Tag Archives: the mallet

calm, still no storm… weird…

still calm, still a few “false positives” which are easily dealt with, and forwardable almost immediately… ‼👍 but no “bitcoin sextortion” spam since 191202… and the record is currently held by 1LfYcbCsssB2niF3VWRBTVZFExzsweyPGQ, who i last heard from on 191127, who spammed me four hundred eighty-seven times

spam assassin has, apparently, figured out a regex (or something) for capturing bitcoin addresses, so after 191127, there have been no bitcoin sextortion spams that have NOT been labeled as ***SPAM*** by spam assassin, which makes them a lot easier to filter out.

but it’s weird, because, even though it has been almost a week now, waking up in the morning and NOT having two or three DOZEN spam messages to process makes me nervous that something else may be happening to all of those messages, and, potentially, legitimate messages, as well, and i have no clue what may be happening to them, because nobody other than me is even aware of the fact that they’re not there any longer. 😕

we started the panto. it’s Jack and The Beanstalk… i don’t remember whether this is the first panto we did, or the second panto we did, way back when we first started doing pantos, 17 years or so ago… but it’s largely the same script: different actors but the same characters… and no simon, but he hasn’t been involved since he got drunk, did something which he wasn’t supposed to (sexual harrassment? stealing stuff? something that only drunk people do… 😒), and was banned from the palladium, a few years ago. we did the first four of 20 performances, last weekend, and only missed one music cue: half the band started a half a measure before the other half of the band, and none of the singers came in at the right point, but we recognised it almost immediately, and kiki said “wait, can we start that again?” and everybody came in on cue when we tried it again… and there was one place at the end of the panto, where the giant chops down the beanstalk, and the ogress (represented by a puppet) falls from the castle in the sky, along a zip-line, to the back of the palladium. but, this time, the doors to the castle opened, but no ogress came out… so we just continued, where the ogress (this time, the real actor) then “falls” back up to the front of the stage, and has a few lines… and then the puppet ogress decided it was time to fall… 🤣

but, all in all, the panto is going well.

/8 blocks

i now have three /8 blocks in my email filters.

25.0.0.0/8 in the UK, 53.0.0.0/8 in germany, and 133.0.0.0/8 in japan.

the “standard” email filters, built on “and/or” and “contains/does not contain”, break down when you’re dealing with 16.75 MILLION addresses.

they break down because you can’t just filter on 25. which appears in the middle and end of IP addresses, in message ID numbers, and, occaisionally, in the body of the message.

the result is A LOT of false positives: email which i can’t forward to the correct recipient, because it will get filtered AGAIN

which is quite annoying. 😒

so, with the help of my friend robert, i built a regular expression to handle it:

\D25\.\d{1,3}\.\d{1,3}\.\d{1,3}\D

finds non-digit character followed by “25.”, followed by three repititions of one to three digits, interspersed by periods, followed by another non-digit character.

technically, this regex could be adapted to accomodate any IP address, which means that, theoretically, i have a whole new, easier, and faster method of processing spam. 😈

the next step is to learn how to search for a specific range of digits… 😈

ETA 191127 i discovered that you can’t specify a range of digits with a regex. for that, you need a script, which is too much work. also, i determined that i DON’T need the white space character at the beginning and end of the regular expression, because, sometimes, the IP address is surrounded by parentheses, square brackets, or both.

ETA 191128 i changed it from white space character — \s — to non-digit character — \D — because some IP addresses are surrounded by parentheses or square brackets, but some are surrounded by white space characters. the only thing \D doesn’t capture is an empty string, so the IP address can’t be the first thing in the line of text.

and, even with the \D, this regex, modified to capture 27.16.0.0/12 in china, captures 2.2019.11.27.23.41.02, which is part of the message ID on a LEGITIMATE message. 😖😒😠🤬

this is why i’m rerouting these messages, rather than summarily deleting them, which is my inclination… summarily deleting what i think is spam has come back to bite me in the ass often enough that i don’t do it any longer. 😒

spammers spamming spam! 🤬

just as a reminder, this has been posted at the Hybrid Elephant Contact Us form:

PLEASE NOTE: This contact form is solely for the use of Hybrid Elephant customers who need to get in contact with us. Every message that is sent with this form includes a unique IP address in the header, which identifies the computer from which the message was sent. If you use this form to spam us, all you will accomplish is to put your IP address on the list of IP addresses which are PERMANENTLY BANNED from accessing Hybrid Elephant for any reason. Please DO NOT USE THIS FORM to send us advertisements or solicitations. It WILL NOT WORK! You have been warned!

