HomeSite Help - General Blog
2002-08-02

Hiding from viruses - Intermezzo

[Spam prevention 3] Well, of course viruses aren't spam, strictly speaking, though mails with a virus are equally unwanted and unsolicited. I've found you'll need to hide your email address from viruses just as you need to hide your email address from spambots. Here's what happened:

Vacation

On 19 April, I left for a short vacation with my parents in Northern Germany; I came back late on 1 May. Of course, since I'm subscribed to a number of rather busy mailing lists, I expected a few thousand emails. What I didn't expect on retrieving my mails on 2 May was the number of emails with 83-92K attachments that turned out to be viruses! It slowed down downloading all emails, of course, and since local phone calls aren't free here in the Netherlands, added considerably to the cost of retrieving my email. In all, I found well over 250 mails with the KLEZ virus, nearly all to the same address, and even exceeding the amount of spam to that same address. I'd never seen so many before.

What had happened? I decided to watch things for a while to get a clue, expecting the amount would go down in a month or so. It didn't (far from it), but I did get a clue: the KLEZ virus (at least variants 'E' and 'H') uses any email address found on the infected system to mail itself to, uses another email address found on the infected system as the "From:" header, and can use its own SMTP routine to send itself out (so you'll never know from where it was actually sent); the 'H' variant may occasionally also attach another file found on the infected system. And these variants find the email addresses not just in address books, as most viruses that mail themselves out do, but in (text or HTML) files on the infected system as well. Subjects are "random" but may also use strings found on the infected system. The subjects gave me the first clue: I saw things like "Stephen Le Hunte", "SCROLLING", "Cellspacing" and "Marginheight".
I also noticed the name "bloo" as the supposed sender. All this looked awfully familiar; these things were definitely related to web development, and (Stephen Le Hunte, bloo) even to installations of HomeSite...

The cause

Since I began writing VTML Tag Editors in late 1997, I've put a copyright statement with an email address in each file, as well as in all the HTML documentation I wrote about VTML. The files were downloadable from HomeSite Help, and were later included in several versions of Allaire HomeSite (4.01, 4.5, 4.5a, 4.5.1), all with the same copyright statement with my email address. Since there are roughly one million users of HomeSite, these files must be present on a few hundred thousand machines. And there were some 150 files with my address on each of those machines... It would only need a small percentage of machines to be infected to "generate" a steady stream of emails from virus/worms like KLEZ!

OK, so I knew where it came from. But not whose machines were sending these mails, since KLEZ cleverly prevents that. Nothing I could do... but watch. I expected the frequency to taper off soon, but that didn't happen either. So on 28 July I gave up and stopped retrieving all email from the address that was getting nothing but spam and (more) KLEZ, and did a closer analysis of the KLEZ mails. I've published the analysis results, with graphs for your amusement. You'll also find my theory about why the amount of KLEZ mails suddenly increased in April, and why KLEZ will probably be with us for at least some more months - backed up by the numbers shown in the graphs.

The moral

Do you write software? Then no doubt you'll leave contact information in source, and/or in documentation. In these days of viruses finding email addresses in text files on an infected system, not just in address books, don't make your contact information your email address. Use a website address; on the website, you can then provide a form or an email link (properly obfuscated or hidden from spambots) so humans will still
be able to contact you, but viruses won't...

2002-03-28

Hiding from spammers - part 1

[Spam prevention 2] In order to prevent and deal with spam, it's very important to keep your email organized. A good approach is to have multiple addresses but strictly limit which address you use for which purpose. That way, if one address gets spammed, it's much easier to get rid of without impacting the rest. Here's a good strategy to get organized:

A secret address

The first thing you need is a brand-new, clean email address that you're not going to give to anyone except a few services that will hide this address from the world. If your provider lets you create new addresses that's fine, or you may consider another provider or even a service that lets you create free addresses and access them from a normal email program.

It would also be useful to make this address invulnerable to dictionary attacks, especially if you use a free email service: well-known domains are an easy target. (If you choose a 'normal' name at a free service, you may even find you start receiving spam immediately since the address was pre-owned and dropped by the previous owner... And make sure you opt out of any mailings and promotions!)

An 'invulnerable' (statistically speaking) name will simply be a string of random letters and numbers. The form below can generate one or more for you; a generated string will be 8-32 characters long (also random). You can add a few dashes, dots or underscores as well: the result will be a valid email address that is practically impossible to guess. Use the 'permanent link' below this post to bookmark it so you can easily find this form again later.

A limited-access address

For family and friends you probably want a 'friendly' address that they can actually remember. It should go to a limited number of people only; tell them not to pass it on without your permission - and keep track of who has it.
If your provider lets you easily create (and drop) multiple addresses, that's fine, but even then you should consider a service like Pobox. Does your provider use a spam filter? Pobox provides that: for a small fee you get three addresses with spam filtering (if you want) and more. If an address gets spammed, you can easily drop an address and create a new one (that's why you need to keep track of who you give your 'friendly' address to!) Pobox will redirect mail to these addresses to your own address: that's the first use of your secret address. (If you change that, you simply give the new address to Pobox to redirect to.) Your email program can see if a mail was originally sent to your pobox address, so it's easy to filter all that mail into a 'personal' folder.

Software and service registrations: throw-away addresses

If you download trial software, register purchased software, or sign up for a service, you usually need to give an email address. Remember that I mentioned that some companies may sell their lists? Even if they don't, they may be taken over by another company that is not so scrupulous with their database. Here, the strategy is to use a unique address for each registration: if it gets spammed, you not only know where it came from (complain to that company!) but you can just throw it away again since it was used for one thing only.

This is where Sneakemail (which I mentioned earlier) comes in. You create a free account with them giving your secret email address. With your account you can now create any number of throw-away addresses. Each address is randomized (much like my little randomizer tool above does), and you add a label that makes it easy for you to know what it's for, and you can even add notes with extra information (like why you signed up, a password, whatever you like).
Each address can just let everything through, but you can also set up filters, so that mail from known spammers gets thrown away, and mail from unknown addresses is held until you release it. If someone writes to you at that address, you can simply reply to it, and it goes back through the Sneakemail system: your correspondent never gets to see your secret address. It's very easy and quick to create an address on the fly: if I'm going to download some software, I just open a new browser window, create a new Sneakemail address, and copy and paste it in the download registration form.

Mailing lists: more throw-away addresses

The same applies here as with software and service registrations: create one unique address for each list you sign up for. If you are already subscribed to a list, create a Sneakemail address and subscribe with that; once that is complete and mails start arriving through your new address, unsubscribe your old address. Email addresses used for mailing lists are more vulnerable to spam than registration addresses, since many lists are archived on the web. But with Sneakemail it's easy to filter mails from those who spam (once); and if it really gets out of hand: create a new address, subscribe with that, unsubscribe the old address, and throw the old address away. If, like me, you have many mail list subscriptions, converting them all will take some time - but it's time well spent.

Keeping track - securely

Email boxes, online services, mailing list subscriptions, almost all require passwords for access or to manage your subscription. If you're using separate addresses for everything, as outlined above, this only multiplies. I'm using a nice little shareware application to keep track of all my accounts, passwords, and related information: Password Keeper from Gregory Braun. All information is stored in a password-protected and encrypted file, so your data is safe from prying eyes. Highly recommended.
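The randomizer form described under "A secret address" is an interactive part of the site; the following is an added sketch of the same idea, not the site's own code. The function names, the lowercase-plus-digits alphabet and the rule of one separator per gap are assumptions made for this example.

```python
import math
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols (assumption)
SEPARATORS = "-._"                  # the post's dashes, dots and underscores
_rng = secrets.SystemRandom()       # OS CSPRNG, not the default `random` PRNG


def random_local_part(min_len=8, max_len=32, separators=0):
    """Return a random local-part (the text before the @).

    The number of letters/digits is itself random in [min_len, max_len].
    Each separator goes into its own gap between two characters, so none
    can be first, last, or next to another separator.
    """
    if separators > min_len - 1:
        raise ValueError("more separators than gaps in the shortest name")
    length = _rng.randint(min_len, max_len)
    chars = [secrets.choice(ALPHABET) for _ in range(length)]
    gaps = set(_rng.sample(range(1, length), separators))
    out = []
    for i, ch in enumerate(chars):
        if i in gaps:
            out.append(secrets.choice(SEPARATORS))
        out.append(ch)
    return "".join(out)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in `length` uniformly random symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for n in (0, 2):
        print(random_local_part(separators=n))
    # Shortest case: 8 symbols from 36 is about 41 bits, i.e. 36**8 candidates.
    print(f"{entropy_bits(8):.1f} bits, {36 ** 8:,} candidates")
```

Even the shortest result has far more candidates than any list of words and names, which is what makes it resistant to a dictionary attack.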
2002-03-27

How does a spammer get email addresses?

[Spam prevention 1] It's blatantly obvious that the best thing to do to prevent spam is to make sure spammers don't get your email address. Simple solution: don't use email - but for most of us that's not an option. So how does a spammer get an email address? There are many ways that you should be aware of; they:
In newsgroups, you can simply use an address that doesn't go anywhere (make sure it doesn't!), or disguise it with a comment that humans can read, but robots won't know how to interpret.

Web pages are a little more complicated, since there are so many possibilities; for instance, if you subscribe to a mailing list, you may think your address is reasonably safe there - but many mailing lists are archived on-line (not only by the list owner, Google groups may do it as well), and these usually display the posters' email addresses: so there is your email address out in the open, ready for the harvesting robots to pick up. Other notorious sources are guestbooks; if you must use an email address, use the same type of disguising you'd use for a newsgroup - or better yet: don't sign a guestbook that requires an email address. You may also have your email address as an email link on your own website.

The address you give for a domain registration is harder to hide: the registrar will need to be able to reach you - and you can't change the email address without having a working address in the first place.

If you can choose an email address (at least the part before the @) be aware of dictionary attacks: all the spammer needs for this is a domain name, which is then combined with lots of known words and known names: anything that doesn't bounce is likely a "real" address - and that could be yours, even if you've never even used it yet! So choose something that's hard to pull from a list of words and names, and don't use a simple number at the end either: such addresses are vulnerable, too.

Spammers can buy lists, and not only from other spammers or spammer services: some legitimate companies may sell their lists as well. If you sign up for any service (and that includes web mail services!)
be very careful to read the whole form - and the privacy statement as well: even if you agree to get notifications from that service, their privacy statement may state they can give (or 'give') your address to third parties without giving you the option to opt out of that. Make sure you opt out of everything you don't want! And when you go back to change options - check all of them again: some forms 'reset' your opt-out to opt-in... In the next issue of Spam prevention I'll give you some techniques to deal with those situations where you need to use your email address and can't be sure it will never be given away, sold, or harvested.
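The advice above on dictionary attacks can be turned into a self-check for an address you are about to choose. This is an added example, not part of the original post; the word and name lists are small constructed samples and the function names are hypothetical.

```python
import re

# Constructed sample lists; a real check would load full word and name lists.
WORDS = {"info", "sales", "admin", "webmaster", "contact", "mail", "home"}
NAMES = {"john", "mary", "peter", "anna", "smith", "jansen"}


def guessable_reason(local_part, words=WORDS, names=NAMES):
    """Explain why a local-part is reachable from word/name lists, else None."""
    vocab = words | names
    lp = local_part.lower()
    stem = re.sub(r"\d+$", "", lp)          # drop "a simple number at the end"
    tail = " plus trailing number" if stem != lp else ""
    if not stem:
        return "digits only"
    if stem in vocab:
        return "single list entry" + tail
    parts = [p for p in re.split(r"[-._]", stem) if p]
    if len(parts) > 1 and all(p in vocab for p in parts):
        return "list entries joined by separators" + tail
    compact = "".join(parts)
    for i in range(1, len(compact)):
        if compact[:i] in vocab and compact[i:] in vocab:
            return "two list entries run together" + tail
    if compact[1:] in names:
        return "initial plus listed name" + tail
    return None


def audit(candidates):
    """Map each candidate local-part to its weakness (None means none found)."""
    return {c: guessable_reason(c) for c in candidates}


if __name__ == "__main__":
    sample = ["webmaster", "john1975", "mary.smith", "petersmith2",
              "j.smith", "k7x2qm9vdp4r"]    # constructed candidates
    for name, reason in audit(sample).items():
        print(f"{name:14} {reason or 'not found in lists'}")
```

A result of None only means the name was not derivable from the lists supplied; larger lists catch more.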
[Spam prevention] All Sneakemail buttons can be admired on the Sneakemail promotion page now!
[Spam prevention] I've done a series of buttons for Sneakemail and sent them off to the SneakePostmaster General. Had a lot of fun making them, too. I picked one to use on this page in the resources column. I'll write something later about Sneakemail - it's more than bedtime now!

2002-03-26

[Spam prevention] Turns out that one service I wanted to tell you about with regards to spam prevention provides a few huge banners to link to them - but no standard-size buttons. Sent off an email, saying I could make my own button and donate it, if that was OK. Their support being what it is, they answered quickly, and said yes, that's OK, and we'll make a 'donated' section on our 'promotion' page. Off for a while, I'm in graphical design mode... Oh, what service? Sneakemail of course! More later ... (when I've done a button).

2002-03-25

[Blogs] Since it's my birthday today, I now give this blogging subsite to myself as a little birthday present. I'm going live now, by adding a note to the HomeSite Help home page. Keep your eyes peeled for some "real" content in this General Blog in the next few days; to start with, I'm going to tell you what I've been doing to fight spam. Half the battle is prevention, and I'll have some tips for that, too.

2002-03-24
[Blogs] First post in the General blog. This should work immediately, since all templates (including the one for the archive) have been defined already.