The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. http://www.spywareinfoforum.info/newlsetter/july15,2003.

Permlink | Top

Is it just me, or does it seem as if spammers have declared war on the entire internet? Depending on whom you ask, spam accounts for anywhere from 40% to 80% of all email traffic worldwide. I certainly can believe those numbers. Every morning, I wake up to see 50 or more emails sitting on the server. After weeding out the pitches for v 1 a g r a, 100% SUPER DUPER HARDCORE pr0n, bodily organ enhancements, and desperate pleas for assistance in moving enormous sums of money for Munbhadi Khalahari, son of the late, unlamented dictator of Lower Mandibia, perhaps five or six of those emails are real messages.

Every other news article on the internet these days concerns spam. Articles about the contents of spam. Articles about spammers. Articles about antispammers. Articles about filtering. Articles about legislation. Articles about spam installing viruses that send even more spam! Go to news.google.com and plug the word "spam" into the search box and see for yourself.

Why do spammers continue to send their garbage in such staggering amounts? Because, unfortunately, some people are stupid enough to buy from them. As Paul Myers once said, "Spammers exist because people buy from them. It typically takes from 1,000 to 10,000 spams to make one sale. If you buy from a spammer, you are PERSONALLY responsible for the next 1,000 to 10,000 spams sent... Including the porn spam sent to your kids."

It's like the drug war, as long as someone is stupid enough to buy what they're peddling, it will never be stopped and the so-called "War on Drugs" will never be won. Unfortunately, there is no way to pass a law against stupidity, no matter how nice the world would be if we could. What's really sad is that the fact that even if you do try to buy whatever is being pitched, often it is nothing but a scam.

The problem is so bad now, that companies that send legitimate email in large quantities are finding it extremely difficult to do so. Between spam filtering services, ISPs unwilling to host large mailing lists, inboxes crammed full so full of spam that legitimate email bounces, and the perception that all email marketing is spam, it's becoming hard to make a buck using the internet's "killer app". Online merchants find it next to impossible to find people willing to voluntarily receive legitimate marketing emails.

Stop rolling your eyes. There is such a thing as legitimate email marketing. Email should be the perfect way for businesses to keep past customers coming back over time. Let's take Barnes & Nobles for instance. I bought a couple of books from their online store several months ago. On the buying page, there was the ubiquitous "I would like to receive updates...." option.

Since B & N was courteous to leave that box unchecked by default and declare in clear terms that the address would not be provided to anyone else, I checked it to see what would happen. To date, no one but Barnes & Nobles has ever used that particular email address. About once every two weeks, they send an email announcing several books that have been discounted.

That's an ad, yes, but who cares? I like books, I'm a customer, and sooner or later a book I want will be among those discounted. That is how email marketing is supposed to work. Unfortunately for companies who would occasionally like to lure a former customer back to the web site, the overwhelming majority of people will leave that box unchecked. Even if people believe the web site's promise never to provide their email address to anyone else, who wants to agree voluntarily to ads in their email when they already receive dozens of unwanted ads a day?

Chris Pirillo declared recently that the age of the email newsletter is coming to an end. Considering that his business was built around, made famous by, and continues to exist because of the different Lockergnome newsletters, that's a chilling statement.

It's not something that I particularly want to hear either. I like my newsletter. I like the fact that thousands of people are signed up to it, all of their own free will. I like ranting at the world. To judge by the relatively small amount of flame mail I receive each week, many of you agree with my rantings. But, because of scumbag spammers, things are taking place that have the real potential to make email unusable for people like me who distribute email to thousands of people for legitimate reasons.

You know what's really cute in all this? Supposedly, there are really only about 150 or so major league spammers in the world that are responsible for well over 90% of all spam. The rest are people dumb enough to spam from their own ISPs or web site email servers or businesses new to the internet who don't know any better. Think about that for a second. A mere 150 or so people, ruining the internet experience of hundreds of millions of people.

Of course, I would never advocate violence of any sort, :-) , but if the likes of Alan Ralsky and Ronnie Scelson were to come face to face with a gang of armed network sysadmins.....

Links:

http://www.pirillo.com :: Chris Pirillo
http://www.talkbiz.com/spamwars.html :: Paul Myers' Spam Wars article
http://www.lockergnome.com/issues/daily/20030703.html :: The end of email newsletters
http://www.wired.com/news/infostructure/0,1377,57613,00.html :: Most emails are scams

Permlink | Top

Program: Mailbox Guard
Author: Piotr Walczak
Platform: Windows 9x, ME, NT, 2K, XP
License: $29.50 $24.50 [$5.00 off for SpywareInfo visitors until July 22, 2003]
Purchase: Click here to purchase

Mailbox Guard lets you see your mail before you receive it. It detects viruses, spam, and obscenity in your mail and even ranks the risk for you, in four categories:

VIRUS - active malware; viruses, worms, trojans, spyware etc.
SPAM - all kinds of unsolicited mail.
X_Rated - messages with adult only contents X and R rated.
Bad Language - messages with foul, obscene, explicit language.

