Spam is different. Your spam differs from mine. So the filter needs some time to get used to the messages and learn. The result should improve over time quite well.

• 9000 Spam Comments
• 1000 Ham Comments
• 100 Reports

Microsoft Outlook Notification for the xxxx@xxxx.xx

Support [xxxx@xxxx.xx]

Sent :Thu 15/10/2009 06:38

To xxxx@xxxx.xx

Attachment install.zip (12kb)

You have (6) New Message from Outlook Microsoft

- Please re-configure your Microsoft Outlook Again.

- Download attached setup file and install.

True, this mail usually is a bad one, but nevertheless it made me grin due to the fact that I was using Thunderbird and KMail for managing my personal mail flood. So I checked the mail headers and found out that it came from a spamhost somewhere in the net.

Just as I decided to ignore that message and train my spamfilter, I noticed the ZIP file attached. Sadly it came without a brief description of what it really does – so that part of work is left to me. But I am sure it is definitively not the new software for photo books by CeWe. Unpacking the ZIP File was an easy thing:

Listing archive: install.zip
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2009-10-15 11:38:42 ....A        28672        21167  install.exe
------------------- ----- ------------ ------------  ------------------------
                                 28672        21167  1 files, 0 folders

The contents is just a plain EXE file, which is getting a little more interesting as you can scan it for malware, but for now, ClamAV doesn’t report a positive match. So I have to take a closer look if I want to know.

Digging in that binary, I noticed, that it is just another container that does SFX – and as I got my Swiss Army Archive tool 7-Zip with me, it is an easy thing to unpack it:

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2006-01-21 22:17:57               2606         3072  .text
2006-01-21 22:17:57               5293         5632  .rdata
2006-01-21 22:17:57              53248            0  .data
2006-01-21 22:17:57                592          512  .tls
2006-01-21 22:17:57              18138        18432  .edata
------------------- ----- ------------ ------------  ------------------------
                                 79877        27648  5 files, 0 folders

And here we go – but who is who? I am using the magic numbers of the files to get an idea of what’s their purpose.

data: empty
edata: data
rdata: data
text: VISX image file
tls: data

Skimming through the files with a HEX Editor, the string “FuC1.FuC1.FuC1″ showed up quite often, which clearly indicates that the file is made from a script kiddie and won’t do anything good on our system…

So the best thing is just ignoring those messages and deleting them immediately.

It really is just a small number of god dammed hosts hammering our blogsphere. So it is just the blacklisting that keeps off most of the buggers making the other checks quite obsolete saving ressources.

At the moment of this writing the blacklist lists 215 IP Addresses which are hitting me and the other users regularly – But how many blogs do use the plugin? I cannot tell an exact number but it can’t be more than 25 sites by now…

Usually you’d use the htaccess file to get rid of various IPs on your site, but to be honest, there is no foolproof way of doing so regarding collateral damage. What if you have blocked innocent people? Using a blacklist you can easily offer a removal request form.

Regarding IP address lists, it is hard to maintain them. True, there are always some in your spam queue, but it’s not only you being hit by them. Spambots usually hit a ton of blogs – using a centralized blacklist cutting one’s losses got easier as more and more people report.

As those IPs are rather static, I have decided to set up a blacklist service for banning those IPs all over the server using a central service. The website for this blacklist service can be found on http://www.stargazer.at/blacklist including the possibility to file a removal request.

I have already activated the plugin on every blog run at this server. If you are interested in contributing or using the plugin yourself, feel free to leave a message and I will offer the plugin for download.

But however, I have to say that I’m quite satisfied with my little defense tricks I did back in June 2007 that kept my moderation queue clean until now. New year, new luck and the next round against those dirtbags. But there’s one thing for sure: I won’t run out of ideas that soon!

JSSpamBlock extends the comment form with a simple input field for checking if you’re human or not. As this function uses a hook which is also used by the dashboard reply-to-comment function, the latter one throws an error. Assuming that spambots are not authenticated users, I did a workaround on that.

Download here