Spiced Ham

It’s the little things

Sunday, January 1st, 2012

A couple weeks ago, one of my Twitter accounts was followed by a spammer. This is not unusual; a huge percentage of Twitter accounts are spammers. The thing that caught my eye—though perhaps not quite as the spam machinery intended—was in the bio: “dip me over and fuck me doggystyle. Whatever you want I will try it (NO ANAL).”
Let’s say I am so naïve that I believe an actual person has set up this Twitter account, and has invited 267 other people to do her doggystyle; do I find her more enticing because her “Whatever you want” is qualified? Especially given that the qualification excludes a pretty mundane practice—am I to infer that she’s up for (in lieu of listing several other possibilities that would likely get the blog undesirable search engine attention, I’ll just say) bloodplay? I just don’t know.

More spam observations

Saturday, August 6th, 2011

I occasionally mean to make reporting on the email spam we are rejecting a more regular feature, but then I occasionally mean to do a lot of things that never happen. So, here is another installment of a category I have just dubbed “Spiced Ham.” (note: according to Hormel, it is mere speculation that SPAM is a portmanteau of/for “spiced ham”)
Very little spam actually gets through the defenses of forcedperspective.org. We are able to achieve this relative impregnability primarily through the use of the zen.spamhaus.org DNS blacklist (DNSBL). (I note in reviewing earlier spam observations that this is a reversal from the strategy of four years ago, which relied primarily on IP block banning. While we still ban many, many blocks of IPs, we have gone away from that as a primary defense because of the increasing usefulness of Zen and the very high levels of false positives we were seeing.)

For instance, since Sunday, 49 of the 59 spam attempts we have blocked were by virtue of Zen. Of the rest, 3 were refused because the domain of the envelope From address did not exist, 1 because the domain of the envelope From address did not resolve (an interesting distinction), 1 because it originated from res.rr.com (this also would have been caught by Zen, but I preemptively block res.rr.com), and the rest were from countries I’ve banned (2 from India, and one each from Germany, India, Singapore, and Spain).

We are able to get away with banning so many countries (65!) by virtue of two facts: first, we don’t get a lot of international traffic; second, (aside from Korea, China, and Bangladesh) banned countries get a soft (4XX) failure instead of a hard one. This applies to all the other non-Zen blacklisting we do, too. Spammers almost never try again; legitimate senders almost always do. It really amounts to selective manual graylisting, because I choose to monitor what is being blocked in order to see if there are any false positives. I believe automated graylisting would probably work nearly as well, but I dislike the idea of delaying such a large proportion of the legitimate mail we get.
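Here is the lookup and reply logic of this post in Python, as an added example for this page rather than the blog's own code. It builds the DNSBL query name by reversing the address octets under the zone, decodes the Zen answer (a 127.255.255.x answer is an error signal from Spamhaus, not a listing, and must never be turned into a rejection), keeps the post's distinction between an envelope-sender domain that does not exist and one that exists but does not resolve, and returns a 5xx for Zen hits and for the three hard-failed countries but a 4xx for everything else so that legitimate senders can retry. DNS is injected so the script runs offline against a constructed answer table; the order of the checks, the reply codes and the country codes other than KR, CN and BD are my assumptions. The same lookup applies to the other zones named in the older posts below.

```python
"""DNSBL lookup, envelope-sender domain check and 4xx/5xx reply policy.
Added example, not forcedperspective.org's own code. DNS is injected so the
script runs offline against the constructed table at the bottom."""
import ipaddress
from typing import Callable, Optional

ZEN = "zen.spamhaus.org"
# Spamhaus Zen return codes. The 127.255.255.x answers are error signals
# (malformed query, open resolver, over quota), not listings.
ZEN_LISTED = {"127.0.0.2": "SBL", "127.0.0.3": "SBL", "127.0.0.9": "SBL",
              "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL",
              "127.0.0.7": "XBL", "127.0.0.10": "PBL", "127.0.0.11": "PBL"}
ZEN_ERROR = {"127.255.255.252": "malformed query",
             "127.255.255.254": "query from an open/public resolver",
             "127.255.255.255": "query volume limit exceeded"}
# resolve(name, rtype) -> records, or None when the name does not exist
# (NXDOMAIN); a name that exists but has no record of that type gives [].
Resolver = Callable[[str, str], Optional[list[str]]]

def dnsbl_name(ip: str, zone: str) -> str:
    """203.0.113.7 -> 7.113.0.203.<zone> (IPv4 only; IPv6 uses reversed nibbles)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def zen_lookup(ip: str, resolve: Resolver) -> tuple[str, str]:
    """Return ("listed", lists), ("error", why) or ("clean", "")."""
    answers = resolve(dnsbl_name(ip, ZEN), "A") or []
    hits = sorted({ZEN_LISTED[a] for a in answers if a in ZEN_LISTED})
    if hits:
        return "listed", "+".join(hits)
    errors = [ZEN_ERROR[a] for a in answers if a in ZEN_ERROR]
    return ("error", errors[0]) if errors else ("clean", "")

def sender_domain_status(domain: str, resolve: Resolver) -> str:
    """'nonexistent' (NXDOMAIN), 'unresolvable' (exists, no MX and no A) or 'ok'."""
    mx, a = resolve(domain, "MX"), resolve(domain, "A")
    if mx is None and a is None:
        return "nonexistent"
    return "unresolvable" if not mx and not a else "ok"

# Korea, China and Bangladesh get a hard failure, as in the post; the other
# codes are a constructed stand-in for the rest of the 65 banned countries.
HARD_FAIL_COUNTRIES = {"KR", "CN", "BD"}
BANNED_COUNTRIES = HARD_FAIL_COUNTRIES | {"IN", "DE", "SG", "ES"}
PREEMPTIVE_DOMAINS = ("res.rr.com",)

def in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

def smtp_reply(ip: str, rdns: str, country: str, sender_domain: str,
               resolve: Resolver) -> tuple[int, str]:
    """Reply to MAIL FROM: 5xx = hard reject, 4xx = soft reject (real senders
    retry, spammers rarely do), 250 = accept. Check order and codes are assumptions."""
    status, detail = zen_lookup(ip, resolve)
    if status == "listed":
        return 554, f"5.7.1 {ip} is listed by {ZEN} ({detail})"
    if status == "error":
        # A DNSBL error answer must never become a rejection: fail open and log it.
        return 250, f"2.0.0 accepted; {ZEN} unusable: {detail}"
    dom = sender_domain_status(sender_domain, resolve)
    if dom == "nonexistent":
        return 553, f"5.1.8 sender domain {sender_domain} does not exist"
    if dom == "unresolvable":
        # Possibly a transient DNS problem, so defer rather than reject outright.
        return 450, f"4.1.8 sender domain {sender_domain} does not resolve"
    if any(in_domain(rdns, d) for d in PREEMPTIVE_DOMAINS):
        return 451, f"4.7.1 {rdns} is blocked here, try again later"
    if country in HARD_FAIL_COUNTRIES:
        return 554, f"5.7.1 mail from {country} is not accepted"
    if country in BANNED_COUNTRIES:
        return 451, f"4.7.1 mail from {country} is deferred, try again later"
    return 250, "2.0.0 OK"

# Constructed DNS answers (RFC 5737 documentation addresses); any name and
# type missing from the table resolves as NXDOMAIN.
_TABLE = {("7.113.0.203." + ZEN, "A"): ["127.0.0.4", "127.0.0.10"],
          ("9.2.0.192." + ZEN, "A"): ["127.255.255.254"],
          ("example.org", "MX"): ["10 mail.example.org"],
          ("example.org", "A"): ["192.0.2.10"],
          ("noservers.example.org", "MX"): [], ("noservers.example.org", "A"): []}

def fake_resolve(name: str, rtype: str) -> Optional[list[str]]:
    return _TABLE.get((name, rtype))

if __name__ == "__main__":
    for case in [("203.0.113.7", "host.example.net", "US", "example.org"),
                 ("198.51.100.20", "cpe.res.rr.com", "US", "example.org"),
                 ("198.51.100.21", "mx.example.de", "DE", "example.org"),
                 ("198.51.100.22", "mx.example.cn", "CN", "example.org"),
                 ("198.51.100.23", "mx.example.com", "US", "nosuch.example"),
                 ("198.51.100.24", "mx.example.com", "US", "noservers.example.org"),
                 ("192.0.2.9", "mx.example.com", "US", "example.org")]:
        print(case[0], smtp_reply(*case, fake_resolve))
```

Run it directly to see one reply per constructed case. A real resolver should also keep SERVFAIL apart from NXDOMAIN: only the latter justifies the hard 553, since a failing resolver would otherwise turn every sender into a "nonexistent" domain.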
While a bunch of the search-engine traffic that hits the blog is because of my long-ago article Who is johnsmithsvt?, I have not seen spam attempts to that address in quite some time. This week, the only address that I am nearly certain has never existed on the system is elliott, which seems to have taken over as the new johnsmithsvt.
Updated to add: another thing I can recommend is creating an SPF record for your domain. It may be only a coincidence, but we have not experienced a back-scatter spam attack since we created one (with a default-discard (“~all”, not “?all”)).
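The SPF record recommended above does its work at the other end: an MTA that checks SPF on MAIL FROM can refuse a message forged with your domain as envelope sender before accepting it, so there is nothing left for it to bounce back to you. What the `all` qualifier asks of that MTA is defined by RFC 7208: `-all` is fail (an instruction to reject), `~all` is softfail and `?all` is neutral (hints only). The evaluator below is an added example for this page, not the blog's code. It handles the ip4, ip6, include and all mechanisms against constructed TXT records and shows the result a forging host gets under each qualifier; the a, mx, exists and redirect terms are left out and reported as permerror, and the receiver policy in bounce_gets_through is an assumption.

```python
"""Minimal SPF check (RFC 7208 subset: ip4, ip6, include, all) showing what
each 'all' qualifier means to a receiver that checks the forged MAIL FROM
domain of a would-be bounce. Added example, not the blog's own code.
The resolver is injected and the TXT records below are constructed."""
import ipaddress
from typing import Callable, Optional

TxtResolver = Callable[[str], Optional[list[str]]]  # domain -> TXT records, None = NXDOMAIN
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_records(domain: str, resolve_txt: TxtResolver) -> list[str]:
    txts = resolve_txt(domain) or []
    return [t for t in txts if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]

def check_spf(client_ip: str, domain: str, resolve_txt: TxtResolver, depth: int = 0) -> str:
    """Result for a connection from client_ip claiming MAIL FROM <...@domain>:
    pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    records = spf_records(domain, resolve_txt)
    if not records:
        return "none"
    if len(records) > 1:                 # two SPF records is a permanent error
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip in net:                # False when the address families differ
                return QUALIFIER[qualifier]
        elif mech == "include":
            inner = check_spf(client_ip, arg, resolve_txt, depth + 1)
            if inner == "pass":
                return QUALIFIER[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"       # RFC 7208 5.2: include of a record-less domain
        else:
            return "permerror"           # a, mx, exists, redirect not handled here (assumption)
    return "neutral"                     # nothing matched and no 'all' term

def bounce_gets_through(result: str) -> bool:
    """Would a receiver that enforces SPF at SMTP time accept this (forged)
    MAIL FROM, and so be able to bounce it to us later? Only 'fail' is a
    reject instruction; softfail and neutral are hints (assumed policy)."""
    return result != "fail"

# Constructed records for the demo.
_TXT = {
    "soft.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example ~all"],
    "hard.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "neutral.example": ["v=spf1 ip4:192.0.2.0/24 ?all"],
    "_spf.mailer.example": ["v=spf1 ip6:2001:db8::/32 -all"],
    "broken.example": ["v=spf1 include:missing.example -all"],
    "twice.example": ["v=spf1 -all", "v=spf1 ~all"],
}

def fake_txt(domain: str) -> Optional[list[str]]:
    return _TXT.get(domain)

if __name__ == "__main__":
    forger = "203.0.113.9"               # spammer's host, listed in no record
    for dom in ("soft.example", "hard.example", "neutral.example", "nospf.example"):
        r = check_spf(forger, dom, fake_txt)
        print(f"{dom:16} {r:9} bounce possible: {bounce_gets_through(r)}")
    print("own servers:", check_spf("192.0.2.5", "hard.example", fake_txt),
          check_spf("2001:db8::1", "hard.example", fake_txt))
```

Two or more v=spf1 records at one name, and an include of a domain that publishes none, are permanent errors under the RFC, which is why the evaluator returns permerror for them instead of quietly passing; check for both after editing a record.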

Mmskuramoto, another weird spam destination

Friday, June 8th, 2007

In the grand tradition of johnsmithsvt, we’ve started seeing spam for mmskuramoto. None of it has been allowed into the system, since it’s coming from a blacklisted IP, so I don’t know what flavor the spam is, but the attempts were surprisingly well-behaved: most spammers treat the 451 we return to blacklisted IPs the same as a 5xx error (they retry maybe once, maybe fifty times, right away, then give up); the mmskuramoto sender backed off the retries very nicely. So nicely, in fact, that I got the originating IP whitelisted and the alias added, just so I could see what the spam was. Unfortunately (or not, probably), they gave up after 14 tries, just a couple hours before they would have gotten through.
For those who care, the blacklisting setup has been modified somewhat since the johnsmithsvt post referred to above: all country-based blocking is done with zz.countries.nerd.dk, but most of the blocking ends up happening because of a bunch of class A- and B-sized blocks (virtually anything in APNIC or South America). We still use zen.spamhaus.org, combined.njabl.org, bl.spamcop.net, dnsbl.sorbs.net, and dnsbl.jammconsulting.com, and they contribute (especially zen), but it’s mostly the huge swaths of net that are blacklisted.

Spam stats, week ending 4 March 2006

Monday, March 6th, 2006

Here’s how many spam attempts we blocked here at fp last week. I don’t expect to publish these regularly, but I find the numbers interesting.

Who is johnsmithsvt?

Wednesday, February 8th, 2006

I recently started tracking the addresses to which spammers are trying to send, and the number of addresses that have never existed in the domain, to which spam is being directed, surprises me. Most notable in this illustrious group (because I get why folks would try info, sales, admin, and the like) is johnsmithsvt. A quick Google indicates that it’s showing up in other folks’ rejection logs, too. Why? Is there some rootkit/worm/whatever that receives its orders at that address? The next message for that address that makes it through my RBLs (sbl-xbl.spamhaus.org, korea.services.net, combined.njabl.org, bl.spamcop.net, china.blackholes.us, dnsbl.sorbs.net, and dnsbl.jammconsulting.net (I have the last two set to return 4xx errors, since they’re awfully aggressive, and that gives me time to whitelist the senders, where appropriate)) will end up in my inbox, so I can see whether it’s just garden-variety spam or something more inimical.
Update: Garden-variety spam. For a variety of pharmaceuticals. I can’t imagine why they’re using that address.