PGTS Journal
January 2005
Last Updated: 17-Feb-2005 01:55 GMT

PGTS Blog: January 2005

14-Jan-2005 23:55

Ok, everyone else is doing it ... So I have decided to start a blog ...

It has been prompted by various feedback that I have received. Some of it is quite interesting ... However, sometimes people have asked me not to publish. I got a fascinating email last year from someone formerly associated with a spammer in Laurel Canyon ... but I did promise not to publish it.

In a blog I feel less constrained ... since the style is less "formal". However if someone has asked me to withhold their name, I will keep it confidential. I may mention first names however (tell me if you want to use an alias).

At the time of writing, this blog probably won't be up on The Internet for a few days or so (I am hoping to have it up by 2005-01-17). I have to write the blogging software (in perl of course).

So here goes my first blog ... Or a sort of a blog. I will try and stick to the subjects that I have been addressing in the feedback column (SysAdmin, programming tips for SQL, perl, postgres, oracle, awk and shell and occasionally lapse into diatribe about SPAM). Since it is an extension of the feedback column, it is, strictly speaking, more of a "flog" (feedback log) than a "blog" ... And sometimes I confess I do feel as though I am flogging a dead horse <ta-dum!> ... Which might be a good title for my first entry ...

Entries are inserted LIFO (last in, first out), i.e. in reverse chronological order. There will be an index for each month (see below). The index is in chronological order.

Blog Entries:


Another Big Linux Rollout in Europe

Date: Sun, 30 Jan 2005 22:04:00 +1100

Czech Post: 3,400 Linux servers and 12,000 workstations deployed

i-Newswire, 2005-01-30 - Czech Post relies on APOST, a customized system used by 20,000 employees for all postal operations. APOST had been running on a range of operating systems including DOS and Microsoft Windows NT, but reached a point where running in a proprietary environment was proving too costly. With a disparate environment across 3,400 locations, Czech Post was experiencing increased administration costs, as well as downtime and security issues.

According to this link the system has been rolled out with assistance from Novell consultants.

Chip, chip ... Chipping awaaaaay!

Back To Index


When are you going to sue your customers?

Date: Thu, 27 Jan 2005 10:59:58 +1000

Stephen R. Walli has written an essay titled When will you sue your customers?

He makes the rather obvious point that the US patent system is broken, and that it will soon start to impact on business in the USA and the rest of the world. The issues of Intellectual Property, including Software Patents and Copyright Protection Measures, are controversial and emotive topics. Stephen Walli still manages to discuss these matters in a dispassionate manner.

He examines the proposition that vendors might sue customers. This remains a topic of discussion, because of vague threatening pronouncements from corporations such as Microsoft.

He also examines the notion of insurance against such circumstances. And if I might quote him:

The idea that as an enterprise (not a vendor or developer) one might want to buy insurance against such risk is interesting. One insures one's assets, not one's liabilities. I insure my life and health as it relates to earning power for the household. As my salary goes up over time, I might increase that insurance. Likewise I insure my car, but as the value of the car depreciates over time, I remove insurance from the vehicle as it relates to replacement of the devalued "old clunker." I don't insure my children.

This is a timely and well-considered essay.

Back To Index


Plaxo - Black, Grey or White?

Date: 26 Jan 2005 04:22:06 -0000

The other day I got an email from someone who has uploaded his address book to Plaxo. I have mentioned Plaxo previously, in the PGTS Feedback Column. At the time, I stated that I could not make up my mind whether it qualified as SPAM or HAM. Now turning to the most recent e-mail, the headers are less hammy but they are, nevertheless, quite interesting. Here they are:

	From baddr-171979931699-39699068-900436804-1S@mx.plaxo.com Wed Jan 26 15:31:15 2005
	Return-Path: <baddr-171979931699-39699068-900436804-1S@mx.plaxo.com>
	Received: from mx.plaxo.com (mx01.plaxo.com [66.54.249.34])
		by pgts04.pgts.com.au (8.11.6/8.11.6) with SMTP id j0O4VDm69655
		for <gerry@pgts.com.au>; Wed, 26 Jan 2005 15:31:13 +1100 (EST)
		(envelope-from baddr-171979931699-39699068-900436804-1S@mx.plaxo.com)
	Received: (qmail 21137 invoked from network); 26 Jan 2005 04:22:06 -0000
	Received: from pas05.plaxo.com (10.1.0.6)
	  by mx03.plaxo.com with QMQP; 26 Jan 2005 04:22:06 -0000
	Received: from 211.30.111.41 by pas02.plaxo.com; 26 Jan 2005 04:26:17 -0000
	Message-ID: <1106540526.20403.26910.sendUpdate@mx.plaxo.com>
	XDSB-Id: 1031992::20040701::PlaxoUpdateRequest
	Date: 26 Jan 2005 04:22:06 -0000
	From: "Fred Nurk" <fred_nurk@optusnet.com.au>
	To: "Gerry Patterson" <gerry@pgts.com.au>
	Reply-to: "Plaxo Contact Update for Fred Nurk" <addrupdate-171979931699-39699068-900436804-1SH@mx.plaxo.com>
	Precedence: bulk
	Subject: Please help me update my address book
	MIME-Version: 1.0
	Content-Type: multipart/mixed;
	 boundary="_-------==3636427023"

Note: I have munged the addresses to protect the identity of the person who owns the address book (I use the fictional name "Fred Nurk" and munged the Plaxo labels so that nobody can trace back to discover who this person really is).

Also included was the following message (as multipart/mixed). It is rendered below as plain text:

	Greeting Gerry,

	I'm updating my address book. Please take a moment to update
	your latest contact information. Your information is stored in
	my personal address book and will not be shared with anyone
	else.

	Kind regards

	Fred Nurk

	Click the following link to correct or confirm your information: <link to Plaxo Site>

	Name: Gerry Patterson
	Job Title:
	Company:
	Work E-mail: gerry@pgts.com.au
	Work Phone:
	Work Fax:
	Work Address Line 1:
	Work Address Line 2:
	Work City, State, Zip:
	Mobile Phone:

	Home E-mail:
	Home Phone:
	Home Fax:
	Home Address Line 1:
	Home Address Line 2:
	Home City, State, Zip:
	Birthday:

I do find these headers (and the body) intriguing.

I use mutt, which is a non-GUI MUA. And I must say, that had HTML email been invented first, what a marvellous invention text-only email would seem! I have configured mutt to show headers when I compose email (with vi). I can also view all the headers easily. So, when the email from Plaxo arrived, the following things were apparent to me:

  1. The From: address says From Fred Nurk <fred_nurk@optusnet.com.au>.
  2. Although it says it is from Fred, the Reply-To: address says something different, and if I press "r" (in mutt this means "reply"), the To: tag will contain <addrupdate-171979931699-39699068-900436804-1SH@mx.plaxo.com>, rather than Fred Nurk's e-mail address.
  3. The Subject: says "Please help me update my address book", which is not my friend Fred Nurk speaking, but Plaxo.
  4. The body text is signed with Fred's name, but it actually comes from Plaxo!
  5. Unless I get gripped by a bout of sudden temporary insanity, Plaxo have about as much chance of getting information such as my birthday, home address, business address, etc. out of me as I have of getting a date with Sharon Stone.

Now that might be obvious to me, but most of it (apart from the last point) may not be so obvious to your average GUI user.

Your average GUI user might look at the HTML version of this email in their GUI MUA and suppose that they are looking at an email from their good friend Fred Nurk, asking them to please update their details in his address book. They might even click on the link to update Fred's address book.

Now the more wary GUI user (yes, there are a few of them) might pause to think -- Hey! Fred should know all this stuff! (seeing as how they are such good mates).

This would not occur to the less wary, or they might think -- Oh well, maybe he was just too lazy to put it in his address book -- I'll do it for him. And they would hand over the details to Plaxo (who up to this point only had their e-mail address).

The more wary GUI user might click the reply button (finally the lesson has begun to sink in that one should not click on things in HTML emails -- especially if one is a GUI-only user).

Well, it should be safe to reply -- after all, the email does say it is From: Fred Nurk. But the Reply-To: tag means that the reply goes to <addrupdate-171979931699-39699068-900436804-1SH@mx.plaxo.com>.

Now your average GUI user can't see that portion of the address. He only sees the part in double quotes. So if he is still a very wary user he might notice that, after clicking "Reply", the To: address now says "Plaxo Contact Update for Fred Nurk", and reconsider. But this only happens after actually clicking on Reply, and "Fred" did mention that it was for his address book. So if the victim fills in the fields in the body and then clicks on Send ... it goes not to Fred Nurk ... but to Plaxo.
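The header pattern picked apart above can be checked mechanically rather than by eye in mutt. The following Python is an added example (not code from this blog, and nothing to do with Plaxo's own software): it parses the message with the standard email module and reports when From:, Reply-To:, Return-Path: and the relay that handed the message to our MX do not agree on a domain. The first header block is the one quoted above (already munged there); the one-line body and the second, "direct" message are constructed for contrast, with a made-up relay host in the 192.0.2.0/24 documentation range.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers as quoted in the entry above (already munged there); the one-line
# body is a constructed stand-in for the Plaxo form.
PLAXO = """\
Return-Path: <baddr-171979931699-39699068-900436804-1S@mx.plaxo.com>
Received: from mx.plaxo.com (mx01.plaxo.com [66.54.249.34])
    by pgts04.pgts.com.au (8.11.6/8.11.6) with SMTP id j0O4VDm69655
    for <gerry@pgts.com.au>; Wed, 26 Jan 2005 15:31:13 +1100 (EST)
Received: (qmail 21137 invoked from network); 26 Jan 2005 04:22:06 -0000
Received: from pas05.plaxo.com (10.1.0.6)
    by mx03.plaxo.com with QMQP; 26 Jan 2005 04:22:06 -0000
Message-ID: <1106540526.20403.26910.sendUpdate@mx.plaxo.com>
Date: 26 Jan 2005 04:22:06 -0000
From: "Fred Nurk" <fred_nurk@optusnet.com.au>
To: "Gerry Patterson" <gerry@pgts.com.au>
Reply-to: "Plaxo Contact Update for Fred Nurk" <addrupdate-171979931699-39699068-900436804-1SH@mx.plaxo.com>
Precedence: bulk
Subject: Please help me update my address book

Click the following link to correct or confirm your information.
"""

# Constructed control message: a mail that really came via Fred's provider.
# 192.0.2.10 is a documentation address, not a real optusnet host.
DIRECT = """\
Return-Path: <fred_nurk@optusnet.com.au>
Received: from mail.optusnet.com.au (mail.optusnet.com.au [192.0.2.10])
    by pgts04.pgts.com.au (8.11.6/8.11.6) with SMTP id j0O4VDm69656
    for <gerry@pgts.com.au>; Wed, 26 Jan 2005 15:40:00 +1100 (EST)
From: "Fred Nurk" <fred_nurk@optusnet.com.au>
To: "Gerry Patterson" <gerry@pgts.com.au>
Subject: Lunch?

Are you free on Friday?
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in an address header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def handoff_host(msg):
    """Host named by 'from' in the topmost Received: line: the relay that
    handed the message to our own MX, which the author of From: cannot forge."""
    for value in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([\w.-]+)", value)
        if m:
            return m.group(1).lower()
    return ""


def same_org(host, domain):
    """True when host is domain itself or a host beneath it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def analyse(raw):
    """Return the domains involved plus the mismatch flags a filter could score."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    envelope_dom = domain_of(msg["Return-Path"])
    relay = handoff_host(msg)
    result = {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "envelope_domain": envelope_dom,
        "handoff_host": relay,
        # Reply-To points somewhere other than the claimed sender's domain.
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        # Bounces (the envelope sender) go to a third party too.
        "envelope_mismatch": bool(envelope_dom) and envelope_dom != from_dom,
        # The relay that delivered to us is not run by the From: domain.
        "relay_mismatch": bool(relay) and not same_org(relay, from_dom),
        "precedence_bulk": (msg.get("Precedence") or "").strip().lower() == "bulk",
    }
    # All three disagreeing is the signature of a service sending "as" its user.
    result["third_party_sender"] = (result["reply_to_mismatch"]
                                    and result["envelope_mismatch"]
                                    and result["relay_mismatch"])
    return result


if __name__ == "__main__":
    for label, raw in (("plaxo", PLAXO), ("direct", DIRECT)):
        print(label, {k: v for k, v in analyse(raw).items() if isinstance(v, bool)})
```

None of these flags is proof of spam on its own (mailing lists legitimately set Reply-To: and Precedence: bulk), which is why the function hands back the individual findings for a filter to weigh rather than a verdict.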

It appears that Plaxo have tried to clean up their act since I last mentioned them in the Feedback Column. And yes, they are no longer listed in popular DNS-block lists. And some people are even saying nice things about them. But I think this email shows that they are not so nice. In fact, the rather tricky construction of these headers borders on deceptive and misleading conduct. It may not be illegal but it certainly is not honest.

For an in-depth discussion of what else might be not-so-nice about Plaxo see Roger Clarke's Black Book.

For non-technical, GUI-only users (and I hope there are a few of you peeking over the other side of the fence to see what technos are discussing), a word of warning ... If you still wish to use Plaxo to store your address book, make sure you let the people on the list know that their details are held by Plaxo. You have just sent all the data on those people to an external organisation, and unless you are a Californian, it may be out of your jurisdiction (and judging by Roger Clarke's article, the news is not all that good for Californians).

If you are the recipient of one of these e-mails -- Remember the first rule of the Internet for GUI only users Don't click on anything in your inbox!

(Makes one wonder ... why have a GUI MUA? -- Why indeed!)

Back To Index


Unreal profits from Vocalscape Outsider Trading.

Date: Tue, 25 Jan 2005 11:24:36 +1100

Re: New Breed of VCSC St0ckTrader quadruplet

Dan (from Armidale) received some spam recently which gave him some "hot" stock market tips. The spammer told him that the company Vocalscape was going to make some "unreal profits" ... Ahh but for whom? That is the question.

<sarcasm> Of course, when information arrives from such a reliable source, we should all rush out and buy up lots of Vocalscape stock! </sarcasm>

The full transcript has been stored in the PGTS mail abuse database here.

This turned out to be quite an interesting sample of spam for many reasons.

First, it appears that it came from his own ISP! This seems to have been a common problem for this ISP, which was listed not long ago. I also found evidence of mail abuse from a domain hosted by them. There was one positive in the Openrbl multi-DNSBL lookup list, and reports in the mail abuse section of http://groups.google.com/groups. Following an Openrbl reference, I found a recent mail abuse report from someone in the US. This has the appearance of something from a Microsoft spam zombie; it is dated 20-Jan-2005.

Jupiter.picknowl.com.au is the primary MX for the picknowl.com.au domain (hosted by Chariot), so it may be possible that zombies within that domain are relaying via this host, as well as via the Chariot host.

Microsoft spam zombies are so common, that it is nothing to get excited about. And the topic of spam zombies is one which could be worth an entire essay.

However, before I go off on a tangent about spam zombies, I should return to the topic of this particular spam, which is the New York Registered company, Vocalscape. This email appears to be part of a stock market scam. I am not sure if this particular scam has a name, but I suppose one could call it Outsider Trading?

To date, this is all I have discovered about Vocalscape, Inc.

Vocalscape, Inc. is an emerging developer of interactive communication software. The Company has created software and interactive solutions revolving around global communications and Data Voice Convergence. Vocalscape focuses on adding to customers website and customer support centres by integrating website solutions that enable real human assistance, live interaction services such as instant messaging, voice over the Internet (VOIP) and interactive desktop solutions sharing solutions. Web site: http://www.vocalscape.com

The above appears to be a press release of some sort from Vocalscape. It has probably been sent around to various websites that offer stock market analysis. It is still featured on many news websites around the world (esp. those dealing with technology or Internet related news). In addition, many of the press releases carry the following news snippet:

Vocalscape Announces Partnership with VBS Telecom

Vocalscape appears to be a NY company:

	VCSC-Vocalscape, Inc.

	Address:
	282 Katonah Ave.
	#200
	Katonah, NY 10536
	USA

As usual, this spam seems to have gone all around the globe. Google reported 240 hits for the search "Vocalscape+spam+stock+market". The question is ... has this helped their stock price?

The following is a chart which I found in a quote from ADVFN.com:

Interestingly, there is a missing chunk from this graph. And it is just before this particular spam was sent. I am not sure yet whether this is significant. Most of the spam reports seem to indicate that this particular spamming campaign peaked between December 2004 and January 2005. However, I have found reports going back to October 2004 (see this SPAM notice). And there does seem to have been a large spike in the price last year. So it is possible that there was a previous spam campaign promoting this stock.

Back To Index


Postgres and Network Address Types

Date: Mon, 24 Jan 2005 10:31:17 +1100

When I first started using postgres, I was already an experienced Oracle user. I found myself typing things like:

	select 'yada' from dual;

Of course in postgres all you need to use is:

	select 'yada';

I even created a table called "dual" in order to overcome this. Of course since then I have learned to do things the postgres way.

One very useful feature in postgres is the Network Address Types. Unfortunately, I did not discover them until I had written a swag of software. Most of this was for the agent tracking system and it employs varchar data types for IP addresses. It was only later when I was writing perl routines to relate/extract CIDRs and IP addresses, that I discovered these very useful data types.

When I first started using postgres (to develop this website), I had used the manuals only as a reference guide, dipping into it when I had a question about the way that postgres worked. Later, the discovery of network address types caused me to regret that I hadn't spent the time to read all the documentation more thoroughly when I first installed it.

So a word of advice for those of you who are new to postgres, or contemplating using it. If you are dealing with addresses, CIDRs or MAC addresses, read the section on network address types now! It could save you a lot of work, and add a very powerful feature to your software toolbox.

Of course, now I am faced with the problem of how to upgrade the existing system that uses varchar types to store IP addresses. Just another little project that I have to do when I have the time.
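As a sketch of the upgrade that paragraph mentions, here is an added Python helper; it is not the author's Perl, nor anything from the agent tracking system, and the table and column names (agent_hits, ip) and the rows are made up. It vets every varchar value with the standard ipaddress module before emitting the ALTER, because a single value that will not cast to inet aborts the whole statement, and it shows in Python the containment test that the inet operator << gives you for free once the column has the right type.

```python
import ipaddress

# Constructed rows as they might sit in a varchar column (hypothetical table).
# Row 3 will still fail the ::inet cast after cleanup; row 5 becomes NULL.
ROWS = [
    (1, "192.0.2.17"),
    (2, "198.51.100.200"),
    (3, "192.0.2.300"),       # octet out of range
    (4, " 203.0.113.5 "),     # stray whitespace from an old import
    (5, ""),                  # empty string where NULL was meant
    (6, "2001:db8::1"),       # IPv6 is fine, inet holds both families
]

TABLE, COLUMN = "agent_hits", "ip"   # hypothetical names


def normalise(value):
    """What the cleanup UPDATE below does: trim, and turn '' into NULL."""
    value = (value or "").strip()
    return value or None


def invalid_rows(rows):
    """Keys and values that still will not parse after normalisation."""
    bad = []
    for key, value in rows:
        v = normalise(value)
        if v is None:
            continue
        try:
            ipaddress.ip_address(v)
        except ValueError:
            bad.append((key, value))
    return bad


def migration_sql(table, column):
    """Statements to run, in order, once invalid_rows() comes back empty."""
    return [
        f"UPDATE {table} SET {column} = NULLIF(trim({column}), '');",
        f"ALTER TABLE {table} ALTER COLUMN {column} TYPE inet USING {column}::inet;",
    ]


def contained_in(ip, cidrs):
    """Python equivalent of WHERE ip << cidr, over a list of candidate CIDRs."""
    addr = ipaddress.ip_address(ip)
    out = []
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=False)
        if addr.version == net.version and addr in net:
            out.append(c)
    return out


if __name__ == "__main__":
    print("rows needing a fix:", invalid_rows(ROWS))
    print("\n".join(migration_sql(TABLE, COLUMN)))
    print(contained_in("192.0.2.17",
                       ["192.0.2.0/24", "198.51.100.0/24", "192.0.0.0/16"]))
```

Run the check against a dump of the column first, fix or NULL the rows it names, then run the two statements inside one transaction; after that the Perl routines that relate IPs to CIDRs reduce to a single << in the WHERE clause.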

Back To Index


Visitors to the PGTS Blog

Date: Sun, 23 Jan 2005 09:47:58 +1100

Still not many people have seen this blog. The stats so far are:

Type    Visits   Hits Agent
----    ------   ---- -----
Visitor      8      8 MSIE 6.0
Visitor      4      6 Mozilla Firefox 1.0
Visitor      1      1 Netscape 7.2

Robot        9     11 Googlebot 2.1
Robot        2      3 MSNbot 0.3
Robot        2      3 Yahoo! Slurp
Robot        1      2 Ocelli 1.3
Robot        1      1 E-SocietyRobot
Robot        1      3 Junkbot/Spambot
Robot        1      1 Squid-Prefetch
Robot        1      1 Ichiro 1.0

It's still early days. These figures should change considerably when I put a link on the agent string information panels.

Of course, the Robots came first. I was surprised that MSNbot was the first to discover the blog. It had only been up for an hour when MSNbot pounced on it. The GoogleBot arrived eight hours later. As I expected the GoogleBot kept coming back. It now has a higher hit rate. Almost as much as the other Bots combined. It accounted for 44% of the hits to the blog. I expect that once Googlebot realises this file is being updated regularly it will keep on coming back.

Of course the Googlebot has almost as much under the hood as all the other Bots combined, so it has the horsepower to keep it up.

Also I have received a couple of emails with links to this article in BusinessWeek about Linux and Linus Torvalds. An in-depth and interesting article.

I should add (this has been added post blog entry) that I discovered an interesting error when I tried to validate this page. According to the W3C site one should not use bare ampersands in URLs. Instead these should be coded as '&amp;'. This was news to me. I have written an entire job tracking system that generates URLs that do not obey this convention! It is only available to customers, so these pages won't be sent to the validator.

There are several areas in the agent_string pages where these non-standard URLs occur.

Back To Index


Websense Categories

Date: Sat, 22 Jan 2005 18:05:38 +1100

And while I was wondering about Websense and the strange "Network Errors" I thought I'd try those websites again.

I tried www.biblegateway.com a second time about an hour after my first attempt and the response was:

	This site is not categorized by Websense
After another five hours this changed to:
	Traditional Religions

Also, when I tested www.danbyrnes.com.au Websense said:

	Educational Materials
It appears that "Network Errors" is just a generic answer that Websense returns when it has trouble locating a site that has not been categorised. In the case of www.danbyrnes.com.au, I have access to the logfiles, so I did a little digging to try and figure out what was going on.

I searched for evidence of Sqworm in the current www.danbyrnes.com.au logfile, but I could not find it.

However, I did find something interesting. It appears that Dan's site has been visited by the Konqueror Morphbot. This is a strange beast which constantly changes its agent string. Earlier on, when I was looking at robots and agent strings, I noticed this and I deemed this particular behaviour to be suspicious. It seems to me that an honest net denizen would not behave in this manner. And so this Morphbot was categorised as a suspicious robot in my database.

Now, it transpires that the Konqueror morphbot comes from Websense! I had observed this earlier, but failed to make the connection ...

I should explain that Morphbot is a name that I have given to robots that cloak themselves with a valid agent_string, and change that garment on successive hits. For example they might hit with agent_strings like the following:

	Mozilla/5.0 (compatible; Konqueror/3.1-rc5; i686 Linux; 20020821)
	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312460)
	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312466)
	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312468)
	Mozilla/5.0 (compatible; Konqueror/3.0-rc1; i686 Linux; 20021016)
(These are actual strings sent by Websense Morphbots)

This is probably designed to fool sites that employ browser sniffing.

The Websense MSIE morphbots tend to get lost amongst the general clutter of MSIE junkbots and spambots. In fact, most susbots tend to cloak as MSIE. Now that there is a new kid on the block, we can expect to see Firefox Morphbots before long.

So there is more to the Websense story than I initially thought. According to whois, Websense owns the netblock 66.194.6.0/24 (more about this in the PGTS feedback column). www.danbyrnes.com.au has received 56 hits from Websense in the month of January, all of them Morphbots, either Konqueror or MSIE.
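Spotting a Morphbot in an access log comes down to one question: how many distinct agent strings has a single address presented? The following Python is an added example (not the PGTS agent_string software) that answers it over Apache combined-format lines. The log lines are constructed: the five agent strings are the Websense ones quoted above, 66.194.6.10 is a made-up address inside the 66.194.6.0/24 block the entry attributes to Websense, and 192.0.2.50 and 192.0.2.51 are documentation addresses standing in for ordinary visitors.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed Apache combined-format lines (see the lead-in for what is real).
LOG = """\
66.194.6.10 - - [22/Jan/2005:10:00:01 +1100] "GET / HTTP/1.0" 200 5120 "-" "Mozilla/5.0 (compatible; Konqueror/3.1-rc5; i686 Linux; 20020821)"
66.194.6.10 - - [22/Jan/2005:10:00:02 +1100] "GET /a.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312460)"
66.194.6.10 - - [22/Jan/2005:10:00:03 +1100] "GET /b.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312466)"
66.194.6.10 - - [22/Jan/2005:10:00:04 +1100] "GET /c.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312468)"
66.194.6.10 - - [22/Jan/2005:10:00:05 +1100] "GET /d.html HTTP/1.0" 200 2048 "-" "Mozilla/5.0 (compatible; Konqueror/3.0-rc1; i686 Linux; 20021016)"
192.0.2.50 - - [22/Jan/2005:10:01:00 +1100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
192.0.2.50 - - [22/Jan/2005:10:01:05 +1100] "GET /a.html HTTP/1.1" 200 2048 "http://www.danbyrnes.com.au/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
192.0.2.51 - - [22/Jan/2005:10:02:00 +1100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.51 - - [22/Jan/2005:11:30:00 +1100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
WEBSENSE_NET = ipaddress.ip_network("66.194.6.0/24")   # per the whois note above


def parse(lines):
    """Yield (ip, timestamp, user_agent) for each well-formed combined-log line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ts"), m.group("ua")


def find_morphbots(lines, min_agents=3):
    """IPs that presented at least min_agents distinct agent strings, with the
    strings themselves. One client may legitimately change its string now and
    then (a browser upgrade, two machines behind one NAT); a fresh string on
    nearly every hit is the cloaking behaviour described above."""
    agents = defaultdict(set)
    for ip, _, ua in parse(lines):
        agents[ip].add(ua)
    return {ip: sorted(uas) for ip, uas in agents.items() if len(uas) >= min_agents}


def in_netblock(ip, net=WEBSENSE_NET):
    """Attribute a hit to the netblock whois says Websense owns."""
    return ipaddress.ip_address(ip) in net


if __name__ == "__main__":
    for ip, uas in find_morphbots(LOG.splitlines()).items():
        tag = "websense" if in_netblock(ip) else "unknown"
        print(f"{ip} ({tag}): {len(uas)} distinct agent strings")
        for ua in uas:
            print("   ", ua)
```

The threshold matters: at min_agents=2 the household at 192.0.2.51 (one MSIE hit, one Firefox hit an hour later) is flagged alongside the bot, which is the false positive a browser-sniffing site would also trip over. The netblock check is what turns "suspicious robot" into an attribution.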

From the limited testing that I have done, it appears that the "Network Errors", and "Not Categorised" categories may sometimes be interchangeable.

In the case of biblegateway.com, the first request returned as "Network Errors" and the second request returned as "Not Categorised".

In the case of danbyrnes.com.au, there is a chance that I may have mis-typed this URL when I was testing it.

In any case both of them have categories now. This behaviour seems consistent with what I have seen of some corporations that I know of who run websense. All of which would suggest to me that Websense are struggling to keep up with the workload. And sometimes they may just cover this with the message "Network Errors".

I suspect the main problem is that their search engine does not have enough grunt ... or enough smarts.

Back To Index


Blars really does hate 'em

Date: Sat, 22 Jan 2005 13:45:55 +1100

Blars has, arguably, the most aggressive block list. For those that haven't heard of Blars his website is here. Now this guy does hate spammers! His block list is much more comprehensive than others, he has the following categories for the two least significant bytes. They are:

Least significant byte:

Second least significant byte:

One thing that Blars doesn't have is an automated removal screen. I would have thought that this would have eased his workload. He could manually over-ride and not allow removal requests of confirmed spamming domains, but accidental inclusions could be remedied by users (plus he'd have a record of the removal request in his log files). That's probably why the major lists use this approach.

I see that he has already listed our Polish spammers. He has given them a lookup of: 127.1.0.17.

Which, according to his list, means they are guilty of spamming and of not having a working abuse address. And I concur fully with his listing. This Polish spam should be served on toast! Major lists, please take note ... you might as well list these guys now! I'm sure it won't be long before we see them in SpamCop and dnsbl.
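For readers who have not looked under the bonnet of a DNS block list, here is an added Python example (my own, not Blars' code) of the mechanics behind a lookup like the one above: the client reverses the octets of the address, appends the list's zone, and reads the answer back as an A record in 127/8 whose low bytes carry the list's categories. The zone name block.blars.org is assumed from the site URL above and may not be the real zone; the addresses are documentation addresses, and the answers come from a constructed dictionary so the code runs offline (192.0.2.44 is simply given the 127.1.0.17 answer quoted above, and 203.0.113.9 a bogus answer outside 127/8 of the kind an expired or wildcarded zone hands back).

```python
import ipaddress
import socket

# Constructed stand-in for DNS answers; nothing here reflects real listings.
FAKE_ZONES = {
    "44.2.0.192.block.blars.org": ["127.1.0.17"],
    "9.113.0.203.block.blars.org": ["10.0.0.1"],
}


def fake_resolve(name):
    return FAKE_ZONES.get(name, [])


def dns_resolve(name):
    """Real lookup: the A records for name, [] when NXDOMAIN or unreachable."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def query_name(ip, zone):
    """Reverse the octets and append the zone, e.g. 1.2.3.4 -> 4.3.2.1.zone."""
    addr = ipaddress.IPv4Address(ip)          # ValueError for anything else
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def decode_answer(answer):
    """Split a 127.x.y.z answer into the two low bytes Blars uses for his
    categories; None for anything outside 127/8."""
    a = ipaddress.IPv4Address(answer)
    if a not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    b = a.packed
    return {"second_lsb": b[2], "lsb": b[3]}


def lookup(ip, zone, resolve=dns_resolve):
    """None if unlisted; otherwise the raw answers, their validity and codes."""
    answers = resolve(query_name(ip, zone))
    if not answers:
        return None
    decoded = [decode_answer(a) for a in answers]
    return {
        "zone": zone,
        "answers": answers,
        # A list answering outside 127/8 is broken or has lapsed into a
        # wildcard that "lists" the whole Internet; never block on that.
        "valid": all(d is not None for d in decoded),
        "codes": [d for d in decoded if d is not None],
    }


def check(ip, zones, resolve=dns_resolve):
    """Listings across several zones, keyed by zone; unlisted zones omitted."""
    hits = {}
    for zone in zones:
        r = lookup(ip, zone, resolve)
        if r is not None:
            hits[zone] = r
    return hits


if __name__ == "__main__":
    for ip in ("192.0.2.44", "203.0.113.9", "198.51.100.7"):
        print(ip, check(ip, ["block.blars.org"], fake_resolve))
```

The "valid" flag is the caveat every MTA that consults a block list needs: a zone that has been abandoned and then wildcarded returns an answer for every query, and a mail server that treats any answer as a listing will reject all mail.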

Go get 'em Blars!

And while on the topic of spam, I received some HAM from www.bizwiz.com. I did actually subscribe to their list, when I was setting up this site. The email was not HTML-only and was only 5.6K in size. But it did have a rather hammy flavour. I thought I had requested to be removed from their list, but I can't remember. Whatever, they had a removal request which I used. The removal screen came back and said that I had been removed.

So I just thought I'd make an entry in my blog to make note that Clickit Add-a-link, BizWiz, should not be sending me any more e-mails. (Take care, BizWiz!)

The worst offenders, in this area have been TechRepublic. About eighteen months ago, I wanted to view a document on their site and they would not allow me to see it until I signed up.

I carefully checked the boxes saying that I did not want to receive any e-mail (apart from the one with my password) from them, and I did not want to receive promotional materials or any other communication. This displayed the usual notice that they would "still respect me in the morning".

A week later my first promotional e-mail arrived from TechRepublic. And continued each month thereafter, despite repeated requests from me to stop sending e-mail. Eventually (about Jan 2004) TechRepublic's MX was listed and I did not get any more e-mail. They struggled for a while to get unlisted. And then when they did, resumed sending me e-mail! Typically, these were HTML-only documents advising me to upgrade to Service Pack 2 or that the latest version of MS-Access was available now. Here is a sample of the last one that got through:


   [ lots of graphics ... ]

   Security.
   For such a simple word it causes so many headaches.
   Attending the Microsoft Security Summit 2005 can help. This year's
   Summit will include topics as diverse as `Fighting SPAM', `Defending
   against Malicious Software' and `Tools for Quality Code'. We'll focus
   on practical skills, processes and technology that can help with your
   day-to-day security challenges. Whether you are an IT Professional or
   a Developer this event is also an opportunity to get an update on the
   latest developments from Microsoft.
   It's running in Sydney, Melbourne, Brisbane, Adelaide, Canberra and
   Perth.
   Best of all it's complimentary - with no charge to attend. So you can
   come all day or just to the sessions in the [1]agenda which interest
   you. Places are strictly limited and filling fast.
   
   ©2004 Microsoft Corporation. All rights reserved. Microsoft, the
   Microsoft logo, MSDN and the MSDN logo are either registered
   trademarks or trademarks of Microsoft Corporation in the United States
   and/or other countries.
   
   [ more graphics ... ]

   You have been selected to receive this e-mail because you indicated
   you wanted to receive valuable information and product updates from
   technology vendors when you provided your e-mail address to

   [ ... blah, blah, blah, etc, etc ... the usual weasel words ]

   [ and more graphics ... ]

In December, I manually added them to my permanent block list. I haven't heard from them since however ... perhaps they've got the message now?

Back To Index


Anti M$ Humour and XML training

Date: Fri, 21 Jan 2005 08:27:08 +1100 (EST)

When you want a system that just works, choose Unix.
When you want a system that just works, choose Windows.

-- Old Jungle Saying

Brian (from Sydney) sent me the following bit of satire, which he got from a SLUG post. If I might quote from this link:

Many Microsoft Windows users who downloaded the recently released AntiSpyware program from Microsoft, or had it installed through an automatic Windows update, woke up to a surprise. Unintentionally, the heuristics of the software detected Internet Explorer as spyware, and removed the program from their systems.

Many a true word was spoken in jest ... All very amusing, I must say, (or should that be very droll?). Best bit of satire I have read for a while. The www.bbspot.com site runs Apache/1.3.33 (Unix) and PHP/4.3.9 (Well, I would have been more than a little surprised if it had been IIS!). The pages have a slick online news look, that renders well on w3m and lynx, the code is not W3C.

In fact, the page is so slick and newsy looking that many unwary readers might not realise it is satire. Actually, I had trouble myself, until I got to this paragraph:

Many computer users did not view this new "feature" positively. "I tried to check the weather this morning and all my little blue 'e' icons were missing. I couldn't get to the Internet at all. I guess I'll have to get a new computer," said Windows XP user Graham Newton.

Even then, I pondered ... that could also be true! But no, it is satire!

Brian also reports that spam is holding at a little below last month's record levels. Which concurs with my own observations. It seems that there is a Christmas rush for everything, including spamming. However in the case of spam this is taking place against the overall upward trend. The figures that I see from the PGTS mailhub are as follows:

	yyyy-mm attempts
	------- --------
	2004-07      323
	2004-08      289
	2004-09      271
	2004-10      473
	2004-11      679
	2004-12      843
	2005-01      573

According to this, the projected figure for January is 837. These are stats gathered from a database that runs for rejected spam coming to PGTS. Here is a rough sort of "Mail Abuse Switchboard" which I will complete sometime. I intend to allow requests for updating the exclusion list and to build my own private DNS-block list (another project on the back-burner).

Also, on an entirely different tack, I forgot to mention that there was an interesting phone call this morning from someone who asked me if I do computer training. I am not really in a position to do this, but I have had a few calls inquiring about it. I didn't get his name (very remiss of me -- but I simply cannot do sales and marketing).

He wanted to know if I could recommend a course on XML. I told him I couldn't. However I did warn him that most of the "courses on XML" would not teach much about XML. Instead they would teach users how to point and click with software that purported to be XML-compliant. I recommended Open Office as the best XML-compliant package available.

The best place to learn about XML is on the Internet.

Also found a very interesting article on Salon.com, How Microsoft Is Losing The War On Spam! For those of you who have not encountered it, Salon is a subscription based news service. Although if you want to, you can accept a cookie after viewing one of their commercials, and the advertiser picks up the tab for the subscription. Very slick operation. Well put together and makes good commercial sense. Unfortunately will not work with text only browsers like w3m. But hey! someone's got to pay the salary of all those people who design those slick ads! Salon.com looks like a smart online operator.

Back To Index


The mysterious Sqworm

Date: Thu, 20 Jan 2005 19:21:59 +1100 (EST)

There has been quite a bit of feedback about Sqworm lately. I am sorry not to have responded to those people who asked me about it. It seems that Sqworm comes from a company called Websense.

According to their advertisements Websense offers a server-based, Internet content-screening system, to allow organisations to monitor and/or block network traffic to inappropriate Internet sites. Here is how they say it works:

They offer products for the following platforms:

There may be others, since some of this information was gathered from old advertisements. I could not get access to their site unless I registered.

Websense make a pitch to schools and parents who might be concerned about what their youngsters might be viewing on the Internet.

I get the impression that Websense are now focusing on the Corporate sector, and offering services that limit employees' Internet access.

Apart from being a less lucrative market it would seem that the domestic market has some potential flaws. The effectiveness of the solution would be dependent on the supervisor (parent/guardian) being a more sophisticated and informed computer user than the person who is being supervised (child/youngster). From my own observations of many households this is not often the case. Or if it is, it is only a temporary state of affairs.

Nevertheless when I went through their 80+ categories it seemed they have not given up on the domestic market.

The only way I could get a look at these categories was to sign-up and give them my e-mail address.

The Websense site uses IIS version 5.0 with PHP version 4.3.7, and ASP. The webpages are prepared with the aid of software from WebSideStory. It is not W3C.

The list of categories is remarkably long. It seems hard to believe that a single company such as this would have the resources to categorise these sites accurately.

They may have quite a few schools amongst their clients.

Out of curiosity, I ran the following sites through Websense:
URL                              Category
---                              --------
http://www.danbyrnes.com.au      Network Errors
http://www.pgts.com.au           Information Technology
http://www.voyeurmagic.com.au    Travel
http://block.blars.org           Personal Web Sites
http://www.biblegateway.com/     Network Errors
http://www.cutecandy.com         Sex

The last one (Sex) comes from the PGTS agent_string database. It was attached to an agent string that claimed to be "grub-client" (or it may actually have been a grub-client with a customised agent string). The string had HTML tags embedded in it which pointed to a porn site, so anything that displayed the agent string unescaped would have rendered it as a link. Unfortunately it arrived during a period when the database was neglected, and I did not discover it for a while. I have since updated the software to suppress display of tags.
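The lesson in that entry is that a User-Agent string is attacker-supplied input, and a statistics page that echoes it back is serving whatever HTML the visitor chose to put there. The following is an added example, not the PGTS agent_string software, showing the output-encoding fix in shell. The agent strings are constructed (the real one is not reproduced), and example.com stands in for the injected link:

```shell
#!/bin/sh
# Added example, not the PGTS agent_string software: render a logged
# User-Agent string safely inside an HTML page.  The User-Agent header is
# attacker-controlled, so any page that echoes it back (a statistics page, a
# log viewer) must HTML-escape it on output.  Escaping beats stripping tags:
# a stripper based on "<...>" passes an unterminated tag straight through,
# and the browser still treats it as a tag once it reaches the next ">".

# html_escape: escape the characters that matter in HTML text and attribute
# context, stdin to stdout.  '&' is done first so the entities introduced by
# the later substitutions are not themselves escaped.
html_escape() {
    sed -e 's/&/\&amp;/g' \
        -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' \
        -e "s/'/\&#39;/g"
}

# strip_tags: the naive "suppress the tags" approach, shown for comparison.
strip_tags() {
    sed -e 's/<[^>]*>//g'
}

# Constructed agent strings (the real one from the database is not used).
AGENT_HOSTILE='grub-client <a href="http://example.com/">click</a>'
AGENT_UNTERMINATED='Mozilla/4.0 <img src=x onerror=alert(1)'

# render_row AGENT: one escaped table row, safe to drop into a stats page.
render_row() {
    printf '<tr><td>%s</td></tr>\n' "$(printf '%s' "$1" | html_escape)"
}

render_row "$AGENT_HOSTILE"
render_row "$AGENT_UNTERMINATED"
```

Escaping keeps the evidence intact (you can still read exactly what the crawler sent) while making it inert; stripping loses the evidence and, as the unterminated tag shows, does not even reliably make it inert.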

I also pondered "Network Errors". For some reason Websense are not happy with www.danbyrnes.com.au, nor with www.biblegateway.com. But the DNS entries for both sites appear to be fine, and both rate well in Google. More about this later ...

For those who would like to know what the categories are, there is a list displayed below. These are the categories that were on the Websense site as of 2005-01-20. I should warn you now that it is quite a long list ... so those who want to skip past it, click here.

Websense Enterprise Premium Groups (available at additional cost)

End of list ... (whew!) ... Now I was going to send them an email asking about "Network Errors", but with the workload they have set themselves, they probably won't have time to answer emails ...

It seems rather ambitious for Websense to expect that the entire Internet could be categorised in such a manner, and even if it could, it is hard to believe that an organisation of their size would have the resources to achieve such a herculean task.

I could be wrong of course ... maybe the Internet is a shallower pond than we all thought ...

Note: Since this was written, I have found out more about websense. To read this report click here.

Back To Index


RingOfSaturn and other sites

Date: Thu, 20 Jan 2005 01:48:37 +1100

Yesterday I was looking for some web tools that could run nslookup and other network utilities. I could not run these locally, because I was at a site which had provided me with a Microsoft workstation and used proxy servers that block network tools.

I discovered a website called RingOfSaturn.com, which has a Tools Page. This is an Apache/2.0.52 (FreeBSD) PHP/4.3.10 mod_ssl/2.0.52 OpenSSL/0.9.7d server. The home page is well constructed, using CSS and JavaScript, but it also supports non-script browsers.

The tools include:

I tried the browser sniffer, and the script ran an impressive array of tests. It is quite scary what a sniffer can discover from a GUI browser running on a Microsoft machine.

I also tried the tools with w3m and it also worked. The browser sniffer did not discover as much and did not have access to javascript, vbscript or java (and no security holes). But it did a thorough job on HTTP headers.

Dig (domain information groper) is the well-known DNS-lookup utility. IP calculator is for netmasks. Probe remote host, offers information on Domain/Network and DNS records. It also offers Port scan and Traceroute.

I tried nslookup on my site:

After the problems that had been reported by Steve (in Canberra) I tried tracerouting to www.pgts.com.au from RingOfSaturn using TCP packets...

 1  hyperion.ringofsaturn.com (66.13.175.241)  16.938 ms  16.869 ms  16.893 ms
 2  ge-7-1-205.core1.Dallas1.Level3.net (4.9.8.65)  17.086 ms  17.126 ms  16.972 ms
 3  ae-1-53.bbr1.Dallas1.Level3.net (4.68.122.65)  17.202 ms  17.234 ms  17.171 ms
 4  so-6-0-0.edge1.Dallas1.Level3.net (209.244.15.162)  17.481 ms  17.276 ms  17.452 ms
 5  sprint-level3-oc48.Dallas1.Level3.net (64.158.168.74)  17.443 ms  17.533 ms  17.812 ms
 6  sl-bb27-fw-5-0.sprintlink.net (144.232.9.137)  19.356 ms  18.762 ms  18.762 ms
 7  sl-bb24-fw-14-0.sprintlink.net (144.232.11.73)  18.803 ms  18.733 ms  18.787 ms
 8  sl-bb25-ana-8-0.sprintlink.net (144.232.9.64)  49.708 ms  49.103 ms  49.048 ms
 9  sl-bb23-ana-15-0.sprintlink.net (144.232.1.165)  49.089 ms  49.051 ms  49.493 ms
10  sl-bb25-sj-9-0.sprintlink.net (144.232.20.159)  59.884 ms  59.812 ms  59.857 ms
11  sl-bb22-sj-12-0.sprintlink.net (144.232.3.209)  60.300 ms  60.044 ms  62.032 ms
12  sl-bb21-syd-14-2.sprintlink.net (144.232.8.129)  209.407 ms  208.869 ms  209.001 ms
13  sl-gw10-syd-15-0.sprintlink.net (203.222.32.42)  208.745 ms  208.766 ms  208.870 ms
14  sla-tpg1-1-0.sprintlink.net (203.222.35.110)  217.076 ms  216.956 ms  223.291 ms
15  * * *
16  * * *
17  nme-ibo-tit-2-fe-0-0.tpgi.com.au (203.29.131.1)  230.660 ms  229.677 ms  230.008 ms
18  * * *
19  * * *
20  203-213-19-22-vic.tpgi.com.au (203.213.19.22)  247.570 ms  247.519 ms  262.198 ms
21  203-213-17-10-vic.tpgi.com.au (203.213.17.10) [open]  247.545 ms  247.502 ms  248.516 ms

All looks ok to me ... a bit slow ... but ok? The online quizzes consist of 19 tests on:

The tests on Cisco look very tough, or at least they do to someone who, like me, knows very little about Cisco routers. I took the test on Subnetting class B and got 90%. (oops -- I didn't know the answer to the last question -- oh well, I am a self-taught network administrator.) Most embarrassingly I only got 90% on the "vi" test (I clicked on the wrong box -- even though I knew the correct answer. Typical for someone who is over-confident!)

This is a very good site, and obviously built by an experienced administrator. I heartily commend it to anyone who is looking for robust, fast online network tools. It happens occasionally ...

I'd love to be able to say that http://networking.ringofsaturn.com/Tools was W3C, but sadly, they did not pass.

But while I was surfing for blogs to give me a few ideas, I came across a blog called Postneo 2.0, by Matt Croydon. Great blog, well maintained and current. It gives me something to aim for ... I don't know how he finds the time though. Also he may have found the right niche (Apple). In the meantime, I will add it to my list of bookmarks.

Also for those who really want to "Get The Facts", you could start here for Novell's counter-punch to the Microsoft "Get The Facts" FUD.

Back To Index


Out of the Abyss

Date: Wed, 19 Jan 2005 10:21:38 +1100

Abyss, noun:

  1. An immeasurably deep chasm, depth, or void: "lost in the vast abysses of space and time" (Loren Eiseley).
    • The primeval chaos out of which it was believed that the earth and sky were formed.
    • The abode of evil spirits; hell.

Thanks Dictionary.com for that definition. In fact, if I could launch into another tangent, thanks in many ways ...

No doubt that is why you rate so well in Google. And in my own humble fashion I have just added to that rating (just leave the money on the fridge). When you think about it ... it's unfair. The popular sites get more popular. And the less popular just fade away. Well that's the Internet, for you! ... it is not really that fair! In fact, if I could indulge in a little internal self-promotion, I wrote about the undemocratic nature of the Internet here.

And that's why a site like Dictionary.com will probably maintain a good position whilst newcomers, with poorly designed, crappy sites that depend heavily on frames and javascript with huge graphics, will languish at the bottom of a list of 26,000 hits from Google for a few months, and then disappear! Although, if anyone from Dictionary.com should happen to read my humble little blog, I should mention to them that if they made their HTML W3C-valid, and used ISO-standard characters in the text, I would heap further praise upon them, as would many other sites, and their rating would go truly stellar! They would be in an unassailable position!

Just some free advice for the management team at Dictionary.com ...

And poor design is the reason why I often don't accept links on my links page. And now that I think about it, it is a bit churlish not to respond. I should set up something like the following:

    This site tries to promote good website design and open standards.

    And for that reason does not foster reciprocal links with websites
    that exhibit poor design.

    If you wish to find out more about website design, use the search
    engine Google to search for information on this ...

    HINT: Try "KISS website design"

          or  "W3C website design"

    If you would like an assessment and a report on your site, you could
    arrange one at [put link here]. However, there will be a fee for
    professional services.

Well, that's the unpaid advertisements out of the way. Now to get down to the topic of this blog entry which is "Abyss". This was prompted by some feedback, from Jeremy Hill. He mentioned that he was using Abyss on his PC.

According to what may be the original SourceForge page, Abyss has a tiny footprint, uses minimal resources, is written in C, and is consequently very portable. A quote from this page is as follows:

It is capable of running CGI scripts and has a built in Web Admin interface.

Also it appears that the author (Mahfoudh) has not used the GPL. Instead it looks more like a limited public licence (possibly similar to the BSD licence).

It seems to have found a home on http://www.aprelium.com/

The page http://www.aprelium.com/abyssws/opinions.html contains many testimonials. I searched through them, but most of the testimonials were from web hosts running Apache. I eventually found one that was actually running Abyss (http://www.atlantamessengers.org/); fairly rough-looking code ...

Also I note that in the Netcraft survey, Abyss does not even rate a mention.

And as I write this my doorbell rings. I have only just arisen (I was working late last night). Outside it is already very hot. Flies buzz busily in the early morning heat. Two attractive young ladies are standing on my doorstep, bibles and pamphlets in hand. They never had religious instruction teachers like this when I was at school ... They are Jehovah's Witnesses, asking if I, like many others, have been wondering how God could allow such terrible things to occur as have been occurring lately (especially natural disasters like tsunamis). Well no I haven't -- I have a rational view of earth science.

They leave me with a copy of "The Watchtower" and a quotation from Revelations 21:3,4

I search through my shelf of old biochemistry and physics text books, where I am sure I had an old bible ... where is it? No salvation for me today! This leads me to wonder ... Would I be able to look this up online?

I turn to almighty Google (to whom we all beseech and pray -- alleluia, have mercy on us all!). I discover there are some appalling bible sites online! Typical American evangelist rubbish! I think we need some equal time for atheist evangelists.

Of course true to form the website that comes up top of Google's list is quite superb (the cream often rises in Google). I have not heard of the server, which is HTTP/1, GoGoGadgetWebserver/0.3. (maybe that's a customised header). It serves up an XHTML page on the home page. The code is very well written. Although it uses Javascript, it has <script> .. <noscript> pairs. Works like a charm with w3m! Fast and powerful. This website is very well designed. It also appears to have a lot of additional features for GUI browsers. Plus it will let visually impaired people listen to the passages!

And very scholarly. It allows you to search by chapter and verse, by passage, keyword search or topical index. I specify chapter and verse and it offers a choice of hundreds of bibles (19 in English -- all the major ones). I choose the King James version and in the blink of an eye I am presented with the verses I was looking for:

And I heard a great voice out of heaven saying, Behold, the tabernacle of God is with men, and he will dwell with them, and they shall be his people, and God himself shall be with them, and be their God.

And God will wipe away every tear from their eyes; there shall be no more death, nor sorrow, nor crying. There shall be no more pain, for the former things have passed away.

Hmm ... normally Revelations puts me in an Armageddon sort of mood! However, this quotation is not very apocalyptic.

But wait! There is more! Yes ... you're not going to believe this ...

This Page Is Valid XHTML 1.0 Transitional!

(Gasp!)

Congratulations, Biblegateway.com, you get five stars! I predict that you will spend a long time at the top of the pile. Especially when the competition is so hopeless!

Back To Index


I Don't Really Hate Them (much)

Date: Tue, 18 Jan 2005 10:30:18 +1100

Sadly, my BAS is still not completed. Well, I have an excuse, I am trying to rectify a problem with invoicing. Of course I leap at any excuse to avoid doing my BAS. I strive for ever new heights in the area of procrastination.

Dan Byrnes has looked at this blog and offered me some valuable editorial advice. He pointed out that I am putting programming tips in it ... and they should be in the programming tips section.

As usual, when on the topic of writing, he is correct. Putting programming tips in this, makes the whole thing cluttered. And it's cluttered enough as it is. I have removed the tips from the earlier entry and put them in the Feedback and Hints column, where they belong.

He also asked why was I writing my own software to publish the blog?

There are many reasons for writing your own software to do a task:

  1. When you get something off the shelf, it is much easier to install it and use the system as the author intended. This means that you must change your way of working to suit the way the software works.
  2. Customising software, even Open Source software is difficult and can take a considerable amount of time.
  3. If it's a simple task, writing your own software may not take as long as installing and configuring a package. And you can tailor the software to your exact requirements.
  4. Programmers like writing software! We do it because we enjoy it! Surely Mr Byrnes, if you were a mechanic and you really enjoyed fixing cars, you'd probably fix your own car! Even if it hadn't broken down. Hey! Maybe you can come and fix my car, while you're about it! But there you have it. Someone who really enjoys fixing cars probably finds it hard to believe that anyone could enjoy programming ... just as someone who enjoys programming would not appreciate the joys of fixing a motor vehicle (which would be quite low on my to-do list -- somewhat lower than being buried at sea).

Dan Byrnes also accused me of nursing a "spectacular hatred of spammers". I really must tone down my rhetoric ... I would have thought hatred much too strong a word for the trivial annoyance of spamming. As I have said on many previous occasions, spamming is impolite. So is pushing in front of someone in a queue, or farting in lifts. But hardly worth a million dollar fine.

In the real world, there are so many constraints on physical "rage". Seems that word is very much in vogue these days. We are now used to hearing about "road rage". Lately, we hear about "shopping rage", "pool rage", and amazingly enough "golf rage" (that's "golf" not "gulf" -- "Gulf Rage" is quite deadly). And ... God have mercy on us all! "Yoga Rage!" -- apparently when someone arrives at yoga class and doesn't get the perfect yoga mat, or cannot reach the transcendental state in 56 seconds etc etc -- they might spin off into some "yoga rage".

Still, with all these types of "rage" there are physical constraints. Or there are, if you have a physical presence in the real world. The object of your rage stands right in front of you and too much of it could earn you a bloody nose or even get you killed (as in the case of "road rage"). But spam rage, it seems, has no such constraints. It can ratchet all the way up into the stratosphere. You can throw a complete "wobbly" about it. Start foaming at the mouth ... Go ballistic ... Throw yourself on the floor and kick your legs ... and never even leave your chair, because it's all in your mind, you know! It's remarkable ... the excesses we go to in virtual space.

I wouldn't go so far as to say that I am fond of spammers, but surely even the most dour and serious person has smiled (just a little) upon receiving one of those cute little Nigerian letters in broken English and CAPITALS. A friend, who lives in Sydney, and shall remain nameless, took to replying to them with short sentences like:

	Your assassination has been planned. Flee the country now!

Nice one Brian, (oops, I did promise not to mention your name).

Truth be told, and I am telling the truth here, I probably feel more dislike for the "intellectually challenged" victims. I am talking about the dickheads who send spammers money and in so doing, perpetuate the endless cycle.

In fact, if legislators targeted those dull-witted spammer clients, they would get a far better result. Because:

Ahh but what about the cost of spamming? You ask. And you may well ask! There are numerous articles that quote the billions of dollars that it costs us. These figures are just as rubbery as the ones which cite the billions of dollars worth of "intellectual property" that Internet users "steal" from media conglomerates. The costs like the rage are virtual.

Back To Index


itax on Sourceforge

Date: Mon, 17 Jan 2005 09:04:54 +1100

Well the first part of the blog publishing software has been completed. I need to get the posting and editing components working. But the basics seem to be ok.

Not much time for blogging, because I have to do my BAS. This is the bane of my life. Every three months I find myself tearing my hair and cursing the ATO. Most of the work is actually doing the figures. And then I have to lodge it. I suppose it would be nice if I could do that online.

This is not likely however since the ATO's system is crap.

So I was pleasantly surprised to learn (from OSIA) about the proposal of the itax project.

The itax proposal lists the following objectives:

(The above taken from SourceForge)

Very Interesting ...

Of course I still have to do the figures!

And while I was reading about it, the same e-mail (from OSIA) directed my attention to LAMP. This led me to wonder about that word. What do those letters stand for? I have encountered the acronym previously, however I have forgotten the meaning. The first letter, 'L', must be for "Linux", and the second letter is probably Apache ... I tried googling for the answer, and, of course, found many references to LAMP ...

I discovered there is a book about LAMP: The Open Source Web Platform by Dale Dougherty. According to this website, O'Reilly Network runs a LAMP web site, as do many organisations.

LAMP is an acronym for a suite of Open Source software used to create a dynamic web site:

So now I recall the definition:

	LAMP = Linux + Apache + MySQL + (PHP | Perl | Python)

(I prefer LAPP = Linux + Apache + postgres + Perl)

(Although BAPP = BSD + Apache + postgres + Perl is pretty good also)

The wikipedia, as usual has a well-written and informative summary of the origins of this acronym.

Whilst Googling for this, I discovered a good list of Linux Distros. Well worth a look, if you are pondering the question of which distro?

Back To Index


Tiscali repeat

Date: Sun, 16 Jan 2005 23:50:20 +1100

Some spam just arrived from 83.154.168.192. The headers identify ppp.tiscali.fr as the domain, and a reverse DNS lookup of the address returns the same name (dyn-83-154-168-192.ppp.tiscali.fr), which is the naming pattern of a dial-up pool. The base64-encoded Subject decodes to "Swiss watches - replica":

 From kuo@3aweb.com Sun Jan 16 23:15:39 2005
 Return-Path: <kuo@3aweb.com>
 Received: from dyn-83-154-168-192.ppp.tiscali.fr (dyn-83-154-168-192.ppp.tiscali.fr [83.154.168.192])
 	by pgts04.pgts.com.au (8.11.6/8.11.6) with SMTP id j0GCFYm41527
 	for <info@pgts.com.au>; Sun, 16 Jan 2005 23:15:36 +1100 (EST)
 	(envelope-from kuo@3aweb.com)
 Message-ID: <30e201c4fbc1$1ca00ca4$850832d0@3aweb.com>
 From: "Susan M. Taylor" <kuo@3aweb.com>
 To: info@pgts.com.au
 Subject: =?iso-8859-1?B?U3dpc3Mgd2F0Y2hlcyAtIHJlcGxpY2E=?=
 Date: Sun, 16 Jan 2005 11:52:11 +0000
 MIME-Version: 1.0
 Content-Type: multipart/related;
     type="multipart/alternative";
     boundary="----=_NextPart_000_0000_FA385981.9B2A4014"
 X-Priority: 3
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2600.0000
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

And according to nslookup:

    Non-authoritative answer:
    192.168.154.83.in-addr.arpa     name = dyn-83-154-168-192.ppp.tiscali.fr.

    Authoritative answers can be found from:
    154.83.in-addr.arpa     nameserver = ns3.libertysurf.net.
    154.83.in-addr.arpa     nameserver = ns.ripe.net.
    154.83.in-addr.arpa     nameserver = ns.libertysurf.net.
    154.83.in-addr.arpa     nameserver = ns2.libertysurf.net.

The address 83.154.168.192 is listed in only four lists in OpenRBL (three of them lists that I do not use, since they are too aggressive). It was listed in SORBS, however there was a removal request!

Tiscali seem to be an international firm providing broadband services. The fact that they are so large may account for their popularity amongst spammers.

Well at least, I have finished the program that formats this blog ... so I can put it online. Next I need to finish the software for editing.

Back To Index


Polish Spam on Rye

Date: Sat, 15 Jan 2005 09:45:56 +1100
There are many reasons to buy Microsoft, not all of them financial:
  1. Empire building. You have a nice little IT empire with 30 servers, 300 staff and a $20 million budget, and some upstart comes along and suggests that Linux can do the same with 10 servers, 100 staff and a budget of $10 million.
  2. Familiarity. You know Windows. You like to tell yourself that if your system administrators all got killed in a freak coffee-poisoning massacre, you could roll up your sleeves and do their job all by yourself, and now there is this fellow who comes along and tries to sell you a solution that will make all your IT experience obsolete.
  3. Friends in high places. You play golf with the local Microsoft branch manager, and he takes your boss out for dinner occasionally. Once in a blue moon, Steve or Bill himself fly out in their corporate jet and wine and dine your boss' boss for a week, and now this fellow comes along who tries to sell you a solution that will mean Steve rings your boss' boss and ask "What is going on?"
  4. Butt-covering. Nobody ever got fired for buying IBM^H^H^H Microsoft.
  5. Concerns about the ability of Linux to do the job. You have a solution that works. Sure, there are warts, but it does most of what you want and if it costs a lot, that's the price you pay. Now somebody comes along and tries to sell you an unproven (to you) solution that costs a lot less and may or may not do the job.

From: Steven D'Aprano (OSIA Discussion List)

Steve makes a very persuasive case there! I think I'll rush out and spend several thousand dollars on converting to Microsoft. My website is running much too quickly and I need to slow things down. I also need to contribute something to the economy. So buying a whole bunch of extra hardware and anti-virus software might give the economy that extra little boost ... Not to mention the extra revenue that can help Microsoft continue with the worthy projects they have like replacing open standards with their own. Yes, I am sure that would be putting my money to good use. Much better than using it for things like feeding myself and my family ...

Ok, it's hard to tell when I am using a keyboard ... but that previous paragraph should have been enclosed in a <sarcasm> ... </sarcasm> pair.

Now where was I? Blog entry number 2 ... The things to do to set up this blog.

  1. Setup method for the blog posting.
  2. Setup a method of editing the blogs after they are published (to fix spelling grammar and errors of fact)

There is a bit of work to be done. However I may be able to borrow some code from the job tracking system, which is a perl/CGI system that I created to track and bill jobs. The tools that I use are mutt, awk, perl, shell, SQL, etc. So there may be a considerable amount of code there that I could borrow.

And ... now, I see some more spam arrived this morning ... (Hmm this could get a bit tedious). BTW if anyone wants to read the most recent article I published on the topic it is here.

This is a trifle amusing ... I use mutt, a text only MUA. The Subject Line is:

Subject: Your Life Ins. Company does NOT WANT you to see this...

Well I don't know about my insurance company but I won't see it! Mutt is text only and they have sent the email as HTML-only. Of course if I really wanted to I could view it, by pressing {Enter} and then 'v'. I have set up mutt to pipe HTML through lynx (see an earlier HINT in the feedback column). And, after a campaign to persuade everyone of the foolishness of sending HTML-only mail, most of the people who correspond regularly with me now send either TEXT-only (which is best) or mixed (not so bad). Whereas almost all HTML-only email is spam!

I can tell by the Subject tag that this is not a spam I wish to read ... Usually it isn't.

In this case I will just press 'h' (for headers). This reveals the following:

 From carelink@2minutequote.prserv.net Sat Jan 15 07:29:35 2005
 Return-Path: <carelink@2minutequote.prserv.net>
 Received: from smtp.wp.pl (smtp.wp.pl [212.77.101.160])
 	by pgts04.pgts.com.au (8.11.6/8.11.6) with ESMTP id j0EKTX814966
 	for <gerry@pgts.com.au>; Sat, 15 Jan 2005 07:29:33 +1100 (EST)
 	(envelope-from carelink@2minutequote.prserv.net)
 Received: (wp-smtpd smtp.wp.pl 22018 invoked from network); 14 Jan 2005 21:16:57 +0100
 Received: from katalog-admin.wp.pl (HELO 212.77.100.201) ([212.77.100.201])
           (envelope-sender <carelink@2minutequote.prserv.net>)
           by smtp.wp.pl (WP-SMTPD) with SMTP
           for <mands@dailyrecord.com>; 14 Jan 2005 21:16:57 +0100
 Message-ID: <00004ec01000$0000716a$00006433@212.77.100.201>
 To: <PersonalizedQuote>
 From: "Low-Cost Term Life" <carelink@2minutequote.prserv.net>
 Subject: Your Life Ins. Company does NOT WANT you to see this...
 Date: Fri, 14 Jan 2005 14:17:02 -0600
 Reply-To: carelink@2minutequote.prserv.net
 MIME-Version: 1.0
 Content-Type: text/html;
 	charset="us-ascii"
 Content-Transfer-Encoding: 7bit
 X-Priority: 3 (Normal)
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook, Build 10.0.4510
 Importance: Normal
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
 X-WP-AV: skaner antywirusowy poczty Wirtualnej Polski S. A.
 X-WP-SPAM: NO AS1=NO AS2=YES(1.000000) AS3=NO AS4=NO

And sorry guys, I will never see the body text ... Not that you really care. As long as half a dozen users, out of the 50 million or so that received your message, inquire about your services, you will probably keep sending them.

At first glance, this appears to have come from a Polish dial-in address. The netblock owner is Wirtualna Polska SA. Closer inspection reveals that the relaying host does have a proper DNS entry: it is registered as smtp.wp.pl. Looking up this address gives the following information:

    Authoritative answers can be found from:
    wp.pl
            origin = ns1.wp.pl
            mail addr = dnsmaster.wp-sa.pl
            serial = 2005011401
            refresh = 900
            retry = 600
            expire = 86400
            minimum = 3600
    > 212.77.101.160

    Non-authoritative answer:
    160.101.77.212.in-addr.arpa     name = smtp.wp.pl.

    Authoritative answers can be found from:
    101.77.212.in-addr.arpa nameserver = ns2.wp.pl.
    101.77.212.in-addr.arpa nameserver = ns1.wp.pl.
    > set type=mx
    > 212.77.101.160

    Non-authoritative answer:
    160.101.77.212.in-addr.arpa     name = smtp.wp.pl.

    Authoritative answers can be found from:
    101.77.212.in-addr.arpa nameserver = ns2.wp.pl.
    101.77.212.in-addr.arpa nameserver = ns1.wp.pl.
    ns2.wp.pl       internet address = 153.19.102.182
    ns1.wp.pl       internet address = 212.77.102.200

Overall this appears to have been sent via a spam-friendly host. Note that the "set type=mx" query above did not actually return an MX record: nslookup treats a dotted-quad argument as a reverse (PTR) lookup whatever the query type is set to, so the second answer merely repeats the first. What the output does establish is that the forward and reverse DNS for smtp.wp.pl are consistent. The Received headers show that smtp.wp.pl accepted the message from 212.77.100.201 (katalog-admin.wp.pl), another host in the same netblock, and stamped it with its own X-WP-AV and X-WP-SPAM headers before relaying it on to me. According to SenderBase it is the only host in this netblock that sends a significant quantity of email. In fact the amount is so large it seems strange that it has not been listed yet. Perhaps it is a spamhost startup?
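Reading the Received chain by eye, as done for the Tiscali message above and again here, is easy to get wrong when the sender has padded the headers with plausible-looking hops. Here is an added example, not from the original post, that does the extraction in shell for this message. It assumes the Received: header layout shown on this page and that pgts04.pgts.com.au is the only MTA whose header we trust; the embedded header block is the one quoted above, with a constructed body line after it.

```shell
#!/bin/sh
# Added example, not from the original post: pull the connecting IP out of
# the Received: headers of a raw message.  Only the topmost Received: header
# (added by our own MTA) records something we observed; every header below
# it was written by the sender's side and can say anything it likes.

# The headers of the Polish life-insurance spam quoted above, with folded
# continuation lines indented as in the original.  The body line after the
# blank line is constructed.
SAMPLE_HEADERS='Return-Path: <carelink@2minutequote.prserv.net>
Received: from smtp.wp.pl (smtp.wp.pl [212.77.101.160])
        by pgts04.pgts.com.au (8.11.6/8.11.6) with ESMTP id j0EKTX814966
        for <gerry@pgts.com.au>; Sat, 15 Jan 2005 07:29:33 +1100 (EST)
        (envelope-from carelink@2minutequote.prserv.net)
Received: (wp-smtpd smtp.wp.pl 22018 invoked from network); 14 Jan 2005 21:16:57 +0100
Received: from katalog-admin.wp.pl (HELO 212.77.100.201) ([212.77.100.201])
          (envelope-sender <carelink@2minutequote.prserv.net>)
          by smtp.wp.pl (WP-SMTPD) with SMTP
          for <mands@dailyrecord.com>; 14 Jan 2005 21:16:57 +0100
Message-ID: <00004ec01000$0000716a$00006433@212.77.100.201>
From: "Low-Cost Term Life" <carelink@2minutequote.prserv.net>
Subject: Your Life Ins. Company does NOT WANT you to see this...
X-WP-SPAM: NO AS1=NO AS2=YES(1.000000) AS3=NO AS4=NO

<html><body>body text, never displayed by mutt</body></html>'

# unfold_headers: join folded continuation lines (leading whitespace) onto
# the header they belong to, one header per output line, and stop at the
# blank line that ends the header block.
unfold_headers() {
    awk '
        /^$/      { if (cur != "") print cur; cur = ""; exit }
        /^[ \t]/  { sub(/^[ \t]+/, " "); cur = cur $0; next }
                  { if (cur != "") print cur; cur = $0 }
        END       { if (cur != "") print cur }
    '
}

# received_ips: one line per Received: header that carries a bracketed IPv4
# address, in the order the headers appear (newest hop first).
received_ips() {
    unfold_headers | sed -n 's/^Received:[^[]*\[\([0-9.]*\)\].*/\1/p'
}

# entry_ip OUR_MTA: the address that connected to our own MTA, i.e. the
# only hop whose origin we have actually observed.
entry_ip() {
    unfold_headers | grep '^Received:' | grep -F " by $1 " | head -n 1 \
        | sed -n 's/^Received:[^[]*\[\([0-9.]*\)\].*/\1/p'
}

ip=$(printf '%s\n' "$SAMPLE_HEADERS" | entry_ip pgts04.pgts.com.au)
printf 'Connected to us from: %s\n' "$ip"
printf 'All Received: hops (newest first): %s\n' \
    "$(printf '%s\n' "$SAMPLE_HEADERS" | received_ips | paste -sd " " -)"
# On a live system, check the reverse DNS of the entry hop (needs dig):
#   dig +short -x "$ip"
```

The hop below the entry point (212.77.100.201) is worth knowing about, but it is only as trustworthy as smtp.wp.pl's own logging; a blocklist or abuse report should name the address that actually connected to pgts04.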

Back To Index


Flogging A Dead Horse

Date: Sat, 15 Jan 2005 01:07:33 +1100

So this is the first blog entry ... Now what am I going to say? I am not very good at just putting my thoughts down. I usually spend too much time considering what I am about to say. But here I go ...

Yesterday afternoon I got an email from someone called Joseph (last name withheld unless he wants me to release it). He wanted to inquire about "acquiring my services". I arranged for him to ring me and we discussed his situation.

Joe lives in Queensland. I did not find out where exactly, but judging by the IP address of his first communication, it might be somewhere near Caloundra. It's not possible to say exactly, because many of the databases that map IP addresses to locations contain inaccuracies. This is because the topology of The Internet is extremely elastic, and there is nothing to prevent anyone from delegating an address to a corner of the globe that is millions of miles from their physical location. But that is a horse of an entirely different colour.

Joe rang from a public phone which sounded as though it was located near a park: I could hear some kids playing, and the rasping, long drawling croak of crows, in the background. A sound which always reminds me of the long summer days of my youth in Western Australia.

He was a home user and his problem was that he was being harassed by hackers. He went through a detailed list of problems that had struck him in the previous months. The litany included slow performance, persistent lockout of login accounts, and system crashes and reboots, all of which could have been due to hardware problems. But then he observed the words "Ha! Ha! Ha! Ha!" written in his system logs ... which seems like a smoking gun.

I told him that most computer systems are notoriously bad for security. I was going to recommend that he use an open source system, when he stated that he changed to Linux, and he still got hacked!

As I listened to his tale, it began to seem increasingly likely that someone had hacked his modem. His ISP was BigPond, and they had been exceedingly unhelpful.

I quickly went through a check list of things that he should look for. I started with physical security around the house, which, curiously enough, is something many people overlook when thinking about computer security: the easiest way into a system is often via the system console.

At one stage he said:

I'm not a bad person ... really ...
I don't associate with criminals or anything ...
I don't understand why they are doing this.
His voice trembled with a note of desperation ...

He said that he had tried contacting the police. However they had stated that unless there had been fraud, they would not send anyone to investigate.

It was quite a saga, and he was clearly upset by the experience. He had not actually checked my address when he contacted me, and it is not likely that I will be travelling to Queensland anytime soon. However I sent him an email detailing some of the things that he should look at regarding system security. Generally speaking a well-configured Open Source setup is orders of magnitude more secure than the other options. However there are a couple of obvious traps that need to be avoided.

Since then I have thought that I should set some of these down:

  1. Not all holes get closed. This is especially true for less experienced users who rely on a menu-driven installation process. Most of the major distributions offer a couple of choices on the install menu, and the security of the final installation depends on the choices you make. Most people are setting up a client workstation, and if this is the case you should choose maximum security and not set the machine up as a server. Even after doing this, you should check that telnet and ssh are not running. Unfortunately every distribution is slightly different, so the way that you check this varies between versions of Linux and BSD. In general the telnet and ssh daemons are called telnetd and sshd, and the following commands (the bracketed first letter stops grep from matching its own command line):
       	ps -ef | grep '[t]elnetd'
       	ps -ef | grep '[s]shd'
    
    should return nothing. Note that telnetd is usually started on demand by inetd or xinetd, so it will not appear in the process list until someone connects; the authoritative check is to list the ports the machine is actually listening on. If you have any doubts write to your local user group and I am sure that someone will help you further.
  2. Apart from that, you should disallow most services, except of course 80, 25 and 53. There really is no need for most of the other services. This especially applies to people who are not sure what a service is!
  3. Secure your modem/firewall. This is not part of the system install. However a broadband modem which is provided by your ISP or which you purchased from a local supplier often purports to be a firewall. Most of these leak like a sieve. They should not be called firewalls at all! This is the most obvious hole in the entire setup. A real firewall should not accept telnet from the public network. Once a cracker gets into this device he can just squat there for a while and use brute force attacks on anything on the local side. If your modem/firewall is in this category, make sure to close off telnet access from the public network.
  4. If other people have physical access to your workstation, use strong passwords to secure all accounts. And if you are using a GUI that can put a password on the screen saver, then do it. Also it is a good idea to log off when you finish using the system. Keep system disks in a secure place. Above all, try to be aware who does have physical access to the computer. Once someone has physical access it is much easier to hack into the system.
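A small script version of the telnetd/sshd check from item 1, added here as an example and not part of the original post. It reads ps -ef output from stdin and matches on the command column, so the grep itself or an outbound ssh client is never counted; the daemon names it looks for (telnetd, in.telnetd, sshd) are an assumption about the usual names, and the process listing at the bottom is constructed, not a real one.

```shell
#!/bin/sh
# Added example (not from the original post): look for the telnet and ssh
# daemons in "ps -ef" output. The listing is read from stdin so the same
# function can be run against the live system or a constructed sample.

# Print each remote-login daemon found, one per line, sorted and deduplicated.
# Matching on the command column (field 8 of ps -ef) means that a "grep telnet"
# or an outbound "ssh somehost" client is not mistaken for telnetd or sshd.
# The daemon names are an assumption about the usual names on Linux and BSD.
find_daemons() {
    awk '{
        cmd = $8                 # CMD column (the header row has "CMD" here)
        sub(/.*\//, "", cmd)     # drop a leading path such as /usr/sbin/
        sub(/:$/, "", cmd)       # "sshd: ..." style entries
        if (cmd == "telnetd" || cmd == "in.telnetd" || cmd == "sshd")
            print cmd
    }' | sort -u
}

# Check the live process table; a non-zero exit means a remote-login daemon
# is running on what should be a client workstation.
check_live() {
    found=$(ps -ef | find_daemons)
    if [ -n "$found" ]; then
        echo "WARNING: remote login daemon(s) running:" $found
        return 1
    fi
    echo "ok: no telnetd or sshd found"
    return 0
}

# Constructed sample of ps -ef output (not a real listing); note the
# "grep telnet" and "ssh pgts04" lines, which must not count as daemons.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan15 ?        00:00:01 /sbin/init
root       812     1  0 Jan15 ?        00:00:00 /usr/sbin/sshd
root       991     1  0 Jan15 ?        00:00:00 in.telnetd
gerry     1234  1200  0 10:38 pts/0    00:00:00 grep telnet
gerry     1240  1200  0 10:39 pts/0    00:00:00 ssh pgts04'
```

Run `check_live` on a workstation to test the real process table, or pipe `$SAMPLE_PS` into `find_daemons` to see which lines it picks out.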

So, Joe if you are reading this ... I hope things turned out ok. Send me an email if you want me to release your name.

Oh dear some spam has arrived ... So I might leave Joe's rather interesting case for the time being ... The headers are as follows:

 From qmjahgks@yahoo.com Sat Jan 15 03:48:48 2005
 Return-Path: <qmjahgks@yahoo.com>
 Received: from 83-134-7-200.Paille.GoPlus.FastDSL.tiscali.be (83-134-7-200.Paille.GoPlus.FastDSL.tiscali.be [83.134.7.200])
	by pgts04.pgts.com.au (8.11.6/8.11.6) with SMTP id j0EGmj810221
	for <gerry@xxxx.com.au>; Sat, 15 Jan 2005 03:48:46 +1100 (EST)
	(envelope-from qmjahgks@yahoo.com)
 X-Message-Info: MPLqPC627chB476BBKoggN1NFxjJH95U973WWF581oh8R
 Received: (from wvt13barberry@localhost)
	by gzw5-snick04.t285f.msn.com (7.51.32/7.77.61) id gi787FV2jp370213;
	Fri, 14 Jan 2005 10:38:44 -0600 GMT
 X-Authentication-Warning: ouf79-bernardo87.dh2xu.msn.com: puh7cover set sender to qmjahgks@yahoo.com using -o
 MIME-Version: 1.0
 Date: Fri, 14 Jan 2005 18:33:44 +0200
 From: Ethel London <qmjahgks@yahoo.com>
 Subject: REFILL  Your RX order ...DARVON..VALIUM...XANAX
 To: gerry@xxxx.com.au
 Message-Id: <jt588nbz3-208498851076-922314887191749219975531307758241@dryden9>
 Content-Type: multipart/alternative;
	boundary="--73059118967945244887"

Whois says that this entire Netblock has been assigned to other users. And directs me to look at http://www.ripe.net/whois

Ok ... then ... w3m gets me that info. The netblock is owned by a Belgian ISP called Tiscali ADSL Go/Plus and it appears that this particular netblock has been extraordinarily active at sending email (according to SenderBase).
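As an added example (not code from the original post), the following pulls the connecting client's address out of the headers above. Only the Received line stamped by the receiving MTA (pgts04.pgts.com.au here) can be trusted; the msn.com Received line below it arrived inside the message and could say anything. The sample headers are copied from the spam above, and the hostname argument is whatever your own MTA calls itself.

```shell
#!/bin/sh
# Added example (not part of the original post): extract the address of the
# host that actually connected to our MTA. Only the Received line our own
# server wrote (topmost, "by <our host>") is trusted; the Received lines
# below it were supplied by the sender and may be forged.

# Headers from the spam above, reproduced as a constructed sample. Continuation
# lines are indented, as in a real message.
SAMPLE_HEADERS='Received: from 83-134-7-200.Paille.GoPlus.FastDSL.tiscali.be (83-134-7-200.Paille.GoPlus.FastDSL.tiscali.be [83.134.7.200])
    by pgts04.pgts.com.au (8.11.6/8.11.6) with SMTP id j0EGmj810221
    for <gerry@xxxx.com.au>; Sat, 15 Jan 2005 03:48:46 +1100 (EST)
Received: (from wvt13barberry@localhost)
    by gzw5-snick04.t285f.msn.com (7.51.32/7.77.61) id gi787FV2jp370213;
    Fri, 14 Jan 2005 10:38:44 -0600 GMT
From: Ethel London <qmjahgks@yahoo.com>'

# Usage: connecting_ip OUR_MTA_HOSTNAME   (message headers on stdin)
# Unfolds continuation lines, then prints the bracketed address from the first
# Received line whose "by" host is ours. Prints nothing if no such line exists.
# (The dots in the hostname are treated as regex wildcards; good enough here.)
connecting_ip() {
    awk -v mta="$1" '
        function process(h) {
            if (done || h !~ /^Received:/) return
            if (h ~ (" by " mta " ") && match(h, /\[[0-9.]+\]/)) {
                print substr(h, RSTART + 1, RLENGTH - 2)
                done = 1
            }
        }
        /^[ \t]/ { sub(/^[ \t]+/, ""); hdr = hdr " " $0; next }  # fold continuation
        { if (hdr != "") process(hdr); hdr = $0 }
        END { if (hdr != "") process(hdr) }
    '
}
```

The address it prints is the one to feed to whois or SenderBase; the hostnames and ids in the lower Received line are not evidence of anything.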

Now I am just thinking on my feet here ... But, having just done some maintenance on the agent_strings database, I seem to recall several browser agents with "tiscali" or "Tiscali" attached to them. From memory they all seemed to be MSIE strings (well, did anyone really expect them to be w3m or lynx?).

This should be easy to find out ...

The list of browsers, and their names and date of last visit is:

MSIE 2002-10-02
MSIE 2003-01-19
MSIE 2003-03-17
MSIE 2003-05-12
MSIE 2003-05-19
MSIE 2004-02-03 81.131.120.3/32
MSIE 2004-02-14 205.188.209.71/32
MSIE 2004-02-14 195.93.34.10/32
MSIE 2004-02-15 62.252.0.4/32
MSIE 2004-03-15 82.3.65.27
MSIE 2004-04-07 82.84.196.145
Tiscali 2004-06-06 80.46.188.101
MSIE 2004-07-09 81.152.109.248
MSIE 2004-11-01 193.60.159.61
MSIE 2004-12-07 196.30.113.163
MSIE 2004-12-08 62.11.130.225
MSIE 2004-12-13 81.26.104.195

Of course none of the above may be related to the spam that I received but I thought I would include it in this blog anyway. If anyone knows what "Tiscali" actually does for an MSIE browser, drop me a line.

And if you'd like to know how I produced the above list, you can see the details here.

Now, before I went off on that tangent, it might be a good idea to ban the entire netblock ... which has now been done! The next time someone e-mails me from that netblock, they will get a message saying that they are under investigation. I need to work on the Mail Abuse software that I am working on ... another project.

And while I'm about it ... I still have to write the software to post this blog ...
