Posts belonging to Category Computing



Spammers Paradise

I’ve noticed an increase in a couple of types of blog spam while I’ve been away.  I’m not sure whether this is because the spammers are targeting likely periods when people won’t be watching or if it’s just more annoying to me to have to despam things remotely (usually over dialup or when I’m pressed for time).

The first one is the old-fashioned link-filled comment.  Because of the way EE works it’s hard for spammers to completely automate the process.  What I saw appeared to be manually generated and used URL-shortening services to get around keyword bans.  In one instance they hit a particular post 47 times, with a frequency of about one per hour before I added their URL-shortening URLs to the blacklist.

The other type, which usually happens during the wee hours of the morning, is of the account-creation variety.  Some dingleberry will create an account with a name like “prom dresses” or “bathroom vanities” and then put a link in the profile to a spam link farm with the advertised goods.  These are almost invariably created with invalid email addresses, so I can spot them in the morning just by the presence of the combination of a new member notification and a bounced email in my Inbox.  Occasionally the spammer will pick a valid address so I don’t get a bounce, so I’ve taken to reviewing all new member accounts and deleting any that have spam links (and what constitutes a spam link is entirely at my discretion).  I also added some verbiage to the member agreement to explain this.

As I wrote the above a new idea occurred to me regarding the timing.  When I’m away I’m usually not checking the referrer spam report and regularly updating my .htaccess and blacklist blocks, so maybe what I’m seeing with the comment spam is just the result of deferred maintenance.

Regardless, spammers suck.

Software Bug Ends Engagement

The recent Risks digest had an interesting item about a bug in Firefox that ended up causing a woman to discover that her fiancé was visiting dating sites behind her back.

He was pretty diligent about clearing his browsing history and the cache to prevent her from finding out, but this bug gave him away quite by accident.  He had made sure to never allow Firefox to store his password for the dating sites, but it turns out that under the “Saved Passwords” page you can access a list of sites for which it will never save passwords (populated whenever you press the “Never for this site” button).  This was his undoing, as that list turned out to be shared between user accounts.

At least she has a little bit of a sense of humor about it.  Check out “Step 9” in the “Steps to Reproduce.”

This privacy flaw has caused my fiancé and I to break-up after having dated for 5 years.

Basically, we share one computer but under separate Windows XP user accounts. We both use Mozilla Firefox—well, he used to use it more than I do but now we don’t really use it.  The privacy flaw is this: when he went to log-in under his dating sites (jdate.com, swinglifestyle.com, adultfriendfinder.com, etc.), Mozilla promptly asks whether or not he’d like Firefox to save the passwords for him.  He chose never, obviously.  However, when he logged off his user account, and I logged onto my Windows XP account X amount of days later, I decided to use Firefox because hey—it loaded everything much more efficiently, was better to work on with website designs and is a lot more stable than IE7beta2.

Firefox prompted whether or not I’d like it to save my password for logging into my website.  I chose never and changed my mind.  I went into the Password Manager to change the saved password option from Never to Always and that’s when I saw all these other sites that had been selected as “Never Save Password.”  Of course, those were sites I had never visited or could ever dream of visiting.

Then I realized who, how and what…  and sh*t hit the fan.  Your browser does not efficiently respect the privacy of different users for one system.

Reproducible: Always

Steps to Reproduce:
1. Create 2 unique user accounts (for steps sake, let’s call the two accounts Joe and Mary) in Windows XP Home.
2. Logout and sign-in under Joe.
3. Open Firefox and go to an e-mail site or to jdate.com or wherever.
4. Attempt to log-in to the site so that Firefox will ask whether or not you want your password saved.
5. Choose not to save the password.
6. After successfully logging in and having selected the “never save password” option, logout.
7. Log-in as Mary and open Firefox.
8. Browse, browse, browse… but you don’t really have to.  Just go to “View Saved Passwords,” click on the tab that will show you sites to never save passwords for, and you’ll see whatever painful site Joe denied to save a password for.
9. Break-up with fiancé.

Firefox should be respecting every single area of privacy per user on one system.  It’s not doing that…  I’m going to submit this as Major because not everyone shares one computer, but it should really be considered Critical.

So, guys, let this be a lesson not to mess around on a tech-savvy woman.  Or at least don’t do it on her computer.

Simplified?

A while back I installed OpenSuSE 10.1 on a PC to use for a backup system.  I was impressed with how polished the installer and the desktop were in this version, especially compared to the previous versions I’d worked with (9.2 and earlier). 

It got me to wondering if Linux might be ready for certain desktop uses.  The real test of a system is whether I’d give it to my mother.  Her needs are pretty simple.  She reads email, plays her favorite Mahjongg game, downloads and prints pictures, and occasionally (if she’s feeling adventurous) shops on Amazon.com. 

So, taking those one at a time:

  • Email—I’ve already got her using Thunderbird on XP, so moving to Thunderbird on Linux would be pretty transparent.
  • Mahjongg—This one is more problematic.  This particular game is her favorite, and it’s based on DirectX.  However, I see that it’s supported via Wine (a Windows emulation layer for Linux).  I’d have to test it myself to verify that it actually works.
  • Handling photos—she downloads pictures from her camera or gets them via email and then prints them on an HP inkjet printer.  This is one where I’d have to investigate further, but I’ve seen that KDE has gotten some good automatic USB mounting features (it will autodetect the USB camera and automount a filesystem, then pop up a window with the pictures, just like Windows does).  Printing should work, too.  I’ve used HP inkjets with Linux in the past.  And the printer interface on the desktop has been much improved.
  • For Amazon, and other online tasks, I’ve already got her using Firefox, so that should also be pretty transparent to her.

Of course, Firefox doesn’t (out of the box) support all the same plugins and formats as IE, but it can get pretty close.  I’ve even noticed that there’s an ActiveX plugin for Firefox.  Whether this is a good thing I’ve yet to decide, though (ActiveX can be a serious security hole, especially for novice users who don’t understand the implications of a dialog requesting permission to install various plugins).

She’s located in the country, so she uses dialup, but that’s no problem for Linux, either.

I guess I’d have to put together the system myself and tweak everything to make it as Windows-like as possible before letting her loose on it.  I’d also have to document everything so she knows how to do each task.

Ultimately, what I’m looking for is a system that I don’t have to worry as much about being compromised when one of her friends sends her a virus-infested email and where she doesn’t have to run as an admin just to play a game (although I think Kyodai may have fixed that recently).  A well-configured Linux system is generally more secure than a comparable Windows system, if for no other reason than it’s less of a target.

Given what I know today, I would not suggest Linux to even the average Windows user if I was expecting the user to administer the system themselves.  However, with the right configuration ahead of time, it might be useful for the novice or nontechnical user who only performs a limited number of tasks.

I’ve also toyed with something like the Mac Mini, but their stupid ad campaign is so annoying that I’m not sure I want to give them any of my money right now.

All of this comes to mind because I’m contemplating getting her a new system for Christmas (her current one is three years old, which is ancient in PC terms).  There are some pretty good deals out there on PC’s that could handle her needs, but I’m wary of dealing with Windows anymore.  Being her (remote) tech support means that the system has to stay up for long periods of time without fiddling (including getting behind on fixes, since I don’t quite trust autoupdates, and she won’t install them herself; however I do have it set to download them in the background when she’s online and then catch up with them when I go back home).

Hmm… decisions, decisions.

User Interface Annoyance

If I click a button marked “Save and Exit,” there’s no need to pop up another dialog asking me if I’d like to save the changes.  One would think that the “SAVE” in “Save and Exit” would be sufficient to indicate intent.

Compromised Servers Used for Referer Spam Linking

I started seeing a large number of attempted REFERER spam links in my logs over the past few days of the form <valid website>/images/online/<spamvertised product>.  If you take off the “/images/online…” part and just look at the root, they all appear to be valid, normal, websites (one was even for a Minnesota state representative).  The interesting thing is that if you look in “/images” you’ll find something called “99.php”.  That file is a spammer/cracker console.  It appears that all of these servers have been pwn3d by a Russian hacking group and this PHP script is a tool they’re using called “c99drink.” 

So far, out of the random sample of 7 or 8 links that I checked, the output of 99.php shows that each system belongs to iPowerWeb.  It would appear that they have some sort of systemic problem that allowed the crackers to gain access to the system and install their toolkit.

Here’s what c99drink looks like on a typically infected server:

This appears to be a relatively new toolkit, as I could find no hits for it on Google.
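As an added example (not code from this post), here is a small Python script that picks these referers out of an Apache combined-format access log, counts hits per referring host, and emits .htaccess rules keyed on the /images/online/ path rather than on the host alone, since the root sites are legitimate and should not be blocked wholesale. The log lines, hostnames and client addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log format; the referer is the second quoted field.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Path shape the post reports: <valid website>/images/online/<spamvertised product>
SPAM_PATH_RE = re.compile(r"^/images/online/", re.IGNORECASE)

# Constructed sample lines: .example hosts are fictitious, client IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Sep/2006:03:11:02 -0500] "GET /blog/ HTTP/1.1" 200 5120 "http://www.statehouse-rep.example/images/online/cheap-watches.html" "Mozilla/4.0"
198.51.100.7 - - [04/Sep/2006:03:11:09 -0500] "GET /blog/index.php HTTP/1.1" 200 5120 "http://www.statehouse-rep.example/images/online/diet-pills.html" "Mozilla/4.0"
203.0.113.44 - - [04/Sep/2006:03:12:31 -0500] "GET /blog/ HTTP/1.1" 200 5120 "http://florist.example/images/online/cheap-watches.html" "Mozilla/4.0"
192.0.2.88 - - [04/Sep/2006:08:02:15 -0500] "GET /blog/ HTTP/1.1" 200 5120 "http://search.example/?q=expressionengine+spam" "Mozilla/5.0"
192.0.2.89 - - [04/Sep/2006:08:05:40 -0500] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_combined(line):
    """Split one combined-format line into named fields, or return None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_referer_spam(referer):
    """True when the referer URL carries the /images/online/ path the compromised sites serve."""
    if not referer or referer == "-":
        return False
    parts = urlsplit(referer)
    return parts.scheme in ("http", "https") and SPAM_PATH_RE.match(parts.path) is not None


def referer_spam_hosts(log_text):
    """Hits per referring host; each host is a candidate compromised server, not the spammer."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec and is_referer_spam(rec["referer"]):
            host = urlsplit(rec["referer"]).hostname
            if host:
                hits[host.lower()] += 1
    return hits


def htaccess_block_rules(hosts):
    """mod_rewrite rules refusing requests whose referer is the spam path on one of the hosts.
    The condition keys on the path as well as the host so the legitimate site itself stays reachable."""
    hosts = sorted(hosts)
    if not hosts:
        # An empty condition list would make the RewriteRule below block every request.
        return "# no referer spam hosts found"
    rules = ["RewriteEngine On"]
    for i, host in enumerate(hosts):
        flags = "[NC,OR]" if i < len(hosts) - 1 else "[NC]"
        rules.append(f"RewriteCond %{{HTTP_REFERER}} ^https?://{re.escape(host)}/images/online/ {flags}")
    rules.append("RewriteRule .* - [F]")
    return "\n".join(rules)


if __name__ == "__main__":
    hits = referer_spam_hosts(SAMPLE_LOG)
    for host, n in hits.most_common():
        print(f"{n:4d}  {host}")
    print(htaccess_block_rules(hits))
```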

And Then… Silence

As I mentioned previously, some dingleberry spammer decided it would be cool to use my domain to generate random addresses for the From address when sending crap to people from his botnet.  In addition to the “enlargement” products being hawked in the original spam run, I started seeing stuff for “pharma” and Rolexes.  There were two distinct ways of handling the addresses, as well.  The original run used ones of the form “First Last” <madeupcrap -at- aubreyturner.org>.  The later runs (Rolexes, etc.) used the same pattern but appeared to use a different domain for the From and instead used my domain for the Reply-To address.  I also observed that all spams that targeted a single domain appeared to use the same address on my domain.

Anyhow, I finally decided to throw in the towel and disable the catch-all on this domain.  Fortunately, it turned out that I didn’t have very many addresses on this domain that I needed to keep.  The majority of my contacts have been done using a different domain, so I was able to disable the catch-all and add the 20 or so emails that I wanted to keep.  Now, any email for a non-registered address will simply be rejected during the SMTP connection, so it won’t get a chance to bounce to me.

Should I have to turn off the catch-all for the other domain, I now have a list of valid emails for that domain and a handy script that can read it in and produce correctly formatted forwarding entries.  The only pain will be having to enter the 500 or so addresses into the web control panel’s forwarding page.  I’m hoping I don’t have to do that, though, as I like the flexibility of creating a new address on the fly when needed.  That set of 500 addresses represents over 6 years of e-commerce, newsletters, mailing lists, newspaper registrations, etc.  It was very helpful in that you immediately know that the L.A. Times is the one that sold your address to the spammer, as it came in on that particular address.  It’s also funny when phishers send a PayPal account verification email to your old Gradfinder email address (at least before I canned it, since those bastards also sold my email to a bunch of spammers).

At over 200 emails per day, I finally just had to do away with the catch-all.  From skimming all the crap that bounced to me, I was a bit surprised to see how many people still use “out of office” autoresponders.  Although on further thought, the original reason for discouraging their use has kind of faded, as spammers no longer seem to care where responses and bounces go and don’t use valid info anyway.  So now the innocent Joe Job victim gets to find out that Geoffroy from some company in France is “absent du 25/08/06 au 15/09/06.”

I also saw a few that required me to validate that I was a human and not a spambot.  Given that it was sent by a spambot, I guess it did its job.  But if I’d really sent a message to such a person, I would not complete a validation form.  I’d just write that person off as someone who doesn’t want email and find some other way to get in touch.

The final irony of the situation, though, is that I started receiving spam at the made-up addresses.  It would appear that somewhere out there someone is running some kind of collection scheme and adding the received addresses to a list of spam targets.

I felt kind of like I was in a giant email-based pinball machine.

You Get What You Pay For…

I’ve been kind of taken aback by the vehemence of some of the comments from customers about the recent troubles that Dreamhost has been having.  To hear some of these people, it sounds like they’re losing thousands of dollars per minute when their sites are down.  But if that’s the case, I’m really curious as to why they’re betting their business on a shared hosting plan.

Even at the rate I’m paying (I’m on the “Code Monster” plan, and was migrated there from my original plan, so I’m not paying the full rate, but it’s still about $20/month), I’m not going to get too torqued about occasional downtime.  But perhaps I’ve not had as bad an experience as some of the other customers.  I’ve been with them since April, 2000, and I just haven’t had the same kinds of problems that others are chronically complaining about.

In my professional life I’ve worked on “industrial strength” websites.  These sites have hosting bills in the range of $100K to $200K PER MONTH, depending on complexity and transaction load.  And those kinds of charges still only get an SLA with 99.5% uptime (a little over 40 hours per year downtime, due to scheduled maintenance windows).  But you do get professional admins who you can page at 3:00am if the site is down, DBAs who know what the hell they’re doing (usually), backups, enterprise class hardware with techs who are available to come onsite 24/7/365, load balancing, clustering, and so forth.

If you’re going to bet your business on a web hosting system, you’d better be prepared to spend real money.  If you expect 99.999% uptime (FYI, that’s five minutes per year downtime),  you need clusters of clusters across multiple datacenters with redundant databases and hot-failover (just to name a few buzzwords).  That $15/month you’re spending for shared space on a single PC running Debian Linux just isn’t going to cut it.

Selectively Annoyed

Just curious, but does anyone else find the selection logic in MS Word absolutely infuriating at times? It’s so damn helpful that it’s unusable, at least with the mouse. It seems to want to find words and phrases in the selection, but it sucks at it. I have to resort back to the keyboard to select just the word or sequence that I want to highlight.

What tripped my trigger just now was trying to reference XML elements in a document through the use of a different font. The stupid highlighting logic absolutely insists on adding a space to the selection after the right bracket. That’s annoying, but not nearly so annoying as what it does with dashes in the selection.

For example, consider that I just want to select the element itself, which has a dash in the name: (Bold text represents Word selection)
    blah blah-blah <element-name> blah blah

Stupid Word decides to highlight it as follows if I use the mouse (dragging from the “e” in name back towards the “e” in element):
    blah blah-blah <element-name> blah blah

I have to use the keyboard every damn time this comes up if I just want to select the “element-name” and there’s a dash earlier in the sentence.

It seems to me that the first, most important, rule of user interface design should be don’t presume to tell the user what he’s doing (in other words, leave my damn selection alone!).

Follow The Bouncing Spam

It appears the botnet Joe Job has started again.  This time it’s “enlargement” products they’re hawking.

I’ve gotten 180 bounces since about 6:00pm yesterday.  At this rate I may be forced to disable my catch-all, but it’s going to be a major PITA.  I’ve probably got over a hundred aliases in use, and they aren’t individually registered.  This means that I’m going to have to grovel through all of my previously received and sent emails and pull out the addresses I used and create explicit forwarding entries for each one.

Update 1:  Got five more just in the two minutes it took me to write this entry.

Update 1a:  Up to 226 as of 3:39pm.

Update 2:  All of the spams link to various nonsense domains that contain “information” about something called “Man XL.”  The scammer behind this nonsense is an entity calling itself “WW3 DISTRIBUTERS LLC.”  Should you receive such an email, beware clicking the link unless you want to see Prasad’s “business” (if you were unfortunate enough to have clicked, you’ll know what I mean by that).

Update 3:  Internally, all of these sites have a frameset that pulls the main frame content from http://www.cabaretmarin.net.  Hitting that address causes a redirect to http://barbarises.net/ms/?bb, which then redirects to http://barbarises.net/ms/index.php?k=<garbage>.  That appears to be a “campaign” tracking link (i.e. this particular batch of redirects through cabaretmarin.net seems to share this “k” value).

I did a random check of several of these “.info” domains that are in the emails.  They all have similar information (i.e. same name, address, email) and were registered just a few days ago via RegisterFly.  Here’s an example:

Registrant ID:tuJCnDTXYin4eSHs
Registrant Name:patrice pennetier
Registrant Organization:pennetier
Registrant Street1:rue notre dame, 21
Registrant Street2:
Registrant Street3:
Registrant City:tubize
Registrant State/Province:NA
Registrant Postal Code:1480
Registrant Country:BE
Registrant Phone:+1.3292313108
Registrant Phone Ext.:
Registrant FAX:+1.3292313108
Registrant FAX Ext.:
Registrant Email:[email protected]

Information on “barbarises.net”:

Domain Name:barbarises.net

Registrant:
Mike Vester
      Allensteiner Strasse 24
      47237

Administrative Contact:
Mike Vester
      Mike Vester
      Allensteiner Strasse 24
      Duisburg 47237
      Germany
      tel: 49 7161 3079405
      fax: 49 7161 3079405
      [email protected]

Technical Contact:
Mike Vester
      Mike Vester
      Allensteiner Strasse 24
      Duisburg 47237
      Germany
      tel: 49 7161 3079405
      fax: 49 7161 3079405
      [email protected]

Billing Contact:
Mike Vester
      Mike Vester
      Allensteiner Strasse 24
      Duisburg 47237
      Germany
      tel: 49 7161 3079405
      fax: 49 7161 3079405
      [email protected]

Registration Date: 2006-07-14
    Update Date: 2006-08-31
  Expiration Date: 2007-07-14

  Primary DNS:  ns1.buckraming.com         220.179.67.133
  Secondary DNS:  ns2.buckraming.com         220.179.67.133

The cabaretmarin.net domain appears to have been registered via a privacy service, though, which is not surprising as this is the first real link in the chain to his spam site:

Registration Service Provided By: Registerfly.com
Contact: [email protected]
Visit: http://www.registerfly.com

Domain name: cabaretmarin.net

Registrant Contact:
  RegisterFly.com – Ref# 19298483
  Whois Protection Service – ProtectFly.com ([email protected])
  +1.8458183604
  Fax: +1.8456984014
  P.O. Box 969
  Margaretville, NY 12455
  US

Administrative Contact:
  RegisterFly.com – Ref# 19298483
  Whois Protection Service – ProtectFly.com ([email protected])
  +1.8458183604
  Fax: +1.8456984014
  P.O. Box 969
  Margaretville, NY 12455
  US

Technical Contact:
  RegisterFly.com – Ref# 19298483
  Whois Protection Service – ProtectFly.com ([email protected])
  +1.8458183604
  Fax: +1.8456984014
  P.O. Box 969
  Margaretville, NY 12455
  US

Annoying Little Knuckleheads

I think I previously mentioned that I get a lot of bad user attempts against my sshd.  Most of them were coming from PCs in China, but I got one from somewhere in Oklahoma last night on Cox’s cable internet service.  I’ve reported it to Cox’s abuse department, although I don’t have high hopes of getting a response or of them taking action.

This is what it looks like:

Sep 2 02:49:35 dominion sshd[22218]: Illegal user sifak from ::ffff:68.12.255.97
Sep 2 02:49:37 dominion sshd[22220]: Illegal user slasher from ::ffff:68.12.255.97
Sep 2 02:49:39 dominion sshd[22306]: Illegal user fluffy from ::ffff:68.12.255.97
Sep 2 02:49:41 dominion sshd[22308]: Illegal user admin from ::ffff:68.12.255.97
Sep 2 02:49:43 dominion sshd[22310]: Illegal user test from ::ffff:68.12.255.97
Sep 2 02:49:45 dominion sshd[22312]: Illegal user guest from ::ffff:68.12.255.97
Sep 2 02:49:47 dominion sshd[22314]: Illegal user webmaster from ::ffff:68.12.255.97
Sep 2 02:49:52 dominion sshd[22318]: Illegal user oracle from ::ffff:68.12.255.97
Sep 2 02:49:54 dominion sshd[22404]: Illegal user library from ::ffff:68.12.255.97
Sep 2 02:49:56 dominion sshd[22406]: Illegal user info from ::ffff:68.12.255.97
Sep 2 02:49:58 dominion sshd[22408]: Illegal user shell from ::ffff:68.12.255.97
Sep 2 02:50:00 dominion sshd[22410]: Illegal user linux from ::ffff:68.12.255.97
Sep 2 02:50:02 dominion sshd[22412]: Illegal user unix from ::ffff:68.12.255.97
Sep 2 02:50:04 dominion sshd[22414]: Illegal user webadmin from ::ffff:68.12.255.97
Sep 2 02:50:08 dominion sshd[22502]: Illegal user test from ::ffff:68.12.255.97
Sep 2 02:50:12 dominion sshd[22506]: Illegal user admin from ::ffff:68.12.255.97
Sep 2 02:50:14 dominion sshd[22508]: Illegal user guest from ::ffff:68.12.255.97
Sep 2 02:50:16 dominion sshd[22510]: Illegal user master from ::ffff:68.12.255.97
Sep 2 02:50:18 dominion sshd[22512]: Illegal user apache from ::ffff:68.12.255.97
Sep 2 02:50:24 dominion sshd[22602]: Illegal user network from ::ffff:68.12.255.97
Sep 2 02:50:26 dominion sshd[22604]: Illegal user word from ::ffff:68.12.255.97
Sep 2 02:50:59 dominion sshd[22806]: Illegal user admin from ::ffff:68.12.255.97
Sep 2 02:51:01 dominion sshd[22808]: Illegal user admin from ::ffff:68.12.255.97

That IP reverse-resolves to “97.255.12.68.in-addr.arpa domain name pointer ip68-12-255-97.ok.ok.cox.net.”, which appears to be somewhere in Oklahoma, although the actual contact for Cox is in Atlanta:

Cox Communications Inc. COX-ATLANTA (NET-68-0-0-0-1)
                      68.0.0.0 - 68.15.255.255
Cox Communications Inc. OKRDC-68-12-0-0 (NET-68-12-0-0-1)
                      68.12.0.0 - 68.12.255.255

Given the frequency and pattern of the attack, it appears to be automated.  Unfortunately, any little pissant PFY can run this sort of thing, since the attack tools are pretty much automated (hence the term “script kiddie”).  Fortunately, none of the accounts in the attack tool’s dictionary are on my system (and even if they were, they’d have non-default passwords).  Still, I’ve often wished for an ICMP HACF packet that could be sent back to an attacker’s system.
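An added example, not from this post: a Python parser for these sshd “Illegal user” lines that groups attempts by source address, measures the attempt rate and the username dictionary used, and formats the figures an abuse complaint needs. The sample is ten of the lines above plus one constructed line from a documentation address (192.0.2.10) to show a lone failure is not flagged; syslog omits the year, so 2006 is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of the syslog lines above (the ::ffff: prefix is an IPv4 address mapped into IPv6).
ILLEGAL_USER_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: Illegal user (?P<user>\S+) from (?P<ip>\S+)$"
)

# Ten lines from the post plus one constructed line from a documentation address.
SAMPLE_LINES = """\
Sep 2 02:49:35 dominion sshd[22218]: Illegal user sifak from ::ffff:68.12.255.97
Sep 2 02:49:37 dominion sshd[22220]: Illegal user slasher from ::ffff:68.12.255.97
Sep 2 02:49:39 dominion sshd[22306]: Illegal user fluffy from ::ffff:68.12.255.97
Sep 2 02:49:41 dominion sshd[22308]: Illegal user admin from ::ffff:68.12.255.97
Sep 2 02:49:43 dominion sshd[22310]: Illegal user test from ::ffff:68.12.255.97
Sep 2 02:49:45 dominion sshd[22312]: Illegal user guest from ::ffff:68.12.255.97
Sep 2 02:49:47 dominion sshd[22314]: Illegal user webmaster from ::ffff:68.12.255.97
Sep 2 02:49:52 dominion sshd[22318]: Illegal user oracle from ::ffff:68.12.255.97
Sep 2 02:49:54 dominion sshd[22404]: Illegal user library from ::ffff:68.12.255.97
Sep 2 02:49:56 dominion sshd[22406]: Illegal user info from ::ffff:68.12.255.97
Sep 2 04:10:00 dominion sshd[23001]: Illegal user bob from ::ffff:192.0.2.10
"""


def parse_illegal_user(line, year=2006):
    """Return a dict for one 'Illegal user' line, or None for anything else.
    syslog timestamps carry no year, so the caller supplies it (2006 assumed here)."""
    m = ILLEGAL_USER_RE.match(line)
    if not m:
        return None
    ip = m["ip"]
    if ip.startswith("::ffff:"):
        ip = ip[len("::ffff:"):]  # keep the plain IPv4 address for whois/abuse lookups
    when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"time": when, "host": m["host"], "user": m["user"], "ip": ip}


def summarize_by_source(lines, year=2006):
    """Group attempts by source IP: count, distinct usernames tried, time span and rate."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_illegal_user(line, year)
        if rec:
            by_ip[rec["ip"]].append(rec)
    summary = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        span = (recs[-1]["time"] - recs[0]["time"]).total_seconds()
        summary[ip] = {
            "attempts": len(recs),
            "distinct_users": sorted({r["user"] for r in recs}),
            "first": recs[0]["time"],
            "last": recs[-1]["time"],
            "span_seconds": span,
            # A single attempt has no measurable rate; report zero rather than dividing by zero.
            "rate_per_minute": len(recs) * 60 / span if span > 0 else 0.0,
        }
    return summary


def flag_bruteforce(summary, min_attempts=10, min_rate_per_minute=5.0):
    """Source addresses whose volume and speed look automated rather than a mistyped login."""
    return sorted(ip for ip, s in summary.items()
                  if s["attempts"] >= min_attempts and s["rate_per_minute"] >= min_rate_per_minute)


def abuse_report(ip, summary):
    """Plain-text figures to paste into an abuse complaint to the address's ISP."""
    s = summary[ip]
    return (f"Source {ip}: {s['attempts']} failed SSH logins for non-existent users "
            f"between {s['first']:%Y-%m-%d %H:%M:%S} and {s['last']:%Y-%m-%d %H:%M:%S} "
            f"({s['rate_per_minute']:.1f}/min); usernames tried: {', '.join(s['distinct_users'])}")


if __name__ == "__main__":
    summary = summarize_by_source(SAMPLE_LINES.splitlines())
    for ip in flag_bruteforce(summary):
        print(abuse_report(ip, summary))
```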