This is a great program, especially if you have kids around while you are checking your email. Like other spam filtering programs, Mailbox Guard flags emails that may be spam. Unlike most other programs, it also flags email that contains foul language, pornographic material, viruses, and spyware.

A complaint that I hear all the time is that huge, obscene, pornographic images pop up in spam when it is being deleted, often while the kids are within view of the monitor. You don't even have to open the email for this to happen! Thanks to the preview pane in Microsoft Outlook and Outlook Express, this can happen even if you are just selecting the email to delete it. Mailbox Guard flags the message as spam and as pornographic and lets you delete it from the email server without ever downloading it.

Read the entire review

Every week, SpywareInfo arranges a discount on the programs best suited to keep your private life private. This arrangement lets us pay the bills to keep SpywareInfo running without having to sell ads to the likes of DoubleClick and X-10.

We do need your input, as the discount is for your benefit. What commercial privacy software would you like to see featured here at a discount? Drop us a note and let us know.

Links:

http://www.spywareinfoforum.info/downloads/mbguard/ Mailbox Guard review
http://www.spywareinfoforum.info/email2.php Suggest a product

Permlink | Top

As bad as spam is for the average person, consider how bad it is for people who have to give out their address to people over the internet. If you have had internet access for very long, you know that it is a very bad idea to leave your email address on message boards, newsgroup postings, and web sites. Why? Because web crawler robots (spambots) controlled by spammers will detect the address on the web page or newsgroup posting and add it to their database.

The use of these email harvesting spambots has made it very difficult for web sites to conduct business, particularly for those who must publish a contact address for their site visitors. According to the FTC, the majority of email addresses posted to web sites are harvested by spammers.

Last year, after allposters.com spammed email addresses harvested from the SWI message boards, I decided that enough was enough. It's time we stopped living in fear of these cyber terrorists. After the allposters.com spamming incident, I started The Harvester Project, a project whose goal was to send spam harvesters home with fake email addresses they couldn't use.

The original project had members creating a directory on their web sites filled with pages and pages of fake email addresses mixed with random text. This had the unfortunate consequence of causing a lot of bounced emails, and occasionally one of the randomly generated email addresses turned out to be real. It was a trade off, but the harm to the spammer was much worse than the harm to anyone else.

However, I have discovered a far more effective way to do this, and The Harvester Project now has a new direction. All members and future members, listen up.

The new purpose of this project is to trick spammers into revealing their IP addresses when they are harvesting email addresses from web sites. This is done by using server-side scripting to convert the IP address of the spambot into an unrecognizable string of letters and numbers, and then creating an email address with it. This email address is hidden from visitors using CSS code.

For example, let's say my IP address is 127.0.0.1 and I arrive at your web site to harvest your email address. The script would take my IP address, encode it, add a random number to it, then create an email address similar to the following: "MTI3LjAuMC4x@spywareinfo.org". The email address is hidden from most web browsers, but my spambot software will see it and record it.

Each spam sent to my spywareinfo.org web site will reveal the IP address of the spammer that harvested that particular email address. Each of those IP addresses will be added to the blacklist maintained here. As you can see, I have already caught a few spambots.

It is worth noting here that the CAN-SPAM bill making its way through the US Congress would make it illegal to harvest email addresses. If that is the case, then this list could put a few people in jail, where they can make the acquaintance of several "friendly" new roommates.

If you are already a member of The Harvester Project, delete all those pages full of fake addresses. You don't need them anymore. If you are a member and haven't been listed yet, it is because I lost quite a few emails from people that signed up before I could list them. Check to see if you are listed as a member, and if not, send me an email.

To answer the most obvious criticism, "what if spammers simply purge all spywareinfo.org addresses from their lists?" That's a legitimate concern, but most won't know there is a reason to do so. If you are willing to help with the project by letting a domain of your own be spammed, you can substitute spywareinfo.org with your own web site's domain, and then forward the spam to me as you receive it.

I also need some help from you. Are you an ASP or Perl coder? I need a Perl script and an ASP script that does this same thing (the PHP script I wrote is here). The Perl script doesn't have to be made for the current page. It can be "included" using SSI, ASP, or PHP. I don't know ASP and don't have it available on my server, so you'll have to test it to make sure it really works as it should. Send me an email if you're interested.

