Spoutin' Off: Malware, spam still a pain in the software

By Michael Rau

October 2, 2006

Okay, enough already!

I’m drowning in spam, it keeps getting worse, I see no relief in sight, and I’m terribly ticked-off.

If you’ve been reading this column for a while, you know that my ongoing crusade against spam and other malware is a recurrent theme. It’s not that I want it that way, but the problem just keeps getting worse and I’m feeling a bit powerless to do anything else about it.

For those of you keeping score, my daily spam count is now up to around a thousand pieces. I use the junk filtering system in Thunderbird to redirect those to a separate folder, and I would estimate that the filter is around 99.5% accurate. But that other 5% can be problematic, so I still cull through those emails designated as spam to make sure I’m not losing anything important.

If you’ve ever sent me an email (thanks!), you know that I use a CGI-based form located on this column’s companion Web site to acquire these. The script, called FormMail, is broadly used and has always served me well – that is until recently.

One common method employed by spammers to gather email addresses is through the use of “bots.” These are applications that automatically surf the Web from site to site, scanning for any text matching the correct format for an email address (anyname@myurl.com). When a bot finds such addresses, it copies and stores them. These are then added to the spammer’s master database, and presto – that address starts receiving all the usual detritus you’d expect.

Some programs will also take the URL from that email address, and start generating random names, inserting them before the “@”, and then sending spam out under those names to and from the URL which they’ve hijacked. In that case, the mail administrator (me, for some of my clients) also receives those.

Webmasters have used the FormMail system for years now so that they wouldn’t have to include actual email addresses on their pages, thus protecting themselves from these bots. Apparently, it’s not working anymore.

Within the HTML code of a Web page using this form, there is one place where the email address to which the form is sent is inserted. It now seems that the current generation of bots is sniffing through the HTML code, rather than the page text, and is thus finding those email addresses.
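An added example, not part of the original column and not FormMail's own code: a small audit a webmaster can run over their own page source to see where an address is exposed even though none appears in the page text. The hidden field name `recipient` follows the usual FormMail convention; the sample page, its address and the script path are constructed.

```python
import re
from html.parser import HTMLParser

# Loose address pattern, adequate for an audit (not a full RFC 5322 parser).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class ExposureAudit(HTMLParser):
    """Record every e-mail address in a page and where in the source it sits."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []   # (address, location) tuples, in source order
        self._raw = 0        # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw += 1
        attr_map = dict(attrs)
        hidden = tag == "input" and (attr_map.get("type") or "").lower() == "hidden"
        for name, value in attrs:
            for addr in EMAIL_RE.findall(value or ""):
                where = "<%s %s> attribute" % (tag, name)
                if hidden:
                    where = "hidden input '%s'" % attr_map.get("name")
                self.findings.append((addr, where))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._raw:
            self._raw -= 1

    def handle_data(self, data):
        where = "inline script/style" if self._raw else "visible text"
        for addr in EMAIL_RE.findall(data):
            self.findings.append((addr, where))

def audit(html):
    """Return [(address, location), ...] for one page's HTML source."""
    parser = ExposureAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the rendered page shows no address, the source still has one.
SAMPLE = """<form method="post" action="/cgi-bin/FormMail.pl">
<input type="hidden" name="recipient" value="feedback@example.com">
<textarea name="comments"></textarea>
<input type="submit" value="Send">
</form>"""
```

`audit(SAMPLE)` reports the address once, located in the hidden `recipient` field, which is the exposure the paragraph above describes.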

When I discovered this had happened with the companion site FormMail page, I immediately changed the email address in the code, and guess what… Within 12 hours, I was getting spam at the new address I’d inserted.

The bots are winning and it’s getting pretty scary.

I’m exploring practical solutions and will let you know what I figure out. In the meantime, my email page is still functional, so let me know if you have any ideas.

I bring this up for a couple of other reasons.

The first is a recently released report that says private users are much more responsible for the proliferation of spam and other malware than professional users. This indicates to me that, while the pros are learning how to recognize and deal with malware, private Internet users aren’t.

So if you want to claim I spend too much time harping on this topic and scolding people about their online habits, I’d say the evidence indicates that I obviously don’t.

The second reason is an incident involving the courts and my friends at online watchdogs, Spamhaus.

Recently, a judge in Illinois entered a judgement against Spamhaus on behalf of a known spam operation called e360insight. I learned about this judgement in a most interesting way – via spam.

While sifting through my junk box, I came across an email that said the sender was Steve Linford with Spamhaus. Having corresponded with them before, I assumed this email was mistakenly shuttled to my junk file. But no – it turned out to have been sent using a fake email address through aliased IPs associated with known spam operations.

Now that takes some stones. You have a known spam operation sending out what amounts to a news release, touting its success at being a spammer using spam as the vehicle.

How ironic.

I’ve since received more copies of this, sent to various email addresses that I administer, from various fake email addresses.

It turns out that the judgement against Spamhaus was based on the fact that they ignored the lawsuit and the court entered a summary judgement based on the fact that they didn’t show up in court.

In a statement, Spamhaus pointed out that as a company doing business in Britain, a court in the United States had no jurisdiction over them. They went on to challenge e360insight to file the same lawsuit in Britain and see how far they’d get with it (not far – the Brits are much less tolerant of spammers than we are).

I just can’t seem to say this enough. Stop opening spam! Stop aiding and abetting one of the most prolific criminal enterprises in operation today.

Just say no!

Michael Rau is a mass-communications consultant in Virginia Beach. To send feedback or view past columns, go to http://dailypress.asoundidea.com.

Copyright © 2006, Daily Press