Posts tagged: SPAM

Comment Spam

Other than using Akismet, the anti-comment-spam measures I have in place here are pretty primitive. I block some common patterns and blacklist some IPs. (I don’t have plans to make it any more sophisticated since I’ve told myself any new blog engineering effort needs to go to the new Django-based version, not the old PHP5 one.)

I was looking at server logs this week and noticed an unusual number of POST requests, then realized that they were foiled comment-spam attempts. I counted them up:

Library of 1000 scammy spams

One of my neglected side projects, purportal.com, features a “Scammy spam library” where I share the text of scam emails I’ve been collecting. Today it reached the 1000-specimen milestone, so I wrote a little script to count word frequencies. The raw list reads like some of the less coherent messages itself:

account email our please ebay me paypal information bank any address through contact security am money funds us million…

I posted a bit more on the purportal.com news page.

More unexpanded spam macros

I posted one simple example of this a while back, but this one’s much better. (I’ve removed some uninteresting stuff like the actual routing.)

From ...
Received: ...
Date: ...
Received: from 192.168.0.%RND_DIGIT (203-219-%DIGSTAT2-%STATDIG.%RND_FROM_DOMAIN
[203.219.%DIGSTAT2.%STATDIG]) by mail%SINGSTAT.%RND_FROM_DOMAIN (envelope-from
%FROM_EMAIL) (8.13.6/8.13.6) with SMTP id %STATWORD for <%TO_EMAIL>;
%CURRENT_DATE_TIME
Message-Id: <%RND_DIGIT[10].%STATWORD@mail%SINGSTAT.%RND_FROM_DOMAIN>
From: "%FROM_NAME" <@FROM_EMAIL>
To: undisclosed-recipients:;

%TO_CC_DEFAULT_HANDLER
Subject: %SUBJECT
Sender: "%FROM_NAME" <%FROM_EMAIL>
Mime-Version: 1.0
Content-Type: text/html
Date: %CURRENT_DATE_TIME

%MESSAGE_BODY

That Received: line looks like a nice template for a SpamAssassin rule, if you use SpamAssassin.
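As an added example (not code from the original post, and a Python filter rather than an actual SpamAssassin rule), here is one way to flag messages whose headers still carry unexpanded %MACRO placeholders like the ones above. The regex, the header list and the function name are assumptions made for illustration.

```python
import re
from email import message_from_string

# %NAME placeholder, optionally with a [n] repeat count as in %RND_DIGIT[10].
# The (?<!\d) lookbehind skips ordinary text such as "50%OFF".
MACRO = re.compile(r"(?<!\d)%[A-Z][A-Z0-9_]{2,}(?:\[\d+\])?")

# Headers to inspect (an assumption; extend as needed).
CHECKED = ("Received", "Message-Id", "From", "Sender", "Subject", "Date")

def unexpanded_macros(raw):
    """Return {header name: sorted unique placeholder tokens} for one raw message."""
    msg = message_from_string(raw)
    hits = {}
    for name in CHECKED:
        tokens = set()
        for value in msg.get_all(name, []):  # Received usually occurs more than once
            tokens.update(MACRO.findall(value))
        if tokens:
            hits[name] = sorted(tokens)
    return hits

# Constructed sample: two header lines taken from the template shown above.
TEMPLATE_LEAK = (
    "Received: from 192.168.0.%RND_DIGIT (203-219-%DIGSTAT2-%STATDIG.%RND_FROM_DOMAIN\n"
    " [203.219.%DIGSTAT2.%STATDIG]) by mail%SINGSTAT.%RND_FROM_DOMAIN\n"
    "Message-Id: <%RND_DIGIT[10].%STATWORD@mail%SINGSTAT.%RND_FROM_DOMAIN>\n"
    "\n"
    "body\n"
)

# Constructed clean message; example.org and example.net are placeholder domains.
CLEAN = (
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
    " by mx.example.net with ESMTP id abc123\n"
    "Message-Id: <20240101.abc123@example.org>\n"
    "Subject: 50%OFF this week\n"
    "\n"
    "hi\n"
)

if __name__ == "__main__":
    for label, raw in (("template leak", TEMPLATE_LEAK), ("clean", CLEAN)):
        print(label, unexpanded_macros(raw))
```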

Spam stats redux

My spam stats page was broken for a while, but I’ve fixed it. Looks like I’m rejecting about 10,000 spam attempts per day, which is significantly less than I expected given the rate of growth when I last checked the numbers a few months ago. It’s possible some of this reduction is due to the fact that I’m no longer collecting spam via spamtrap addresses, with some of those addresses (which accounted for about a third of my total spam volume) falling off the lists of spammers who actually check for deliverability.

Bad news for Spamhaus?

The anti-spam operation Spamhaus, based in the UK, is being sued in an Illinois court by an individual named David Linhardt, who is listed in Spamhaus’ Register of Known Spam Operations (ROKSO) database. Spamhaus has been responding like this:

… Spamhaus, which as a British organization not subject to Illinois court orders is continuing to list Linhardt’s IP addresses on its SBL spam blocklist as usual … the Illinois ruling shows that U.S. courts can be bamboozled by spammers with great ease. Additionally, as spamming is illegal in the United Kingdom, an Illinois court ordering a British organization to stop blocking incoming Illinois spam in Britain goes contrary to U.K. law which orders all spammers to cease sending spam in the first place.