Archive for October, 2004

Paypal Scam

Got a Paypal scam e-mail tonight. I have to admit, it was a nice effort. It included several warnings to check the URL in your browser’s address bar, and looked very authentic and believable, except for this bit (emphasis mine):

You will be guided through a series of steps which will require you to enter personal information, such as credit card number and/or bank details.

Of course, I’m always extremely skeptical and cautious about such things, and even without the very fishy line above, I was suspicious. By using Mail.app’s View Raw Headers option I was able to look at the HTML source. All of the images were linked from the real Paypal site, and all of the links (privacy policy, Paypal security center, update mail prefs) were valid Paypal links… except for the payload (“You MUST click the link below…”) URL, which used the %00 password-in-URL trick: a link of the form http://www.paypal.com%00@attacker-host/ is really a request to attacker-host with “www.paypal.com%00” as the user name, but the %00 made unpatched versions of IE stop drawing the address right there, so the address bar showed only www.paypal.com. It only fools IE users who aren’t patched up to date.
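As an added illustration (not code from the original post), here is how the %00 trick looks to a parser that follows the URL grammar correctly. The attacker host, paths and the lookalike domain in the sample list are constructed; only paypal.com as the trusted name comes from the post above. Everything before the @ in a URL’s authority is userinfo, and a client that rendered the authority literally and stopped at the NUL showed the victim a trusted name while connecting somewhere else:

```python
from urllib.parse import urlsplit, unquote

# Hosts the e-mail claims to be from. The real message linked its images and most
# of its links to paypal.com; only the "click here" link pointed elsewhere.
TRUSTED_HOSTS = ("paypal.com",)

# Constructed sample links (not the URLs from the actual message). The second one
# has the shape the post describes: the text before '@' is HTTP userinfo, not the
# host, and the %00 made unpatched IE truncate the address bar right there.
SAMPLE_LINKS = [
    "https://www.paypal.com/cgi-bin/webscr?cmd=_login-run",
    "http://www.paypal.com%00@203.0.113.7/cgi-bin/webscr",      # hypothetical attacker host
    "http://www.paypal.com:cgi-bin@phish.example.net/verify",  # same trick without %00
    "http://www.paypal.com.example.org/update",                 # lookalike subdomain
]


def real_host(url: str) -> str:
    """The host a correctly behaving client actually connects to."""
    return (urlsplit(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def classify(url: str) -> tuple[str, str]:
    """Return (verdict, real_host) for one link pulled out of a suspicious message."""
    parts = urlsplit(url)
    host = real_host(url)
    # Anything before '@' in the authority is userinfo; decode it so a %00 shows up.
    userinfo = unquote(parts.username or "")
    if is_trusted(host):
        return ("credentials-in-url" if userinfo else "ok"), host
    if userinfo and any(t in userinfo for t in TRUSTED_HOSTS):
        return "spoof", host        # displays a trusted name, connects elsewhere
    return "untrusted", host


def displayed_prefix(url: str) -> str:
    """What a client that stopped rendering at the first NUL would have shown."""
    authority = urlsplit(url).netloc
    return unquote(authority).split("\x00", 1)[0]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, host = classify(link)
        print(f"{verdict:18} host={host:28} shown-as={displayed_prefix(link)}")
```

The useful habit this encodes: never judge a link by the text that appears before an @, a colon or a %-escape; ask what the parser says the host is. The same check catches the plainer lookalike-subdomain case, which needs no browser bug at all.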

At any rate, I poked around the Paypal site for a few minutes, and found an address where you can forward such emails to help Paypal research them. The address is spoof@paypal.com. If you get any of this crap, take a moment to forward it along, especially if it slips past your spam filter (as it did mine). I was impressed when five minutes later, I received an email from Paypal (probably auto-generated, but still) that included a quoted copy of what I’d sent them, along with thanks and an assurance that it was a spoof. My only suggestion is that they make this information more prominent, such as a homepage “Need to know if a Paypal email is authentic?” link.

Moreentries Plugin Update

Steve Schwartz has created an updated version of my moreentries plugin that adds a series of links for each additional page of posts, like at the bottom of the page on Google. It supports both text and image links. I think this is just fantastic… this is a feature that’s been requested, and I just never got around to implementing it. Go check it out!

First Bot Ban

One nice side effect of the recent spam attack I suffered is that it got me poking around in my logs and stats. My hosting provider iPowerWeb offers stats via awstats, which isn’t the greatest but it works. While looking at my stats, I noticed My Most Frequent Visitor had over 3800 page requests this month, while the #2 visitor had less than 500. My Most Frequent Visitor had also sucked down over 90 Meg, while #2 had only around 15 Meg. I became quite interested in My Most Frequent Visitor.

MMFV was identified only by an IP address – 38.144.36.16. Wonder who that is? :

% host 38.144.36.16
16.36.144.38.in-addr.arpa domain name pointer news.allresearch.com

Plugging news.allresearch.com into the browser yielded a refused connection, so I tried www.allresearch.com. Bingo. From the home page:

AllResearch, Inc. was founded in 1998 to provide research, media analysis, and strategic intelligence services for a variety of different markets.

We offer a broad range of products and services to assist various entities with gathering relevant intelligence from the online world. Utilizing cutting-edge proprietary technology, we are able to view and understand the online world in ways never before possible.

Huh. It seems that slogging through my bandwidth at 7 times the rate of any other visitor is a proprietary and cutting-edge technology. Who knew? While the marketroid-speak above isn’t perfectly clear, the menu of services certainly brings things into focus, with such items as Webclipping, TrademarkTracker, Online Peer Group Analysis, and Law Enforcement. I’m being stalked by The Man! (and I’m not the only one.)

But why is The Man (aka My Most Frequent Visitor) visiting so much more frequently than everyone else? A grep or two through my access logs reveals all. It seems that once an hour, The Man pulls my RSS feed. Okay, no problem. But then, The Man pulls every one of the posts in my feed. On the one hand, this is stupid because my feed is full content. On the other hand, this is really stupid, wasteful, and hateful because The Man requests the full content of all 10 posts in the feed every hour! Even when the feed hasn’t changed, The Man is re-reading all 10 posts. The Man must have The Bot, even though The Man’s user agent string is "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)". While I bet The Man probably does use IE, I doubt he’s using it once an hour to pull all my posts by hand. Bad, Sneaky The Man!
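The grep-through-the-logs step above, written out as an added example (this is not the author’s script, and the log lines below are constructed, not the real access log). It reads Apache combined-format lines, which is what awstats consumes, and flags an address on the two signals described in the post: request volume far above the next busiest visitor, and the feed being fetched hour after hour without a single 304, which is what a client that sent If-Modified-Since would get when nothing has changed. The post paths, byte counts and the other two addresses are made up; 38.144.36.16 and the IE user-agent string are the ones quoted above.

```python
import re
from collections import defaultdict

# Apache "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

IE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"  # the string quoted in the post

# Constructed sample log: two hourly rounds from the address named in the post
# (feed plus every post in it, never a conditional GET), one well-behaved
# aggregator that sends If-Modified-Since and gets a 304, and one human visitor.
SAMPLE_LOG = "\n".join(
    [f'38.144.36.16 - - [12/Oct/2004:{h:02d}:00:0{i} -0400] "GET {p} HTTP/1.1" 200 {b} "-" "{IE_UA}"'
     for h in (1, 2)
     for i, (p, b) in enumerate([("/index.rss", 18432), ("/2004/10/paypal-scam", 9120),
                                 ("/2004/10/beat", 8011), ("/2004/10/spamwars", 7654)])]
    + [
        '192.0.2.10 - - [12/Oct/2004:01:17:44 -0400] "GET /index.rss HTTP/1.1" 200 18432 "-" "Bloglines/2.0 (http://www.bloglines.com)"',
        '192.0.2.10 - - [12/Oct/2004:02:17:44 -0400] "GET /index.rss HTTP/1.1" 304 - "-" "Bloglines/2.0 (http://www.bloglines.com)"',
        '198.51.100.5 - - [12/Oct/2004:01:40:10 -0400] "GET /2004/10/beat HTTP/1.1" 200 8011 "http://www.google.com/search?q=blosxom" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) Safari/125.9"',
    ]
)


def parse(log_text):
    """Yield one dict per well-formed combined-log line; skip anything else."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(log_text, feed_path="/index.rss"):
    """Per-IP totals: the numbers awstats shows, plus what it does not show, namely
    how many distinct hours the feed was fetched in and whether any fetch got a 304."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "feed_hours": set(),
                                 "feed_304": 0, "agents": set()})
    for r in parse(log_text):
        s = stats[r["ip"]]
        s["requests"] += 1
        s["bytes"] += 0 if r["bytes"] == "-" else int(r["bytes"])
        s["agents"].add(r["ua"])
        if r["path"] == feed_path:
            s["feed_hours"].add(r["ts"][:14])   # "12/Oct/2004:01" -> one bucket per hour
            if r["status"] == "304":
                s["feed_304"] += 1
    return stats


def suspicious(stats, ratio=3):
    """IPs that out-request every other visitor by `ratio`x, or that poll the feed
    hour after hour without ever getting a 304 (so they never send If-Modified-Since)."""
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        busiest_other = max((t["requests"] for j, t in stats.items() if j != ip), default=0)
        if s["requests"] >= ratio * max(busiest_other, 1):
            reasons.append(f"{s['requests']} requests, {ratio}x the next busiest visitor")
        if len(s["feed_hours"]) >= 2 and s["feed_304"] == 0:
            reasons.append(f"feed fetched in {len(s['feed_hours'])} separate hours, never a 304")
        if reasons and any("MSIE" in ua for ua in s["agents"]):
            reasons.append("yet claims to be Internet Explorer")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in suspicious(summarize(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

Run against a real log, feed the output of summarize() into suspicious() with the ratio tuned to the site; the 304 test is the more reliable of the two signals, because a legitimate aggregator polling hourly will show a run of 304s while a crawler that fakes a browser user-agent and re-reads everything will not.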

Far be it from me to criticize The Man, so here ends my tale. On a completely unrelated note, check out the newest addition to my .htaccess file:

RewriteEngine On
# Dots in a RewriteCond pattern are regex wildcards; escape them so only this exact address matches.
RewriteCond %{REMOTE_ADDR} ^38\.144\.36\.16$
RewriteRule .* - [F,L]

Interestingly, I seem to be seeing a “403 Forbidden” in my logs now, once an hour, every hour, like clockwork.

Beat

I am beat. Even though I’ve been promising myself I’d write a real post one night this week, tonight just isn’t going to be the night. I’m only posting this because I challenged dugh to a month of solid blogging after he created the week-long October Blogging Challenge. Which makes this a lame cheat. The first rule of the Blogging Challenge is don’t blog about the Blogging Challenge, and all that rot.

I could sit here and write the rant I’d planned about the sad state of windows “freeware” (yes, those are air-quotes, please make exaggerated hand motions when you read them), but that will have to wait until tomorrow. Beat, I tell you.

And yes, the comments are still down (see prior post, I’m too lazy to link it tonight). I’ll try to install the blacklist plugin this weekend. If you’re really feeling sorry for me and my abused comment system, email me (link on the right somewhere).

For now, I’m going to fire up the TiVo and watch Smallville, even if they did write out the best character they’ve ever had last week.

SpamWars: The Spampire Strikes Back

So here I was, idly checking my Bloglines feeds and lamenting the fact that I had nothing to blog about tonight. Silly rabbit, be careful what you wish for. Poing! New Mail. No, wait… 6 new e-mails in the 5 minutes since the last automatic check. That never happens. Must be comment spam on the ol’ blog.

Indeed. Not only that, but all of the spam comments showed up in my inbox as new comments, not spam attempts. This means my anti-spam measures have failed. Several months ago, I suffered a severe spam onslaught, which led to my disabling comments for three weeks. When my comment system returned, I had implemented several changes to help stop the spam. I even kept the details to myself to slow the spammers from catching on. Looks like they’ve caught on.

My countermeasures included rejecting all items without a referrer, and changing the default value in a hidden comment form field used by the Blosxom writeback plugin. Nice try. Tonight’s spammer is much more sophisticated. Each post came from a separate IP address. Referrer is present and correct, and the User Agent string looks innocuous, although I’d bet it’s a bot. The posts came in groups of three, and for each group of three I can see a single IP address GETting the original post plus other pages (archive links, etc); however the two “sniffer” IPs are different.
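An added example (not the writeback plugin’s code, and not the author’s own countermeasures) that reproduces the two checks just described and shows why the second one stopped working once the spammer started fetching the form first. Instead of a fixed hidden-field value, the form carries an HMAC over the post, the address that fetched the form and the time; a value sniffed from one address and posted from another, which is exactly the pattern in the logs above, then fails to verify. The site host, secret, field name, addresses and timestamps are all assumptions:

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SITE_HOST = "blog.example.org"                       # hypothetical blog host
SECRET = b"long-random-value-kept-on-the-server"     # assumption: never sent to the client
FIELD = "wb_token"                                   # hidden field name; the plugin's real name is not on the page


def issue_token(post_id: str, client_ip: str, now: int) -> str:
    """Value for the hidden form field, generated when the comment form is served.
    It is an HMAC over the post, the address that fetched the form and the time,
    so a value copied from one fetch is useless from another address or later."""
    msg = f"{post_id}|{client_ip}|{now}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{now}:{mac}"


def check_submission(form: dict, headers: dict, client_ip: str, post_id: str,
                     now: int, max_age: int = 3600) -> tuple[bool, str]:
    """Return (accepted, reason) for one POST to the writeback script."""
    # Check 1 from the post: a referrer must be present...
    referer = headers.get("Referer", "")
    if not referer:
        return False, "no referrer"
    # ...and should point back at this site (a bot can fake this, so it is only a filter).
    if (urlsplit(referer).hostname or "").lower() != SITE_HOST:
        return False, "off-site referrer"
    # Check 2 from the post: the hidden field must carry the expected value.
    # A fixed value only works until the spammer fetches a form and reads it.
    token = form.get(FIELD, "")
    issued_s, _, mac = token.partition(":")
    if not issued_s.isdigit() or not mac:
        return False, "hidden field missing or malformed"
    issued = int(issued_s)
    if not 0 <= now - issued <= max_age:
        return False, "token expired"
    # The addition: recompute the HMAC for *this* client. The sniffer-then-post
    # pattern fetches from one address and posts from another, so a copied
    # token fails here even though referrer and field are both "correct".
    expected = issue_token(post_id, client_ip, issued).partition(":")[2]
    if not hmac.compare_digest(mac, expected):
        return False, "token was not issued to this address for this post"
    return True, "ok"


def demo() -> dict:
    """Constructed scenarios: a real reader, the earlier bot, and tonight's bot."""
    t0 = 1_097_200_000                               # fixed clock so results are reproducible
    headers = {"Referer": f"http://{SITE_HOST}/2004/10/spamwars"}
    results = {}
    # A reader fetches the form and posts from the same address a minute later.
    tok = issue_token("spamwars", "198.51.100.5", t0)
    results["reader"] = check_submission({FIELD: tok}, headers, "198.51.100.5", "spamwars", t0 + 60)
    # The earlier spammer: no referrer at all.
    results["old_bot"] = check_submission({FIELD: tok}, {}, "203.0.113.9", "spamwars", t0 + 60)
    # Tonight's spammer: a "sniffer" fetched the form from one address, the post comes from another.
    sniffed = issue_token("spamwars", "203.0.113.1", t0)
    results["sniffer_then_post"] = check_submission({FIELD: sniffed}, headers, "203.0.113.2", "spamwars", t0 + 60)
    # A token from the right address but two hours old is rejected too.
    results["stale"] = check_submission({FIELD: tok}, headers, "198.51.100.5", "spamwars", t0 + 7200)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:18} {'accept' if ok else 'reject'}: {why}")
```

Two caveats a practitioner would want: readers behind a proxy pool can change address between GET and POST and will be turned away, so the rejection message should invite a retry; and a bot that sniffs and posts from the same address still gets through, which is why this raises the spammer’s cost to one page fetch per comment rather than stopping them, and why a blacklist is the natural complement.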

These little weasels deserve all nine circles of Dante’s Inferno and a couple of new ones I just thought up. For now, I’ve shut off comments. Looks like I’ll be setting up the blosxom port of the MT blacklist very soon. Sorry for the inconvenience, feel free to email me in the interim. Unless you are a spammer… you may feel free to (Extremely violent and anatomically questionable recommendation censored).