Archive for the ‘Spam’ Category.

The spam filter has run amok

My MovableType spam defenses have kind of run amok. It was letting through a ton of spam which led me to disable anonymous comments. For its next trick it decided to trash valid comments.
The first method used for trashing valid comments was a rule that http:// shouldn’t appear in the commenter’s name field. That wasn’t a problem until OpenID. The crappy OpenID plugin I’m using doesn’t put the OpenID display name in the name field. Instead it pulls in a URL including the name and the server. A quick tweak to the ruleset fixed that problem.
The next issue I found was that my own comments were getting blocked (when using a test account, not my regular comment account, which is set up as a trusted commenter). The Spamhaus ZEN filter was blocking me. Back in July, MovableType reported that one of the old blocklists was going away and recommended using zen.spamhaus.org instead. Since I like Spamhaus I accepted that recommendation uncritically. Now I find out that “ZEN is the combination of all Spamhaus DNSBLs into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, the XBL and the PBL blocklist”. The problem is that the PBL is the Policy Block List. It’s like the DUL: it’s designed to prevent end users from sending mail directly to recipient mail servers; they should go through their ISP’s mail server. That is not the sort of list you should be using with HTTP. End-user computers should be browsing directly to my website and making comments.
A better Spamhaus list to use is the XBL. Be aware however that according to Spamhaus, “The XBL contains mostly dynamic IP addresses, meaning the user you would be blocking is probably not going to be the user with the exploited computer. Please do not block innocent users.”
You’re probably better off forcing the user to prove they are human with a Captcha rather than using (misusing) block lists.
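To make the ZEN problem concrete, here is an added example (not from this post and not MovableType code) that builds the reversed-octet DNSBL query name and classifies the 127.0.0.x answers by the sub-list they come from, using the return codes Spamhaus documents for ZEN (assumed accurate; check their documentation). Only SBL and XBL hits are treated as grounds to block a web commenter; a PBL-only hit is ignored, since a dynamic end-user address is exactly what a legitimate browser is expected to have.

```python
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Return codes Spamhaus documents for the ZEN zone (assumption: accurate as of
# this writing; verify against the current Spamhaus documentation).
ZEN_CODES = {
    "127.0.0.2": "SBL",   # Spamhaus Block List (known spam sources)
    "127.0.0.3": "SBL",   # SBL CSS
    "127.0.0.4": "XBL",   # Exploits Block List (compromised hosts)
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL",   # SBL DROP
    "127.0.0.10": "PBL",  # Policy Block List (end-user/dynamic space)
    "127.0.0.11": "PBL",
}

def zen_query_name(ipv4):
    """Build the lookup name: 192.0.2.10 -> 10.2.0.192.zen.spamhaus.org."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ipv4)
    return ".".join(reversed(octets)) + "." + ZEN_ZONE

def classify_codes(answers):
    """Map a list of 127.0.0.x answers to the set of ZEN sub-lists they belong to."""
    return {ZEN_CODES.get(a, "UNKNOWN") for a in answers}

def block_http_commenter(answers):
    """Block only on SBL or XBL hits. A PBL-only hit just says 'dynamic address
    that should not send mail directly', which says nothing about a browser
    posting a comment, so it is ignored."""
    return bool(classify_codes(answers) & {"SBL", "XBL"})

def lookup(ipv4):
    """Live DNS lookup; returns [] when the address is not listed (NXDOMAIN)
    or when DNS is unreachable."""
    try:
        return socket.gethostbyname_ex(zen_query_name(ipv4))[2]
    except OSError:
        return []
```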

Backscatter

One of our users is a victim of backscatter and has been reporting the messages to the abuse mailbox at work.
Backscatter is the unsolicited mail that arrives when a spammer sends out email as you and poorly configured email servers return all manner of notices to you. It’s funny to watch a Barracuda spam firewall spamming the employee with the message Undeliverable: **Message you sent blocked by our bulk email filter** and an RFC rejection. Along with that come the usual ‘out of office’ replies and non-delivery reports.
I figured there really isn’t much we can do. I decided that maybe it’s time to adjust the SPF record and change it from a ~all to a -all setting. Surprise, surprise: I found that there was no SPF record for the domain in question. I’m not sure if I dropped the ball on that or if our external DNS provider did something crazy again. At any rate, that is getting fixed, but given how few mail servers check SPF records, I don’t think it will be a lot of help.
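To show what the ~all to -all change actually buys against forged senders, here is an added example (not from this post) of a minimal SPF evaluator. It handles only ip4:, ip6: and the all mechanism with its qualifier; include:, a, mx and redirect= are deliberately not modelled. The two records are constructed samples.

```python
import ipaddress

# Constructed sample records for a domain whose only legitimate sender is 192.0.2.0/24.
RECORD_SOFTFAIL = "v=spf1 ip4:192.0.2.0/24 ~all"   # "probably not us"
RECORD_FAIL = "v=spf1 ip4:192.0.2.0/24 -all"       # "definitely not us, reject"

# Result an "all" (or a matching ip4/ip6) term yields, by qualifier; "+" is the default.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip):
    """Evaluate sender_ip against a v=spf1 record.

    Supports ip4:, ip6: and all only (include:, a, mx, exists, redirect= are
    skipped), which is enough to show the difference between ~all and -all.
    Returns pass / fail / softfail / neutral, "none" when there is no usable
    record, or "permerror" for a malformed network argument.
    """
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        # Any other mechanism or modifier is ignored in this cut-down evaluator.
    return "neutral"  # nothing matched and no "all" term: RFC 7208 default
```

A receiver that honours SPF can reject a -all "fail" at SMTP time, so the forged message never generates a bounce; a ~all "softfail" is normally only a scoring hint.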

ISC Diary: Spam Storm affecting Canada

Today’s SANS handler diary notes that a spam storm is affecting the availability of mail servers at some companies in Canada.
It’s always amusing to note spammer mistakes in formulating the email addresses. In this case it looks like they are using $firstname$randomword$lastname. That’s not going to work very well. :) The sheer volume is causing some issues, though.
The handler suggests that it is a best practice to reject email for bad addresses at your MTA, immediately after receiving a bad RCPT TO. I agree that will prevent a whole lot of unnecessary mail processing. I am concerned, though, that in the absence of additional software this will assist the spammer with address harvesting. If the bad guy can determine that you only accept valid addresses, and you don’t have a mechanism to kill directory harvesting attempts, they’ll be able to brute force valid addresses. Companies like Postini (Google) and MessageLabs have this sort of feature. I don’t know about other MTAs.
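The harvesting concern is detectable from the MTA’s own logs: a client that gets many distinct “user unknown” rejections in a short window is probing the address space. Here is an added example (not from the diary or this post) that parses constructed Postfix-style rejection lines and flags clients that exceed a threshold of distinct rejected recipients inside a sliding time window; the log format, addresses and threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in a Postfix-like format (not from any real server).
SAMPLE_LOG = """\
Jan 10 12:00:01 mx postfix/smtpd[4412]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <john.random.smith@example.com>: Recipient address rejected: User unknown
Jan 10 12:00:02 mx postfix/smtpd[4412]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <john.blue.smith@example.com>: Recipient address rejected: User unknown
Jan 10 12:00:02 mx postfix/smtpd[4412]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <john.fast.smith@example.com>: Recipient address rejected: User unknown
Jan 10 12:00:03 mx postfix/smtpd[4412]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <john.green.smith@example.com>: Recipient address rejected: User unknown
Jan 10 12:00:03 mx postfix/smtpd[4412]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <jane.red.doe@example.com>: Recipient address rejected: User unknown
Jan 10 12:05:40 mx postfix/smtpd[4413]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.9]: 550 5.1.1 <jsmith@example.com>: Recipient address rejected: User unknown
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: "
    r"550 5\.1\.1 <(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)

def parse_rejections(text):
    """Yield (timestamp, client_ip, recipient) for each unknown-user RCPT rejection."""
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
            yield ts, m.group("ip"), m.group("rcpt")

def harvesting_suspects(text, threshold=5, window_seconds=60):
    """Return {client_ip: peak distinct unknown recipients} for clients that were
    rejected for at least `threshold` distinct recipients inside any span of
    `window_seconds`: the signature of brute-forcing addresses against an MTA
    that rejects at RCPT TO. A single typo from a partner server is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt in parse_rejections(text):
        by_ip[ip].append((ts, rcpt))
    suspects = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {r for _, r in events[start:end + 1]}
            if len(distinct) >= threshold:
                suspects[ip] = max(suspects.get(ip, 0), len(distinct))
    return suspects
```

A flagged client is a candidate for tar-pitting or a temporary connection ban, which removes the harvesting benefit while keeping the cheap early RCPT TO rejection for everyone else.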

FDF Spam

F-Secure is reporting in their blog that they are seeing spam in FDF file attachments. FDF files will open in Adobe Reader. Spammers are using this as their latest attempt to bypass spam filters.

Getting Blacklisted leads to clean computer

Interesting article about an ITWeek writer and an email blacklist.
He learns he’s blacklisted. He wonders how this can be, but ultimately he tracks it down. Interesting stuff.

Spam Automation Tools

Brian Krebs links to the XRumer auto-submitter in an entry in the Washington Post Security Fix. It’s interesting to see the software that is out there for pumping spam into on-line bulletin boards.
XRumer uses search engines to gather target forums, then automates the registration and posting of the spam. They brag in the feature list that they can get around CAPTCHAs and email verification. There is a long video demonstrating its use.

GCW: Coast Guard Mandates Anti-Phishing Training

According to a Government Computing News article, the Coast Guard is requiring all of its computer users to “take mandatory training on how to avoid fake e-mail messages that try to acquire sensitive data in a technique known as phishing and even more highly targeted attacks known as spear phishing.”
That reminds me of an anecdote I heard recently where the Air Force gave anti-phishing training and then followed up with a test phishing email purportedly from a high-ranking officer. Because of the authority carried by the sender’s rank, they still got a very high click-through rate. Obviously more training was needed. That, or a better filter.

Your gmail addressbook may have been exposed

According to various web reports, Google was using JavaScript to store your Gmail address book while you’re logged in. As a result, if you are logged into Gmail, any other website you visit could request your Gmail address book.
This flaw has now been resolved, but it does give one pause about the dangers of JavaScript.

Stration Spam Connection

iDefense is connecting the Stration virus with the recent rise in spam volume according to an article in Information Week.

Spam image technique

John Graham-Cumming blogs on a new animated GIF technique spammers have used to thwart OCR. His entry a day earlier is interesting also.