Hardly a surprising statistic when you look at the amount of trouble this meagre site has had with the spamming hordes. I wouldn’t care to guess what the ratio of spam-to-ham is like here, but I bet it’s nowhere near as good as 6% real meat.

Fortunately, the spammers that hit this site regularly are a particularly stupid bunch, and even a small sample of their automated antics was enough to build a bulletproof spam filter back in January. Recently, though, they’ve started being a bit more subtle:

These enigmatic gems pushed me over the edge and I implemented Akismet, an online service for preventing comment spam. Their home page is where I got my 94% figure.

The idea’s simple enough: when someone sees fit to hurl their erudite observations at your feet, your blog queries Akismet’s web service with the contents, and receives the thumbs-up or thumbs-down from them in reply.

So far it seems to work, with one minor drawback: all my own comments are flagged as spam. Less than ideal, but hopefully that’ll stop with time.

Victory over the bastards again – for another six months at least.

Remember the good old days when email spam was straightforward? You’d crack open your email account to be met with a deluge of subject lines promising HOT HOT SEX and WILD, WILD, WILD TRACTION ACTION – and that was just the ad for Microsoft Monster Truck Madness – and perhaps the odd message, buried within it, from your mate who’d just discovered the Internet. Life was simpler then.

Nowadays, spammers go to all sorts of lengths to make their subject lines look innocuous, and one of their favourites is including a common name in the hope that it’s yours. You know the sort of thing: “Hi, Dave!” or “Check this out, John Smith!”. That’s some good spamming, and fairly likely to be semi-successful.

Then we have the cretins who bombard huz.org.uk’s role accounts:

Pantograph… Snaffle?

Good work, guys.

Can you guess how many have been blocked since last Sunday, 18th June, readers?

The answer: 1134. Man, subtlety is not the spammer’s strong suit.

Apparently spammers, not content with spamming-up my comments, have now moved on to abusing my email form (now defunct). What fun! This time they’ve concocted an ingenious wheeze for injecting their own headers into the generated emails, allowing them to add their own ‘Cc:’ and ‘Bcc:’ lines with impunity. That allows them to fire emails off to all and sundry – in addition to me, the unchangable ‘To:’ addressee, of course.

This is all possible thanks to the wonders of injection for the PHP mail() function. It’s simple enough: you shove in some magic characters when filling in the form, and suddenly you can write whatever you want in the email headers. Not good.

Why is this still possible? It’s 2006! The first time I came across a problem like this, it was on a MUD. Yes, that fine piece of 80s technology, friend of university procrastinators everywhere. (The only friend, but we won’t go into that.) You could exploit badly written code to inject your own, wreaking all kinds of havok if you chose your mark carefully.

Sound familiar?

Why is the PHP mail() function so stupid? Why is it left to the PHP programmer to prevent this nastiness? Why is it left to any user of any similar function to consider all these possibilities? It’s not reasonable to expect PHP programmers each to duplicate each others’ effort, all to thwart the same idiotic flaw in a built-in function.

I’m sure it’s a simple oversight on the part of the PHP developers – as are most flaws allowing this kind of injection – but hey, it’s not called a rant for nothing. Bloody PHP, and bloody spammers.

I haven’t personally had much spam in a long time – this isn’t a hint – mostly because I avoid posting my email address anywhere and I make sure I sign up for sites using a Hotmail address I don’t ever have to look at. I think that’s the most effective way of keeping email spammers at bay, but there are a few more.

SpamAssassin is super if you can be bothered to get it running; it’s written in Perl and only really works on Unix systems. It’s great though – it assigns scores to various spam-like attributes, and if a message scores above a certain threshold, it’s thrown out. Very clever. The Thunderbird email client lets you mark messages as “spam” or “not spam”, and learns from experience. That’s pretty clever too.

It could improve your life!

Others, however, are like this:

Tihs eliam was setn by the Bcralays serevr to vyfire yoru emial arddess. You mtsu ctelpmoe tsih prsseco by cilcking on the lkni bwole and egniretn in the slaml winodw yruo Bacrlays Membeihsrp numbre, passcode and melbarome wdro.
Tsih is doen for yuor protcetion – bsuacee smoe of our mrebmes no lregno hvae acecss to tehir emial arddesses and we msut vefiry it. To virefy yruo eliam adsserd and acecss yruo bakn acnuoct , clc on the lkni bleow:

Well, quite. Rest assured I’ll be handing over my login details post haste!

Update: Whoa – the text is screwed in Firefox/Thunderbird but for some reason it’s magically rearranged to make sense in Internet Explorer. Freaky control codes ahoy – I’ve removed them for your viewing pleasure, but I suppose this scam isn’t quite as stupid as it would seem! :~