The Netsky worm seems to be running around now, and it has behavior that is very easy for Postfix to stop at the front door.
Apparently, this worm has a built-in SMTP engine, and it uses the target domain name in the HELO identification at the start of the transaction. There is no circumstance where an outsider should identify itself to my mailserver as "unixwiz.net", so these attempts are dropped immediately.
I wrote about this before when I found that spammers were identifying themselves with my IP address, so this is just a logical extension to that technique.
Of course, this doesn't work if you actually have a computer with that hostname that tries to route through your mailserver: this seems like a bad idea anyway.
UPDATE - Looks like I wrote too quickly: Postfix does a multiple-level check on this, so if you block "foo.com" in the HELO string, it blocks "anything.foo.com". This means that it only works in much more limited situations where your mailserver never accepts mail from others in the same domain.
UPDATE #2 - Ah, now I think I got it: by adding a "permit_mynetworks" before the access lookup, it allows all the machines inside your network to send mail with any kind of HELO string, but anybody on the outside gets bounces. I've updated the original weblog entry to reference this.
It's blocking quite a few of the viruses now. Gotta watch a while for false positives...
About a week ago I upgraded my weblog to Movable Type 2.661, and this morning I configured it to run as mod_perl handlers (previously it was configured to use Apache::PerlRun). It's much faster, but all the comment and trackback link names got changed - I have no idea if this breaks things.
Anybody find broken stuff? Please let me know.
While shopping the other day I picked up some hamburger that had a curious typo. I guess this cow is safe?
Cow photo by Eric "ug" Carlson, and used with permission.
P.S. For the slow, "tat" is short for "tattoo", not something we usually associate with beef :-)
My No Dashes Or Spaces Hall of Shame has been mildly popular with visitors to my website, and most of the new entries are "more of the same".
But today I ran into a problem with Quicken 2003 that ended up being one of these problems, and it took a 20 minute phone call with tech support to figure it out. My online update to my First USA credit card account was failing, even though the same username/password worked fine on the website. The error message was numeric, with no obvious way to read more into it.
After speaking with the technician he asked "do you have any spaces or dashes in the account number?"
Bingo
Just for discussion's sake, let's say that they have a good reason to disallow dashes and spaces: why in the hell don't they have an error message that suggests "don't use spaces or dashes"? Not only has this been an ongoing irritation for a customer for a week, but it burned 20 minutes of technical support time on their end.
This is expensive for them, and bad for their customers.
I wish I knew whether Quicken or First USA were responsible.
For shame.
Maybe I'm behind the times, but I look at a lot of spam and have never seen this before. Today the abuse mailbox I help manage got a Spamcop complaint about a customer, one which had never had even a hint of spamming. Investigation revealed something new (to me, at least).
We've all seen hashbuster "random words" designed to make each message unique, plus the bogus invisible HTML that does the same thing. But now they're including empty links to unrelated websites as hashbusters.
The original message
Now is the time for all good men to buy Viagra from Nigeria
The hashbusted message
Now is the ti<a href=www.unix-girl.com></a>me for all g<a href=www.dslreports.com></a>ood men to buy Viagr<a href=regex.info></a>a from Nige<a href=www.spamcop.com></a>ria
So not only does this break spam-detection software, it breaks spam-reporting software - there were on the order of fifty innocent URLs mentioned in this spam, in addition to the actual URL being promoted (it was the only URL that wasn't an empty link).
It looks like spam-reporting software will need a bit of tuning.
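As an added illustration of that tuning (not code from the original post), here is a small Python parser that separates empty hashbuster anchors from the one link that actually wraps visible text, so a reporting tool only reports the promoted URL and still recovers the readable message. The sample message is constructed from the one above, with a hypothetical http://pills.example added as the real link.

```python
from html.parser import HTMLParser


class HashbusterStripper(HTMLParser):
    """Collect visible text and split anchors into two buckets:
    empty <a href=...></a> pairs (hashbusters) versus anchors that
    wrap real text (the link the spammer actually wants clicked)."""

    def __init__(self):
        super().__init__()
        self.text_parts = []    # visible text, with the empty tags removed
        self.promoted = []      # hrefs of links wrapping visible text
        self.hashbusters = []   # hrefs of empty links (innocent bystanders)
        self._href = None
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._link_text = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # whitespace-only anchors count as empty too
            if "".join(self._link_text).strip():
                self.promoted.append(self._href)
            else:
                self.hashbusters.append(self._href)
            self._href = None


def analyze(html):
    """Return (visible_text, promoted_urls, hashbuster_urls)."""
    p = HashbusterStripper()
    p.feed(html)
    p.close()
    return "".join(p.text_parts), p.promoted, p.hashbusters


# Constructed sample: the hashbusted line from the post plus one real link.
SAMPLE = ("Now is the ti<a href=www.unix-girl.com></a>me for all g"
          "<a href=www.dslreports.com></a>ood men to "
          "<a href=http://pills.example>buy Viagra</a> from Nige"
          "<a href=www.spamcop.com></a>ria")

if __name__ == "__main__":
    text, promoted, busters = analyze(SAMPLE)
    print(text)
    print("report only:", promoted)
    print("ignore:", busters)
```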
I recently had to do some shuffling around of several bank accounts, and I got the attached letter from my bank to my "old" address as a security confirmation. The idea is that if somebody else had somehow changed my address (say, to intercept my statements), I'd receive a notification for it. It's a very good policy.
In this case, however, it's more "amusing" and "pointless" than "secure". In fairness to Wells Fargo Bank, my couple of accounts were quite messed up, and there had been a lot of changes, and it's not surprising that the chain triggered this note to me.