Once again, this site has been the victim of scumsucking spammers. If these guys weren’t so loathsome, I would admire their tenacity and creativity. It really is amazing to see how much brains and brute force they devote to their misguided mission. But unfortunately, the net pollution they cause eliminates any admiration for them. For geeks like me, the game can actually be fun to a point, as it keeps us on our toes. But eventually it becomes not worth the trouble.
My latest surrender in this battle was the “Mail Story” feature. Each article here used to have a link that readers could use to email it to someone who might appreciate it, along with a short personal note. That seemed like a fairly safe feature to anyone who didn’t think far enough outside the box.
But along came the infamous Bulgarian twins with a new scheme. They’re well-known for flooding sites with comment spam and referrer spam. But the trick they hit me with was apparently a new one for them.
Email spammers typically like to use somebody else’s server to do their dirty work. One of their favorite techniques in the past was hijacking open SMTP relays. But as site administrators have gotten wise and closed their relays, and as blacklists have started blocking those servers administered by morons too clueless to close them, spammers have moved on to trickier techniques.
The “broadband zombie” has become popular. Broadband customers who are too clueless to know what’s actually running in their always-connected machines are providing literally millions of hosts for spammers, who exploit the many holes in Windows to install spambots on machines which pump out spam while their owners are sleeping.
Yet another trick is finding a website which provides a form to send email to somebody, and exploiting a loophole in the code to use it to send spam. There are many well-known email CGI scripts which have weaknesses that can be abused, and my server logs show frequent hits from spammers trying to see if I have any of the exploitable scripts.
Until today, I could laugh at all the spammers’ attempts to exploit my server. My SMTP relay is airtight. I’m not running Windows, or any buggy CGI code. But, thinking outside the box, the Bulgarians realized that the “Mail Story” feature could be abused. If anyone had asked me if my website had a feature that let anybody use it to create an email message and send mail to anybody they pleased, I would have said “Hell No! That would be an open invitation to spammers!”
But DUH! The “Mail Story” feature does exactly that, as long as the spammer doesn’t mind having my drivel appended after his spam. He (or his spambot) simply fills in the victim’s address and puts his spam in the space for a personal message. Et voilà! My server becomes a zombie pumping out spam with some totally unrelated musing following the spam.
The frustrating part about this is that it’s not really a case of the spammers exploiting something that was “broken” and could be fixed. They’re simply using an existing feature in a way that nobody ever thought about. And, now that I realize the “Mail Story” feature is an open invitation to spammers who don’t mind sending my musing along with their spam, I’ve disabled it. I later learned that, instead of disabling it completely, I could restrict it to registered users, but I’m not sure if that’s worth the trouble. It’s not really a big deal, because that feature didn’t get used very often, but it sucks when people have to start turning off services because they can’t prevent spammers from abusing them.
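The two paragraphs above describe the abuse (anyone can name an arbitrary recipient and supply free-text that the server mails out) and the mitigation I ended up with (disable it, or restrict it to registered users). The following is an added example, not code from this site or from Geeklog, of what a "mail this story" handler looks like once it treats the request as untrusted: it requires a logged-in user, accepts only a single well-formed recipient, caps the note length, refuses notes carrying links, rate-limits each user, and keeps the message wrapper under the site's control so the note is clearly quoted rather than sent as the whole message. The class name, limits and the sample addresses are all assumptions made up for this example.

```python
import re
import time
from collections import defaultdict, deque

# Constructed policy values for this example (not taken from the original post).
MAX_NOTE_CHARS = 500      # a "short personal note", not a whole message
MAX_SENDS_PER_HOUR = 5    # a real reader rarely mails more than a few stories
WINDOW_SECONDS = 3600

# Exactly one plain address: no whitespace, no control characters, one '@'.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Spam notes exist to carry a link; a personal note about a story does not need one.
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


class MailStoryPolicy:
    """Decides whether a 'mail this story' request may be sent (hypothetical helper)."""

    def __init__(self, max_per_hour=MAX_SENDS_PER_HOUR, window=WINDOW_SECONDS):
        self.max_per_hour = max_per_hour
        self.window = window
        self._sends = defaultdict(deque)  # username -> timestamps of accepted sends

    def check(self, user, recipient, note, now=None):
        """Return (allowed, reason); reason is 'ok' when the request may be sent.

        Checks run cheapest-first; the rate limiter only records a send that
        passed every other check, so rejected requests do not consume quota.
        """
        now = time.time() if now is None else now
        if not user:                                   # registered users only
            return False, "login required"
        if not ADDRESS_RE.match(recipient or ""):      # one address, nothing else
            return False, "invalid recipient"
        if len(note) > MAX_NOTE_CHARS:
            return False, "note too long"
        if URL_RE.search(note):
            return False, "links not allowed in note"
        q = self._sends[user]
        while q and now - q[0] > self.window:          # drop sends outside the window
            q.popleft()
        if len(q) >= self.max_per_hour:
            return False, "rate limit"
        q.append(now)
        return True, "ok"


def build_message(story_title, story_url, sender_name, note):
    """Compose the mail body so the site, not the note, frames the message.

    The note is quoted line by line under a fixed heading, and the story link
    (a site URL) is the only link in the mail.
    """
    quoted = "\n".join("> " + line for line in note.splitlines() or [""])
    return "\n".join([
        f"{sender_name} thought you might like this story: {story_title}",
        "",
        "Their note:",
        quoted,
        "",
        story_url,
    ])


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one shaped like the abuse above.
    policy = MailStoryPolicy()
    print(policy.check("alice", "bob@example.com", "Thought of you when I read this.", now=0))
    print(policy.check("", "victim@example.com", "Buy now at http://nowhere.invalid", now=0))
```

The rate limiter is per user rather than per IP because the page's own observation is that the senders are bots on other people's broadband machines; a per-address limit would be trivially spread across hosts, while a per-account limit makes each abusive account cost the spammer a registration.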
In a similar surrender, my college buddy Jeff recently announced that he had been forced to disable comments on his site because of all the spam comments. That kind of crap is one reason why this site only allows comments from registered users. That definitely keeps out the spammers, but it also discourages casual comments from random visitors who drop in and are tempted to say something, but don’t want to hassle with registration (which may be good or bad depending on what they had to say).
The really annoying thing about this is that the actual benefit to the spammer from most of this crap is really very little, yet it inflicts major inconvenience on the victim. It’s like the guy who breaks out your car windshield to steal the loose change from your dashboard. In the case of email spam, the response rate is pathetically low. In the case of the comments that were plaguing Jeff (and even me at one point, before I patched a Geeklog hole), the payback is even less. The spammers don’t actually expect any live humans to follow the links that they spew into people’s blogs, guestbooks, etc. They just hope that Google will count all these links to their site and increase their page rank. They pollute zillions of sites in the probably futile hope that their own site will appear a little higher in a search. But it doesn’t cost them anything, and they don’t care how many people they piss off. Spammers deserve to die a slow painful death.