The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Tuesday, February 28, 2006

My court hearing was held today

Transcript is now up and available. Here's my favorite part:

Q:  So you ran a traceroute on

A: No, I ran a traceroute on the kiddy porn
site Sexylolitas and the result came up listing

I'm sorry, what kind of lawyer points out to the court that his client was providing service to a child pornography site? I'd forgotten all about that myself until Harristhal brought it up.

Anyway, the gist of it all is that Harristhal is arguing that I put myself into North Dakota jurisdiction by a) answering emails from a lawyer in North Dakota, and thus involving myself in a court case there, b) by telling fellow spam-fighters that I expected to be sued by someone from North Dakota, and by c) sending traceroute packets there*.

Oh, my second-favorite part:
Your Honor, this is an unusual context.  I recognize
that. The internet is a new creature.

Maybe the internet is a new creature to you, Mr. Harristhal, but the state of North Dakota entered the 21st century with the rest of us.

Anyway, nothing to do now but wait for the Judge's decision.

Labels: , , ,

Monday, February 27, 2006

New host cloaking technique used by spammers

As reported in the other day, spammers have used a technique we haven't seen before to hide their servers.

(Correction: I hadn't seen it before. Apparently it's been around for years.)

A bit of background: Spammers learned long ago to send their spam from different service providers than the ones hosting their web pages. The idea is that the service provider hosting the web page won't terminate for spam sent from a different provider (see haven spam). However, over the years, service providers have become educated on the issues of haven spam and will now terminate web sites which are advertised via spam. For this reason, spammers take extra steps to hide their web sites. The most common method is via a click-through page hosted on another throw-away account. The bottom line here is that spammers very much want to hide the location of their web sites to prevent their disconnection.

So this brings us today to a new technique reported by Stephen Satchell of last Thursday. It reads almost like a mystery novel, involving cloaking, promiscuous interfaces, stolen IP addresses, and tunneling. It gets a little tricky, so follow the bouncing ball:
  • The spammer obtains a dedicated server at the victim service provider. The server shares a subnet with other customers.
  • The spammer runs a special daemon program on the dedicated server. The daemon places the network interface into "promiscuous mode" so that it will snoop on all network packets, spying on the local subnet.
  • The daemon determines which IP addresses on the local subnet are not in use. It also determines the addresses of the network routers. One or more unused IP addresses are commandeered for use by the spammer.
  • ARP (Address Resolution Protocol) responses are sent from the daemon to the routers, binding the unused IP addresses to the server. This allows the spammer's server to "steal" those IP addresses. The daemon does not answer ARP requests from any other source, so the stolen IP addresses remain invisible to all other systems and diagnostic equipment.
  • Finally, GRE and IPIP tunneling (a method used to connect two private networks together) is used to connect the stolen IP addresses to the spammer's real servers hosted elsewhere.
The end result is that the spammer has created a server at an IP address which not even the owners of the network are aware of.

There are a number of ways you can protect your own network from from this exploit:
  • Give each customer their own subnet.
  • Null-route unused IP addresses in your network space, or otherwise make sure that there's a legitimate server somewhere that will claim them.
  • Monitor your local network for interfaces transmitting ARP responses they shouldn't be.

Update: See the comments for a minor correction from Stephen Satchell. The perp server doesn't wait for ARP requests from the gateway routers, but preemptively sends ARP responses.

Update (June 2006): Other suggestions: Seth Breidbart informs me that tcptraceroute to port 80 should at least find the approximate location of the machine.

See the comments for other suggestions sent in by readers.

Sunday, February 26, 2006

Spammer Adam Vitale busted

Sun Sentinel reports that the secret service has busted Todd Moeller of New Jersey and Adam Vitale of Florida on spamming charges. For more information, see Sun Sentinel article Two men are accused of sending spam e-mail and sheriff's department mug shot.

Wednesday, February 22, 2006

Sony planning blog spam?

Here's one for the books: Sony BMG allegedly ran an ad in looking to acquire interns who would log onto the internet and spam social networking sites with "word of mouth" promotion of Sony properties. has a brief discussion on the issue in their online forums.

The original listing has been removed, but the text of it was archived in a usenet post in "Is a major record company planning a blog comment spam run?"

Tuesday, February 21, 2006

Setting the record straight on car dealership spam. had a rather poor and uneducated article last week about a car dealership which spammed.

