Stopping comment spam, 2014 edition

I’ve been blogging for nearly 15 years, so I’ve seen my share of frustrations over the years. The toughest source of frustration for me to shake has been spam. I have actually had spambot traffic knock my site offline in the past–here’s what I did about that–so suffice it to say that if a computer can’t keep up with it, there’s no way a human can keep up with filtering the amount of spam even a moderately popular blog receives. I’ve used two plugins to augment WordPress’ built-in antispam capabilities.

Stopping spambots cold with Botblocker

I’ve been absolutely getting pounded lately with spam comments from spambots–to the tune of one spam comment per minute. That’s filling up and slowing down my database and consuming CPU resources that I want for human readers.

So I resorted to installing Botblocker. All I can report right now is that it seems to be working–no spam comments for several hours.

I can’t guarantee it will work forever, and I’ve got Akismet to hide whatever spam gets through, but so far my server seems less busy and more happy, which is good. Things had gotten so bad for a while that I was getting timeouts when trying to post, which is ridiculous.

Have you noticed your inbox is lighter lately?

The FBI nailed Alan Ralsky.

Ralsky’s reaction? “I’m not a spammer. I’m a commercial e-mailer.”

In other news, Marion Barry doesn’t go to strip bars. He goes to erotic clubs.

Ralsky, if you’re not familiar with him, is one of the more prolific spammers in the world. And while some people sympathize with him since sending spam seems to be the only way he can make a living, the fact is that spam hurts everyone. It wastes your time–the lost productivity dealing with spam has been valued at anywhere from $9 to $22 billion–and it hurts your ISP too.

I know someone who administers mail servers for one of the largest cable companies in the United States. The upgrades to its mail servers cost six figures when they have to do it. This past week he described the situation with spam and worms as “SETI@Home in a DDoS attack against”

If you want to know why broadband Internet access doesn’t cost $5 a month, you can blame people like Ralsky.

Defenders say Ralsky didn’t break any laws. But according to various anti-spam laws, disguising the origins of your mail is illegal, and Ralsky has been guilty of this. To me, this rings of jailing Al Capone for tax evasion. Another question to ask is whether Ralsky has hawked pornography to underage children and whether he has ever hawked prescription drugs. If he had set up a table on a streetcorner and done either of those things, he would have landed himself in jail. If it’s illegal on the streetcorner, it ought to be illegal online. Especially because if he were doing it on the streetcorner, he’s only using a small parcel of public land. When he does it online, he’s utilizing thousands of computers that don’t belong to him.

I was glad when thousands of people signed Ralsky up for every junk-mail list they could find. It told a lot about his character when he remained defiant afterward. Filling his mailbox with junk was wrong, yet he saw nothing wrong with filling our e-mail boxes and he continued to do so.

Someone else will rise to take his place, but it will take time to learn his tactics, and in the meantime, anti-spam tools will get better.

The reason spam works is because somebody buys stuff from it. It might be one out of a thousand, or one out of a million, depending on who you believe. But it doesn’t take much more effort to blast out 3 million messages than it takes to blast out 3 thousand. It’s an attractive business because someone who’s unable or unwilling to do other work can get started with little or no expense, using equipment he or she probably already owns. It’s safer than, say, trying to sell stuff on Ebay. If I list a big pile of stuff on Ebay and it doesn’t sell, I owe listing fees–probably around 30 cents–on each item that doesn’t sell. Plus I’m stuck with that item and out whatever I paid to get it. But if I blast out a bunch of spam and nobody bites, I haven’t really lost anything, except maybe my ISP suspending or discontinuing my service.

The courts need to make an example of Alan Ralsky. Meanwhile, the FBI needs to go find a few of the other big fish in this pond and do the same.

Beware Nigerians seeking computer equipment

It wasn’t really a 419 scam, but I think I came a little too close to falling for another Nigerian scam this week.

Some time back, I listed some computer equipment on Craigslist. Not really high-dollar stuff, but stuff I’m not using, and while I’m not in desperate need of the money, it would come in very handy. And Craigslist is a lot less hassle than a garage sale.

I listed it about a month ago, and interest was ice cold. Then yesterday I got a message from someone named Anna Gray asking if I would agree to sell it to her. Interesting way of putting it, but at the time I didn’t really take much note. I was just excited at the possibility of turning a computer that was just taking up space into 50 bucks.

