Archive for the ‘Spam’ Category

WordPress “Worst Offenders” Plugin Works in WP 2.9.x!

Sunday, March 7th, 2010

I’ve just spent a bit of time fixing up a fairly simple bug that was preventing Rich Boakes’s “Worst Offenders” plugin [1] from working in current WordPress versions (basically it was assuming it had created a submenu somewhere it wasn’t) and merged my branch back into trunk to check the content of comments for a list of bad words. No release yet, this is just in trunk, but if you are feeling adventurous you can go into your WordPress’s wp-content/plugins directory and do:

svn co http://plugins.svn.wordpress.org/worst-offenders/trunk/ worst-offenders

Of course make sure you’ve nuked any earlier version of Worst Offenders first!


  1. This plugin classifies your Akismet spam queue by various criteria to let you do bulk deletes for comments matching various criteria.

SpamAssassin Y2K10 Bug

Saturday, January 2nd, 2010

Update: removed the link to the SpamAssassin announcement as the link isn’t permanent! :-(

In case you’ve not noticed – SpamAssassin had a nasty Y2K10 bug which had been fixed months ago but the fix never got pushed out into a release or updates. :-(

Those of you using SpamAssassin to filter your mail may want to watch things a bit more closely than usual; it seems that current versions still include the rule known as FH_DATE_PAST_20XX, which adds 2-3 points to any message with a 2010 date in the headers. Surprisingly enough, such dates have suddenly become common, with the result that SpamAssassin may be generating more false positives than usual.

The fix is now included in the updates pushed out by sa-update; run it with -D to get debug output and check you’ve picked up 895075 or later. You’ll see it say:

[4096] dbg: dns: 5.2.3.updates.spamassassin.org => 895075, parsed as 895075

If you’re running Zimbra then you’ll need to fix this manually; in the VPAC install (5.0.x) I changed a line in /opt/zimbra/conf/spamassassin/72_active.cf from:

header FH_DATE_PAST_20XX Date =~ /20[1-9][0-9]/ [if-unset: 2006]

to:

header FH_DATE_PAST_20XX Date =~ /20[2-9][0-9]/ [if-unset: 2006]

The other alternative is to set the score of the rule to 0 in your local.cf file:

score FH_DATE_PAST_20XX 0.0

Then go hunting for legitimate email in your spam folder (I’m lucky enough that none got picked up).
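As an added example (not part of the original post and not SpamAssassin code), the Python below parses header rules in the form quoted above and reports the first year whose ordinary Date header trips each one. The sample file contents, the _OLD/_NEW rule-name suffixes and the function names are assumptions made for illustration; the result also shows that the corrected pattern only moves the cutoff to 2020.

```python
import re

# Constructed sample of a rules file. The two header lines are the before/after
# forms quoted in the post; the _OLD/_NEW suffixes are added here (assumption)
# so both versions can be loaded side by side.
SAMPLE_CF = """\
header FH_DATE_PAST_20XX_OLD Date =~ /20[1-9][0-9]/ [if-unset: 2006]
header FH_DATE_PAST_20XX_NEW Date =~ /20[2-9][0-9]/ [if-unset: 2006]
score FH_DATE_PAST_20XX_OLD 0.0
"""

# header <name> <Header> =~ /<regex>/<flags> [if-unset: <default>]
HEADER_RULE = re.compile(
    r"^\s*header\s+(?P<name>\S+)\s+(?P<hdr>[\w-]+)\s+=~\s+/(?P<re>.+)/(?P<flags>[a-z]*)"
    r"(?:\s+\[if-unset:\s*(?P<unset>[^\]]*)\])?\s*$"
)

def parse_header_rules(cf_text):
    """Return {rule_name: (header, compiled_regex, if_unset)} for header rules."""
    rules = {}
    for line in cf_text.splitlines():
        m = HEADER_RULE.match(line)
        if m:
            flags = re.I if "i" in m["flags"] else 0
            rules[m["name"]] = (m["hdr"], re.compile(m["re"], flags), m["unset"])
    return rules

def rule_hits(rule, headers):
    """Apply one parsed rule to a dict of headers, honouring the if-unset default."""
    hdr, regex, unset = rule
    value = headers.get(hdr, unset)
    return value is not None and regex.search(value) is not None

def first_false_positive_year(rule, start=2006, end=2100):
    """First year whose ordinary (constructed) Date header trips the rule."""
    for year in range(start, end):
        if rule_hits(rule, {"Date": f"01 Jan {year} 09:30:00 +1100"}):
            return year
    return None

if __name__ == "__main__":
    for name, rule in parse_header_rules(SAMPLE_CF).items():
        print(name, "first fires on dates in", first_false_positive_year(rule))
```

Pointing parse_header_rules at the text of your own 72_active.cf shows which form of the rule is actually installed.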

Amusing Spam Subject

Friday, August 21st, 2009

Got a spam in my spamtrap today with the subject:

Privet & Confidential

I bet it’s a hedge fund.. ;-)

Phishing by Phone

Sunday, May 31st, 2009

This got caught by the spam filters:

To speed up the process, you are required to call us at our free toll free number (+61) 731-235-996 to verify your Commonwealth Maestro Card.

First time I’ve seen a phishing attack that uses (presumably VOIP) phone numbers (in this case allocated to GoTalk in Brisbane, they own 0731230000 to 0731239999 according to the search you can do here) rather than a web site (though I suspect it’s been around for a while).

US-CERT incident report fail

Thursday, May 28th, 2009

US-CERT has a form for reporting security incidents – I wanted to report a .gov system that had been hacked and used as part of a phishing scam but cannot because it won’t accept my Australian phone number! Sigh..

The email to the technical contact in WHOIS will have to be sufficient then.

Fighting splog scrapers

Monday, January 21st, 2008

Bookmarking this useful information from Russell for future reference. I’ve just installed the RSS Footer plugin as recommended by the post that Russell links to.

A good captcha

Sunday, July 22nd, 2007

Got to love the anti-spam Captcha on the sign up for the Quantum Random Bit Generator Service.. :-)

(Thanks Don)

Comment for Michael Carden about comment spam

Saturday, June 30th, 2007

I read on PLOA that Michael Carden briefly tried to open his blog for comments, only to find:

The WordPress UI balked at deleting 194,000 (okay, I ignored it for a while) comment spams. I had to dig in as admin and run a fun sql query on the database to delete all 47 meg of them.

I guess I’ve got a couple of suggestions for Michael to make his life a little easier should he decide to try again.

  1. Akismet has an option to “Automatically discard spam comments older than a month”, that might help (though it’d be nice to be able to adjust the time).
  2. Run, do not walk, to Rich Boakes’s most excellent Worst Offenders plugin. This will both group comments for deletion based on various criteria and also (if you have permission) add Apache “Deny From” rules for the offending IP addresses. It’s also worth bumping up the number of IP addresses it can ban; Donna’s blog is up to over 8,000 at the moment!
  3. There are also tools like Bad Behaviour to try and catch bots before they get to you, and if you are a member of Project Honeypot then there is the http:BL WordPress Plugin to check and block IPs listed as baddies there.

Anyway, I hope that helps some people out.

SpamTrap – an art installation

Sunday, June 3rd, 2007

Thanks to Jeremy for this one!

“Spamtrap” is an interactive installation piece that prints, shreds and blacklists spam email. [...] The paper is recycled after the spam email has been shredded.

Fake WordPress/2.1-alpha3 Trackback Spam Countermeasure (and a factoid) (Updated)

Sunday, April 22nd, 2007

For those of you who control your Apache server driving your blog and who would like to easily block the incoming tide of spam with the fake user-agent “-- WordPress/2.1-alpha3” then all you need to do is to add the following to your .htaccess or central Apache configuration.

BrowserMatchNoCase "-- WordPress/2.1-alpha3" spambot=1

Order allow,deny
deny from env=spambot
allow from all

That should then cause the spammers to bounce off with a 403 “go away” error. You can also lather, rinse, repeat for other spam user-agents you would prefer not to let into the house..
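To check what the directive above would catch (and, once deployed, that those requests really get a 403), this added example tallies matching requests per client IP from an access log in Apache's combined format. It is not from the original post; the log lines, IP addresses and function name are constructed for illustration.

```python
import re
from collections import Counter

# Pattern from the BrowserMatchNoCase directive in the post. Apache treats it
# as a case-insensitive regular expression, so it is compiled the same way.
SPAM_UA = re.compile(r"-- WordPress/2.1-alpha3", re.IGNORECASE)

# Apache "combined" log format: the User-Agent is the last quoted field.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed log lines using documentation IP ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Apr/2007:10:00:01 +1000] "POST /wp-trackback.php?p=12 HTTP/1.0" 200 87 "-" "-- WordPress/2.1-alpha3"
203.0.113.5 - - [22/Apr/2007:10:00:04 +1000] "POST /wp-trackback.php?p=13 HTTP/1.0" 200 87 "-" "-- wordpress/2.1-ALPHA3"
198.51.100.9 - - [22/Apr/2007:10:02:10 +1000] "POST /wp-trackback.php?p=12 HTTP/1.0" 403 210 "-" "-- WordPress/2.1-alpha3"
192.0.2.44 - - [22/Apr/2007:10:03:00 +1000] "GET /feed/ HTTP/1.1" 200 5120 "-" "WordPress/2.1.3"
"""

def spambot_hits(log_text):
    """Count flagged requests per client IP, split into those that were
    served (any status but 403) and those already blocked (403)."""
    served, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m or not SPAM_UA.search(m["ua"]):
            continue  # unparseable line, or a user-agent the rule ignores
        (blocked if m["status"] == "403" else served)[m["ip"]] += 1
    return served, blocked

if __name__ == "__main__":
    served, blocked = spambot_hits(SAMPLE_LOG)
    print("still served:", dict(served))
    print("blocked with 403:", dict(blocked))
```

The genuine-looking "WordPress/2.1.3" user-agent in the last sample line is not counted, because the pattern requires the leading "-- " and the "-alpha3" suffix.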

On another point, a couple of them (one each in Brazil, Holland and Israel) had a fake SMTP server listening on port 25:

220 ESMTP service ready
help
250 ok
quit
250 ok
quit
250 ok
bye
250 ok
^]
telnet> quit
Connection closed.

Very odd!

Update: Also see Fight Blog Spam with Apache.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 Australia.