I wasn't going to mention it in this blog, but there was an excellent letter to the editor yesterday: Spoutin' Off: E-mailed spam ads are like no ads at all. It covers the issue very well, and straightens out quite nicely.

Sunday, February 19, 2006

News shorts

Mayor of Seattle is spamming. See Email Battles article CAN-SPAM Abuse: Seattle mayor spams Chicago non-constituent.

Seattle times reports on Yet Another anti spam software company. This one will bear watching.

Heis Online reports on an initiative to stop cell phone SMS spam. This is also covered in PC Magazine in Carriers Pledge To Stamp Out Wireless Spam and in Wireless Week article Verizon Goes After More Spam

Cell phone spam hits Malaysia

A company in Malaysia spammed thousands of cell phone users with Chinese New Year greetings, and then charged them all about S$1 for the message. See TheStar online article SMS spam causes outrage

Friday, February 17, 2006

Harristhal & Allison affidavits.

I received copies of the Harristhal and Allison affidavits today in the jurisdiction hearing in the defamation case. Harristhal's affidavit came to 129 pages! All I can guess is that he's charging Reynolds by the word.

It included a complete copy of one of David Ritz's depositions, even though David is not a party to the defamation suit. It included a large number of items taken from David's disk and other sources which are not even remotely relevant to the issue of jurisdiction.

Well, anyway, my response is online by now, I think I answered fairly well.

As for Allison, he basically includes excerpts from my web site and says they "target" North Dakota somehow, and he includes a couple of usenet posts and claims that I "directed" them to the servers.

Labels: , , ,

Friday, February 10, 2006

9 percent of blogs are spam blogs

Interesting article in Podcasting News. Dave Sifry of Technorati says that 9 percent of all blogs are spam blogs ("splogs"). Read the article for more information and learn how bloggers are combatting it.

Tuesday, February 07, 2006

BMW falls foul of Google ‘web spam’ rules

Meanwhile, the Financial Times of london reports that BMW's entire web site has been removed from all search engine results due to web spamming.

This is a very good sign, as it shows Google's commitment to fighting web spam and hopefully by extension, blog spam.

Monday, February 06, 2006

Fake forum sites as a cloaking function for spam

While tracking a piece of blog spam to its source, I was led to the site Since the site looked like a real discussion forum, my first thought was to contact the admins of worldcinemadvd and let them know that their web site was being abused by one of their advertising affiliates. But a second look roused my suspicions. The discussion forums seemed disjointed, and somehow "wrong". A quick google search showed that the contents of the web site had been simply copied from Further browsing at worldcinemadvd shows a number of threads with titles like "Why are you stealing threads from the dvd forums?".

It's possible that is also part of the link farm, but as far as I can tell it looks legitimate.

Mary Hodder of Napsterization who alerted me to this particular spam site tells me of a conference two weeks ago at which someone who operates such link farms bragged of making a hundred million dollars a year doing it. This is a huge business. There are actually two competing conferences which are held every other month just for this industry. The way it works is that entrepeneurs grab up domain names in huge quantities. They grab everything in the dictionary, every misspelling, and every expired domain they can. The web pages contain no original or useful content other than advertising. You've probably seen these in the course of your daily surfing.

Update: Google informs me that was removed from their servers in January.

Yet Another Final Ultimate Solution to the Spam Problemtm

Microsoft is proposing yet another solution to the spam problem. They call it Penny Black. The proposal is similar to various e-postage proposals (in which the sender is required to bundle a small amount of e-cash in the header of the email; the recipient can choose to refund the e-cash to friends and other non-spammers, while spammers wind up spending real money on each message they send.)

In the Microsoft proposal, the sender's expenditure is measured in cpu cycles instead of money. When a recipient does not trust the sender, it sends the sender a computationally-expensive puzzle to solve (typically breaking a one-way hash). If there are 86,000 seconds in a day, and the puzzle takes ten cpu-seconds to solve, a spammer would be limited to sending 8600 spams per day.

The idea is actually not original to Microsoft; see the Hashcash web page and corresponding Wikipedia entry.

Excersize for the reader: find two things wrong with this proposal. See the FUSSP web page for hints.

Approaches to fighting blog spam

Blog spam (sometimes known as comment spam), for those not familiar with it, consists of comments, pings, and trackbacks added to popular blogs in order to "leach" some of the high page rank from those blogs. The idea being that when the search engines crawl the blog, they'll pick up the links in the comments and those links will have their page rank boosted.

