Tag Archives: spam

interesting

the past few weeks (maybe as much as a couple months) i have been getting anywhere from 4 to 24 “porn spam scam” emails per day — you know the ones, where the guy claims to be a “hacker” who has “taken over” your computer, is emailing you “from your own email address”, doesn’t speak english too well, and demands some random amount in bitcoin to prevent him from revealing your “pornographic indiscretions” to “everyone on your contact list” (😒) — and i have been reporting EVERY! SINGLE! ONE! to their upstream provider, and to the bitcoin abuse web site… but for the past couple of days, i have noticed that the constant stream has dropped off considerably: two days ago, i received two messages, yesterday i only received one, and, so far, today, i haven’t received any.

i also noticed that, a few days ago, i started seeing specific SpamAssassin rules that are targeted towards the porn-spam-scam racket (bitcoin address recognition and “from:” address spoofing are the two big ones), but considering the massive influx of porn-spam-scam messages over the past couple of months, i would have expected a much more gradual drop-off.
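the two signals named above (a “from:” address that matches the recipient, and a recognisable bitcoin address in the body) can be checked with a few lines of python. this is an added example, not SpamAssassin’s own rule code and not code from the author of this page; the sample message is constructed, the function names are hypothetical, and the wallet in it is the well-known bitcoin genesis-block address, used as a stand-in.

```python
import hashlib
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# legacy addresses start with 1 or 3 and are 26 to 35 base58 characters long
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
AUTH = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

# constructed sample, not a real message; example domains only
SAMPLE = """\
Authentication-Results: mx.recipient.example; spf=softfail smtp.mailfrom=recipient.example; dmarc=fail header.from=recipient.example
From: me@recipient.example
To: me@recipient.example
Subject: your account was hacked

Transfer $800 to our Bitcoin wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
order ref 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
"""


def is_btc_address(text):
    """Base58Check test: 1 version byte + 20 hash bytes + 4 checksum bytes."""
    n = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    pad = len(text) - len(text.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def self_addressed(msg):
    """True when the From: address is also a recipient ("mail from yourself")."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = msg.get_all("To", []) + msg.get_all("Cc", [])
    return bool(sender) and sender in {a.lower() for _, a in getaddresses(rcpts)}


def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results.

    only the header added by your own mail server is trustworthy; anything
    the sender supplied can be forged like the rest of the message.
    """
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for key, result in AUTH.findall(value.lower()):
            verdicts.setdefault(key, result)
    return verdicts


def sextortion_signals(raw):
    msg = message_from_string(raw)
    body = msg.get_payload()  # the sample is single-part plain text
    auth = auth_results(msg)
    return {
        "self_addressed": self_addressed(msg),
        "auth_failed": auth.get("dmarc") == "fail"
        or auth.get("spf") in ("fail", "softfail"),
        # the checksum test drops random 34-character strings
        "wallets": [c for c in CANDIDATE.findall(body) if is_btc_address(c)],
    }


if __name__ == "__main__":
    print(sextortion_signals(SAMPLE))
```

a message that is self-addressed, fails authentication and carries a checksum-valid wallet is a strong candidate for the junk folder; any one signal alone is not.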

anti-spam, anti-fraud information

the past couple of months i have been getting an inordinate amount of spam that goes something like this:

Hello!
I’m a member of an international hacker group.

As you could probably have guessed, your account X was hacked, because I sent message you from it.

Now I have access to you accounts!
For example, your password for X is X

Within a period from July 17, 2018 to October 3, 2018, you were infected by the virus we’ve created, through an adult website you’ve visited.
So far, we have access to your messages, social media accounts, and messengers.
Moreover, we’ve gotten full damps of these data.

We are aware of your little and big secrets…yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..

But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!
I think you are not interested show this video to your friends, relatives, and your intimate one…

Transfer $800 to our Bitcoin wallet: 14bXUoPwruptLamUfKTuMW39Qy1q4ohX9w
If you don’t know about Bitcoin please input in Google “buy BTC”. It’s really easy.

I guarantee that after that, we’ll erase all your “data” ?

A timer will start once you read this message. You have 48 hours to pay the above-mentioned amount.

Your data will be erased once the money are transferred.
If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection.

You should always think about your security.
We hope this case will teach you to keep secrets.
Take care of yourself.

please note: THIS IS FAKE NEWS!

whoever it is that sent it DOES NOT have access to my, or anyone else’s email account, despite what they may want you to think.

how do i know this? i have received at least 10 messages which are almost exactly identical to this one, down to the inconsistent english, carriage returns, and even the supposedly unique bitcoin wallet ID. the only significant difference in all of these messages is in the headers, which most people never see.

i want to go through this message, statement by statement, and show you exactly WHY it is fake news, and you shouldn’t buy into their scam.

first,

I’m a member of an international hacker group.

no you are not a member of an international hacker group. if you were, you wouldn’t have to tell me so. you are, in fact, a skript-kiddie who thinks he can make money by using other people’s code to mess up my internet: you are a vandal and a criminal, and i WILL track you down and turn you in, because it’s easy-peasy. 😠

As you could probably have guessed, your account X was hacked, because I sent message you from it.

any real hacker can tell you that you don’t actually have to have access to the account that’s on the “FROM:” line in your email, in order to make it look like you have access to that account. the fact is, i can send email to anybody i like, put whatever email address i like on the “FROM:” line, and 98% of the time, it will go through to the recipient without any difficulty. this is because the “FROM:” line is one of the easiest parts of the email to spoof. i have sent email that looks like it was coming from Bill Gates, and, if you didn’t know that i was sending it, and you have no way of looking at the email headers, you would think it was Bill Gates, and not me.

but you would be wrong.

then:

Now I have access to you accounts!
For example, your password for X is X

this password (which i have “X”ed out) is an authentic password from me, but because i have kept a list of every password i used, and where i used it, i KNOW that it is AT LEAST five years old, and has been superseded many times by more potent passwords. nevertheless, i also KNOW EXACTLY where i used this password last, so the first thing on my list is to write to the administrators of that place, and let them know that they’ve experienced a security breach.

then, just to make sure, i CHANGE MY PASSWORD AGAIN!!! just because they don’t really know anything is no reason not to be cautious times five… 👍

once again:

Within a period from July 17, 2018 to October 3, 2018, you were infected by the virus we’ve created, through an adult website you’ve visited. So far, we have access to your messages, social media accounts, and messengers. Moreover, we’ve gotten full damps of these data.

surprise! i KNOW that this is fake news, because i KNOW that i have not visited adult web sites. EVER! this may be a little more difficult for some other people, but for me, it’s a no-brainer: you are much less likely to be infected with a virus if you don’t visit adult web sites. the “full damps” of these data are imaginary.

not only that, but starting on 10 july — which is before the alleged “infection” — i was not even near my computer, much less using it, for at least a week, and i haven’t even had any social media accounts or messengers since about a week later. FAIL!

and, just as an aside… what are “full damps” anyway? i would have called them “downloads”… i have never heard the word “damps” used to mean “downloads”… do these people even speak english???

if you actually do visit adult web sites, you may be taken aback by this claim, but keep in mind the first part of the message, where they claimed to have access to my email account: they were wrong then, so the probability is quite high that they are wrong now, as well.

We are aware of your little and big secrets…yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..

i admit that my tastes are quite weird, but the fact that you “saw and recorded” me doing those things is a lie: i don’t even have a webcam, or any kind of device that could record me doing stuff that i don’t even do in front of my computer anyway.

once again, if you have a webcam on your computer, it may be a good idea to cover it with a piece of tape when you’re not using it, but the fact is, people who write you out of the blue and claim to have access to your computer, are lying, more likely than not.

now we come to the real reason people send out spam like this:

Transfer $800 to our Bitcoin wallet: 14bXUoPwruptLamUfKTuMW39Qy1q4ohX9w
If you don’t know about Bitcoin please input in Google “buy BTC”. It’s really easy.

yeah, bitcoin makes it really easy to hide your transactions and make them more anonymous, but if the person who is asking you to send them bitcoin has been lying to you, then it is also harder for you to get your money back when you figure out that you have been lied to… which is why it’s always a good idea to make sure that the information you have been given is NOT a lie before you make your transaction.

in this case, they’re lying about the virus, the adult web site, the visual and audio recording, and the amount of data they claim to have collected, so i am confident that, if i were to look up their bitcoin wallet address, there’s a good chance that it, too, will have been shut down for fraudulent activity. yes, it is possible for that to happen, and in cases like this, it is fairly frequent.

ETA: i’m wrong about this one. the bitcoin wallet at 14bXUoPwruptLamUfKTuMW39Qy1q4ohX9w is active, showing 17 transactions (at this time) worth 1.95616527 BTC, or, $12,949.81 USD at this time… all the more reason to realise that THIS IS A SCAM!!! if you’re interested in reporting scam bitcoin wallets, you can do so here, as i have.

A timer will start once you read this message. You have 48 hours to pay the above-mentioned amount.

this “timer” is more impetus for you to act immediately, without checking any of the above mentioned information for inconsistencies. i know that it’s not true because i have received several messages like this, over the past two months, and nothing has ever happened to me, my “data” has not been mailed to my contacts (as will be seen in the next statement), simply because 1) they don’t have any of my contact information, and 2) they don’t have any data.

they’re just trying to scare me, and it’s not working.

Your data will be erased once the money are transferred.
If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection.

see? they’re threatening to send “all your messages and videos” — which they don’t have — “to all your contacts” — which they also don’t have — unless you send $800 to a bitcoin wallet which no longer exists.

by this time, you are EITHER freaking out and reading up on converting regular money to bitcoin, or you, like me, are laughing out loud, and wondering why other people are so stupid.

because, if you think about it, $800 is a fairly small amount of money to extort from someone who is willing to give it to you without doing their homework… so what is preventing them from saying your data has been erased, but, actually has been put into a separate category of data that can be used to extort more money from you, at a later time?

of course, if they don’t have any of that data (as in my case) i have nothing to worry about, but for people who might have data like that, who knows what they may do, even if everything else is a lie?

finally, a LEEEETLE TINY BIT of common sense, to finish things up:

You should always think about your security. We hope this case will teach you to keep secrets. Take care of yourself.

basically, if it’s on internet, it’s not a secret. if your computer is on internet, there’s a remote chance that something like this really may happen to you at some point, if you also keep your secrets on your computer. thus, the logical conclusion is that if you keep your secrets somewhere other than on your computer (or your tablet, or your cell phone), you won’t have any problems deleting the message when you get spam like this.

for those of you who may remember the screed i wrote about how to report spam: if you receive a message like this, that would be a good place to start. 😉

how to report spam

i use this spam policy, along with maintaining robust global email filters, running SpamAssassin, and blocking IP addresses that are used for abuse. using these procedures has resulted in my having to get this far MAYBE as many as 10 times in a day, and some days i don’t have any spam at all. YOUR MILEAGE WILL VARY! and, remember… the more you do it NOW, the fewer spam messages everyone gets down the road!

this is written from the perspective of a person who uses an email client and a web browser. if you ONLY use a browser (if you use webmail), there may be extra, intermediary steps that are not written down here.

the first thing you need to know is how to extract headers from your email messages, which is different depending on how you get your email.

  1. once you’ve extracted the headers, go to this URI:

    https://www.iptrackeronline.com/email-header-analysis.php

    leave wherever you have extracted the headers — the “message source” — open, because you’re going to need to copy more of the message, later.

  2. for now, paste only the headers into the form, and click “Submit header for analysis”.

    the analysis is WAY more information than you need, but the information you DO need is right near the top: under the header “Email header analysis report” will be a table that contains “All valid IP Addresses found in the header”, and usually the top one (or, possibly, two) will have an asterisk (*) next to them, which is the “Probable originating IP address”.

  3. copy that address. if it’s two, copy the first one, do the next steps, and then come back and copy the second one and do the next steps for that number, as well.
  4. now, go to this URI:

    https://centralops.net/co/DomainDossier.aspx

    paste the IP address in the “domain or IP address” field, check the following three boxes:

    domain whois record
    network whois record
    DNS record

    and hit the “Go” button.

    then, i find that it’s easiest to use the “Edit” -> “Find In This Page” function of my browser, to search for every instance of the commercial at symbol – @ – which is used in email addresses.

  5. now, go back to the message source, where you extracted the headers (remember that?)

    select and copy the entire message, including the headers. now you can close the message source.

  6. select the message in your inbox, and choose “Forward”.
  7. this will open a new message, with the message you’re complaining about inside a forwarding header. select everything EXCEPT the forwarding header, and delete it. then paste the message source that you copied in where the other stuff used to be.
  8. then, go back to the web browser, and find every email address for the IP address you’re complaining about, and put them into the “To:” line of your new, forwarded message.

    SOMETIMES the information will tell you something like “Report abuse only to…” or something like that. you can do that, if you want to, but frequently the “abuse” address is disabled, and the other addresses aren’t, so i’ve found that it’s a good idea to send email to EVERY address, whether or not it says to.

    if your search at iptrackeronline.com came up with two “Probable originating IP addresses”, now is the time to go back to step 3), copy the second IP address, and continue from there.

    you’ll end up with a forwarded message that contains the raw, text-only message, which is addressed to at least two, and sometimes as many as 9 or 10 email addresses.

  9. if you’re REALLY hung up on privacy, at this point, you can search for YOUR email address using the “Edit” -> “Find” feature of your email client. if you do this, replace every instance of your email address with an X to make it obvious that you haven’t done anything except remove your address from the header. seriously, if you do this, and mess around with the headers too much, eventually someone will complain about it, and YOU’RE supposed to be the one who is complaining, here.
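the header-reading part of the steps above (finding the probable originating IP address, working out the /24 or /16 it sits in, and replacing your own address with an X before forwarding) can also be done locally. this is an added example, not the code behind either web site and not the author’s own; the sample message is constructed, the function names are hypothetical, and “mx.recipient.example” stands in for your own mail server.

```python
import ipaddress
import re
from email import message_from_string

# constructed sample (not real spam): documentation IP ranges and example
# domains only. Received: headers are listed newest first, as delivered.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [10.0.0.5])
\tby mailstore.recipient.example with LMTP; Tue, 09 Oct 2018 10:00:03 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.25])
\tby mx.recipient.example with ESMTP; Tue, 09 Oct 2018 10:00:02 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby relay.isp.example with SMTP; Tue, 09 Oct 2018 10:00:00 +0000
From: me@recipient.example
To: me@recipient.example
Subject: your account was hacked

this copy was sent to me@recipient.example
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# internal hops never identify the sender's provider, so they are skipped
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_public(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # e.g. [999.1.1.1] in a forged header
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def received_hops(raw):
    """(receiving host, public IP it recorded or None) per hop, newest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        from_part, _, by_part = flat.partition(" by ")
        ips = [ip for ip in IP_RE.findall(from_part) if is_public(ip)]
        by_host = by_part.split()[0] if by_part else ""
        hops.append((by_host, ips[-1] if ips else None))
    return hops


def probable_origin(raw):
    """oldest hop with a public address: what the header analysis stars."""
    for _, ip in reversed(received_hops(raw)):
        if ip:
            return ip
    return None


def handoff_ip(raw, my_mx):
    """address that connected to your own server. everything older than this
    hop was written by machines you do not control and can be forged."""
    for by_host, ip in received_hops(raw):
        if by_host == my_mx:
            return ip
    return None


def block_range(ip, prefix):
    """the enclosing network for an IP blocker, e.g. prefix 24 or 16."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def redact(raw, my_address):
    """step 9: replace every instance of your own address with an X."""
    return re.sub(re.escape(my_address), "X", raw, flags=re.IGNORECASE)


if __name__ == "__main__":
    print(probable_origin(RAW), handoff_ip(RAW, "mx.recipient.example"))
    print(block_range(probable_origin(RAW), 24))
    print(redact(RAW, "me@recipient.example"))
```

when the two addresses differ, the one from `handoff_ip` is the safer choice for the whois lookup, because it is the only one your own server witnessed.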

FINISHING TOUCHES:
i usually like to mark my new message “Urgent”, and i also like to get a “Return Receipt” (which is not available on all email clients). i also like to insert the words “ABUSE VIOLATION” in the subject line, prior to the original, forwarded header, so that they know that you’re complaining, and not just sending more spam.

if you (like me) run your email through SpamAssassin, or something like it, you may have a special header section that gives you reasons why this particular message is (or is not) spam. sometimes this will include things like URIBL_BLOCKED information, which gives you the URIs that are used in the message, which are blocked by various spam lists. if you get an identifiable URI, you can use the “Edit” -> “Replace…” feature in your email client to replace these URIs with human-readable, but machine-invisible equivalents, which will further attest to the fact that you’re complaining, and not just sending more spam.

——

it is important to remember that all of this information is time sensitive: if you don’t get around to reporting spam until two or three days later, it has considerably less effect than a report that is made as soon as the spam message is received. generally, if more than 12 hours has passed, i just trash the spam and continue with my life.

about half of the reports i send produce some kind of response. about half of the responses i get are automated, either telling me that the message has been received, or telling me that it has not been received for one reason or another. a few of them are, actually, human responses, usually saying that they’ve forwarded the message to their client (the spammer), or saying that there’s nothing they can do about it. this is where requesting a return receipt is helpful: if you get a return receipt, there’s a good chance that someone at least saw your message. even if the return receipt says “not read”, you know that it’s a good address, and that someone saw your complaint, even if they didn’t do anything about it.

step 9) is important if they say they have forwarded your message to the spammer, because if you have not replaced all of the instances of your email address with an X, then the spammer now has your email address, surprise! they can do whatever they like with it, which usually means sending you more spam. in extreme cases, they send a SHIT-TON of spam (like, 500,000 messages) or try to send you viruses or malware, so it’s really important to do ALL nine steps.

believe me, speaking from personal experience, cleaning up after a 500k message bomb is no fun. 😕

in the case of someone who says there’s nothing they can do about it, that’s the point where i go back to the IP address that i complained about originally, and put the /16 or /24 into my IP blocker (depending on how egregious the abuse has been).

also, i put commonly used words and phrases that typify abuse (things like “ALMIGHTY GOD” and “flight simulator” and “Pílula” and “电子邮“) into my global email filters, and update them with new information frequently.

occasionally — VERY occasionally — i get a response such as this one, which makes all of this rigamarole worth while.

also, why i only accept plaintext email (and why you should, as well)

spam spam spam spam spam spam spam spam spam spam MALLET!

i never get tired of this… 😎

[#RNZ-396-23469]: ABUSE VIOLATION: RE: PAYMENT INVOICE
From: Namecheap Legal & Abuse Team <[email protected]>
To: you know who
Date: 180520 12:37 am
Spam Status: Spamassassin
Hello,

Thank you for your report.

While the gaushmedical.us domain name is registered with Namecheap, it is hosted with another company. That is why we cannot check the logs for the domain and confirm if it is involved in sending unsolicited emails.

However, it seems the domain name is blacklisted by SURBL. Since we consider SURBL to be a trusted organization, we opened a case regarding the domain name. Please allow about 48 hours for our further investigation.

Thank you for letting us know about the issue.


[#RNZ-396-23469]: ABUSE VIOLATION: RE: PAYMENT INVOICE
From: Namecheap Legal & Abuse Team <[email protected]>
To: you know who
Date: 180521 08:19 pm
Spam Status: Spamassassin
Hello,

Please be informed that as a result of the investigation, the domain gaushmedical.us was suspended. It was null-routed and locked in our system, so the spamming activity should end once the propagation is over.

Thank you for letting us know about the issue.


whois gaushmedical.us
Domain Name: gaushmedical.us
Registry Domain ID: DC3FBD2D4DC1743DE92E082A91D15BEDE-NSR
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2018-05-22T03:18:40Z
Creation Date: 2018-05-15T06:56:45Z
Registry Expiry Date: 2019-05-15T06:56:45Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: C29C72D760FD14C7FAD8D886E1C016E55-NSR
Registrant Name: New Oru
Registrant Organization:
Registrant Street: Hertzstr. 4
Registrant Street:
Registrant Street:
Registrant City: Heidelberg
Registrant State/Province: Heidelberg
Registrant Postal Code: 69126
Registrant Country: DE
Registrant Phone: +49.8635999192
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registrant Application Purpose: P1
Registrant Nexus Category: C11
Registry Admin ID: CBBCDFB2B18654CFC972C6274C0858A93-NSR
Admin Name: New Oru
Admin Organization:
Admin Street: Hertzstr. 4
Admin Street:
Admin Street:
Admin City: Heidelberg
Admin State/Province: Heidelberg
Admin Postal Code: 69126
Admin Country: DE
Admin Phone: +49.8635999192
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID: C3200FE79814B420EB1FA838AEBEF9060-NSR
Tech Name: New Oru
Tech Organization:
Tech Street: Hertzstr. 4
Tech Street:
Tech Street:
Tech City: Heidelberg
Tech State/Province: Heidelberg
Tech Postal Code: 69126
Tech Country: DE
Tech Phone: +49.8635999192
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: blockedduetospam.pleasecontactsupport.com
Name Server: dummysecondary.pleasecontactsupport.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2018-05-22T04:57:32Z <<<

😂

spam

as of today, these are the TLDs i have blocked from sending email to my server, because of spam:

  • .bid
  • .date
  • .faith
  • .fun
  • .live
  • .online
  • .party
  • .stream
  • .trade
  • .website
  • .win

if your web site is under any one of these TLDs, you’re not going to be able to communicate with me over email, so you might as well give up now. it’s not going to work.

ETA: 180520 add to the previous list:

  • .club
  • .top

… give it up, folks.

why i only accept plaintext email (and why you should, as well)

a couple days ago, a friend mentioned the fact that i only accept plaintext email, and asked if HTML email was against my religion. i said “yes”, and this is why i don’t accept rendered, HTML-formatted email. it is a story with a moral at the end, so pay attention.

today, i got an email that said it was from “DHL Customer Support <[email protected]>” and the subject line was “DHL Shipment Notification”…

keep in mind that the “From:” address is one of the easiest things about any email message to forge. among the other easy things to forge are the “Subject:” line, the “To:” line, and the body of the message, which is one of the reasons it’s not uncommon to get spam from “yourself”.

the spam i got contained the following message:

Notification for shipment event group “Delivery Exception” for &email&;
Dear Customer,

This is a notification that your package has experienced an exception, kindly follow the link to update your address: https://www.dhl.com/address_update

however, because of the fact that i only accept plaintext email, this is what i saw:

<p align=”LEFT”><span style=”font-size:12px;”><span style=”font-family:times new roman,times,serif;”>This is a notification that your package has experienced an exception, kindly follow the link to update your address:</span> <strong> </strong><font color=”#0000ee”><strong> <a href=”https://chicagoturfpros.com/wp-includes/css/dhl/[email protected]”><span style=”font-family:times new roman,times,serif;”>https://www.dhl.com/address_update</span></a></strong><span style=”font-family:times new roman,times,serif;”> </span></font></span></p>

for those who look carefully, particularly at the bigger sections of the text, you will discover that there’s a link — a href= — and the target of that link is chicagoturfpros.com…

BUT the apparent target of the link is actually dhl.com. this is compounded by the fact that SOMEONE has taken a lot of time and care to make it look like the dhl.com web site, even though it isn’t.

180513 badware

if i accepted rendered HTML-formatted email, i, very likely, would not have seen the fact that, instead of going to dhl.com, i was actually going to chicagoturfpros.com — WHICH IS EXACTLY WHAT THE SPAMMERS WANT TO HAPPEN!

because of the fact that the link also includes my email address, there is also the very strong probability that: 1) i would have clicked the “update address” button without noticing that i’m giving my personal information to “chicagoturfpros.com” or whoever is controlling their web site, and 2) even if i didn’t click the “update address” button, my email address is now a part of the web log for “chicagoturfpros.com” (or whoever is controlling their web site), which means that, even if they didn’t get my personal information, they have what is now a “valid” email address, with which they can, then, send me more spam.
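both problems described above, a link whose visible text names one site while its href points at another, and a link that carries the recipient’s address back to the sender, can be found mechanically in the HTML source. this is an added example, not code from the original post; the sample markup is constructed, “landing.example” stands in for the real link target, and the function names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# constructed sample modelled on the message above: the first link shows
# a dhl.com URL but points elsewhere, the second link is honest.
SAMPLE = (
    '<p>kindly follow the link to update your address: '
    '<a href="https://landing.example/wp-includes/css/dhl/'
    '?email=me%40recipient.example">'
    '<span style="font-family:serif;">https://www.dhl.com/address_update'
    '</span></a></p>'
    '<p><a href="https://www.dhl.com/tracking">dhl.com/tracking</a></p>'
)

# something in the visible text that looks like a URL or a host name
URLISH = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # text nested in <span> etc. counts too
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    if "://" not in url:
        url = "//" + url  # lets urlsplit parse a bare "dhl.com/tracking"
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def same_site(a, b):
    # heuristic: equal, or one is a subdomain of the other. a stricter
    # check would compare registrable domains via the public suffix list.
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def audit_links(html, my_address):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        shown = URLISH.search(text)
        shown_host = host_of(shown.group(0)) if shown else ""
        findings.append({
            "href_host": href_host,
            "shown_host": shown_host,
            # only meaningful when the visible text itself names a host
            "mismatch": bool(shown_host and href_host
                             and not same_site(href_host, shown_host)),
            # the URL identifies the recipient to whoever serves it
            "tags_recipient": my_address.lower() in unquote(href).lower(),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE, "me@recipient.example"):
        print(finding)
```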

because of the fact that i DO NOT ALLOW rendered, HTML-formatted email on my computer, they (whoever “they” is) don’t get ANY information from me.

which is precisely why you should NEVER allow your email client to render HTML-formatted email.

if you have a regular email client, not accepting rendered HTML-formatted email should be as simple as going to the settings and deselecting “Use HTML by default” or whatever your email client has (this is one of the differences in all email clients). if you use IMAP (web mail) you may or may not have that capability, so your mileage may vary. i very strongly recommend that you use an email client which is compatible with IMAP, and reply from that, even if you do use web mail. it makes things a hell of a lot easier, especially when you’re dealing with spam and identity theft.

i realise this is a lost cause, and that pretty much everyone sends, and receives HTML-formatted email by default, these days, but identity theft is still a MASSIVE problem, and it’s only being made worse by the default preponderance of HTML-formatted email. if you don’t want to have your identity stolen, ONLY ACCEPT PLAINTEXT EMAIL. it won’t guarantee that your identity won’t get stolen, but it will go a long way to make it a lot more difficult to do so.

this has been a public service announcement.

ETA: wordpress is concerned enough about my security that, yesterday, it sent me three notices concerning the fact that the link i provided above, which isn’t even a link, but just a text representation of what the link looks like, is a security risk, and offered to delete the page for me. THAT’S why i only accept plaintext mail. 👍

for further information, read In Apple Mail, There’s No Protecting PGP-Encrypted Messages which gives a contemporary example of why HTML-formatted email is evil.

Rule 3

an example of Rule 3, spammers are stooOOpid…

at 3:24 pm, today, this happened:

180501 stupid crack attempt

at 3:26 pm, today, i blocked 88.99.0.0/16 from accessing my web site.

you may not fit the definition of a spammer, but you are definitely stooOOpid. is it possible that you are a machine? you have not done your owner a favour, you know.

meta spam

i got spam the other day.

big surprise…

i reported it to the upstream provider, as i usually do. one of the upstream addresses to which i sent a report was [email protected]

today i got a return receipt from that address. it said “Не прочтено” which means “not read”.

seriously, i wonder why a company as big as Rostieliekom would maintain an “[email protected]” address and not have it respond to an abuse report. 😕

dear OVH

dear OVH,

i have been reporting, and blocking spam from your network for at least 5 years. i have at least 500 different addresses that you have used to hide behind, so that when the spam-reporting gets too extreme, you just start a new, incomprehensible email address… yes, i’m talking about [email protected] and [email protected] and [email protected] and [email protected] and EVERY FUCKING thing in between…

through my moderate poking around, i have discovered that most of these addresses are for Florent Demuynck, Stephane LeSimple, Falco Schmutz, Grillion Alexis, Tarik Benammar, Edouard Vanbelle, Benjamin Ficheland, Laurent Allard, and others (some of whom may or may not still be employees of OVH), and/or their boss, Octave Klaba.

today, for the first time, i have actually blocked someone from OVH for trying to login to this blog… YES, MY BLOG has been probed by 158.69.223.8.

this is a warning: if i EVER catch you or any of your minions poking around my web again, i will block you so fast that it’ll make your head spin.

i’m on to you OVH. don’t push me, or you’ll feel my mallet! 😠

hey, check it out…

so i got another 2,500 spam messages starting this morning, but i FINALLY figured out where the settings are on my server that let me do things like filter spam that all has the same subject line, but different senders, and how to block all messages that have a sender from a certain IP-address-range, or from a certain country…

no help from my host provider, naturally… i’m seriously getting the impression that, despite the fact that their home office is in great britain, they hire people from india, russia or south america to do tech support, and english is NOT their primary language… and if i have more than one question per response, they only answer the last one, and totally ignore all of the others. it took me four days and a great deal of consternation to get them to delist my IP address from hotmail, which is something, if i were to do it myself, would take about half an hour. 😒

spam spammers spamming

i am digging my way out from under an inundation of spam messages which arrived between around 1:00 am and around 4:00 pm yesterday. all told there were around 10,000 messages, but they were arriving in 10 to 12 message batches, about 500 every five minutes or so, and only started to decrease around 3:30.

but, at the same time, i sent two LARTs to the spammer’s upstream provider, yesterday, and today i got confirmation(!) that they had disabled their Luser’s email capabilities. i realise that they may just be blowing me off, and the gap will very quickly be filled with another spammer, but it’s good to know that my mallet is still quick and strong… 😎

ketchup

i isolated 10 “good enough” tracks from the raw files, but none of them were more than 6 minutes, and i wanted at least one that was 10 minutes or more, so i’m going back to fort worden next tuesday to try it all again. i’ve also bought a recording device of my own, which should make things more interesting, if nothing else.

i woke up the other day and tried to log in to my email account and discovered that everything was offline, and when i went to the host provider to determine why, i discovered that my account had been suspended because they received a spam complaint about me… except that, when i looked at the complaint they received, i recognised it immediately as one that i had sent to an upstream provider a couple of days before, and what they had done was forward it to the upstream provider on the “From:” line, instead of reading the headers to determine that they were, in fact, the people responsible… and, because of the fact that i NEVER receive spam complaints, they arbitrarily suspended my accounts, instead of reading the headers to determine who was actually responsible. 😕 since then i have received about 10,000 spam messages, in 1000 message increments, from people whose php servers have been compromised such that, simply by reading the headers and knowing where to click, i can actually see the spammer’s online interface on the compromised server…

but I was the one whose account was suspended for spamming. if it weren’t for the fact that i’m still recovering from my bout of changing host servers every few months, a few years ago, i would seriously consider switching, but… in spite of everything, the host server i currently use has been better than any of the others that i have found, for the price.

by the way, here is the place to get your email headers analysed, and here is the place to get information about the IP numbers you’ll get from analysing your email headers. basically it’s the same thing that spamcop used to do. i suppose there’s a way to automate it so that i don’t have to go through all the steps to figure out who gets the LARTs, but i like getting my hands dirty, because i know it’s being done correctly this way. 😏
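an added example, not part of the original post and not the code of the analysis sites it mentions: one way to automate the header-reading step, by trusting only the “Received:” lines written by your own relays and ignoring the “From:” line. the message, relay names and IP addresses below are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (assumption, not from the post). The third
# Received line was added by the sender and claims a false origin.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mail.recipient.example with ESMTP; Wed, 22 Jul 2015 06:00:03 -0700
Received: from compromised-host.example (unknown [203.0.113.77])
\tby mx.recipient.example with SMTP; Wed, 22 Jul 2015 06:00:01 -0700
Received: from bank.example (bank.example [198.51.100.5])
\tby compromised-host.example; Wed, 22 Jul 2015 05:59:00 -0700
From: "me" <me@recipient.example>
To: me@recipient.example
Subject: constructed sample

body
"""

# Hypothetical relays the recipient controls, by name and by address.
TRUSTED_BY = {"mx.recipient.example", "mail.recipient.example"}
TRUSTED_IPS = {"192.0.2.10"}

FROM_IP = re.compile(r"\[([0-9A-Fa-f.:]+)\]")
BY_HOST = re.compile(r"\bby (\S+)")

def injection_point(raw):
    """Return (ip, from_domain): the address that handed the mail to us.

    Received headers are read newest first. A line counts only if the
    "by" host is one of our relays; anything below the first line written
    by a host we do not control may be forged and is never read. The
    From: domain is returned for comparison only: it names the victim of
    the spoofing, not the party that should receive the complaint.
    """
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    for line in msg.get_all("Received", []):
        line = " ".join(line.split())          # unfold continuation lines
        by = BY_HOST.search(line)
        if not by or by.group(1).rstrip(";").lower() not in TRUSTED_BY:
            break                              # written by an outside host
        ip = FROM_IP.search(line)
        if ip and ip.group(1) not in TRUSTED_IPS:
            return ip.group(1), from_domain    # first outside address
    return None, from_domain
```

the address it returns is the one to look up for an abuse contact; the “From:” domain is shown only so the mismatch is visible.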

i have a gig next saturday with the fremont philharmonic at “dudefest” and another gig on sunday at the peace arch in blaine with the sousa band. i’m probably going to spend sunday night in bellingham… depending…

by the way…

just because i no longer have an address @spamcop.net DOES NOT indicate that i am any less than totally annoyed by spam messages that get sent my way.

an example could be found this morning, when i woke up, logged into my email client and discovered that i had over 1500 individual messages “From:” myself which were HTML formatted messages in brazilian portuguese (indicating that, in reality, they were not “From:” myself), and, as i sat there and watched, another 500 messages appeared and were downloaded within the space of 5 minutes…

they all appear to have originated on cloudapp.net, which is owned by microsoft. it was set up on a “host” that is called zpx09.cloudapp.net, but it doesn’t have a whois or mx entry, which doesn’t surprise me a great deal, but what does surprise me is that there appears to be a script interface at http://zpx09.cloudapp.net/caminho-ranger-32.php which looks like this:

[image: 150722 spam script interface]

great… now i can send my own spam. unfortunately, but not surprisingly, there is no indication to who the script belongs, but my guess is that if i write to microsoft, they will, eventually, take the script down and ban zpx09.cloudapp.net, if nothing else…

and while i was writing this, another 700 messages came in… time to block brazil, again. 😕

ETA: as of 6:00 pm there are 1500 more messages, for a grand total of over 3000 in a 12 hour period… and microsoft doesn’t even seem to care…

spam comment update

i adjusted the settings on my Limit Login Attempts plugin again, so that the first attempted login as “admin” (or anything other than the correct login name) results in a 720 minute (12 hour) block, and the second attempted login results in a 672 hour (28 day) block…

and STILL i have an estimated 5 attempted logins per day, and about half of them are blocked for 28 days… 😮

and, not only that, but two IP addresses — both from baghdad — have been blocked a total of 18 times (one has been blocked 10 times, and one has been blocked 8 times) since i installed the plugin, about 6 months ago.

and, so far, nobody has guessed the correct login name. 😎 although there have been some fairly obvious attempts, and some attempts — like “QhYQFvutnN” and “DouglasSevy” — that make me wonder what is really going on…

note

the only user other than “admin” that i have blocked since 141208 has been “QhYQFvutnN” which is really bizarre… i wonder what makes… you know, never mind. forget i said anything.

chuckle…

now that i am not so reliant on spamcop, i’ve bumped up my spam-fighting in some other ways that are proving to be rather interesting. the most recent item in this ongoing battle is that i have installed a plugin that limits login attempts for people whom i have not granted credentials to login. basically you get two attempts, and if your guesses are wrong, you are blocked from accessing the blog for an hour. at that point, you have two more tries, and if you fail those, you’re locked out for 2 days…

i figured that this wouldn’t be a problem for people who actually know the password, and it would be another major roadblock for people who think they can guess it (hint: don’t even bother).

i installed the plugin two days ago, and i’ve already gotten four five IP addresses that have been blocked for 2 days… it’s actually kind of amusing to watch — i get an email every time someone fails to login, so i get to watch as they try and fail and get blocked… 👿

and, to be honest, i am not sure that 2 days is long enough… i think i’ll wait and see, but i’m thinking that 30 days is more like what i am trying to achieve here… 👿
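an added example, not part of the original posts and not the plugin’s own code: a simplified per-IP model of the escalating lockout described here and in the “spam comment update” post, used to count how many password guesses one address can make in 30 days under each setting. it assumes one guess per second, no expiry of old failures, and a constructed IP address.

```python
from dataclasses import dataclass, field

HOUR, DAY = 3600, 86400

@dataclass
class LockoutPolicy:
    retries: int      # failed attempts allowed before each lockout
    short_block: int  # seconds blocked after the first lockout
    long_block: int   # seconds blocked after every later lockout

@dataclass
class LoginLimiter:
    policy: LockoutPolicy
    state: dict = field(default_factory=dict)  # ip -> [fails, lockouts, blocked_until]

    def attempt(self, ip, ok, now):
        fails, lockouts, until = self.state.get(ip, [0, 0, 0])
        if now < until:
            return "blocked"                   # still locked out, guess not evaluated
        if ok:
            self.state.pop(ip, None)
            return "ok"
        fails += 1
        result = "failed"
        if fails >= self.policy.retries:
            lockouts += 1
            first = lockouts == 1
            block = self.policy.short_block if first else self.policy.long_block
            until, fails, result = now + block, 0, "locked"
        self.state[ip] = [fails, lockouts, until]
        return result

def guesses_allowed(policy, days, ip="198.51.100.9"):
    """Count guesses one IP gets if it retries the moment each block ends."""
    limiter, now, count = LoginLimiter(policy), 0, 0
    while now < days * DAY:
        limiter.attempt(ip, ok=False, now=now)
        count += 1
        now = max(now + 1, limiter.state[ip][2])  # wait out any block
    return count

# Settings described in the posts (the third is the 30 days being considered).
TWO_TRIES_1H_2D = LockoutPolicy(retries=2, short_block=HOUR, long_block=2 * DAY)
ONE_TRY_12H_28D = LockoutPolicy(retries=1, short_block=12 * HOUR, long_block=28 * DAY)
TWO_TRIES_1H_30D = LockoutPolicy(retries=2, short_block=HOUR, long_block=30 * DAY)
```

under these assumptions, the two-day setting lets a single address make 32 guesses in 30 days, the 12 hour / 28 day setting allows 3, and a 30 day long block allows 4.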

do not send email via spamcop.net to contact me any longer!

effective IMMEDIATELY, my email address is NO LONGER @spamcop.net…

there has apparently been a pretty extreme change of attitude at Cisco (the owner of spamcop), resulting in two things that are very bad, both for me, and for the internet at large. the first is that they are no longer providing email service @spamcop.net, and the second is that they are arbitrarily deleting “false-positives” — a message that appears to be spam, but actually is a legitimate message — without allowing me to check and forward those messages which are legitimate.

the result is that i am NO LONGER receiving email @spamcop.net. they SAY that they will forward “legitimate” mail for one year, but they also say that they will delete any mail which appears to be spam, according to their “Cisco reputation system”, which i know to occasionally find false positives among people who occasionally email me… so i HIGHLY RECOMMEND that, from now on, if you want to contact me personally, you send mail to salamandir at hybridelephant dot com (ganesha at hybridelephant dot com is still good for business related issues).

it’s been more than 10 years… it’s the end of an era.