Archive for the ‘Junk mail’ Category

Punished for a fake identity on the net

Tuesday, July 8th, 2008

From Slashdot: “Recently a MySpace user, Lori Drew, was charged with a felony for the heinous crime of pretending to be someone else on the Internet. Using the Computer Fraud and Abuse Act, Lori was charged for signing up for MySpace using a fake name.”

I have used fake identities and fake information to sign up for user accounts since I have been on the internet. Thanks, but I don’t like spam in my inbox or my snail mailbox giving me “offers” from your business associates. You can continue sending it to Howie Feltersnatch at 1313 Mockingbird Lane somewhere in Ohio.

I really don’t give a flying fuck if IMDB wants to sell my personal info in order to allow me the privilege of posting a review saying that some movie sucked.

I really don’t give a flying fuck if Myspace or Youtube or Facebook want me to provide personal info they can use or sell in return for the privilege of showing me advertisements.

If Meijer’s required me to let them photocopy my driver’s license for the privilege of buying groceries from them, I’d give them a fake ID just out of principle. When stores want me to sign up for a “shoppers card” so they can track me just for the privilege of being able to pay normal prices instead of the inflated ones, I sign up with a fake address and the name Seymoure Butts. Out of principle.

If they don’t like that and don’t want my business and want to ban me – fine, I’ll shop somewhere else. If they don’t ban me, then I’ll patronize them and continue to flout their bullshit and intrusive policies.

But if they want to have me arrested, then we have a serious problem.

The Social Security Number problem solved (sort of)

Wednesday, May 14th, 2008

The Social Security Administration doesn’t accept paranoia as a criterion for granting a new card, but it recognizes cultural objections and religious pleas. One stratagem: Contend that your credit has been irrevocably damaged by a number-related snafu, or that you live in fear of a stalker who knows your digits.

Once you switch your SSN, never use it. Then use the fake one of 078-05-1120. It’s a specimen number from the Eisenhower era. No need to give your correct number to the cable or phone company. They don’t need it. Period. Of course it’s possible that someone else has used this number already, but so what.

The only one who needs your SSN is your employer because they have to make the contributions. Your bank doesn’t need it – they, as well as your mortgage company, broker, etc., can use a Taxpayer ID # to create 1099s and such for the IRS. And health insurance companies have no shittin’ business with your SS#, not to mention the galactic stupidity of putting it right on your ID card.

When someone asks me for the last 4 digits of my SSN, I ask them to use another security key. If they can’t, I don’t do business with them.

Anyway, using a SSN+address for authentication is as ridiculous as using a username+IPAddress alone for online banking.

I wonder why more companies/organizations don’t realize this, and any step to educate them is a step in the right direction.

The answer is easy: They do realize it.

They just don’t care because the current system minimizes their financial losses by transferring those losses to the individual who has his/her identity “stolen”.

Making any changes would cost money which reduces profits.

Any changes that improved the situation could be used to find them responsible when/if their new system is defrauded.

So, fixing the system is, from the individual company’s point of view, all loss and no gain.

What are politicians doing to fight spam?

Tuesday, January 23rd, 2007

Arrests don’t seem to happen that often. Do a google for “spammer arrested”, and most of the hits are about the Buffalo spammer. He was arrested back in 2003 to much fanfare. However my mailbox still gets some spam even after filtration. Do you think maybe there is more than one of them out there? Hello?!

I’m guessing spammers spam because they know the chance of them being caught is zero. Yet, this is a criminal racket just like any other criminal racket. If some serious money is put into law enforcement, then spammers might finally get the shakes. Apart from pump-n-dump stocks (get off yer asses SEC), spammers aren’t hard to catch. Consider Mortgage spammers. If you reply to a Mortgage spam (I am told) you will later be called by a seemingly unrelated mortgage agency. They have bought your contacts off the spammers. Everything can be traced, and if we have the feds seed spammers with 1-use-only phone numbers, buying stuff and tracking it just like they do any other illegal contraband, of course they can bust it. Make receiving spammed contact details an offence too. The recipient must be reasonably confident that the leads they received are not spam. Harder to prove, but if there is a reasonable chance of prosecution buyers of spam harvests will become shyer and the market dry up. Let’s make it a legal requirement that ISPs have to report spamming users to the feds.

Let’s get beyond “fines” for offenders – fines for any profitable business are merely an operating expense. What really scares company directors is jail time. This has been used in Los Angeles to force companies to comply with laws they’d otherwise have simply paid out. If a spammer thinks there is a 0.0001% chance of him being caught (and then let off with a warning), they will do it. If they think they probably can’t sell their harvest, have a 50% chance of being caught, and will definitely go to jail, they won’t – it’s just that simple.

So why isn’t this happening?

1 – It’s not an issue for politicians. I can just about guarantee that the “older crowd” in Washington doesn’t use email often as most of them don’t implement technology to do their jobs even though they should. Our government is wasteful and inefficient enough as it is – use the technology that’s there. The problem is most politicians don’t know enough about technology, but want to create laws governing technology and this fangled gadget called “the internet”. I want to see politicians debating about spam! and so…

2 – The money isn’t budgeted for law enforcement. With some Elliot Nesses on Spam, I would imagine that we can crack this, but how do we let the politicians know this is an issue for us?

Messagelabs spam filtering service SUCKS!

Thursday, December 21st, 2006

Upon attempting to send an email to someone at my place of employment, it got bounced. Here is the message I received:

xxx.xxx.xxx.xxx failed after I sent the message.
Remote host said: 553-Message filtered. Please see the FAQs section on spam
553-at http://www.messagelabs.com/support/ for more
553 information. (#5.7.1)

This is the third time I’ve seen messagelabs used as a 3rd-party spam filtering service by businesses, and it has blocked legit messages from both my domain and my former employer’s domain. So I decided to investigate a bit further and figure out why I’m being blocked this time.

First, let’s follow Messagelabs’ guidelines found here.

Let’s go down the checklist:

Ensure your mail server is not open relay – http://www.abuse.net/relay.html.

I entered my domain name here and my server passed this test just fine.

Check if your sending IP is on any black lists. A good place to check this is http://www.dnsstuff.com. This will be able to show any 3rd party lists that may have received spam from your mail server.

Next, I checked DNSstuff per their guidelines and there were two entries, both from SORBS.net, which stated:

Netblock: 75.21.160.0/19 (75.21.160.0-75.21.191.255)
Record Created: Wed Sep 13 05:17:29 2006 GMT
Record Updated: Wed Sep 13 05:17:29 2006 GMT
Additional Information: [SBC Supplied Dynamics List - 18/8/06] Dynamic/Generic IP/rDNS address, use your ISPs mail server or get rDNS set to indicate static assignment.

So SORBS blocked a huge list of SBC customers from sending email if they decided to use their own server for sending email. Fine, this doesn’t affect me because I already use my ISP’s mail server for sending email. However, SBC doesn’t allow sending of mail anyways unless you configure your mail server just right and I don’t really feel like jumping through the hoops. This is to prevent virus infected Windows machines from clogging the internet up with even more spam. So yes, I use my ISP’s SMTP server for sending mail from my domain, so this doesn’t affect me.
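What a blacklist check like the one above does at the DNS level, as an added example that is not part of the original post: the client reverses the IPv4 octets, appends the list's zone and looks up an A record. The address 75.21.170.9, the zones `dul.example` and `parked.example`, and all answers are constructed; the resolver is injectable so the sample runs offline.

```python
import ipaddress
import socket

# DNSBLs signal "listed" with an A record inside 127.0.0.0/8.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Build the lookup name: IPv4 octets reversed, then the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this sketch")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """A-record lookup through the OS resolver; None when there is no answer."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def check_dnsbl(ip, zones, resolver=system_resolver):
    """Return {zone: (status, answer)} for every zone queried."""
    results = {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer is None:
            results[zone] = ("not listed", None)
        elif ipaddress.ip_address(answer) in LISTED_RANGE:
            results[zone] = ("listed", answer)
        else:
            # A public address here usually means the zone is dead or its
            # domain was parked; treating it as a listing blocks everyone.
            results[zone] = ("unexpected answer", answer)
    return results

def demo():
    """Run the check against constructed DNS data instead of the network."""
    ip = "75.21.170.9"  # constructed address inside the netblock quoted above
    assert ipaddress.ip_address(ip) in ipaddress.ip_network("75.21.160.0/19")
    fake_dns = {  # constructed answers
        "9.170.21.75.dul.example": "127.0.0.10",
        "9.170.21.75.parked.example": "203.0.113.7",
    }
    zones = ["dul.example", "bl.spamcop.net", "parked.example"]
    return check_dnsbl(ip, zones, resolver=fake_dns.get)

if __name__ == "__main__":
    for zone, outcome in demo().items():
        print(zone, outcome)
```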

If your internet line is provided by DSL or Cable that shares IP’s with residential users, please ensure your mail server sends to your ISP’s smarthost instead of direct to the internet. This reduces the potential of your email as being mis-detected as coming from a Trojan infected home user machine.

Confirms what I have just stated – doesn’t affect me.

Ensure the email you are sending does not contain any spam content (ie. forwarded spam or ‘spamvertised’ URL’s).

I’ve sent emails to the same user with the same content and rarely with any URLs whatsoever. In fact, the email that got filtered only had one URL in it, but it’s been in my signature for years. My mail signature:

--
"How much time do we have?"
Linux user #309094
Machine IDs 195080, 243403, 243404
counter.li.org

Ensure your mail server is configured correctly.

I have run several tests on it including the tests from messagelabs and I’ve passed all tests with flying colors.

Ensure you have no virus infected machines on your network that are being used to send spam through your mail server.

I use Linux and have checked for rootkits for shits and giggles.

Ensure you have no exploitable web scripts on your web servers that could be abused to send spam. The most commonly used one is php contact scripts which spammers can easily abuse the php mail() function to send what they want.

I’ve tested all PHP scripts on my web site and I do not have any php mail() functions other than for registration of this blog. However, all outgoing mail for new registrations on this blog is approved by me first before being sent, so this is not an issue.

Make sure any ‘opt-in’ newsletters contain an ‘opt-out’ link to be certain users can easily unsubscribe.

I do not send out any newsletters, nor do I ever plan to.

Last, but not least:

What does “553-Message filtered” mean?
This means that your email has met certain characteristics which make it appear to be spam. Please refer to the above suggestions and try sending the email again. If the email continues to be rejected with the “553-Message filtered” message, please contact your recipient and request that they add you to their approved senders list.

For the record, I sent no attachments either. My message, verbatim:

Subject: Hi!

Just thought I'd drop you a line and say "hi". Hope you're having a good
day!

:)
--
"How much time do we have?"
Linux user #309094
Machine IDs 195080, 243403, 243404
counter.li.org

Now I seem to remember a few worms sending out email with the subject of “Hi!”, but have spam filters really become this strict or stupid? I sent the same message with the subject “Howdy” and it appears to have gone through just fine.

What really yanks my chain on stuff like this is the fact that companies even feel the need to use a 3rd party spam filtration service to begin with. If they’re using and maintaining their own mail server, then why not configure their own spam filtration system? It takes just a few minutes and doesn’t cost the company a dime. They’ll spend all sorts of time and money on securing their mail server and then the time and money on the initial system itself (*cough* Microsoft Exchange *cough*), and then not take a few minutes to set up the mail server or a second machine to do their own spam filtration. What gives? Look, I don’t know how much you’re spending on 3rd party spam filtration services, but here’s some free advice – stop doing it. It’s not secure by nature.

Here’s a free, easy solution that takes only a minimal amount of time to set up. Before the messages hit your email server, route them through a Linux mail server for filtration. Something like SpamAssassin with Postfix would do, or even just setting up Postfix to work as a spam filter on its own with the following configuration lines would work wonders (copy and paste if you’d like):

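header_checks = regexp:/etc/postfix/header_checks

# Require HELO/EHLO before MAIL FROM, and disable VRFY so addresses cannot be probed.
smtpd_helo_required = yes
disable_vrfy_command = yes

# Cache for the address probes made by reject_unverified_sender/recipient.
address_verify_map = btree:/var/run/postfix_address_verify

# Answer these rejections with 450 (temporary failure) so that a wrongly
# blocked sender's server retries instead of bouncing the message.
non_fqdn_reject_code = 450
invalid_hostname_reject_code = 450
maps_rbl_reject_code = 450

# Restrictions are evaluated in order; continuation lines must begin with whitespace.
# Confirm each DNSBL zone is still operating before use; a retired zone can
# time out or answer for every address.
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/recipient_access
    reject_unknown_recipient_domain
    reject_unknown_sender_domain
    reject_unknown_hostname
    reject_unknown_client
    reject_unverified_recipient
    reject_unverified_sender
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_non_fqdn_hostname
    reject_invalid_hostname
    reject_rbl_client relays.ordb.org
    reject_rbl_client list.dsbl.org
    reject_rbl_client sbl-xbl.spamhaus.org
    reject_rbl_client combined.njabl.org
    reject_rbl_client bl.spamcop.net
    reject_rhsbl_sender dsn.rfc-ignorant.org
    reject_rhsbl_sender bogusmx.rfc-ignorant.org
    reject_rhsbl_client dsn.rfc-ignorant.org
    reject_rhsbl_client bogusmx.rfc-ignorant.org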
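The 450 reject codes in this configuration and the 553 bounce quoted earlier in this post differ in what the sending server does next: a 4xx reply leaves the message queued for retry, a 5xx reply bounces it at once. The parser below is an added example, not code from the original post; the 450 reply line is constructed, and the 553 lines are the bounce text with the "Remote host said:" prefix removed.

```python
import re

# One reply line: 3-digit code, '-' (more lines follow) or ' ' (final line), text.
REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")
# Enhanced status code (class.subject.detail), wherever it sits in the text.
ENHANCED = re.compile(r"(?<![\d.])([245]\.\d{1,3}\.\d{1,3})(?![\d.])")

def parse_smtp_reply(lines):
    """Parse a possibly multi-line SMTP reply into (code, enhanced, text)."""
    code, texts, finished = None, [], False
    for raw in lines:
        if finished:
            raise ValueError("data after the final reply line")
        m = REPLY_LINE.match(raw.rstrip("\r\n"))
        if m is None:
            raise ValueError(f"not an SMTP reply line: {raw!r}")
        if code is None:
            code = m.group(1)
        elif m.group(1) != code:
            raise ValueError("reply code changed in the middle of a reply")
        texts.append(m.group(3) or "")
        finished = (m.group(2) or " ") == " "
    if not finished:
        raise ValueError("reply is incomplete: no final 'code<space>' line")
    text = " ".join(texts)
    enhanced = ENHANCED.search(text)
    return int(code), (enhanced.group(1) if enhanced else None), text

def sender_action(code):
    """What a sending mail server does after receiving this reply code."""
    if 200 <= code < 400:
        return "accepted or continuing"
    if 400 <= code < 500:
        return "keep in queue and retry later"
    if 500 <= code < 600:
        return "bounce to the author now"
    raise ValueError(f"not an SMTP reply code: {code}")

# The bounce from this post, one list item per line.
BOUNCE_553 = [
    "553-Message filtered. Please see the FAQs section on spam",
    "553-at http://www.messagelabs.com/support/ for more",
    "553 information. (#5.7.1)",
]
# Constructed: a reply of the kind a 450 reject code produces (192.0.2.25 is a documentation address).
SOFT_450 = ["450 4.7.1 Service unavailable; Client host [192.0.2.25] blocked using bl.spamcop.net"]

if __name__ == "__main__":
    for reply in (BOUNCE_553, SOFT_450):
        code, enhanced, text = parse_smtp_reply(reply)
        print(code, enhanced, sender_action(code))
```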

Think to yourself how messagelabs likely filters spam. It appears that they’re using SORBS, a freely available spam database, for filtration and probably a few on the list above, so why not cut out the middleman and just do it yourself? They’re all free to use for anyone. Some are better than others, but shouldn’t you be the judge of which ones to use? I have found that SORBS is not the best choice for spam filtration both personally and through professional colleagues, but to each their own I suppose. At least then you have the ability of tweaking things, if necessary, to suit your business needs rather than leaving your business in the hands of others…who also may or may not be responsive to your business needs.

No monthly fees, no tweaking of rules, no fuss. Just config and forget. Wasn’t that easy?

FTC CAN-SPAM

Tuesday, May 16th, 2006

uce@ftc.gov

“Consumers forwarded more than 1.8 million of their spam e-mail messages to the FTC.”

Ever since I heard about the FTC’s spam address I forwarded all my spam to it (what made it through my filters at least), even after hearing detracting opinions about it. Good to know my contribution to the effort of fighting spam is put to use…or is it?

Microsoft unveils “adCenter”

Friday, May 12th, 2006

Search isn’t the only place where adCenter will place advertising. In the future, Microsoft said, it expects to launch ads in e-mail, the Spaces blogging program, on mobile applications, in Office and on the Xbox.com Web site.

That’s wonderful! If there’s one thing I enjoy about watching television, it’s when my favorite program cuts to commercials and there’s a guy with an annoying voice repeating everything. Damn, I just get elated at the prospect of someone soliciting products & services to me non-stop.

Yeah, I also like it when I’m trying to read an article and a 20mb flash application kicks up on top of what I’m trying to read telling me about Toyota’s specials. That sure is awesome.

I love turning on the radio because I’m not looking for music, I’m looking for annoying talk about some product I’m missing out on. There’s nothing like nodding your head to a good advertisement of a Fat Bastard impersonator trying to get you to come to Bub’s Bar & Grill.

And now you want to make my mobile device throw random messages at me. Hey, maybe you can interrupt my personal telephone calls with advertisements from an annoying sounding person! That would be great.

And advertising in my productivity applications! And my games! That’s just … great, it really is.

But why stop there? What boundaries does my personal life have yet that you have failed to knock down and ignore? What about the novels I read? Can they have advertisements that cover up the words until I read them? Or maybe you could make software that injects product placement into scripts and storylines?

In fact, I love advertisements so much, you can tattoo me and inject electrodes into my head so all I do is think about Microsoft and how badly I want the XBox 360. Yes, I would finally be able to die happy!

If you hadn’t noticed, I was being sarcastic.

Over-advertising

Wednesday, April 12th, 2006

In the not-so-distant future, you’ll get up, in the morning… your alarm will ring out a company jingle, and remind you that you were 5 min late to work yesterday — if this keeps up, it’ll be reflected in your performance review.

You’ll get out of bed, and your coffee pot will let you know that the local supermarket is having a sale on a new brand of coffee filters that you would, probably, like – considering your habits.

Your stool will be analyzed by your commode, and you will be informed that: 1) Your doctor’s office would like to schedule an appointment to check on your hemorrhoids, 2) There’s a sale on hemorrhoid cream, at the corner chemist’s, and 3) Your health insurance premium just went up by $0.25/month, due to your increased risk of developing colon cancer.

With this joyful news, you step into the shower, where you will be able to learn about a new sign-up special at the local health-club, to assist you in dropping those extra 2.3 kilos that you picked up, over the holiday.

Looking in the mirror, you will be able to catch an ad for a new hair-color which will help you to look younger, by hiding that gray (see it, there — left temple, *three* new white hairs!).

…and on and on.

Ad infinitum, ad nauseam

Sendmail flaw

Monday, March 27th, 2006

A new flaw in Sendmail has been announced, but apparently it’s very difficult to exploit. From the web site (rapturesecurity.org) that first reported the Proof of Concept code and instructions:

—snip—
step 1)
connect to sendmail server say something like
helo me\r\n
mail from: myemail@hotmail.com
rcpt to: root data

step 2)
wait for server to say go ahead
send about 32767 characters inside a header
note what time it is

step 3)
wait until you get:
451 4.4.1 timeout waiting for input during message collect

step 4)
note what time it was when that message happened

step 5)
you’ll be dropped back into smtp command mode, now there is a static pointer inside sm_syslog that’s your attack vector, you’ll need to recreate the collect timeout and race into sm_syslog
resend the helo crap

step 6)
wait for server to say go ahead
send about 32767 characters inside a header
and wait the time delta from the earlier 2 measurements

step 7)
send more header data (so that it’s now greater than 32768 bytes)

hopefully sendmail will now race and crash inside sm_syslog because:
a) we just sent sendmail into sm_syslog due to the fact that we sent > the max amount of header data
b) we have a timeout (SIGALARM, longjmp thingy) that should be pending about the same exact time that we entered sm_syslog
—/snip—

Also posted is a Proof of Concept to test if you are vulnerable. This needs a lot more work, and is not an exploit, but is a start:
http://rapturesecurity.org/jack/sendmail_tester_thingy.tar.gz

How to solve consumer identity theft

Tuesday, March 14th, 2006

I think the identity theft problem could be solved fairly easily if we persuaded Congress to pass legislation stating that whenever a company (or government branch) loses a person’s private information then that person is owed, say $1,000. I think banks would get serious about the public’s privacy pretty damn quick. Now all we need to do is get Congress to pass this legislation, which is clearly pro-consumer and somewhat burdensome to big-finance…

Uh… okay. I guess I’m living in fantasyland.

Nevermind.

Identity theft will remain a problem until the Credit reporting companies are forced at gunpoint to put in place controls to limit it and allow the owner to “lock” their credit report from any reading or reporting. The Credit companies make a crapload of money off of the illegitimate credit reports that are pulled on every person thousands of times a day. I typically find from 10 to 30 illegitimate credit report requests in my credit report every year from companies “phishing” for people to send pre-approved credit card offers and refinance requests, etc.

Let me lock my credit report down so that it reports only “CREDIT REPORT LOCKED BY OWNER” and identity theft will drop drastically. If you can not apply for new credit under someone’s name it makes stealing their identity nearly worthless.

It’s an industry problem that the industry refuses to fix because they profit from it.

Yet another credit card database breach – 17 million customers

Friday, March 10th, 2006

Once again, another large database full of names, phone numbers, addresses, and other personal information was stolen.

The transactions in the database span from 1998 to 2003, which was a period at the height of iBill’s success. It is thought to be an inside job – someone simply took the (approximately) 4.5 gigs worth of data and walked out the door with it to be sold on the black market.

From the article:
“Secure Science’s James says the 17 million database entries he found is prime data for spamming, phishing attacks, pretext phone calls and even possible hacking of vulnerable computers at the IP addresses listed.

Because the information didn’t include Social Security, credit-card or driver’s-license numbers, no U.S. laws require iBill or the companies for which they provided billing to warn victims. A year after the FBI first learned of the larger leak, they have also failed to issue any public warnings.”

This, I think, is absolute BULLSHIT. If there is a security breach at a place that has my personal information stored, you’re damn right I want to be notified. This type of corporate irresponsibility needs to be looked at and corporations need to be punished.

I’ll be posting ways to take care of consumer identity theft in the near future…stay tuned.