Category Archives: the mallet

Rule #3

Rule #3 states “Spammers are stooOOpid.”

if you need an example of rule #3, i have one for you:

the spammer sent mail from a computer called… get this…

UCEBOX.CO.ZA

😝😂🤣🤪🤦😠🤬

for those of you who still don’t “get” it, not only is the computer in south africa, home to all things shady and illegal, but “UCE” stands for “Unsolicited Commercial Email”… in other words, “spam”.

it’s as though they’re saying, “fuck yeah, we’re so gawd-damned proud of the illegal spam we send, that we’re going to name our computer after it, and nobody will care, even if they do notice!”

people should have to take an intelligence test before being allowed into the human race.

seriously.

spam update

i have now, officially, blocked IP address ranges in the following countries:

afghanistan
albania
angola
argentina
aruba
australia
austria
bangladesh
belarus
belgium
bhutan
bolivia
bosnia & herzegovina
brazil
british virgin islands
bulgaria
cambodia
canada
chile
china
colombia
congo
cote d’ivoire
croatia
czech republic
denmark
ecuador
egypt
el salvador
estonia
finland
france
georgia
germany
ghana
greece
guatemala
honduras
hong kong
hungary
iceland
india
indonesia
iran
iraq
ireland
israel
italy
japan
jordan
kazakhstan
kenya
kyrgyzstan
latvia
lithuania
luxembourg
macao
malaysia
mexico
moldova
monaco
mongolia
morocco
myanmar
netherlands
new zealand
nigeria
norway
pakistan
panama
paraguay
peru
philippines
poland
romania
russia
serbia
seychelles
singapore
slovakia
south africa
south korea
spain
sweden
switzerland
taiwan
tajikistan
tanzania
thailand
Trinidad & tobago
turkey
UK
ukraine
uruguay
USA
uzbekistan
vietnam

the big winners are china, russia, and india, and the runners up are spain, uzbekistan and kazakhstan…

and the good ol’ united states of ‘merica makes an appearance, as well.

before i started blocking whole swaths of IP addresses, the CPU usage on my server was between 75% and 100%, pretty much always. since i started blocking IP address ranges, my CPU usage is between 2% and 5%… which means that my web sites respond more quickly.

a side benefit is that, often, the same IP address ranges that are used by spammers, are also used by crackers, skript-kiddies, and other miscreants, so by absolutely blocking them (using both the IP Blocker and the Global Email Filters) i kill two birds with one stone. 😉

the down side is that i’ve been catching a few false positives, which are messages from people within north america, but, through no fault of their own, sent their messages at EXACTLY the right time, so that the date in their message ID gets caught by the rule that’s supposed to catch IP addresses… 😖

but, honestly, there have been fewer than 10 false positives in the last 6 months (they tend to come in spurts: i’ve caught 3 today, but haven’t seen one for months), whereas, if left unfettered, i would have received, easily, 100 times that many spam messages PER DAY, so, in all, i’m almost ready to make my list available to anybody else who wants to cut down on the people who send you spam… 😉

calm, still no storm… weird…

still calm, still a few “false positives” which are easily dealt with, and forwardable almost immediately… ‼👍 but no “bitcoin sextortion” spam since 191202… and the record is currently held by 1LfYcbCsssB2niF3VWRBTVZFExzsweyPGQ, who i last heard from on 191127, who spammed me four hundred eighty-seven times

spam assassin has, apparently, figured out a regex (or something) for capturing bitcoin addresses, so after 191127, there have been no bitcoin sextortion spams that have NOT been labeled as ***SPAM*** by spam assassin, which makes them a lot easier to filter out.

but it’s weird, because, even though it has been almost a week now, waking up in the morning and NOT having two or three DOZEN spam messages to process makes me nervous that something else may be happening to all of those messages, and, potentially, legitimate messages, as well, and i have no clue what may be happening to them, because nobody other than me is even aware of the fact that they’re not there any longer. 😕

we started the panto. it’s Jack and The Beanstalk… i don’t remember whether this is the first panto we did, or the second panto we did, way back when we first started doing pantos, 17 years or so ago… but it’s largely the same script: different actors but the same characters… and no simon, but he hasn’t been involved since he got drunk, did something which he wasn’t supposed to (sexual harrassment? stealing stuff? something that only drunk people do… 😒), and was banned from the palladium, a few years ago. we did the first four of 20 performances, last weekend, and only missed one music cue: half the band started a half a measure before the other half of the band, and none of the singers came in at the right point, but we recognised it almost immediately, and kiki said “wait, can we start that again?” and everybody came in on cue when we tried it again… and there was one place at the end of the panto, where the giant chops down the beanstalk, and the ogress (represented by a puppet) falls from the castle in the sky, along a zip-line, to the back of the palladium. but, this time, the doors to the castle opened, but no ogress came out… so we just continued, where the ogress (this time, the real actor) then “falls” back up to the front of the stage, and has a few lines… and then the puppet ogress decided it was time to fall… 🤣

but, all in all, the panto is going well.

/8 blocks

i now have three /8 blocks in my email filters.

25.0.0.0/8 in the UK, 53.0.0.0/8 in germany, and 133.0.0.0/8 in japan.

the “standard” email filters, built on “and/or” and “contains/does not contain”, break down when you’re dealing with 16.75 MILLION addresses.

they break down because you can’t just filter on 25. which appears in the middle and end of IP addresses, in message ID numbers, and, occaisionally, in the body of the message.

the result is A LOT of false positives: email which i can’t forward to the correct recipient, because it will get filtered AGAIN

which is quite annoying. 😒

so, with the help of my friend robert, i built a regular expression to handle it:

\D25\.\d{1,3}\.\d{1,3}\.\d{1,3}\D

finds non-digit character followed by “25.”, followed by three repititions of one to three digits, interspersed by periods, followed by another non-digit character.

technically, this regex could be adapted to accomodate any IP address, which means that, theoretically, i have a whole new, easier, and faster method of processing spam. 😈

the next step is to learn how to search for a specific range of digits… 😈

ETA 191127 i discovered that you can’t specify a range of digits with a regex. for that, you need a script, which is too much work. also, i determined that i DON’T need the white space character at the beginning and end of the regular expression, because, sometimes, the IP address is surrounded by parentheses, square brackets, or both.

ETA 191128 i changed it from white space character — \s — to non-digit character — \D — because some IP addresses are surrounded by parentheses or square brackets, but some are surrounded by white space characters. the only thing \D doesn’t capture is an empty string, so the IP address can’t be the first thing in the line of text.

and, even with the \D, this regex, modified to capture 27.16.0.0/12 in china, captures 2.2019.11.27.23.41.02, which is part of the message ID on a LEGITIMATE message. 😖😒😠🤬

this is why i’m rerouting these messages, rather than summarily deleting them, which is my inclination… summarily deleting what i think is spam has come back to bite me in the ass often enough that i don’t do it any longer. 😒