One Regular Expression

i.?[[:punct:]]?.?f.?.?.?r.?.?.?a.?.?.?m.?.?.?e

That should find most iframe phrases when used in a SQL query, which I won’t lay out here (fairly easy to do with phpMyAdmin; it’s literally a copy-and-paste procedure in the “search” form, just change the mode to the proper setting). I tested it against over a year and a half of my archives with some purposely planted and obscured iframes, and it has no false positives. This will find any iframe obscured via methods found in attacks on Weblogs.us and its users. It may be advantageous to remember this for when Iframe-B-Gone is ready.

-John Havlik

[end of transmission, stay tuned]


Mtekk Iframe-B-Gone

Seems that the events of early last month did not stop. More and more WordPress users are having issues with malicious iframes being inserted into their blogs. Until now, there were no automated detection and removal tools. Iframe-B-Gone, it’s quick, it’s dirty, but it should do the trick. I’ll get a build up sometime this upcoming weekend, after Beta 3 of Breadcrumb NavXT.

What to expect from Iframe-B-Gone:

  • Scanning of the wp-posts and other WordPress database tables for Iframes.
  • Support for regular expressions for custom “evil” tag detection.
  • Notification of locations and option to not delete selected “results”.

Note that fixing hacked themes is beyond the scope of this plug-in; for that, manual searching and removal is necessary, and those familiar with the terminal shouldn’t have a difficult time figuring out the quick way of searching for strings in files contained within a folder.

-John Havlik

[end of transmission, stay tuned]
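
An added example, not the author's code and not Iframe-B-Gone itself: a read-only scan that runs the iframe expression from the first post over constructed rows and reports every hit for review instead of deleting it. It assumes the default `wp_` table names and case-insensitive matching, and it spells out `[[:punct:]]` because Python's `re` has no POSIX classes; the constructed "mainframe" row also matches, which is the kind of result the option to keep selected hits is for.

```python
import re
import sqlite3
import string

# Python's re has no POSIX classes, so [[:punct:]] is spelled out (assumption).
PUNCT = "[" + re.escape(string.punctuation) + "]"
EVIL = "i.?" + PUNCT + "?.?f.?.?.?r.?.?.?a.?.?.?m.?.?.?e"

# (table, id column, text column): WordPress default names, "wp_" prefix assumed.
# These are fixed constants, never user input, so formatting them into SQL is safe.
TARGETS = [("wp_posts", "ID", "post_content"),
           ("wp_comments", "comment_ID", "comment_content")]


def build_sample_db():
    """In-memory stand-in for a WordPress database; every row is constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_posts (ID INTEGER, post_content TEXT)")
    db.execute("CREATE TABLE wp_comments (comment_ID INTEGER, comment_content TEXT)")
    db.executemany("INSERT INTO wp_posts VALUES (?, ?)", [
        (1, "A plain post about breadcrumb navigation."),
        (2, 'Intro <IFRAME src="http://example.invalid/" width="0"></IFRAME>'),
        (3, "Planted test string: i.f.r.a.m.e"),
        (4, "We moved the job off the old mainframe last year."),
    ])
    db.execute("INSERT INTO wp_comments VALUES (7, 'Nice <iframe src=x></iframe>')")
    # SQLite evaluates "value REGEXP pattern" by calling regexp(pattern, value).
    db.create_function("regexp", 2, lambda p, v: bool(re.search(p, v or "", re.I)))
    return db


def scan(db, pattern=EVIL):
    """Return (table, row id, matched text) for every hit; nothing is deleted."""
    hits = []
    for table, id_col, text_col in TARGETS:
        sql = f"SELECT {id_col}, {text_col} FROM {table} WHERE {text_col} REGEXP ?"
        for row_id, text in db.execute(sql, (pattern,)):
            for m in re.finditer(pattern, text, re.I):
                hits.append((table, row_id, m.group(0)))
    return hits


if __name__ == "__main__":
    for table, row_id, matched in scan(build_sample_db()):
        print(f"{table} id={row_id}: matched {matched!r}")
```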


Samy’s Banished

Samy Kamkar is the one who, over a year ago, unleashed an exploit on MySpace that caused anyone who viewed his profile, or his friends’ profiles, to automatically request to be his friend. MySpace filed a civil suit against Kamkar, who pleaded guilty and is now banished from the Internet for a classified amount of time. The plaintiffs claimed that they are “committed to protecting our community from any abusive misuse of the site.”

Frankly, after reviewing the code and reading the explanation of his method, the hack only worked for IE and certain versions of Safari. In reality the exploit was of both the browsers and MySpace; his code should never have executed in the browsers. News Corp. should go after Microsoft as they are equally responsible for this exploit. Regardless, it’ll be interesting to see how they will go about keeping him off the Internet.

In other news, Boston needs to get a brain. Overreacting to the ten or so PCBs with LEDs attached and a black plastic bag protecting the batteries was idiocy. If the police can’t tell the difference between a bomb and an LED sign, how are they supposed to do their job? Seriously, the media needs to stop spreading misinformation and disinformation before the people revolt against them; oh wait, that’s already about to happen (the Internet, YouTube, p2p, etc).

-John Havlik

[end of transmission, stay tuned]

Stupid Phishers, I’m No Idiot

Today someone claiming to be part of the Chase-Security Support Service sent me an e-mail claiming that they ‘discovered’ recent activity on my account and that I had to log-in to my Chase Online account to resolve the issue. Funny how they ‘knew’ that I ‘have’ a Chase card, which I don’t.

Hovering over the hyperlink, in which they tried to discreetly insert a bit of cover code so the average moron would think it was valid, I saw that instead of going to https://chase.com or some related URL the hyperlink pointed to some adsl-numbers link and then the cover http://chase.com/… Knowing that this was definitely a scam, which Thunderbird warned of, I clicked the link. Firefox displayed the address as http://jaew.us/login.htm with additional variable passing in the address, definitely a scam. I tried the https version, and got an access forbidden.

I have taken the liberty of contacting JPMorgan Chase, notifying them of this scammer, who wants your name, credit card number, mother’s name, social security number, and CVV2. After collecting this information, for which I provided fake information such as 123 12 1234 for the social security number, and [Expletive] You Scammer as my ‘name’, I was sent to Chase’s real website, which is not entirely secure as it redirects https traffic to its http server.

-John Havlik

[end of transmission, stay tuned]
