Archive for the 'Spam' Category
Monday, June 15th, 2009 8:18 am
A few months ago I signed up at barnesandnoble.com so I could download some free audiobooks. I of course gave them a uniquely generated email address so I could track if they sold my email address to other companies. I registered, confirmed my account, got my downloads, no problem.
Then I started getting B&N’s weekly newsletter. After a couple weeks, I decided I didn’t want it. So I followed the unsubscribe link, which had my email address embedded into the URL. I go to that page in my browser (Safari 3 under OS X), my email address is already filled into their form, hit the unsubscribe button and wham! “We were unable to process your request. Please try again.”
Ok, maybe they’re having tech problems. Try again a few minutes later. Same error message. So I checked out their Privacy Policy, and sent a nice email to them at privacy@barnesandnoble.com.
Good morning,
A few weeks ago I created an account at the Barnes & Noble web site so I could download some of your free audiobooks. That “purchase” worked just fine. I was able to register my account and I received the download instructions in an email message. The email address I used was the same one I am using to send you this message.
Now I am receiving your weekly email newsletter. I read it, and decided I don’t want to receive it. So I clicked on the opt-out link. (link redacted)
But when I try to submit that link I am told the attempt was unsuccessful. “We were unable to process your request. Please try again.”
It seems to me that if you can allow me to create an account with a long email address, which is entirely valid, you’d allow me to unsubscribe that email address from your promotional mailing list. Please investigate your system, and fix it to allow people with long email addresses to unsubscribe.
Thanks very much for your help,
Michael
I received no response at all from Barnes & Noble.
Two weeks (and two newsletters) later I sent the note to B&N again. And again, no response at all.
If you’re going to have a privacy policy, you need to follow it. Part of that is actually monitoring the email address you give to the public if they have privacy concerns. A complaint has been filed with the Federal Trade Commission.
(Update: I tried submitting the opt-out form with Firefox, which apparently ignores the maxlength field on an input form. And apparently I’ve been opted out. Regardless, B&N needs to actually have someone assigned to do something with their privacy email address. I doubt I would ever shop at bn.com again.)
Posted in Spam | No Comments »
Tuesday, January 13th, 2009 10:59 am
I’ve blocked these domains for spamming.
2009iiisconferences.org
2010iiisconferences.org
ICTconfer.org
smartpowercall.info
requestserv.com
Posted in Spam | Comments Off
Friday, December 19th, 2008 12:03 am
Back in May 2006 I wrote about why I use tagged email addresses. Just today, I found yet another company violating their privacy policy. On October 31, 2007, I registered with BlogFlux.com. Their current privacy policy says:
Your email is only used for contacting you about Blog Flux updates….Your email will also not be distributed to anyone for any purpose….Blog Flux maintains a strict “no-spam” policy. Your e-mail address will not be sold to a third party.
In the past 14 months, I’ve received a handful of messages (well, three) from BlogFlux. Each message clearly identified who they were, each had an opt-out link at the bottom, and each message was related to my BlogFlux account. Today I received a message from “Lesley.” She’s somehow affiliated with LoadedWeb.com. LoadedWeb.com has nothing on their web site about who they are, who’s running the site, their affiliations. LoadedWeb.com also does not have a privacy policy at all. Google searches show that LoadedWeb.com several years ago was a web host.
BlogFlux.com’s privacy policy refers people to their contact page “[i]f you have any questions about this privacy statement, the practices of this site, or your dealings with this Web site…” Unfortunately the contact.php page has no contact info on it at all. That’s the same URL they give in the footer of the site.
Looking at the message headers, I would guess that BlogFlux and LoadedWeb are probably owned or operated by the same people. Their IP addresses are on the same block. (204.11.52.70 and 204.11.52.71). That address is registered to enthropia.com. Their web site looks to be ancient, not updated since 2003?
I’d have to say avoid using BlogFlux.com, or LoadedWeb.com. It is probably just a couple guys doing cool web stuff from their basement, but it feels very random. I don’t think I’d trust them with my personal data or information.
Posted in Spam | Comments Off
Wednesday, November 26th, 2008 7:55 am
Yesterday morning I received a comment spam attempt that had its URL link to a wiki page at the Berkman Center for Internet & Society (at Harvard University). Before approving the comment, I checked out the wiki page. It was full of spam links. I checked out the wiki’s Main Page. A handful of spam links, all gambling related. I sent an email to the generic email address for the Berkman Center. This morning, out of curiosity I looked at the wiki again. Still full of garbage.
Looking through the history of the site’s Main Page, it looks like the wiki was set up on January 3, 2007 at 4:45pm, and last legitimately edited on February 28th. The first spam appeared on April 28th. Since then, the spammers (drugs vs. casino/gambling) have been fighting over the site.
I realize that my notification about this site was sent two days before a major US holiday, but the fact that this site has been allowed to be abused for over a year and a half is frightening. Obviously, this wiki has been forgotten after some long lost project. Did its administrator graduate? Did the project not get funding? Regardless, someone must be maintaining the hardware and site. Somewhere there’s a log file needing to be watched. Groups like the Berkman Center need to set a positive example for secured web systems.
Posted in Spam | Comments Off
Thursday, November 13th, 2008 8:21 am
Starting on November 10th at 10:29am (EST), running through this morning at 6:30am, I have received dozens of comment spam attempts across most of my WordPress blogs. They all followed the same basic format:
Deneen Carrillo | aejqtb@lobhyi.com | IP: 94.102.60.151
5wj9j1bdvd74zbcv
A real looking name, an obviously fake email address (usually with a non-existent domain name, which should immediately flag the comment as spam if WordPress or Akismet were intelligent), an IP address from 94.102.60.151, 94.102.60.152 or 94.102.60.153, and 16 random letters or numbers.
The user agent strings varied widely:
- Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
- Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
- Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
- Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
The bot also submitted every form on the page, including the search form and the submit box. Maybe a simple form should be created to auto-block anyone that submits anything to it. And the bot never downloads images or anything other than the page. Maybe a plugin could check that a user downloaded some other content before allowing a comment to be submitted? Yes, this forms a horserace, but it may work in the short term.
Posted in Spam, WordPress | Comments Off
Monday, November 3rd, 2008 7:48 am
I just got a spam from Dell.com, using busenetwork.net. I’m blocking the scum at busenetwork.net. And reporting it to Dell just in case it’s not really from them. Someone else got this as well. Searching through my mail logs shows I’m also getting other messages from busenetwork.net, regarding CareerTrack.
Any time a user has to do anything to stop getting stuff he didn’t ask for, it’s spam. Period. If busenetwork.net can show to me proof that I signed up for this, fine. But they can’t. Therefore it’s spam and illegal.
Posted in Spam | Comments Off
Wednesday, September 24th, 2008 10:35 am
Comment spammers are definitely getting trickier, as noticed by Mark Ghosh in his article Comment Spam with more Kung Fu?. I’m starting to notice that the comment spammers are now starting to simply copy and paste an existing comment and submit as their own comment.
My guidelines for identifying comment spam that doesn’t get caught by Akismet:
- If the “name” is not a first and last name, the comment is probably spam. It will at least get a closer look.
- If the “name” is not a name at all (furniture, travel deals, SEO-anything) the comment is spam.
- If the “email” is from China or Russia, the comment is spam.
- If the “email” looks fake, the comment is spam.
- If the site at the “URL” is not in English, the comment is spam.
- If the site at the “URL” feels spammy (an entirely subjective opinion), the comment is spam.
- If the comment itself has links to the poster’s web site, like an email signature, that signature will get removed from the comment. Plus if the signature URL is different than the “URL” field, the comment is spam.
If the comment passes all of these items, then I check my web server’s log files to find where the user came from. Look at this spammer:
75.101.138.119 - - [22/Sep/2008:21:35:36 -0400] "GET /2008/06/26/helo-bot-hostname/ HTTP/1.1" 200 23602 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
75.101.138.119 - - [22/Sep/2008:21:35:39 -0400] "POST /wp-comments-post.php HTTP/1.1" 302 1 "http://www.planetmike.com/2008/06/26/helo-bot-hostname/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
75.101.138.119 - - [22/Sep/2008:21:35:43 -0400] "GET /2008/06/26/helo-bot-hostname/#comment-15818 HTTP/1.1" 404 19992 "http://www.planetmike.com/2008/06/26/helo-bot-hostname/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
They’re coming from Amazon’s Web Services (75.101.138.119 is ec2-75-101-138-119.compute-1.amazonaws.com). Hmmm, weird. They originally came to my site from nowhere, ie a bookmark or typing my URL into their IE 6 web browser. It only took them three seconds to read the page, enter their comment, and submit their comment. Not likely. This comment was spam.
After looking at the server log, if I’m still not sure if it’s a real comment, I generally, but not always, will approve the message but may remove the URL so there isn’t a link from the comment.
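An added example, not code from the original posts: the server-log check described above, combined with the "did the client download anything other than the page" idea from the November 13th, 2008 post, as one Python pass over access-log lines. The first two sample lines are the ones quoted above; the 192.0.2.10 visitor, search.example, the style.css path and the 10-second threshold are assumptions made for the example.

```python
import re
from datetime import datetime

# Combined log format, as in the lines quoted in the post (status/UA not needed here).
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                  r'\d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"')
ASSET = re.compile(r'\.(css|js|png|gif|jpe?g|ico)(\?|$)', re.I)
COMMENT_POST = "/wp-comments-post.php"
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
SITE = "http://www.planetmike.com/2008/06/26/helo-bot-hostname/"
# First two lines are from the post; the 192.0.2.10 lines are constructed.
SAMPLE = [
    f'75.101.138.119 - - [22/Sep/2008:21:35:36 -0400] "GET /2008/06/26/helo-bot-hostname/ HTTP/1.1" 200 23602 "-" "{UA}"',
    f'75.101.138.119 - - [22/Sep/2008:21:35:39 -0400] "POST /wp-comments-post.php HTTP/1.1" 302 1 "{SITE}" "{UA}"',
    '192.0.2.10 - - [22/Sep/2008:21:40:00 -0400] "GET /2008/06/26/helo-bot-hostname/ HTTP/1.1" 200 23602 "http://search.example/?q=helo" "Mozilla/5.0"',
    f'192.0.2.10 - - [22/Sep/2008:21:40:01 -0400] "GET /wp-content/themes/default/style.css HTTP/1.1" 200 5120 "{SITE}" "Mozilla/5.0"',
    f'192.0.2.10 - - [22/Sep/2008:21:41:35 -0400] "POST /wp-comments-post.php HTTP/1.1" 302 1 "{SITE}" "Mozilla/5.0"',
]

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # skip lines that are not in combined log format
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def score_comment_posts(lines, min_seconds=10):
    """One (ip, reasons) finding per comment POST; empty reasons means nothing odd."""
    history, findings = {}, []
    for rec in filter(None, map(parse, lines)):
        seen = history.setdefault(rec["ip"], [])  # earlier requests from this client
        if rec["method"] == "POST" and rec["path"] == COMMENT_POST:
            reasons = []
            pages = [r for r in seen if r["method"] == "GET" and not ASSET.search(r["path"])]
            if not pages:
                reasons.append("no page view before POST")
            else:
                dwell = (rec["ts"] - pages[-1]["ts"]).total_seconds()
                if dwell < min_seconds:  # too fast to read the page and type a comment
                    reasons.append(f"posted {dwell:.0f}s after page load")
                if pages[0]["ref"] in ("", "-"):
                    reasons.append("first page view had no referrer")
            if not any(ASSET.search(r["path"]) for r in seen):
                reasons.append("never fetched css/js/images")
            findings.append((rec["ip"], reasons))
        seen.append(rec)
    return findings
```

Calling `score_comment_posts(SAMPLE)` returns three reasons for 75.101.138.119 and none for the constructed visitor. The reasons are signals for a closer look rather than proof, since browser caches and privacy settings can hide asset requests and referrers.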
Posted in Spam, WordPress | Comments Off
Sunday, August 17th, 2008 5:33 pm
We’ve gotten past CNN and MSNBC spam. The newest round of spam theme (speme) is pushing ADT home security systems. According to the From field of the messages, “Certified ADT Dealer” or “Authorized ADT Dealer” is now spamming to sell ADT memberships.
All of the messages received at planetmike thus far have had both of these postal addresses listed:
3549 North University Provo, Utah 84604
11915 126th ave Kpn | Gig Harbor, WA 98329
The Utah address is apparently a mail center of some sort, based on the wide range of suites at that address. The Washington state address is in the middle of nowhere, but has been used in other spam messages earlier this month, see Email Spam and Scams Stink! for details.
The ADT spam gives two of these links for online unsub requests
These domains currently all resolve to 216.153.50.93.
ADT does not have a method to contact them from their web site that would not end up with my postal address, email and phone being besieged with marketing from ADT about their services. So hopefully they will learn of their rogue affiliate (or more likely, someone spamming and scamming in ADT’s name) when they get tons of complaints on Monday morning.
Visiting techgetname.info ends up in a redirect to payoutmedia.com. You also get a meta refresh to marketleverage.com. According to their web site, “Market Leverage is an internet affiliate marketing network.” Javascript on their site is served by cetrk.com. They also link to marketleveragenews.com. That Whois info (which has an invalid state listed, and the domain should be shut down by ICANN) refers to precisionplay.com. What a tangled web of spam.
Posted in Spam | Comments Off
Friday, June 27th, 2008 5:54 am
On May 1st, I zapped my 30,000th comment spam. Yesterday was the 40,000th. Here’s a chart of the count, recorded daily.

And here’s the daily rate, with a peak since May 8th (the end of the last storm) at 160 on June 6th, and a low of one on May 19th.

Posted in Spam | 1 Comment »
Thursday, June 26th, 2008 11:09 am
This morning I received a string of bot spam attempts from some idiot spammer using the following as his HELO command (yes, including the braces):
HELO {bot_hostname}
Luckily Postfix rejected the conversation immediately.
Posted in Spam | Comments Off