Thank you Brian Krebs of the Security Fix. He has just made the internet a little better place. He’s worked for several months investigating a group that is believed to have been hosting provider for up to 75% of the Internet’s junk email as well as child porn websites, rogue anti-virus software and who knows what other slime. Great work Brian. He essentially contacted the service providers of the group in question and presented them with the evidence that he and others uncovered.

The company is also the apparent host of the master servers for FIVE well known botnets: “Mega-D,” “Srizbi,” “Pushdo,”"Rustock” and “Warezov,” according to the full writeup at the Washington Post. As if that weren’t enough – they also had many sites that were distributing information stealing trojan horse viruses through browser exploits (i.e. just visiting the page get’s you a free virus…)

Hopefully actions like this will continue to increase the costs for the spammers and make what they do “economically unviable”. However, I suspect we’re not to that point yet and will likely see them scatter like roaches to other locations and continue their spamming from somewhere else.

In reading over at the Gmail Blog, I came across this suggestion to try with Gmail. The idea is, let’s say your address is johndoe@gmail.com Okay, next time you sign up for a mailing list, or need a free website login, use johndoe+freelogin@gmail.com or johndoe+spam@gmail.com or any other unique identifier (something you’ll be able to track.) The idea is this… gmail ignores anything after a + in the address and the mail will still get to your inbox, but… here comes the cool part.

Now, you can set up a filter on that incoming address. If all you use that address for is the free login to a website and start getting junk in 2 months on that address, you can start filtering that to a junk mail folder. So, it got me to thinking that maybe this is possible with other mail servers.

I tested on my westhost based accounts and it works for them as well as my home mail server. SO…. here’s how you test just send yourself a message to youraddress+testing@youraccount.com whatever your email address is with +testing between your name and the @ sign and see if it goes through. IF you’re like me and have more than one email address you might test from one account to the other just to make certain that this works “from the outside”.

Most mail clients allow you to setup filtering or rules for messages based on the recipient address so you can implement this trick with most any mail program.

Another note in the gmail blog was that you can insert periods (.) in the first part of your email address as well and gmail ignores them. (I know this won’t work with as many mail servers…) There again within gmail you can use this to sort/filter an incoming message based on the recipient address.

Now some of us feel like the cat is already out of the bag with regards to spam, but even if you already get a fair amount of junk, there’s no time like the present to start using different psuedo-addresses for each site that you frequent as a defensive measure against tomorrows junk mail.

My only real concern with this method is how easy it might be for someone to just strip the information from the + to the @ in a batch of email addresses, but… many probably won’t bother to go to that extra effort.

A little over a year ago I was doing a web search for my email address (something that’s worth doing from time to time.) I ran across my name in a text file hosted at a domain called…..
http://www.freestuffengine.com/ There is a different site active at that domain now (although I don’t know if it’s owned by the same group, it may be….) Anyway, there were VERY large text files with (according to the file name) a million addresses. And YES… mine was in there.

my address was in a file called…. nima_1million_1of2.txt

Once I located this, I used wget to make a mirror of it on my hard drive as evidence and then complained (if I recall correctly) to the domain holder/hosting provider. I wanted to hold off posting here until I was certain it was down (for what I assume are obvious reasons.)

So, yes, there are gigantic lists of email addresses out there for sale…

I’ve replaced bare email addresses on web page with either an encoded variation of the email or with a contact form to discourage spam scrapers and other automated tools from using it for a spam magnet. Well, it seems there are some tools that automatically submit forms – after all that’s what’s brought us the annoying captcha’s we see everywhere now. (You now those pictures with squiggly letters and numbers that you sometimes have to redo two or three times if you can’t read it correctly.) Well, Sans is talking about some interesting alternatives to the traditional captcha for protecting a form from automated spam bots.

Over the last couple weeks I’ve gotten persistent and annoying spams from a place that is currently at broadcastemailcompany.com (although they have had variations on their domain during that time.) broadcastemailgroupcom and broadcastemailcorporation.com are some of their other recent aliases. They claim in the email that their offer is only for non-profit groups and to excuse the inconvenience if you have received this by mistake. Over the last weekend though, I received 7-10 of these on various postmaster@ and root@ addresses (Plus one sales@ address) for the various domains that I either own or administer for others.

Part of the problem is that there are a few addresses that are required in the specs that someone actually gets the messages going there. I receive that contact information for around 20 domains….

Add www.emailadvertisingagency.org as one of their aliases.

