Spam

Link: "Spammer" Protests Innocence.

Houston....errr, London...we have a problem. You know all those lawsuits Microsoft has been filing against spammers? Well, it looks like Microsoft may have snared an innocent in its trap.

Simon Grainger has been targeted by Microsoft, but he says he's no spammer. Steve Linford of the Spamhaus Project is quoted in the article saying they saw spam from the domain back last year, but it ceased before Simon acquired it.

Earlier today, Microsoft released a statement on the matter:

We understand that Mr Simon Grainger, against whom proceedings were brought by Microsoft last week is protesting his innocence, claiming that he is the victim of mistaken identify or third-party interference with his systems. Whilst at this stage we have not received a formal indication of a substantive defence on behalf of Mr. Grainger, we wish to impress that the proceedings last week were instituted against a background of misuse of a domain name registered in Mr. Grainger's name. In the event that there is persuasive evidence supporting Mr. Grainger's assertions, we would be very happy to consider it and team up with Mr. Grainger to discover the true identity of the perpetrators of the misuse complained of which may have left as its victims, Microsoft and its customers as well as Mr. Grainger. Until then, it would not be appropriate for us to comment about a legal matter which is the subject of court proceedings. Though we can't comment further on the individual court case, Microsoft is committed to addressing the spam problem on behalf of all consumers.

This really roasts my nuts. The complete lack of compassion for what may be a horrendous error is mind-boggling. Sure, the matter needs to be clarified before they drop charges, but couldn't the arrogant bastards at least have shown a little concern?

Gawwd ... I hate frickin' lawyers. (Well...most of them...)

This is an Administrative Message from EarthLink. It is not spam. From time to time EarthLink will send you such messages in order to communicate important information about your account.

So, my new cable Internet service is less than two weeks old, and already the marketing onslaught begins. Last night I received an email "Special Services for EarthLink Cable Internet Customers." The message is trying to upsell me to various services, with no otherwise necessary or useful information.

The quoted paragraph appears at the end of this message. It's a good thing Earthlink added that. We wouldn't want customers to misconstrue this useless, unwanted marketing crap as spam.

See, it really isn't spam. Yes, it is commercial email, but because I have a business relationship with Earthlink (I'm a cable Internet customer) they have a right to contact me. Nonetheless, just because it's not spam doesn't mean it isn't useless, unwanted marketing crap. Just because they have the right to send me this crap doesn't mean it's desirable or advisable.

To make matters even worse, Earthlink does not offer a way to opt-out of this crap. Therefore, it appears the only way to make this stop would be to break my business relationship with them: cancel my service. I'm considering doing that.

What a horribly arrogant and offensive business practice. No wonder Earthlink needed to add a disclaimer to the end of this annoying email. It's a pity that nobody at Earthlink had enough of a clue to realize that if their marketing wasn't so offensive, they wouldn't need the silly disclaimer.

Do not adjust your set. The wobbly letters you see in the graphic are part of the new Microsoft Hotmail/Passport registration procedure. When you try to register for an account, you'll get a graphic image such as the one above, and you need to type what you see back into the form. That's easy for a human to do, very tough for a computer.

This means that spammers will no longer be able to run automated signups, to amass the hundreds (thousands?) of accounts necessary to do a DAV spam run. Thanks, Microsoft.

Now, about that header forgery problem ...

Link: Toward a Spam-Free Future

Microsoft has launched if not an all-out war, then at least a significant publicity blitz against spam. Last week, Microsoft announced a number of lawsuits against spammers. Today, the Wall Street Journal published a letter from Bill Gates attacking spam.

The focus of these actions has been spam received by Microsoft customers. What about taking care of the spam that originates on Microsoft networks? Earlier this month I described a serious Hotmail problem that is being exploited by spammers to send unwanted email.

The noted article by Bill Gates has what may be some good news on this front.

[...] spammers set up many different email accounts to avoid detection, and, once detected, they move to other services. To put an end to this shell game, we are taking steps to prevent spammers from creating fraudulent email accounts in bulk.

The Hotmail vulnerability involves scripted sending of spam using the DAV protocol. That's only half the problem, because Hotmail limits accounts to 100 messages a day. A spammer can't do much damage with one account.

So, spammers need a significant number of Hotmail accounts to do their dirty deeds. Hotmail, unfortunately, lets them do that. Spammers have scripted the signup process as well, allowing them to gather hundreds (thousands?) of bogus accounts to originate spam. If Microsoft secures the Hotmail signup process so that it no longer can be automated, this vulnerability will be reduced significantly.