The would-be buyer wanted to use a money transfer. “Aren’t you in St. Louis?” I asked immediately. My whole reason for using Craigslist was to avoid shipping and money hassles. Women are rightly nervous to meet strange men for transactions (and when they aren’t, they probably should be), but I’ve handled several transactions like this lately. Standard procedure is to meet in a public place that’s as convenient as possible for both of you. I generally take my wife so there’ll be a female present. If you’re a woman and can’t take another person with you, make sure you have a cell phone with you, and to make sure the other person knows you have it, make sure the person sees you casually talking on it as you arrive (even if you’re faking it). The ability to quickly dial 911 heads off a lot of trouble.

“No, I’m not in St. Louis,” she responded.

Well, so much for that.

She said she would pay me using Moneygram. She would send them the money, and then when I shipped the item, I would provide Moneygram with the tracking number, and I would get the money.

I would later find out that’s not how Moneygram works, but I’m getting ahead of myself.

Knowing it could easily cost more to ship the computer than my $50 asking price, I asked my would-be buyer if she was willing to pay the shipping. She said she would send me a FedEx ticket. Then she said she would send me the money via Moneygram. She asked me every 30 seconds if I’d received the confirmation e-mail yet. “No,” I said. “But I’m in no particular hurry.” It wasn’t like I could ship the laptop immediately anyway.

She informed me that Moneygram was having technical difficulties and begged me to be patient. I found it odd that she was able to ask and receive an answer so quickly. Usually when a company is having technical difficulties, their customer service is slow too. I didn’t think anything of it yet.

Then I got busy and didn’t write back right away. She got just plain rude. “Are u there? BUZZ!!! BUZZ!!!”

Obviously she wasn’t willing to extend me the same patience she expected of me.

Once I got less busy, I got back to her. I’d received an e-mail message claiming to be from Moneygram, and I’d received a shipping label from Fedex, and told her.

“Take the package to Fedex tonight and give the tracking number to Moneygram and you’ll get your money,” she said.

I told her I was busy that night. Which I was. I’d had plans for a week and I wasn’t going to cancel them over a $50 computer–especially now that I was going to have to go to the trouble of finding a box and packing materials for the thing.

“I guess it’ll be OK if you ship it first thing in the morning,” she said.

Umm, well, I didn’t know what time I would be in, and I had to be at work first thing in the morning. Besides, if I had to drive it to the Fedex station, I was looking at a 45-minute drive.

“Take it to the closest Fedex. But if there isn’t one, you’ll have to take it to the station. First thing in the morning.”

How considerate. But that wasn’t the first thing that came into my mind. Actually the first thought that came to mind is a not-so-pleasant one-syllable word.

I told her I’d do my best, thanked her for her help and her interest, and reminded myself that I was being paid to free up some clutter from the house. Emily would like that. And if I spent $10 of it on her, she’d like it even more. So I put it out of my mind and told myself I’d print off all the paperwork that night, when I went in search of a box.

And aside from telling Emily I’d sold the computer, I did put it out of my mind until late that night.

Emily had a box and packing material ready for me. It wasn’t perfect, but we could have done a lot worse. So I packed it all up, then I went to the computer and printed off the paperwork. The Moneygram e-mail said I would have to provide them with a tracking number, full name and address, and either a driver’s license or social security number before they would free the money.

I didn’t like that. I didn’t like it at all. Nobody needs that information.

Making matters worse, the e-mail included a tracking number on the cash. I followed the link in the e-mail, punched in the tracking number, and it said it had no information on the tracking number.

The e-mail from her containing the Fedex shipping label also contained a customs form. She asked me to print and sign three copies. Customs? That seemed odd.

I printed the label. It had a declared value of $1. While the computer isn’t worth much, it’s worth more than $1. A DEC VT100 terminal is worth more than $1 to someone who needs it. I started to realize I wasn’t dealing with a very honest person here.

Then I printed the Fedex shipping label. The address looked odd to me. It registered when I pulled the label off the printer.


It all made sense now. The unorthodox English. The belligerence. Demanding information they shouldn’t need. Classic symptoms of 419 scams.

Another rude one-syllable word came to mind. This time I said it out loud a few times. Someone in Nigeria had my name and address!

Mind you, not everyone in Nigeria is a crook, but suddenly I had a whole host of reasons to be suspicious.

