Categories
Ireland

Phishing in Irish

Well, this is a surprise. One of my .ie email addresses got a very targeted phishing email. It was so specific that it was actually written in Irish! It wasn’t directed at me, but at a list owner address at linux.ie.
I wonder if the spammers know how many Irish people could actually read their email easily? It’d certainly be easier for most people to read in English.

Aire

Tá mé an tUasal Patrick KW Chan an Stiúrthóir Feidhmiúcháin agus Príomh-Oifigeach airgeadais Hang Seng Bank Ltd, Hong Cong.
Tá mé togra gnó brabúsaí leasa choitinn a roinnt le leat;
Baineann sé leis an aistriú suim mhór airgid.
Fuair mé do tagairt i mo cuardach a dhéanamh ar dhuine a oireann mo chaidreamh gnó molta.
Má tá suim agat i obair liom teagmháil a dhéanamh liom mo trí r-phost príobháideach (mrpatkwchan52@yahoo.com.hk) le haghaidh tuilleadh sonraí

Dearbhófar do fhreagra túisce chun an litir seo a mhór.

An tUasal Patrick Chan
E-mail: mrpatkwchan52@yahoo.com.hk

I suppose it was bound to happen now that Google translates text into Irish. Well done to Gmail for marking it as spam!

Categories
Web

Gooochi talks to /bc/123kah.php

This is weird: a huge number of POST requests started to hit the Shite Drivers website a few days ago. The requests came from lots of IP addresses and all of them went to the non-existent /bc/123kah.php.

The payload was an array that looked like this:

Array
(
    [showed] =>
    [clicked] =>
    [version] => 2.6.2.4
    [id] => c3b342beb6ad7adf39499e7a38f93c09f681611d
    [tm] => 1266855758
    [aff_id] => gooochi
    [net_id] => gooochi
    [safe] => 1
    [exceed] => 2505,2507,2582,2597,2602
)

So I presume it’s the Gooochi malware referenced in this search for that word. Strange that the infected PCs hit my server though.

The traffic was never overwhelming but I decided to put a stop to it with a simple deny from all in a .htaccess file. Much better than having WordPress serve up a 404 page.

I mentioned the 123kah.php file on Twitter and I’m not the only one to see these odd requests. I guess even malware has bugs! (which is all the more reason to keep your anti-virus software up to date if you use Windows)

Categories
WordPress

Win a trip to Disneyland

I’ve got good news, and I’ve got great news! The good news is for spammers. The great news is for you.

The good news is that in 3 simple steps you too could win a trip to Disneyland:

  • Visit one of those sites that lists this blog as a dofollow blog (BTW – it doesn’t dofollow anymore)
  • Click on a link to my blog.
  • Have a great time in Disneyland!

The great news is that you can send those spammers to Disneyland too! Just take a look at the code in disney.txt and copy it into your wp-config.php (Put it right at the top of the file!) or into an auto_prepend file.

The $bad_referrers array is a simple list of offending sites that send you the most spammers. Add them in and when the spammer comes visiting they’ll be whisked off to Disneyland for a magical tour of the castle. (Hopefully they’ll meet an ogre who’ll take a fancy to them and lock them in the tower or something!)

I use my Comment Referrers WordPress plugin to tell me where comment authors come from but sometimes if they’ve browsed around my site (and the referrer is gone then), I search my logs for their IP address.

Yes, the above could be done with .htaccess mod_rewrite rules but this is more portable and I redirect to a Pretty Link shortcut so I can easily count the hits. No matter what I did I couldn’t get it to exclude the hit to the shortcut and it would redirect continuously.

Update! I added rewrite rules to send the spammers off. I’m sure these rules can be improved so leave a comment if you have any tips.

# RewriteCond patterns are unanchored regexes: dots and the "?" in query strings are escaped so they match literally.
RewriteCond %{HTTP_REFERER} theseomizer\.com [NC,OR]
RewriteCond %{HTTP_REFERER} seomizeme\.com [NC,OR]
RewriteCond %{HTTP_REFERER} revolutioners\.com [NC,OR]
RewriteCond %{HTTP_REFERER} rishabhsood\.net [NC,OR]
RewriteCond %{HTTP_REFERER} 011831068587400451950 [NC,OR]
RewriteCond %{HTTP_REFERER} backlinkmagic\.com [NC,OR]
RewriteCond %{HTTP_REFERER} www\.online-utility\.org/webmaster/backlink_domain_analyzer\.jsp [NC,OR]
RewriteCond %{HTTP_REFERER} forums\.digitalpoint\.com/showthread\.php\?t=1011238 [NC,OR]
RewriteCond %{HTTP_REFERER} courtneytuttle\.com/blogs-that-follow/ [NC,OR]
RewriteCond %{HTTP_REFERER} forums\.digitalpoint\.com/showthread\.php\?t=1006727 [NC,OR]
RewriteCond %{HTTP_REFERER} forums\.digitalpoint\.com/showthread\.php\?t=1003675 [NC,OR]
RewriteCond %{HTTP_REFERER} rasimcoskun\.com [NC,OR]
RewriteCond %{HTTP_REFERER} smartpagerank\.com [NC]
RewriteRule ^(.*) http://disney.com/ [R,L]
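
RewriteCond patterns are regular expressions, so a referrer fragment containing "." or "?" has to be escaped before it will match itself. The following is an added example, not code from the original post: it builds RewriteCond lines from plain referrer text and checks them against sample referrers. The helper names are hypothetical, and it assumes Python's re module behaves like Apache's regex engine for these simple patterns.

```python
import re

# Referrer fragments taken from the rule list in the post, as plain text.
BAD_REFERRERS = [
    "theseomizer.com",
    "forums.digitalpoint.com/showthread.php?t=1011238",
    "courtneytuttle.com/blogs-that-follow/",
]

def escape_literal(fragment):
    """Escape regex metacharacters so the fragment matches only itself."""
    return re.sub(r'([.?+*()\[\]{}|^$\\])', r'\\\1', fragment)

def rewrite_conds(fragments):
    """Build RewriteCond lines; every line except the last carries OR."""
    lines = []
    for i, frag in enumerate(fragments):
        flags = "NC" if i == len(fragments) - 1 else "NC,OR"
        lines.append(f"RewriteCond %{{HTTP_REFERER}} {escape_literal(frag)} [{flags}]")
    return lines

def matches(pattern, referrer):
    """Unanchored, case-insensitive search, like RewriteCond with [NC]."""
    return re.search(pattern, referrer, re.IGNORECASE) is not None

if __name__ == "__main__":
    real = "http://forums.digitalpoint.com/showthread.php?t=1011238"
    raw = "forums.digitalpoint.com/showthread.php?t=1011238"
    # Unescaped, "php?t" means "ph", an optional "p", then "t": the literal
    # "?" in the real referrer is never matched, so the rule never fires.
    print("unescaped matches real referrer:", matches(raw, real))
    print("escaped matches real referrer:  ", matches(escape_literal(raw), real))
    print("\n".join(rewrite_conds(BAD_REFERRERS)))
```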

And in other news, Stephen Cronin created the comment warning plugin to warn visitors who come from predefined urls like the dofollow lists above. Nice!

Categories
Web

reCAPTCHA Fail

[image: recaptcha]

I had to refresh twice to get a string I could read and type. Captcha anti spam checks suck.

Categories
WordPress

Why you should limit login attempts

[image: limit-logins]

Some idiot at 213.155.4.184 hit all my websites over the last few days trying to log in to my blogs. He fired off hundreds of automated requests probing and searching and testing my admin login. Each request had a different password. I use difficult-to-guess passwords but seeing the attempts was disconcerting.

I went searching and found the Limit Login Attempts plugin. After installing, a new page appears under Settings with a wealth of options:

[image: lockout]

I’m glad I did install it; it caught the same guy when he hit this blog a few hours later! You should probably install it too.

PS. Matt asked me to explain how I recorded those requests. There is a WordPress plugin that sends an email when a POST request is made but I threw this code into a file and load it with the “auto_prepend_file” directive in my php.ini (saves adding it to every installation of WordPress on my server):

<?php
// Loaded via auto_prepend_file. Emails every POST (the body includes submitted passwords and cookies) except cron, comments and trackbacks.
$raw_post_data = file_get_contents( 'php://input' ); // replaces $HTTP_RAW_POST_DATA, which was removed in PHP 7
if ( ( $raw_post_data !== '' || !empty( $_POST ) ) && $_SERVER[ 'REQUEST_URI' ] != '/wp-cron.php?doing_wp_cron' && $_SERVER[ 'SCRIPT_NAME' ] != '/wp-comments-post.php' && substr( $_SERVER[ 'REQUEST_URI' ], -10 ) != '/trackback' && substr( $_SERVER[ 'REQUEST_URI' ], -11 ) != '/trackback/' ) {
    mail( "MYEMAIL@gmail.com", $_SERVER[ 'HTTP_HOST' ] . " POST request: " . $_SERVER[ 'REMOTE_ADDR' ], "URL: {$_SERVER[ 'REQUEST_URI' ]}\nPOST: " . print_r( $_POST, 1 ) . "\nCOOKIES: " . print_r( $_COOKIE, 1 ) . "\nHTTP_RAW_POST_DATA: $raw_post_data" );
}

Categories
blogging

How not to advertise a blogging event

[image: blog advertising]

Don’t search for your event topic and spam the blogs you find.

At least make the effort to look up the blog author’s name and send them an email. I would have gladly plugged Kinsale Arts Week if they had been polite. Big Bad Fail.

Categories
Humour

Please help the World Health Organisation

I received a nice polite email from a man asking for my help last week. He was a bit cryptic but he replied this morning saying he works with the World Health Organisation.

Help the World Heath Organisation

Hi Donncha O Caiomh,
there is something to talk about , i want your assistance coz i work with W.H.O ( world health organisation ) and i bought some goods in state and i am in finland here for official purpose.
Will you kindly send me your address so i can send the goods to you and also maybe when am through with my official assignment i will come down there and collect the goods bought.
Pls kindly reply me so as to know what to do.
THANKS
JUNIOR BENRICHARD.

Oh the poor guy! He’s stuck in Finland and needs goods delivered? As I was about to reply with my full address, I remembered getting another email from him. He had contacted me about a post I wrote. That was last week when I was on holiday and I still haven’t got around to clearing out my inbox. I went searching and here it is:

electric car info

hi
yea i drive an electric car. i work with the car construction company. if you wanna know, kindly send me 3000usd via western union and i will get back to you as possible.
you can call me on +2348029479959. am junior by name.

Oh what a talented guy! He works for W.H.O. and for a car company! I don’t know if I want to know about electric cars that much. I mean, $3000? That’s a lot of money!

Oh, and Ben, since you’re subscribed to my blog, please get in touch again. The Irish Police want a word with you.

Edit (10/08/09) Ben has been in touch again:

Hi donncha, how r you nd everything, am off state and i some1 wanna send some money to my credit-card so as to collect and use it to pay my childs school fee. pls send me you details so as to send you the money nd you will only help me to western it to my child coz she is totally inneed of it.
am looking forward to see your reply
JUNIOR BENRICHARD.

Categories
blogging

John, my personal spammer!

With apologies to anyone named John. Spammers are getting more clever at spreading their links. Now legitimate website owners are using software tools that allow them to enter keywords of their choice to create a list of related blogs with comment forms. Many of these applications list blogs that pass Google Rank to the websites of visitors. That’s why I stopped doing the “dofollow” thing several months ago. Since then the number of spam comments has gone down slightly. Cookie for Comments stops the spam bots dead but the human spammer scum still get through.

Next time Akismet marks a legitimate looking comment as spam (or you get a comment from someone who was supposedly christened Austin Texas Photographer by his parents), check your logs. Look up the IP address of the visitor. You may find something like this. Note the lack of a referrer, an old Firefox user agent and then “bsalsa.com” is in the UA of the next request for a post. Bsalsa make a Windows toolkit that this software obviously uses. They’re fans of Borland Delphi apparently!

"GET /2006/11/04/cork-cinema-listings/ HTTP/1.0" 200 43366 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12"

"GET /feed/ HTTP/1.0" 302 84 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"

"GET /2006/11/04/cork-cinema-listings/ HTTP/1.1" 200 12089 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) ; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) (Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11); .NET CLR 2.0.50727)"
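
The log check described above can be scripted. This is an added example, not code from the original post: it flags client addresses whose requests carry the toolkit marker, a user agent nested inside another user agent, or a changing user agent with no referrer. The log lines are constructed (documentation IP addresses, user agents taken or shortened from the entries above) and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format; the IPs are documentation
# addresses and the user agents are taken or shortened from the post.
SAMPLE_LOG = '''\
192.0.2.10 - - [01/Jul/2009:10:00:01 +0100] "GET /2006/11/04/cork-cinema-listings/ HTTP/1.0" 200 43366 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12"
192.0.2.10 - - [01/Jul/2009:10:00:03 +0100] "GET /2006/11/04/cork-cinema-listings/ HTTP/1.1" 200 12089 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) ; .NET CLR 2.0.50727)"
192.0.2.44 - - [01/Jul/2009:10:05:00 +0100] "GET /2006/11/04/cork-cinema-listings/ HTTP/1.1" 200 43366 "http://www.google.ie/search?q=cork+cinema" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5"
192.0.2.45 - - [01/Jul/2009:10:06:00 +0100] "GET /feed/ HTTP/1.1" 200 5120 "-" "FeedReader/1.0 (constructed)"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

def suspect_ips(log_text):
    """Return {ip: [reasons]} for clients that look like the blog-finder tool."""
    seen = defaultdict(lambda: {"uas": set(), "refs": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format entry
        seen[m["ip"]]["uas"].add(m["ua"])
        seen[m["ip"]]["refs"].add(m["ref"])
    report = {}
    for ip, s in seen.items():
        reasons = []
        if any("bsalsa.com" in ua.lower() for ua in s["uas"]):
            reasons.append("toolkit-marker")
        if any("user-agent:" in ua.lower() for ua in s["uas"]):
            reasons.append("nested-user-agent")
        # Several user agents from one address, none with a referrer.
        if len(s["uas"]) > 1 and s["refs"] <= {"-", ""}:
            reasons.append("ua-changed-no-referrer")
        if reasons:
            report[ip] = reasons
    return report

if __name__ == "__main__":
    for ip, reasons in suspect_ips(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```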

When my blogs were dofollowing, I’d get loads of spam comments every day. The tools used fire off a request to the blog to examine the links on that page. They highlight dofollow links so the user knows their spam comment will generate Google Juice for their site.

I was getting so sick and tired of them I contacted several spammers. Lindsay who commented on inphotos.org replied:

Hi Lindsay,

As a photographer, I’m always looking for other blogs to comment on but it’s hard to find interesting photoblogs that post anything other than photos. How did you find my blog? I didn’t see a Google search in my logs. Is it a special program?

Thanks,
Donncha

She was really helpful, even replying twice when I didn’t reply again:

I actually have a program called G-force fast blog finder. Basically, i put in some keywords and it searches ALL blogs with those keywords. THEN it tells me if those blogs do or do not have the “uComment iFollow” addon. Blogs that allow the “follow” tag are good for search engines if i post a comment with a link to my site.. SO basically, i get to look at photography blogs and comment on them while i help my website obtain some more links.

Basically, search engines rank your page based on a few things, one of them is link backs. Basically, a link from a site to my site is like a vote for my site saying it is good. So the more other websites link to my site, the better.. HOWEVER, some blogs and websites have the NOFOLLOW tag in them which does not let the search engines see it. Your site does allow the uComment iFollow.

We also created a link exchange program on our website. if you’re interested, it helps you too also have links for your site on other people’s site. If you go to my site here:
http://__________.com/catalog/links.php
You can submit your link and even a small picture to be displayed.
Let me know if you have any other questions

Lindsay

Yea. I Down loaded a program called fast blogger. They have a free trial and basically you add in search term and it searches all blogs for that term. It gives you lists of links to them and tells you if they are no follow or Ufollow IConment blogs. Basically, by findig blogs related to my webstie and blog and posting comments, it helps my website with the search engines when I post a link. It’s a win win situation. You get blog views and comments and the post gets a link back to third site.

If you are interested, I also have a blog. It’s at http://_____________.com/blog

Feel free to comment away and leave a link back to your blog.

We also have a link exchange. Basically you go to Http://____________.com/catalog/links.php

Click submit link and then we will add another link to our website. All we ask is you link back to us in return.

It’s basically everyone helping each other in order to get good page ranking for thief keywords

If you have any questions , Id be happy to answer.

Lindsay

Very helpful wasn’t she? Unfortunately it was the final straw. All links in comments are nofollowed again. Bloody spammers.

The spam comments continue but recently I’ve taken to changing the name of the person to “John”, removing their email and url and then allowing through the comment.

[image: john the spammer]

Thanks John!

Categories
General

Guinness, say hi to the Data Protection Commissioner

This morning, Diageo Ireland (the company behind Guinness) spammed me again, despite my repeated attempts to remove myself from their mailing list.

Thanks to Damien, who pointed me in the direction of the Data Protection Commissioner, I filled out the complaint form with the following. The Commissioner’s Guidelines for marketing by electronic mail are quite clear and Diageo obviously ignore them. Hopefully something positive will come of this.

On the 8th of April, 2007 Diageo Ireland sent me an unsolicited email regarding a “poker nights” promotion. It appears that someone signed me up, but Diageo never confirmed the invitation. I did not opt in to receive any mailings from them. I also unsubscribed using their subscription page. More details, including commentary about the unsubscribe process are here: http://ocaoimh.ie/2008/02/07/a-pint-of-guinness-flavoured-spam/

Unfortunately, on June 20th 2008, I was spammed by them again. http://twitter.com/donncha/statuses/839602319
I unsubscribed again.

This afternoon I was sent another email from Diageo with the text:
“CONOR,
BECAUSE WE
DON’T WANT YOU TO BE
LEFT IN THE DARK…
Give us a few minutes and we’ll give you so much more
GIVE US A FEW MINUTES
AND WE’LL GIVE YOU
SO MUCH MORE”

Unfortunately I suspect I’ll always get spam emails from them despite the fact that I never signed up for anything, don’t drink Guinness and unsubscribed twice already.

Regards,
Donncha O Caoimh

Categories
WordPress

Anti spam-blog plugin for WordPress MU

The very popular WP Hashcash plugin for WordPress has been modified to work on the WordPress MU signup page.

WP Hashcash is an anti-spam plugin that protects blogs from comment spam. It does this with JavaScript and is quite successful. I worked on it over the last few days and the plugin now offers the same protection on the WordPress MU signup form!

This is the first release of the code so handle with care. Grab the latest version (version 4.2 as of this moment) from the download page. Unzip it and copy wp-hashcash.php into wp-content/mu-plugins/ and visit “Site Admin” -> “WordPress Hashcash” to confirm it’s working.

Now log out and create a new blog, just to make sure everything is working OK. Occasionally some users will have problems registering, and those that have JavaScript turned off won’t be able to create a new blog at all. That’s the downside of using this plugin unfortunately.

Keep an eye on the stats counter on the admin page. I want to hear how well this works on your site!