Tag Archives: spam

.gif spam

The .gif attachment spam has reached an absurd level – spam messages embedded in gif images in otherwise blank email messages. Often animated gifs. I’m getting *hundreds* of them a day.

So …

In /etc/postfix/mime_header_checks.regexp I’ve added:

/(file)?name="?.*\.(gif|GIF)"?/ REJECT Sorry, I can no longer accept gif file attachments, due to the unscrupulous folks embedding spam in images.

And then in /etc/postfix/main.cf I have:

mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
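As an added illustration, not code from the original post, here is a small Python script that mimics how Postfix applies one mime_header_checks regexp entry to MIME header lines. It parses the "/pattern/ ACTION text" line format, then runs the pattern against a few constructed Content-Disposition and Content-Type headers (sample data, not real mail). Python's re module with IGNORECASE stands in for Postfix's regexp tables, which match case-insensitively by default, so this is an approximation rather than Postfix itself. It also shows why the dot before (gif|GIF) should be escaped: left as a bare ".", it matches any character, so a harmless attachment called gifts.doc gets rejected too.

```python
import re

# Constructed MIME header lines of the kind mime_header_checks inspects
# (hypothetical samples, not taken from the page's mail logs).
SAMPLE_HEADERS = [
    'Content-Disposition: attachment; filename="funny.gif"',
    'Content-Type: image/gif; name=ad.GIF',
    'Content-Disposition: attachment; filename="report.pdf"',
    'Content-Disposition: attachment; filename="gifts.doc"',
    'Content-Type: text/plain',
]

# The page's entry, with the dot before the extension escaped so that
# only a real ".gif" / ".GIF" extension matches.
CHECK_LINE = (r'/(file)?name="?.*\.(gif|GIF)"?/ REJECT Sorry, I can no longer '
              r'accept gif file attachments, due to the unscrupulous folks '
              r'embedding spam in images.')

# The same pattern with the dot left unescaped, kept only to show the
# false positive it produces.
LOOSE_LINE = r'/(file)?name="?.*.(gif|GIF)"?/ REJECT gif attachment'


def parse_check_line(line):
    """Split a '/pattern/ ACTION optional text' line into its three parts.

    Postfix regexp: tables are case-insensitive unless told otherwise;
    re.IGNORECASE approximates that here.
    """
    m = re.match(r'^/(.*)/\s+(\S+)(?:\s+(.*))?$', line)
    if not m:
        raise ValueError("not a '/pattern/ ACTION text' line: %r" % line)
    pattern, action, text = m.groups()
    return re.compile(pattern, re.IGNORECASE), action, text or ""


def check_header(header, check_line=CHECK_LINE):
    """Return the entry's action (here 'REJECT') when the header matches,
    or 'OK' when it does not (Postfix would simply try the next entry)."""
    pattern, action, _text = parse_check_line(check_line)
    return action if pattern.search(header) else "OK"


def classify(headers, check_line=CHECK_LINE):
    """Apply one check line to many headers; returns {header: verdict}."""
    return {h: check_header(h, check_line) for h in headers}


if __name__ == "__main__":
    for header, verdict in classify(SAMPLE_HEADERS).items():
        print(f"{verdict:7} {header}")
    # With the unescaped dot, "gifts.doc" is rejected as well: the bare "."
    # eats the quote and the literal "gif" in the name matches.
    print("loose pattern on gifts.doc:",
          check_header(SAMPLE_HEADERS[3], LOOSE_LINE))
```

On a real server the equivalent check is `postmap -q "<header line>" regexp:/etc/postfix/mime_header_checks.regexp`, which prints the action Postfix would take; the script above is only a way to reason about the pattern offline.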

I appear to be dropping one of these every 3-5 seconds.

I really hate spammers.

incommunicado no comment to make

Starting Tuesday evening, I will be incommunicado for a week, or as long as I can stand to be offline. I’ll be going way out into the woods, with no electricity, no internet, and probably out of cell phone range for much of the time, although I imagine I’ll find somewhere with cell coverage at least once a day.

I expect that when I come back, I’ll have roughly 15,000 email messages, of which perhaps as many as 20 will be something I actually want to read. Ok, I’ll be generous. 25.

I’ve been getting more and more spam lately, and nothing that I do to filter it seems to make any difference at all. I’m currently running SpamAssassin, a plethora of Postfix rules, and client-side Thunderbird filtering. Yet still, more than 90% of everything that winds up in my inbox is spam. I’m finally coming around to believing that email is worthless as a means of communication, but I don’t know what can replace it. I keep hoping that spammers will collectively realize that they are killing their golden goose, but clearly they aren’t that bright.

Also, I’ve noticed that the spammers who have succeeded in obfuscating their email so that it can get past my filters have finally reached the point where their messages are completely illegible. I have absolutely no idea what most of them are selling, or how to go about buying it if I did understand. And, I’m told, this makes up more than half of all the traffic on teh intarweb. While it’s reasonably clear to me that this is criminal, I can’t imagine any way that this could ever be prosecuted. 🙁

Slashdot comments

I don’t know why I read the comments on Slashdot. It just depresses me. How can people *be* so stupid?

Yes, most of the time I read slashdot at +5, so that I only get the top-level idiocy. But when the article is about me, I want to see what people had to say. I really should save myself the trouble.

Something like 75% of the comments were complaints about the fact that it was in PDF, or misinformed remarks about the font that I used. It’s not Comic Sans, by the way, but I fail to see why it makes so much difference even if it was. Folks need to get over themselves a little bit. Your font preferences are preferences. They are not scripture.

Of the few comments that actually had to do with the presentation itself, probably 2/3 of them completely missed the point. This was a lightning talk. That means that I had 5 minutes to convey a point. The fact that I left out technical details, glossed over some points, made tongue-in-cheek remarks, and told a few half-truths is a side-effect of the presentation medium. The more detailed version of the presentation will come over the next few weeks.

And for the morons who felt the need to make the “then go fix it” remark, if you had paid attention you would have noticed that I have fixed several of the things, and other folks are working on some of the others. And of course if you had been there, you would have heard that as part of the presentation itself.

You are not obliged to make comments on things that you don’t understand. It’s best to keep your ignorance to yourself.

Four strikes and you’re out

I have a “four strikes and you’re out” policy on spammers. That is, I have a process which watches my mail logs, and if a host sends four messages to invalid recipients at my domains, they get added to my firewall deny list. What amazes me is that this cuts my inbound mail from about 30 messages per minute to about 5 or 6 messages per minute. So not only is the overwhelming majority of all my inbound email traffic spammy, but 80 or 90+ percent of it is to completely invalid addresses.
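The post does not show the log-watching process itself, so here is an added Python sketch of how such a “four strikes” check can work; it is my example, not the author’s script. It reads Postfix smtpd log lines (the ones below are constructed samples with documentation-range addresses, not real traffic), counts per sending host the “Recipient address rejected: User unknown” rejections, and lists the hosts that have reached the threshold. The firewall command it emits is an assumed iptables form, printed rather than executed, since the page does not say which firewall is in use.

```python
import re
from collections import Counter

# Constructed Postfix smtpd log lines (hypothetical hosts, addresses and
# times; not taken from the page). 203.0.113.7 probes four bogus
# recipients, 198.51.100.22 only two, 192.0.2.9 is rejected for other reasons.
SAMPLE_LOG = """\
Mar  3 10:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <qzx@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<qzx@example.org> proto=ESMTP helo=<x>
Mar  3 10:01:05 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from smtp.example.net[198.51.100.22]: 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown in local recipient table; from=<c@example.net> to=<bob@example.org> proto=ESMTP helo=<smtp.example.net>
Mar  3 10:01:09 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <kjh@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<kjh@example.org> proto=ESMTP helo=<x>
Mar  3 10:01:11 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from mail.example.com[192.0.2.9]: 554 5.7.1 Service unavailable; Client host [192.0.2.9] blocked using dnsbl.example; from=<d@example.com> to=<me@example.org> proto=ESMTP helo=<mail.example.com>
Mar  3 10:01:14 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <pp@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<pp@example.org> proto=ESMTP helo=<x>
Mar  3 10:01:20 mx postfix/smtpd[1235]: A1B2C3D4E5: client=smtp.example.net[198.51.100.22]
Mar  3 10:01:22 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <asdf@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<asdf@example.org> proto=ESMTP helo=<x>
Mar  3 10:01:30 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from smtp.example.net[198.51.100.22]: 550 5.1.1 <carol@example.org>: Recipient address rejected: User unknown in local recipient table; from=<c@example.net> to=<carol@example.org> proto=ESMTP helo=<smtp.example.net>
Mar  3 10:01:35 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from mail.example.com[192.0.2.9]: 450 4.1.8 <d@nonexistent.invalid>: Sender address rejected: Domain not found; from=<d@nonexistent.invalid> to=<me@example.org> proto=ESMTP helo=<mail.example.com>
"""

# Only "unknown recipient" rejections count as a strike; DNSBL hits, bad
# sender domains and accepted mail are ignored.
STRIKE_RE = re.compile(
    r'NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: 55\d \S+ '
    r'<[^>]*>: Recipient address rejected: User unknown')

STRIKES = 4  # the page's threshold


def count_strikes(log_text):
    """Return a Counter of unknown-recipient rejections per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = STRIKE_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def hosts_to_deny(log_text, threshold=STRIKES):
    """IPs that have reached the strike threshold, sorted for stable output."""
    return sorted(ip for ip, n in count_strikes(log_text).items()
                  if n >= threshold)


def deny_commands(ips):
    """Assumed iptables form of the firewall deny; emitted for review,
    not executed, so an operator sees what would be blocked."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP"
            for ip in ips]


if __name__ == "__main__":
    for ip, n in count_strikes(SAMPLE_LOG).most_common():
        print(f"{ip:16} {n} strike(s)")
    for cmd in deny_commands(hosts_to_deny(SAMPLE_LOG)):
        print(cmd)
```

Two things a practitioner would add before running this against live logs: an allow-list for your own relays and secondary MXes, which forward bounces for addresses you rejected and would otherwise earn strikes, and an expiry for deny entries, since dynamically assigned addresses are handed to someone else after a while.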

Long ago, there seemed to be a lot of people selling lists of valid email addresses that you could send your junk to. Now, it seems sufficient to just make up addresses, in the hopes that a few in a thousand might actually work.

Can you imagine how much faster your network connection would be if there weren’t *millions* of pieces of worthless email travelling to completely bogus email addresses per second? And, of course, the return traffic of that message being rejected.

I know, I rant about spam all the time. It just makes me very angry that people are getting away with this, and that many of them seem to think that it’s a perfectly legitimate business practice.

Yesterday, at a customer site, I removed 572 items of spyware, adware, viruses, and other malicious code from a desktop machine. While it’s likely that some of these things were installed intentionally, most of them installed themselves as a side-effect of various pop-up windows, email messages, advertisements, and network-propagated garbage. This, too, is just not right, and should be labelled criminal. But, since there’s absolutely no way to enforce this, let alone regulate it, really the only thing that can be done is to make the operating system a little less open-arms-welcoming about what kind of garbage it is willing to install without so much as a “if you please.”

Meanwhile, as I’ve been writing this, my mail server has rejected more than 50 messages that were identified as spam, as well as blocking more than 400 messages that were destined to completely invalid addresses.

Secondary MX

A week or so ago I observed that the sole purpose of my secondary MXes seemed to be to send me spam a second time after I had rejected it the first time. So I removed all secondary MXes from my DNS zone. This resulted immediately in a lower load on my mail server, and no obvious ill effects.

Of course, the purpose of a secondary MX is to take over if and when my mail server goes down. But since most mail servers will keep trying for several days anyway, it seems pretty unlikely that this is going to ever be a concern. So I’ll leave them off for now, and put them back on when I get ready to move, in case there’s an extended outage.

Meanwhile, my hard drive is spinning a lot less, and is thus much quieter.

The spam continues

Since Sunday morning, mod_security has blocked 816 attempts to post spam content in the comments on this web site. Two of those have happened while I was typing this note. Additionally, I’ve received about 20 or 30 apparent “test” messages, where people posted harmless, but off-topic, nonsense, apparently in attempts to see if comments were enabled, or working, or if their address was blocked.

Almost all of these attempts were on the same small handful of topics (a card game and a diet pill) although there were also plenty for other topics like financial advice of one variety or another.

Are other people getting assaulted to this same degree? It continues to amaze me the enormous amount of time and money we spend combatting this kind of unethical behavior, which is all done in the name of the Great God Capitalism.

Come on, folks. Cut it out. It’s just annoying, and it is theft of services to advertise your product on my website, so it’s probably illegal. If you want to advertise on my website, just send me a cheque, ok?

Comment spammers are dumb

Over the last 48 hours or so, I’ve gotten upwards of 400 identical comments on my blog. Fortunately, comment spammers are really really stupid, so they were all identical.

I’ve got mod_security installed. I put the following block into my vhost block:

<LocationMatch comment>
SecFilterEngine On
SecFilterScanPOST On
SecAuditLog /dev/null
SecFilterDefaultAction "deny,log,status:402"
SecFilter "your[[:space:]]fat[[:space:]]ass"
SecFilter "poker"
SecFilter "phentermine"
SecFilter "craps strategy"
SecFilter "seend a card"
</LocationMatch>

This has blocked all attempts in the last 10 hours or so. And, when they change their tactics, you can alter the rules appropriately.

Hey, watch this!

I had a teflon tape moment (to borrow a metaphor from MJD) recently in discovering the watch command.

You know how you run the same command repeatedly, trying to see if it changed? Like ls -la file.name to see when it’s done downloading, or ps ax | grep foo to see if a particular process has terminated, or whatever. Well, turns out that the watch command does exactly that:

watch -n 10 ls -la file.name

Now, you were already aware of that, and have been using it for years, or it’s a completely new thing to you, and you’ll wonder why you never knew about it. Like teflon tape.

I now use this command several times a day, and can’t imagine how I put up with all that extra typing before. Right now, I’m using it to watch my firewall ruleset change as the spam pours in. The spammers seem extra busy this week.