Mailinator anti-spam tool


sidney
December 29th, 2008, 02:02 PM
I just encountered a very specialized free anti-spam service that I thought is really neat in its simplicity at accomplishing one very narrow task in anti-spam.

Mailinator (http://www.mailinator.com/faq.jsp) does one thing and does it very well. You use it when you want to provide someone with a throw-away email address that they are going to use immediately to send you mail where secrecy is not a big concern and you don't trust them enough to give out a real email address. For example, you can use it to register with a forum using a temporary email address that you will have access to for a few hours, long enough to confirm the registration. If you decide to give the forum a permanent email address, you change your profile in the forum, but there is no reason to give any information that points to you personally until you decide you want to.

The simplicity of the service is what I find amazing. Mailinator accepts email sent to any address in any of their domains, allows anyone to read mail in any mailbox whose name they know without any password, and deletes all mail after a few hours. So you can, for example, register with a forum or a newspaper site that requires a confirmed working email address making up a mailinator.com address on the spot that nobody is likely to use, guess, or look at in the next few hours, retrieve the email from that address by going to their website and entering the email address, then let it disappear without a trace. There are no accounts or logins on mailinator, and nothing you have to do in advance to choose or prepare a mailbox.

If you have a use for it for which it would be a concern that the person you give the mailinator email address would recognize what it is and would be able to also read the mail sent to that address, you can add one step to the process to prevent that: You go to their website, enter the email address that you want to use, and are given a unique alias email address to have the mail sent to. You give out that alias address and only you know the address to read the mail. For the common use of registering with a throwaway email address that is not an issue.

Judy G. Russell
December 29th, 2008, 11:04 PM
Very cool, Sidney! Thanks!

MollyM/CA
December 30th, 2008, 12:03 AM
Hey, sounds useful -- good catch and thanks.

mm

Mike
December 30th, 2008, 03:22 AM
I just encountered a very specialized free anti-spam service that I thought is really neat in its simplicity at accomplishing one very narrow task in anti-spam.
I've been using SpamGourmet (http://spamgourmet.com) for "temporary" things, Sidney. That also doesn't require setting anything up before giving out the address, and the address expires after a specified number of messages (specified within the address) have been sent to it. The real beauty is the messages are forwarded to a permanent address, which can be accessed however messages already are accessed.

There's also OtherInbox (http://beta.otherinbox.com), which allows addresses to be created and used on the fly without any previous set up, but I don't know if it will be free long-term, like SpamGourmet.

sidney
December 30th, 2008, 04:41 AM
I've been using SpamGourmet (http://spamgourmet.com) for "temporary" things

So have I, and I started to contrast mailinator with it and then decided to keep the post shorter. Before I encountered spamgourmet I tried creating email aliases in my domain on the fly so that I could, for example, use a unique email address when registering with each vendor and so know who was leaking my address to spammers. By the time spamming was enough of an annoyance for me to consider doing that I had already disabled having a "catch-all" address on my domain, so email to random addresses did not end up in my mailbox. That meant that every time I was presented with a request for an email address I would have to stop what I was doing, browse to my ISP's control panel, create a new email alias, then go back to the registration if it had not by then timed out.

Needless to say, I more often decided not to bother with generating special purpose email addresses.

Then Sonic.net enabled the feature of Sendmail that lets you add '+' and a character string after any email address name and delivers all such mail to the mailbox identified before the '+'. That allowed me to, for example, define an email alias of reg@example.com that delivers to my inbox, and it would also deliver mail sent to reg+amazon@example.com and reg+nyt@example.com, and so on. I could also define an alias for reg+somespammer@example.com that bounces or goes nowhere if one of the addresses I gave out ends up on a spammer's list.

The use scenario went like this: Faced with a request for an email address to register with Acme Products, I make up one on the spot for reg+acmeprod@example.com. It works immediately, sending mail to my inbox, so their confirmation email does not bounce. Later, at my leisure, I log in to my account at my ISP and explicitly define a reg+acmeprod email address on my example.com domain. That records for my reference that I am using that address. If I ever get spam on it I can change the definition to one that throws away mail sent to it.

There are a few disadvantages to that setup which led me to try spamgourmet when I heard about it, as well as some extra functionality that spamgourmet provides. 1) Some website designers do not properly code their forms that process email addresses and treat '+' as an illegal character, rejecting such email addresses. 2) The email address contains my own domain, which ties the address and the registration right to me. I can imagine wanting to be more anonymous with someone to whom I don't want to give out my primary email address. 3) The pattern could be obvious to anyone who sees the email address. If they know anything about Sendmail they could realize the implication of a reg+Vendor@example.com address that just about any made up reg+foo@example.com will be delivered to me.

So that led to SpamGourmet, which allows me to make up an email address on the spot with no login required before it is used, doesn't have any funny characters that a web site might reject, and isn't closely tied to me the way my own domain is. Spamgourmet has another advantage, that I can name the made up email address with an embedded number, and after that many emails are sent to it the address will self-destruct and no longer accept mail. That lets me have a temporary mailbox with no need for me to log in somewhere to delete it.

Spamgourmet does have disadvantage #3 in the above list, that anyone who sees the email addresses, and especially if they recognize the domain as being a spamgourmet domain, will see the pattern in the email address, which is always somearbitrarystring.number.MYUSERNAME@spamgourmet.com

It is true that Spamgourmet provides fixes for that last problem, but that requires a little bit of configuration and regular re-configuration. Overall, though, it performs its functions very well, for when you want to have temporary email addresses that are not linked directly to you, that will deliver to your email box, and which will self-destruct after you have received a certain number of messages at that address.

In contrast, mailinator is only for one-time use email addresses (or rather, addresses with just a few hours lifetime) that are in no way tied to you personally, have no recognizable pattern, that require no setup at all and always self-destruct after some hours. Within that narrow usage pattern, I think it would do a better job than spamgourmet.

I just looked at OtherInbox and I don't see the advantages of that one compared to what I can do with an arbitrary number of email aliases I can set up in my own domain. I particularly don't like the answer they give in their FAQ to the question about spammers sending spam to arbitrary made up email addresses in their domain so the spam would end up in the user's mailbox.

-- sidney

Mike
December 31st, 2008, 03:29 AM
I like the idea of having an address expire after a few hours, but in some cases, the email I was expecting was not sent until much later--even the following day!

I normally use one of the alternative domains at Spamgourmet (my favorite is xoxy.net). To further obfuscate the pattern, instead of using a number for the portion of the address that defines the quantity of emails before expiring, I use a word.

SG also tells me the three latest spams that were eaten when I do log in, and it's fun to see what abandoned addresses are still being pestered.

I use SG for all contacts with a new merchant, and once I'm comfortable that the merchant won't spam me, then I change my profile to a regular mailbox (although I don't use my primary box!).

sidney
December 31st, 2008, 05:19 AM
I like the idea of having an address expire after a few hours

Actually it is only the mail itself that expires after a few hours, not the address. The addresses never expire because mailinator accepts mail to any address at any time. They just delete each message a few hours after it comes in, so you would have to check that often.

in some cases, the email I was expecting was not sent until much later--even the following day!

Unless you don't mind checking the mail every couple of hours that would be a use case that you would not want to use mailinator for. They really are about doing just one thing and doing that one thing well. Spamgourmet does other things, and does them really, really well.

Mike
January 1st, 2009, 12:35 AM
Thanks for the additional clarifications. I can see some use for Mailinator, but I suspect it's much more useful for other people than for me. :-)

ktinkel
January 1st, 2009, 11:25 AM
I use SG for all contacts with a new merchant, and once I'm comfortable that the merchant won't spam me, then I change my profile to a regular mailbox …
You are a good citizen!

On our forum we are plagued by messages to people who sign up with a dummy address, start a thread and ask for e-mail notification of any replies, get some, and they bounce — back to me! Grrrr.

If I don’t know the people or if they have not been participating in discussions, I just delete them. But what a waste of time (and band-width, sometimes).

Judy G. Russell
January 1st, 2009, 11:56 PM
they bounce — back to me! Grrrr.
That's annoying...

Mike
January 2nd, 2009, 12:22 AM
You are a good citizen!
<beam!>

At least SpamGourmet addresses won't bounce, even if the messages don't get delivered.

On our forum we are plagued by messages to people who sign up with a dummy address, start a thread and ask for e-mail notification of any replies, get some, and they bounce
Are they truly dummy addresses, or abandoned addresses? I know a lot of people who switch addresses and figure a mass email to everyone in their address book will take care of it, forgetting about all the other places the former address has been used.

ktinkel
January 2nd, 2009, 08:40 AM
Are they truly dummy addresses, or abandoned addresses? I know a lot of people who switch addresses and figure a mass email to everyone in their address book will take care of it, forgetting about all the other places the former address has been used.
Good question. Many (even most) of them have numbers and are at free e-mail sites — Yahoo, GMail, Hotmail, etc. Very rarely does someone sign up with a named site and not have it continue to work.

Spammers also often use numbers; and many use GMail.

So I always cock a crooked eye at addresses with numbers in them.

Mike
January 3rd, 2009, 02:54 AM
Good question. Many (even most) of them have numbers and are at free e-mail sites — Yahoo, GMail, Hotmail, etc. Very rarely does someone sign up with a named site and not have it continue to work.

Spammers also often use numbers; and many use GMail.
I try not to attribute to malice that which can be explained by stupidity (or ignorance). Also, being a believer in Occam's Razor <g>, I would suggest the following:


Many people who register for free mail addresses learn their first preference is already taken. However, the sites try to be helpful and suggest the same name with a numeric suffix. (OTOH, many spam filters include "email address ends with numbers" as one of the criteria for determining which emails might be spam. <shrug>)
Some people have learned that email addresses that are simply collections of letters are more likely to get spammed from dictionary attacks.
Many people who initially have obtained free email addresses later have changed ISPs (usually going to broadband) and have acquired new email addresses.
Many other people got tired of all the spam pouring into their free accounts and have acquired new email addresses.

I abandoned my Yahoo! mail account, mksfbay, because it's second only to my Classic CS account in the amount of spam it receives. I learned my lesson, and my Gmail accounts all have numbers in the addresses (some as suffixes, but others embedded within the address).

I'm sure there are some people who intentionally used an invalid address when registering for the forum. But my personal belief is that more people simply have forgotten the address they used to register for the forum no longer is valid.

ktinkel
January 3rd, 2009, 10:40 AM
On DTP we get approximately 20 spammers a week. Some of them we accept (not intentionally but because we don’t want to miss any one who might be a good member). But if they spam, we boot them, and record their details.

That is how we noticed that numbers were common in most of the addresses (along with implausible alpha names and/or a little mismatch between username and e-mail name). But there are other tell-tales, and it is the accumulation, not one detail or another, that triggers a refusal.

sidney
January 3rd, 2009, 04:04 PM
On DTP we get approximately 20 spammers a week

Do these seem to be people who manually go through the registration process, answer the anti-spam question, and actually post spams? Or might they be spam bots that are written to hit VBulletin sites and somehow are able to handle your verification question as well as the CAPTCHA?

If the latter, I wonder if a simple mod that requires Javascript to be enabled to get through the registration page would be enough to stop them. Not just checking if the browser claims that Javascript is enabled, but a few lines of Javascript that stores some critical attribute into the form, without which the registration form will not work.

ktinkel
January 3rd, 2009, 09:04 PM
Do these seem to be people who manually go through the registration process, answer the anti-spam question, and actually post spams? Or might they be spam bots that are written to hit VBulletin sites and somehow are able to handle your verification question as well as the CAPTCHA?
Not sure. I have changed the question several times, and it doesn’t seem to matter much. I also have a plug-in that causes a post with certain words/phrases to be sent to moderation if their message count is below my threshold (and that is included in the spammer count). I suspect many of these are scripts, but messing with Javascript is way beyond my skill set!

We do manage them fairly well; that is, the forum members almost never see a spam message (almost all go to moderation). It is mostly an annoyance for the staff.

Cannot say the same for my own e-mail. Most of it on my old CIS account is spam. And much on my first personal domain (before I understood the need to obfuscate e-mail addresses) is spam, even though it is now on a host that uses MailFoundry.

sidney
January 3rd, 2009, 11:29 PM
I suspect many of these are scripts, but messing with Javascript is way beyond my skill set!

Are you comfortable with editing a VBulletin template? I have a few lines you can add to the registration template which will force anyone who wants to register to have Javascript enabled, displaying "Javascript must be enabled to register on this site" instead of the form if it isn't, but not changing anything else about the registration process. If you do have bots getting through the question somehow, this may stop them cold. Of course if you are seeing actual human spammers, this won't help, but I don't see how spammers could get enough volume doing these things by hand.

Also, if I could get access to your server access logs I may be able to figure out if they are bots and if they are, how they are getting in. Email me if you want me to pursue this for you.

Mike
January 4th, 2009, 03:57 AM
On DTP we get approximately 20 spammers a week. ... That is how we noticed that numbers were common in most of the addresses (along with implausible alpha names and/or a little mismatch between username and e-mail name). But there are other tell-tales, and it is the accumulation, not one detail or another, that triggers a refusal.
Indeed, those are marks of spammers, but not guarantees that the person using the address is a spammer.

Without seeing the messages in question (along with other messages posted by the same IDs), however, I'm loath to judge a person as a spammer simply because of a non-intuitive alpha part of the address with a numeric suffix.

Dan in Saint Louis
January 4th, 2009, 09:13 AM
I don't see how spammers could get enough volume doing these things by hand.
Cheap labor in certain parts of the world. I understand such labor can be bought for a couple of bucks a day.

sidney
January 4th, 2009, 01:35 PM
I suspect many of these are scripts, but messing with Javascript is way beyond my skill set!

Kathleen, I was playing with some antispam tricks and came up with a simple change to the registration template that should be quite effective if they are bots that are hitting your site. The only downside for users is that someone would have to have Javascript enabled during the registration process if they want to register a new user account.

Go to your admin console (click the admin link at the bottom of your forum page), click the expand arrow on Styles and Templates in the left navigation bar, then click on Style Manager. Click on the dropdown box on the resulting page, which will say "All Style Options" and select "Edit Templates".

Scroll down the box that shows up (which is a collapsible outline of templates) to find "Registration Templates" and double click on that to expand the list of registration templates. One of them will be named "register" and you should double-click on that, which will open an edit box for the registration template. Now, finally you are ready to make some changes to the registration template.

IMPORTANT NOTE: In case something goes wrong, notice that if instead of double clicking on "register" you just single click on it, the main window will show you some information about the register template with buttons that say things like "customize", "edit" and "revert". If after this is over you have somehow broken registration, you can go back to the original template by getting to this point and clicking on that Revert button. Keep this note in mind, just in case :)

In that edit box, scroll down (something like 50 lines or less, I think) until you find something that looks like:

<if condition="$show['coppa']">
document.forms.register.password.value = pass_copy;
document.forms.register.passwordconfirm.value = passconfirm_copy;
</if>
return true;
}
return false;
}
</script>

<form action="register.php?do=addmember" name="register" method="post"
onsubmit="return verify_passwords(password, passwordconfirm);">


If your version is slightly different, that's ok. Just before the "return true;" line insert the following:

document.forms.register.action = "register.php?do=addmember";

Just before the "<form action=" line insert the following:

<noscript>
<h2>Javascript is required to be enabled during registration</h2>
</noscript>

And finally, in the "<form action=" line, change that action field so the line begins with

<form action="nospamplease.php"

Be sure to replace the existing action="register.php?do=addmember" but do not change anything else about that line. The result should look like

<if condition="$show['coppa']">
document.forms.register.password.value = pass_copy;
document.forms.register.passwordconfirm.value = passconfirm_copy;
</if>
document.forms.register.action = "register.php?do=addmember";
return true;
}
return false;
}
</script>

<noscript>
<h2>Javascript is required to be enabled during registration</h2>
</noscript>
<form action="nospamplease.php" name="register" method="post"
onsubmit="return verify_passwords(password, passwordconfirm);">


Underneath the edit box, select the checkbox "Save in Template History" and enter a comment in the comment box underneath it to remind you of why you made this change. Finally, click on the Save button under that.

Now log out of the forum, go to the forum home page, click on the "register" link, and then turn off Javascript in your browser. Confirm that when you get to the registration page 1) You see a message in big letters that Javascript must be enabled, and 2) If you go ahead and try to register anyway, when you submit the form you go to a page not found for the nonexistent page "nospamplease.php". Finally confirm that registration works normally if you do have Javascript enabled.

That's it. As usual, it is much simpler to do than to read through an attempt to capture every detail in a step by step description of the process :)

ktinkel
January 7th, 2009, 02:29 PM
Indeed, those are marks of spammers, but not guarantees that the person using the address is a spammer.

Without seeing the messages in question (along with other messages posted by the same IDs), however, I'm loath to judge a person as a spammer simply because of a non-intuitive alpha part of the address with a numeric suffix.
I actually have a bunch of earmarks, but I would rather not talk about them in public. As it is, as soon as word gets out, they adopt a new pattern. It is the pattern — two or three earmarks — that triggers a rejection. And if I have any doubt I accept them.

The last 5 times I accepted someone who triggered my markers, because I really like to give people the benefit of the doubt, we got spammed (caught by the moderation plug-in) — messages offering long lists of drugs or audio/computer gear at unreal prices or with links to a dubious web site — so I am pretty sure we are not being ham-fisted about this. We really do want members. Just not spamming ones!

Of course, there are always new approaches; the miscreants are like viruses, endlessly mutating.

ktinkel
January 7th, 2009, 02:47 PM
Are you comfortable with editing a VBulletin template? I have a few lines you can add to the registration template which will force anyone who wants to register to have Javascript enabled, displaying "Javascript must be enabled to register on this site" instead of the form if it isn't, but not changing anything else about the registration process. If you do have bots getting through the question somehow, this may stop them cold. Of course if you are seeing actual human spammers, this won't help, but I don't see how spammers could get enough volume doing these things by hand.

Also, if I could get access to your server access logs I may be able to figure out if they are bots and if they are, how they are getting in. Email me if you want me to pursue this for you.
Thank you. I would be glad to let you look at our logs; I use Summary to view them, but do not really understand all that I see. :(

My impression is that we get several types of spam: some are campaigns (offering to buy/sell gold, for example; we get several a month — but except for one who fooled me, these are rejected). They are probably scripted. Others seem like real people but turn out to be selling something or shilling for some sort of sales site. And then there are others that are kind of hit or miss (including a couple of serious polemicists), most of them probably one-offs.

I will send you a handful of recent access and error logs. They seem pretty much alike to my untutored eye, but if you spot something I would love to know how to deal with it. Merci.

sidney
January 7th, 2009, 03:16 PM
I will send you a handful of recent access and error logs

I just thought of something that could be very useful: If there is an account that you suspect is a bot who successfully registered an account and you have the access logs that you believe cover the time when they actually registered, and especially if you have their ip address, I could tell exactly what they did to bypass your antispam registration protection.

If you can't get that it will still be useful to see access logs, but it will be hit and miss if any of them happen to contain an actual example of a spam bot successfully registering.

BTW, send me a private message if you don't already know my email address.
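
An added example, not part of the original thread and not sidney's code: once the decoy form action described above is in place, the access logs sidney asks for can be sorted per IP into clients that posted to the decoy, clients that posted to the real action without ever loading the form, and clients that ran the Javascript. It assumes Apache "combined" log lines; the function names and sample log lines are constructed for illustration.

```javascript
// Classify registration attempts per client IP from an access log.
// Assumptions (not from the thread): NCSA/Apache "combined" log format, and
// the page names used in the template change: register.php serves the form,
// nospamplease.php is the decoy action, register.php?do=addmember the real one.

const LOG_LINE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+(?: "([^"]*)" "([^"]*)")?/;
const FORM_PAGE = /(^|\/)register\.php(\?|$)/;
const DECOY_ACTION = /(^|\/)nospamplease\.php(\?|$)/;
const REAL_ACTION = /(^|\/)register\.php\?(?:.*&)?do=addmember(&|$)/;

function parseLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null; // not a combined-format line; skip it
  const [, ip, time, method, path, status, referer = "", agent = ""] = m;
  return { ip, time, method, path, status: Number(status), referer, agent };
}

// Returns { ip: verdict } where verdict is one of:
//   "decoy"      - submitted the form with its static action (no Javascript ran)
//   "blind-post" - posted to the real action without fetching the form first
//   "js-capable" - fetched the form, then posted to the real action
//   "none"       - no registration POST seen in these lines
function classifyRegistrations(lines) {
  const byIp = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    if (!byIp.has(e.ip)) {
      byIp.set(e.ip, { sawForm: false, decoy: 0, real: 0, blind: 0 });
    }
    const s = byIp.get(e.ip);
    if (e.method === "GET" && FORM_PAGE.test(e.path)) {
      s.sawForm = true;
    } else if (e.method === "POST" && DECOY_ACTION.test(e.path)) {
      s.decoy += 1;
    } else if (e.method === "POST" && REAL_ACTION.test(e.path)) {
      s.real += 1;
      if (!s.sawForm) s.blind += 1; // lines must be in time order for this
    }
  }
  const verdicts = {};
  for (const [ip, s] of byIp) {
    if (s.decoy > 0) verdicts[ip] = "decoy";
    else if (s.blind > 0) verdicts[ip] = "blind-post";
    else if (s.real > 0) verdicts[ip] = "js-capable";
    else verdicts[ip] = "none";
  }
  return verdicts;
}

// Constructed sample log lines (documentation IP ranges, made-up agents).
const SAMPLE_LOG = [
  '192.0.2.10 - - [03/Jan/2009:10:00:01 -0800] "GET /register.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"',
  '192.0.2.10 - - [03/Jan/2009:10:01:30 -0800] "POST /register.php?do=addmember HTTP/1.1" 200 2048 "http://forum.example/register.php" "Mozilla/5.0 (constructed)"',
  '198.51.100.7 - - [03/Jan/2009:10:05:00 -0800] "GET /register.php HTTP/1.0" 200 5120 "-" "constructed-bot/1.0"',
  '198.51.100.7 - - [03/Jan/2009:10:05:01 -0800] "POST /nospamplease.php HTTP/1.0" 404 310 "-" "constructed-bot/1.0"',
  '203.0.113.5 - - [03/Jan/2009:10:09:12 -0800] "POST /register.php?do=addmember HTTP/1.0" 200 2048 "-" "constructed-bot/2.0"',
  '203.0.113.9 - - [03/Jan/2009:10:11:00 -0800] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (constructed)"',
];

console.log(classifyRegistrations(SAMPLE_LOG));
```

A "js-capable" verdict only says the form's script ran, so it covers ordinary browsers and anything driving one; it does not show that a person filled in the form.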

ktinkel
January 8th, 2009, 10:45 AM
I just thought of something that could be very useful: If there is an account that you suspect is a bot who successfully registered an account and you have the access logs that you believe cover the time when they actually registered, and especially if you have their ip address, I could tell exactly what they did to bypass your antispam registration protection.
That sounds promising. I will find half a dozen of the likely spammers and send all their info (date, time, IP, etc.).

BTW, send me a private message if you don't already know my email address.
Okay. And thanks.

Mike
January 9th, 2009, 03:31 AM
I actually have a bunch of earmarks, but I would rather not talk about them in public.
D'accord. But I'm glad to hear they're not limited only to the format of the email address!

ktinkel
January 9th, 2009, 10:50 AM
I would like to give that a try, but guess we need to upgrade to 3.7x first. We set up a test forum, but let it slide after that. Now I see that 3.8 is imminent. Sigh.