Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: spam

Scammers gonna scam

It’s been a while since I’ve thought about our resident snake oil salesman, Gregory D Evans… and there’s been far too much seriousness on the blog recently. So here’s a little deviation from your usual programming. Sorry!

I’ve been noticing, as many have I’m sure, a lot of spam messages on the Twitters over the last few months. I’ve been a good little worker and reported them as spam, every little helps after all. However I thought it was about time to name and shame (like he’s not already shamed). Still, it’s worth a few seconds to make a screenshot and share it for posterity.

I guess hot girls like Hackers!

The levels of spam have reduced (maybe due to people reporting them repeatedly, maybe due to dwindling funds), but you can usually pick up a few by searching on the phrases “AM I HACKER PROOF is a” and “Gregory Evans is one of the”. The posts forward to an amazon.com page together with an affiliate link (using several affiliate link tags – diabetescure-20, worldmixmasal-20, neoopt06-21, twitterservice-20). You can find the same affiliates posting LocatePc spam as well on occasion.

I’m not one to judge on how people do business, but this kind of thing doesn’t really strike me as something an honest and professional Information Security company would take part in.

Just before I go here’s some quick food for thought… the @gregorydevans account now has over 27,000 followers. Wow that’s amazing, much more than most… he must be really famous and well-respected! Of course, this rise all happened in the last month. From zero to spam follower hero in a month! I’ll leave that one for you to think on 😉

Let’s give the man the benefit of the doubt… after all, he’s the world’s number 1 hacker. Still seems strange that the @amihackerproof account seems to have a similar arc in followers! The stats are unfortunately a little lacking, as the stats are only tracked from March 23rd 2012.

Lazy ass spammers

lazyspam, originally uploaded by ChrisJohnRiley.

Wow… I knew spammers were lazy, but come on, at least TRY a little!

Strange twitterings from the BBC

Earlier today I was catching up on some tidbits of world news from various sources when I stumbled across something that caught my eye. BBC World News offer a twitter feed of their latest headlines. I sometimes browse the list to see what’s going on in the world and to reaffirm my opinion that we’re all doomed. Today however a specific article in the list caught my eye.

“It’s Time To Legalize Cannabis.”

This snippet of news, and the associated link, didn’t really fit with the other news. For starters, there was the capitalisation and the use of the American spelling of legalize (legalise). There was also the fact that a majority of other news snippets started off with BBC Business News, whereas this didn’t. By using Twitter’s search function I could also see that the exact same tweet had been sent out on a regular basis for at least 10 days (possibly longer). The last thing that made me think this wasn’t really a tweet from BBC_News_World was the from label under the tweet.


Whereas all other tweets come from Twitterfeed, these are the only ones that report to come from twitRobot. Very strange.

By pulling up the link on a test system the bit.ly link took me to a Facebook cause with the same title as the tweets posted through the BBC Twitter feed “It’s Time To Legalize Cannabis”.


By pulling up the bit.ly statistics I could see that this link had been actively used since the end of September and had been clicked over 665 times. It also showed the original creator of the link as a user called therealtwitter. This appears to be the name used when Twitter automatically shortens a URL in a post for the user. So no tracking information there unfortunately.


More detailed information can be found on the bit.ly info page for this link, including a breakdown of clicks by country and clicks by referrer. By looking at the referrer stats it’s evident that this bit.ly link is also being sent out through email and IM.

Although the Facebook cause at the end of the link appears benign at first appearance, it certainly warrants further investigation into why this link is spreading through the BBC Twitter feed (possibly without their knowledge). This cause could be something as simple as a person trying to drum up members for their cause. Then again it could just as easily be a phishing site designed to steal logon credentials, or perform attacks against the user’s browser. Further work is needed to see exactly what’s behind this.

If I receive a response regarding this I’ll certainly post a followup. Until then, watch out just in case.

Stop spoofing me !!!

I’ve been fighting the good fight against spammers for a few months now on and off. Not the usual fight however. This time my domain is the problem, as some nice spam-bot out there on the web has taken a liking to my domain and wants to use it as the source of its evil advertising campaigns. It’s annoying really, as every time this spam-bot emails to the wrong address, I end up getting the bounce message. A couple a day in July, turned quickly into a few hundred a day in August. This weekend I finally had the chance to sit down and do some research on what I can do to make this spam-bot go away and start spoofing some AOL addresses again. The answer I came across was SPF.

Ok, I guess people now are saying WTF is SPF when it’s at home. SPF is “Sender Policy Framework”, and its aim (if used) is to provide a way for servers receiving email to check if the sender is who they’re supposed to be. This is achieved through the use of a TXT entry on the name-server used for your domain. This TXT entry tells the receiving server what IP address your emails should originate from, and if they don’t match, then dump the email on the floor. In the short-term, this may not solve my problem 100%, but if even 1 spam gets stopped because I’ve added this SPF entry, then in my view it’s a job well done. Maybe it’ll even force the spam-bot to move on to another domain without the SPF set.

How do you do this you say… well it’s easy. The details are discussed on the SPF homepage and include everything you’ll need to understand how it works and what to add. You can also use a number of automatic SPF creators on the web, including the one at openspf.org. As an example, my SPF entry (which you can find by doing an nslookup on my domain) is:

v=spf1 a a:remote.c22.cc include:aspmx.googlemail.com ~all

Looks complex… but once you break it down, it’s not that hard to understand.

v=spf1 – is the version number of SPF supported

a – means that all A records for my domain are permitted to send email

a:remote.c22.cc – sets the remote.c22.cc CNAME as permitted

include:aspmx.googlemail.com – tells the server checking to lookup the SPF record for gmail as well

~all – is the catch-all rule, that says these are the only servers permitted

See, simple really. Most domains will have a simple SPF like v=spf1 a ~all or v=spf1 ip4:x.x.x.x ~all if you only have 1 publicly addressable mail server. Mine is currently more complex as I’m testing various solutions. However in the long run it’ll end up just as an include to the Google servers.
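How a receiving server walks this record, as an added example (not code from the original post): a minimal evaluator for the mechanisms used above, run against constructed DNS data. The IP addresses, the contents of the googlemail record and the strict.example domain are assumptions made for illustration, and the -all case goes slightly beyond the record shown.

```python
import ipaddress

# Constructed sample DNS data (documentation-range addresses, not the real zones).
A_RECORDS = {"c22.cc": ["192.0.2.10"], "remote.c22.cc": ["192.0.2.20"]}
TXT_SPF = {
    "c22.cc": "v=spf1 a a:remote.c22.cc include:aspmx.googlemail.com ~all",
    "aspmx.googlemail.com": "v=spf1 ip4:198.51.100.0/24 -all",  # constructed
    "strict.example": "v=spf1 ip4:192.0.2.10 -all",  # hypothetical domain
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Return the SPF result for connecting address `ip` claiming `domain`."""
    record = TXT_SPF.get(domain)
    if record is None:
        return "none"  # domain publishes no SPF record
    terms = record.split()
    if terms[0] != "v=spf1" or depth > 10:  # depth check guards include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:  # mechanisms are tested left to right, first match wins
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            hosts = A_RECORDS.get(arg or domain, [])
            matched = addr in [ipaddress.ip_address(h) for h in hosts]
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only if the nested record evaluates to "pass"
            # (simplified: nested errors are treated as no match)
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            raise ValueError(f"term not handled in this sketch: {term}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"
```

For an address that is not listed, the `~all` in the record above produces softfail, which receivers commonly accept and mark rather than reject; only `-all` produces a hard fail.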

Is SPF going to stop SPAM… NO, probably not. But it’s going to make things a little harder for the evil spam-bots of the world. After all, if the legitimate domains are protected using something like SPF (or Microsoft’s version SenderID) then the spammers will need to set up a domain to send spam from. With improved communication in the industry, these domains will be quickly blacklisted. Of course spammers can get new domains constantly (at a cost) or use DNS poisoning to force the SPF records to be blank on set servers. However, SPF isn’t meant to be THE solution. It’s just another piece of the puzzle. After all the only real solutions to spam are to make it so hard to do that it’s no longer worthwhile, or educate those people still STUPID enough to think, ooh I can help a deposed Nigerian president AND earn money…. Sign me up.

Right now I’m not sure how much spam this SPF is stopping. After all, I’m not sure how much is being spoofed. Still, if the servers support SPF checking then I’m sure it’ll be doing some good. My suggestion, if you’ve got a domain, then spend 5 minutes to set an SPF to protect others from spam that might be spoofed from your domain in the future.