You didn't really think it'd stop, did you? We start off with another series of educational institutions:
Brisbane Boys' College
Kensington Tce
Toowong QLD 4066
AU
spammed us on Monday, 1 February 2010 - 7:25pm, 7:39pm, 7:50pm, 8:02pm, 8:03pm and 8:12pm via IP 203.57.147.3
Prince of Songkla University
Computer Center
Korhong, Hatyai, Songkhla, 90110
spammed us on Monday, 1 February 2010 - 5:28pm; Thursday, 4 February 2010 - 10:08am via IP 202.12.74.44
Polish Academy of Science
Institute of Bioorganic Chemistry
Poznan Supercomputing and Networking Center
ul. Noskowskiego 12/14
61-704 Poznan
Poland
spammed us on Friday, 5 February 2010 - 2:58pm via IP 150.254.161.3
That's right, the botnets even have access to a supercomputing center, and yet they haven't figured out anything better to do with it than spam dumb blogs like mine.
Next up we have an otherwise generic IP block owner:
Cox Communications
1400 Lake Hearn Dr
Atlanta, GA 30319
spammed us on Monday, 1 February 2010 - 5:26pm, 7:25pm, 7:30pm, 7:31pm, 7:39pm and 8:03pm; Thursday, 4 February 2010 - 2:35am; Friday, 5 February 2010 - 6:05pm, 8:00pm, and 8:05pm via IP 98.172.30.138
What is notable about that IP is that it resolves to nat-gw.productionadvantage.com. The Production Advantage, Inc. appears to be a direct marketing company, so if you've ever done business with them, it's a good bet that your data has been compromised. They even helpfully list their clients, so if you've ever given your personal information to any of those organizations, you might want to contact them regarding your pending identity theft.
Another generic IP block owner:
Savvis
1 SAVVIS Parkway
Town and Country, MO 63017
spammed us on Thursday, 4 February 2010 - 11:20am via IP 216.109.73.21
That IP resolves to dc3-pw-nat.ws.ag.com. I will helpfully point out that ag.com belongs to American Greetings. As though it weren't bad enough for your "friends" to give up your identity for a stupid eCard, welcome to their insecure system that gives it up to people that are probably even worse.
And it's always the most fun when someone selling security is insecure:
TREND MICRO INCORPORATED
10101 N. De Anza Blvd,
Cupertino, CA 95014
spammed us on Monday, 1 February 2010 - 8:08pm via IP 216.104.15.138
and in an odd twist, they also came in a half hour earlier from halfway around the world, doing a scouting mission on Monday, 1 February 2010 - 7:33pm via IP 150.70.84.26
The slogan on their site is "Securing Your Web World". Since they can't secure their own, I have my doubts. Their traffic pattern is so strange, though, it makes me think that they themselves might be abusing network resources instead of being part of someone else's botnet.
Since there haven't been any new notable organizations spamming the blog comments here in the last couple weeks (although there have been quite a number of repeat offenders), I'm going to pass along some observations about the good ol' fashioned email variety of spam.
I have a long history of fighting spam emails. I won't get into the details, but I was onboard with all the mainstream anti-spam efforts from the early days. Then something happened in 2005, which I also won't get into, that made me realize that a lot of the anti-spam people weren't much more than power-hungry goons who themselves were more interested in profiting from spam than eliminating it.
At the time, my main address was getting 5000+ spam/day. So I did the Impossibly Stupid thing of taking a step back from all the filtering and blacklisting and reporting and all the other machinery that has been thrown at the problem of email spam, asking myself instead what I, as a lone individual, could do to keep my inbox clean.
I now get maybe 1 spam/week. I do no filtering. I maintain no blacklists. My server only sees that one email, so there isn't much need to do anything fancy after the fact. I'm not really hiding my contact info, either. I even provide a clickable email link on web pages without a hint of JavaScript obfuscation. I did think up and use some new techniques to choke the flow, but this post isn't really about detailing them.
Instead, because my inbox was essentially cleared of spam for over a year, I decided to start an experiment. In November of 2007, I put up a web page on the corporate site that had a unique email address link in the clear. The question in my mind at the time was "Is web spidering even done to collect email addresses anymore?"
You see, the trickle of spam I was getting in my "real" email was easily traced by my new techniques. 99% of it was from Usenet posts; if I started using an invalid address there I'd essentially get no spam at all. Nothing was coming in via any web site I was on, but I wasn't certain if that was directly due to things I had done. So I put up an email address free and clear. Very retro!
Just now, 2 years and 2 months later, I saw the first spam to that email address. A couple more came in after that, and I'm going to keep an eye on whether or not the volume starts to take off. But the conclusion is pretty clear: there seems to be very little need to make people browsing your web site jump through a lot of hoops to get your email, because that doesn't appear to be how spammers are finding you these days.
Caveats abound, to be sure, but that's what I'm seeing. One obvious factor is that the web has gotten so large that it no longer makes sense to spider it all just to scrape out a new email address or two. It may be that they just hit the index page of most sites (my test email address was buried at least 3 clicks deep). I'm even going to test that out by making my main contact to the right a clear email address. Stay tuned for progress reports. If they're not even doing that small amount of spidering, you might have a long wait . . .
As I have mentioned before, I'm a big fan of inversions. They seem to thrive along the fine line of things that are impossibly stupid. One of my favorite quotes related to that is by Niels Bohr:
The opposite of a correct statement is a false statement. But the opposite of a profound truth may well be another profound truth.
I was prompted to tip the hat again because Darwin has been getting a lot of attention over the last year, and a segment on a podcast (ABC Radio National's The Science Show Daniel Dennett - why are we here?) really hit home for me. It nicely ties together a number of inversions, and all sorts of other ideas in a way that makes me so much happier to know what I don't know (and possibly not even know that). You owe it to yourself to listen to or read the entire thing, but here's a particularly nice excerpt quoting a critic of Darwin:
who, by a strange inversion of reasoning, seems to think absolute ignorance fully qualified to take the place of absolute wisdom in all the achievements of creative skill
I like it most because it folds back into itself so well. Proclaiming yourself to be on the side of "absolute wisdom" is just about the boldest setup for circular reasoning you can get. Absolute ignorance, on the other hand, has nothing but an upside. Maybe Oscar Wilde said it better:
We are all in the gutter, but some of us are looking at the stars.
So here we have it: the last single digit spam call out is also the last "on demand" one and, as you will soon see, it's a great capper. I'll still be raking insecure hosts over the coals, of course, but not as they come in. To that end, anonymous comments must now be approved, and when that queue gets cleaned is when you'll see new outings. (weekly? monthly? we'll see . . .)
In the ongoing theme of failed educational institutions, we have this decidedly-non-educational-institution IP owner:
Open Software Foundation
P.O. Box 7286
Nashua, NH 03060
spammed us on Sunday, 17 January 2010 - 6:59am via IP 130.105.36.54
Because it resolves to www.hudsonvalleyschool.org, though, I'm dumping it in with other educational institutions. With any luck, it's just a basic web host without any student records or other confidential information, but it still represents a machine that may be considered a trusted host, and it's now part of some botnet. I mainly only listed it to create a calm before the storm.
And here comes the big one! The insecurity to make all insecurity envious! If you had asked me to predict this day, I would have said "never in my wildest dreams", yet:
Microsoft Corp
One Microsoft Way
Redmond, WA 98052
spammed us on Sunday, 17 January 2010 - 4:09am, 4:19am, 5:17am, and 10:41am via IP 131.107.33.62
Color me both shocked and amused. They hit this site not just once, but four times! Sadly, this entry will likely be lost amongst all the other Microsoft insecurities that pop up all over the Internet on a daily basis. I wonder if I would be just as careless if I had billions of dollars. Would you?
Sadly, it doesn't look like the comment spam is coming in waves any longer, but rather just a steady stream. If it keeps up, I'll soon turn approval on and limit these updates to once a week. They've already taken away too much from the content, such as it is, of this blog.
So again we have a number of educational institutions:
New Kent County Schools
New Kent County Schools
PO Box 110
New Kent, VA 23124
spammed us on Thursday, 14 January 2010 - 11:50pm via IP 208.32.18.245
The University of Nottingham
University Park
Nottingham NG7 2RD
UNITED KINGDOM
spammed us on Friday, 15 January 2010 - 12:15am and 2:16pm via IP 128.243.21.224
University of Tokyo
2-11-16 Yayoi Bunkyo-ku
Tokyo, 113-8658
JP
spammed us on Friday, 15 January 2010 - 1:17pm via IP 157.82.41.171
I again feel the need to point out that none of these seem to be differentiated as dorms or dynamic or in any other way associated with student shenanigans. The indication is that they belong to faculty and staff, on machines with access to confidential information, or otherwise represent an entire network that lacks proper security.
And this final spammer we feature not because the IP owner:
Core Internet Telmex Chile
Rinconada el Salto, 202, Huechuraba
-- - Santiago -
CL
spammed us on Friday, 15 January 2010 - 1:16pm via IP 190.54.16.184
but because of the domain it resolves to: mail.legalfact.cl. I guess you could say it's a legal fact that, if you've sent them mail, people other than your attorney have had access to it.
Did you notice I used a swear word a couple posts back? The FCC would have, and acted like idiots about it if they could. Judge Pierre Leval, and seemingly every other judge present, gets the Impossibly Stupid Seal of Approval for saying:
What are you protecting children from?
U.S. judges mock broadcast regulator's 'fleeting expletives' policy
As someone who still remembers being a child, I assure you that the lack of seven words being broadcast didn't keep me from learning them at a young age. More to the point, I only figured out they were worse than other words because the adults made a fuss about them. Even Sesame Street taught me to pick out when one of these things is not like the others:
I foolishly posted Round 6 too soon, thinking this most recent spam run was over yesterday. We'll again start with those in higher learning who never seem to learn:
University of Geneva
Division Informatique
Rue General Dufour, 24
1211 Geneva 4
Switzerland
spammed us on Thursday, 14 January 2010 - 5:32pm via IP 129.194.8.73
and then highlight this agency purporting to "provide leadership" to educators:
eTech Ohio
2323 West Fifth Avenue, Suite 100
Columbus, OH 43204
spammed us on Thursday, 14 January 2010 - 4:21pm and 5:52pm via IP 208.108.141.3
If by "surpass customer expectations" they mean providing more spam than anyone asked for, bang up job, folks! And with that IP resolving to mgmt.ironport.laca.org, everyone gets to play the bonus game of "Do IronPort products inherently have security flaws?"
Finally, here is an exceptionally bad example of network management:
Internetbrands.com
909 North Sepulveda
El Segundo, CA 90245
spammed us on Thursday, 14 January 2010 - 2:19pm via IP 67.201.17.228
If you go to their home page, you'll see a huge list of sites, any of which might be storing your personal data on their compromised machine. May I suggest to investors that now might be a good time to sell NASDAQ:INET?
Change-up is the watchword for this update. We start off with another educational institution:
Northeastern University
360 Huntington Avenue
BOSTON, MA 02115
spammed us on Wednesday, 13 January 2010 - 1:36pm via IP 155.33.223.244
but immediately shift focus to this gem:
American General Corporation
2929 Allen Parkway
Houston, TX 77019
spammed us on Wednesday, 13 January 2010 - 2:39pm and 5:03pm via IP 161.159.4.33
If that name's not ringing any bells, let me help you out by pointing out that the space is handled by aig.com. Yes, those AIG assholes. Apparently billions in bailouts and millions in bonuses still isn't enough to get the people working there to competently do their jobs.
When I started listing my noteworthy blog spammers, it was mainly to vent. I didn't really expect anything to come of it, but it looks like there might be a business plan in there somewhere. You see, I was contacted by two of them (Quinnian Health and Home Shopping Network) with claims that things should be cool now, but I have no way to verify that. Time will tell if spam comes my way again, or other sites might notice them if they've only blocked off outgoing traffic to my humble site.
The point is, I'm inclined to take their assurances on face value because they contacted me. That means they at least have some process in place that puts my ranting on their radar. Maybe it's a brand management firm that searches the Internet for buzz (good or bad), or maybe it was just some other, less formal, chain of events that made someone there aware of my post. I'm not one to pry.
My second point is, the only reason they were able to contact me is because I posted about it in the first place. There are hundreds of other spams, pointing to that many more exploited systems, that I've just dumped without mention. To say nothing of the suspicious spidering that is coming from decidedly non-spider IPs! Certainly none of them are contacting me to say they've found and fixed their problems. For example, I've set my server to deny anything coming in from an Amazon owned IP block (their "cloud" services are entirely too spam-friendly), but they're probably blissfully unaware of how much damage their reputation is suffering, all because there is no automated feedback mechanism to let them know what traffic escaping their network is rotten.
So here's the Impossibly Stupid business proposition for that feedback mechanism: let my sites serve as the canary in your coal mine. For $5.20/year, for up to 10,000 interested parties, I will open up my access logs and offer a daily report on the traffic from one IP or class of IPs. It could be yours or it could be your competitors; I don't care. The result is an early warning system that also happens to relieve me of taking the trouble to shame the culprit myself. Interested?
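The "daily report on the traffic from one IP or class of IPs" proposed above is a small access-log aggregation job. The script below is an added example, not the blog's own code or the code behind that offer: it parses Apache combined-format log lines, keeps only clients inside a given address or CIDR block, and counts requests (and comment POSTs) per client per day, so a network owner could see the same kind of evidence this blog lists by hand. The log lines are constructed for the example; the two client addresses 131.107.33.62 and 130.105.36.54 and their timestamps are taken from the post above, while 131.107.33.7, the /24 used as the "class of IPs", and the request paths are assumptions made for the demonstration.

```python
"""Daily per-client traffic report from an access log, limited to one IP
or one network block. Added example; the log lines below are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache "combined" log format. The first five
# entries mirror the comment-spam hits reported above; the 131.107.33.7
# line and the final unparseable line are assumptions for the demo.
SAMPLE_LOG = """\
131.107.33.62 - - [17/Jan/2010:04:09:12 -0600] "POST /comment/reply/42 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
131.107.33.62 - - [17/Jan/2010:04:19:40 -0600] "POST /comment/reply/42 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
131.107.33.62 - - [17/Jan/2010:05:17:03 -0600] "POST /comment/reply/42 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
131.107.33.62 - - [17/Jan/2010:10:41:55 -0600] "POST /comment/reply/42 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
130.105.36.54 - - [17/Jan/2010:06:59:21 -0600] "POST /comment/reply/42 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
131.107.33.7 - - [18/Jan/2010:02:00:00 -0600] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
garbage line that does not parse
"""

# Client IP, timestamp, request line and status from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one log line, or None if it cannot be parsed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    method = m.group("req").split(" ")[0] if m.group("req") else ""
    return {"ip": ip, "ts": ts, "method": method, "status": int(m.group("status"))}


def daily_report(log_text, target):
    """Count requests per (day, client) for clients inside `target`.

    `target` is a single address ("131.107.33.62") or a CIDR block
    ("131.107.33.0/24"). Returns (rows, skipped) where each row is
    (day, client_ip, requests, posts) sorted by day then address, and
    `skipped` is the number of lines that could not be parsed.
    """
    net = ipaddress.ip_network(target, strict=False)
    counts = defaultdict(lambda: {"requests": 0, "posts": 0})
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["ip"] not in net:
            continue
        key = (rec["ts"].date().isoformat(), str(rec["ip"]))
        counts[key]["requests"] += 1
        if rec["method"] == "POST":
            counts[key]["posts"] += 1
    rows = [(day, ip, c["requests"], c["posts"]) for (day, ip), c in sorted(counts.items())]
    return rows, skipped


def format_report(rows):
    """Render the rows as the plain-text report a subscriber would receive."""
    lines = ["%-10s  %-15s  %8s  %5s" % ("day", "client", "requests", "posts")]
    for day, ip, requests, posts in rows:
        lines.append("%-10s  %-15s  %8d  %5d" % (day, ip, requests, posts))
    return "\n".join(lines)


if __name__ == "__main__":
    # Report for one address, then for the whole assumed /24 around it.
    for target in ("131.107.33.62", "131.107.33.0/24"):
        rows, skipped = daily_report(SAMPLE_LOG, target)
        print("Traffic from %s (%d unparseable lines skipped)" % (target, skipped))
        print(format_report(rows))
        print()
```

Unparseable lines are counted rather than silently dropped, so a subscriber can tell a quiet day from a broken log format, and the CIDR match uses the `ipaddress` module instead of string prefixes so that "131.107.3" does not accidentally match "131.107.33.62".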
The spam has only been trickling in recently, for better or worse, so I just have these two overseas educational institutions to share from the end of last year:
Heriot-Watt University
Riccarton
Edinburgh EH14 4AS
United Kingdom
spammed us on Tuesday, 29 December 2009 - 11:58am via IP 137.195.176.11
National Chung Cheng University
Chia-Yi Taiwan
spammed us on Wednesday, 30 December 2009 - 10:59pm via IP 140.130.17.72
I don't know what the vacation schedules are in those parts of the world, but I would not be at all surprised to find that it was not student machines that were the source of these spam.