Journal of PlanetMike

Wow, I’ve just received my first batch of comment spam from a real “person” (if spammers are to be considered people.) It’s all from the IP address of 121.35.151.27, which is in China. The first hit was this morning at 2:03am. “121.35.151.27 – – [13/Mar/2007:02:03:31 -0500] “GET /journal/2007/02/08/powered-by-wordpress-directory/ HTTP/1.1” 200 5080 “http://www.google.com/search?q=powered+by+wordpress&hl=en&newwindow=1&start=20&sa=N” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
”

So, he started out by googling for “Powered by WordPress.” Then he actually visited my web site (the home page, another blog entry, my jokes listing, a few jokes, back to the blog, submitted comments on several entries, then left at 2:48. So, he spent 45 minutes on my site, for no real purpose. I guess this is the next wave of things to fight against.

This clickstream would have defeated Bad Behavior. And Akismet missed all of the comments as well. A human would have gotten past a CAPTCHA or math question. Hmmm, adding all of ChinaNet to the firewall? That would only work until the spammers use infected Windows machines as proxies, so it looks like they are surfing from the US.

Pascal van Hecke recently caught some spam that was sent to a unique email address he gave to Performancing.com. Read the details. One problem is he used a very simple tagged address that could be easily guessed. For example, I would guess that his MyBlogLog email address is mybloglog.com[at]vanhecke.info. So what’s to stop the spammers out there from bruteforcing popular domains at other domains? For example, amazon.com@whatever.

That’s why I use a bash script to create unique email addresses when I register at a new site. The script uses the MD5 function to create a unique 32 character email address. Then it adds the address to my mail server’s virtusertable file. Here’s the script:

#!/bin/bash
domain=example.com
password=pick-a-strong-password
ts=`date`
echo $ts
echo $password
echo $1
echo $password $1 | md5sum –
echo $password $1 $ts >> listing.txt
echo `echo $password $1 | md5sum – | cut -c 1-32`@$domain
echo `echo $password $1 | md5sum – | cut -c 1-32`@$domain >> listing.txt
echo >> listing.txt
echo `echo $password $1 | md5sum – | cut -c 1-32`@$domain pm-list >> virtusertable-list.txt

This is much safer than simply using “their domain name”@”your domain name.” See Bruce Schneie’s Crypto-Gram Newsletter for May 15, 2003 Unique E-mail Addresses and Spam for similar thoughts.

In the last 3 weeks, my spam-only domain at Gmail has collected 216,031 pieces of spam. I’m interested in selling the domain. If you’re interested, email me privately.

Wow. Seeing is believing. After nearly three days, my catchall account in the Google Domain Appliancehas caught 67,930 messages; and has 3,185 messages in the Inbox. The amazing stat is at the bottom of the mailbox: “You are currently using 864 MB (42%) of your 2048 MB.” Looking through the messages, it looks like the attachments on the spam are using a giant hunk of the space. It looks like I’ll need to clean out the Spam box much sooner than 30 days, or mail coming in will start to bounce.

I wonder if there’s an easy way to chart the mail volume coming into a Gmail account? I could download the mail with POP, but that seems like a waste, and an uphill battle.I thought about turning this mailbox into an automagically updating WordPress blog, but I’m not sure why. Would making all this data be useful to anyone? I see mostly true non-existent user error messages, but there are a few vacation messages, spam complaints, and other backscatter. Thoughts?

If I tag the Inbox messages as spam, will that affect other users of Google’s mail appliances, or just this one account? I don’t want to mess up any one else’s email.

(Now up to 68,123 spam, 3,187 Inbox, 866MB used)

I just logged into the catchall account for the domain I added to Google’s Web appliance. Spam to the old box in my office has slowed to a trickle (only 61 messages last hour, down from 1,237 for the same hour yesterday). In the Google Web Appliance, there are 2,596 spam messages caught, 12 missed that ended up in the Inbox. In 3.4 hours, that’s a rate of 649 spam per hour, 12.7 per minute, or roughly one spam every 5 seconds.

I’m using 10MB of space. So far. So extrapolate that out, I’ll be at 2,160MB in 30 days. The size limit appears to be 2,048MB. So I’ve got a shot to fill the box up.

Back in May (see Gmail Collection) I detailed my results in sending a spam-only domain’s email to a new account at Gmail. I just logged into that Gmail account, there are 55,460 messages in the inbox, using 402MB. All but three messages are from January to May 2006 when I stopped forwarding mail. In the spam mailbox are 353 spam messages that came in over the last 30 days. And then there are three messages that came in after May 11 that were missed by the filters at Gmail.

So I’ve just decided a more accurate test is called for, and one that won’t cause my local server’s hard drive to fill up every month or so is to move the domain over to Google Apps for Your Domain. Once I updated the DNS, it looks like things are working. It’ll be interesting to see how the spam traffic changes as the DNS update propagates. I’ll keep you informed.