Archive for the ‘Computers’ Category

Poetry Spam?*

Thursday, July 9th, 2009

Some time in mid-February, I got tired of my spam filter’s many false positives and decided to turn it off. I preferred having to sift through 10-20 spam emails by hand than risk missing an important email falsely flagged and blocked. An additional bonus was the entertainment value of new and novel spam. Over the last month or two, I noticed a large amount of weird spam (as in not like your average spam, since all spam is pretty weird). This phenomenon peaked around two weeks ago, when I was receiving upwards of 5-10 of them a day.

Each email consisted of a subject and what appeared to be a couplet of 19th-century-poetry-sounding text. Some examples included:

Subject: and said, as her tear drops back she forced,
and, though i should say it never,
the trees bring forth sweet ecstasy only for the sake of present ease or gratification?

Subject: launched on yon shining bay,–
the latest spawn the press hath cast,–
father, father, where are you going look on the rising sun: there god does live

Subject: thy summer’s play younger and younger every day;
darkness passes away then cherish pity; lest you drive an angel from
answer’d the lovely maid and said; i am a watry weed, this time last evening. right there! all aboard!”

And that was it! No link to porn, no methods to please my man in bed, no pills to grow myself a 4 foot penis.

I think Scott put it best.

Subject: Re: the sky-lark and thrush,
From: Scott Smith
…the fuck?

On Sat, Jun 27, 2009 at 1:15 AM, Nathan Harrison wrote:

> he doth give his joy to all. sits and smiles on the night.
> become a garden mild. the miner pauses in his rugged labor,

Incidentally, that one is my favorite, for some reason. It almost makes sense.

In the name of science, I did a little snooping regarding the emails. First, I checked the originating IP addresses from the email headers. I looked at maybe a dozen emails and traced the originating countries to see if they came from any one place. They came from a variety of countries, including Uruguay, Kuwait, Germany, Italy, and even Urbana, Ohio. Was this a semi-sentient global botnet determined to demonstrate its Vogon-esque poetry skills to the world?

The next question then is, were these couplets originally composed or plagiarized from some famous poems? I pulled up Google and searched for some of the more coherent-sounding phrases, and indeed several of them were hits. It appeared that this botnet was channeling the works of William Blake and Bret Harte to create its poetic genius.

So what’s going on? My guess is probably some variant on standard Bayesian poisoning, to try to confuse spam checkers. According to the Wikipedia article on email spam, a common technique for Bayesian poisoning involves taking text from Project Gutenberg, and suspiciously, both Blake and Harte are in there.

However, Bayesian poisoning is used for text that goes along with spam trying to sell things, not random text by itself. Meh, whatever. Over the course of the last week, these emails have slowed, and I haven’t seen one in a couple days.  All I get now are my normal “How to Have rGeat sex – Smash alll Records www. bu15. net. Bewitcheed, Bedazzled, uBsted” emails.  Perhaps this will forever become a mystery.

Hey, maybe this is Conficker finally doing something interesting.

* Note: Not to be confused with spam poetry or “spoetry”, another interesting phenomenon where people make poems out of spam subject lines. Seriously.
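
As an added illustration of the Bayesian poisoning guess in this post (not code from the original post): a toy word-probability filter in the style of Paul Graham's "A Plan for Spam", showing how the couplet quoted above dilutes a spam pitch when every token is counted, and how scoring only the most significant tokens limits that. The training mail, threshold and function names are assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed training mail (assumption, not from the original post).
SPAM = ["buy cheap pills now", "cheap pills great sex now",
        "smash all records buy now"]
HAM = ["lunch at noon on the quad", "the meeting notes are attached",
       "see you at the lab on friday"]
THRESHOLD = 0.9  # assumed cut-off: score above this is filed as spam

def tokens(text):
    return re.findall(r"[a-z']+", text.lower())

bad = Counter(t for m in SPAM for t in tokens(m))
good = Counter(t for m in HAM for t in tokens(m))

def p_spam(word):
    """Per-token spam probability, clamped; unseen words lean slightly ham."""
    b, g = bad[word] / len(SPAM), good[word] / len(HAM)
    if b + g == 0:
        return 0.4
    return min(0.99, max(0.01, b / (b + g)))

def combine(probs):
    """Naive Bayes combination in log space to avoid underflow."""
    d = sum(math.log(1 - p) - math.log(p) for p in probs)
    return 0.0 if d > 700 else 1 / (1 + math.exp(d))

def score_all(text):
    """Fragile variant: every token occurrence contributes."""
    return combine([p_spam(t) for t in tokens(text)])

def score_top(text, n=15):
    """Hardened variant: only the n distinct tokens farthest from 0.5 count."""
    probs = sorted((p_spam(t) for t in set(tokens(text))),
                   key=lambda p: abs(p - 0.5), reverse=True)
    return combine(probs[:n])

PITCH = "buy cheap pills now"  # constructed payload text
# Couplet quoted in the post above, used as the padding.
POEM = ("he doth give his joy to all. sits and smiles on the night. "
        "become a garden mild. the miner pauses in his rugged labor,")
PADDED = PITCH + " " + POEM

if __name__ == "__main__":
    for name, msg in [("pitch", PITCH), ("poem", POEM), ("padded", PADDED)]:
        print(f"{name:7s} all={score_all(msg):.4f} top={score_top(msg):.4f}")
```

The cap only bounds the influence of filler the filter has never seen; words it has already learned from legitimate mail still count in full.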

Good password habits?

Thursday, March 5th, 2009

Cardinal Sins of Passwords

  • Using short passwords with few numbers or special characters.
  • Using the same password for many things (or everything).
  • Rarely (or never) changing passwords.
  • Using a name or common phrase in a password.

If you’re guilty of one or more of these bad password habits, raise your hand!

*Raises hand*

Despite being (I think) very tech savvy, I have some very bad password habits, and I would not be at all surprised if many of my similarly computer-smart friends do too. Mostly, I use the same password for many things, and I rarely change my passwords.  The password I use most often, for almost all of my accounts on various websites, I first used with my first email account so long ago in the mid 90s. It is a relatively short and simple password, and someone could definitely wreak some havoc if they got their hands on it, though they wouldn’t have access to anything important. Of my other passwords, the newest one is about 3 years old and I came up with the oldest one almost 7 years ago. That’s plenty of time for someone to get their hands on the keys to my personal information, bank accounts, etc.

One of my New Year’s resolutions this year was to improve on my password habits, and I definitely haven’t gotten anywhere with that. (Another one was to blog more, heh, fail there too.) So I guess the question is, why is it so hard to keep passwords up to date and secure?

For me, the number one barrier to changing passwords regularly is the hassle of having to memorize a new password, especially a complex one with numbers and special characters. Similarly, I reuse the 3 or 4 passwords I use most often to minimize the risk of forgetting a password.  With so many different services which require passwords, and more every week as I sign up for a new web site, it is sometimes difficult to remember whether I have an account to a certain site, much less remember a unique password for each one. Furthermore, I’ve never had any problems with security, so I don’t have any real motivation to change them.

Possible solutions

  • Using a password manager: I got a free license for 1Password during MacHeist’s Giving Tree this year, which I’m going to start using. This allows me to use more passwords of greater complexity, and not have to worry about forgetting them. Of course, this is only as secure as the master password I use for 1Password, and I have to figure something out for when I am on a public computer. If I don’t actually remember my passwords, I won’t be able to get to my accounts away from my computer.
  • Using phrase passwords: Instead of the traditional 8-12 character random passwords, use a 20-30 character phrase that is easy to memorize but difficult to guess. To help mitigate the risk of getting locked out of my accounts if I lose access to my password manager somehow, I think I will start using phrases from songs or quotes or something as passwords, instead. Unfortunately, the longer a phrase is, the greater the chance of a typo while typing it in.
  • Using a password generation system: Another option which might be safer than phrase passwords is using a system to generate secure passwords that are unique for every site. One such system is this one suggested by Lifehacker.

I’m starting to migrate towards these practices right now. Hopefully, I’ll be able to keep it up and maintain my good luck with regard to password security for a while longer.