Allow disabling a keyword pattern

General discussion re sg.

Allow disabling a keyword pattern

Postby warrenn » Tue Sep 04, 2007 1:12 am

The problem is that I used an address like this:

newsgroups.10.warren

And now I'm getting spams with random addresses like this:

xyznewsgroups.10.warren
blahnewsgroups.10.warren
...

Obviously the spammers are just putting garbage in front of the address.

I know that I can use watchwords and prefixes to disable these kinds of addresses, but I don't want to do that to all my addresses. I have many addresses out there that I have not yet received any mail. Adding a watchword would render those addresses invalid. It's just the newsgroups.10.warren address that's affected.

So I was wondering if there's a way to have some sort of pattern match in a keyword? That way I could create an address like this:

.*newsgroups.*.10.warren

and then set the remaining messages to 0. That would eliminate any email getting through where they just added a random string to an existing address.

However, I don't think you could just enable regex patterns in a keyword since sometimes people use regex characters in their keyword. Doing regex parsing on them might produce unintended results.

One way might be to have an untrusted keyword list. It would act the reverse of the watchwords. Any address with a keyword matching pattern in the untrusted keywords would be discarded. In my case, I could add ".*newsgroups.*" to the untrusted keyword list to discard all the spam emails.
warrenn
 
Posts: 12
Joined: Tue Sep 04, 2007 12:58 am

Postby SysKoll » Tue Sep 04, 2007 4:26 pm

Warren,

We could implement what you suggest, but then we'd have to field problems regarding people using it incorrectly. Pattern matching can be tricky.

How bad is your problem? How many addresses did the spammers create?
-- SysKoll
SysKoll
 
Posts: 893
Joined: Thu Aug 28, 2003 9:24 pm

Postby warrenn » Tue Sep 04, 2007 5:17 pm

SysKoll wrote:Warren,

We could implement what you suggest, but then we'd have to field problems regarding people using it incorrectly. Pattern matching can be tricky.

How bad is your problem? How many addresses did the spammers create?


I think I have about 10 or so addresses like this. They didn't all come at once. Every month or so another one will be created and I'll have to disable that new address.

The more I think about this, the less sense it makes to change the keyword. It might make more sense to have something like anti-watchwords.

I was trying to play with the regular expressions to see if I could come up with something that would match everything except newsgroups. I was thinking something like this:

^.*\(newsgroups\)\{0,0\}.*$

but that didn't work. I can't figure out a regex to match everything except for a given pattern.

Maybe the watchwords list could be specified in a way which says that some words must not appear. Like a '-' in front means the pattern must not match (like 'grep -v'). For example, say my watchwords were these:

goodstuff
funstuff
-newsgroups

Then addresses which contained goodstuff and funstuff would go through, but any addresses containing newsgroups would be discarded.
warrenn
 
Posts: 12
Joined: Tue Sep 04, 2007 12:58 am

Postby vellire » Tue Sep 04, 2007 7:41 pm

I had this problem crop up just today. My very spammiest address is "freecycle" (not that I was surprised!) and today I received a phishing attempt to the prefix "|freecycle". I would be very happy to block creation of any address which includes the string "freecycle" - the untrusted keyword idea sounds perfect.
vellire
 
Posts: 27
Joined: Tue Jan 27, 2004 7:42 pm

spammer created sg address

Postby ScottF4 » Mon Sep 10, 2007 3:10 pm

I also received spam from a spammer generated sg address

from "+nehogjackpot+username+f02cc39c6c.fiwkargermediamug#kargermedia.com@spamgourmet.com" <+nehogjackpot+username+f02cc39c6c.fiwkargermediamug#kargermedia.com@spamgourmet.com>
reply-to +nehogjackpot+username+f02cc39c6c.fiwka ... ourmet.com
to nehogjackpot.username@antichef.com
date Sep 10, 2007 6:59 AM
subject Software (nehogjackpot: message 1 of 10)
mailed-by spamgourmet.com

Several interesting things;
The original address was phonehogjackpot.username@spamgourmet.com, the spammer switched to a different domain

The original address was created 2/13/2005 and has 5974 deleted messages. Since I haven't used this address in over 2 years, the spammer must be mining his own (or a rented list) for sg addresses.

Is there any significance to the form of the from address? Could this have been created on the sg site or is merely the reuse of the original return address?

Scott
ScottF4
 
Posts: 30
Joined: Sat Dec 03, 2005 5:46 pm

Postby josh » Mon Sep 10, 2007 7:54 pm

I think someone just took all the spamgourmet addresses in their list and messed with them. They definitely weren't created on the site.

We're looking at ways to block some of this, and, of course, there's always watchwords.
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Postby sg-since03 » Tue Sep 25, 2007 7:11 pm

[/quote]I think someone just took all the spamgourmet addresses in their list and messed with them. They definitely weren't created on the site.[quote]

Josh, there's a new wrinkle; now spammers are parsing the user id itself.