I’ve detailed some of the struggles I had for a bit with FLOODS of comment spam. Details of the issue and a fix which has been rock solid for Wordpress can be found in the following posts (reverse chronological order): Update on comment spam storms, trackback spam countermeasures such as akismet and trackback validation, another trackback storm, botnets spreading trackback spam?, Initial trackback storm. To sum up though, I’ve found 2 plugins to make for a rock solid combination here in wordpress. Akismet (which caught 99% or so of trackback spam) and The trackback validator plugin which caught everything else. (99% sounds good, but when you’re getting thousands of attempts a day?)

Anyway, since installing this combination I have NOT had trackback spam.

What brings all this to memory…. The Security Fix is talking about Microsoft’s discovery of blogspam as a problem and how many of the free services (including Google’s own blogger.com) are being exploited in MASSIVE ways to create multiple doorway pages for individual adsense users. THen comments/trackbacks are spammed to get traffic and increase domain “Pagerank”… It seems that the main point of Microsoft’s study is to make a swipe at Google’s anti-spam efforts, but….

For its part, Google suggests bloggers incorporate its “nofollow” attribute for hyperlinks in comments left by users, so that links in comments don’t get any credit when Google ranks Web sites in search results.

Of course the main thing is to net let comment spam stay, it’s a lot easier though to keep it from posting in the first place and the tools that I mentioned do that automatically. Both plugins are wordpress specific, although the Akismet API might be adaptable to other blog/cms platforms.

As I’ve already commented today…. there has been a massive trackback spam swarm going on the last 24 hours. I’ve now racked up 1300 or so in the Akismet filter on this site and another 150 or so on another two sites. Akismet has been very impressive in defending this attack. Only 1% of the trackbacks slipped through, or about 14 or so across three sites. I’ve looked to see what other measures I can take against trackback spam and found one that looks like it should eliminate the 1% that got through.

It’s a simple concept that I’ve seen implemented at the Washington Post blogs. It basically validates IF there is a link to your site in the post that’s “tracking back”. It’s called Trackback Validator Plugin and should work for anything around Wordpress 1.5 and up. Akismet looks to be available for other blog/cms as well. If you’re using another cms I’d look into a trackback validator. In theory, this should stop the rest of the trackback spam and likely take a bit of the load of akismet, because I would think it would filter things out before they get to akismet. Testing it on this site right now, will add to the others later.

In other words…. if you’re tracking back to this site now you will need to have a link to the post in your article. It shouldn’t be a big deal for legitimate trackbacks. Thanks and good luck in the trackback spam war…

I wonder if whole legions of spammers of all stripes are rejoicing over the demise of email spam fighters Blue Security?

–update 5/19/06–

Ok the twin trackback defence measures of Akismet and the trackback validator have been in place for 18 hours or so now (Akismet has been in for months – but the trackback validator plugin just came into place yesterday to stop the 1% of trackbacks that were slipping past akismet. It appears as though Akismet is the first line of defence, then if trackbacks slip through, I’ve seen an email notification (which I’ll likely be shutting off…) and when I go to moderate – it’s just not there – so the trackback validator has been doing a standup job of taking out th leftovers.

There has been yet another swarm overnight (and another already this morning – so I’m up about anohter 400 or so attempts. Trackback validator will likely go up on all my wordpress installs now. My only concern was that it could interfere with akismet. I may leave the email notifications of posts on for now, given that it’s a very small number that’s slipping past akismet – although at some point, I may need to just disable those. (BTW akismet has caught over 2000 on this site alone, another couple hundred on another two sites.) – The last two batches were credit card and then hotel/travel related (just fyi).

All of the the swarms of trackback spam seemed to last an hour give or take a few minutes, so it does look kind of like “rent-a-bot” activity, lots of different IP addresses, trackback spam sites seem to have a common theme – the last batch was insurance type sites…. a sampling of about three or four found that they were all cloaked redirects for the same site/page …. http://www.finance-portal-online.com/insurance.php ALL are registered with moniker.com and all the insurance related domains being spammed (that I checked) redirect to the finance-portal-online.com site above which is registered to a “Bill Bilton” whose email is given as bill at top-support.net ….

Interestingly… Rated-insurance.com, 1time-insurance.com, and Insurance-related.com
which were some of the names used (with subdomains a plenty), had either support-4u.net or marketing-support.info email addresses as tecnical contacts… looking up THOSE domains led to support-2000.net, support-4u.net (from marketing-support.info) and finally support-2000.net had top-support.net emails as the contact information.

Top-support.net seems to be the “lowest common denominator” that all roads lead to… Curtis Joe curtis_joe at top-support.net
Private
Mancill Rd
98
Ringsted
Kansas
72414
US
Phone: +1.8993488105

The address does not seem legit (at least running it through google), but… it does turn up other stories of the same type swarm..

