No Spam !

No Spam please, we are hackers...

"The concept of: 'It's okay to do what you want to, people can killfile you' is akin to saying that is okay to allow people to piss into the bottle, because the drinker can always spit it out."    — Martin Gilbert

Obsolete Warning: those notes applied mainly to Windows until version 2000. I still keep up to date on spam fighting and security but the field is moving so fast that I don't have time to blog about it anymore. There are entire websites devoted to this. You can google them easily, or install Ubuntu in the same time it takes to read the first page of one of them !


"...by posting Content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this Content in any medium. You waive any right to privacy."    — Extract from the new 2005 AOL Terms of Service.

Virus Popups

Outlook Express users, if you do only one thing from this page, it should be this. Sometimes you open an email or a Usenet post and billions of popups open at the same time thanks to the stupid Outlook Express executing any JavaScript it encounters. Or worse, it starts a virus that was in the attachment. Here's a solution that gets rid of this huge security risk: disable "Active Scripting" in the "Restricted Sites" zone and set email and newsgroups to run in the "Restricted Sites" zone (instead of running them with local privileges):

No more popups or JavaScript. This solution keeps JavaScript working on web pages where it's often used and useful, but bans it from emails and posts where it has no place whatsoever. And if you are careful never to open any attachments (.exe .bat .vbs .js .com...), you won't even need an antivirus with this little trick.



"We need to outlaw all forms of intrusive advertising. By intrusive, I mean directed directly at a recipient (each ad sent one at a time). TV commercials are not such types of ads, but junk (physical) mail, spam, cellphone spam, fliers on your doorknob, fliers handed out in public, and even a salesperson saying to you in a public noncommercial place (not in a store) "Hi, how are you today..." It all needs to be made illegal. No freedom of speech issues; there will still be viable (legitimate) ways a business can advertise. Word of mouth, however, is the only legitimate form of advertising. All others are illegitimate but necessary evils (better to have commercials on tv than have to put in a quarter). But all this 'direct marketing' should be completely illegal, in every possible form, current or yet-to-be developed. As far as I'm concerned the Direct Marketing Association is a criminal organization."    — kaltkalt.

NetBios Popups
...or Spam can't get any more annoying than that !

Have you ever had a Windows popup open in your face while you don't even have a browser open ? This is a recent (2002) abuse of the "NET SEND" command. You can test this command on your own computer by doing "NET SEND 127.0.0.1 Message Blah Blah Blah" from the [Start][Run] menu. If you receive that message, then your computer can be a target. You can also try it on your colleagues' computers if you know their hostnames or IPs (for instance NET SEND ComputerCEO "Time for a beer ?").

The program being used is called "Direct Advertiser" (what an original name...). If you have NetBIOS bound to your interface, someone using net send will, by default, pipe the message over SMB to TCP 139. But if NetBIOS is not bound to the interface, net send will use UDP 135 instead. It takes the net command a bit longer to figure this out, but it does work.

The Direct Advertiser product just skips the preliminaries, knowing that smart system administrators close TCP 139, and goes right for the undocumented back door. The 'Direct Advertiser' web site even tells you how to not receive this kind of thing any more:

Here's how to set up your system to not receive netbios messages. For Windows 2000:

For Windows XP:

For Windows 98/ME:

Note: this has nothing to do with MSN Messenger, which will still work. As a (better) alternative to the trick above, you can just install a firewall.


"I visited hormel.com and submitted a form for a free sample of their product, but then the privacy disclaimer told me I would not receive any spam. What's up with that ?"    — Alan Bland.

Piggyback Scams and Spyware

There has been a lot of coevolution of spam and spam fighters since I started this page in '97. Four years is a long time in web years. Now spam is not limited to unwanted email messages. The arms race is on between marketers who want their useless crap known by all and users who just want to be left alone. We all know about the pop-up ads that any experienced websurfer can close with a well placed [Alt][F4] even before the title shows up. A bit more silly are pop-down ads that open up under all your windows, draining resources, and that you notice only at the end of the day when you start closing all those hundreds of open windows.

As of 2001, the new fashion in Net marketing (well, all those fledgling dotcoms have to find some money, right ?) is piggyback applications. You download and install a free program that you want (like the peer to peer file sharing network KaZaa) and you end up with 5 other programs installed: new.net; Webhancer; Cydoor; OnFlow; EZula... What do they do ? They follow your websurfing and report to their masters what you are looking at. Then they open pop-up/down windows "targeted specifically for your needs". I don't have any needs except to see all the web marketers dead, thank you.

So, every once in a while, press [Ctrl][Shift][Esc] (in Windows 2000) and try to figure out what all those running programs are doing, and then kill and remove the unwanted ones with [Start][Settings][Control Panel][Add/Remove Programs]. Note that some programs will refuse to run anymore if you remove the associated spyware they installed. You can sometimes find on the web an empty program or dll with the same name to copy over the unremovable spyware.

There are now programs to remove spyware, just like there are antivirus programs to remove viruses: Spybot and AdAware for instance.

One spyware of note is Windows Media Player 9.0: it connects to the Internet every time you play an mp3/CD/wav/mpg/avi file on your own computer and reports to its masters what you are doing. There are options in it to disable this reporting, but at this point what trust do you have in them ?!? Better yet, use Windows Media Player 6.4. Even after you "upgrade" to later versions, it's still there... It plays all of the same stuff that the later versions play (uses the same codecs), the interface is much less obnoxious, and it doesn't "phone home" every time you start it up. You should be able to find it as c:\Program Files\Windows Media Player\mplayer2.exe. Use right-click and [Open With...] to associate media files with it instead of wmplayer.exe.



"Nothing in the Constitution compels us to listen to or view any unwanted communication, whatever its merit. We therefore categorically reject the argument that a vendor has a right under the Constitution or otherwise to send unwanted material into the home of another."    — Supreme Court Chief Justice Warren Burger (1970).

Removing banners, popup and popunder ads

Here's a great little trick that will remove many banner ads from web pages and also forbid annoying popup/popunder ads. Paste the following lines into your hosts file. This file has the same format on Windows and Unix and can be found in "C:\WINNT\system32\drivers\etc\hosts" for Win2000 users, "C:\Windows\hosts" for Win98/Me or "/etc/hosts" for Unix/Linux. Make sure you leave what's already in there (namely the line that says "127.0.0.1 localhost").

What it does is redirect requests to advertisement websites to some non-existent address (identified by 0.0.0.0), thus canceling the ads... If you still see some ads or popups, right click on them, do [Properties] (or [View Page Info] on Netscape), see if the location is some commercial website (like 'www.spammer.com') and add it to the hosts file. Simple and very efficient. Instead of the offending ad, you will see either an empty box or a box that says "Error: not found" or something similar.
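One way to script the hosts-file edit described above, as an added example that is not part of the original page: it merges candidate ad hosts into existing hosts content, keeps every line that is already there (including "127.0.0.1 localhost"), and skips names that are already mapped. The hostnames and function names are constructed for the example.

```python
import re

SINKHOLE = "0.0.0.0"   # the non-existent address the page redirects ad hosts to
PROTECTED = {"localhost", "localhost.localdomain"}   # never remap these
# Syntax check so a pasted URL fragment or junk never lands in the file.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def parse_hosts(text):
    """Return {hostname: address} for every mapping found in hosts-file text."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on blanks
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), fields[0])   # first mapping wins
    return mapping


def normalise(entry):
    """Reduce a copied location (URL, host:port or bare name) to a hostname."""
    entry = entry.strip().lower()
    entry = re.sub(r"^[a-z][a-z0-9+.-]*://", "", entry)    # strip the scheme
    entry = re.split(r"[/:?#]", entry, maxsplit=1)[0]      # strip port, path, query
    return entry.rstrip(".")


def merge_blocklist(hosts_text, candidates):
    """Return (new_text, added, skipped) without touching existing lines."""
    known = parse_hosts(hosts_text)
    added, skipped = [], []
    for raw in candidates:
        host = normalise(raw)
        if host in PROTECTED or not HOSTNAME_RE.match(host):
            skipped.append((raw, "not a blockable hostname"))
        elif host in known:
            skipped.append((raw, "already mapped to " + known[host]))
        else:
            known[host] = SINKHOLE
            added.append(host)
    if not added:
        return hosts_text, added, skipped
    body = hosts_text
    if body and not body.endswith("\n"):
        body += "\n"
    body += "".join(f"{SINKHOLE} {host}\n" for host in added)
    return body, added, skipped


# Constructed sample input: an existing hosts file and locations copied from ads.
SAMPLE_HOSTS = "127.0.0.1 localhost\n0.0.0.0 ads.example.com  # added earlier\n"
SAMPLE_CANDIDATES = [
    "http://banners.example.net/img/468x60.gif",
    "ADS.example.com",
    "popunder.example.org:8080",
    "localhost",
    "not a hostname",
]

if __name__ == "__main__":
    text, added, skipped = merge_blocklist(SAMPLE_HOSTS, SAMPLE_CANDIDATES)
    print(text, added, skipped, sep="\n")
```

Running the merge a second time on its own output adds nothing, so it is safe to repeat whenever new ad hosts turn up.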

For more explanations and a more complete and up to date hosts file, go to http://www.mvps.org/


"I can't believe how crafty these spammers are. They've even infiltrated my favorite restaurant ! Now I not only have to wade through all those penis-enlargement e-mails at home, but I have to put up with their offers to 'super-size it' when I go out to eat."    — Brad Wilkerson.

(Un)Trusted sites

You frequently visit a website that bombards you with advertising popups ? Put it in your untrusted list. In Internet Explorer go to [Tools][Internet Options] then [Security], click on [Restricted Sites] and then on [Sites]. Add them there, for instance news.yahoo.com, www.msn.com... Note that if you do that you won't be able to directly view .pdf files or run JavaScript from there. You can fine tune what each category (trusted, internet, restricted, intranet) is permitted to do with the [Custom Level] options, which are a bit intimidating because there are so many of them.


"We need a solution to spam, but most of those proposed aren't. There really aren't that many spammers; put fifty people in jail and it will stop."

E-mail Spam

You are probably like me, the first thing you do in the morning upon getting to work is open your e-mail reader and wait eagerly while it downloads the last messages from the server.
What a disappointment it is to see only 'Make money fast', 'Get rich quick', 'Good times', 'Lose weight in a week', 'I met Jesus' and such useless drivel.

You can say what you want about Microsoft, but after installing Internet Explorer 4.0, and running Outlook Express (the e-mail/news reader that comes with it) I had the nice surprise to see that, finally, someone had come out with a killfile system for Win95. Finally.

The way it works is simple: You have received a spam message ?



For instance, here is part of the current content of my killfile (note that it is case sensitive):

Apply this rule after the message arrives
Delete it
and Stop processing more rules

Note that you can use this system to answer automatically with pre-written messages (if somebody sends you 'good times', you can automatically answer with the 'gullibility alert' file...). But never reply to spammers, even with the most witty insults: they almost never have a valid return address, and if they do, then they now have the proof that your email is valid...

You can also manage e-mail lists by putting them automatically in separate folders using the [To] as a selector. Overall it's a very useful feature, one hard to give up after you've gotten used to it. Many spam messages include a load of spaces and then a random number at the end of the subject line. You cannot filter out directly 4 blank spaces, but with some registry hacking, it becomes possible; the idea is to filter out %%%%, then look for it inside the registry and replace it with spaces (it's harder than it sounds because it's encoded in binary).

I also wish there was an easy way to save the filtering rules for when you change computers; as it is, it requires some registry hacking (save 2 registry branches, edit the files with the new store location, and load them in the registry).


"Most experienced Net users filter forwarded e-mails according to at least one simple rule: Sad stories probably aren't true, and really sad stories that ask for donations aren't just false, they're probably scams or viruses."

Usenet Spam

You are probably like me, the second thing you do in the morning after reading your e-mails is take a quick look at your favorite newsgroups to see if the answers to your last questions concerning the bugs in Windows are there. What a disappointment it is to see only 'Make money fast', 'America vs Canada' flame wars and such useless drivel.

You can say what you want about Microsoft, but after installing Internet Explorer 4.0, and running Outlook Express (the e-mail/news reader) I had the nice surprise to see that, finally, someone had come out with a killfile system for Win95. Finally. Heh, wait, isn't this the exact same text as a few lines ago ? Yes, fine observation, I'm lazy, so what ?

The way it works is simple. There are spam messages in your Usenet newsgroups ?

For instance, here is the current content of my killfile (note that it is case sensitive and multiple words have to be put between quotes):

Note that, besides spam, you can also add the keywords you are just not interested in (like 'Star Trek') and also refine the exclusions to specific newsgroups. Unfortunately you cannot filter out messages cross-posted to more than 2 newsgroups.


AntiSpam software

"Will the information superhighway have any rest stops ?"

With the onslaught of spam that we've been receiving in the last few years, it's normal that the defense got organized. There are many antispam software solutions based on different methods, but most of them are freeware open source solutions. It's not a surprise: when Microsoft itself put a spam filter in their beta version of Outlook Express 5, they got sued by spammers and had to remove it. So if spammers can bend Microsoft, the only ones who can fight are the nobodies of Open Source movements. Not that those programs don't work, on the contrary, but there are so many to choose from: Realtime Black Lists, intelligent keyword filtering, collaborative filtering... but the most promising are Bayesian filters.



Several programs use this method, and I've tried several which were so hard to use and configure that after two days I still couldn't figure them out while still having a ton of spam. Then I hit the jackpot: POPFile. It was installed and configured in 2 minutes. And after a day I didn't have any more false positives or false negatives. It sits between Outlook Express and your POP3 server and filters the messages. Many other programs do that, but while you must teach SpamAssassin by copying and pasting each message individually, you just open POPFile's configuration page and tell it what each message is (Spam, Work, Personal... as many categories as you want). That's it. The system is intelligent enough to figure out its own keywords or rules.
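A minimal sketch of the Bayesian approach described above, as an added example and not POPFile's own code: a multi-bucket naive Bayes classifier with add-one smoothing that learns its own keywords from messages you label. The class name, bucket names and training messages are constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

TOKEN = re.compile(r"[a-z0-9$!']+")


def tokens(text):
    """Lower-case word tokens; '$' and '!' are kept because spam leans on them."""
    return TOKEN.findall(text.lower())


class BucketClassifier:
    def __init__(self):
        self.word_counts = defaultdict(Counter)   # bucket -> word -> occurrences
        self.message_counts = Counter()           # bucket -> messages trained
        self.vocabulary = set()

    def train(self, bucket, text):
        """Tell the classifier which bucket a message belongs to."""
        words = tokens(text)
        self.word_counts[bucket].update(words)
        self.message_counts[bucket] += 1
        self.vocabulary.update(words)

    def scores(self, words):
        """Unnormalised log-probability of each bucket for a list of known words."""
        total = sum(self.message_counts.values())
        vocab = len(self.vocabulary)
        result = {}
        for bucket, seen in self.message_counts.items():
            counts = self.word_counts[bucket]
            bucket_words = sum(counts.values())
            score = math.log(seen / total)                     # prior for the bucket
            for word in words:
                # Add-one smoothing: a word unseen in this bucket is unlikely,
                # not impossible, so one odd word cannot veto a bucket.
                score += math.log((counts[word] + 1) / (bucket_words + vocab))
            result[bucket] = score
        return result

    def classify(self, text, fallback="unclassified"):
        known = [w for w in tokens(text) if w in self.vocabulary]
        if not known:
            # No evidence at all: refuse to guess rather than let the biggest
            # bucket (usually spam) win on its prior, a false positive.
            return fallback
        scores = self.scores(known)
        return max(scores, key=scores.get)


# Constructed training messages, labelled the way a user would label them.
TRAINING = [
    ("spam", "Make money fast!!! Get rich quick"),
    ("spam", "Lose weight in a week, free offer"),
    ("spam", "free money click now"),
    ("work", "Meeting moved to Tuesday, agenda attached"),
    ("work", "Please review the quarterly report before the meeting"),
    ("personal", "Dinner on Saturday? Mom says hi"),
    ("personal", "Photos from the weekend hike"),
]


def demo_classifier():
    classifier = BucketClassifier()
    for bucket, text in TRAINING:
        classifier.train(bucket, text)
    return classifier


if __name__ == "__main__":
    c = demo_classifier()
    for subject in ("Get rich quick with free money", "Agenda for the Tuesday meeting"):
        print(subject, "->", c.classify(subject))
```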


By US Code Title 47, Sec.227(a)(2)(B), a computer/modem/printer meets the definition of a telephone fax machine. By Sec.227(b)(1)(C), it is unlawful to send any unsolicited advertisement to such equipment. By Sec.227(b)(3)(C), a violation of the aforementioned Section is punishable by action to recover actual monetary loss, or $500, whichever is greater, for each violation. All incoming unsolicited commercial traffic will therefore be billed at a rate of $500 per message to compensate for loss of service.
Sending unsolicited commercial advertisements or solicitation to my email address will be considered acceptance of these terms and billed $500 per occurrence.

Warning message

Robots roam Usenet and the Web in search of e-mail addresses and keywords associated to them so they can send you so called 'customized messages'. In other words: SPAM.

When posting on Usenet, there is not much you can do since the x-no-archive: yes will very likely be ignored by the robots. You can try to put a message such as the one below in the unlikely hope of scaring them off ! But if only one person out of 10000 would really sue them... well maybe that'd make a good start.
Note also that this message applies only in the US.



"America Online says the amount of spam aimed at its 35 million customers has doubled since the year [2003] started and now approaches 2 billion messages a day, more than 70 percent of the mail its users receive."

Other methods

There are other methods to fight email spam.

For Web robots, you can try to spam the spammers... By putting up a page with tons of fake e-mails and keywords on your Web site, you confuse the robots and introduce erroneous e-mail addresses in their databases. Things like clinton@whitehouse.gov.
Or even better, existing and very interesting e-mail addresses such as postmaster@fbi.gov, postmaster@fcc.gov, pyramid@ftc.gov, net-abuse@nocs.insp.irs.gov, fraudinfo@psinet.com... You get the idea.

I once saw an infinitely recursive cgi script that was generating random keywords and e-mail addresses. Neat. Only trouble with that is that it wastes a lot of bandwidth if the robot really gets caught in it...

The problem is that robots may sniff and thus avoid the trap while search engine robots might get confused (and in this case they will drop your page or worse, your site from their index).

For Usenet robots, there is the now classic way of adding a 'nospam' somewhere in your e-mail 'reply-to' address and specifying in your .sig to remove it. But personally I hate to have to edit the header when I answer (I have to do tons of clicks in Outlook Express). And some robots will automatically remove the 'nospam' (which goes completely against the expressed will of the poster) ! It's a shield/sword escalation. You can put something else to remove, but if you write down what it is... Well, you get the picture.


"Remember: everybody who asks for your email address is a spammer until proven otherwise."

Tracing spammers

Finding the senders of spam is notoriously hard. It would be so nice to be able to call them up at 3am and tell them what you think of unwanted communications. The return addresses are never valid, they are offshore, use spamming services, relays in China, 0wn3d boxes... Or is it really that hard ? The one thing you need for that is a mail provider that enables you to use as many forwards as you want. Define your primary email and never give it to anyone, say hiddenmail101@myisp.com; you need to use a username that cannot be found easily by dictionary attacks: bob@myisp.com is out of the question.

Then each time you need to give your email to someone, or you purchase something online, create a new non-trivial alias: forfriends3142@myisp.com, business4536@myisp.com, amazon6253@myisp.com, viagrapurchase@myisp.com, mailinglist8674@myisp.com, usenet4167@myisp.com... Make sure that all of them forward received mail to your main address, and that they cannot be found too easily by dictionary attacks. Then when you start receiving spam, not only do you know who gave your address away by looking at the To: field, but you can also cancel the forward in a few seconds.
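The alias scheme described above can be scripted; the following is an added example, not part of the original page. It is a variation on the page's hand-picked numbers: the suffix is derived from a private key with HMAC, so an alias can be recognised later without keeping a list, and a guessed address at your domain stands out as a dictionary attempt. The secret, the six-character suffix and the sample messages are assumptions made for the example; myisp.com is the page's placeholder domain.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses

DOMAIN = "myisp.com"                  # placeholder domain used on the page
SECRET = b"constructed-demo-secret"   # assumption: a private key only you hold
TAG_LEN = 6                           # keyed hex digits appended to each label


def _tag(label, secret):
    return hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def make_alias(label, secret=SECRET, domain=DOMAIN):
    """Build an alias such as 'amazon' + 6 keyed hex digits + '@myisp.com'."""
    label = label.lower()
    return f"{label}{_tag(label, secret)}@{domain}"


def check_alias(address, secret=SECRET, domain=DOMAIN):
    """Return the label if the address is one of our aliases, else None."""
    local, _, dom = address.lower().rpartition("@")
    if dom != domain or len(local) <= TAG_LEN:
        return None
    label, tag = local[:-TAG_LEN], local[-TAG_LEN:]
    expected = _tag(label, secret)
    return label if hmac.compare_digest(tag.encode(), expected.encode()) else None


def trace(raw_message, secret=SECRET, domain=DOMAIN):
    """Report which aliases a message was sent to and which addresses were guessed."""
    msg = message_from_string(raw_message)
    fields = []
    # Delivered-To / X-Original-To survive Bcc; To and Cc are what the page looks at.
    for header in ("Delivered-To", "X-Original-To", "To", "Cc"):
        fields.extend(msg.get_all(header, []))
    leaked_by, guessed = set(), set()
    for _name, address in getaddresses(fields):
        address = address.lower()
        if not address.endswith("@" + domain):
            continue                      # somebody else's address
        label = check_alias(address, secret, domain)
        if label:
            leaked_by.add(label)          # the party that was given this alias
        else:
            guessed.add(address)          # never issued: dictionary attempt
    return {"leaked_by": sorted(leaked_by), "guessed": sorted(guessed)}


# Constructed sample messages.
SPAM_TO_ALIAS = (
    "From: deals@bulk-sender.example\n"
    f"To: {make_alias('amazon')}\n"
    "Subject: constructed sample\n\nBuy now\n"
)
SPAM_TO_GUESSES = (
    "From: deals@bulk-sender.example\n"
    "To: bob@myisp.com, amazon1234@myisp.com\n"
    "Subject: constructed sample\n\nBuy now\n"
)

if __name__ == "__main__":
    print(make_alias("usenet"))
    print(trace(SPAM_TO_ALIAS))
    print(trace(SPAM_TO_GUESSES))
```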

Note that some states (Washington, California...) allow you to apply the Junk Fax Law to spam and sue either the spammer/faxer or the entity on whose behalf it was sent. If you've kept your list of separate emails, it's easy to find the latter.

And you know what, you can also use this method with your snail mail address: use inventive middle names when giving it to parties you don't trust...


"On the negative side, I've been getting charged for a ton of stuff I didn't order lately. On the positive side, I did win that 'Who's Got the Best Password' contest on AOL last week."    — Spike Donner.

Avoiding credit card frauds and Identity theft (in the USA)

"The only way to defeat spam is through a national health care plan that would provide free penis enlargement, viagra and breast implants to all Americans."    — wakim1618.

What the US government has to say about identity theft... And some security definitions to clear things up:

Identify: to establish the identity — e.g. ask a user name (cf. anonymous ftp).
Authenticate: checking the proofs of identification are legit, e.g. check that photo ID isn't a fake, check credentials with password.
Authorization: making sure this schmo you identified and whose id you authenticated is actually allowed to do what he's doing, e.g. permissions.
Auditing: keeping records, i.e. logging.
Non-repudiation: making sure someone can't claim "it wasn't me", e.g. videotaping ATM users. (Cryptographic non-repudiation often depends on keeping a secret, such as a secret key. Not a good assumption; "it was my 0wnx0r!")
Confidentiality: keeping secrets, i.e. don't give out private information.
Integrity: making sure stuff isn't changed (if it is changed, make sure it's audited).
Accessibility: make sure legit users can actually use their stuff.

Remember that email is not secure. Don't send anything in the email that you don't want printed in the classified ads of the local paper. Because sending email is like sending a postcard. Every postman (every server) between here and there can read what you've written. There are tools to make it secure, like PGP.


More recently, the whole identity theft and background check problems have been getting completely out of hand in the US. Take a look at those comments.


Corporate Security Password rules: As a matter of fact, there is only one word that meets all of these requirements. It is therefore the most secure password in the world, and so it has been assigned to you as your password.

Virus attachments

If you get your email off a Unix machine (like a POP server) to which you have a shell access, do the following to get rid of all messages containing potential viruses. Create a ~/.procmailrc file with this inside:

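	# B = test the message body; both conditions below must match
	:0 B
	* Content-Disposition: attachment
	* name=.*\.(com|exe|pif|scr|bat|lnk|shf|vbs)
	{
		# Stick it somewhere
		# (no conditions here, so every message that reaches this block is
		# delivered to the destination; the trailing ':' asks for a lock file)
		:0 B:
		/dev/null
	}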

Of course, this is a bit drastic, since it throws every message carrying a file of one of those types into the bin (/dev/null), so you may want to replace it with something like /home/username/mail/viruses.

Then you will need to have a .forward file with the following in it:

	|/usr/bin/procmail

Note the '|' vertical pipe bar at the beginning, and make sure this is the correct location by first running whereis procmail.
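To see what the recipe's two body conditions catch and what they miss, here is an added example (not part of the original page) that compares an approximation of those conditions with a check on the filename as a MIME parser decodes it. It reports a false positive on a harmless name that merely contains ".com" and a miss on a filename sent in the standard RFC 2231 encoded form. The sample messages are constructed, and the regular expressions only approximate procmail's matching.

```python
import re
from email import message_from_string

# Extension list copied from the procmail recipe above.
BLOCKED = {"com", "exe", "pif", "scr", "bat", "lnk", "shf", "vbs"}

# Approximation of the recipe's conditions: procmail matches case-insensitively
# and '.' does not cross a line break.
RECIPE_DISPOSITION = re.compile(r"Content-Disposition: attachment", re.I)
RECIPE_NAME = re.compile(r"name=.*\.(com|exe|pif|scr|bat|lnk|shf|vbs)", re.I)


def recipe_would_match(raw):
    """True if both recipe conditions match the raw body (everything after the headers)."""
    body = raw.split("\n\n", 1)[1] if "\n\n" in raw else ""
    return bool(RECIPE_DISPOSITION.search(body) and RECIPE_NAME.search(body))


def blocked_attachments(raw):
    """Return decoded attachment filenames whose final extension is blocked."""
    hits = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()        # decodes RFC 2231 filename*= values
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "setup.exe." still runs.
        stem = name.rstrip(". ")
        if "." in stem and stem.rsplit(".", 1)[1].lower() in BLOCKED:
            hits.append(name)
    return hits


def sample(disposition_line):
    """Build a constructed two-part MIME message around one attachment header."""
    return (
        "From: sender@example.org\nTo: me@example.net\nSubject: constructed sample\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nSee attached.\n"
        "--b1\nContent-Type: application/octet-stream\n"
        f"{disposition_line}\n\nAAAA\n--b1--\n"
    )


# Constructed sample messages.
PLAIN = sample('Content-Disposition: attachment; filename="invoice.exe"')
ENCODED = sample("Content-Disposition: attachment; filename*=UTF-8''invoice%2Eexe")
HARMLESS = sample('Content-Disposition: attachment; filename="www.company-report.pdf"')
TRAILING_DOT = sample('Content-Disposition: attachment; filename="setup.exe."')

if __name__ == "__main__":
    for label, raw in [("plain", PLAIN), ("encoded", ENCODED),
                       ("harmless", HARMLESS), ("trailing dot", TRAILING_DOT)]:
        print(label, recipe_would_match(raw), blocked_attachments(raw))
```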


"Security must be evaluated not based on how it works, but on how it fails. It doesn't really matter how well a secure system (be it ID card or a secure communication) works when used by the hundreds of millions of honest people that use it. What matters is how the system might fail when used by someone intent on subverting that system: how it fails naturally, how it can be made to fail, and how failures might be exploited."

Oppose biometric data

In the wake of the September 11 killings, a lot of political things have been going on to restrict privacy, let 3-letter agencies snoop on everyone's emails and things like that. I don't usually care much about that, simply because I don't have a (too) dark conscience, it may actually catch some bad guys and I trust (?) (some) governments to discard data gathered on law abiding citizens. Anyway, that's not the point here.

No, I want to strongly bring into view my opposition to so-called biometrics like automated fingerprints, DNA analysis or retinal scans. While they seem like a good idea at first (no more passwords to remember, ease of use, guarantee that no one else has the same pattern...), there is a very dangerous problem with that: you cannot change or revoke them. What if someone manages to get a copy of the binary data that characterize your iris ? What if it gets circulated in some crackers' circle ? Will you change your iris ? Or will you simply accept losing your work, bank account, right to travel... since your iris will then be unusable for any purpose. You can change a password or your credit card number if it's compromised, but you cannot change biometrics. Think about it and oppose such plans.

Want some real world examples ? There's a Fujitsu palm scanning mouse. The stupid thing attaches to an ordinary PS/2-style mouse port. Which is not a secure channel ! So if you want to hack it, just buy a keylogger ($10), put it between the mouse and computer, and let the unsuspecting user put his hand on it: here's your recording, ready for playback. And for pointing out something that stupid, I probably fall under the DMCA (Dumbest Mistake on Copyright in America) too... And there are also some kits available to make fake fingerprints: it takes 20 minutes and less than five dollars worth of plaster and gummy worms. Read here for more on fingerprint readers.

Left: The current Privacy Threat Index, as defined by the Electronic Privacy Information Center. EPIC assesses the current threat level based on events over the past year: these factors include expanded use of the Foreign Intelligence Surveillance Act, the decision of the FBI to relax the legally mandated accuracy requirement for the National Crime Information Center (NIPC) and increased funding for surveillance systems including immigration control and video surveillance.


"In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penisses, taken Viagra and are looking for a new relationship."

Copy protected CDs

OK, this page is evolving into something about everything that goes wrong in the Information Technology world of today (or whenever I last updated this page). For instance the abusive introduction of 'Copy Protected CDs' which are unreadable in your PC. And that you can't use to transfer your legally paid music to your mp3 player. Not only is this a clear violation of fair use rights, but the music industry's clearly insulting 'customer-centric' answer that follows is a true gem...

If you ever happen to buy such a CD, just bring it back to the store as 'defective'. Not that it matters much to true hackers anyway, since there are always downloads for any new CD available a week before release and cracks for the newest 'protection' schemes minutes upon release. If the music industry keeps on pissing on their customers like this, they'll just lose their customers at a high rate.

Do you know that plenty of countries (Canada, the EU...) have special taxes on recordable devices like CD-R, DVD-R and Hard Drives ? Okay, fine, then if you buy one of those and copy music/movies/software onto them, you should be legally covered because you've paid the tax, right ? Bzzzt! Wrong, the German government, after Italy and others is currently passing laws to prohibit even fair use right to copy. Now if this makes any sense to you... And in Canada where you pay a 64% levy on CD-Rs, 90% of this tax money goes to Celine Dion and Bryan Adams. Puke.

If you think that the copyright protection companies are in place for a reason, think again. In France in 2005, there are 25 such companies, half public half private, getting various taxes they are supposed to then give back to the authors. The average salary of their workers is much higher than the average French manager's salary. And the various directors get a salary higher than the CEO of EDF, one of France's biggest companies. After that not much is left for the artists. Those guys are just parasites. The biggest is the SACEM, there's also SACD, Adami, Spedidam, SCPP, but it's not a joke that one such company is named SCAM...


"The crazy thing about libraries is that if they didn't exist and someone tried to invent them today, the publishers would have a conniption fit, and it would never happen. Give away knowledge for free ? What are you, crazy ? We'd go broke! Only a pinko/commie/liberal would come up with such a whacked out idea."    — CokeBear.

Or Disney strikes again: in order not to let The Mouse go into the public domain they've managed for the umpteenth time to get Congress to extend copyright durations (if you try it with a cop, it's called corruption; if Disney does it, it's called lobbying). Copyright duration was originally 14 years after publication and is now 90 years after the death of the author or something like that. And Europe is following suit. In the meanwhile Disney has no problem ripping off other authors (who've been dead just a little longer like Hugo or the Grimm) to wring out yet another bad cartoon with one more capitalistic treasure hunt and not much else. Talk about conservatism...

"DRM 'manages access' in the same way that jail 'manages freedom'."

Our society just has an "unhealthy respect" for musicians and actors and so forth. Imagine if plumbers demanded that you pay them every time you use the sink they fixed. Or if doctors wanted a percentage of your income earned with that broken arm they mended. You'd laugh and say: "I'll just find another guy that doesn't demand those ridiculous terms". Or put another way, the free market would quickly eliminate those types of contracts. But it's not that way with, say, musicians or other creative professionals. Why ?


"With all the spam we get for penis-enlargement pills, you'd think by now someone would have invented a pill that would shrink vaginas instead."    — Kim Moser.

Defeating Watermarks

Will every DVD or CD sold hold a watermark in the future to identify who leaked it to P2P networks ? It's apparently taking this direction, but it would be a stupid idea. You can defeat a watermark by taking two versions of the same file with different watermarks and just average them (or scramble their difference) to destroy the watermark. No big crypto involved.


"Hmmm, first thing to do when one gets home is... check spam for emails."    — Ruth.

In 2006 AOL did an unfortunate publicity stunt: they released several months of search data for several thousand of their customers. Sure, the ID of the users was scrambled, but what do you think is the correct association between search terms such as user #21314: sheep porn and user #21314: john doe ? In light of such abuse of your supposed online anonymity, it appears that it's a bad idea to mix ego surfing and other searches. A little bit of advice regarding search engine use might be thus: