I found a sneaky type of spambot this morning. It was impersonating regular commenters on Speed Force, using their names and (at first glance) email addresses to blend in.

The names weren’t terribly surprising, but the email addresses were. Where had it gotten them? WordPress shouldn’t reveal them, unless there’s a bug somewhere. Was one of my plugins accidentally leaking email addresses? Had someone figured out a way to correlate Gravatar hashes with another database of emails?

As I looked through the comments, I realized that in most cases, it wasn’t the commenter’s usual email address. Here’s what the spambot was doing:

  1. Extract the author’s name and website from an existing comment.
  2. Construct an email address using the author’s first name and the website’s domain name.
  3. Post a comment using the extracted name, the constructed email, and a link to the spamvertised site.

The actual content (if you can call it that) of the comments was just a random string of numbers, and the site was a variation on “hello world,” leading me to suspect that it might be a trial run. Certainly they could have been a lot sneakier: I’ve seen comment spam that extracts text from other comments, or from outbound links, or even from related sites to make it look like an actual relevant comment.

I’d worry about giving them ideas, but I suspect it’s already the next step in the design.

Update: They came back for a second round, this time here at K2R, and I noticed something else: It only uses the first name for the constructed email address, but does so naively, just breaking the name by spaces. This is particularly amusing with names like “Mr. So-and-so,” where it creates an address like mr@example.com, and pingbacks, where the “name” is really the title of a post.

OK, I appreciate that eBay has a dedicated email address for reporting phishing attempts. I appreciate that their abuse department is a lot busier than I am, and therefore has to rely heavily on form letters. And I appreciate that they’re making an effort to educate the public on how to spot phishing and avoid getting caught.

But when I forward them a message with the comment, “Here’s a sample of a blatant phish,” is it really necessary to reply with the full two-page notice explaining, “This is a spoof, we didn’t send it, here’s how to avoid it, blah blah blah” and the entire body of the original message, complete with the links to the phishing site?

I’d think in this case a simple, “Thanks for the report, we’ve notified the authorities” note would be sufficient, especially since the “how to spot a phish” stuff is already in the auto-response. All it takes is giving their abuse staff an extra choice for the form letter.

And under no circumstances should they be including the full, original text of the phish. At best, it’s asking for the response to get lost in a spam box or blocked outright. At worst, it’s a security risk waiting to happen (since this copy really did come from eBay). Somewhere in the middle is the risk of mucking up adaptive filters as they try to reconcile the original message, which was spam, with the new message, which isn’t.

Lost in the news about the IE7 Beta and Mozilla Corporation has been Opera’s decision to stop spoofing IE in its latest preview release.

So what is User-Agent spoofing? Well, let’s say someone decides that he’ll only allow blondes into an event. Depending on how its done, UA spoofing can be like wearing a blonde wig, or it can be like a brunette wearing a badge that says “Blonde.”

For several years, Opera has done the latter, basically wearing a badge that says “I’m Internet Explorer (wink, wink).” The sites with oversimplistic detection are fooled, but anyone paying attention can tell that it’s Opera.

The next question: Why is it even an issue? Well, web developers want to make sure that visitors will actually be able to see the site as intended, but it’s historically been easier to look for the browser’s name and version than figure out exactly what it can do. So developers often do the equivalent of asking someone whether they can speak French by asking them whether they live in France. You’ll get French speakers, but you’ll also block people from Quebec or Haiti, bilinguals, etc.

These days it’s recommended to check for capabilities, not to check the name of the browser and see if it’s on the approved list. It’s not always possible, since every browser has its own quirks, but it produces better results—and blocks fewer people who might otherwise be able to visit your website.