Are you fed up with spam yet?
I am and I have been for a long time. Removing the sludge has
been an ongoing project for me and I've tried a lot of products over
the years. As much as we might wish for some sort of legislation that would
work against spammers, it's unlikely. Unlike most telephone solicitors, spammers
seem to be dishonest, thieving, sleaze balls who are already breaking enough
laws (fraud, for example) that they'll not be bothered much by another small
threat.
People
who are outspoken opponents of spam occasionally receive thoughtful,
well-reasoned, intelligent comments from spammers. Here's a fine example:
"austins the name spammins mAh game you mess
wit da 47 man, pshh you aint g0t n0 plan step t0 mah elite mailin
skillz, joo best head to da hillzzzzz when 47 gets j00 ya best call
up yah crew, or imma come rat -ta -tat tat 0n y0 punk azzz with MAH
GAT!"
I might be inclined
to take this clown seriously except
for a couple of minor things -- spelling, grammar, and punctuation are all
so laughable that it's hard to believe the writer is older than 10 or has
an IQ above 75. Somebody who can't figure out the basics of English
isn't likely to get very far in
a legitimate business, so spamming is probably "Mister 47's" best
choice. Bank robbery would probably be too taxing for his limited intellect.
At the left is a copy of the spams that "SpamPal" caught in a 24-hour
period. Nearly 160 messages.
TO OBTAIN THIS LIST, I ALLOWED ALL SPAM TO BYPASS GOODBYESPAM.COM FOR
24 HOURS SO THAT ALL OF THE MESSAGES WOULD BE DIRECTED TO MY "SPAM" BOX
BY SPAMASSASSIN AND SPAMPAL.
How to slow the river of sludge
First, understand that legislation is not the answer. Technology is the answer.
The big spammers can be identified and if the world's ISPs would cooperate
by refusing to accept mail from open relays and known spam IP addresses, the
result would be immediate and dramatic. Because that's not going to happen
anytime soon, you're on your own.
I use several traps to squash the roaches as they try to get into my computer.
My current creep catchers
I haven't yet found a single solution that catches or eliminates most spam in a way that works for me. My situation is somewhat unusual in that I have several addresses that collect administrative messages for clients. These are the "addresses of record" connected with website accounts. Some registrars offer "privacy" for these addresses, but I feel that administrative addresses should be public. Because spammers have no ethics, they raid registrar information for addresses. That means I may get 30 or 40 copies of a given spam that's been sent to the admin addresses I maintain. All of these show up in the same mailbox. On any given day, the ratio of good messages to sludge is probably 1:100.
For a lot of people, SpamPal would
serve well. SpamPal is an open-source application that is free and uncommonly
effective. At installation time, the user is offered several initial
settings that range from cautious to aggressive. More spam will get
through if you choose to be cautious; more valid messages will be tagged
as spam (not discarded, just tagged) if you choose to be aggressive.
NOTE: SpamPal assumes some knowledge of how e-mail works.
I have SpamPal tag potential spam with "**SPAM**" in the subject line. I then
have my e-mail program sort any spam that gets through into a special "spam" mailbox.
The trouble with SpamPal is that all messages must be downloaded to be examined.
If I'm away from the office and on a slow dial-up connection, I don't want
to have to download 200+ spams (typical overnight results) just to read the
50 or 100 valid messages that have arrived.
So in front of SpamPal I have GoodbyeSpam.com. This is the on-line service that I've mentioned from time to time. Instead of having to download messages, I can connect to GoodbyeSpam's website and examine messages the service has identified as spam (in the trash) and additional messages that the service hasn't been able to rule in or out (in quarantine) before downloading the mail. This process takes less than a minute, even if the trash contains 200 messages because I can tell at a glance why GoodbyeSpam thinks a message is spam. It's right virtually all of the time, but occasionally a good message will find its way into the trash. In that case, I whitelist the sender's address, dump the rest of the trash, and move on.
THIS IS THE KIND OF SPEW THAT GREETS ME EACH MORNING. THIS IS JUST THE "TRASH" (NO
GOOD MESSAGES HERE). A SIMILAR, BUT SMALLER, LIST WILL DISPLAY MESSAGES IN
QUARANTINE.
Because I have an extensive whitelist on file at GoodbyeSpam, at least 90% of the messages in quarantine are also spam. If I have time, I identify words in the subject line that tell me the message is something I don't care to look at and add those words to the reject filter. If I don't have time, I just block the messages so that they won't be downloaded. Then I approve any valid messages that are in quarantine, whitelist the senders' addresses, and continue.
I use GoodbyeSpam on my 3 most active addresses. SpamPal is active on all
of my addresses. And for any blinn.com, technology-corner.com, 610tech.net,
et cetera addresses, there is one more line of defense: SpamAssassin,
a website-based spam killer that my Internet presence provider (Akashik.net)
offers. SpamAssassin uses several analysis tools to rank
messages. I can then establish a point value that, if exceeded, means
the message is probably spam. Any message that passes through SpamAssassin
arrives with special information that allows me to sort it into my special
spam mailbox. SpamAssassin tags messages it thinks are spam with "*SPAM*"
(1 asterisk on each side to differentiate between it and SpamPal).
The result is that for the few spams that manage to get through GoodbyeSpam (or for those spams not checked by GoodbyeSpam), SpamAssassin and SpamPal give me the information I need to dump the crud into a special mailbox. I've never found a good message in the sludge box, but I do glance there at least once per day just to be sure I'm not deleting a message I want to keep.
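The two tag formats make it possible to tell which filter flagged a message, provided the sorting rule does not treat "**SPAM**" as also containing "*SPAM*". A sketch of such a rule in Python, added here as an illustration (it is not code from SpamPal, SpamAssassin or any mail program); the sample messages are constructed:

```python
import re
from email import message_from_string, policy

# Tag formats from the article: two asterisks = SpamPal, one = SpamAssassin.
# The lookarounds stop "**SPAM**" from also matching the one-asterisk pattern.
TAGS = {
    "SpamPal": re.compile(r"(?<!\*)\*\*SPAM\*\*(?!\*)"),
    "SpamAssassin": re.compile(r"(?<!\*)\*SPAM\*(?!\*)"),
}

def taggers(subject):
    """Return the set of filters whose tag appears in the subject line."""
    return {name for name, pat in TAGS.items() if pat.search(subject)}

def sort_message(raw):
    """Return (mailbox, taggers) for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    found = taggers(str(msg.get("Subject", "")))
    return ("spam" if found else "inbox"), found

# Constructed sample messages (not real mail).
SAMPLES = [
    "From: a@example.com\nSubject: **SPAM** Lower your mortgage rate\n\nbody\n",
    "From: b@example.net\nSubject: *SPAM* **SPAM** Generic meds\n\nbody\n",
    "From: c@example.org\nSubject: *SPAM* Auto warranty\n\nbody\n",
    "From: d@example.com\nSubject: Lunch on Friday?\n\nbody\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        box, found = sort_message(raw)
        print(box, sorted(found))
```

A plain substring test for "*SPAM*" would credit SpamAssassin with every message SpamPal tagged, which hides which layer is actually catching what.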
In early October, GoodbyeSpam's Jeff Schwartz let me know about a new feature.
"We’ve just added a new feature to GoodbyeSpam: Consensus
Blocking," he said. Normally,
if you receive an e-mail that GoodbyeSpam can neither approve nor block based
on the rules you've established, the program quarantines the
message. "However, if you enable Consensus Blocking in the program's
preferences panel, GoodbyeSpam will look to see what other users have
done with that sender, domain, or master domain. If there’s a consensus
that it’s a spammer then GoodbyeSpam will transfer the message to Trash instead
of to Quarantine." Schwartz says his tests suggest that this will reduce
the average number of quarantined messages by 30 to 50%.
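The triage described in this section, with Consensus Blocking as the last step before quarantine, sketched in Python. This is an added illustration, not GoodbyeSpam's code: the rule order, the vote thresholds, the two-label reading of "master domain" and all sample data are assumptions.

```python
from collections import Counter

def master_domain(domain):
    # Assumption: "master domain" = last two labels (mail.shop.example -> shop.example).
    return ".".join(domain.split(".")[-2:])

def consensus_is_spam(sender, community, min_votes=5, min_share=0.8):
    """True if other users mostly blocked this sender, domain or master domain.
    community maps each of those to Counter(block=..., approve=...); the
    thresholds are assumed values, not GoodbyeSpam's."""
    domain = sender.rsplit("@", 1)[-1]
    for key in (sender, domain, master_domain(domain)):
        votes = community.get(key, Counter())
        total = votes["block"] + votes["approve"]
        if total >= max(min_votes, 1) and votes["block"] / total >= min_share:
            return True
    return False

def triage(sender, subject, rules, community=None):
    """Return 'inbox', 'trash' or 'quarantine' for one message."""
    sender, subject = sender.lower(), subject.lower()  # kill list is lower case
    domain = sender.rsplit("@", 1)[-1]
    if sender in rules["whitelist"] or domain in rules["whitelist"]:
        return "inbox"
    if sender in rules["blacklist"] or domain in rules["blacklist"]:
        return "trash"
    if any(text in subject for text in rules["approve"]):
        return "inbox"
    if any(text in subject for text in rules["reject"]):
        return "trash"
    # No personal rule matched: without consensus this is always quarantine.
    if community is not None and consensus_is_spam(sender, community):
        return "trash"
    return "quarantine"

# Constructed sample data (assumed names, not real senders).
RULES = {"whitelist": {"friend@example.com"}, "blacklist": {"pills.example"},
         "approve": {"invoice"}, "reject": {"mortgage", "auto warranty"}}
COMMUNITY = {"bulkmailer.example": Counter(block=9, approve=1),
             "newsite.example": Counter(block=2)}

if __name__ == "__main__":
    for s, subj in [("friend@example.com", "Lunch?"),
                    ("x@offers.example.net", "Lower your MORTGAGE rate"),
                    ("news@mail.bulkmailer.example", "Hello there"),
                    ("info@newsite.example", "Hello there")]:
        print(s, "->", triage(s, subj, RULES, COMMUNITY))
```

The minimum vote count matters: a sender that only two other users have blocked stays in quarantine, so a handful of mistaken blocks cannot send a legitimate correspondent to the trash.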
HERE IS THE LIST OF QUARANTINED MESSAGES. ONES MARKED "*SPAM*" WILL
BE CAUGHT WHEN THEY REACH MY E-MAIL PROGRAM,
BUT I STILL EXAMINE THEM TO SEE WHAT NEW WORDS I SHOULD CONSIDER
BLOCKING SO THAT SIMILAR MESSAGES WILL BE DIRECTED TO THE TRASH BIN.
FROM THE LIST AT THE LEFT, I FOUND SEVERAL NEW WORDS OR PHRASES
THAT I DECIDED WOULD BE GOOD TO ADD TO GOODBYESPAM'S "KILL" LIST.
I FORCE ALL THE WORDS TO LOWER CASE FOR CONSISTENCY;
IT DOESN'T REALLY MATTER.
HERE I'VE ADDED THE NEW WORDS TO MY LIST OF WORDS TO BLOCK.
"You've got spam"

When the occasional spam arrives via an address
that isn't vetted by GoodbyeSpam.com, it gets tagged
either by SpamPal (if it arrives via Roadrunner) or
by SpamAssassin and probably also by SpamPal (if it
arrives via one of my own domains). A quick glance
daily in the slop pit and a "delete all" command
dumps the stuff where it belongs -- in the sewage.
Isn't this a lot of trouble?
Yes, and I resent it. It does take
time to set up these defense systems and to maintain them, but it takes
far less time to do that than it does to have to deal with each piece
of spam individually. I've been using GoodbyeSpam.com for
close to a year now and I still regularly make additions to whitelist
and blacklist files, and modifications to the "reject" or "approve" text
lists. This isn't a program that you'll set up and never have to touch
again. Spammers may be little more than slime, but some of them are
intelligent enough to change their techniques in a way that lets them
break through. And those who aren't too bright aren't bothered by any
ethical considerations, so they just steal what the smarter ones dreamed
up.
SpamPal and SpamAssassin likewise need maintenance, but the results are worth
the effort. I'll never see another Nigerian bank scam; any offer to add or
remove inches from any part of my anatomy; any offer for real, generic, or
herbal drugs of any sort; or any messages from anyone offering pornography,
multi-level marketing, auto warranties, home loans, mortgages .....
SpamCop: Sitting peacefully in the donut shop
With the gantlet that faces inbound mail at my place these days, no more than
1 or 2 spams ever make it to me in any given 24-hour period. In most cases,
these are just some run-of-the-mill spam that somehow dodged all the hammers,
spears, and clubs. If I have time, I'll examine the spam to determine why
it got through my defenses. Then I make the appropriate changes. If it's a
particularly egregious piece of slop, I use SpamCop to report it.
Your solution?
One or more of these spam catching programs might be what you need to regain
control of your own mailbox. And there are other applications that fall into
several broad classifications:
- Challenge/response: GoodbyeSpam does this. Any
new correspondent who sends you a message must respond properly to a message
from GoodbyeSpam. While I like this approach, I've turned off the challenge
part of the program. It sends the wrong signal if you're in business and
routinely receive mail from people you don't know. Additionally, it's important
-- when you use a challenge/response program -- that you pre-load
your address book. If you don't, you'll probably find that the service
will offend some of your friends. These systems deal with spam on a remote
server.
- Server-based mail analyzers: SpamAssassin is
a good example of this kind of application. Unlike GoodbyeSpam, SpamAssassin
doesn't hold your mail on the server; it marks spam and allows you to sort
suspected trash into a special folder.
- Local mail analyzers: SpamPal is the best example
of this kind of application. The mail is analyzed on your computer,
marked if it appears to be spam, and then sent on to your e-mail application.
- Reporting mechanisms: For those who enjoy tracking
down the spammer creeps and trying to get their websites shut
down, you can't beat SpamCop. The trouble is that today's spammers are
not the clueless folks who used to be responsible for spam. Today's spammers
know very well that they are a low form of scum and they have banded together
to run their slime-shops from countries with governments that don't care
what you're doing as long as you pay.
No cats
Everyone who makes an attempt to kill spam has my respect and admiration,
but nobody has yet come up with a "silver bullet" -- nor is anyone likely
to. It would be unfair to rate the applications I've talked about; each
works to some degree individually. Together, they're a strong safety
net. Some people may feel that maintaining the disparate applications
is too much trouble; others may not have the knowledge they need to
understand how to make the best use of the applications and may be unwilling
to take the time to learn; still others will be willing to invest the
time needed to understand the problem and to develop a personal strategy
to deal with it.
Those in the first two groups will fail to cleanse their systems of spam.
Those in the last group will see a dramatic reduction in the amount
of spam they receive, but they will need to continually modify and fine-tune
the applications to keep up with the problem.
Burning Down the House (again)
Last month, I told you about Burning Down the House by
Eliot Van Buskirk. If you're interested in audio and computers, Eliot's
is the book you should have. We continue our conversation with Eliot
today.
Just about everyone has heard of the MP3 format, but there are other options.
Each format has a "codec" (compress/decompress) algorithm that determines
how much of the quality is sacrificed to conserve space. I asked Eliot
to talk about some of the current formats ...
REAL AUDIO: Eliot Van Buskirk 4:11
It appears that the big recording companies and their syndicate (the Recording
Industry Association of America) are finally beginning to develop clues
about consumers. Some on-line music download services, such as Apple's
iTunes service, are proving that large numbers of people are willing
to pay for the music they download. Eliot Van Buskirk told me about
technology that makes it easy for individual users to create a link
that allows anyone to make a CD from files you offer, but he wondered
why the music industry hadn't used software like this years ago ...
REAL AUDIO: Eliot Van Buskirk 2:54
For more information about these topics, see http://www.burningdownthehouse.net/.
Technology corner rating for BURNING DOWN THE HOUSE
TEN CATS: This is an outstanding book that covers
the basics of recording and tells you how to do what you want to
do with open-source (usually free) software.
Nerdly News
VeriSign sells Network Solutions
VeriSign says that it will sell its Network Solutions division
to Pivotal Private Equity. Under the terms of the agreement, VeriSign will receive
approximately $100 million: $60 million in cash and a $40 million
senior subordinated note. VeriSign will also retain a 15% equity stake in Network
Solutions. The transaction is expected to close in the fourth quarter.
The timing is "interesting" (not to say "suspicious") in that VeriSign was
sued and then agreed to drop its advertising scheme that temporarily
replaced the standard Internet "404-page not found" error messages.
Other registrars were incensed and nearly everyone who knows anything
about data transmission, spam control, and the like blasted VeriSign
for a decision they said was not beneficial to the overall network.
As a registrar, VeriSign competes with organizations such as Register.com,
Tucows, and GoDaddy. As the administrator of the database for com, net,
cc, and tv domains, VeriSign is in a unique position. Other registrars
felt that using the database of the 4 large top-level domains to serve
up advertisements for a competitor was unfair.
VeriSign announced the decision to sell Network Solutions just weeks after
the other registrars took legal action against the company.
More updates for Windows
The Windows update manager kicked in this week while I was in Tucson on a
slow Internet connection from the Radisson Hotel for PowerPoint Live.
Despite the long download time (about an hour at 21.6Kbps) I obtained
and installed the updates.
According to CERT (Computer Emergency Response Team) at Carnegie Mellon University:
There are a number of vulnerabilities in Microsoft Windows and
Microsoft Exchange that could allow an attacker to gain administrative
control of a vulnerable system. The most serious of these
vulnerabilities allow an unauthenticated, remote attacker to execute
arbitrary code with no action required on the part of the victim. For
detailed information, see the following vulnerability notes:
- VU#575892 - Buffer overflow in Microsoft Windows Messenger Service
There is a buffer overflow in the Messenger service on most
recent versions of Microsoft Windows that could allow an attacker to
execute arbitrary code.
(Other resources: MS03-043, CAN-2003-0717)
- VU#422156 - Microsoft Exchange Server fails to properly handle
specially crafted SMTP extended verb requests
Microsoft Exchange fails to handle certain SMTP extended verbs
correctly. In Exchange 5.5, this can lead to a denial-of-service
condition. In Exchange 2000, this could permit an attacker
to run arbitrary code.
(Other resources: MS03-046, CAN-2003-0714)
In addition, several other vulnerabilities may permit an attacker to
execute arbitrary code if the attacker can convince the victim to take
some specific action (e.g., viewing a web page or an HTML email
message). For detailed information, see the following vulnerability
notes:
- VU#467036 - Microsoft Windows Help and Support Center contains
buffer overflow in code used to handle HCP protocol
There is a buffer overflow in the Microsoft Windows Help and
Support Center that could permit an attacker to execute arbitrary
code with SYSTEM privileges.
(Other resources: MS03-044, CAN-2003-0711)
- VU#989932 - Microsoft Windows contains buffer overflow in Local
Troubleshooter ActiveX control (Tshoot.ocx)
Microsoft Windows ships with a troubleshooting application
to assist users with problems. A vulnerability in this application may
permit a remote attacker to execute arbitrary code with the
privileges of the current user.
(Other resources: MS03-042)
- VU#838572 - Microsoft Windows Authenticode mechanism installs
ActiveX controls without prompting user
A vulnerability in Microsoft's Authenticode could allow a remote
attacker to install an untrusted ActiveX control on the victim's
system. The ActiveX control could run code of the attacker's
choice.
(Other resources: MS03-041, CAN-2003-0660)
- VU#435444 - Microsoft Outlook Web Access (OWA) contains cross-site
scripting vulnerability in the "Compose New Message" form
There is a cross-site scripting vulnerability in Microsoft
Outlook Web Access.
(Other resources: MS03-047, CAN-2003-0712)
Finally, there is a vulnerability in ListBox and ComboBox controls
that could allow a local user to gain elevated privileges. For
detailed information, see
- VU#967668 - Microsoft Windows ListBox and ComboBox controls
vulnerable to buffer overflow when supplied crafted Windows message
There is a buffer overflow in a function called by the Microsoft
Windows ListBox and ComboBox controls that could allow a local
attacker to execute arbitrary code with privileges of the process
hosting the controls.
(Other resources: MS03-045, CAN-2003-0659)
Let us know what you think about this program! Write to:
Bill Blinn --
(wtvn@blinn.com still works)
Joe Bradley --