So, when I was supposed to be getting up at the crack of dawn to send a computer halfway around the world, instead I was doing research.

On Moneygram’s own site, I found this:

MoneyGram is not an internet escrow service or a shipment service. We do not email a confirmation notice to inform a person that a MoneyGram transfer has been sent to them for payment of an internet purchase. Do not believe that such an email is genuine even if it contains the MoneyGram name and logo. The MoneyGram service should not be used as an escrow service.

And then I found indication that some Nigerian scammers have an affinity for buying computer equipment, particularly Apple Powerbooks, off Craigslist, using Moneygram.

Of course, seeing as part of the process asked for my social security number, losing the laptop was the least of my concerns. Once she had my name, address, and social security number, chances are she’d be able to get lots of other things at my expense as well.

Needless to say, the computer is still in my living room and I’ve kept the digits to myself.

My Nigerian buddy sent me a number of messages in the morning asking me if I had shipped the laptop, and since I had expressed some doubt in my last message, took pains to assure me that all was well. I replied to the message that said all was well, quoting that paragraph I found on the Moneygram site and asking her to explain.

I never heard another word from her. Seeing as there was a point in time when she couldn’t go three minutes without hearing from me, maybe I should find that odd.

Unless it was a scam, of course. In which case, there’s nothing at all strange about this new silence.

Spam that infects your computer

This really isn’t anything new–I’ve long suspected spam was using ActiveX controls to infect computers with spyware and other unpleasantries, but now a spam message that infects your computer when you opt out is gaining publicity.

The usual advice applies. Turn off the preview pane in Outlook/Outlook Express, if you must use a Microsoft program at all to read mail.

Install a spam filter. I used POPFile. Outclass allows POPFile to work with Outlook, even in Exchange Corporate Workgroup environments.

Consider getting a Yahoo mail account, or, if you ever happen to get an invitation, a Gmail account. They filter your spam for you and do a pretty good job, in my experience.

If spam gets through, don’t even open it. Tell me, why would any legitimate e-mail have a subject line like “Drugs online no prior prescription needed?” Or “Gen.eric Vioxx, Gen.eric Am.bien, Gen.eric Paxil, and more?”

And of course, get an antivirus program and keep the virus definitions up to date. Newer antivirus programs are even starting to detect and eliminate spyware, finally.

One person told me he reads and responds to all spam, because if he didn’t, he wouldn’t get any e-mail. If you or someone you know reads spam out of loneliness, that’s curable too. Install a spam filter and then fill the void by going to Yahoo Groups and look for an active group on something that interests you. I think every single time I’ve gotten interested in something or someone’s asked me a question, I’ve found a Yahoo group that pertains to it. The person is almost guaranteed to learn something, and chances of making some new friends are pretty high.

Bounty-hunting spammers

I missed posting a reference to the FTC bounty on spammers this week.

The FTC says a bounty is about the only thing that will work. In other news, the Pope is still Catholic.

You can make spam illegal all you want, but the problem is tracking the people down. They’ve had years to practice concealing their origins. If you and I can’t track them down, then chances are law enforcement can’t track them down all that easily either.

Without inside information, you won’t track them down, at least not without going 1984 on everybody. And if there’s one thing that makes people scream louder than spam, it’s encroaching on their rights, whether those rights are perceived or real.

But the people with inside information don’t have much incentive to turn spammers in.

The question is where the funding comes from. Hopefully the fines levied against the lawbreakers will be enough to pay the whistleblowers. To me, it’s a very legitimate use of the money.

Of course, the direct marketing people are screaming and hollering that too much power is going to anti-spam groups. They would have less problem if they had taken a strong stand against spam in the first place.

I don’t think they’ll get much sympathy. At least I hope not. A few local business owners made headlines when they ignored Missouri’s Don’t-Call list and then were sued out of business. I didn’t have any sympathy for them. They knew the law was coming and what they had to do in order to comply. Besides, if I need my windshield fixed, do you think I’m going to wait for a telemarketer to call me in the middle of dinner?

Additionally, many of these spammers are breaking other laws as well. Since when is it legal to sell me Valium without a prescription? And if is a licensed pharmacist, why is he resorting to spamming people at random to get customers? If you know of a pharmacy that’s hurting for business, I’d sure like to know about it because I’ll go there and so will everyone else I know who’s tired of waiting 30 minutes to get a prescription.

