Monday, March 16, 2015



Imagine my surprise the other day on reading that Hillary Clinton had some views on encryption and that the Washington Post published an article on it.  Here it is:

The positions she takes are similar to what Republicans have and make me wonder if she has anywhere near enough knowledge and skill to say anything at all about the subject.  I disagree with her about Edward Snowden since I appreciate what he reveals.  I would disagree with Edward Snowden on certain things, like complaining about Amazon not using https (PK enciphered) full time when they have an even bigger glaring hole in storing your credit card number without your consent.  What is there to prevent a hacker from stealing it?  Just a year or so ago, every time I ordered something from Amazon the email account associated with it would all of a sudden receive a large amount of spam.  But somebody with the pen name LeisureGuy summed up what Hillary Clinton believes about encryption with this statement:

"It's pretty simple in concept: the encryption used must be able to detect the character of the person(s) trying to break the encryption. If they are "good", then the encryption allows them to break the encryption and read the contents; if they are "bad", then the encryption refuses to break.

That's what Clinton wants, and like many who are wealthy and powerful, she cannot understand why, if she wants something very much, it could possibly be something not available. The Dunning-Kruger effect also applies, I imagine: she knows so little of the technical aspects of encryption and cybersecurity that she doesn't understand the depth of her ignorance, so she trusts her "gut feeling" that whatever she *really* wants must be possible."

Dunning Kruger Effect (Wikipedia)

It wasn't just her who had that depth of ignorance.  Others had it too.  So let me look at two recent (within less than a month) things that may change her ideas on encryption and soften her stance towards Edward Snowden.

FREAK Attack
The FREAK attack exists because too weak a cipher was mandated to all companies by the NSA and other agencies of the United States government.  Here is a write-up on it:

FREAK Attack (Washington Post)

You can test your browser side (there is also a server side to this) here:

Be sure to run the FREAK test named "FREAK Client Test Tool (clienttest.html)".  Just remember that this weakness was introduced the same way that she purports should be done - a middle way.  My statement on that was that you make encryption as strong as possible and hope it doesn't break.  What happened here?  It broke.  It also shows that Snowden's PowerPoint presentations were correct.  The NSA could crack iPhones.

Gemalto Sim Ki Heist
Here are the first two good articles on this from FirstLook:

Gemalto Sim Ki Heist (Breaking In)
Gemalto Sim Ki Heist (In The Dark)

What baffles me is why Gemalto would say none of the Kis were stolen when we have proof from Edward Snowden and other sources that the NSA and GCHQ were actually exploiting cell phones.  We have Angela Merkel, whose phone conversations were recorded, among other things.  No matter what anybody says, something like this makes other people mad, especially when they are proceeding in good faith and not doing anywhere near the same thing.  Okay, I will sum up with some points.

Point 1:  There are a lot of people in the United States and other countries that are mad as hell that they are being spied upon.  I can already hear the excuse.  Oh, they are just looking at the metadata.  They throw everything away except for the terrorists that they are after.  Oh really?  Is that why the NSA contract analysts gave porn-style pictures and videos to each other as gifts?  They are looking at a lot of text files and pictures solely in the pursuit of voyeurism.  That is strange metadata.  The sad thing is that this Democratic administration is coming dangerously close to doing what the Nazis did and there are many Republicans that will assist in reauthorizing both the metadata collection of phone records and the Patriot Act, wrongly believing that it will make them safer.  It will not make them safer, and the Supreme Court of the United States stands by and favors stripping the American public of their constitutional rights.

Point 2:  You may think we are saying no to a middle way on encryption just based on our feelings.  I don't know about the others but I do know about me.  I have vetted the entire GnuPG code many times and cannot see a way of putting in what Hillary Clinton is requesting.  Others say you can, but it would weaken the encryption to dangerous levels.  My observation after studying hackers for years is that if you can put it in, they will eventually learn how to exploit it.  Sometimes it is pure luck, but it is always happening.  I still don't see how it is even remotely technically possible.  It is just the way that public-key encryption works.  In case you are wondering, yes, I have the book The Little Book Of BIG Primes by Paulo Ribenboim.  It used to cost $100.  It is a little bit more reasonable now but indicates we are not in Kansas any more.

Point 3:  In all of this most people probably think of enciphering to be the same as encryption and deciphering to be the same as decryption.  You usually just say that encryption involves one of the four activities: enciphering, deciphering, signing, and verifying.  About all I do with OpenPGP encryption is sign and hope that others use it to verify.  Here are two folders on my server where the signed files are at:

Hosts File Changes

Where I am signing, you will see that for a file named something like "hosts.txt" there is also a file named "hosts.txt.sig".  The file with ".sig" on the end of it is called a detached signature file.  Using OpenPGP you test the file with the ".sig" on the end of it; it searches for the file without the ".sig" and uses digest algorithms and their copy of your key (the public side) to verify that the "sig" file, which was created with your copy of the key (the secret side), says the base file really did come from you.  What do I do this for?  To make hackers' lives more difficult if they try to change the base file.  If the hackers change even so much as one little teensy bit in the file, the verify fails.  So far, so good.

But that same key that is used for signing and verifying is also used for enciphering and deciphering.  You use the secret side of your key to sign and to decipher.  You use the public side of the other person's key to verify and encipher.  But since it is all bound up and used together, there is a possibility that if there is a middle way, the CIA, FBI, Federal Marshals, GCHQ, or the NSA could get some sort of nasty file and sign it with my key.  But surely they wouldn't do that, would they?  Do you want to make a bet on that one?  If I did the same thing to Gemalto and was caught I would probably go to jail for at least 40 years.  I am showing just the latest of these things they have done that may be illegal and are immoral.  Do I trust them?  NO!  And there is more to it than I am revealing.


This is a strange one.  Hillary sets up the domain for her email account.  Then a supposed security expert says that it is strange that he sees a construction page.  That is normal for most IWSPs (Internet Web Service Providers) for somebody who doesn't have a web presence yet.  Some IWSPs will even allow you to redirect to another existing web service from these parked host names:

Then I find out she has secured a mail service from

The AV Product
At first I thought that the AV package used was the only thing that McAfee recently purchased.  I thought that McAfee would integrate its heuristics into their McAfee-GW-Edition product.  That may have been done, but then I learned that McAfee bought the whole company.  That could still be just for MXLogic's one AV product, but only time will tell.  But it has never been at VirusTotal, now run by Google, which allows you to compare multiple AV packages to determine if something is safe.  Here is one of my email-borne malware samples that I have scheduled to rescan:

VirusTotal Malware Scan

It is much better now than it used to be.  When I got it only two AV packages detected it.  They were Ikarus and Kaspersky.  Here was the scan back then:

Original Malware Scan

But overall, for most email-borne malware Sophos is one of the first that detects it.  Kaspersky is also good for email-borne malware, as are a few others.  I really would not use what Hillary used if I had a Windows system.  I would want Sophos for the scanner on the email server.  But maybe all Hillary uses is her iPhone.  If so then maybe another AV product that scans for phish would be more appropriate.

What AV do the government email servers use?  I don't know but I can only assume it is much more robust than what she was using.  But they know that they have to defend Windows machines as well as iPhones.

The Anti-Spam Product
At first I thought Hillary had a lot of problems with spam with that number in her user name.  E.g. were there user names with different numbers in them that she abandoned as the spam took over, creating new user names to run away from the spam?  Only the government email people will know the answer to that one, since any email received by others on the government email system will have any and all user names that she used.  I stopped looking into this the moment I saw all the problems people were having in getting email into an MXLogic email server.  I suspect you may even need to white-list everybody you want to allow in.  That is how bad some of the people commenting about it found it to be.  Suffice it to say that I think the spam protection is probably one of the better ones out there.  You just have to tune it to get email in and out.  Since the base product is Microsoft Exchange for the SMTP server, I of course hate it.  After qmail's nice headers everything else, except maybe postfix, is a sub-standard SMTP server in my mind.

Who Has Emails?
This one is where it becomes really problematic.  If the government email system only backs up what is received, then it will only back up what she sends to others that are on the government email servers.  But if they back up both what is received and what is sent, then they will have copies of the email sent both from her and to her from any other user that is using the government email system.  Either way, any emails sent to somebody else at a company in the United States that is compliant with the law should have backups.  But email sent to or received from another email system like hers, or to a web-mail account, will only have what those users keep.

This is more of a transparency issue than anything else.  The idea of saving the records goes back to the 1950s when the first rules were made about saving these government communications.  Only slight modifications were made to update the regulations.  I don't know if they are binding laws or not.  I do feel that from this time on, except for extremely extenuating circumstances, the government email systems should be used.  All classified email should of course use a separate, much more secure system.  One thing that disturbed me is that Hillary didn't have the certs to do the transmissions through her email server using TLS encryption for the first two months of having her email server.  If she sent classified information this way it was traveling in clear text!  That may be fine for her personal email communiques.  But it is not good enough for Secretary of State email messages, whether the messages are classified or not.  That is why I think this needs to shift over to the government email servers where security professionals handle things.  Anything done outside that channel for email needs to be rare or not at all for government email communications from this time forward.  And it should not be done with anything other than TLS securing the transmission of the messages.  Additional enciphering will be needed for messages with classified material in them.

Summing Up

Hillary Clinton is reminding me of the Energizer Bunny.  She has a fully charged battery and blasts into meeting after meeting without even taking a pause on what she is doing.  This is not a man versus woman thing either.  I know plenty of women who have high-order rational thinking.  Two of them are Senators Boxer and Feinstein.  I hear they called her to say things are going horribly wrong.  I strongly suggest that Hillary call and talk to them and others in the days to come.  Just remember these other people are very busy and have lots of demands on their time.  But she needs to give serious consideration to whether she is too old.  What she did with these two issues may show an age-related problem.  All I know is that I see one person after another going into the presidency.  They go in bright-eyed and bushy-tailed.  They come out the tail end with gray hair, worry lines, and aged considerably.  I estimate they age everybody else's four years for each year in office.  That means they effectively age sixteen years for just one term of four years in office.  Ronald Reagan, who was famous for doing as little as possible, is maybe the only exception, but even he aged a lot.  Aren't there any other Democrats that want the position of President of the United States?  I don't want to see Chris Christie in the Oval Office.  Isn't stopping all the traffic on a major bridge or Interstate an action that a Governor can be impeached for?  It should be.  I will check back for errors later but other than that I consider this post closed.  Post note: I did make some significant changes, most notably to show others just how bad new malware is at not being detected (2015-03-25).  You have a PDF file now to SEE just how bad it is.

Monday, December 15, 2014

Hosts file and PAC filter on Windows 7

New Way Of Handling Hosts File On Windows

Somebody wrote to me saying that my hosts file installer is no longer suitable for Windows Vista, 2008 Server, Windows 7 or if you are crazy enough to use it there - Windows 8.

This is absolutely correct.  The UnxUtils way of using my hosts file on a Windows system is only for Windows XP and for use with something like Homer to act as a pseudo HTTP server (phttpd).  The reason I don't provide anything else is because I depend on somebody else's program to handle incorporating my hosts file on Windows 7 systems now.

If you use Windows 7, use Alex Kowalski's hosts file maintenance program, which I provide download space for.  Here is the Hosts file page which shows where the links are:

Hosts File Page

Down at the end you see these two links:

APK's 64/32 Host File Engine Program
APK's 64/32 Host File Engine Instructions

My hosts file is primarily used by Linux people.  They use dnsmasq, Marco Peereboom's adsuck program or similar.  I am the only one using my phttpd.  But all of these people expect the hosts to be remapped to  There is no on Linux like there is on Windows.  On Windows is normally used as an inter-process server.  On Linux and Unix they use a special file construct called pipes for processes to communicate with each other.

Will I remap the entries to something else other than  No.  I depend on Alex Kowalski's program to do that for me.  The reason I mention this is because somebody wrote to me about this 4chan comment on hosts files (which you will note has Alex Kowalski's comment - APK):

4Chan comment on hosts files

What is my statement on using 0 versus  I defer to Alex Kowalski on that issue since it is his APK 64/32 Hosts file engine that automatically does the conversion from to whatever he uses.  Frankly I am surprised somebody wrote to me about it.  You can NOT use my shell file to install a hosts file on anything newer than Windows XP anyway.  Even if you give the script a temporary override, lots of programs the script calls, like wget, rm, et cetera, do not have the override.  IOW, attempting to use my script file on Windows 7 will fail.  Even if you can seem to get it to work (I couldn't), use APK's Host File Engine Program instead.  His program does much more than just install a hosts file.  I will say you must use some other AV program on Windows 7 than the one provided by Microsoft if you use a hosts file.  The AV program supplied by Microsoft will remove every entry in a hosts file.  You need another AV program that doesn't do that.

New Way Of Handling PAC On Windows

Here are the special instructions for putting the PAC filter on Windows 7.  You don't put it on there the same way you do it on XP.  You should change it to put all of the files which can be used for Firefox in an etc folder in your account.  You also need an extra special folder for Internet Settings, and it is mandatory for the Chrome browser.  For example, for a user named hhhobbit and assuming your system drive is C: you will have these folders (substitute your user name for mine; it should be just alphabetic or alphanumeric characters):


You put all of the files in the etc folder.  You need to edit all of the proxy files and change the blackhole from to unless you intend to install Homer in roughly the same area, e.g.:


I don't advise that and didn't even try it due to too many problems.  Like I just said, you should change the blackhole to be  Use the Error Console in Firefox for debugging.  Unlike a hosts file, it is done only once, on one line in the PAC filter.  Then you copy whichever of the proxy_en.txt or proxy_fr.txt files you use to the OneFile folder.  WARNING!  This is the only file you should have in that folder.  You set your Internet Settings browsers to use that file.  Why have just one file?  The Chrome browser parses every darn file in the folder.  Worse yet, it sucks up those settings and puts them in places I cannot find.  It doesn't know how to handle the debug statements.  The proxy_en.txt and proxy_fr.txt files have the debug statements removed.  The debug, even if it is not used, causes unexpected "Object Unexpected" pop-up messages.  I have even uninstalled Chrome completely, removed all the files Chrome left manually, and then manually cleaned the Registry.  Why?  Because Chrome parses every file in the folder.  The debug causes it to pop up "Object Unexpected" messages.  I then reset Internet Settings to use the OneFile folder and used it that way successfully with Opera and Safari.  I have even waited as long as 4 months.  But the instant I reinstall Chrome, back come the "Object Unexpected" messages if you did it wrong the first time around.  I am beginning to suspect that Google sucks your Chrome settings up into the cloud and puts them right back the way they were when you reinstall.  Hasn't Google ever heard of a clean-slate reinstall to get rid of problems?  There are times when a history should not be kept!  This is one of them.
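A minimal PAC filter with the shape the paragraph describes, as an added example (not the author's proxy_en.txt or proxy_fr.txt). The blackhole target is set once, on one line, and every match refers to it; the file contains no alert() or other debug calls, which is what the paragraph says Chrome chokes on. The blackhole address, port and the blocked host names are assumptions for the example, and the matcher is written in plain JavaScript rather than the browser-supplied PAC helpers so the same file can be exercised outside a browser.

```javascript
// Added example, not the blog's own PAC filter. PAC engines run old-style
// JavaScript, so this uses var and no newer syntax. The one line that names
// the blackhole is the only line to touch when the blackhole moves.
var blackhole = "PROXY 127.0.0.1:3421"; // assumed blackhole listener (example value)

// Hosts whose traffic goes to the blackhole (constructed sample list, not
// the author's rule set).
var blockedHosts = ["ads.example", "tracker.example"];

// True if host is an entry in the list or a subdomain of one. Done by hand
// so the file runs under node as well as in a browser; in a real PAC file
// the browser-supplied dnsDomainIs() could do this.
function isBlocked(host) {
  host = host.toLowerCase();
  for (var i = 0; i < blockedHosts.length; i++) {
    var h = blockedHosts[i];
    if (host === h || host.slice(-(h.length + 1)) === "." + h) {
      return true;
    }
  }
  return false;
}

// The entry point every PAC consumer calls for each request. No debug
// output anywhere in this function: Chrome parses the whole folder it finds
// a PAC file in and trips over alert()-style debug calls.
function FindProxyForURL(url, host) {
  if (isBlocked(host)) {
    return blackhole; // send the request to the blackhole, not to the real host
  }
  return "DIRECT"; // everything else goes out normally
}
```

Point the browser's proxy auto-configuration at this one file, in a folder containing nothing else, and check the Firefox Error Console when a host does not resolve the way you expect.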

Actually, the only people I know using the PAC filter are all on Linux, and the rest just look at the rules and, if they like some of them, stuff them into their company's proxy.  I expect most of these users to be smart enough that they can handle it all with just what I say here.

Friday, September 19, 2014

Are we being hacked by the Chinese?

I wrote a response to a comment made about this article that said the US Senate was investigating the Chinese break-ins that occurred at TRANSCOM in September 2014:

Fierce Government IT - Chinese Hackers

I wrote this reply to callmebc's comments (it may not be exact because the original is gone - they deleted it):

You can be skeptical about the Chinese being behind it but you should not be skeptical about it being done. It IS done. I am an independent security analyst that cannot work due to actions by the FBI going on eighteen years with no end in sight. But I have even pulled down a banker trojan from a Financial Institution ( about one month ago. We need to get Windows systems out of the POS cash registers at brick and mortars and work upward from there. APT (Advanced Persistent Threat) can be avoided by shifting to Linux (not nearly as secure as OpenBSD but more user friendly) and using Thunderbird or other email programs that don't render HTML, making phish a thing of the past.

I got the very same malware that did in Google several years back and it WAS of Chinese origin right down to the hashing function that could only be theirs.

Since the editors deleted my response, here it is.  I do have the malware that did in Google and will provide it to Fierce Government IT upon request.  I also have malware that used the same Realtek certs used in Stuxnet.  The visible proof is here:

Realtek certs used in Stuxnet

That malware will also be provided to Fierce Government IT upon request.

Henry Hertz Hobbit   (Internet Name)
David Alexander Harvey   (Legal Name)

Saturday, May 10, 2014

No to all HTTPS

Letter to Google

   Google, people probably always want to use port 443 (HTTPS) for logging into GMail. They also want to use it for their blog.  They even may want to use it for Google+ which I need about as much as a hole in the head.  Ditto for Facebook, Twitter, LinkedIn, et al.  I don't need any of those "ant-social" web-sites.  They have turned people into anti-social idiots in the real world.
   But forcing me to use HTTPS for your search engine all the time is inappropriate.  I am generally searching for the usage of some new hosts in tracking, ad-servers and malware.  You are second on that with DuckDuckGo being the primary.  For whatever reason, you seem to be trying HTTPS first on the link which causes all sorts of problems when I click on the links.  I could care less that the NSA tracks this activity.  If they are using Windows and get infected by the ad-ware I find that is their fault.  I get the high octane malware stuff in my email box almost every day.  They can have that too because I give it to your VirusTotal service with comments I hope help people learn what is happening.
   In case you are wondering, DuckDuckGo just uses the URLs as-is.  But there I can also use DuckDuckGo as either or, whichever is most appropriate.  It is just that my ISP (Comcast / Xfinity) kept snooping on my activity, supposedly to protect my Linux systems from Windows malware.  So I usually use HTTPS with DuckDuckGo to foil them.  But I am having extreme difficulties testing for whether I have a tracker / ad-server off of your links.  Invariably the links are not using HTTPS.

   So please make it so we can use HTTP for your search engine when that is appropriate.  Over 90% of the time I could care less that the NSA knows what I am searching for.  Again a warning is in order.  When it looks like I am searching for porn I am usually looking for malware, an ad-service, or a tracker at a porn site.  Despite common wisdom to the contrary, porn sites still up the chance of Windows malware considerably.  So if I am looking for info on it may be their ad-service, a tracker or, given where it came from, maybe malware.  Even if it is just their ad-service or their tracker it still gets tossed into my porn bin when I add it to my hosts file.  After all, it is not a generic ad service.  There is no malware I know of at it.  But there is no reason to hide the search from anybody.

Sunday, March 30, 2014

Setting up email

Where The Spam Comes From

  Recently I read a piece from ESET (makers of NOD32).  They claimed that there were 10,000 hacked Linux machines sending out spam and malware.  Could this be the hackers I originally dubbed PeskySpammer and renamed PerniciousMalware, who put 500+ spam per day into one of my email boxes plus occasional malware, I asked myself?  No, it cannot be that, because you can see for yourself that the majority of the IPv4 addresses used are in DSL and cable IP blocks.  You don't believe me?  Here you go:

Public PeskySpammer folder
Originating IPs
Left 0 Pad Filled Originating IPs

  Just look them up in whois.  I stopped keeping records of these about six months ago.  But if you ever wanted proof of what was sending the spam and malware, all you had to do was seize the machines at the sending IP addresses.  On the machines, which would be running Microsoft Windows, you would find specially crafted SMTP engines that only send email.  How do they get around where it was sent from?  They pretend it was sent from some place else.  That is how I first got them.  They were pretending to send from fictitious users at my domain.  It took me over a year to get email admins to learn NOT to boomerang messages to me.  Evidently thinking has gone out of style.  Whether the hackers realized that Yahoo and other domains have email set up wrong from a practical point of view, but probably correctly from the old RFC, is unknown.  It does argue that things need to change, and immediately.  There will be more on that in a moment.

Are The Linux Machines Hacked?

  Probably.  But which would you want to send spam from?  A tiny number of Linux boxes (10,000 is tiny) whose IP addresses you can easily map out and take out of the loop with blocks at major IMSPs (Internet Mail Service Providers)?  Or do you want a huge flotilla of Windows boxes where the machines sending spam come and go regularly in such a way that a preventive measure based on the originating IP address is almost useless?  The infected Windows machine route will win hands down.  But let's probe the weaknesses of Linux.  The very first one for me is actually not security.  Because of that stupid X-Windows DB I am almost always staring at 640X480 at install time.  Gone are the days of hacking the X Config file and being on with my business.  But I work from Linux and it is a compromise.  Maybe OpenBSD would be a better choice.
   Linux systems have so much software that is hacked into place, and the software changes so furiously, that it is almost impossible to eradicate problems.  This is especially true for the servers.  But my two machines named GandalfTW and Sauron aren't servers and they eye each other suspiciously.  They will allow a hello and are-you-there (ICMP ping) and that is about it.  I don't even let one do print server duty and instead rely on the JetDirect card in the old HP printer to handle things.  Getting that configured took a lot of work.  Yes, it has an old parallel printer interface.  But with this much complexity I have this nagging feeling I have too many holes in my systems.  Blowing down the protection of IPv4 with IPv6 (no NAT, no firewall) doesn't help.  But I do have two routers in place.
   But then I hear that there is an SSL bug in Macintosh, iPhone, and iPad.  I can remember Apple taking over six months to fix a simple problem several years back.  Did they really fix the iPhone in 2-7 days and Macintosh in less than two weeks?  Unbelievable.  Then the boom was lowered.  Many versions of Linux also had an SSL security flaw.  At least some Linux distros do make use of OpenPGP signing to make the downloads trusted or not.  But is my kernel the real deal, or did the NSA hack a SHA1 certificate and give me a modified kernel?  I am paranoid.  Am I paranoid enough, or too paranoid?
   But the coup de grâce was when was hacked and they sat there saying how super secure SHA1 was.  Pshaw.  I have malware with SHA1, and I know others do too, where they hacked the SHA1.  Still, it is more likely that the certs were stolen, as in this case:

But it is not Stuxnet!  The cert passed muster until the keys were revoked.  What am I saying?  There are ways around encryption.  But coming from SSL and hitting serious security stuff gives one the idea that SHA1 is powerful.  Not one serious AV company depends on SHA1.  They shifted to SHA-256 years ago.  My OpenPGP keys have SHA-256 as the preferred digest algorithm:

Cipher:  TwoFish, Camellia256, Camellia192, Camellia128, BlowFish, Cast5, 3DES.
Digest: SHA256, SHA512, SHA1, SHA384

I used to have 4096-bit paired RSA keys and SHA512.  It was fine with a dual core and quad core machine.  It was a little too much for older single core machines.  But I get 3DES whether I want it or not.  I don't want it.  Note that both BlowFish and Cast5 precede it and iPhone and Android systems can handle that.  SHA384 is non-standard so I have no choice but to bump SHA1 up in pecking priority.

But if a Linux system is truly hacked they can steal your keys, unless you put in a symlink to a flash drive where your keys really are and the hacker always hits it with your flash drive removed.  The key logger gets the pass-phrase.  But I doubt most Linux people ever police their shell startup files.  I do look at my shell startup files, which have been altered considerably by me, FREQUENTLY!  I told you I was paranoid.  But what do you expect of somebody that has now handled well over 12,000 Windows malware samples?

So is it too much to ask that Linux people shift from SHA1 to SHA256?  I don't think so.  The fewer services you run, the less vulnerable you are.  That is the way it has been forever.

Lest Windows People Snort

  Windows did not wait for IBM to add owner, group and other to the file system, which is also used for the processes.  Back then it was called HPFS and it became NTFS.  But here is what would have happened if they had waited:

It isn't just limited to the file system.  Look at voodoo.txt.  If Target, Neiman Marcus, and others had used Linux instead of Windows in their POS terminals, scraping would not have worked.  Try it!  The SourceBuffer is invariably out of your process's memory space.  The result?  A segment violation.  No memory scraping here.  Where did all of those Siemens Nixdorf POS terminals go?  Why did they replace them with Windows?

How To Setup Email

   On to the main reason for this blog entry.  Because of the way that Yahoo (and other IMSPs) set up email I have over 500 spam per day in my mini honey-net.  I don't mind the malware except for those two days I got 500+ malware instead of spam each day.  But really, email should be set up like this as the first step in reducing spam:

1. There are only three extra email accounts.  For anything other than those three accounts, your own email account, and any other email accounts you created, anything sent to any other user should be tossed.  Bye, bye mini honey-net!

2. The three extra users are abuse, postmaster, and webmaster.  Although it may seem nice not to put email for those into the master user's account in case of somebody hacking your computer, what if your computer (as opposed to Yahoo's or another IWSP / IMSP's) is compromised?

3. The number of domains for places like Yahoo is huge.  I would set it up with some sort of self-balancing binary tree for fast lookup.  For example, if you had a domain named with just a master user named keyboard, here is what the users and email box (only one, would look like (email name, then email box):


Only the emails for those four users at would be accepted and all of the messages for them would be put in the user's email box.  Any emails sent to any other user at would be dropped like a hot scalding potato.  That means they would just be discarded.

Once that is done, all of my other comments apply.  But if Yahoo set it up this way I would get less than 2% of what I get now.  Their email servers would get a break.  The people that aren't involved in the spam and malware storm would finally see the odd behavior of their email vanish.  No?  Then look at my other points.  I am pretty sure qmail can do it.  It has the richest set of filter options of any SMTP server.
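The recipient policy from steps 1 to 3 above, as an added example that is not the blog's own code and not a qmail configuration. It applies the rule at RCPT TO time, so a message for an unknown user is refused inside the SMTP session and never queued; that is also what stops the "boomerang" bounces to forged senders complained about earlier in the post, because nothing is accepted that would later need returning. The domain, user names and RCPT lines are constructed sample data; a Map per domain gives the fast lookup the post wants a balanced tree for.

```javascript
// Added example, not the blog's code and not qmail configuration: accept
// only enumerated users per domain, refuse everyone else at RCPT TO time.
// All names, domains and lines below are constructed sample data.

// The three extra users the post names; their mail lands in the master box.
const ROLE_USERS = ["abuse", "postmaster", "webmaster"];

// Build the lookup table: domain -> (local part -> mailbox owner).
function buildPolicy(domainsToMaster) {
  const policy = new Map();
  for (const [domain, master] of Object.entries(domainsToMaster)) {
    const table = new Map();
    table.set(master.toLowerCase(), master);
    for (const role of ROLE_USERS) table.set(role, master); // role mail -> master box
    policy.set(domain.toLowerCase(), table);
  }
  return policy;
}

// Parse one "RCPT TO:<user@domain>" command. Returns null when malformed.
function parseRcptTo(line) {
  const m = /^RCPT TO:\s*<([^<>@\s]+)@([^<>@\s]+)>\s*$/i.exec(line);
  return m ? { user: m[1].toLowerCase(), domain: m[2].toLowerCase() } : null;
}

// Decide the SMTP reply for one RCPT TO line. A 550 here is the refusal the
// post wants: the message is never accepted, so it can never bounce back.
function decideRcpt(policy, line) {
  const rcpt = parseRcptTo(line);
  if (!rcpt) return { code: 501, mailbox: null, reason: "syntax error in recipient" };
  const table = policy.get(rcpt.domain);
  if (!table) return { code: 550, mailbox: null, reason: "relay not permitted" };
  const mailbox = table.get(rcpt.user);
  if (!mailbox) return { code: 550, mailbox: null, reason: "no such user" };
  return { code: 250, mailbox: `${mailbox}@${rcpt.domain}`, reason: "ok" };
}

// Run the policy over a constructed transcript of RCPT TO lines and return
// a summary of what would be accepted, refused or rejected as malformed.
function demo() {
  const policy = buildPolicy({ "example.test": "keyboard" });
  const lines = [
    "RCPT TO:<keyboard@example.test>",
    "RCPT TO:<Postmaster@example.test>", // case-insensitive role address
    "RCPT TO:<abuse@example.test>",
    "RCPT TO:<webmaster@example.test>",
    "RCPT TO:<jsmith@example.test>",     // guessed user: refused, not bounced
    "RCPT TO:<keyboard@other.test>",     // not one of our domains
    "RCPT TO:<keyboard>",                // malformed: no domain part
  ];
  const results = lines.map((l) => decideRcpt(policy, l));
  return {
    accepted: results.filter((r) => r.code === 250).length,
    refused: results.filter((r) => r.code === 550).length,
    malformed: results.filter((r) => r.code === 501).length,
    results,
  };
}
```

Only the four enumerated addresses are accepted, and all four route to the one mailbox; the guessed user and the foreign domain get a 550 during the session, which is the difference between dropping spam and generating backscatter.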

Saturday, January 25, 2014


Volunteer Reviewers Needed
   I have noticed that Phishtank has gone from something where I could review the phish they had in one session of about two to three hours to impossible.  It is not the only thing that has gone down.  Here is what my and others' email spam problem used to look like:

[screenshot]

Now it is malware as numerous as spam:

[screenshot]

So kiss goodbye any idea of help from "the man".  I have been getting many hundreds of malware per day recently.  I have been submitting what I can at VirusTotal, but the number has gone way beyond ridiculous.  I can only assume that if the FBI didn't request it, they are in favor of it.  Ditto for the US and Russian governments, the NSA, and the CIA.  Look, we had millions of stolen credit card numbers at Target and Neiman Marcus at the end of 2013.  Except for the contractors working on the problem, they seem to be going it alone.  Right now the world is upside down.

First, you need the link to Phishtank.  Here it is with the secure login specified, since they shift you to that whether you want it or not if you use their GUI to review.  Trust me; it is to your advantage to use the secure route (port 443), since many Internet Service Providers will otherwise interpret the traffic as a sign that your machine is infected, and no, they will not see that you are going to PhishTank.  Okay, here is where they are at:

Phishtank Home

Here are tips, mostly in whatever order they pop into my mind, to help you review the phish:
  1. I frown on the use of Windows for doing this.  There is malware at Phishtank.  Even worse, there is no button to say it is malware, which could be used to winnow those entries out.  I have tried to encourage a redesign that has a malware button but we won't get it.  Use Windows only if you really know what you are doing.  Avoid obvious malware links where the URL ends in ".cpl", ".exe" or similar.  Better yet, use some sort of block mechanism that blocks those for you.  Firefox on Linux is one recommended phish review combination.  Be aware that Firefox doesn't handle iFrames.  Opera has similar problems where it really is a phish but you don't see it.  Either Firefox or Safari on a Macintosh will also do nicely.  You don't have to use the GUI since Phishtank does provide lists, but I strongly discourage the list approach if you are using Windows.
  2. Okay, you ignored me and you are using Windows anyway.  Then I advise skipping those entries where they don't show you a picture.  Just be aware that if it shows Google Docs in the picture and the URL is definitely not Google Docs, that does not mean it is still a phish.  Things come and go quickly here.  What it does mean is that you can probably safely snatch the URL and try it out, since it at least was a phish.
  3. While working on these I have two lists showing in vim in an xterm.  They are Phish / Not Phish.  They list not the URLs but just the affected hosts; when I notice three or more phish at a domain, it goes into the phish list.  Rather than blaze away calling them all phish, check them every so often during the session.  Do not be surprised if a host moves from the phish list to the not-phish list even during the session.  The list I use has dates when I added them.  These are helpful but volatile.  Anything older than 5-7 days in your list is probably gone.
  4. If the URL shown to you uses not a host name but an IP (IPv4) address, and it shows what was a phish, then it is still a phish.  The only question remaining is whether it is an active phish or whether it is gone.  What do I do?  If it shows one of the many banks, Google Docs, or other known phish types in the picture, I mark it as a phish.  It is never (well, almost never) a legitimate host.  Instead it is a hacked Windows PC.  See the two pictures in this blog entry?  The machines sending the email messages are hacked Windows PCs.  They are not supposed to be doing web-server duty or sending email directly.  Mark them as phish and let us Linux and Mac reviewers put them to bed.
  5. You just got a redirect to Google, so the people fixed the problem, right?  Wrong!  Malware links in web pages frequently let only 5% to 15% of the people through to the malware.  Often, they redirect the others to Google or do nothing.  So how do you "fix a phish"?  First, clean the server and install new web-server code.  Second, close down the entire folder where all the phish live.  Third, set all the phish links to redirect to your own home page.  Fourth, set it to just give a blank line.  In Firefox this can be viewed under Tools - Web Developer - Page Source.  You will see a grayed out 1, or 1 and 2, which means that many blank lines.  But it is just as likely that the phishers themselves have set the phish to go to Google or some place else 85% to 95% of the time.  The only valid redirect phish fix is to yourself.  It showed Google Docs and now it shows Google?  It is still a phish, since you and I don't know who did the redirect.
  6. If your filters caused a block and you know this some way, just click on "I don't know" or, preferably, just ask for the next entry.  I use my PAC filter, but in a file with all of the phish rules stripped out of it.  I then actually have to add some of the GoodDomains phish rules back in, but not the pair.  E.g., the GoodDomains ebay rules may be added back in, but I don't put the other Bad rules for ebay in.  We shouldn't be testing your phish filtration.  We are reviewing the phish.
  7. I will put more here as they come to me.  Right now I am handling a slug of malware where, despite the scam being the same, the malware is not.  I am probably getting 5+ different types of malware per day.
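Tips 4 and 5 above amount to a small decision rule, so here it is as an added Python example (not code from the post): given what a reviewer already observed when fetching a reported URL (the status code, any Location header, and the body), it says whether the entry is still a phish, was fixed, is gone, or still needs a look by eye.  The URLs and responses in the sample are constructed; no network access is involved, and the "gone" outcome for 404/410 is my own addition for the "active or gone" question in tip 4.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit, urljoin

REDIRECTS = {301, 302, 303, 307, 308}


def host_is_ip_literal(host: str) -> bool:
    """True when the URL names a bare IP address rather than a host name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(url: str, status: int, location: Optional[str] = None,
           body: bytes = b"") -> str:
    """Classify an observed fetch of a reported phish URL.

    Returns "phish", "fixed" or "gone" when the observation settles the entry,
    and "review" when the page still has to be looked at by eye.
    """
    host = urlsplit(url).hostname or ""          # already lower-cased
    # Tip 4: a phish served from a bare IP is a hacked PC; it stays a phish.
    if host_is_ip_literal(host):
        return "phish"
    if status in REDIRECTS and location:
        # Tip 5: the only valid redirect fix points back at the cleaned
        # site's own pages.  A redirect elsewhere (Google, ...) may be the
        # phisher's own cloaking, so the entry is still a phish.
        target = urlsplit(urljoin(url, location)).hostname or ""
        return "fixed" if target == host else "phish"
    if status in (404, 410):
        return "gone"             # the phish folder was closed down
    if status == 200 and not body.strip():
        return "fixed"            # blank page: only empty lines in Page Source
    return "review"


# Constructed observations a reviewer might have in hand.
SAMPLE_OBSERVATIONS = [
    ("http://203.0.113.7/~bank/login.html", 200, None, b"<html>Bank login</html>"),
    ("http://www.example.net/img/docs/", 302, "https://www.google.com/", b""),
    ("http://www.example.net/img/docs/", 302, "/", b""),
    ("http://www.example.net/img/docs/", 200, None, b"\n\n"),
    ("http://www.example.net/img/docs/", 404, None, b"Not Found"),
]

if __name__ == "__main__":
    for url, status, loc, body in SAMPLE_OBSERVATIONS:
        print(f"{triage(url, status, loc, body):7}  {url}  {status}  {loc}")
```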

Monday, January 20, 2014


   PerniciousMalware (nee PeskySpammer), let's review what I have already given you for pruning your lists.  I am doing this because I may be posting to slashdot to shame some people into rectifying major defects in the way things are being done right now.  So here is the code for doing a first-pass clean-up of your TO list:

Winnow Users

   What is the result of you, Yahoo, and other Mail Service Providers doing it wrong?  Here is how it looks in Thunderbird:

[screenshot]
   And here is what it looks like in Yahoo's web-mail interface:

[screenshot]

   I call the first one DOS because that is exactly what it is: a Denial Of Service.  There are no fake pharmacy URLs or malware.  In fact, the supposedly real-world user names are nothing more than the titles of the articles whose contents you put into the messages.  In short, how stupid can you be?  Sending somebody hundreds of messages like this makes me wonder if the FBI requested that you do it.  As bad as you are, there are some others this message is addressed to.
   To Yahoo - stop changing your web-mail GUI and take care of your hack-in.  You have been shoving out malware through your ad-servers, and I have detected that the hackers still have various levels of internal access.  Make it so your paying customers get the email addressed to the users for the given domain, with mail for the users postmaster, webmaster, and abuse delivered to the master user.  For me that means only four email accounts.  All other email to other, non-existent users should be stapled, mutilated, spindled, and shredded.  This especially includes email like this that isn't even coming from the domains it purportedly comes from.  Search for previous blog entries to learn to handle them.  If you did this, your email volume would be reduced to a trickle of what it is now.
   To Comcast - after about the fourth time, it seems you would have a log so that, once you talked to Yahoo, your check would result in the proper action for me and others like me who are victims of this type of abuse: complain to Yahoo or the other Mail Service Providers to fix their problems.  Instead you have blocked me from sending email repeatedly due to your stupid no-white-list rule.  If I were rich I would sue you for slander and anything else an attorney would be willing to go after you on.  All I know is you must be stupid to have not figured it out by now.  Almost all the mail is coming DOWN to me.  I send out less than 1% of what I receive.
   To the FBI, Interpol, and NSA.  The sending IP addresses are in the saved email messages.  It would be a simple matter to do forensic analysis on one of the machines and track it back to the Russian (sometimes the stupidity of PerniciousMalware makes me disbelieve they could be Russian) or Chinese hackers.  It isn't just spam.  I just put up information on their two pieces of malware today and will make the malware available to the AV companies on demand (as if they really need it - they are swamped).
   To the Russian and / or Chinese governments.  Find these people and put them where the sun doesn't shine.