Thursday, December 29, 2005

Iframes in Yahoo Groups

SpamHuntress wrote about this problem yesterday. She found that Yahoo allows iframe tags inserted into Yahoo Groups by an administrator.

Since originally posting, we have been working on showing it was also possible to insert an iframe from a user submitted message, not only administrator inserted code. Here are my examples showing the iframe vulnerability in a message posted by a user by email and from the Groups interface.

This is not a new problem. Some people believe the real weakness lies with internet browsers. In a way it does, but then you could say the real vulnerability is the existence of the iframe tag itself. But iframes, when used properly, can be useful. They aren't really necessary for website design, but they aren't going away. If you use AdSense you are probably using iframes and don't even know it. Do you want to tell Google they can't use iframes anymore? The real solution is to filter user submitted content. That doesn't prevent all malicious uses of iframes, but what spammers and scammers do on their own site is a different problem.

Similar iframe vulnerabilities can be found in other forum software, but Yahoo is a large service that I think can give users a false sense of security. They may believe they are on a trusted site while under the domain. Yahoo should do whatever they can to protect their users. They do prevent javascript from being run from a message so they clearly understand that user content can be dangerous. They just missed this one. Hopefully they fix it soon.
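As an added illustration of the filtering the post calls for (example code written here, not Yahoo's or any forum software's implementation), an allowlist sanitizer in Python that rebuilds user-submitted HTML from a fixed set of tags and drops iframe and script elements together with event-handler attributes; the allowed tag list, the URL scheme check and the sample message are assumptions.

```python
import html
from html.parser import HTMLParser

# Allowlist approach: only these tags and attributes survive. Everything else,
# iframe and script included, is dropped. The choices below are assumed.
ALLOWED_TAGS = {"p", "b", "i", "a", "br", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")   # relative URLs are dropped too
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}

class MessageSanitizer(HTMLParser):
    """Rebuilds user-submitted HTML from an allowlist of tags and attributes."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives unescaped
        self.out = []
        self.skip_depth = 0         # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1    # an unclosed iframe fails closed: the rest is dropped
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:   # on* handlers and unknown attributes vanish here
            if name in ALLOWED_ATTRS.get(tag, ()) and value \
                    and value.strip().lower().startswith(SAFE_SCHEMES):
                kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data))  # text is re-escaped on output

def sanitize_message(raw_html: str) -> str:
    parser = MessageSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)

# Constructed sample message, not a real group post.
SAMPLE = ('<p>Hi <b>there</b> <iframe src="http://example.invalid/x"></iframe>'
          '<a href="javascript:alert(1)" onclick="x()">click</a>'
          '<a href="http://example.com/">ok</a><script>evil()</script></p>')
```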

Wednesday, December 28, 2005

Most Spammed Posts

Comment spam on Blogspot appears to be improving. 356 (since November 4), up from 303 comment spams 35 days ago, is not bad. That is an average of only 1.5 spams a day for over a month. It is still hard to tell if this is due to the holidays, Blogger cooking something up, or finally spammers getting smart. Since SpamHuntress says spam has increased on her blog, things are looking good for Blogspot users.

It also seems that Blogger has fixed the moderation hole. I haven't had any spam slip through moderation in a long time.

And I am not required to approve my own comments to my blog anymore which is nice. I always thought that was a bit stupid.

I am sure you are all eager to see how my posts are scoring in the most spammed game. There has been a rise in casino spam lately so my posts on that topic have really jumped ahead. I am limiting the results to those with 8 points or above; last time it was five, but there were a bunch of players that suddenly reached that level and the table got too big.

Change  Points  Post                                  Date
  +7      22    Casino Online On-Line Spam (part 2)   7/07/2004
  +1      20    Lots of Comments                      11/05/2005
          16    Google's Spamdexing Service           10/08/2005
  +5      12    Casino-Online-On-Line Spam            7/06/2004
  +4      12    Casino Online On-Line (part 3)        7/08/2004
  +1      11    How Not To Fix The Blogspot Issue     10/26/2005
  +1      10    New Spam Fighters                     8/30/2005
           8    More about BeTheDealer                7/08/2004
           8    BeTheDealer and DirectedMarket        7/08/2004

Gmail Spam Recipes

If you have turned off your Web Clip bar in Gmail you are missing out.

You know they show Web Clips (RSS feeds), Sponsored Links, and Gmail Tips. But did you know they also post Spam Recipes?

Each time I see one I find it funny, since the reason they are targeting me with them is that so much of my email is either tagged [Spam] or discussing spam. Well, today I discovered they get a lot more frequent when I open my Spam folder. Pretty much everything in the web clip bar was a spam recipe.

My favorite is Spam Fajitas. But there are lots of others to choose from: Spam Skillet Casserole, Vineyard Spam Salad, Savory Spam Crescents, Spam Primavera, Creamy Spam Broccoli Casserole, Spam Hashbrown Bake, Ginger Spam Salad, and Spam Breakfast Burritos.

I am sure Hormel would be happy to know they are getting lots of exposure in Gmail, but if I were them, I would ask not to show SPAM recipes in the spam folder.

Fixed

Manni got the DNS issues worked out and now things should be back to normal.

I am going to keep my mirror blacklist going just in case, but it is best if you use the one on the main site. It is more up to date since mine updates from it a few times a day.

Tuesday, December 27, 2005

DNS Issues

Manni announced on our WikiForum that was back and fully operational on the 23rd. Someone forgot to tell my DNS server because I still can't access it normally. It seems that due to some setup issues only one of the three name servers chongqed uses has our subdomain records right. So if you are lucky enough that your query is served by one of the other two, you can't reach our subdomains. We are narrowing down the name server problem though and hopefully will have it fixed real soon.

But the good news is that is working again so even if you can't reach it, my mirror blacklist is now being updated again. So far today I have added probably at least ten different spammers with lots of domains. I plan to work to add more than we have been lately to make up for the blacklist being down for so long.

Monday, December 26, 2005

New chongqed Wiki

For anyone else going through chongqed wiki withdrawal, we now have another one to hold us over till Manni gets the main one fixed. I set it up mostly as a way to experiment with MediaWiki, but plan to use it as a spam collecting honeypot of course. So to avoid confusion I will be calling it our honeypot wiki.

I have been trying out the MediaWiki antispam features; there are more than I realized. But I have only been able to make one of them work so far. It is an important one though.

$wgSpamRegex allows you to ban whatever you want. On our wiki it was suggested by PForret to use it to block CSS Hidden Spam. His rule blocked div tags, which worked since that is what spammers are using for now, but they could use many other tags. That means we should concentrate on the style attribute instead.

My rule blocks tags with style attributes that could be used to hide spam:

$wgSpamRegex = "/\<.*style.*?(display|position|overflow|visibility|height)\s*:.*?>/i";

I think that covers everything except font-size and color, but those aren't the best for hiding spam and are more likely to be useful for nonspam purposes than the others. If I am missing any others let me know.

More powerful rules and discussion at the honeypot wiki.
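An added check, written here rather than taken from the post or from MediaWiki, that runs the rule above over constructed sample edits in Python and compares it with a tighter variant of my own that keeps the match inside a single tag; the TIGHT_RULE pattern and the sample edits are assumptions, not anything from the honeypot wiki.

```python
import re

# The $wgSpamRegex rule from the post, as a Python pattern (every construct it
# uses means the same thing in PCRE and in Python's re; the backslash before
# '<' is unnecessary and dropped).
POST_RULE = re.compile(
    r"<.*style.*?(display|position|overflow|visibility|height)\s*:.*?>",
    re.IGNORECASE,
)

# My own tighter variant (an assumption, not from the post): the match must stay
# inside one tag ([^>]* instead of .*) and the property must sit inside the
# quoted value of a real style attribute, so prose that merely mentions
# "style" and "position:" between two tags is not rejected. Like the post's
# rule it still trips on line-height or max-height, because of the 'height' word.
TIGHT_RULE = re.compile(
    r"""<[^>]*\bstyle\s*=\s*(["'])[^"'>]*\b"""
    r"""(display|position|overflow|visibility|height)\s*:[^"'>]*\1[^>]*>""",
    re.IGNORECASE,
)

# Constructed sample edits, not real wiki content.
SAMPLE_EDITS = {
    "div_hidden": '<div style="display:none">cheap pills</div>',
    "span_offscreen": "<span STYLE='position: absolute; left:-9999px'>casino</span>",
    "colour_only": '<span style="color:red">legit red text</span>',
    "plain_prose": "<b>Today</b> we discussed the style of position: absolute. <i>ok</i>",
}

def is_rejected(wikitext: str, rule=POST_RULE) -> bool:
    """True if MediaWiki would refuse this edit under the given $wgSpamRegex."""
    return rule.search(wikitext) is not None

def rejected_samples(rule) -> list:
    """Names of the sample edits a rule blocks, in dictionary order."""
    return [name for name, text in SAMPLE_EDITS.items() if is_rejected(text, rule)]
```

The post's rule flags the innocent "plain_prose" edit because its greedy `.*` runs across the closing `>` of the first tag; the tighter variant flags only the two hidden-text edits.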

Tuesday, December 20, 2005

AdSense for Typos

In October I posted about Google's spamdexing service. I then found a post at 90% Crud saying basically the same thing way back in January 2004.

Now SearchEngineWatch has a similar post calling for reform of the AdSense For Domains program. This article concentrates mostly on typo domains which are against Google's AdSense policy. There seems to be no problem with typos when using Google's DomainPark (spamdexing) service.

Server Troubles

Well, several days ago I posted that was in the process of moving and not working right, things have only improved a little since then. My email is now working again. And Manni is closer to figuring out what is going on.

Since we have been down I have setup a mirror of the latest copy of the blacklist I have (December 6, but not a lot had been added since then) in case anyone needs it. And I have set up a cron job to update the mirror daily once the site gets working again. You can add that address as a backup location. I don't have the bandwidth the main site has though so use the main one when possible.

I am also working on some content for For now it is just a bunch of antispam RSS feeds I like. I will be expanding it, but not yet sure with what. I have been thinking about setting up a honeypot wiki. Spammers are learning not to mess with's wiki, will they be smart enough to avoid I doubt it.

Friday, December 16, 2005

Safer Browsing

Firefox is safer than Internet Explorer, but it could be better. Here are a couple of extensions to do that. Both require Firefox 1.5, but you should be upgrading to that anyway.

Google has just released Safe Browsing, a Firefox extension that will warn you when you are on a suspected phishing or spoofing site. It sounds like it can do some of this based on "advanced algorithms" that look at the page content, but I am not sure how successful that will be. But if you turn on Enhanced Protection, the extension will query Google's blacklist. Even with the blacklist it still missed a clear eBay spoofing site in my test.

Another way to make browsing a little safer is FormFox. When you hover the cursor over a form submit button a tooltip popup will tell you the address the form will be submitted to. And if the form is not being submitted to the same address the page comes from, it will also warn you. It seems to warn sometimes when it shouldn't though, but seeing the submit address is the important part.

Since Google's Enhanced Protection sends the URL you visit to Google for checking, it is a minor privacy issue, but that is why it is not turned on by default. It is no more loss of privacy than if you use a PageRank utility. And I think it is far better to send a little data to Google about your browsing than being tricked into sending your registration data to a scammer. You still have to be careful of course, but any help is better than none. It sounds like Internet Explorer 7 is going to have something similar, but that is still months away.

I hope they keep up on this blacklist better than they have on their tools in the antisplog war. With Microsoft going to have a similar function for IE, and Google being a big backer of Mozilla, I would think they will have to keep it up to date. I wonder if this extension will be the basis of similar protection built into Firefox 2.0.

For now, Google's extension is only available for users in the United States. Their FAQ says this is due to licensing issues and they are working on it.

Thursday, December 15, 2005

Server Move

Manni has been in the process of moving to a new server. It is finally going through now so if you find you can't access or our subdomains it should be fixed soon. Right now I can access the main domain, but not the wiki which is kind of annoying since that is where most stuff happens.

Friday, December 09, 2005

Gmail Adds RSS Feeds

Today Gmail added an RSS feed headline to the top of the inbox in Gmail. Apparently some people already had it for a while, so I guess it came out of testing today. It is kind of interesting I guess. I found some interesting articles from its news sources I would not likely have seen otherwise. But really, it is a very sneaky way to get users to view and maybe click on text ads. Occasionally they aren't "Web Clips," they are "Sponsored Links." They are clearly marked, but I found myself looking at them more than I look at the sidebar of targeted ads in Gmail's message views. Good job on that Google.

It comes with some default feed sources and you can select from a bunch of other major news and entertainment sites. You can also add custom feeds. I think I will stick to Google Lens for most of my feed reading. But for news and entertainment sites that I normally wouldn't read I think it will be interesting.

Saturday, December 03, 2005

AdSense Extortion

Dirk has a post about AdSense Extortion from a news article on (in German). It looks like this scammer was slowly increasing the AdSense revenue for the bloggers' sites through click fraud. He then requested half their AdSense income or he would increase the click fraud so much Google would notice and suspend the blogger's account. If you are a victim of this or any other AdSense extortion attempt notify Google.

Thursday, December 01, 2005

Gmail Adds AntiVirus Scanning

This is good news.

Well, actually it is very surprising now that I think about it. Why didn't we already have it!!! Gmail has been running in beta for over a year now. Did Google not think antivirus was a priority? I know that by labeling it a beta they can get away with whatever they want, but no antivirus is just stupid. I always assumed they had scanned my email for viruses. I am sure I am not the only one.

Up till now they just blocked sending any executable. That solved part of the problem, but that didn't block macro viruses in documents. And it was pretty annoying when you wanted to send an executable, even inside a zip file.

Update: There are some complaints about this new feature discussed in this article at Computerworld.

The first one, which at first seems unimportant, is that scanning can't be turned off. The article explains why that could be a problem for some people. Of course, it is a worse problem for virus writers so I don't have a big problem with it. Do other major mail providers allow you to turn off virus scanning?

The second problem is pretty annoying: they aren't going to quit blocking executables. For the average email user that is not a problem and will help prevent spreading unknown viruses. But it is really annoying for me and many others.

The last big complaint is that Google isn't saying what antivirus technology they are using. Assuming they have not created their own scanner, people want to know what vendor they are using. I am interested in knowing too, but it doesn't make any difference. Each different implementation may have weaknesses, but how does knowing solve anything? You should already have your own antivirus scanner that you are happy with.