Posts About spam

siteground's braindead spam-filtering

We have a customer who pays us for both e-mail/web hosting and our anti-spam/anti-virus relay service, Swirbo. Swirbo is a service that filters mail by having mail for a domain sent to it first, via MX records, and then relayed to its final destination.

Recently, this customer began reporting that she was unable to receive e-mail from certain people. Some investigation yielded this information from Swirbo, while attempting to deliver a legit e-mail message from someone on aol.com:

Jun 14 10:50:10 mta1 postfix/smtp[5285]: 90D0D834038: to=, relay=redacteddomain.com[1.2.3.4], delay=3, status=bounced (host redacteddomain.com[1.2.3.4] said: 550 SITEGROUND Faked AOL, so you must be spam. (in reply to RCPT TO command))

Continue reading "siteground's braindead spam-filtering"...

Google and Greylisting

We've had a recent spate of complaints from our Swirbo customers regarding their inability to receive mail from certain Google apps -- i.e. if you invite someone to view a blog, or a docs.google.com document. Today I got an example of the actual error they are getting:

Technical details of permanent failure:
TEMP_FAILURE: SMTP Error (state 13): 450 : Recipient
address rejected: Greylisted for 5 minutes

Anyone see a problem? The error we returned was 450, yet Google seems to think it was a permanent failure. Here's a bit from the SMTP RFC (2821):

Continue reading "Google and Greylisting"...

Blacklists: What they are and how to avoid them

If you thought that anti-spam protection for your incoming mail would alleviate your e-mail problems forever, think again – another issue that can cause more than a few headaches is DNS BlackLists (DNSBLs), sometimes also called RBLs (Realtime Black List). DNSBLs are not a new idea, but their usage is increasing rapidly. In short, a DNSBL is an innovative use of DNS to provide access to lists of IP addresses (or other info). These lists are created on varying criteria -- for example, the IP address was caught sending spam, or it's owned by a company known for supporting/sending spam. Or perhaps the IP address hosts a mailserver not following the rules, or a web/proxy server that has been compromised in such a way that it could be used to send spam. In this way, common sources of spam can be compiled into these lists and checked by a mailserver before accepting mail. If you show up in the blacklist, your mail is rejected.

As the spam-war has escalated, DNSBLs have become a double-edged sword. They have probably saved SMTP from being utterly inundated with spam to the point that it's useless. However, blacklists have also been forced to get increasingly aggressive. It's not uncommon for an organization to find itself blacklisted, even if it didn't overtly send spam (that it knows of). If your organization becomes the unlucky member of a DNSBL, you’ll find that most (if not all) of your email is rejected by the outside world because you’re now considered a spammer. The worst part is that you may have no idea why you were blacklisted and no idea how to get de-listed!

Continue reading "Blacklists: What they are and how to avoid them"...

ACS SEO

Early this year, we posted the story of a spammer who left comment spam on our site -- circumventing the spam protection (Wordverify) manually.

This week, their director of marketing contacted me asking to try to clear up the situation and convey their side of the story. I told him I wouldn't amend the original post (barring any inaccuracy), but that he was welcome to e-mail me an explanation. In the interest of fairness, here it is:

Continue reading "ACS SEO"...

Large Botnet Attack

So, the inspiration for writing this script was so that I could quickly and effortlessly visualize some of the stats from my webserver logs on the fly. The reason was that I have noticed a huge influx of comment-spam attempts on my personal blog, this blog, and the Nashville Metblog.

I have access to the logs on the first two, and it was obvious from casual inspection that each attempt was coming from a different IP and network: i.e., it is coming from a botnet. I suspected that the spam influx on all these hosts was from the same botnet, and it appears that I was right. Out of 3-400 unique IP addresses making the spam attempts on those first two sites, around 200 of them had hit both servers. And lest there was any doubt, compare these two graphs of the comment-spam attempts per hour:

Continue reading "Large Botnet Attack"...