Read on to learn how you can join this project

Links:

http://www.ftc.gov/bcp/conline/pubs/alerts/spamalrt.htm :: FTC report on email harvesting
http://www.spywareinfoforum.info/harvest_project/spambots.txt :: Spambot List
http://www.spywareinfoforum.info/harvest_project/members.php :: List of Member Web Sites
http://www.spywareinfoforum.info/harvest_project/join.php :: Join the Project

Permlink | Top

If you have PHP enabled on your web site, you can have 100% protection from automated email-harvesting spambots with DB Master's PHP form mailer. This script hides your email address in the PHP coding, and cannot access the address by any means, not even by viewing the source.

If you have ASP enabled on your web site, you can have the same 100% protection using DB Master's ASP form mailer. As with the PHP script, this ASP script also hides your email address in the ASP coding.

If you have neither ASP nor PHP available, then you must have a terrible web host. You are not left out however. Robert Graham has created a tool on his site that will use various methods to convert your email address into an unreadable mess of symbols and numbers which spambots presumably cannot interpret as a valid address.

Using this method, there is no need to use a graphic of your address, as most browsers should be able to interpret the gibberish properly. I recommend saving the page to your hard drive so that you can use it even when not connected to the internet.

The page is at http://www.robertgraham.com/tools/mailtoencoder.html

Unfortunately, this last method is not foolproof. Some spambots will still be able to read the address, although why a spammer would believe an address harvested like this will be useful is a mystery. However, it should keep the overwhelming majority of spammers away.

Links:

http://www.spywareinfoforum.info/newlsetter/rd/25 :: DB Masters PHP Form Emailer
http://www.spywareinfoforum.info/newlsetter/rd/25 :: DB Masters ASP Form Emailer
http://www.robertgraham.com/tools/mailtoencoder.html :: Robert Graham's Email Encoder

Permlink | Top

By all signs, it would appear that both CAPPS II and TIA are being hung out to dry by the Senate Appropriations Committee. Both projects have been denied the money they would need to operate successfully.

Computer Assisted Passenger Prescreening System (CAPPS II) was the controversial plan to have airlines perform full background checks on all passengers, and share their findings with the government if anything "suspicious" turned up. Total Information Awareness (TIA) was to be a database of information collected about American citizens.

Last year, a presidential initiative known as TIPS suffered a similar fate. TIPS was an idea any dictator would have approved of. Citizens spying on other citizens, informing on those they didn't like.. that they felt were being suspicious. Children watching parents, parents watching neighbors, plumbers watching postmen... Thankfully, enough politicians remembered that this is the USA and not North Korea and the project died.

Two years ago, Al Quaeda attacked the United States with the hope of destroying the freedoms they hate so much. While they obviously have no hope of destroying the country, turning America into a police state would have been a great victory for them. For a while, I thought we were going to let them win. Now, I think things just might turn out all right after all.

Links:

http://dc.internet.com/news/article.php/2234511 :: Senate Cans CAPPS II Funding
http://wired.com/news/politics/0,1283,59606,00.html :: Funding for TIA All But Dead

Permlink | Top

Corporate executives are becoming increasingly aggressive about spying on their employees, and with good reason: now, in addition to job shirkers and office-supply thieves, they have to worry about being held accountable for the misconduct of their subordinates.

Even one offensive e-mail message circulated around the office by a single employee can pose a liability risk for a company. Not only that, but a wave of laws including the federal Health Insurance Portability and Accountability Act of 1996 and the anticorruption and corporate-governance Sarbanes-Oxley Act of 2002 have imposed new record-keeping and investigative burdens on companies. Not complying with some laws can result in the personal liability of officers and directors.

As a result, employers have stepped up their surveillance of employees, often using stealth techniques to peer deep into their computer use. As of 2001, more than a third of all American workers with access to computers, or 14 million in all, were being monitored in one way or another, according to the Privacy Foundation, a Denver research group; with added pressure on executives to oversee their employees' electronic activities, experts predict that those numbers will grow.

Read the rest of this article at the New York Times

Links:

http://www.spywareinfoforum.info/newlsetter/rd/27 :: New York Times - New Kind of Snooping Arrives at the Office

Permlink | Top

As many of you know, for some reason, the newsletter software has been activated early in the morning for the past few days. I honestly don't know what is causing it. I think a process is running on the web server at that time each morning and it is setting off the script. Looking at the logs, I see that it is sending a blank email to the first 600 subscribers. Thankfully, my own address is part of the first 600 or I wouldn't know anything about it.

This strange behavior has forced me to do something that I was considering anyway. I will be deleting the subscriber database after the newsletter goes out each week. There are 7,200 subscribers now, and I don't feel comfortable having that large a mailing list being stored on an internet server.

Effectively immediately, I will be storing the mailing list on my home computer, protected by PGP encryption. That means that the link at the bottom of each newsletter that allows you to remove yourself from the list will not work. As soon as I figure which file I need to edit, I'll be removing it entirely.

