Flickr, A New Tool for Targeted Marketing

Posted on July 25, 2006

A movie production company added me as a contact through Flickr last night. I looked through the pictures on their account, and noticed the labels were quite odd. The shots were awkwardly titled using the name of their latest motion picture. Say the movie is called “Gronky”, and its big star is “Intellectually Bankrupt”. A photo’s title would read, “Intellectually Bankrupt signing an autograph - GRONKY”. It took me about two minutes before I realized that this was sophisticated spam. I subsequently sent an email to Flickr’s abuse address regarding the offender.

I respect the brilliance of this subversive advertising as it probably wasn’t just a random spamming. The marketers may have targeted their message because my profile lists me as a fan of one of the stars of their movie. I can’t believe that Flickr would sell profile data in bulk to guerrilla marketers, however, the scenario is plausible. Either way, the movie production house is now a dirty spammer who must be destroyed at all costs.

Banned Spambots

Posted on June 05, 2006

I think I finally stopped the spambots that were attacking my site. In addition to Wordpress comment spam, I was getting Gallery comment spam for the first time ever. Here are the iptables rules that I’m using to block the bots from my server. I manually verified all of these before adding them over the course of the past month or so.

Torrent of Comment Spam

Posted on May 17, 2006

I’ve been getting a massive torrent of comment spam directed at my server recently. What’s the best way to automatically fight it using Wordpress 1.x? I _really_ don’t want to upgrade to 2.x. I tried this in January and realized that it was going to be a massive hassle for an installation that is as custom as mine. I know that Typo requires javascript in the browser to execute, which combats these automated HTTP POST scripts that are running on botnets. Is there a plugin like this for Wordpress? I really don’t want to disable anonymous comments.
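The Typo-style check the post describes, as an added example (not the author's code and not a WordPress plugin): the server embeds a nonce and an HMAC in the comment form, the page's script fills a hidden proof field from the nonce, and a script that replays the raw HTTP POST without running that JavaScript is rejected. Function and field names are assumed.

```python
import hashlib
import hmac
import os
import time

SECRET = b"constructed-server-secret"  # constructed value; a real one lives outside the code

def issue_form(secret=SECRET, now=None):
    """Server side: fields embedded in the comment form.
    A bot that scrapes the page gets nonce, issued and mac, but the proof
    field is only filled in when the page's script actually runs."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(8).hex()
    issued = str(now)
    mac = hmac.new(secret, f"{nonce}:{issued}".encode(), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "issued": issued, "mac": mac}

def browser_script(nonce):
    """Stand-in for what the page's JavaScript computes before submitting."""
    return hashlib.sha256(("js:" + nonce).encode()).hexdigest()[:16]

def accept_comment(post, secret=SECRET, now=None, max_age=3600):
    """Server side: (accepted, reason) for one submitted form."""
    now = int(time.time()) if now is None else now
    try:
        nonce, issued, mac, proof = (post[k] for k in ("nonce", "issued", "mac", "proof"))
    except KeyError:
        return False, "missing-field"
    expected = hmac.new(secret, f"{nonce}:{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad-mac"        # form fields were forged, not issued by this server
    if not issued.isdigit() or now - int(issued) > max_age:
        return False, "stale"          # an old scraped form being replayed
    if not hmac.compare_digest(proof.encode(), browser_script(nonce).encode()):
        return False, "no-javascript"  # raw HTTP POST that never ran the page script
    return True, "ok"
```

A bot that re-implements the page script passes this check, which is the same limit the Typo approach has; a one-time-use nonce store would also close the replay window inside max_age.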

Would you like some Phentermine?

Posted on May 05, 2006

As it turns out I’m not interested in purchasing any Phentermine. Thanks to the kind folks at McColo Corporation for sending me repeated offers via comment spam though. As a token of good will, I have given the good people at McColo one of these: sudo iptables -I INPUT -s 208.66.193.0/22 -j DROP. I haven’t given out anything like that since 2005. Brilliant.

I <3 Spammers

Posted on April 24, 2006

This morning, my entire Media Wiki installation was repurposed as a link farm by some spambots. As a result, I had to revert all the changes, protect all the current entries and forbid edits from anonymous users from now on. Some of the links that were added by the spammers were made to be invisible to avoid detection by the sysop (me). Google actually penalizes sites that attempt to hoodwink an increased Pagerank score these days. So, why do spammers continue this exercise in futility? Argh….

Reaching Valhalla via Port 25 (over SSH)

Posted on December 06, 2005

I was infinitely proud of this last hack on OS X that seems to work. I wanted to send email from an arbitrary wireless or wired IP address from Mail.app. So, here’s what I did… I issued this command to route port 25 from suudsu to hudge!

sudo ssh -L 25:localhost:25 hoyhoy@hudge

Hudge is where involution.com is hosted and runs a mail server. So, I redirect my Powerbook’s port 25 to hudge, and configure Mail.app to use localhost as its outgoing sendmail server over an encrypted link via SSH. I’m syncing my Powerbook to Gmail’s POP access (over SSL). Involution.com’s mail (*@involution.com) that is not stopped by Spamassassin, Bogofilter, DCC, or my custom virus notification and unreadable character set filters is forwarded to GMail if it’s not something that was sent from within gmail, and mails sent to hoyhoy@example.com are forwarded back to hudge which implicitly creates a backup. Also, I set up Mutt to BCC sent mail to GMail so it’s included in the archive. The only one that I haven’t figured out is how to make Mail.app BCC sent mail to Gmail, and how to make GMail send its sent mail back to hudge. I know there’s ample sendmail foo to be messed with, and I imagine it’s possible to replicate based on the fact that it knows when an email is coming from the Mail.app MUA and tony@involution.com, it is safe to mirror that to my user account on hudge. Similarly, I think I can actually hack Eric S. Raymond’s “fetchmail” program to download emails that I sent from GMail over POP3, and only grab any email that I didn’t send to myself, and archive it on hudge. These are automatically in Mail.app because it syncs to GMail POP3, and sent email is part of what’s downloaded. So, basically, I’m left with emails I sent from Mail.app only being in Mail.app, and email sent from GMail only going to Mail.app and not hudge, but everything else is mirrored everywhere. I used to keep Outlook running on Windows too, but I stopped being part of that whole scene about four years ago. I transferred all of my Outlook email over to Berkeley format and use pine to look through it, on the rare occasion I need an email from before 2002. If only I could somehow get all of that imported to GMail, but that’s another story.
Someone needs to write a GMailFS driver to where I can simply drag .eml files or entire mbx files and have them import.

Referer Spam

Posted on August 25, 2005

How do I stop it? I’ve tried all kinds of Apache rewrite rules, applying various patches to awstats, etc, etc. Nothing seems to work. Anyone got any ideas?

Spammed Malware

Posted on January 12, 2005

Someone managed to get an evil spam through the old filters tonight. Here’s a little analysis of what this “person” was trying to do. Anyone care to run key.exe on their box to see what happens?

HijackThis?

Posted on September 03, 2004

Wednesday night, I had to rescue a friend’s Windows 98 computer from Spyware oblivion. I was amazed at how far behind the times I had gotten in terms of spyware/adware removal with Windows and Internet Explorer. I hadn’t realized what nasty, evil stuff was on the Intraweb these days. When I first started working on the machine here’s what I noticed:

  • Internet Explorer’s start page was about:blank, but some site appeared that continually popped up windows.
  • IE Default Search was set to some dll on the hard drive
  • HKLM/Software/Microsoft/Windows/CurrentVersion/Run, RunOnce, and HKCU/Software/Microsoft/Windows/CurrentVersion/Run had lots of suspect entries like "Winad.exe" and "Winclt.exe"
  • Win.ini had a suspicious Run entry.

Now, whenever faced with this situation, I usually do the following. First, I run Windows Update about two to three times to upgrade IE and get all the Critical Updates. This particular box hadn’t been updated since like 1999. So there were something like 21 Critical Updates from The Vole to apply. After that, I then delete spurious entries from the various Run and RunOnce Keys from the Registry, run Ad Aware, delete suspect entries from Start Menu->Startup, and run sysedit to peruse autoexec.bat, config.sys, win.ini, and system.ini. This is what I _knew_ already going into the situation, which is substantially more than most people.

To my surprise, all that couldn’t remove CWS, which was causing Internet Explorer’s about:blank to download from some very questionable web site and, I think, _REINFECT_ the box by executing arbitrary code. Thankfully, the reinfections stopped occurring after the Windows Update, but IE was still hopelessly infected with various toolbars and a nefarious about:blank redirect.

I had vaguely remembered that SpyBot was supposed to be a halfway decent program in the same vein as AdAware. So, I downloaded and installed it. It managed to find and remove loads of stuff that AdAware missed all without incident. It even forced a reboot of the box, and axed a bunch more malware that was immutable after Windows had loaded it into memory on boot-up.

I had never heard of HijackThis until googling for the specific problems I encountered over the course of cleaning this box. HijackThis informs you of every modification done to the Registry (post-install) that could be harming your system. It can then fix or delete any or all of the items that it finds. HijackThis managed to find even more malware hiding in the depths of the Registry that was missed by AdAware and Spybot. I promptly removed these items which were mostly extraneous IE toolbars and cruft.

After all of that, IE’s default page was fixed, however, Winad and Winclt remained in the process list. It seemed to me that these two processes were a very lame imitation of the famous Xerox/Motorola “Friar Tuck/Robin Hood-hack”. When you kill Winclt, Winad starts a new Winclt. When you kill Winad, Winclt starts a new Winad. Of course, when you delete the Winad entry from the Registry Run key, this process manages to rewrite it again within seconds. In addition, the executables were loaded into memory and immutable. So, they couldn’t be deleted when Windows was booted, and Spybot couldn’t manage to axe them during its boot-up removal process. My solution to this was to reboot and hold down F8 when Windows restarted. Boot into “Command-line Only Mode”, and do a
deltree c:\progra~1\winad~1.

Finally, I reran Spybot, HijackThis, and Adaware yet again, and purged the remaining malware in the depths of the OS. When I was done, the machine appeared to be clear of all the spy/ad/malware that had infected it, however, without reimaging the box, there’s no way to be 100% sure. After all, every executable is now suspected of having been tampered with.
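An added example (not the author's and not HijackThis's code) of the kind of check the post credits HijackThis with: take a snapshot of the Run keys and the win.ini run=/load= lines, and diff it against a baseline saved right after install, so only post-install autostart changes are listed for review. The .reg and win.ini text below is constructed, and the function names are assumed.

```python
import re

# Constructed regedit-style exports of the Run keys named in the post (not real data).
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"""
CURRENT_REG = BASELINE_REG + r"""
"Winad"="C:\\PROGRA~1\\WINAD\\Winad.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Winclt"="C:\\PROGRA~1\\WINAD\\Winclt.exe"
"""
BASELINE_INI = "[windows]\nload=\nrun=\n[fonts]\n"
CURRENT_INI = "[windows]\nload=\nrun=c:\\progra~1\\winad\\winclt.exe\n[fonts]\n"

def parse_reg_export(text):
    """Return {(key, value_name): data} for the quoted string values in an export."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # .reg files double the backslashes inside string data
                entries[(key, m.group(1))] = m.group(2).replace("\\\\", "\\")
    return entries

def parse_ini_run(text):
    """Return the programs named on the run= and load= lines of [windows]."""
    section, found = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k.lower() in ("run", "load") and v:
                found.extend(p for p in re.split(r"[,\s]+", v) if p)
    return found

def snapshot(reg_text, ini_text):
    """One set of (source, name, command) tuples covering both autostart locations."""
    items = {(k, n, d) for (k, n), d in parse_reg_export(reg_text).items()}
    items |= {("win.ini [windows]", "run/load", p) for p in parse_ini_run(ini_text)}
    return items

def new_autostarts(baseline, current):
    """Autostart entries added since the baseline: the post-install changes to review."""
    return sorted(current - baseline)
```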

I can’t imagine an ordinary member of the populace being able to fix problems like these. It’s amazing to me that Microsoft would allow such insanity to occur on its operating systems. I don’t see how normal trusting people can be expected to maintain a Windows system that is inherently insecure.