A few months ago, another blog picked up the story of the lawsuit against me. This week, I heard back from that blogger informing me that ironically, the months-old post had attracted spam of its own. A comment was added that consisted of nothing but a link to an affiliate shopping page at If you go to the advertised site, there's nothing there but Google ads. (See my companion article about and cloaking.)

So what techniques are there to deal with this? If had been a legitimate site, the first step would have been to complain to its administrators about the actions of their affiliate. In this case, there's no point.

We can find out who the service provider to is (traceroute indicates that it's and complain. We can also complain to their registrar (, who also has a good anti-spam policy.) We'll see how this approach works.

Perhaps the simplest approach to preventing blog spam is to implement the requirement that the poster solve a captcha puzzle. Blogger supports this that I know of, and I suspect most blog software does.

You can always set comment moderation to require approval for each comment, but that has a number of disadvantages, not the least of which is the increased workload in maintaining the blog.

There are also automated tools to deal with the problem. Most blogging software has options to control the moderation of comments. One of the features offered by blog moderation software is the ability to blacklist specific domains so that comments coming from those domains or linking to them are automatically deleted. The particular blog in question is powered by Movable Type, which includes a feature called MT-Blacklist which is a collaborative moderation system for movable Type.

Originally developed by Jay Allen as a plugin for movable Type, MT-Blacklist aggregates the individual blacklists created by bloggers. The principal is similar to the communal moderation employed by Slashdot, Craig's List and other online communities -- if enough bloggers flag a domain as being bad, the MT-Blacklist software will add the domain to a global blacklist which is applied globally to all bloggers making use of the service.

MT-Blacklist was enough of a success that movable Type hired Jay Allen and incorporated MT-Blacklist into movable Type version 3. This has had an enormous impact on movable Type, virtually eliminating blog spam.

The approaches to fighting blog spam then, are threefold. First, more automated tools such as MT-Blacklist should be developed. Perhaps SPEWS or one of the other DNSBL providers could be convinced to include databases for known blog spammers, or perhaps a more global version of MT-Blacklist could be developed which could be used by multiple blog engines.

Second, service providers need to be educated that blog spam is as unacceptable as other forms of spam, and to develop policies against it. This will be an uphill battle, as no service provider wants to take actions against a paying customer.

Third, and most importantly, the search engine companies must stop indexing links from within blog comments. They should also adopt a practice of dropping spam sites from their crawl when they are discovered, and terminate advertising partnerships with such sites.

Sunday, February 05, 2006

AOL, Yahoo wide open to bulk e-mail, for a fee

Spam Daily News, USA Today, and the New York Times report that AOL and Yahoo are going to allow bulk mailers to bypass their spam filters by paying a small per-email fee. AOL and Yahoo are touting this as a method to verify sender ids and reduce spam. But who would be buying the rights to bypass spam filters in bulk other than spammers? Improved consumer protection or sell-out? You be the judge.

Friday, February 03, 2006

Microsoft lands in spamcop list

Microsoft sent out spam in violation of the CAN-SPAM act. Read all about it at Spam Kings: Illegal spam from Microsoft.

So much for Bill Gates' prediction that the spam problem would be solved by now.

"We have met the enemy, and they are us."

Progress on the jurisdiction hearing

Judge Racek, the judge in the defamation case, has granted our requests in the jurisdiction hearing scheduled for the 28th.

Judge Racek has granted our request that the hearing be an evidentiary hearing. This places the burden of proof on Reynolds to prove that North Dakota should have jursidiction. Reynolds had objected and wanted simply a motion hearing with affidavits and no oral testimony.

All direct testimony to be submitted in advance by affidavit -- no surprises allowed.

Witnesses may appear via interactive tv. Reynolds was hoping to force my witnesses and me to travel all the way to ND or not testify at all.

Labels: , , ,

Thursday, February 02, 2006

Verizon wins injunction against text message spammers.

Reuters reports that Verizon Wireless has obtained an injunction against Passport Holidays of Ormond Beach, FL after 98,000 spam text messages were sent on its behalf. Passport will also pay $10,000 in damages.

My only questions are how did it go so far in the first place, and why doesn't this fall under USC title 47 which would have allowed $500/message in damages?