More than likely, the person hiding behind that Yahoo address is either misrepresenting what he’s selling (fraud) or selling prescription drugs without a license (drug trafficking), and he may very well be guilty of breaking numerous other laws and needs to be put away anyway.

Tell me again why direct marketers haven’t done everything they possibly can to distance themselves from these people?

Giving the insider who turns the spammer in enough money to take a year (or five, depending on lifestyle) off work seems the best way to eliminate some of these lowlifes who continue to clog our inboxes and our Internet connections.

Fighting spam two ways

I read a statement in a very right-leaning publication not long ago that made me really mad. It made the statement that government regulation is never the solution to a problem, and the problem of spam should be dealt with through software, not legislation.

This is a statement from a very clueless knee-jerk conservative. Don’t get me wrong; I’m conservative too, but I have a brain and I’m going to use it, even when I’m not toeing the party line. Software does absolutely nothing to solve the problem of spam taking up 50% of the SMTP traffic coming in through my employer’s T1 line. That problem probably isn’t big enough to cost anyone a job yet. But is spam costing some people their annual keep-up-with-inflation raises? I think it could be.

Missouri has an anti-spam law. I think that’s a very good thing. Spam that doesn’t have a subject line that begins with the four-letter string adv: is illegal in Missouri. Spam with adult content that doesn’t begin with the eight-character string adv:adlt is illegal in Missouri. There are a few other regulations as well. The punishment? A $5,000 fine per message, not to exceed $25,000 per day.

I hope that amount is high enough to fund a decent-sized army of spam hunters in Jefferson City.

So if you live in Missouri, or work in Missouri, or there’s a decent chance that your mail server is in Missouri, or you can get your mail server moved to Missouri, or can determine that your spam originated from Missouri (you must be really

The problem with spam is that it costs next to nothing to do it. But if a spammer gets five complaints a day from Missourians, that amounts to over $9 million a year. Even the Alan Ralskys of this world may have difficulty with that bill. Spam has made some people multi-millionaires, but it’s hard to imagine Ralsky being able to foot that bill.

There’s a precedent in Missouri. Missouri had a no-call list before the embattled federal no-call list came into existence. There was a body shop not far from me that was literally sued out of business due to this law. A couple of poor-little-small-business-being-picked-on-by-the-government stories predictably showed up in the local press, but I’m still trying to figure out why he was picked on. He broke the law and couldn’t afford the consequences.

And that’s what we need to do with spammers. I won’t shed a tear, but I might throw a party.

In the meantime while I wait for Jay Nixon to sue some spammers out of business, I need a technical solution. Mozilla provides a mail client with built-in Bayesian spam filtering. It works pretty well. But there are situations where you may be pretty much forced to use Outlook in an Exchange environment, or some other product that doesn’t have built-in spam filtering. For those situations there’s POPFile, and if you need POPFile to work with Outlook in Corporate Workgroup mode, there’s Outclass. They work pretty well once trained. I’ve been using Outclass and POPFile for a number of months, and since I get between 30-50 spam messages per day, intermixed with legit stuff (of which I get several hundred a day), it probably saves me an hour or two a day, even when it classifies stuff wrong. But the latest Outclass has whitelisting, which will help that. (For some reason earlier versions of Outclass always classified mail from my boss as spam. I whitelisted him after I upgraded.)

The ultimate solution is 50 different states with 50 incompatible sets of regulations (such as some states requiring the exact string “[adv]” and others requiring “adv:”), making it virtually impossible to comply and still make a profit. Those who do manage will be so small as to probably not be bothersome. I’m not so eager for the Feds to step in simply because then it would be easier to be universally legal.

Slashdot just located another sleazy spammer

The Dayton Daily News ran a story today about another sleazy spammer. Naturally, it took Slashdot mere hours to dig up an address, based on clues from the article.

The guy leads a lifestyle even more over the top than that described by R. Collins Farquhar IV and Jacques Pierre Cousteau Bouillabaise de Raunche de la Stenche: Sleep until 1, work for five hours cluttering your inbox and mine while holding a brandy snifter and wearing a silk kimono and leather slippers, then go out for a night on the town.

If you’d like to, oh, I don’t know, send him a postcard from your hometown voicing your appreciation for what he does, click on the Slashdot link. Do a search for “Dayton.”

Don’t even think about That’s harassment.