this morning, i got spam from my response form (big surprise).

the difference, this time, is that the following message was included at the end of the spam:

IMPORTANT NOTICE: This message has been posted via a Contact Us form on your site. Contact forms are publicly accessible and they can be used for posting messages by anyone. We don’t use, hold or archive your e-mail addresses.

yes, contact forms can be used by anyone, but, particularly when an anti-spam message like the one previously posted is present, a concientious user of internet won’t use it unless that person is also a “Hybrid Elephant customers who need to get in contact with us”.

the message that you sent me was definitely NOT because of a need to contact me about something having to do with my business. 😒

and the fact that you say you “don’t use, hold or archive your e-mail addresses” is a moot point, because you ALREADY HAVE used my email address, and the fact that you have already used it means that, very likely, it is stored somewhere on your system, and probably gets backed up with everything else on your computer, which, for all intents and purposes, is “using, holding and archiving”… 🤬

so, the IP address from which this spam was sent is 85.203.22.215, which is part of the 85.203.22.208/28 range, located in monaco.

as of now, 85.203.22.208/28 (16 individual IP addresses) is no longer able to access my domains for any reason whatsoever.

thanks, spammer.

the message also contained references to wexxluxurycars dot com, which also goes on my block list.

thanks, spammer.

the IP address to which that domain name corresponds is 198.46.134.35, which is located in new york. because of the fact that it’s in new york, that IP address goes on my email block list, with today’s date, so that, in case i get an inquiry regarding it at some future point, i can state, unequivocally, that it was added to the list on that date, in case the person inquiring wants me to remove it…

which i will do ONLY if they can convince me that they are no longer associated with spam.

thanks, spammer.

and, of course, nobody is going to be seriously affected by all of this falderal (except, possibly, me), because the message was, doubtlessly, sent by a script that scans for “Contact Us” forms, and dumps meaningless spam into them automatically, without any one person having to do anything other than launch the script, which is why i’ve taken to blocking CIDR ranges outside of north america with no further warning. if people are going to be that careless with their own security, it’s up to people like me to take their security seriously, for them.

thanks, spammer. 🤬

random reminder

great swaths of the internet from the following countries have been permanently banned from viewing my web sites and sending me email, due to ongoing, egregious spamming activity:

albania
angola
argentina
aruba
australia
bangladesh
belarus
belgium
bosnia
brazil
british virgin islands
bulgaria
canada
chile
china
colombia
congo
denmark
denmark
egypt
finland
france
germany
guatemala
herzegovina
hong kong
iceland
india
indonesia
ireland
israel
italy
japan
kenya
latvia
lithuania
macau
malasia
mexico
moldova
netherlands
nigeria
norway
pakistan
panama
philippines
poland
romania
russia
serbia
seychelles
singapore
slovakia
south africa
spain
sweden
switzerland
taiwan
thailand
turkey
UK
ukraine
uruguay
viet nam

and more than a few from the united states, for good measure. 😒

spam is bad. stop spam on internet.

tee…

i’ve recently taken to blocking great swaths of IP addresses in foreign countries, which only send me spam.

she has HUGE… tracts of land…

i have undertaken this policy because using a utility that automatically blocks IP addresses from foreign countries costs money (😒) and using a utility would only work on hybridelephant dot com, and nowhere else.

so, i learned about CIDR, learned how to identify host countries based on IP addresses, and learned how to block IP addresses based on CIDR numbers…

now, instead of blocking a single IP address — which is pointless, because spammers know that a single IP address only works until the spamees figure it out and block it, so they move on to the next one — i block entire swaths of IP addresses: the most common are the /24 range, which blocks 256 (28) IP addresses, and the /16 range, which blocks 65,536 (216) addresses.

and i can block spam from those IP addresses on ALL of my domains, not just hybridelephant dot com. 😉

which brings me to the point of this post: i recently blocked the third IN A SERIES of IP addresses from bangladesh: now i have 185.222.56.0/24, 185.222.57.0/24, AND 185.222.58.0/24 blocked.

which, technically, means that i could block 185.222.56.0/23 and 185.222.58.0/24 with the same effect, because 185.222.56.0/24 plus 185.222.57.0/24 equals 185.222.56.0/23

i love that i am able to do this.

i also love that i am able to understand this as much as i do… which is not very much, but enough that i have been successful in reducing the amount of spam i get by a SIGNIFICANT amount, and not affected my legitimate mail in the slightest degree. 😈