June 14, 2002
I know, I know, it's been over a month since the last issue went out. I've been so busy that I've fallen behind on a lot of stuff. I've caught up with most of it now, including an upgrade of both the newsletter software and the message boards. If anyone has any problem with either, please let me know.
Edit: June 14, 2002
The support forums were upgraded from YaBBSE 1.3.0 to 1.4.0 without a hitch. Unfortunately, the YaBBSE developers saw fit to include an ActiveX script in the new version of the message board.
Thank you. One of my readers posted at YaBB's forums about this and one of the developers more or less explained how to get rid of it.
For those running or thinking of running YaBBSE, line 1179 of /include/subs.php is where the script function is laid out and <yabb msn> inside the <head> is where it is called from inside the template. Delete that function in the /include/subs.php file and upload it, then remove that part of the template and that's that. :-)
Something else that kept me busy was a complete redesign of the web site. Nearly every page on the site now checks out as valid HTML. If you haven't seen it lately, I think you'll be surprised. Take a look around.
If you are using a Netscape 4.x browser, you'll notice two things. First, you can read the text, which is a change from before. However, you'll be reading it in plain text. The cascading style sheets used to design the site cannot be properly rendered by this browser. It is also prone to crashing when trying to display newer CSS properties, so I've rendered it incapable of even trying.
There are some other notable changes on the site. I've added two search forms. One is powered by Google and searches spywareinfoforum.info, spywareinfoforum.info/newlsetter, and google.com. The other is powered by spychecker.com and lets you enter the name of a product to see if it is known to bundle spyware into it (see below). Take a look.
I'm planning to add a new section soon. If you surf through my site, you'll notice something that is sadly lacking. There are no descriptions of the various spyware / adware systems out there. When discussing these programs, I usually just link to another site that has information on it. Soon I'll have that information available on my site. The name is SpywareInfo after all.
I mentioned weeks ago that I had been interviewed by reporters from some very large news outlets. One of these interviews has finally gone to print. "Gnat or Parasite? Angst Over Adware" by freelance reporter John Biggs appeared in the June 6, 2002 New York Times. I'm quoted a few times in this excellent article.
"The problem with most adware, Mr. Healan said, is that its makers know that users of popular software like RadLight usually click past the warnings and license agreements during software installation. It is that strategy that most outrages him."
"'They are parasites on the body of the Internet,' he said of the purveyors."
Free registration is required to read it (I know, real lame). Some people dislike being forced to register just to read an article. Certainly the people who made this site do. The fact that it is free makes one wonder why they want the information.
Also quoted in that article was Avi Naider, CEO of Whenu, the maker of SaveNow. I found Mr. Naider's comments to be extremely amusing, for what is written there seems to greatly contradict Whenu's claim that it does not track the browsing habits of its users.
"Yet some adware programs do not announce their presence at all: they simply hide on the hard drive or redirect Internet browsers, serving up advertisements and generally wreaking havoc."
"These are the programs that give adware a particularly bad name, said Avi Naider, chief executive of WhenU, the company behind SaveNow."
"Mr. Naider defends his product as a tool that serves up advertisements a few times a day based on the sites that users visit and the search strings they enter into their Internet browsers." - emphasis added
I said in the last issue that I was going to activate an idle domain and use it to host this newsletter's online version. I have since done that. The permanent home of the Spyware Weekly can be found at http://www.spywareinfoforum.info/newlsetter/. This domain is hosted free thanks to the good people at http://www.zortera.com.
Each issue will appear simultaneously on the main index page, your email inbox (for subscribers), and also in the appropriate archive location. For instance, this issue's permanent location is http://www.spywareinfoforum.info/newlsetter/archives/june-2002/06142002.html.
I've also gotten around to making an archive of the older issues, though I warn you, it's crude. I'll get around to making something prettier soon. Be warned, most of the graphics on the older issues are linked improperly. Something else I need to get around to fixing. (sigh)
Musiccity.com has released a new version of Morpheus. The new version 1.9 of the popular peer-to-peer file sharing program sports some new features, including a multi-network instant messenger client. As with the last few releases, it also includes a new version of the Wurld Media adware which it began bundling with a few months ago.
When Morpheus first started bundling Wurld Media into its P2P program, there was an immediate negative reaction and the lack of disclosure landed its new companion on several spyware / adware removal lists. Morpheus appeared to be aware of the reaction, for the next version made Wurld Media an optional install. In version 1.9, however, the installation is not optional. Even worse, when installing this version, it asks for some personal information, ostensibly for use with its new messenger client. Why does an instant messenger need my zip code, age, and sex?
This new version of Wurld Media can be removed via add / remove, though you may have trouble seeing its entry at first. You'll find it near the bottom of the list as "your cash rewards". I would assume that Morpheus works without it, but I didn't test for that.
In my opinion, this version of Wurld Media is adware and not true spyware, though its privacy statement makes me a little uneasy. Still, it is unwanted adware which in past versions reportedly spawned irritating popup ads. That in itself is enough to make me say "no".
As of yet, none of the major spyware / adware removal programs target this new version, although Lavasoft is examining it right now. Anyone interested in viewing the installation log of Morpheus and the removal log of Wurld may download it from my site.
For unknown reasons, there is a widespread re-infection of a known hijacker trojan which is now hijacking people to a new site, www.istarthere.com. The trojan can be identified by looking at MSCONFIG's startup tab for an entry labeled gshp which loads a file named zzgshp.vbs. This same file (along with another named winsys.vbs) has also been known to hijack people to www.loading-lolita.com and www.globesearch.com.
Ad-aware targets this hijacker now.
Three new adware systems came onto the scene recently. Netzany, Adbreak, and WinAd were recently reported to me and to Lavasoft. Details on Netzany and Adbreak are a little hazy. Adbreak may or may not be a trojan also known as floid.dll according to Doxdesk.com. WinAd seems to be little more than a popup generator. A user found it sitting in his Windows system directory and when loaded into memory it kept spawning popups for a pornographic web site.
Netzany and WinAd are removed by Ad-aware and Netzany is also removed by Spybot S&D as I understand it. Lavasoft is working on adding Adbreak to Ad-aware's reference file.
At least two of the hijackers that I've had to deal with in the past are now being classified as trojans and removed by anti-virus software. Many of you will recognize the filename "openme.exe". This is the one that sets itself to load by modifying system.ini to read "shell=explorer.exe openme.exe". It is also known as Troj/DSS-A. The other one is js/noclose.
I am very pleased to see the anti-virus companies targeting these hijackers and I hope it's a trend that continues. The openme.exe trojan is also removed by Ad-aware.
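A minimal check for the two indicators described above (an extra program on the `shell=` line of system.ini, and a startup entry that loads zzgshp.vbs or winsys.vbs), added here as an example and not part of the original newsletter. The function names are hypothetical, and the sample system.ini contents, startup list and file path are constructed.

```python
import ntpath

# File names taken from the newsletter text above.
KNOWN_BAD = {"zzgshp.vbs", "winsys.vbs", "openme.exe"}

def boot_shell(text):
    """Return the shell= value from the [boot] section of system.ini, or None."""
    # Parsed by hand: system.ini repeats keys (device=), which strict INI parsers reject.
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "boot" and key.strip().lower() == "shell":
            return value.strip()
    return None

def shell_extras(shell_value):
    """Programs named on the shell= line other than explorer.exe itself."""
    tokens = shell_value.replace(",", " ").split()
    return [t for t in tokens if ntpath.basename(t).lower() != "explorer.exe"]

def flag_startup(entries):
    """entries maps startup name -> command; return names that load a known-bad file."""
    hits = []
    for name, command in entries.items():
        words = command.replace('"', " ").split()
        if any(ntpath.basename(w).lower() in KNOWN_BAD for w in words):
            hits.append(name)
    return sorted(hits)

# Constructed sample data, not taken from a real machine.
SAMPLE_SYSTEM_INI = """\
[386Enh]
device=*vmm32
device=*vcd
[boot]
shell=Explorer.exe openme.exe
"""
SAMPLE_STARTUP = {"gshp": r"wscript.exe C:\WINDOWS\zzgshp.vbs", "SystemTray": "SysTray.Exe"}

if __name__ == "__main__":
    print("shell= extras:", shell_extras(boot_shell(SAMPLE_SYSTEM_INI)))
    print("startup hits:", flag_startup(SAMPLE_STARTUP))
```

Anything returned by `shell_extras` deserves a look even when it is not on the known-bad list, since a clean `shell=` line normally names only explorer.exe.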
After the last issue went out, I had an interesting experience. The mail server that I use to send this newsletter out got blacklisted by Spamcop.
Apparently someone signed up for the newsletter with the intention of forwarding it to Spamcop as spam. This is a pretty childish thing to do. One of the companies whose wallet takes a hit because of my site carried out this foolish prank. Sadly, this silly prank became a very serious matter because of the flawed methods in use by Spamcop.
You'd think that there would be some sort of safeguard against such false accusations. You'd think that complaints of spam would be examined before an entire IP address is thrown onto a blacklist. You would think that a responsible, supposedly legitimate service would not blacklist someone on the basis of three unverified complaints from the same person. Sadly, you would be wrong to think that.
Not only did a staggering three complaints from the same person get my mail server blacklisted, the blacklisting was automatic.
From Spamcop's web site:
How can I get removed from SpamCop's blocking system?
The short answer is that you cannot.
SpamCop automatically handles blocking and unblocking of ISPs. If SpamCop continues to receive reports of spam originating from the networks you are responsible for, those networks will continue to be blocked. If not, then you will be unblocked by SpamCop automatically after one week.
So, we have an organization accepting complaints from anonymous sources, not verifying the complaints, and automatically blacklisting whole mail servers as a result. Worse, if they're wrong, there is nothing you can do for an entire week!
On the Spamcop web site they claim that their system makes them the most accurate of the spam-fighting organizations. I think you can see for yourself how truthful this is. They even published a header from one of the complaints, clearly coming from my last newsletter, labeling it as a "spam sample". Considering that A.) it isn't true, and B.) it was never verified, that statement is libelous in just about any civilized nation on Earth.
I'll just be damned if I'm going to sit on their blacklist for a week watching my emails bounce. I had to send a cease and desist order to Spamcop demanding that the server be removed along with a promise that the next communication would be from my attorney. The owner of the hosting company sent emails. I asked the owners of the other domains on my shared server to send emails. I even asked the (then) 800 subscribers of this newsletter to send emails.
Two days later, the server was removed.
listed: Thursday, May 02, 2002 2:29:01 AM -0400
delisted: Saturday, May 04, 2002 9:45:02 PM -0400
A few days later, a Spamcop administrator posted to their newsgroups stating that any server blacklisted in error can be removed manually by contacting a certain email address. This apparently was a departure from their previous practice, so at least one good thing did come out of this mess. Perhaps the fact that they blacklisted a site that would otherwise be an ally made them see just how flawed their system really is.
I'm all for doing away with spam. That's what my site is about. Why do you think I hate spyware so much? One reason is because you will get spammed if spyware sends your email address back to the spyware company. I don't like regular email. What do you think my view of spam is? I want spam - real spam - to be made illegal.
Spamcop, however, needs to be removed from a position where it can interfere with the delivery of email unless they change their system. This guilty-even-if-proven-innocent attitude is outrageous and inappropriate for an organization based in the United States. Other services use different methods than Spamcop to decide what is truly spam. I hope these differing methods include verifying complaints before taking action. Wow, what a concept.
I'm not the only person with a legitimate email business that has been wrongly blacklisted. Since I started looking into Spamcop's practices, I've found case after case of people being falsely blacklisted. Not spammers; people sending legitimate emails who suddenly found themselves on the list and had to wait a week to get off because there was no official appeal process. I've talked to a few people who author very large newsletters, and all have had run-ins with Spamcop or with similar organizations. There is an excellent article on this problem at talkbiz.com (another is on the way soon I hear). I see in the news where Spamcop has gotten itself sued by a very large company. Is it any wonder?
Many web hosts, upon finding one of their servers blacklisted, would simply suspend the user's account. Thankfully for me, I picked an awesome web host for the .com server who realized something was wrong and contacted me. The owner even wrote an email to Spamcop in my defense. Ever since this nonsense happened, I've had a link to my host's main web site on every page of my web site as my way of saying "thanks". If you're looking for an outstanding host for your site, check out Dixie Internet Systems.
Finally, I'd like to thank those of my readers who sent emails to Spamcop and especially to those who braved the trolls and flamers of Spamcop's support newsgroups. I read through the threads in that newsgroup and was appalled at the ignorance and belligerence of these small-minded people. I was a spammer because Spamcop said I was, and no amount of actual evidence was going to sway them. Even when an administrator manually delisted the server, they continued to label me a spammer and continued to flame those trying to speak up for me.
On this page you will find a small program which allows you to search the Spychecker database right from your desktop. You type in the name of the software and it opens your browser to the appropriate page on the Spychecker web site. The results are the same if you use this program, use the Spychecker search form on my site, or search directly from the Spychecker web site.
The final word
An upcoming issue will be dedicated to showing you how to protect yourself from spammers so that you don't need to use dubious services such as Spamcop. It's really not that hard to stay pretty much spam-free. I haven't had spam touch my inbox in quite a while. This issue is already too large, so I'll save it for that issue, which I hope to have out in a few days.
The very next issue will be a special alert which everyone needs to look for. I am going to report on some very interesting news from the anti-spyware world. It's not quite ready for public consumption, but hopefully in a day or two I can let the cat out of the bag. Keep your eye on your inbox the next few days. I believe you'll find it worth the wait.