There is one other part to the Hotmail spam problem: they allow forged headers, including headers that are supposed to provide an audit trail. Microsoft should address this problem too. They should stop allowing spammers to forge headers such as the From: header. They should get rid of the silly, non-standard audit headers such as X-Originating-IP: and use a trustworthy Received: header to indicate the mail source.

I am holding out hope that Gates' message means Microsoft is going to give this problem the consideration it deserves.

Link: UT Singles Out Site that Seeks Single Longhorns.

White Buffalo spammed 57,000 email users at the University of Texas. UT responded by blocking them. White Buffalo sued, but lost.

I gave my three cheers for the good guys winning, but there are some aspects of this story that trouble me.

First, blocking a source that's generating spam can be justified to protect your users or facilities. According to the story, UT went beyond that and blocked email in the other direction: from their users outbound to the spammers. A block such as that cannot be supported on either grounds: protecting users or protecting resources. It sounds like the intent was punitive. Now, I enjoy spanking spammers as much as the next guy (maybe more so), but not at the expense of disrupting users' email.

Another thing that bothers me is the implication that UT allows some organizations to spam. The article cites Dell and MasterCard. What isn't clear, however, is whether the email from those companies is solicited. Or, maybe the email was just sent to people with whom they have an existing business relationship. In either case, that's not spam, and White Buffalo would be barking up the wrong tree.

Finally, I find it disturbing that White Buffalo believes that UT email addresses are public information and subject to spam. That information ought to be able to be kept private, and it should not be repurposed into marketing fodder.

These are some of the big red flags that went up when I read the article. I wish the reporter had spoken with somebody familiar with spam issues so that they may have been clarified. (via spamNEWS)

I recently discussed a Hotmail vulnerability that is being exploited by spammers. I've been seeing spam from this source for about three months. Two days after the article was posted it dried up.

So, I'd like to say thanks for reading my blog, and thanks for opting me out of your spam, scumbag.

I recently blogged an article pointing out a problem that is allowing spammers to relay junk email through Hotmail. Like so many Microsoft problems, it's caused by bad system design: deploying a feature without considering the security ramifications. I thought it was pretty bad when I first saw it. Unfortunately, the more I learn the worse it gets.

On Saturday night I blogged an article discussing a Hotmail vulnerability that is being exploited by spammers. The problem has been getting progressively worse over the past three months, without Microsoft doing much (apparent) to stop it.

The article has been circulating a bit since. The next morning, the article was linked on Slashdot. Later that day, The Inquirer posted an article. Maybe with the heightened visibility, Microsoft will finally address the DAV spam problem.

I want to make one clarification. The problem is not a bug in the protocol implementation, but rather flaws in the overall system design. Microsoft is allowing anybody to relay email (with forged headers, no less!) through the Hotmail servers. It appears the only limit is that the account cuts off after 100 spams/day, but that's not much of a limit when the spammer can easily generate thousands of accounts.

Not everybody is seeeing this problem. Some people have questioned whether this is a problem, based on the small amount of DAV spam in their mailbox. The headers on the DAV spam I have look very similar. I believe what I'm seeing probably is the work of one spammer. If you are on that spammer's list then it's a problem. If you aren't on that list then it's not much of a problem--yet! If Hotmail allows this vulnerability to persist, you know other spammers are going to jump on the bandwagon.

Link: An Overview of E-Postage. (826KB PDF)

I recently blogged a pointer to John Levine's critique of challenge-response anti-spam systems. There is another bad anti-spam technology people have been talking about lately: e-postage. John has just posted a new paper that highlights its many problems.

The idea behind e-postage is to turn the economics of Internet email around, from recipient pays to sender pays. If you can do that, then you've just obliterated the economic foundation that underpins spam.

It turns out, however, that e-postage suffers from many flaws. I think John's arguments regarding the scale of the infrastructure required to support e-postage and users' attitudes toward micropayments are very compelling.

The arguments about failures in the system--the "Postage Games" section--seem less so. That's unfortunate, because I believe that's one of the most critical problems with e-postage systems. System failures can negate the value of the system (i.e. spammers get around it), or even cause great harm (i.e. spammers swindle money from innocent victims, a few e-stamps at a time). Since this paper is a work-in-progress, I think these concerns may be better reflected in a future version.

A new--but not well known--Microsoft vulnerability is being exploited by spammers, creating even more junk mail in your inbox.