Is there any money left?

The internet, and my part in its downfall


Archive for June, 2007

Fake PayPal phishing scam

Filed under: Electronic Payment,Scams,Security,Uncategorized — annabelt @ 4:57 pm

It’s been that kind of week.

Following hot on the heels of the email spoofing incident, I received this fake email pretending to be from PayPal, with the subject line ‘Account Authentication Required’:

[PayPal logo was copied here]

Dear PayPal Customer,

Due to recent fraudulent activities on some of PayPal online
accounts we are launching a new security system to make
PayPal online accounts more secure and safe. Before we can
activate it we will be checking all PayPal online accounts to confirm
the authenticity of the holder.

We will require a confirmation that your account has not been
stolen or hacked. Your account has not been suspended or frozen.

To confirm your account status please Login

-complete the required information to authenticate and reset your account

-make sure your account balance has not been changed

-make sure your details have not been changed

-review recent transactions in your account history for any unauthorized
transfer

If you find any type of suspicious activities please contact us immediately.
Please include in your message your account number, your account name
and the unauthorized transfer date & time.

Please do not reply to this message. For any inquiries, contact Customer Service.

PayPal Copyright © 2007

Although the ‘reply-to’ field says PayPal, the email address given is ‘account2 @payprocorp.com’ (though as I’ve learned, reply-to addresses can be faked to look like anyone). Links in emails such as this (see the ‘Login’ link) will often lead to a fake website designed to trick you into entering your account details. PayPal, like online banks and eBay, advise against ever trying to log into your account from an emailed link. Instead, they recommend always going directly to the website. PayPal themselves say:

Many phishing emails have links that look valid, but send you to fraudulent sites instead. Here’s what you should do: Open a new browser window, type https://www.paypal.com and log in to your PayPal account directly.
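The two giveaways described above (a sender name that says PayPal over an address at another domain, and a link that leads off PayPal’s site) can be checked mechanically. This is an added example, not part of the original post: the message is constructed from the details quoted above, the link host is a placeholder, and the function names are made up for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlsplit

# Constructed message modelled on the email quoted above; the From header
# and the link host (a reserved example.net name) are placeholders.
RAW = """\
From: "PayPal" <account2@payprocorp.com>
Reply-To: "PayPal" <account2@payprocorp.com>
Subject: Account Authentication Required
Content-Type: text/html

<p>To confirm your account status please
<a href="http://paypal.com.login.example.net/cgi">Login</a></p>
"""


def belongs_to(host, domain):
    """True only if host is the domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def phishing_signals(raw, brand="paypal", domain="paypal.com"):
    """Return (reason, value) pairs for sender and link mismatches."""
    msg = message_from_string(raw)
    findings = []
    headers = msg.get_all("From", []) + msg.get_all("Reply-To", [])
    for name, addr in getaddresses(headers):
        # The display name claims the brand but the address is elsewhere.
        if brand in name.lower() and not belongs_to(addr.rpartition("@")[2], domain):
            findings.append(("display-name mismatch", addr))
    for url in re.findall(r'href="([^"]+)"', msg.get_payload(), re.I):
        host = urlsplit(url).hostname
        # Compare the real hostname, not the text: "paypal.com" appearing
        # somewhere inside the host does not make it PayPal's site.
        if host and not belongs_to(host, domain):
            findings.append(("off-domain link", host))
    return findings


if __name__ == "__main__":
    for reason, value in phishing_signals(RAW):
        print(reason, value)
```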

Try out PayPal’s ‘Can you spot Phishing?’ Challenge.


PayPal’s web page on security and protecting against identity theft, fraud and phishing is here.

EBay also provide a very clear and helpful tutorial on recognising spoof emails and fake websites.

Slashdot: New Targeted E-mail Attack Hits Business Execs

Email spoofing – Spammers are pretending to be me

Filed under: Scams,Security,Spam,Technical,Uncategorized — annabelt @ 11:51 am

A couple of days ago I found a lot of bounced emails in my ‘Spam’ folder. On closer inspection, I was alarmed to discover they were all spam that appeared to have been sent from my domain. The return addresses all began with different nonsense usernames like ‘Three_Nasrabi’ before the @ sign, and then ended with my domain name. The contents were various kinds of junk mail.

My home computer has a firewall and virus shield that is updated daily, and my email hosts also check for viruses, so I didn’t think that was the cause of the problem.

My first concern was that someone might have sent them by hijacking scripts on my website. I had recently been working on improvements to overall security, but what if I had made a mistake? I checked my website statistics, and the scripts did not seem to have been accessed more than usual. I deactivated them just in case while I contacted my web hosts.

They replied very quickly, offering to check the headers of any of the spam emails to see where they were coming from. Luckily, some of them had very detailed header information. But unluckily, it showed that the problem was nothing I could fix.

Somebody, somewhere else, had found that my domain name was a valid name, and was inserting it into their email headers as the return address for sending spam. They need to use a genuine domain name to get past the spam filters used by email accounts that receive them. Sometimes they use programs that put words together at random to make possible names and test them. Otherwise they just get a list of genuine domain names in other ways, such as automatically spidering the internet, collecting marketing information lists, and so on.

This is a form of identity theft known as ‘email spoofing’ and there is apparently no way to prevent people from doing this. The best protection currently is to add an ‘SPF’ listing to your DNS TXT record.

Using SPF

SPF stands for ‘Sender Policy Framework’ (here’s its listing in Wikipedia). The SPF record allows you to specify which computers are allowed to send email from your domain name, so that email applications that check this can reject the spoofed email as spam before they even receive the body of the message.

SPF records look approximately like this:

example.org. IN TXT "v=spf1 a mx -all"

Wikipedia explains them quite well. There is more information (though very technical and confusing) at the SPF Project Overview home page and an online tool to help you set them up at: http://old.openspf.org/wizard.html?mydomain=example.com&submit=Go%21
The tool will provide you with the code to add to your DNS TXT record. For the exact formatting, you will need to know whether your hosting uses BIND, Windows DNS or tinydns (djbdns). You will also need to change the DNS TXT record yourself via your hosting control panel or if you can’t access this, ask your web hosts to do it. Be aware that DNS changes can take several hours to work their way through the system.

Having taken immediate steps to establish the cause and protect (as far as possible) against further spamming, I thought I should do the responsible but embarrassing thing and warn my customers. The next day one of them told me their computers had had a virus, so that could have caused a small amount of bounced emails to addresses taken from their address book (fingers crossed).

What else can you do if your email address is being forged by spammers?

It’s important to tell your web hosts, so that at least they know it isn’t you that’s sending the spam. In some cases, if web hosts receive complaints of junk mail spamming, they may deactivate your hosting. In my case, I asked my web hosts to confirm that they wouldn’t be suspending my hosting or email over this, as the spam was not coming from the account itself. They replied, ‘No, unless we get serious complaints regarding it, in which case we will speak to you first.’ – not 100% reassuring, but at least it would give me the chance to make alternative arrangements.

So the next thing to do to protect your hosting (not to mention your personal or business name and reputation!) is to prevent these complaints by publishing information and an apology for any irate spam recipients that come to your website looking for an explanation. I’ve discovered several companies that have done this, and following their examples, I have posted my own page here: ‘Email Spoofing – please read on’, with a link from the start of my home page text as the email spam is so recent.

Click here for lots of useful advice from Risky Thinking: Advice on how to protect yourself from Email Identity Theft.

This white paper from Artic Soft covers more technical information on security and various kinds of spoofing threats.

Useful security tools, downloads and information.

This article from Webtech explains email spoofing in clear and friendly terms.

In rare cases, email spoofing is part of a coordinated deliberate attack of personal revenge or competitive sabotage, known as a ‘Joe Job’ after the first company that was closed down in this way. Here is advice on preventing and coping with a Joe Job.

Having read more about this recently, it appears the problem can become massive. So far, (fingers crossed), there has been nothing here on this scale yet, so I’m hoping the legal actions mentioned may have put spammers off using any domain too intensively, and also that the measures taken may help avoid the worst and keep us out of legal action ourselves.

Click here for a list of Spam lawsuits or legal actions.

The monster page: how many ads can one page stand?

Filed under: Uncategorized,pay per click advertising — annabelt @ 9:30 am

For the last few months I’ve been told by Google to put more ads on my pages. This is the type of feedback report I get from AdSense:

May 2007 Optimization Report

Dear Publisher,

Here is your optimization report for the month of May. After an automatic review of your sites, we think you might be able to improve your monetization using the following tips:

Placing more than one ad unit on a page often generates more revenue.
Many of your sites only contain one ad unit.
How can I fix this? Dismiss this tip.

We hope these tips are helpful, and encourage you to experiment using different layouts and formats–no two sites monetize the same way!

Sincerely,
Google Adsense

The link from ‘How can I fix this?’ has some guidelines as to which types of page can do best with more adverts. It also raises the interesting point that the first group of ads to appear in the page’s source code will be higher paying than subsequent groups:

Maximize ad space with multiple ad units

Multiple ad units can help optimize your performance by leveraging our large inventory of ads. You can place up to three ad units per page (in addition to one link unit and two referral units per product). Remember that the best way to measure the effect of multiple ad units is to examine the impact on your overall earnings. Multiple ad units may prove particularly successful for:

* Pages with lots of text, requiring users to scroll down the page.
* Forum or message board pages, particularly within threads.
* Pages where only smaller ad formats (such as the 125 x125 button) will fit.

Tip for maximizing multiple ad units: make sure that the ad unit with the best placement on the page is the ad unit that appears first in your HTML code. This will help ensure that your prime ad real estate is occupied by the ads that place highest in the auction and will generate the most revenue for you.

Best of all, they then lead you to this page, Where should I place Google ads on my pages?, which includes a ‘heat map’ to show which areas of a web page are most successful for ad placements:

[Image: Google heatmap showing the most successful areas for advertising]

In general, the most successful areas for adsense appear to be the places where you’d look for navigation menus and subject headings. This seems like it might conflict with usability, but there’s also a nice block in the centre just above the footer, so I’ve taken their advice and started using that one more.

But I couldn’t just take their sensible advice. I’d been putting together a resources section, but it wasn’t yet organized beyond a single page list. So I thought, let’s try out a monster page to see how many adverts a single page can stand. It’s got the maximum amount possible of Google Adsense: 3 content units, 1 search unit and 2 of each kind of referral unit. But not only that, it’s got affiliate banners and most of the text links are affiliate links as well. And to give it more content as well, it’s got an RSS feed. It’s a dog of a page – it takes a hundred years to load! Click here for a page with an insane amount of advertising!

I’ve since organised the resources into a much more sensible arrangement. Ironically, the total amount of adsense on them now is much more – in some cases, where the categories don’t have as much in them, I’ve even used the content units to fill in gaps until I’ve got more to put there.

I’m not that bothered about having to change things around, so it’s all an experiment. But if Google send me the same report next month I’ll be wondering why.