Sometime in the next week or two, I will be writing some custom scripts for the web site that will handle subscription and removal requests. In the meantime, if you would like to unsubscribe, reply to this newsletter and let me know and I will delete your address. Remove the contents of the newsletter before replying!

Permlink | Top

As I said earlier, I was already considering taking the mailing list offline. This odd behavior by the software is simply forcing me to make the decision. The reason for taking the subscriber list offline is because a very foolish person put it at risk of being stolen last Friday.

As many of you know, I use Invision Power Board software for my message board. Friday, someone published instructions on how to hack into this software by exploiting a security bug he had discovered. While he did bother himself to report the exploits to IPS first and waited for them to issue a patch, he published the details of the exploit immediately afterward. IPS had no time to warn their thousands of users that they needed this patch.

One of the exploits included a way to access the MySQL database server. That just happens to be where your email addresses were stored. Fortunately, my site was not hacked, as I learned of the situation early on.

This person, owner of a web site advertising itself as providing security consulting services, put my message board and my entire web site at risk, put your personal information at risk, and put at risk several thousand web sites whose owners could not possibly be expected to know that a critical patch was released early Saturday morning.

There was no reason or logic in releasing that information so soon. Releasing detailed instructions on the proper way to exploit a security hole without giving the thousands of web sites using the sofar time to update was negligent and irresponsible. Unfortunately, claiming credit for discovering the exploit and drawing attention to his security consulting business on the heavily read Bugtraq mailing list appear to have been more important than common sense to this individual.

You may have noticed that I have not named this person or his business. I don't intend to do so. He'll receive no free publicity here. While I would love to publish his address and let you, the people he placed at risk, tell him just what you think about it, to do that would be as immature and irresponsible as what he did.

As I stated in my ZoneAlarm article last week, I don't stand for companies refusing to patch bugs in their software. Most people agree with me on that. That article generated a lot of feedback, including a response from ZoneLabs, which unfortunately I couldn't read. I was dumb enough to delete that email accidently while clearing out spam. I have no idea what the message said and I don't even know who sent it, other than it came from "someone" at ZoneLabs.

I understand the need for publishing the fact that an exploit exists. Otherwise, people will not know they to need to update. I understand the need for publishing just enough details about the exploit to keep others from spotting it independently and thinking they are the first to discover it. What I do not understand is deliberately and needlessly endangering thousands of people for the sake of claiming credit and getting a little free advertising.

Surely these people understand that the very hackers that would exploit these sorts of vulnerabilities are among to first to notice them when they are newly published. Last year, the YaBBSE software that I used previously was hacked. It was hacked using an exploit that was published less than an hour before the incident occurred. The hacker was some kid using Google to search for the copyright and version message at the bottom of the message board, and Google led him right to me.

Thankfully for me, he was looking for neo-nazi web sites to deface, and my board didn't interest him. He was even nice enough to warn me about the bug and the work around to fix it until the developers could patch it. He also emailed my login and password to me, just in case I had any doubts about how real it was.

To anyone that discovers a security exploit, try to be responsible about it. Alert the maker of the software about the problem and give them time to fix it and inform their users before publishing it all over the internet. Yeah, I know, it's free publicity and I supposes it's "cool" to receive the credit for discovering the problem, but try to keep the following scenario in mind when deciding what to do with the information.

You park at a shopping mall and leave the keys in your car. Someone walking by discovers this, and reports it to security. Would you want mall security to call out your name over the public announcement system and asked you to come to their office where they can quietly explain what's happened? Or would you rather they broadcast all over the mall that the owner of the red Honda with the $3,000 worth of stereo equipment has left his keys in the ignition?

Links:

http://www.invisionpower.com/ :: Invision Power Services
http://www.spywareinfoforum.info/articles/zonelabs/ :: SWI - ZoneAlarm flaw is a bunch of hooey

Permlink | Top

Do you like SpywareInfo and this newsletter? Then please tell a few friends about it! We are trying to come up with ways to increase the number of visitors to the web site and the number of subscribers of this newsletter.

Recently I signed up for RecommendIt's service, also used by Scot Finnie and Fred Langa. When you use RecommendIt's service to send a link to a friend or family member, you can also choose to enter a contest with a grand prize of $10,000.

The privacy policy of the site looks solid and I did ask around if anyone had heard anything bad about it before I signed up for it. You can use their service to recommend SpywareInfo to someone you know at http://www.recommend-it.com/l.z.e?s=881459

Of course, you don't *have* to use RecommendIt's site to send a friend a link to the site. Just sending an email will also do the trick.

Links:

http://www.scotsnewsletter.com Scot Finnie's Newsletter
http://www.langa.com/newsletter.htm The Langalist