Tag: Spam

Calandra Vargas Won't Stop Spamming Me

In 2006, I made a mistake.

I was working for a small company in north Phoenix. (That was not the mistake. ...Well, actually, it was, but not the one I'm here to talk about today.) And I represented that company in a networking group of local small businesses.

One of the people in the group was Sam Crump. I'm not used to using people's real names when I tell stories like this, but Sam's a public figure, so I'm going to go ahead and make an exception in this case.

Sam owns a law firm. I can't tell you anything about it from personal experience, but I hear good things.

And in 2006, Sam decided to run for the state legislature.

Sam's politics are not my politics; he would later describe himself as a "Tea Party Republican," though people weren't calling themselves that yet. I wouldn't have voted for him. But I liked him; he was a nice guy, and so when he asked us all to join his mailing list, I went ahead and wrote my E-Mail down.

Never put your E-Mail address on a political mailing list. Not for a politician you agree with, and certainly not for one whose views you find appalling. No matter how much you like him as a person.

Now, I don't know for sure that Sam or his people sold or gave away my E-Mail address to some group that collects E-Mail addresses for various fringe Republican candidates. It could be just a coincidence. But it's an E-Mail address I don't give out to a lot of people, it's the only E-Mail where I regularly get right-wing spam, and it just so happens that I started getting right-wing spam at that address after giving it to a local right-wing politician. Maybe whatever godforsaken list that address got put on got it from someplace else. But if I had to guess, I'd say they got it from Sam.

In the past, I've gotten spam for Arizona political candidates including Pamela Gorman and Joe Arpaio. But the latest politician who won't leave me the fuck alone is a woman named Calandra Vargas, who is running for Congress in Colorado Springs.

I have never set foot in the state of Colorado.

In fact, I've explained that to Ms. Vargas, or whoever's reading her inbox (if anybody), multiple times, in between clicking the Unsubscribe link at the bottom of her E-Mails.

The campaign's response to my first unsubscribe request, a few weeks ago, was to send me three more fucking E-Mails. When I got them, I clicked the Unsubscribe link again, and sent a reply letting Ms. Vargas, or whoever's reading her inbox (if anybody), know that if I received any more E-Mails from her campaign I would report her to the FCC for violating the CAN-SPAM Act.

I got another E-Mail from the Vargas campaign today.

Calandra Vargas is a politician, so she's probably not used to dealing with people who keep their promises. But I'm a man of my word, and I filed that complaint. And if I hear from her again, I'll file another one.

Here's the FCC's guide to reporting spam. If you're getting unsolicited E-Mails from politicians who won't let you unsubscribe from their lists, they're breaking the law.

AOMEI is a Spammer

From: Doris
Subject: AOMEI Freeware Review Invitation (corporate-sellout.com contact form)
06/11/2016 11:15 PM

Dear admin,

This is Doris from AOMEI Technology Ltd. I am writing to invite you to evaluate our free backup and restore software - AOMEI Backupper Standard, the simplest free backup software. It has been upgraded to version 3.2 now, supporting Windows 10, Windows 8.1, Windows 8, Windows 7, Vista, and XP.

As freeware, our Backupper has many advantages which most other free backup software lacks, such as incremental backup, differential backup, scheduled automatic backup, bootable media creation, a PXE boot tool, dissimilar hardware restore, file synchronization, etc.
Download Link: [direct link to an executable file]
Learn more: [some generically-named website]

Could you please spare your precious time to test and review our freeware? Or could you please take a look at it and pass on your comments to me? Any of your suggestions will be much appreciated.

I am eagerly looking forward to your reply.

From: Thad Boyd
Subject: Re: AOMEI Freeware Review Invitation (corporate-sellout.com contact form)
06/13/2016 10:01 PM

What's that, Doris? You want to know if I'd be interested in writing up a nice blog post about how AOMEI Technology Ltd. is a dodgy company that advertises its products by spamming people's contact forms? Why, I would LOVE to!

E-Mails and Passwords

So the other day I decided it was past time to reset all my passwords.

I'm pretty good about password hygiene. I've been using a password locker for years, with a unique, randomly-generated* password for every account I use. But I'll admit that, like most of us, I don't do as good a job of password rotation as I might. That's probably because I've managed to amass over 150 different accounts across different sites, and resetting 150 different passwords is a giant pain in the ass.

(I'm thinking that, from here on in, I should pick a subset of passwords to reset every month, so I never wind up having to reset all 150 at once again. It would also help me to clear out the cruft and not keep logins for sites that no longer exist, or which I'm never going to use again, or where I can't even find the damn login page anymore.)

There was one more reason I decided now was a good time to do a mass update: I've got two E-Mail addresses that have turned into spam holes. As I've mentioned previously, I'm currently looking for work and getting inundated with job spam; unfortunately I went and put my primary E-Mail address at the top of my resume, which in hindsight was a mistake. Never post your personal E-Mail in any public place; always use a throwaway.

Which I do, most of the time -- and that's created a second problem: I've been signing up for websites with the same E-Mail address for 15 years, and also used to use it in my whois information. (I've since switched to dedicated E-Mail addresses that I use only for domain registration.) So now, that E-Mail has turned into a huge spam hole; it's currently got over 500 messages in its Junk folder, and that's with a filter that deletes anything that's been in there longer than a week. My spam filters are well-trained, but unfortunately they only run on the client side, not the server side, so any time Thunderbird isn't running on my desktop, my spam doesn't get filtered. (If I'm out of the house, I can tell if the network's gone down, because I start getting a bunch of spam in my inbox on my phone.)

So now I've gone and created two new E-Mail addresses: one that's just for E-Mails about jobs, and another as my new all-purpose signing-up-for-things address.

My hope is that the companies hammering my primary E-Mail address with job notifications will eventually switch to the new, jobs-only E-Mail address, and I'll get my personal E-Mail address back to normal. And that I can quit using the Spam Hole address entirely and switch all my accounts over to the new address. Which hopefully shouldn't get as spam-filled as the old one since I haven't published it in a publicly-accessible place like whois.

Anyway, some things to take into account with E-Mail and passwords:

  • Don't use your personal E-Mail address for anything but personal communication. Don't give it to anyone you don't know.
  • Keep at least one secondary E-Mail address that you can abandon if it gets compromised or filled up with spam. It's not necessarily a bad idea to have several -- in my case, I've got one for accounts at various sites, several that I use as contacts for web domains, and one that's just for communication about jobs.
  • Use a password locker. 1Password, Keepass, and Lastpass are all pretty highly-regarded, but they're just three of the many available options.
  • Remember all the different devices you'll be using these passwords on.
    • I'm using a Linux desktop, an OSX desktop, a Windows desktop, and an Android phone; that means I need to pick a password locker that will run on all those different OS's.
    • And have some way of keeping the data synced across them.
    • And don't forget that, even with a password locker, chances are that at some point you'll end up having to type some of these passwords manually, on a screen keyboard. Adding brackets and carets and other symbols to your password will make it more secure, but you're going to want to weigh that against the hassle of having to dive three levels deep into your screen keyboard just to type those symbols. It may be worth it if it's the password for, say, your bank account, but it's definitely not worth it for your Gmail login.
  • Of course, you need a master password to access all those other passwords, and you should choose a good one. There's no point in picking a bunch of unique, strong passwords if you protect them with a shitty unsecure password. There are ways to come up with a password that's secure but easy to remember:
    • The "correct horse battery staple" method of creating a passphrase of four random words is a good one, but there are caveats:
      • You have to make sure they're actually random words, words that don't have anything to do with each other. Edward Snowden's example, "MargaretThatcheris110%SEXY.", is not actually very secure; it follows correct English sentence structure, "MargaretThatcher" and "110%" are each effectively one word since they're commonly-used phrases, the word "SEXY" is common as fuck in passwords, and mixed case and punctuation don't really make your password significantly more secure if, for example, you capitalize the beginnings of words or entire words and end sentences with periods, question marks, or exclamation points. Basically, if you pick the words in your passphrase yourself, they're not random enough; use a computer to pick the words for you.
      • And this method unfortunately doesn't work very well on a screen keyboard. Unless you know of a screen keyboard that autocompletes words inside a password prompt but won't remember those words or their sequence. I think this would be a very good idea for screen keyboards to implement, but I don't know of any that do it.
    • There are programs and sites that generate pronounceable passwords -- something like "ahx2Boh8" or "ireeQuaico". Sequences of letters (and possibly numbers) that are gibberish but can be pronounced, which makes them easy to remember -- a little less secure than a password that doesn't follow such a rule, but a lot more secure than a dictionary word. But read reviews before you use one of these services -- you want to make sure that the passwords it generates are sufficiently random to be secure, and that it's reputable and can be trusted not to snoop on you and send that master password off to some third party. It's best to pick one that generates multiple passwords at once; if you pick one from a list it's harder for a third party to know which one you chose.
  • Of course, any password is memorable if you type it enough times.
  • And no password is going to protect you from a targeted attack by a sufficiently dedicated and resourceful attacker -- if somebody's after something you've got, he can probably find somebody in tech support for your ISP, or your registrar, or your hosting provider, or your phone company, or some company you've bought something from, somewhere, who can be tricked into giving him access to your account. Or maybe he'll exploit a zero-day vulnerability. Or maybe one of the sites you've got an account with will be compromised and they'll get everybody's account information. Password security isn't about protecting yourself against a targeted attack. It's about making yourself a bigger hassle to go after than the guy sitting next to you, like the old joke about "I don't have to outrun the tiger, I just have to outrun you." And it's about minimizing the amount of damage somebody can do if he does compromise one of your accounts.
  • And speaking of social engineering, security questions are deliberate vulnerabilities, and they are bullshit. Never answer a security question truthfully. If security questions are optional, do not fill them out. If they are not optional and a site forces you to add a security question, your best bet is to generate a pseudorandom answer (remember you may have to read it over the phone, so a pronounceable password or "correct horse battery staple"-style phrase would be a good idea here, though you could always just use letters and numbers too -- knowing the phonetic alphabet helps) and store it in your password locker alongside your username and password.
  • You know what else is stupid? Password strength indicators. I once used one (it was Plesk's) that rejected K"Nb\:uO`) as weak but accepted P@55w0rd as strong. You can generally ignore password strength indicators, unless they reject your password outright and make you come up with a new one.
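As an added example (not part of the original post, and not code from any of the password lockers named above), here is a small Python script that does the two things recommended in the list: it lets the computer, not you, pick the words for a "correct horse battery staple" passphrase, and it generates a pronounceable gibberish password of the "ahx2Boh8" sort that you could also use as a made-up security-question answer. It uses Python's `secrets` module (the OS CSPRNG) rather than `random`, and it works out the entropy in bits of each kind of password so you can see where "a little less secure than fully random, a lot more secure than a dictionary word" comes from. The 16-word list embedded in the script is a constructed stand-in; the consonant/vowel/digit pattern and the 94-character printable alphabet used for the "fully random" comparison are assumptions of this example, not anything the post specifies.

```python
import math
import secrets

# Constructed sample wordlist, for demonstration only. With 16 words each word
# adds only 4 bits; a real list such as the EFF long wordlist (7776 words)
# adds about 12.9 bits per word, so four words give roughly 52 bits.
WORDS = [
    "correct", "horse", "battery", "staple", "cactus", "monsoon", "ledger",
    "violin", "pepper", "glacier", "anchor", "turbine", "walnut", "fossil",
    "magnet", "saddle",
]

CONSONANTS = "bcdfghjklmnpqrstvwxz"  # 20 letters
VOWELS = "aeiouy"                    # 6 letters
DIGITS = "0123456789"
PRINTABLE_ALPHABET_SIZE = 94         # printable ASCII minus space (assumed)


def random_passphrase(n_words, wordlist=WORDS, sep=" "):
    """Pick n_words independently and uniformly from wordlist with the OS CSPRNG.

    The computer chooses the words; a human picking "random" words ends up with
    related words and sentence structure, which an attacker can model.
    """
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of n_words drawn independently from a list of wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def _alphabet_for(position, digits):
    """Alphabet used at each position of a pronounceable password (assumed pattern).

    Consonants and vowels alternate so the result can be spoken aloud; when
    digits=True, every fourth character is a digit instead of a vowel.
    """
    if digits and position % 4 == 3:
        return DIGITS
    return CONSONANTS if position % 2 == 0 else VOWELS


def pronounceable_password(length=8, digits=True):
    """Generate a gibberish-but-pronounceable password, e.g. 'bok3tuf9'."""
    return "".join(secrets.choice(_alphabet_for(i, digits)) for i in range(length))


def pronounceable_entropy_bits(length=8, digits=True):
    """Entropy of a pronounceable password: sum of log2(alphabet size) per position."""
    return sum(math.log2(len(_alphabet_for(i, digits))) for i in range(length))


def fully_random_entropy_bits(length):
    """Entropy of length characters drawn uniformly from the printable alphabet."""
    return length * math.log2(PRINTABLE_ALPHABET_SIZE)


def compare(length=8, n_words=4, real_wordlist_size=7776, dictionary_size=50000):
    """Return entropy estimates, in bits, for the password styles discussed."""
    return {
        "single dictionary word": math.log2(dictionary_size),
        "pronounceable %d chars" % length: pronounceable_entropy_bits(length),
        "fully random %d chars" % length: fully_random_entropy_bits(length),
        "%d words from %d-word list" % (n_words, real_wordlist_size):
            passphrase_entropy_bits(n_words, real_wordlist_size),
    }


if __name__ == "__main__":
    print("passphrase   :", random_passphrase(4))
    print("pronounceable:", pronounceable_password(8))
    for style, bits in compare().items():
        print("%-28s %5.1f bits" % (style, bits))
```

Run it and the entropy table makes the ordering in the post concrete: a lone dictionary word is about 15.6 bits, an 8-character pronounceable password of this pattern about 29 bits, a fully random 8-character printable password about 52 bits, and four words from a 7776-word list also about 52 bits, with the passphrase being far easier to remember. Whatever the generator, the strength comes entirely from how many equally likely outputs it has, which is also why a character-class "strength meter" that is happy with `P@55w0rd` is measuring the wrong thing.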

* For the purposes of this discussion, I will be using the words "random" and "pseudorandom" interchangeably, because the difference between the two things is beyond the scope of this post.

Spam

I just deleted 2.8 fuckloads of spam referrals from my stats and banned the sites responsible.

In the off chance that I accidentally deleted a site I shouldn't have, let me know.

If you don't want your site to be banned, then never, ever directly link my stats page.

Not a Bubble-Gum Gang Leader Like Rest of Slovakia

The rain never quite hit us yesterday. But it sure smelled divine for about twenty minutes.

But none hit Sky Harbor Airport, which, as that's Phoenix's weather center, means we're technically still in our dry spell. This is day 142.

On another note, what's the deal with ICQ?

You remember ICQ. It's the redheaded stepchild of IM networks. It was big in the late '90's when it was the only game in town besides AIM, but has long since been displaced by MSN and Yahoo. Of course, the fact that AOL bought it out probably hasn't done it any favors either.

The weird thing about ICQ, as compared to the other networks, is the amount of random contact I've received.

A few years back, my ICQ account was inundated with porn spam. That's died down, but just the last couple weeks I've started getting weird random contacts from China and eastern Europe.

A sample:

(08:45:10) 264737669: hi
(08:46:46) 264737669: hey homie
(08:46:50) 264737669: write to me
(08:47:13) 264737669: i´m not a bubble gum gang leader like rest of slovakia

Now, my ICQ number's been relatively easy to find for the past...Jesus, has it been seven years already? Probably seven years. (Just for perspective, my ICQ number is seven digits, compared to the nine on my Slovakian friend's.) So my question is...why the hell have I just now started getting these messages? Where has my account number been recently posted to attract the attention of bubble-gum gang-leading Slovakians?

And on another topic, what genius decided Gaim should display ICQ numbers by default instead of nicknames? In the rare event that somebody I know drops me a message, I generally don't know who the hell it is, even if he's on my list under a nickname.

The world may never know. But at least somebody's asking the right questions.