From drupal.beginner@wechange.org Fri Sep 22 03:07:39 2006
From: "Augustin (Beginner)"
To: development@drupal.org
Subject: [development] a bikeshed color problem
Date: Fri, 22 Sep 2006 11:11:08 +0800
Message-ID: <200609221111.08677.drupal.beginner@wechange.org>

Hmmm... someone who doesn't know how to spell "Johnny" is testing...

  Message: Login attempt failed for .
  Severity: notice
  Hostname: 67.19.73.162

http://usuc.us/j.js

  // JavaScript Document
  window.location = "http://www.google.com/"

http://whois.domaintools.com/67.19.73.162
http://whois.domaintools.com/usuc.us

I find the domain name evocative... and even appropriate!

More below.

On Wednesday 20 September 2006 06:12 am, Nelson, Curtis wrote:
> > I guess it's obvious I'm in favor of codenames, andrew
>
> http://en.wikipedia.org/wiki/Color_of_the_bikeshed
>
> And so the first codename becomes "bikeshed"

I didn't know this expression but it's a nice one.

Maybe that explains why I didn't get a single reply to my earlier comment (reproduced below) about putting our resources together to fight and definitely deal with spammers, and the people who attack our web sites.

Can you imagine the wealth of information we *collectively* have? The list of web sites and domains used to host malicious scripts? The list of IPs used as relays? Do we sit on this data mine and do nothing?

The only thing needed for evil to win, is that good people do nothing.

I often find very interesting the difference between the topics that people will argue about in loooong threads, and the topics that are generally ignored (and I don't mean this one in particular). It is the problem of the color of the bikeshed, indeed.

Is the following unrealistic? Impossible to implement? Naive? Judging by the lack of replies: all of the above.
I wrote:
> @everybody: the .htaccess solution works for my immediate need, but it is a
> bit selfish because it doesn't help anyone else.
> What follows is not specific to trackback spam, but is relevant to any kind
> of spam being propagated via compromised servers or computers.
>
> > The only thing needed for evil to win, is that good people do nothing.
>
> At first, all the trackback spam came from the same IP, but then they
> upgraded their software, so that each spam submission came from a different
> IP. Certainly, each of those IP correspond to a compromised Windows(TM)
> box, or a compromised web site (using a CMS minus security updates), don't
> they? (or do I misunderstand the way open relays can be used?)
>
> For now, I have successfully denied trackback spammers access to my site,
> but they are still free to spam the rest of the world.
> What bothered me the most about cpu usage, was that it was such a waste: it
> was not even helping the spammers who never got a single of their links
> published.
> Now, if my cpu power can be put to better uses, I don't mind the extra
> resources needed:
> is there a way to collect those IPs used by spammers, and share them among
> us, and with organizations fighting spam.
> The aim would be to get wormed or trojaned windows(TM) boxes (or
> compromised web sites) to upgrade to a safe version or shut down.
>
> If all Drupal web sites were collaborating on gathering useful data, and
> passing on this data to relevant organizations, we might collectively
> achieve something.
> One spam report against one IP might achieve nothing, but a concerted
> effort to systematically denounce bad IPs might force people to take
> positive actions.
>
> I really don't know how such a thing could be organized. One has to study
> first how organizations fighting spam and organizations setting up
> blacklists operate.
>
> Maybe the developers on this list have better, more concrete ideas...

Blessings,
augustin.
Which one do you prefer?

http://bikeshed.com/
http://green.bikeshed.com/
http://red.bikeshed.com/
http://yellow.bikeshed.com/
http://blue.bikeshed.com/
http://purple.bikeshed.com/
http://cyan.bikeshed.com/
http://orange.bikeshed.com/
http://pink.bikeshed.com/
http://pinek.bikeshed.com/
http://whitish.bikeshed.com/
http://teal.bikeshed.com/
...

-- 
http://www.wechange.org/ Because we and the world need to change.
http://www.reuniting.info/ Intimate Relationships, peace and harmony in the couple.

From ber@webschuur.com Sat Sep 23 21:43:37 2006
From: Bèr Kessels
To: development@drupal.org
Subject: Re: [development] a bikeshed color problem
Date: Sat, 23 Sep 2006 23:11:57 +0200
Message-ID: <200609232312.05436.ber@webschuur.com>
In-Reply-To: <200609221111.08677.drupal.beginner@wechange.org>

Hello

On Friday 22 September 2006 05:11, Augustin (Beginner) wrote:
> > If all Drupal web sites were collaborating on gathering useful data, and
> > passing on this data to relevant organizations, we might collectively
> > achieve something.
> > One spam report against one IP might achieve nothing, but a concerted
> > effort to systematically denounce bad IPs might force people to take
> > positive actions.
> >
> > I really don't know how such a thing could be organized. One has to study
> > first how organizations fighting spam and organizations setting up
> > blacklists operate.

I used to publish my/our spam export lists from our host. What I did was simple: pipe all the IP addresses and all the blocked domains from the MySQL db into a text file and have that file online. It was downloaded exactly 124 times, about 100 times by bots, at least 4 times by me (tests).
Which leaves 20 interested people in this data.

Spam.module has an import/export function which I used several times and I must say that it works. People will argue that it won't work, but I can assure you: if you have a starter for all the Bayesian tokens, you're at least five weeks of training (on an average blog) ahead, as opposed to not having that starter. Spam.module comes (or used to, I haven't checked in a while) with SQL dumps to fill your filters.

Right. How about a distribution system for this? Let's say I ping over XMLRPC to a flock of five, six sites, if they have new tokens, IPs etc. If they do, I upgrade my database with what (some of) these sites have learned. "Together we learn a lot more". Each of these five, six sites does the same. This exponential network enables you to get huge amounts of spammer data with each ping.

Now. Consider me being a smart spammer (I still need to upgrade my CV one day) and I actually know of this P2P system to upgrade each other's tokens. In fact, I am that smart (I really need to write that CV) that I know how to reverse engineer those tokens. I learn, for example, that bikeshed is bounced as a word. I then use this data mine to upgrade my spamming techniques, and write out mails that no longer contain the word bikeshed or any color known in the rainbow.

Basically, I, as a smart spammer, can use that 'data mine' just as well as anyone else.

So before we can use such a ring/flock/group/p2p upgrade system, we need to find a way to sort out trust.
Options I see right now are GPG/PGP keyrings, eBay-alike trust ratings, or the ability to define the people who can access your datamine.

Bèr

From drupal.beginner@wechange.org Mon Oct 9 08:39:49 2006
From: "Augustin (Beginner)"
To: development@drupal.org
Subject: Re: [development] a bikeshed color problem
Date: Mon, 09 Oct 2006 16:44:47 +0800
Message-ID: <200610091644.47226.drupal.beginner@wechange.org>
In-Reply-To: <200609232312.05436.ber@webschuur.com>

On Sunday 24 September 2006 05:11 am, Bèr Kessels wrote:
> So before we can use such a ring/flock/group/p2p upgrade system, we need to
> find a way to sort out trust. Options I see right now are GPG/PGP keyrings,
> Ebay-alike trust ratings, or ability to define the people whom can access
> your datamine.

Hi Bèr,

Thank you for replying to my suggestion about cooperating to fight spam better.

You suggest that a few trusted site owners cooperate together, in a small group, to exchange information as a starter for all the Bayesian tokens.

This is interesting, but I was thinking about something on a much larger scale, which is perhaps beyond the scope of this list, and probably un-doable and unrealistic anyway.
I don't understand the technology used by the spammers (their tools are not Open Source!), how they can use a simple robot to post spam from apparently different IPs.

I was hoping that there was a way to force all the virused, wormed, trojaned Windows boxes and unpatched websites used by the spammers to get fixed or shut down...

Anyway, thanks for replying.

Augustin.

Context:
http://www.wechange.org/informal_proposal_for_cooperation_to_fight_spam_at_the_source_of_the_problem
http://www.wechange.org/fighting_spam_at_the_source_and_the_color_of_the_bikeshed

-- 
http://www.wechange.org/ Because we and the world need to change.
http://www.reuniting.info/ Intimate Relationships, peace and harmony in the couple.

From ber@webschuur.com Mon Oct 9 08:51:17 2006
From: Bèr Kessels
To: development@drupal.org
Subject: Re: [development] a bikeshed color problem
Date: Mon, 09 Oct 2006 10:51:17 +0200
Message-ID: <200610091051.18112.ber@webschuur.com>
In-Reply-To: <200610091644.47226.drupal.beginner@wechange.org>

On Monday 9 October 2006 10:44, you wrote:
> I don't understand the technology used by the spammers (their tools are not
> Open Source!), how they can use a simple robot to post spam from apparently
> different IPs.

Me neither.

So here is an interesting idea. (pling, lightbulb).

A wiki (moderated) about spam. A central, open, open-licenced knowledge base about spam. openfight.org or so.

* tips and tricks to fight spam
* programs and methods to fight spam
* programs used by spammers
* tricks used by spammers
* open-licenced Bayesian databases, whitelists, blacklists etc.
This all would have one fundamental issue: there need to be more people (hands and eyes) that want to fight spam than that want to spread spam. Else this could result in a knowledge base used by spammers, instead of against them.

This particular issue, the diff. IPs, though, is achieved with proxies. There are lots of open proxies (badly configured servers, mostly), and zombie proxies (malware/viruses on desktops, mostly). It is not hard at all to tell e.g. curl to use a certain proxy.[1]

Bèr

[1]
 -p/--proxytunnel   Operate through a HTTP proxy tunnel (using CONNECT)
    --proxy-anyauth Pick "any" proxy authentication method (H)
    --proxy-basic   Use Basic authentication on the proxy (H)
    --proxy-digest  Use Digest authentication on the proxy (H)
    --proxy-ntlm    Use NTLM authentication on the proxy (H)

-- 
PGP ber@webschuur.com http://www.webschuur.com/sites/webschuur.com/files/ber_webschuur.asc

From jeremy@kerneltrap.org Mon Oct 9 17:44:08 2006
From: Jeremy Andrews
To: development@drupal.org
Subject: Re: [development] a bikeshed color problem
Date: Mon, 09 Oct 2006 10:43:47 -0700
Message-ID: <20061009104347.00329e47.jeremy@kerneltrap.org>
In-Reply-To: <200610091644.47226.drupal.beginner@wechange.org>

On Mon, 9 Oct 2006 16:44:47 +0800
"Augustin (Beginner)" wrote:

> I don't understand the technology used by the spammers
> (their tools are not Open Source!), how they can use a
> simple robot to post spam from apparently different IPs.

I believe much of the variance in spammer IP addresses is that they're using Windows "zombies" from all over the Internet. Essentially, there are countless Windows computers attached to the Internet that are infected with a virus or trojan that gives the spammer full access to the computer, and spammers then use these servers to do many things including sending and posting spam.

Cheers,
-Jeremy
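Bèr's flock idea earlier in the thread (peers exchanging Bayesian tokens and blocked IPs, but only once trust is sorted out) as an added example; this is not code from the thread or from spam.module. It assumes a constructed per-peer shared-secret keyring as a stand-in for the GPG/PGP keyring or access list he mentions, and caps each peer's contribution so one bad peer cannot swamp the local filter.

```python
import hashlib
import hmac
import json
from collections import Counter

# Constructed keyring: peer name -> shared secret. It stands in for the GPG/PGP
# keyring or access list the thread mentions; exports from unlisted peers are
# ignored, which is the "who can access your datamine" control.
PEER_KEYS = {"green.example": b"secret-green", "red.example": b"secret-red"}


def export_db(peer, secret, spam_tokens, ham_tokens, blocked_ips):
    """Serialise one site's spam data and sign it with that site's key."""
    body = json.dumps({"peer": peer, "spam": spam_tokens, "ham": ham_tokens,
                       "ips": sorted(blocked_ips)}, sort_keys=True)
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_export(export):
    """Return the parsed body if it is signed by a peer in PEER_KEYS, else None."""
    data = json.loads(export["body"])
    secret = PEER_KEYS.get(data.get("peer"))
    if secret is None:
        return None  # unknown peer: could be spammer-planted data
    expected = hmac.new(secret, export["body"].encode(), hashlib.sha256).hexdigest()
    return data if hmac.compare_digest(expected, export["sig"]) else None


class SpamDB:
    """Local Bayesian token counts plus a blocklist, fed by trusted peers."""
    def __init__(self):
        self.spam, self.ham, self.ips = Counter(), Counter(), set()

    def merge(self, export, cap=50):
        """Merge a peer export; returns False if untrusted or tampered with."""
        data = verify_export(export)
        if data is None:
            return False
        # Cap each peer's per-token contribution so a single bad or
        # compromised peer cannot swamp the locally learned counts.
        for tok, n in data["spam"].items():
            self.spam[tok] += min(n, cap)
        for tok, n in data["ham"].items():
            self.ham[tok] += min(n, cap)
        self.ips.update(data["ips"])
        return True

    def spam_probability(self, token):
        """Naive per-token spam probability; 0.5 for an unseen token."""
        s, h = self.spam[token], self.ham[token]
        return s / (s + h) if s + h else 0.5
```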