Tuesday, April 29, 2008

Fight SPAM with reCaptcha

We’re having trouble with SPAM here at the Missoula Public Library. Four times in the past week, on four different accounts, a user has suddenly received a lot of SPAM. It lasts for hours, and then it stops.

Our accounts generally get a few to a few dozen SPAM emails over the course of a day. But these episodes will bring in hundreds of messages over a period of minutes to hours. So it is a pretty noticeable effect when it happens.

We have three layers of SPAM and virus protection at MPL. You may think that Jim wears suspenders, a belt, and hangs on to his pants as well, and maybe I do sometimes, but layered protection is one of the main tenets of computer security. We have a layer of protection at our ISP, there is a layer at our perimeter (the router), and another at our mail server. Still we see this SPAM.

We are in a period that is seeing a lot of new exploits being tried out. Have a look at http://isc.sans.org/diary.html?storyid=4343 for an interesting analysis of one person’s SPAM.

We’re not actually getting so much SPAM itself as the failed detritus of attempted mailings. We are getting a lot of “Undeliverable” messages. It works like this. A spammer has a list of millions of email addresses. Some of them are valid, some are not. He sends a mortgage refinancing email to all the millions of addresses. He is careful to set the sender address of all these emails to some valid address, because email servers are getting clever enough to verify that the return address must be valid or they won’t accept the email.

So what valid sender email address does he put in the SPAM he sends out? In some of them he is putting our main library contact address. So when the SPAM gets to an email server and the server says there is no such user at that address, the mail server automatically sends out an “undeliverable” message. And that comes back to us here at MPL.
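One way a mail administrator could tell these forged-sender bounces apart from bounces for mail the library really sent is to look at the original message that the “undeliverable” report returns. The sketch below is an added example, not part of the original post; it assumes our own server stamps every outgoing Message-ID with a known domain (`mail.example.org` is a placeholder), and all addresses in the sample report are constructed.

```python
from email import message_from_string, policy

OUR_MSGID_DOMAIN = "mail.example.org"  # assumption: domain our server stamps into Message-IDs

def make_dsn(original_msgid):
    """Constructed sample "Undeliverable" report; every address here is a placeholder."""
    return (
        "From: MAILER-DAEMON@mx.recipient.example\nTo: contact@library.example\n"
        "Subject: Undeliverable: Refinance today\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nNo such user here.\n"
        "--b1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.recipient.example\n\n"
        "Final-Recipient: rfc822; nobody@recipient.example\nAction: failed\nStatus: 5.1.1\n"
        "--b1\nContent-Type: message/rfc822\n\n"
        "From: contact@library.example\nTo: nobody@recipient.example\n"
        f"Message-ID: <{original_msgid}>\nSubject: Refinance today\n\nbody\n"
        "--b1--\n"
    )

def original_headers(msg):
    """Return the headers of the returned original message inside a bounce, or None."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":        # full original message attached
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":   # only the original headers attached
            return message_from_string(part.get_content(), policy=policy.default)
    return None

def classify_bounce(raw, our_domain=OUR_MSGID_DOMAIN):
    """Classify a raw message as 'genuine', 'backscatter', 'unknown' or 'not-a-bounce'."""
    msg = message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        return "not-a-bounce"
    orig = original_headers(msg)
    if orig is None:
        return "unknown"  # bounce without the original attached: cannot decide
    msgid = str(orig.get("Message-ID", "")).strip().strip("<>").lower()
    # Heuristic only: a Message-ID we never issued means the sender address was forged.
    return "genuine" if msgid.endswith("@" + our_domain.lower()) else "backscatter"

if __name__ == "__main__":
    print(classify_bounce(make_dsn("20080429.1@mail.example.org")))
    print(classify_bounce(make_dsn("x9@bulk-sender.example")))
```

A Message-ID can itself be forged, so this check sorts the flood for review or quarantine rather than proving where a message came from.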

How do they get our email addresses? There are robots that roam websites looking for email addresses and collecting them. Have you looked at our website lately? We have email addresses all over it: contact addresses, staff addresses, board members, etc. That’s only one way these robots collect addresses. They also get them from listservs, signatures, and more.

Contrary to my inclination, we have had addresses on our website for a long time, but now we have a good alternative. Ben Miller is our webmaster and a bright color in the box here at MPL. He is in the process of doing good in the world and protecting our email addresses at the same time. Before you can see one of our email addresses you have to identify a word. The words that are presented are part of a digitization project.

Take a look at recaptcha.net and think about what you can do to protect your addresses and help digitize hard-to-read texts. See how it is working for us by going to http://www.missoulapubliclibrary.org/contact.htm. Try clicking on “Ben Miller” to see how the process works.

