[…] Craigs*list has implemented a phone verification system in certain categories to reduce SPAM content. When you attempt to make a post, it asks for you to verify yourself by typing in a viable phone number. It automatically calls it and repeats a verification code which you must then enter for your post to go live. If your post gets flagged, the phone number you verified with will be blacklisted.

So while email address are cheap and disposable, phone numbers are not, and every spam post is bound to blacklist a phone number.

The link goes to a forum newsgroup thread where a bunch of spammers talk about it and conclude that they’re more-or-less screwed. There’s a lot of talk about getting cheap VOIP numbers, but the closest workable idea they found was to go to public places and use pay phones.

This presumably has the added benefit of binding a set of spam postings to the same phone number. So, if one of them gets flagged as spam, you could find everything else verified from that number and pull them down at the same time.

Via Reddit

hello , my name is Richard and I know you get a lot of spammy comments , I can help you with this problem . I know a lot of spammers and I will ask them not to post on your site. It will reduce the volume of spam by 30-50% .In return Id like to ask you to put a link to my site on the index page of your site.

Did you hear that? He’ll tell the spammers to stop. What a gift.

Big Medium counters this by covering its tracks, never using the same field names twice. Every time you visit the page, all of the field names change. The field names are MD5 hashes of the page's slug name, its database creation date and a server secret. A semi-obfuscated timestamp is mashed with this field name, creating a 50-digit field name that changes every second.

If the correct combination of field names are not received, the form submission is discarded.

The producer of the canned pork product Spam has lost a bid to claim the word as a trademark for unsolicited e-mails. EU trademark officials rejected Hormel Foods Corp.'s appeal, dealing the company another setback in its struggle to prevent software companies from using the word "spam" in their products, a practice it argued was diluting its brand name.

The spam contains an animated GIF with four frames. One of the frames (which contains the actual spam message) remains visible for 17 seconds. The other three frames are displayed for 10ms or 40ms, and each of those contains a little random noise and the word BUY in random positions.

I've found that many times innocuous-looking comments with no url are used to sneak past sophisticated blog-spamfilters [...]. Many of these filters give a 'karmic boost' to commenters who already have one approved comment. By not posting any links at all, they have a better chance of getting their foot in the door [...]

[...] If the spammer [...] can attribute these numbers to a particular blog or email address, they can see which sites are 'hot ones'.

I've long suspected that spam is (or could be) used by spies or (more likely) terrorist cells. There is so much NOISE in email, it's the perfect place to hide SIGNAL.

Thanks to Akismet we're almost spam-free these days.

Your credit doesn't matter to us

We believe this should have been caught by our spam filter. However, if you copy the text and paste it into notepad, it come out like this:

Your cr y ed y it doesn't matter to us

How the heck are they doing that? How am I or any other software supposed to stop that? We are using Mailsweeper and it isn't doing a very good job. What is everybody here using for their corporate spam filter solution? And yes, we are running Exchange.

It's not perfect, but it's very, very, very good. Spams that get through to the site have dropped 97%. I'll get maybe one per day now.

I don't even know how Akismet works. I think it's a Web service of some kind, but -- to be honest -- I don't much care. I just dropped the directory into my plugins, applied for and received a wordpress.com key, and spam went bye-bye.

They ask that if you make over $500 a month from your blog (we do), then you should pay $5 a month for the API key. Worth every penny.

So, thanks Matt. And thanks to the other Matt that created Akismet in the first place. Thanks to them, the Gadgetopia comments feed isn't such a bad place to hang out anymore.

A big new wave launched about a week ago, and we're getting spammed about once every 2 minutes, 24 hours a day. I have to manually delete over 100 comment spams a day in three or four "shifts" at the MT interface.

For every one that gets on the site, nine or ten are caught, but the bastards still manage to get dozens on the site throughout the day, where they sit for hours. The fact that these idiots are getting some value, however small, is just pissing me off.

I'm going to install HMPassphrase over the weekend. This is the Movable Type version of WP Gatekeeper, which I posted about last year after encountering it on Joseph Scott's site. It asks you a simple question, to which you must provide the correct answer before it will accept your comment ("What color is the sky?", "What color is an orange?", "What shape is a wheel?", etc.)

I hate to do this, but I'm just sick of it.

I'm sorry if your comment is delayed, but it's either that or TypeKey, which I don't really want to do either. This sucks. I have to find a solution of some kind -- I'm open to suggestions.

The certified e-mail system would require advertisers to pay $2 to $3 per 1,000 messages. The plan is optional, though AOL and its tech partner, Goodmail Systems, cannot guarantee that all non-certified e-mail with Web links and images will be delivered.

Nothing has changed except:

1. AOL is making money hand over fist.
2. Marketers have a nice, handy way around spam filters at AOL.

This will do nothing to dissaude hardcore spammers. Zero. Nada. Zilch. They're no worse off than they were before, so why should they change? The economics of spam are the same for them. This just means there's a new class of spammer: those that have paid AOL for the right to bypass the filters.

This is crap.

I had shared my Yahoo Calendar with my wife, so she could add events. Somehow I must have hosed it up, because some idiot has managed to add events to my calendar so that I'm amply remind that I need to join his Party Poker site every single day.

These aren't on my calendar -- I have the bonehead's username and I've turned it into Yahoo. But I checked my settings again, and I only allowed "Trusted Friends" to view and add events to my calendar.

No idea how it happened, but it just proves that spammers are bleeping weasels.

Get your site seen by 100K+ now-%RND_SUBJ

Apparently he screwed up the "random subject" parameter in his spam generator.

In a comment to that post, Matt Smith turned me on to SpamStopsHere, which is a filtering service. I'm currently in the middle of a 30-day trial, but there's no going back: they have essentially turned off the spam faucet -- completely.

SpamStopsHere (SSHere) is the "nuclear option" for spam filtering. You actually change all your MX records in DNS to send all inbound email to them first. They filter it on their servers and only forward what's left over. (I shudder to think what kind of big iron they have running over there to process all that mail...)

SSHere gives you the five or six IP addresses from which they will connect to your server so you can lock it down to only accept email from those addresses.

(This is necessary because when some crafty spammers query DNS for your domain and find nothing but SSHere domain names, they try to get around it by just blindly sending the email to "mail.yourdomain.com" (Cowards! Face the filters like men!). Several hundred spams a day were getting around the system by doing this. But by locking down my SMTP servers to accept only connections from SSHere addresses, there's effectively no way to get email into my network that hasn't been filtered.)

What this all means is that you never even see the spam -- your server only fields messages that have gotten through the SSHere filters. And that ain't much, believe me.

They have six levels of filtering. The first three catch the really easy stuff -- I just toss anything that pops on one of these filters. I don't even send an NDR -- the email just disappears into the ether.

The second three filters are more fine-tuned. For example, one of them simply filters out email from the 11 countries from which 90% of spam originates (China, Nigeria, etc. -- though you can allow certain countries to pass, if you have people there that send you legitimate email; or you could just whitelist one or two people). For these three filters, I have the email forwarded to a special mailbox on my network, just in case there's a false positive (there hasn't been so far).

They have whitelists, blacklists, and custom filters. Plus, you can filter out email with selected attachment extensions (.vbs, .exe, .scr, .bat, etc.). On top of all that, you can pay extra and get anti-virus screening on all the email that passes through the system.

The result? A 99% filter rate, and not one complaint about a false positive. (I count as "filtered" email that pops on the second group of filters and gets forwarded to my sandboxed email address.)

(Yes, 99% -- we get spammed like crazy over here. I have three brokers who have had the same email addresses for eight years now -- and at least five of those years had the addresses in unencoded "mailto" links on a well-spidered Web site.)

What's great about having this done off-site is that my email server has hardly anything to do now. It's fielding 1/20th of the email it was before (why not 1/100th? Because it still receives emails flagged and sent to the sandboxed account.), and it doesn't even have to run them through SpamAssassin anymore. It's almost idle. Additionally, spam is a Bad Thing. And anything that keeps Bad Things off my network is, by definition, a Good Thing.

Pricing is good: I'm paying $26 a month for one domain and 15 email addresses. Worth every penny.

Another thing I appreciate: SSHere's Web site is full of great technical and support information. This solution isn't for the faint of heart or people with a single email address, so they assume you know something about email when you come to check them out. They discuss all the gory details of the DNS-based solution, and explain all their filters in graphic detail so you have complete confidence in what they're proposing before you pull the trigger.

Ironically, this whole situation has made me a little...sad, really. I'm obviously happy with the service, and I'll keep using it, but there's no gee-whiz factor to it. I mean, there's no sense of accomplishment like when you set up your own spam filter and thwart the bad guys single-handedly. I just changed a few DNS records, locked down an SMTP server, and that was it -- spam go bye bye. Where's the sport? The challenge? The thrill of victory?

But [sigh], that's another post entirely...

(Note: SSHere has a referral program. But if you decide to use them, give them Matt's name, not mine. He's responsible for bringing them to my attention, and I don't want anyone to think I'm shilling for something just to get free stuff.)

1. How To Use SpamAssassin on Win32: This is a fantastic example of someone documenting something they know how to do, and documenting it well.

   It's a fantastic body of information, written by someone who has been doing it for a long time. Everything is covered, including odd permutations, bugs, warnings, dependencies, etc.

2. Exchange SpamAssassin Sink: This event sink fires on every inbound message, writes it to a file, sics SpamAssassin on it, and parses the result. It can just add headers to the message (allowing client filtering), or it can toss it altogether.

I installed this whole solution in about two hours this afternoon, including tuning and fiddling. It's currently filtering away like crazy -- 50% of inbound email is spam right now, and I know I can turn down the threshold quite a bit yet.

On a well-powered Windows Server 2003 machine, it's taking one second to filter each email. (It's probably less, but the logs don't list micro-seconds. Suffice it to say that no email has taken more than one second to process.) Remember, however, that none of the network tests (Razor, Pyzor, etc.) work on Windows, and they're what tended to add all the processing time.

What's nice about this setup is that it saves all email in "Ham" and "Spam" folders. While this is a bit of a privacy risk, obviously, it also allows you to save up thousands of good and bad emails then train SpamAsassin's Bayesian filter on them (it even inclues a BAT file to do that in one click). My understanding is that SpamAssassin gets scary-good when you have a well-trained Bayesian database behind it.