Archive for the ‘Spam’ Category

Google Used For Spam

This happened a few weeks ago. I kept it quiet and reported it. Hasn’t happened again, and I haven’t heard anything, so I presume it’s fixed.

It appears spammers have learned to hijack Google Alerts for spamming purposes. By setting up an alert with a spam text, the email is sent through Google’s mail servers. Because it’s plain text, most email clients will parse the link in an email to make it clickable. Effectively Google is running an open mail server. Here’s what I saw when I visited Google’s site to see if it really was in my account:

[Image: Google Spam]

So apparently a spammer was smart enough to realize they could hijack this functionality to send spam through Google. I emailed Google a few weeks ago about this problem, and didn’t hear back. I haven’t seen another, so I presume they fixed this problem by now. From what I’ve read Google is pretty prompt with this stuff.

This just shows how careful you need to be with security of web forms. Even something innocent sounding like this can be hijacked to send nasty payloads. A spammer could have used this to send links to infected files, etc. All looking like legitimate Google emails (because they are from Google).

Here’s what the email looks like (slightly sanitized by me):

(more…)

Spam Havens Follow Up

Ok, so 1 business day after I found a few spammed sites:

  • Apple has removed the page, no comment.
  • Riverside, CA acknowledged and said they are in the process of resolving. I’ll keep an eye out to see how long it takes.
  • AOL has removed the page, no comment.

So there you have it, 3 reports, 2 of which are resolved in 1 business day, 1 other report is still in the works.

I was surprised myself to see the response time.

Edit [3/21/2007]: Riverside, CA has removed the links, and disabled that forum to prevent future problems.

Spam Havens?

I’ve recently seen an increase in spam around here slipping through the filter. In an attempt to keep this site clean, I keep a close eye on comments. Typically checking several times a day, and removing URLs that are pure spam, or just inappropriate. But over the past several days things have been getting stranger.

The typically very clean mac.com (Apple Inc.’s .mac Web Hosting service) seems to be a spam haven. The last several days, I’ve been seeing several spams for a “Streammate” site hosted by Apple. This is one of those porn spam sites (which I get a hundred a day). What’s interesting is that it doesn’t seem to get shut down promptly. Do they not monitor the service? It’s not like it’s even free. This is paid hosting. Most hosting services have some spam sites. It’s virtually impossible to avoid. But they should be removed when found.

Not only is Apple hosting these Spam pages, but so are others including the City of Riverside, California, who links to the Apple hosted spam.

The URLs relevant in this case are below as an image to prevent any Google Juice, as well as unsuspecting clicks. You’ll have to very intentionally type them into your URL bar. The contents may not be appropriate for all audiences, who knows what badware lies within. Be warned.

[Image: Spam Havens?]

I’ve contacted Apple and The City of Riverside. Let’s see how quickly this is handled.

Edit: Just realized AOL’s hosting too.

Edit: See the update.

Google Badware Notification

Google has started providing notification before it lets you visit a search result known to contain badware. It’s done in partnership with StopBadware.org, who has a list of sponsors including: Google, Lenovo, and Sun Microsystems.

So far the feature seems pretty good. I’m sure there will be a few C&D’s trying to get this feature taken down, now that some companies have found their revenue model shattered. To help prevent accidental blacklisting they have been trying to contact websites that are blacklisted so they can try and fix it (should they want to). Hopefully that will eliminate/minimize any errors.

I’d venture most people stumble upon these sites one of a few ways:

  1. Spam, or its instant messaging counterpart Spim. Linking to dubious websites in hopes of generating revenue at a computer owner’s expense.
  2. Search results. The prime situation where a web surfer visits sites out of their ordinary traffic patterns and may fall victim to such practices.

Google just took a big bite out of #2. Gmail/Yahoo/Microsoft/AOL have been working hard on #1. That should really help make the web a safer place… until the next menace takes the web by storm.

The Crushing Junk Folder

Since 9/19/2006 when I last emptied my Junk folder, my personal email address has 1.65GB (yes, gigabytes) of Spam/Viruses in it. That is in my opinion a sign of a serious problem.

Oh yea, a few weeks ago, we began auto-rejecting email from certain blacklisted servers, which drastically cut down on spam. And still it almost hit the 2GB mark.

Imagine how much wasted electricity spam filtering costs due to consuming CPU cycles and hard drive I/O. Not to mention the financial cost.

On a side note, for Thunderbird users:

I like to keep a mail archive, I do so using the trash. I just don’t empty. But I don’t want my “Junk” in there. So what I do is periodically delete it.

Edit: See comment #1 for a better way, or for my way, read on.

First close Thunderbird. In your profile, find your Mail folder, then your mail server, and you’ll see a file called Junk. Delete it and create a blank. Or in any Unix OS:

rm -r Junk
touch Junk

Then open up Thunderbird, right click on the Junk folder (will still show # of items, though none exist), select “Compact”. It will soon reset to 0. Done. Nothing mixed in your trash. Perhaps a nice extension would be a hard delete, one that didn’t go to the trash, but just wiped the contents away.

Bayesian Spam Filter Poisoning With RSS

Overview

Bayesian Filtering is a great method for fighting spam. Unlike rule-based filtering which spammers can easily adapt to with simple modifications, Bayesian adapts with the spammers’ changes, making it much more difficult for them to defeat the filtering. As a result it’s used in server side mail filtering as well as client side filtering in various products including Mozilla Thunderbird, SpamAssassin, and SpamBayes. Despite this level of “intelligence” it’s not foolproof. Like anything that analyzes unsanitized input, it’s vulnerable to poisoning. To be fair, there is a debate on if it exists or not. I personally believe it does exist.

(more…)

Coming Soon: Bluejacking

If you have Bluetooth on your phone, there’s yet another reason to turn it off when you don’t use it. Besides saving battery life (which is always a good thing), and just general security you’ll be seeing more and more spam as time goes on if you keep it on. It’s already a problem in some places. Here’s an auto translated version of the linked article in English.

It’s too easy to just spam cell phones with phone book entries, videos, text messages, pictures, etc. Even if you don’t accept them, your phone will still go off to let you know you have an incoming request. I would bet it won’t take long before apps exist for PDAs to automatically spam any Bluetooth device in range. Then a spammer can just walk through the streets, malls or stores to send spam. Talk about discreet marketing.

What a mess, and I doubt it will be fixed anytime soon. We’re still getting email spam with no end in sight.

Phishing Unit Testing And Other Phishy Things

Seeing these results is pretty cool. I hope someone has/will come up with a way to have a test like this running periodically (at least weekly, if not daily or multiple times a day) which does an analysis on Phishing sites and how many are being blocked. I’d presume Google and other data services would have some interest in this. It could be as simple as an extension for browsers (yes IE too) which reads a feed and visits each site, and reports the results to a web service. Running in a confined environment (virtual machine, or dedicated box) free of tampering. I think the real advantage would be to see how effectiveness varies over time as phishers become more sophisticated.

Take for example spammers. First spam was pretty simple, now they are using animated GIFs, sophisticated techniques to poison Bayesian analysis, botnets etc. I presume over time we’ll see the exact same thing with Phishing attacks. I doubt it’s going to get any better. On the positive side of things, this is still in its infancy, so we can start learning now, and be more aggressive than people were about the spam problem, which got way out of hand before everyone realized it was really something to worry about.

I’d ultimately like to see just percentages of different anti-phishing blacklists/software updated frequently, so we can keep a running tally. Perhaps it would be a good indicator of when phishing tactics require a software or methodology update. I think overall everyone would benefit from some industry collaboration rather than competition. The problem with phishing is to be effective your research must be good. To do good research you need to cast a wide net, and capture only one species of phish while not letting any dolphins get stuck in the net (sorry, couldn’t resist).

I’d be curious to know what others think of such testing, and efforts (from general users, as well as anti-phishing/spam vendors). Is the war against spam effective? Should the same techniques be used? Is it time for coalition building? Should we each go in alone? How do you monitor changes in techniques used by phishing?

I know Google is pretty serious about keeping up with the data in a very timely manner, and from what I can tell, most other vendors are as well. But I wonder how industry wide statistics could further benefit. Perhaps simply the competition of trying to have a higher average score. Perhaps simply the detection of changes in techniques (noted by everyone’s collective decline in detection rate).

I’d love to hear what others think of Phishing protection. It’s a rather interesting topic that many don’t give too much thought to, but it really is an important part of how browsers make the internet safer.
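
An added example, not part of the original post: one way to keep the running tally of per-blacklist detection rates described above and to flag a run where every vendor declines at once, which the post suggests as a sign that phishing techniques have changed. The vendor names, dates, results and the 10-point drop threshold are constructed placeholders, not measurements of real products.

```python
# Constructed sample data: for each periodic run, each vendor has one flag per
# phishing URL in the feed ("1" = blocked, "0" = missed). Placeholder values.
RUNS = {
    "2007-02-19": {"vendor_a": "1111111110", "vendor_b": "1111111100", "vendor_c": "1111111000"},
    "2007-03-05": {"vendor_a": "1111111110", "vendor_b": "1111111000", "vendor_c": "1111111100"},
    "2007-03-19": {"vendor_a": "1111110000", "vendor_b": "1111100000", "vendor_c": "1111100000"},
    "2007-04-02": {"vendor_a": "1111111100", "vendor_b": "1111111000", "vendor_c": "1111111000"},
}


def detection_rates(runs):
    """Return {run date: {vendor: fraction of feed URLs blocked}}, oldest run first."""
    rates = {}
    for date, vendors in sorted(runs.items()):
        rates[date] = {
            vendor: sum(flag == "1" for flag in flags) / len(flags)
            for vendor, flags in vendors.items()
            if flags  # skip a vendor that returned no results for this run
        }
    return rates


def collective_declines(rates, min_drop=0.10):
    """Return run dates where every vendor fell by at least min_drop since the prior run.

    One vendor slipping may be a stale list; all of them slipping together
    suggests the phishing pages changed in a way nobody detects yet.
    """
    flagged = []
    dates = list(rates)
    for prev, cur in zip(dates, dates[1:]):
        common = rates[prev].keys() & rates[cur].keys()
        if common and all(rates[prev][v] - rates[cur][v] >= min_drop for v in common):
            flagged.append(cur)
    return flagged


if __name__ == "__main__":
    rates = detection_rates(RUNS)
    for date, per_vendor in rates.items():
        print(date, {v: f"{r:.0%}" for v, r in sorted(per_vendor.items())})
    print("collective decline on:", collective_declines(rates))
```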

Hardened Defenses

This weekend my Contact page got spammed. It’s now rewritten and using a few blacklists (including Akismet) among other techniques to eliminate spam. Should be much better now. I also think the handling of attachments should be better.

The spam appeared to be from a botnet, based on the fact that no 2 seemed to have the same IP address. So just blocking IPs wasn’t an option.

Now things should be even better.

Google Earth Spam

And the spamming of Google Earth begins. I guess it was only a matter of time.