OK, we've all been reporting "add-ons," as in
word-the-user-created.userid(@sg-domain) changed to
spammer-added-word~word-the-user-created.userid(@sg) .

This week I received email sent to a "brand-new" address, as in
word-I've-never-used.userid(@sg-domain) . The fiend knew enough about sg to send exactly three emails, the sg default.

[/quote]We're looking at ways to block some of this, and, of course, there's always watchwords.[quote]

Watchwords will stop this latest example - completely new, "spammer original" addresses. It won't stop what we've been discussing until now - spammer-modified user-created addresses.

As de552 pointed out in another thread ("Ongoing topic - spammer-generated sg addresses"), spammers can add to watchword-protected sg addresses just as easily as [they can add to] sg addresses unprotected by watchwords.

All I can think of is:
Create a long list of watchwords. Keep 'em short and truly weird - not something you'd type by accident or likely to be randomly generated, or something you'd normally use. Delete the watchword [from the watchword list] as soon as you use it. More work, but less spam.

Now all we need is an option to block spammer-generated trash from even showing up in the "Eaten Messages" list.

As always - thanks, Josh! ("SG forever...")
sg-since03
 
Posts: 46
Joined: Sun Sep 02, 2007 9:11 am

Postby SysKoll » Wed Sep 26, 2007 1:06 am

Ye gods. All of that to send spam to people who have proven they really hate it. Why?
-- SysKoll
SysKoll
 
Posts: 893
Joined: Thu Aug 28, 2003 9:24 pm

Postby sg-since03 » Wed Sep 26, 2007 2:39 am

Ye gods. All of that to send spam to people who have proven they really hate it. Why?


If you could answer that, you'd be in another profession.
(Psychology? Sociology? Criminal Justice??)

I still like Warrenn's "anti-watchwords" idea.
("[/i]must not[/i] contain <someword>," expressed simply as "-watchword.")

PS I turned HTML back on in my profile, but obviously it isn't working. Any ideas?
Oh - not to leave you out, SysKoll - for all the SG you do, thank you.
sg-since03
 
Posts: 46
Joined: Sun Sep 02, 2007 9:11 am

Postby SysKoll » Wed Sep 26, 2007 3:10 am

I believe HTML is disabled at the BBS engine level even if the profiles say otherwise. I use BBcode. It's good enough. Make sure you enable it in your profile.
-- SysKoll
SysKoll
 
Posts: 893
Joined: Thu Aug 28, 2003 9:24 pm

Postby Paranoid2000 » Fri Dec 07, 2007 10:53 am

SysKoll wrote:Ye gods. All of that to send spam to people who have proven they really hate it. Why?
Simple - spammers are stupid. ;)
Paranoid2000
 
Posts: 71
Joined: Wed Dec 15, 2004 10:48 am

Postby Jim27106 » Wed Dec 12, 2007 5:13 pm

I've gotten messages with the address truncated before (eg, Snickers.3.me@dfgh.net became Nickers.3.me@dfgh.net (capitalization for emphasis), but never what looked to be a deliberate generation of addresses.

I figured the stupid spammers had problems with their harvesting code.

I can't believe someone would deliberately try to make new spamGourmet addresses. Surely they know we know the first rule of spam is never to buy anything from a spammer.

I tell my students that if they see a spamvertised product and are interested I will find a source for that product from a non-spammy source. Even if it is breast enlargement.
Jim27106
 
Posts: 92
Joined: Sun Mar 05, 2006 8:07 am

Postby SysKoll » Thu Dec 13, 2007 2:31 pm

Jim27106 wrote:I've gotten messages with the address truncated before (eg, Snickers.3.me@dfgh.net became Nickers.3.me@dfgh.net (capitalization for emphasis), but never what looked to be a deliberate generation of addresses.

I figured the stupid spammers had problems with their harvesting code.


Yes, that's what it looks like. Got a few of them.

A few years ago, I also got spam to an email address that was given only to a magazine, and used in a printed letter to the editor. It didn't appear online. Moreover, the spam was addres had a big fat typo in the middle, so it had been typed in, not collected. So some spamers actually have (or had) people paid to type in addresses from print media.

Jim27106 wrote:I tell my students that if they see a spamvertised product and are interested I will find a source for that product from a non-spammy source. Even if it is breast enlargement.


Oh, I don't know. Half the girls in college start dressing like sluts as soon as winter is over. Do you really need them jailbait to be more provocative?
-- SysKoll
SysKoll
 
Posts: 893
Joined: Thu Aug 28, 2003 9:24 pm


Return to General Discussion

Who is online

Users browsing this forum: No registered users and 23 guests