Posts Tagged ‘Spam’

Email Image Protection

Many people think that making an image out of an email address is a good way to protect it from being harvested by spam bots. It’s now possible to convert it from an image back to an email link via a Firefox extension. Guess what, an email harvester can do this just as well. What’s a better solution against email harvesters? Don’t put any trace of an email address online; use a form. Yes, you could distort the image a bit to make it more difficult, but using a CAPTCHA as an email address isn’t going to make you any friends. JavaScript obfuscation can also be done, but there’s no reason why it can’t be interpreted (though that may be more difficult in some cases, since a JS engine isn’t the easiest thing to work with, and implementing anything less than a real JS engine can easily be defeated by throwing some extra JS in there). Some discussion on the Firefox extension implementation can also be found on Gerv’s blog, where he proposed the idea.

Google Used For Spam

This happened a few weeks ago. I kept it quiet and reported it. Hasn’t happened again, and I haven’t heard anything, so I presume it’s fixed.

It appears spammers have learned to hijack Google Alerts for spamming purposes. By setting up an alert with spam text, the email is sent through Google’s mail servers. Because it’s plain text, most email clients will parse the link in the email to make it clickable. Effectively Google is running an open mail relay. Here’s what I saw when I visited Google’s site to see if it really was in my account:

Google Spam

So apparently a spammer was smart enough to realize they could hijack this functionality to send spam through Google. I emailed Google a few weeks ago about this problem, and didn’t hear back. I haven’t seen another, so I presume they fixed this problem by now. From what I’ve read Google is pretty prompt with this stuff.

This just shows how careful you need to be with the security of web forms. Even something innocent-sounding like this can be hijacked to send nasty payloads. A spammer could have used this to send links to infected files, etc., all looking like legitimate Google emails (because they are from Google).

Here’s what the email looks like (slightly sanitized by me):


Spam Havens Follow Up

Ok, so 1 business day after I found a few spammed sites:

  • Apple has removed the page, no comment.
  • Riverside, CA acknowledged and said they are in the process of resolving. I’ll keep an eye out to see how long it takes.
  • AOL has removed the page, no comment.

So there you have it, 3 reports, 2 of which are resolved in 1 business day, 1 other report is still in the works.

I was surprised myself to see the response time.

Edit [3/21/2007]: Riverside, CA has removed the links, and disabled that forum to prevent future problems.

Spam Havens?

I’ve recently seen an increase in spam around here slipping through the filter. In an attempt to keep this site clean, I keep a close eye on comments, typically checking several times a day and removing URLs that are pure spam, or just inappropriate. But over the past several days things have been getting stranger.

The typically very clean mac.com (Apple Inc.’s .Mac web hosting service) seems to be a spam haven. The last several days, I’ve been seeing several spams for a “Streammate” site hosted by Apple. This is one of those porn spam sites (of which I get a hundred a day). What’s interesting is that it doesn’t seem to get shut down promptly. Do they not monitor the service? It’s not like it’s even free. This is paid hosting. Most hosting services have some spam sites. It’s virtually impossible to avoid. But they should be removed when found.

Not only is Apple hosting these spam pages, but so are others, including the City of Riverside, California, which links to the Apple-hosted spam.

The URLs relevant in this case are below as an image to prevent any Google juice, as well as unsuspecting clicks. You’ll have to very intentionally type them into your URL bar. The contents may not be appropriate for all audiences; who knows what badware lies within. Be warned.

Spam Havens?

I’ve contacted Apple and the City of Riverside. Let’s see how quickly this is handled.

Edit: Just realized AOL’s hosting too.

Edit: See the update.

Comment Liability

Interesting to see that after a blogger was sued over comments posted on a blog, there is a federal court ruling that pretty much says that’s not allowed.

Something tells me, if a kid clicks on a blog spam link that goes to a porn site, you can still get 40 years in prison.

Spam is easy to deal with these days; there is enough filtering technology available. But legitimate, yet vile, comments can still sneak by. It’s hard to police sites at times. We don’t all have the time to sit and watch them. I do my best, but every so often I do believe one may slip by that, if I had thought longer, I would perhaps have moderated.

The Crushing Junk Folder

Since 9/19/2006 when I last emptied my Junk folder, my personal email address has 1.65GB (yes, gigabytes) of Spam/Viruses in it. That is in my opinion a sign of a serious problem.

Oh yeah, a few weeks ago we began auto-rejecting email from certain blacklisted servers, which drastically cut down on spam. And still it almost hit the 2GB mark.

Imagine how much wasted electricity spam filtering costs due to consuming CPU cycles and hard drive I/O. Not to mention the financial cost.

On a side note, for Thunderbird users:

I like to keep a mail archive, and I do so using the trash: I just don’t empty it. But I don’t want my “Junk” in there. So what I do is periodically delete it.

Edit: See comment #1 for a better way, or for my way, read on.

First close Thunderbird. In your profile, find your Mail folder, then your mail server, and you’ll see a file called Junk. Delete it and create a blank one. Or in any Unix OS:

rm -r Junk
touch Junk

Then open up Thunderbird, right click on the Junk folder (it will still show the number of items, though none exist), and select “Compact”. It will soon reset to 0. Done. Nothing mixed in your trash. Perhaps a nice extension would be a hard delete, one that didn’t go to the trash, but just wiped the contents away.
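As an added example (not the post’s own commands), here is the same procedure as a small shell function that refuses to run while Thunderbird is open, truncates the mbox in place instead of deleting and recreating it, and removes the companion Junk.msf index so Thunderbird rebuilds the folder count on the next start. It assumes the standard profile layout where the Junk folder is a plain mbox file named Junk with an index file named Junk.msf beside it.

```shell
#!/bin/sh
# Added example, not the post's own commands: reset a Thunderbird Junk
# mbox in place. Assumes the standard layout where the folder is the
# plain mbox file "Junk" with a companion index "Junk.msf".
# Usage: reset_junk_mbox /path/to/profile/Mail/<server>
reset_junk_mbox() {
    dir=$1
    mbox="$dir/Junk"

    # Refuse to touch the mailbox while Thunderbird holds it open;
    # editing a live mbox risks corrupting the folder.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x thunderbird >/dev/null 2>&1; then
        echo "thunderbird is running; close it first" >&2
        return 1
    fi

    # Bail out rather than create a stray file in the wrong directory.
    if [ ! -f "$mbox" ]; then
        echo "no Junk mbox in $dir" >&2
        return 1
    fi

    # Truncate rather than rm + touch so ownership and mode are preserved.
    : > "$mbox"

    # Drop the stale index so Thunderbird rebuilds it (and the item count)
    # on next start instead of showing phantom messages that need Compact.
    rm -f "$mbox.msf"
    return 0
}
```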

Bayesian Spam Filter Poisoning With RSS

Overview

Bayesian filtering is a great method for fighting spam. Unlike rule-based filtering, which spammers can easily adapt to with simple modifications, Bayesian filtering adapts to the spammers’ changes, making it much more difficult for them to defeat the filtering. As a result it’s used in server-side mail filtering as well as client-side filtering in various products, including Mozilla Thunderbird, SpamAssassin, and SpamBayes. Despite this level of “intelligence” it’s not foolproof. Like anything that analyzes unsanitized input, it’s vulnerable to poisoning. To be fair, there is a debate on whether poisoning exists or not. I personally believe it does exist.


Coming Soon: Bluejacking

If you have Bluetooth on your phone, there’s yet another reason to turn it off when you don’t use it. Besides saving battery life (which is always a good thing), and just general security, you’ll be seeing more and more spam as time goes on if you keep it on. It’s already a problem in some places. Here’s an auto-translated version of the linked article in English.

It’s too easy to just spam cell phones with phone book entries, videos, text messages, pictures, etc. Even if you don’t accept them, your phone will still go off to let you know you have an incoming request. I would bet it won’t take long before apps exist for PDAs to automatically spam any Bluetooth device in range. Then a spammer can just walk through the streets, malls or stores to send spam. Talk about discreet marketing.

What a mess, and I doubt it will be fixed anytime soon. We’re still getting email spam with no end in sight.

Thunderbird 2.0 Beta 1

Thunderbird 2.0b1 is out; I updated a few days ago. I really love the new tagging functionality. Being able to create your own tags makes organizing mail about 100X easier. The presets of 1.5 just weren’t enough. As far as the UI goes, I was initially not too fond of the earth-tone coloring, but I think the new icons are starting to grow on me. There is also new phishing detection (similar to Firefox). To test it, I looked in my spam folder for a few phishing emails to run the new filter against. So far so good.

The only downsides thus far are that Bayes spam filtering is not performing as well as it did on 1.5. I reset things; hopefully after a few days of learning it will resolve itself. Or perhaps it’s a lingering regression in 2.0. It is, after all, still in beta. The other is that the new mail notification doesn’t seem to open mail if you click on it. I was hoping it would open the email when clicked. Perhaps it’s just not obvious where to click. The appearance and effect seem to be much better now.

It’s hard to write even a mini-review of beta software, since it is just beta and things are incomplete or subject to change. I plan to write more on it closer to the 2.0 release. Despite its lower-profile development (compared to Firefox) and more subtle changes, it’s really evolving. The changes made really do make it a much better experience.

Blog Marketing

I do have a business degree, so occasionally I like to discuss how tech and business collide (yes it does happen). This time it’s about blogging and business.

Most corporate blogging is pretty poor. For the most part it’s slightly reworded press releases put on a blog-styled webpage. A few companies on the other hand break this model such as Lenovo, Sunbelt Software, Sun, and Google’s various blogs (though the official Google blog is rather lame, the product blogs are pretty good as are some prominent Google employees such as Matt Cutts). Even Microsoft has blogs. Apple so far has not been blogging with the exception of WebKit. There are others, but these are my favorite of the tech sites.

Then you have some who have used blogging for grassroots marketing, most notably the Firefox marketing effort. There is also blogging among the people behind it that give anyone interested a good detailed look at what’s coming. In my personal opinion that has been extremely successful in a marketing sense, and as a form of sharing information.

Some companies apparently try to get into blogging through a concept called Pay Per Post. Pretty much as its name implies, bloggers are paid to link to and discuss products/services. In my opinion it’s a rather dishonest technique to boost page rank and convince people that bloggers like their product/service. Of course search engines are effectively helpless against this technique, since it would be somewhat hard to tell the difference: the posts are disguised to look legitimate and done in coordination with the site owner, rather than the link bombing that comment spam does. Search engines don’t seem to mind, though note that if the links aren’t relevant it may be the exception to the rule. That all could (and likely would) change if it starts to degrade the quality of search indexes. It wouldn’t be the first time a problem was initially underestimated (think spam).

Then there is the ethical side of things. Do they all require you disclose that you were paid for the post? Until now, they haven’t had to, though that’s changing. The FTC obviously has an opinion on what they think of marketing without disclosure. Toni Schneider doesn’t think it will catch on, and he’s one of the guys behind WordPress.com. I hope he’s right.

The ever insightful Matt Mullenweg (also behind WordPress.com) notes that blog posts matter and marketing needs to adjust to the new online world. The question I pose is how? So far the only answer I see is the model Lenovo, Sun, Google use that involves good open honest community building and information. People seem to appreciate the inside look they provide. I know I do. I read several of them on a routine basis. But will they all go this route?

It’s important to note it’s not just blogs that are drifting into commercialization, with everyone wondering just how to go about it. Digg is another example, with a Pay Per Digg scheme threatening it. YouTube also got fooled by pros pretending to be someone they aren’t.

I do believe that 2007 will prove to be an important year for blogging in general. This is one of the ongoing struggles that will likely be realized in the upcoming months. How will this affect the credibility of those who choose blogging as a medium to communicate? Dunno. Looking at the success of organizations that do use the medium, I’m pretty sure it will be worth keeping around for the foreseeable future. It will be interesting to see how things play out. One thing is for certain: these are very interesting times on the net.