Tuesday, June 27, 2006

Action shot

I don't have many pictures of myself around the web, so I thought I'd share one from the recent EU Spam Symposium. Here I am talking about spam trickery:

Friday, June 23, 2006

Proposed uniform naming scheme for spammer/phisher content trickery

This post is a proposal to rename all the tricks in The Spammers' Compendium (TSC) under a uniform scheme, so that tricks can be referred to easily by spam filtering products, each name carries information about the purpose of the trick and the technology it uses, and every trick keeps a unique name.

I'd love to hear comments on this.

Each name consists of three parts separated by !: a purpose, a name, and a technology. The purpose is the reason for the trick (for example, the trick is used to obscure a URL, or to insert innocent words). The name is derived from the current TSC pejorative name. The technology identifies the way in which the trick is coded (for example, with HTML or MIME).

For a single name there could be multiple tricks using different technologies (e.g. some tricks might be implemented using HTML or CSS), or for different purposes (words might be inserted to fool a Bayesian filter or break a hash).

I propose the following purposes for a trick:
  • BWO (Bad Word Obfuscation) Making it hard for a filter to parse potentially bad words (e.g. Viagra)
  • GWI (Good Word Insertion) Adding words likely to confuse a statistical filter
  • HB (Hash Busting) Inserting randomness designed to make message hashing hard
  • TA (Tokenization Avoidance) Preventing a filter from tokenizing a message
  • UH (URL Hiding) Hiding a URL so that a user is fooled into clicking an incorrect link
  • UO (URL Obfuscation) Making it hard for a filter to identify a URL and check it against a black list
  • WB (Web Bugs) Inserting a beacon that tells the spammer that a message has been read
The following technologies would be recognized in the naming scheme:
  • CSS Use of CSS
  • HTML Any HTML without using CSS
  • Javascript Use of Javascript for trickery
  • MIME Manipulating of MIME
  • Plain Plain text
For example, the original Invisible Ink trick written using HTML would be referred to as GWI!Invisible!HTML and a CSS variant would be GWI!Invisible!CSS. Names would only be generated for tricks actually seen in the wild.

With such uniform naming it would be possible to analyze spams and phishes (perhaps even to write specific Perl recognizers for each trick) and then build up trends over time to see how individual tricks and individual classes of tricks are changing.
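As an added example (not code from the post or from TSC), here is a Python parser for the proposed PURPOSE!Name!TECHNOLOGY names that validates each part against the vocabularies above, then tallies a constructed list of sightings by purpose class and groups the technology variants of a name, the kind of trend analysis the post has in mind.

```python
"""Parser and tally for the proposed PURPOSE!Name!TECHNOLOGY trick names."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Vocabularies as proposed in the post.
PURPOSES = {"BWO": "Bad Word Obfuscation", "GWI": "Good Word Insertion",
            "HB": "Hash Busting", "TA": "Tokenization Avoidance",
            "UH": "URL Hiding", "UO": "URL Obfuscation", "WB": "Web Bugs"}
TECHNOLOGIES = {"CSS", "HTML", "Javascript", "MIME", "Plain"}

@dataclass(frozen=True)
class TrickName:
    purpose: str
    name: str
    technology: str

def parse_trick_name(text: str) -> TrickName:
    """Split on '!' and validate each part against the vocabularies."""
    parts = text.strip().split("!")
    if len(parts) != 3:
        raise ValueError(f"expected PURPOSE!Name!TECHNOLOGY, got {text!r}")
    purpose, name, technology = parts
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose {purpose!r} in {text!r}")
    if not name.isalnum():  # names such as SliceNDice or WYSINotWYG
        raise ValueError(f"name must be alphanumeric: {name!r}")
    if technology not in TECHNOLOGIES:
        raise ValueError(f"unknown technology {technology!r} in {text!r}")
    return TrickName(purpose, name, technology)

def is_valid_trick_name(text: str) -> bool:
    """True if the name parses; lets a filter reject malformed labels."""
    try:
        parse_trick_name(text)
        return True
    except ValueError:
        return False

def tally_by_purpose(observed: list[str]) -> dict[str, int]:
    """Sightings per purpose class: the trend the post wants to watch."""
    return dict(Counter(parse_trick_name(t).purpose for t in observed))

def variants_by_name(observed: list[str]) -> dict[str, set[str]]:
    """Technologies seen for each name, e.g. Invisible in HTML and CSS."""
    seen: dict[str, set[str]] = defaultdict(set)
    for t in observed:
        tn = parse_trick_name(t)
        seen[tn.name].add(tn.technology)
    return dict(seen)

# Constructed sample of sightings, not real TSC data.
SAMPLE_SIGHTINGS = ["GWI!Invisible!HTML", "GWI!Invisible!CSS", "UH!TreasureMap!HTML",
                    "UH!InternetExploiter!HTML", "BWO!FlexHex!CSS", "UH!Caption!HTML"]
```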

Currently, TSC contains 55 tricks, although I'm not sure that all of them are suitable for renaming. Here's my proposed naming of the current state of TSC:

The Big Picture TA!BigPicture!HTML
Invisible Ink GWI!Invisible!HTML and GWI!Invisible!CSS
The Daily News GWI!BigTag!HTML
Hypertextus Interruptus BWO!Interruptus!HTML
Slice and Dice TA!SliceNDice!HTML
Lost in Space BWO!Space!Plain
Enigma UO!Enigma!HTML
Script Writer TA!Script!Javascript
Ze Foreign Accent BWO!Accent!Plain
Speaking in Tongues HB!Tongues!Plain
The Black Hole BWO!BlackHole!HTML
A Numbers Game BWO!Numbers!HTML
Bogus Login UO!BogusLogin!HTML
Honey, I Shrunk the Font GWI!ShrunkFont!HTML
No Whitespace, No Cry TA!NoWhitespace!Plain
Honorary Title GWI!Title!HTML
Camouflage GWI!Camouflage!HTML
And in the right corner HB!RightCorner!Plain
A Form of Desperation GWI!Form!HTML and BWO!Form!HTML
It's Mini Marquee! GWI!Marquee!HTML
You've been framed BWO!Framed!HTML
Control Freak TA!ControlFreak!Plain
Don't Cramp My Style GWI!Style!CSS
The Microdot BWO!Microdot!CSS
WYSI_not_WYG UH!WYSINotWYG!Javascript
Ultra See Enigma
Internet Exploiter UH!InternetExploiter!HTML
Style Wars: Episode 1 Included in other tricks
The tURLing Test UO!TurlingTest!Plain
Flex Hex BWO!FlexHex!CSS
Sound of Silence WB!Silence!HTML
Blankety Blank BWO!BlanketyBlank!HTML
Doing the Splits BWO!Splits!Plain
But is it art? BWO!ASCIIArt!Plain
Absolute Zero Same as Control Freak
Spell Breaker BWO!Splelnig!Plain
About Face BWO!AboutFace!HTML
Catch a Wave TA!Wave!HTML
Treasure Map UH!TreasureMap!HTML
You cannot be serious UO!Mcenroe!HTML
The Matrix TA!Matrix!Plain
Sticky Fingers BWO!StickyFingers!Plain
Floatation Device TA!Floatation!CSS
The Small Picture TA!SmallPicture!HTML
Chop GUI TA!ChopGUI!HTML or perhaps HB!ChopGUI!HTML
Big Header-ed ? Not sure of the purpose of this; perhaps TA?
The Rake BWO!TheRake!CSS
Now you see it; now you don't BWO!Copperfield!CSS
Slick Click Trick UH!Caption!HTML
Whiter shade of Pale TA!Pale!HTML

This list is in order of discovery. It's interesting to see the rise of UH (URL Hiding) tricks as phishing has grown.

Thursday, June 22, 2006

How I love my HP-16C

A while ago I bought an HP-16C calculator on eBay. It wasn't cheap and there was no manual; the calculator itself works fine and is in almost mint condition. Since then I've fallen in love with the device.

You probably think I'm nuts to be using a calculator that was discontinued in 1989 and has only 203 bytes of memory. And I had to pay extra to get a PDF version of the scanned original manual.

Perhaps I am crazy, but here's why I love this little machine:

1. RPN. You either love this or hate it. This is my first RPN calculator and for me RPN is the right way to use a calculator. I read a short introduction to RPN tricks (of which there are very few, but filling the stack for repeated operations is one and using LST x to prevent the stack from moving is another).

2. The industrial design of HP calculators is pure art. They are the right size for your hand, the keyboard is clearly marked, keys are spaced far apart (which avoids fat fingers like mine) and the keys give good feedback on being pressed. And the calculator is slightly slanted so that when it's on the desk it's easy to type on.

3. Floating point with fixed display of decimal places. Just right for balancing your check book.

4. Hex/Dec/Oct/Bin modes plus the nice 'show' feature which can display a number in one of the other bases for a few seconds without changing base. Very handy when debugging.

5. And my favorite thing... the HP 16C is 128 mm wide and 79 mm deep. Notice anything interesting? 128 ENTER 79 / is... 1.62. Or the Golden Ratio. No wonder I love that thing so much.

Tuesday, June 20, 2006

Everything should be an RSS feed

Every day I use Mozilla Thunderbird to read mail and a variety of RSS feeds. But I find myself hopping over to various web sites for different bits of information. It's finally occurred to me that everything should be an RSS feed.

Here's what I want to be able to aggregate and display in one UI on my computer:
  1. The balance of each of my bank and credit card accounts updated every 60 minutes
  2. The weather in various cities world-wide updated hourly
  3. The Euro/Dollar exchange rate updated daily
  4. The GPS coordinates of every member of my family updated every five minutes
  5. The number of voicemails I have waiting for me updated every five minutes
  6. Recent news items containing my name from Google News updated daily
  7. All those lovely news headlines I can't live without updated every hour
  8. The values of a variety of stocks updated every fifteen minutes
  9. My Google AdSense balance updated every day
  10. Web site statistics for my web properties updated daily
  11. All my frequent traveler miles updated daily
What distinguishes some of these things from standard RSS feeds is that they contain one item. For example, the Euro/Dollar exchange rate need only contain the latest rate (or at least I'll configure my client to show me only the latest).

Basically I want one page, that's my entire life.

Call it MyLife.com.

Friday, June 09, 2006

Double quote bug fix for signature

A while ago I wrote about Shoehorning Keep State into GNU Make. A reader has identified a bug in the code that I presented that causes the code to keep regenerating a target even though the commands have not changed.

This bug occurs if the commands for a target have a double-quote in them. For example, if you have something like:

@compiler -D_DEBUG="YES" foo.c

foo.o will be regenerated every time the Makefile is run. This is because the keep state code echoes the current state of the command to a file and echo strips the double-quotes around YES.

The fix is simple: escape the " characters before echoing them. Here's the updated code for signature with the fix in it:

include gmsl

last_target :=

dump_var = \$$(eval $1 := $($1))

# Start a fresh signature file for a target: record the automatic
# variables and make the target depend on its .force file.
define new_rule
@echo "$(call map,dump_var,@ % < ? ^ + *)" > $S
@$(if $(wildcard $F),,touch $F)
@echo $@: $F >> $S
endef

# Record the command in the signature file, escaping " and $ so the
# echoed line survives the shell intact, then run the command itself.
define do
$(eval S := $*.sig)$(eval F := $*.force)$(eval C := $(strip $1))
$(if $(call sne,$@,$(last_target)),$(call new_rule),$(eval last_target := $@))
@echo "$(subst ",\",$(subst $$,\$$,$$(if $$(call sne,$(strip $1),$C),$$(shell touch $F))))" >> $S
$1
endef

Monday, June 05, 2006

Gallows humor from inside Enron

As people work through the Enron emails that are part of SpamOrHam there are a few gems showing up. Many people inside the company sent email assuming that the messages were private or would never be seen. After FERC made them all public we've all been able to see inside this, now infamous, company. A new feature of SpamOrHam lets people reading the messages flag them as funny.

Three such examples of gallows humor from inside the company are the following (I've deleted headers etc. and am just showing the body of the message).

The first message describes a fictional company called 'Kenron':

Today we offer vast diversified product range, including office space in many major US and European cities, second hand computer equipment, and useless IT Helpdesk promotional gimmickry. In fact we have the largest stock of nearly new Compaq and Sun computers in the world. These products give customers the flexibility they need to lose all their money and achieve into the highly sought after status of suing our ass in a class action.

It's difficult to define Kenron in a sentence, but our senior executives have been described as "incompetent", "arrogant" and " a bunch of thieving bustards" by many top tier financial institutions. We falsify commodity markets so that we can deliver physical commodities to our customers at a ridiculously unsustainable price. It's difficult, too, to talk about Kenron without using the word "screwed." Most of the things we do have never been done before, like going from a market capitalisation of nearly $90 billion to $199 in the space of a year!!!!

We believe in the economic benefits of secret, underhanded insider trading, and we play a leading role in ripping off our investors. We initiated the wholesale bandwidth markets in the United States, and we are helping to build similar markets in Europe and elsewhere. Shame we lost billions in doing so :-(

Every day we strive to hype up our share price to unrealistic highs, with the sole purpose of suckering the investor community and lining our own pockets. Our passion has enabled us to completely mismanage risk. No wonder Misfortune Magazine surveys have named Kenron the most innovative company in America for six years in a row. Our emloyees think Kenron is such a wonderful place to work, thousands are leaving every day to spread the word around the world.

Knron's four business units -- Wholesale Services, Energy Services, Broadband Services and Transportation Services -- ARE NOW CLOSED.

Another tackles the important topic of explaining Enron to your children:

How to Explain Enron to Your Children:

Feudalism - You have two cows. Your lord takes some of the milk.

Fascism - You have two cows. The government takes both, hires you to take care of them, and sells you the milk.

Communism - You have two cows. Your neighbors help take care of them and you share the milk.

Totalitarianism - You have two cows. The government takes them both and denies they ever existed and drafts you into the army. Milk is banned.

Capitalism - You have two cows. You sell one and buy a bull. Your herd multiplies, and the economy grows. You sell the milk and retire on the income.

Enron - You have two cows. You sell three of them to your publicly-listed company, using letters of credit opened by your brother-in-law at the bank, then execute a debt/equity swap with an associated general offer so that you get all four cows back, with a tax exemption for five cows. The milk rights of the six cows are transferred via an intermediary to a Cayman Islands partnership secretly owned by the CFO of the publicly listed company who sells the rights to all seven cows back to your listed company. The annual report says the company owns eight cows, with an option on one more, and that these and certain other cow-related activities give milk, both realized and unrealized/notional, at an annual run rate of 1.54 billion gallons

Finally there's an Enron-related 419 scammer:

Dear Friend,

Good day to you. I may have to trouble your sense of personal achievement and reward for an opportunity properly taken advantage of.

I am Mr. Michael Ramsey, a representative and an attorney to Kenneth Lay, the former chairman & CEO, Enron Corp. Industry: Energy & Natural Resources Home, is presently in jail and facing trial on charges of corruption and embezzlement of funds while in Power.He deposited Twenty one million U.S Dollars ($21,000,000.00) with me when he was in power as the chairman.

I am contacting you because I want you to deal with the Finance house and claim the money on my behalf since I have declared that the Funds belong to my foreign business partner. You shall also be required to assist me in investment in your country. I hope to trust you as a God fearing person who will not sit on this money when you claim it, rather assist me properly, shared in these percentages, 60% to me and 40% to you. When I receive your positive response I will let you Know where the Finance houses his and the document's to lay claims to the funds, which is very important. What I need is for you to indicate your interest that you will assist us by receiving the money on my behalf in Europe.For this, you shall be considered to be the beneficiary to the funds.

The project in brief,is that the funds with which we intend to carry out our proposed investments in your country, is presently in the custody of a bank in Europe. I do not want the government of my Country to know about the money because they will believe I got the money from the sales of Enron stock when he was the Chairman of Enron & C.E.O.Once I have your details in full,the finance house will contact you for Release of the funds to your account As soon as payment is effected, and the amount mentioned above is successfully transferred into your account, I intend to use my own share in acquiring some estates abroad. For this too you shall also be the overseas manager of all our properties and you will be paid based on a certain percentage agreed on by both parties.

I guarantee you that this will be executed under a legitimate arrangement that will protect yoa from any breach of the law. Please get in touch with me urgently by E-mail:[email protected]

I am presently in LONDON.
Please, provide me the following:
1. Your Full Name
2. Your Telephone Number and Fax Number
3. Your Contact Address

Best Regards,
Michael Ramsey.

If you find more funny or touching emails then please click the 'Flag mail as funny' checkbox in SpamOrHam and I'll publish them.

Friday, June 02, 2006

Help fight spam; win a penis enlarger

Yeah, baby! I've just updated SpamOrHam with a groovy Austin Powers related competition. If you enter your email address when helping out on SpamOrHam the system keeps track of the number of classifications that you make and the longest stretch of classifications you make that agree with the machine classification.

The person who has the longest stretch of agreement with the machine classification will win three items related to Austin Powers including the (novelty item) Austin Powers Swedish-Made Enlarger.

The competition is fun and the prizes don't have any real value (although I will ship them anywhere in the world to the winner) and all three are unopened items in their original packaging. Once things start moving I'll publish a high score table showing the top users.

(Legal stuff: me, the site, etc. are in no way associated with Austin Powers, New Line Cinema, Mike Myers, etc., etc. and you shouldn't assume that me giving away these prizes means that any of them endorse SpamOrHam)

Thursday, June 01, 2006

CAPTCHAs fool humans 20% of the time

Over at SpamOrHam I use a CAPTCHA from captchas.net to prevent malpeople from using bots to mess up the results of the web site.

There's only one problem with this plan.

People enter the CAPTCHA wrongly about 20% of the time.

Looking at the error logs for SpamOrHam shows that the site has offered 27,468 CAPTCHAs of which 5,326, or 19.39% have been entered incorrectly. I'm not tracking whether incorrectly means that the actual password was wrong, or if the person just didn't even bother to enter anything, but, nevertheless, a 20% error rate is very high.

And for me it manifests itself in complaints and people who give up on the site. That sucks, but it's currently the only way to protect against bots attacking the site.

What's needed is a comparative study of the different ways of generating CAPTCHAs to figure out which ones are both effective against bots and effective against humans!