This blog is retired.

Archive for the ‘Explanations’ Category

WordPress spam - II. Types of spam.

Wednesday, February 13th, 2008

I know 3 types of spam in WordPress, and speculate one more:

* comment spam
* trackback (or pingback) spam
* registration spam
* plugin spam


How to Give Your Hard Work Away For Free

Wednesday, November 7th, 2007

Good job! You’ve built a great web site that’s going to attract a lot of visitors. But before you start counting all of that money you plan to make, take a moment to meet Mr. FUD.

Yep, good old Fear, Uncertainty, and Doubt is about to step into your life if you’re thinking about adding a CAPTCHA gateway to your registration or message forms. Here are two reasons why:


Why phpBB and PHP-Nuke developers are not bothered by spam?

Thursday, November 1st, 2007

I always wondered why the support forums of phpBB and PHP-Nuke are free of spam. Yes, there is a number of moderators, but bots work faster than people and they are never tired. Recently I stumbled upon the “don’t spam here” list of XRumer (the best spam bot) and realized it all:

The industry-leading spam bots don’t spam the developers’ forums! That’s why the developers don’t know that the spam problem is so important to users. That’s why the developers don’t improve the spam protection.

I’ve looked through the black (hmm… white?) list and decided to highlight some sites:


The evil idea again, now with the screenshot and with Harry Potter quiz

Sunday, October 21st, 2007

The post “Evil Idea: Make money from spammers!” has raised a number of comments. The intermediate verdict is: “A bad idea if put into practice, not a bad idea in theory”. Probably I know the first step to refactor the idea. Let’s try this way:


Spam and the Commercial Malware Industry

Wednesday, October 3rd, 2007

Evil spammers and renegade programmers aren’t who you think they are. Sure, both types of Internet abusers can trace their origins back to random individuals who weren’t commercially organized and whose actions didn’t really cause a huge ripple effect across the ‘Net. But all of that has changed.

Today’s virus attacks are written by professional software developers who charge fees to buyers who want to release their own spam, virus or Trojan horse attack. Developers sell plug-and-play “instant virus outbreaks” and root kits that can be purchased and downloaded online. Organized crime cartels from around the world have sunk their claws into the Internet and they’re making billions of dollars per year running their spam networks and phishing sites.


Too Bad You Can’t Look Spammers Up In The Telephone Book Part II

Sunday, September 30th, 2007

In my last post I told you about some BB anti-spam protection schemes out there that rely upon third-party spam reports to build a list of know spammers who frequent the forum community and blogosphere. I also wrote about why this method of protecting your site from spam wasn’t as good an idea as it seemed from a technical point of view. Today I want to tell you about a few legal issues you may face if you choose to utilize a blacklist.

One of the biggest legal obstacles is that UK webmasters are subject to fines and penalties if they transmit sensitive user data to any organisation that is not subject to the UK Data Protection Act.


Too Bad You Can’t Look Spammers Up In The Telephone Book

Wednesday, September 26th, 2007

Wouldn’t it be great if you could get access to an automatically maintained list of forum spammers and simply check each new member against it before you allowed someone to register or create a new post? Well you kind of can do that, to some extent, but you may not want to. Here’s why…


How does Advanced Textual Confirmation work

Sunday, September 23rd, 2007

Many people, including me, believe that security by obscurity gives a false sense of security. Any security tool must be available in source code, even to bad guys. But Advanced Textual Confirmation (ATC) is encoded. Why?

It’s all about the business. If I deliver the tool as is, some “alternatively smart” programmer can copy/paste the code in a few minutes and start selling the clone. This is my worry: “alternatively smart” programmers.

To satisfy those who are against security by obscurity, I’m diclosing the ATC internals is this post. Warning: to understand the text in full, you have to be a web programmer.


MOD Textual Confirmation Rises From Pit of Despair

Sunday, September 9th, 2007

True Story:

I became so irritated from using phpBB2 Advanced Visual Confirmation, which ended up causing me more trouble that it was worth, that I finally did something about it.

After thinking that I had wrapped a spammer-proof wall of security around my forum, I discovered that spammers were having an easier time decrypting my captcha images than my authorized members were. In fact, I often ended up having to manually register new users who I thought weren’t smart enough to decipher the image that was sitting right there in front of their face. It was only after I tried (and failed) to register one particular user 5 times that the truth hit me:

When it comes to default captcha decoding skills: Computers win, humans lose.


Captcha recognition experiment

Wednesday, August 29th, 2007

Just stumbled upon the article “Using AI to beat CAPTCHA and post comment spam”. There is a number of projects related to breaking CAPTCHAs and a number of articles on the topic, but this article strikes me most, because of: