Security

Over the past few weeks, there has been a spam run directed at the SOSDG's role accounts. We've used the chance to greatly improve our spam detection methods and blocking patterns. I did notice through much of this, that there is an interesting pattern seen on some of the IPs with reverse DNS:

208.66.70.241 => roa.roadpurple.com 208.66.70.242 => roc.rockpurple.com 208.66.70.243 => purp.purpleyard.com 208.66.70.244 => purpl.purplemice.com 208.66.70.245 => fas.fastpurple.net 208.66.70.246 => may.mayotwo.com 208.66.70.247 => sou.sourmayo.com 208.66.70.248 => abo.aboutmayo.com 208.66.70.249 => fir.firemustard.com 208.66.70.250 => get.getmustard.net 208.66.70.251 => big.bigmustard.net

In that chunk, we see the first part is the first 3-5 characters of the domain name pasted in front of the domain name.

208.75.188.70 => forces.finderforces.net 208.75.188.71 => fun.finderfun.com 208.75.188.72 => pent.finderfun.net 208.75.188.73 => type.findertypes.com 208.75.188.74 => find.findertypes.net 208.75.188.75 => keep.keeperfinds.com 208.75.188.76 => keeper.keeperfinds.net 208.75.188.77 => rate.ratingfinds.com 208.75.188.78 => rating.ratingfinds.net 208.75.188.79 => run.runningfinds.com 208.75.188.80 => running.runningfinds.net 208.75.188.81 => ship.shipfinds.com 208.75.188.82 => finds.shipfinds.net

Above, we see the spammer uses a variation of that, sometimes using part of the domain first word, sometimes the last... Sometimes part of the last only.

As much as the idiot spammers may think this helps them avoid filters, in reality, its just flagging the domains for us to find easier.

I've noticed an increased amount of people visiting my blog with the FunWebProducts string in their User-Agent. This little piece of adware/spyware comes in the form of a toolbar and bundled with some applictions.

I'm debating blocking users with the FunWebProducts tag in their user-agent out of principal, and direct them to another site so they can learn how to get it removed...


Thoughts anyone?

Okay, so i've gotten completely sick of those stupid referrer spams. Lately I've been seeing more and more spams with embedded comma characters with multiple sites in the referrer field. So, with a little bit of work, I figured, why not write a mod_rewrite apache rule to block them.



Pretty simple, and works with a properly configured .htaccess file.

So, a lot of people have asked me over the past year or so how I manage to prevent getting so much spam from China without needing to outright block all of China's IP space either in iptables/firewall or DNSbl lists.

Well, I'm about to give you our secret.

The Chinese govt dislikes us (the SOSDG) - alot. We tend to host sites that their govt does not want its people seeing (Falun Gong anyone?).

So, what does any great opressive govt do to sites that are on its banned list? They filter out all of our IP space in their network so their users can't get to our servers.

This does have an interesting side effect though - the filter blocks more then just HTTP traffic (port 80 tcp). SMTP connections are blocked as well. Spammers in China can no longer reach our servers at all.

So, if you want to cut back on spam from China without having to implement blocklists or filters your customers may not appreciate, host a site that pisses the Chinese govt off on your mail servers. I've seen them block new IP ranges hosting Falun Gong sites in under 12 hours.

Easy because it requires no major changes on your end. Fun because you get to irritate everyone's favorite oppressive country and waste their time.

So, it seems Richard Scumville finally discovered my blog (~6 months after the fact). So, what you think of it, Dick? Going to write a 4 page diatrabe about how me writing a blog is a sign of me being scared?

Mwahaha.

/var/log/httpd/blog.sosdg.org-access_log:24.174.169.194 - - [11/Oct/2005:09:45:44 -0500] "GET /bruns/ HTTP/1.1" 200 9569 "http://www.google.com/search?q=marc+wigle&hl=en&lr=&start=20&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
/var/log/httpd/blog.sosdg.org-access_log:24.174.169.194 - - [11/Oct/2005:09:45:44 -0500] "GET /bruns/templates/default/img/somerights20.gif HTTP/1.1" 200 1836 "http://blog.sosdg.org/bruns/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
/var/log/httpd/blog.sosdg.org-access_log:24.174.169.194 - - [11/Oct/2005:09:45:44 -0500] "GET /bruns/serendipity.css HTTP/1.1" 200 1739 "http://blog.sosdg.org/bruns/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
/var/log/httpd/blog.sosdg.org-access_log:24.174.169.194 - - [11/Oct/2005:09:45:45 -0500] "GET /bruns/templates/default/img/background.png HTTP/1.1" 200 674 "http://blog.sosdg.org/bruns/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
/var/log/httpd/blog.sosdg.org-access_log:24.174.169.194 - - [11/Oct/2005:09:45:45 -0500] "GET /bruns/plugin/pngbehavior.htc HTTP/1.1" 200 1013 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
/var/log/httpd/blog.sosdg.org-access_log:24.174.169.194 - - [11/Oct/2005:09:45:45 -0500] "GET /bruns/templates/default/img/emoticons/smile.png HTTP/1.1" 200 556 "http://blog.sosdg.org/bruns/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
/var/log/httpd/blog.sosdg.org-access_log:24.174.169.194 - - [11/Oct/2005:09:45:45 -0500] "GET /bruns/templates/default/img/back.png HTTP/1.1" 200 468 "http://blog.sosdg.org/bruns/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
/var/log/httpd/blog.sosdg.org-access_log:24.174.169.194 - - [11/Oct/2005:09:45:45 -0500] "GET /bruns/templates/default/img/s9y_banner_small.png HTTP/1.1" 200 4101 "http://blog.sosdg.org/bruns/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
/var/log/httpd/blog.sosdg.org-access_log:24.174.169.194 - - [11/Oct/2005:09:45:45 -0500] "GET /bruns/templates/default/img/forward.png HTTP/1.1" 200 477 "http://blog.sosdg.org/bruns/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

Congrats to Robert Braver on winning a $10 mil judgement against spammer Robert Soloway!

PDF Of Judgement

Why am I doing a followup post to DollarTrader vs. Matt from SORBS?

Well, because I feel like it.

So, its time to do my most favorite game - break down and blow apart a spammer's claim!

William claims to have lost 6.5 million dollars because of the SORBS listing of his IP address. Some of you are probably wondering what that wild laughing coming from my post is right now - well, thats me trying to compose myself after reading the above link.

But, back to the point...

1. Why is a company that supposedly is making 6.5 million USD in a day hosting their website on a shared web server without their own dedicated IP address? Shouldn't they have an IT department, dedicated servers either in their facility or a co-loc place?

2. He claims to have lost 40 someodd customers because of this - shouldn't a company that makes 6.5 million USD a day have other means of contacting their customers then just e-mail?

3. Why is a company that supposedly is making 6.5 million USD a day letting their 'CEO' make legal threats? Multi-million dollar companies usually have a whole team of highly paid lawyers to make legal threats.


And some good points from Matt himself:

Even funnier was it aparently was an order to 'sell' stocks that was
delayed/refused.... I figure 2 things...

1/ It has to be a mighty big trade to loose $6.5m on one delayed sell
2/ knowing the reliability of email to base a $6.5m time sensitive
transation on email... well it's Doomed.. DOOMED I say!

Of course it was also funny that baing a $31b cap company (so say he) he
was phoning me and not his legal team.

I really like the part where William tells Matt that its against FCC rules to run your own mail server.