And that’s just looking at one of the three trackback spam swarms over the last 24 hours. If I have time I may look into the casino spam if I still have some samples…. I forget what the first batch was now.

–update–

Just after I posted, I thought I’d better go ahead and look before the casino spam got pushed off the list and into oblivion….

So, it looks like the casino spam subdomains aren’t necessarily cloaked redirects, but slightly different look for each “doorway” subdomain. I just sampled two, so I don’t know about ALL of it… anyway… here’s one domain Secured-casino.com, that was registered with surprise – moniker what a small world. Anyway, the administrative/technical contacts list team-support-24×7.net (hmm… someone really likes -support- domains…) Well WHAT a coincidence…. team-support-24×7.net lists as it’s administrative contact and email address at support-2000.net now this is just too much…. Checking out casino-2u.com which is another of the spammed domains… low and behold their contact emails are at support-2000.net as well. (Which if I recall has top-support.net for it’s contact information.) Seems like all roads lead to top-support.net Now their web site announces that it has been registered at moniker.com and is “coming soon”.

I just can’t wait to see wait useful and interesting products and services they’ll have. Judging by this google search for top-support.net spam, I don’t think I’m the only one to have discovered their “services”.

While looking through the google results, I found a couple interesting “war against spam posts. Also, there’s this outing spammers post which helps put a name to the bulgarian twin spammers responsible. (You just can’t make this stuff up….) Iavor Zahariev and and Todor Zahariev. Spamhuntress has some evasive techniques… apparently they’ve used open proxies. Here’s a page with LOTS of history on the duo…

And as I check the logs I see I’m in the midst of another swarm… They still seem to be on the insurance kick and spam filtering still seems to be working quite well. Here are a couple of log entries covering about a minutes worth of the swarm…

82.114.69.131 - - [18/May/2006:09:57:47 -0600] "POST /2005/07/25/daylight-savings-changes-in-the-works/trackback HTTP/1.1" 200 90 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; NetCaptor 6.5.0RC1)"
203.154.224.16 - - [18/May/2006:09:58:32 -0600] "POST /2005/08/22/the-passing-of-dr-bob-moog/trackback HTTP/1.0" 200 78 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)"
61.19.51.228 - - [18/May/2006:09:58:53 -0600] "POST /2005/08/24/more-on-wireless-networking-security/trackback HTTP/1.0" 200 78 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)"
219.93.174.101 - - [18/May/2006:09:58:54 -0600] "POST /2005/07/25/trademark-issue-over-microsoft-vista/trackback HTTP/1.1" 200 91 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iOpus-I-M)"
202.142.180.6 - - [18/May/2006:09:58:54 -0600] "POST /2005/08/15/dhsus-certnist-launches-nvd/trackback HTTP/1.0" 200 79 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iRider 2.21.1108; FDM)"

A sampling of IP addresses brings us to (from bottom to top) Pakistan, Kuala Lumpur, Thailand, and another Thailand entry…. interesting a southeast asian sampling this time. The last sampling of IP’s I took were mostly US/European/ entries, with one Asian country of origin that I don’t recall. One ip couldn’t be traced at samspade.org and I really am not energetic enough to follow.

Well…. have fun storming the castle and all…. I’m moving on to other topics.

Can’t help coming back again – this has been a longer sustained storm – “the 2PM eastern hour today brought to you by phentermine….” it seems that http://phenterminehclhere.blogspot.com/ is really heavily promoting in the trackback spam right now. They’re the last 98 or so entries in akismet’s filter and picked up right where the insurance sites left off.

Looks like I may have tagged the wrong spammers… Zahariev spam not done by Zahariev – interesting twist and it will be interesting to see what further info may come out.

BTW, I’m now up to something like 1200 on this site and another 100 or so on another two domains. Akismet has acted like a champ with just 1% getting through. I wish there were a way to tag a trackback as spam and report to akismet. I don’t see a way to do that (without moderating ALL trackbacks… which I may have to look into if this keeps up.) This storm seems to have subsided, the last 10 minutes being quiet – about 3 hours and a few minutes *(15 minutes at the most). The fact that’s it’s relatively closely time to last x hours makes it look quite bot-ish.

If you’re having trouble with trackback spam, I’d highly suggest akismet, it’s free and the API key to use it is free as well. I signed up for a site at wordpress.com and have put maybe 1 post there. At some point in time, if I ever make more than $500 a month from my sites, I’ll be glad to pay them for the service. It’s acted like a true champion…. 1% of the trackback spam has slipped through and I suspect if I can find a way to slip the trackbacks into the moderation queue I should be able to tag that pretty easily.