contains the actual spam message) remains visible for 17 seconds. The other three frames are displayed for 10ms or 40ms, and each of those contains a little random noise and the word BUY in random positions.
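A mail filter can spot this pattern without rendering the image, by reading the per-frame delays out of the GIF's Graphic Control Extension blocks. The following is an added example, not code from the linked analysis; the thresholds, function names and the sample image bytes are constructed for illustration.

```python
import struct


def gif_frame_delays_ms(data):
    """Return the display time of each frame in a GIF, in milliseconds."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")

    def skip_sub_blocks(p):
        while data[p]:  # each sub-block is a length byte plus that many bytes
            p += 1 + data[p]
        return p + 1  # step over the zero-length terminator

    pos, delays, pending = 13, [], 0
    try:
        if data[10] & 0x80:  # global color table present
            pos += 3 * (2 << (data[10] & 7))
        while data[pos] != 0x3B:  # 0x3B is the trailer
            if data[pos] == 0x21:  # extension block
                if data[pos + 1] == 0xF9:  # Graphic Control Extension
                    pending = struct.unpack_from("<H", data, pos + 4)[0] * 10
                pos = skip_sub_blocks(pos + 2)
            elif data[pos] == 0x2C:  # image descriptor starts a frame
                flags = data[pos + 9]
                pos += 10
                if flags & 0x80:  # local color table present
                    pos += 3 * (2 << (flags & 7))
                pos = skip_sub_blocks(pos + 1)  # +1 skips the LZW code size
                delays.append(pending)  # frames with no GCE report 0 ms
                pending = 0
            else:
                raise ValueError(f"unknown block 0x{data[pos]:02x}")
    except (IndexError, struct.error):
        raise ValueError("truncated GIF") from None
    return delays


def flash_frames(data, flash_ms=100, dwell_ms=1000):
    """Indexes of frames shown under flash_ms in a GIF that also dwells on a frame."""
    delays = gif_frame_delays_ms(data)
    if not any(d >= dwell_ms for d in delays):
        return []  # uniformly fast animation, not the flash-and-dwell pattern
    return [i for i, d in enumerate(delays) if d < flash_ms]


def _frame(delay_cs):  # constructed 1x1 frame; the pixel data is never decoded
    gce = b"\x21\xf9\x04\x00" + struct.pack("<H", delay_cs) + b"\x00\x00"
    return gce + b"\x2c" + struct.pack("<4HB", 0, 0, 1, 1, 0) + b"\x02\x02\x4c\x01\x00"


# Constructed sample using the timings the quoted analysis describes.
SAMPLE_GIF = (b"GIF89a" + struct.pack("<2H3B", 1, 1, 0, 0, 0)
              + b"".join(_frame(d) for d in (1, 1700, 4, 1)) + b"\x3b")
```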

Comment Spam Theories

Reader feedback on bizarre no-link spam: A while back, Mark over at Boing Boing posted about some odd spam comments he’d seen that had no URL. If there’s no URL, why post the spam? In the last week, several readers have approached him with theories. Some of them are interesting.

I’ve found that many times innocuous-looking comments with no url are used to sneak past sophisticated blog-spamfilters […]. Many of these filters give a ‘karmic boost’ to commenters who already have one approved comment. By not posting any links at all, they have a better chance of getting their foot in the door […]

[…] If the spammer […] can attribute these numbers to a particular blog or email address, they can see which sites are ‘hot ones’.

I’ve long suspected that spam is (or could be) used by spies or (more likely) terrorist cells. There is so much NOISE in email, it’s the perfect place to hide SIGNAL.

Thanks to Akismet we’re almost spam-free these days.

Darn Spammers Anyways

So, a few of us here at work got a spam today with this as part of the body:

Your credit doesn’t matter to us

We believe this should have been caught by our spam filter. However, if you copy the text and paste it into Notepad, it comes out like this:

Your cr y ed y it doesn’t matter to us

How the heck are they doing that? How am I or any other software supposed to stop that? We are using Mailsweeper and it isn’t doing a very good job. What is everybody here using for their corporate spam filter solution? And yes, we are running Exchange.

Akismet

Once again, Matt Smith has come and rescued me from spammers. A couple of weeks ago, I was at my wit’s end. Some commenters recommended Akismet, but I thought it was WordPress-only. Then Matt emailed me to tell me there was a Movable Type port. Given Matt’s track record of helping me banish spam, I decided to try it.

It’s not perfect, but it’s very, very, very good. Spams that get through to the site have dropped 97%. I’ll get maybe one per day now.

I don’t even know how Akismet works. I think it’s a Web service of some kind, but — to be honest — I don’t much care. I just dropped the directory into my plugins, applied for and received a wordpress.com key, and spam went bye-bye.

They ask that if you make over $500 a month from your blog (we do), then you should pay $5 a month for the API key. Worth every penny.

So, thanks Matt. And thanks to the other Matt that created Akismet in the first place. Thanks to them, the Gadgetopia comments feed isn’t such a bad place to hang out anymore.

My Planned Comment Spam Solution

Well, comment spam has finally done me in.

A big new wave launched about a week ago, and we’re getting spammed about once every 2 minutes, 24 hours a day. I have to manually delete over 100 comment spams a day in three or four “shifts” at the MT interface.

For every one that gets on the site, nine or ten are caught, but the bastards still manage to get dozens on the site throughout the day, where they sit for hours. The fact that these idiots are getting some value, however small, is just pissing me off.

I’m going to install HMPassphrase over the weekend. This is the Movable Type version of WP Gatekeeper, which I posted about last year after encountering it on Joseph Scott’s site. It asks you a simple question, to which you must provide the correct answer before it will accept your comment (“What color is the sky?”, “What color is an orange?”, “What shape is a wheel?”, etc.)

I hate to do this, but I’m just sick of it.

Comment Spam

If it’s not obvious by now, I’ve tightened up the spam filtering. We’re getting hammered by comment spam this last week or so — some big new round of scripts is going off.

I’m sorry if your comment is delayed, but it’s either that or TypeKey, which I don’t really want to do either. This sucks. I have to find a solution of some kind — I’m open to suggestions.

AOL's Spam Bribery Campaign

AOL to charge fee as way to cut spam: Marketers can now pay America Online to ensure their messages are delivered and not flagged as spam. How is this not bribery?

The certified e-mail system would require advertisers to pay $2 to $3 per 1,000 messages. The plan is optional, though AOL and its tech partner, Goodmail Systems, cannot guarantee that all non-certified e-mail with Web links and images will be delivered.

Nothing has changed except:

  1. AOL is making money hand over fist.
  2. Marketers have a nice, handy way around spam filters at AOL.

This will do nothing to dissuade hardcore spammers. Zero. Nada. Zilch. They’re no worse off than they were before, so why should they change? The economics of spam are the same for them. This just means there’s a new class of spammer: those that have paid AOL for the right to bypass the filters.

This is crap.

Yahoo Calendar Spamming

Get this for a new spam angle —

I had shared my Yahoo Calendar with my wife, so she could add events. Somehow I must have hosed it up, because some idiot has managed to add events to my calendar so that I’m amply reminded that I need to join his Party Poker site every single day.

These aren’t on my calendar — I have the bonehead’s username and I’ve turned it in to Yahoo. But I checked my settings again, and I only allowed “Trusted Friends” to view and add events to my calendar.

No idea how it happened, but it just proves that spammers are bleeping weasels.

Random Subject...Or Not

I found this subject line in my spam trap this morning:

Get your site seen by 100K+ now-%RND_SUBJ

Apparently he screwed up the “random subject” parameter in his spam generator.

SpamStopsHere

Last week, I posted about installing SpamAssassin for Exchange. It was a simple install, and it worked pretty well. I was getting a 50% filter rate right out of the box, and I was confident I could get it up to 70% or so by cranking down the threshold.

In a comment to that post, Matt Smith turned me on to SpamStopsHere, which is a filtering service. I’m currently in the middle of a 30-day trial, but there’s no going back: they have essentially turned off the spam faucet — completely.

SpamStopsHere (SSHere) is the “nuclear option” for spam filtering. You actually change all your MX records in DNS to send all inbound email to them first. They filter it on their servers and only forward what’s left over. (I shudder to think what kind of big iron they have running over there to process all that mail…)

SSHere gives you the five or six IP addresses from which they will connect to your server so you can lock it down to only accept email from those addresses.

(This is necessary because when some crafty spammers query DNS for your domain and find nothing but SSHere domain names, they try to get around it by just blindly sending the email to “mail.yourdomain.com” (Cowards! Face the filters like men!). Several hundred spams a day were getting around the system by doing this. But by locking down my SMTP servers to accept only connections from SSHere addresses, there’s effectively no way to get email into my network that hasn’t been filtered.)

What this all means is that you never even see the spam — your server only fields messages that have gotten through the SSHere filters. And that ain’t much, believe me.

They have six levels of filtering. The first three catch the really easy stuff — I just toss anything that pops on one of these filters. I don’t even send an NDR — the email just disappears into the ether.

The second three filters are more fine-tuned. For example, one of them simply filters out email from the 11 countries from which 90% of spam originates (China, Nigeria, etc. — though you can allow certain countries to pass, if you have people there that send you legitimate email; or you could just whitelist one or two people). For these three filters, I have the email forwarded to a special mailbox on my network, just in case there’s a false positive (there hasn’t been so far).

They have whitelists, blacklists, and custom filters. Plus, you can filter out email with selected attachment extensions (.vbs, .exe, .scr, .bat, etc.). On top of all that, you can pay extra and get anti-virus screening on all the email that passes through the system.

The result? A 99% filter rate, and not one complaint about a false positive. (I count as “filtered” email that pops on the second group of filters and gets forwarded to my sandboxed email address.)

(Yes, 99% — we get spammed like crazy over here. I have three brokers who have had the same email addresses for eight years now — and at least five of those years had the addresses in unencoded “mailto” links on a well-spidered Web site.)

What’s great about having this done off-site is that my email server has hardly anything to do now. It’s fielding 1/20th of the email it was before (why not 1/100th? Because it still receives emails flagged and sent to the sandboxed account.), and it doesn’t even have to run them through SpamAssassin anymore. It’s almost idle. Additionally, spam is a Bad Thing. And anything that keeps Bad Things off my network is, by definition, a Good Thing.

Pricing is good: I’m paying $26 a month for one domain and 15 email addresses. Worth every penny.

Another thing I appreciate: SSHere’s Web site is full of great technical and support information. This solution isn’t for the faint of heart or people with a single email address, so they assume you know something about email when you come to check them out. They discuss all the gory details of the DNS-based solution, and explain all their filters in graphic detail so you have complete confidence in what they’re proposing before you pull the trigger.

Ironically, this whole situation has made me a little…sad, really. I’m obviously happy with the service, and I’ll keep using it, but there’s no gee-whiz factor to it. I mean, there’s no sense of accomplishment like when you set up your own spam filter and thwart the bad guys single-handedly. I just changed a few DNS records, locked down an SMTP server, and that was it — spam go bye bye. Where’s the sport? The challenge? The thrill of victory?

But [sigh], that’s another post entirely…

(Note: SSHere has a referral program. But if you decide to use them, give them Matt’s name, not mine. He’s responsible for bringing them to my attention, and I don’t want anyone to think I’m shilling for something just to get free stuff.)

SpamAssassin for Exchange

I was looking for a spam filter for my Exchange server. I had great luck with SpamAssassin on another box (just regular SMTP), and luckily I found two great resources today:

  1. How To Use SpamAssassin on Win32: This is a fantastic example of someone documenting something they know how to do, and documenting it well.

    It’s a fantastic body of information, written by someone who has been doing it for a long time. Everything is covered, including odd permutations, bugs, warnings, dependencies, etc.

  2. Exchange SpamAssassin Sink: This event sink fires on every inbound message, writes it to a file, sics SpamAssassin on it, and parses the result. It can just add headers to the message (allowing client filtering), or it can toss it altogether.

I installed this whole solution in about two hours this afternoon, including tuning and fiddling. It’s currently filtering away like crazy — 50% of inbound email is spam right now, and I know I can turn down the threshold quite a bit yet.

On a well-powered Windows Server 2003 machine, it’s taking one second to filter each email. (It’s probably less, but the logs don’t list micro-seconds. Suffice it to say that no email has taken more than one second to process.) Remember, however, that none of the network tests (Razor, Pyzor, etc.) work on Windows, and they’re what tended to add all the processing time.

What’s nice about this setup is that it saves all email in “Ham” and “Spam” folders. While this is a bit of a privacy risk, obviously, it also allows you to save up thousands of good and bad emails then train SpamAssassin’s Bayesian filter on them (it even includes a BAT file to do that in one click). My understanding is that SpamAssassin gets scary-good when you have a well-trained Bayesian database behind it.

Spammer Found Murdered

This seems a bit harsh:

Vardan Kushnir, notorious for sending spam to each and every citizen of Russia who appeared to have an e-mail, was found dead in his Moscow apartment on Sunday, Interfax reported Monday. He died after suffering repeated blows to the head.

Via Drudge.

Comment Spam Prevention Through Interrogation

Sky Captain and the World of Tomorrow: I posted on this entry over at Joseph Scott’s blog, and he has an interesting comment spam prevention tool going on.

The comment form asks you a question — in my case, “What color is an orange?” I tried to be cute and put “Um, orange?,” but it doesn’t have much of a sense of humor. Unless you write, simply, “orange,” you get no joy in posting your comment.

Interesting concept. When the page reloaded, the question was the same, so bots could predict it. But (1) no bot is going to custom program something for one site, and (2) he can just change the question to something like “When was the War of 1812?”

I think he’s got a winner here. Is it any better than a captcha? I don’t know. Easier, though.

Blogger Abuse

Blogger is evidently a really easy way to set up and run search engine spamming campaigns. No Web development experience required.

All of the illustrated “blogs” were found under one user profile at blogger. As you can imagine, each page was a keyword-saturated pile of garbage…with affiliate links, of course.

This must be an amazingly efficient way of doing this. I’m sure this is just the tip of the iceberg.

Kantor: Could Spam Die By Itself?

Print Story: Andrew Kantor: Could spam die out all by itself? Maybe.: Andrew Kantor has a theory that anti-spam tools will actually win the spam wars. He postulates that after they cross a certain threshold of effectiveness, the spam business model will fall apart.

But spam has a weak spot of sorts. Unlike viruses, which are written out of sheer malice, spam exists because there is profit in it. As the profit goes away, so will the spam.

Spam exists because it makes someone money, directly or indirectly. The long-term benefit of better spam filters won’t be simply keeping spam out of our inboxes, but in rendering the entire spam business model unsustainable.

I think he’s right, but I think tools will have to take drastic measures before they’re effective enough to work — like, for instance, turning us into a whitelist-only world.

When that happens, I could see the spam market dry up, but we’re 10 years out, at least. And by then, the fundamental technical underpinnings of email will probably have changed anyway.

Trackback Spam

Have any other blog owners noticed a marked shift in spamming? Comment spam used to be the big threat, but spammers have suddenly (in the last two weeks, perhaps) shifted to trackback spamming. For every one comment spam I get these days, I’m getting five bad trackbacks.

Anyone else?

Spammers Kill Email Support

The spammers win again. A hosting company we work with sent me this in response to a support email I sent. I used to email their support desk all the time with great results. It was really handy. Now:

Due to high volumes of Unsolicited Commercial Email (SPAM), this incident will not be responded to. We can only answer questions through our Knowledge Base or our Web Form.

I wonder how many other companies this has happened to. Spam killed our ability to manage catch-all email accounts; is any “non-known” email contact the next thing to die? It’s becoming a white-list only world.

I have an acute need to punch a spammer in the mouth right now.