Vigilantism

Blue Security, the geniuses that made news a while back advertising their intent to create a network to DoS spammers, are back in the news again.

The reason is hardly surprising. Blue Security themselves were the result of a massive DoS attack. How did they respond? According to this NANOG post, by switching their DNS to their Typepad-hosted blog. So, rather than deal with the consequences of their abuse of the Internet, they made it someone else's problem -- namely Six Apart's: you may have noticed that both Typepad and Livejournal were down yesterday as a result of the DoS.

Continue reading "Vigilantism"...

The Battle Continues

Well, yesterday's foolproof method of defeating trackback spam is today's old news. Seriously, no less than 24 hours after I proclaimed victory, I have started getting trackback spam that defeats the validation method by maintaining a list of the links, rotating out the URLs as it spams them -- on the same page as their ads, or whatever content they are pimping in their spam.

For now I can just blacklist this IP, but a botnet will soon be employed to do its dirty work. Because trackbacks are a process that by definition is automated, it's particularly difficult to stop, since any Turing-test type validation is out of the question.

Continue reading "The Battle Continues"...

BMW.de De-listed

BMW.de was yanked from Google's index this week, for violating Google's policy in some shady SEO tactics involving javascript redirects.

Good for them.

(Hat tip: Chris)

Eliminating (Most) Trackback Spam

Well, wordverify has taken care of almost all comment spam, except for human spammers, of course.

However, trackback spam, since it is by definition automated when working properly, cannot be eliminated with that method. I had the simple idea to write a plugin that, upon receiving a trackback ping, would snag the referring URL and make sure it actually links. If not, the trackback would be rejected. This is slightly in opposition to the spirit of trackbacks, according to some, since some people believe you should be able to send a trackback without actually linking. I am not necessarily in agreement, but I think the elimination of this possibility is a small price to pay to eliminate spam.

Continue reading "Eliminating (Most) Trackback Spam"...

Tags: Spam

Advantage Consulting Services: Spammers

Earlier today, I posted about spam received in a blog comment that was clearly posted by an actual person. In that post, I mentioned tracking down (not hard in this case) and calling the company that appeared to be behind the spam, Advantage Consulting Services. Surprisingly, "V. Patel" called me back.

I told him I was interested in their company's product and started off just asking him questions about SEO in general, followed by some leading questions about how linking might affect pagerank (hint hint). CentreSource deals quite a bit with SEO, though with legitimate "white-hat" vendors (naturally), so I had a fair idea of what I could ask to probe for nefarious practices, but he pretty much kept it legit. Eventually I cut to the chase and explained why I was really calling: I asked him if he spammed the blog. To my further surprise, he said yes, and that he was "sorry". Yeah, well, I'm sorry too, pal.

The company name is Advantage Consulting Services (www.acsseo.com redirects to this URL). The website is actually a nice-looking website, and it comes across as being a legitimate SEO company (of which there are many). What's even funnier is that they have an entire section devoted to ethics, where they note:

We recognize that your website represents both your integrity and ours - and we strive to give you the best results while maintaining the highest of industry principles. We use industry best practices and ethical standards to ensure that your search engine optimization and marketing processes are achieved through honest means.

It doesn't get much more ironic than that, folks. "Your Integrity Is Your Integrity", they say at the top. I wonder how "Abrams California Health Insurance" might feel about the "ethics" involved in Advantage Consulting Services spamming on their behalf. Unsurprisingly, nowhere in their Processes page do they mention comment spamming.

It'd be funny if it wasn't so infuriating.

The transcript of our conversation is below. It's not terribly exciting -- I was admirable in keeping my composure while finding ways at the end to say "spam is bad" without swearing. Ladies and gentlemen, meet the new friendly face of the comment-spam inundating your blog, "V. Patel":

Continue reading "Advantage Consulting Services: Spammers"...

Tags: Spam