Occasionally I would happen to notice strange wiki entry references in the logs. I never put two and two together until today. Using Google Analytics, I saw where Google had a number of spam appearances attributed to my domain. So I scoured the logs more thoroughly and found the wiki server had been set up to allow “unauthenticated” posts. Amazing, and even more so is that this is the default!?! I couldn’t believe it.

The “unauthenticated user” had created a “Publications” entry back in 2008. Again, WTF?!? (And that isn’t a reference to the CIA’s “WikiLeaks Task Force” either… ) There were, for the most part some that appeared to be legitimate posts. A lot of the entries had photos that added to the story. There were over 20 pages, each with many posts, going all the way back to 2008. They were posted with somewhat frequent regularity. The latest was posted last night at 02:00 or so.

A quick Google search really didn’t reveal a canned, step by step fix. I did see reference to how this configuration is a spam magnet. How true…

I decided to dive in to the configuration and see if I could figure it out. I don’t know if this will work, but since my address has been a regular target, only a day or two will tell if I have been successful.

In the end, I deleted the offending wiki and blog. I created a group that has permissions to make / edit a wiki post (and I hope this rolls to the blog entries, too.) Essentially, since this is a small server and it isn’t difficult to manage. On a larger scale, an automated configuration should be created. In essence, I just added authorized users to a group that allows wiki posts. The next step was to configure the wiki server to only accept posts from that group of users. (It was here in Server Admin that I finally noticed the ‘Wiki Allows Posts by Everybody’.

Sheesh! For folks like me, I would sure appreciate the default to explicitly reject posts by everyone and require specific permissions. It make me wonder just how many other compromised installations may be scattered around the Internet. Even more interesting, it make me think of some of the Google links I have followed… Some of the posts buried in my wiki / blog server looked suspiciously similar in style and content to ones I have visited.

Sure the idea is to drive traffic to your server… But this is NOT the right method!

I think there were around 400 messages. As I was scanning them before deleting (to make sure I didn’t delete good email) I saw the following:

Wow, I could have almost missed the opportunity! I saw it was from December 9, so figured it must have been a pre-Christmas sale or promotion. (It did say this week only, too.) I wonder if they still have it available at that price?!?! I know a few people who could take advantage of this…

No, I’m not talking about some big furry man-like creature that lurks in the wilderness.  But this was almost as scary.  I’m talking about the Bigfoot, “email address for life” service.  Well, it was alive until I killed it, anyway…

For the past couple of years, the spam received at my “Bigfoot for life” address was on the rise.  The spam that got through far out numbered the “good” mail that was received.  I spent hours tracking, logging, and charting the spam versus good.  What was worse, and far more frustrating, was that I had upgraded my account to “premium” membership.  This entitled me to increased spam protection.  Yea, right!  I think I overlooked the fine print that must have said ‘I pay for the privilege to receive all the spam I can handle, and then some.’

I threatened to delete the service, but was drawn in by that “email address for life.”  A few months ago, I did finally cancel my premium membership.  The spam protection was virtually non-existent, and I only had been using the address to receive a few mailing list emails a day.  I quit giving out the address long ago, when the spam started to become unbearable.

All of the other free email services, including Hotmail, Yahoo, and particularly Gmail, have far better spam protection.  I would forward the Bigfoot email to one of these services and literally less than a few spam messages *ever* made it through to the inbox.  That is saying a lot, since Hotmail was always notorious for spam.

The proverbial straw was when I received what (to me, anyway) appears to be a valid email from my Bigfoot account, to my business account.  Of course, it was spam.  I looked at the headers, since I just assume the ‘from’ was spoofed.  From my limited expertise however, this came from my Bigfoot account!

I tried to log on, and found I couldn’t remember my password, or it had been changed.  I was able to find a ‘contact us’ web form, but I’ve gone that route for issues in the past.  I think it goes off into a black hole.  I asked for my account to be disabled / deleted immediately.  That was yesterday, and still nothing today.  In the meantime, I did locate my password and was able to log in.  I didn’t even look through the webmail (which in hindsight was dumb) but immediately deleted the account.  Bigfoot is dead…

In the beginning, it was a good concept and actually worked well.  However, I think they got in to the business of selling their email addresses or something, as a source of revenue.  One interesting note, which makes me believe this, was a sign-on notice.  It said I had a “free” account, and would have to accept some terms of service, which allowed third-party mailings.  What a rip-off!  I think that borders on criminal.

But it’s all behind me now.  I know there are other redirections / forwarding services.  But with the proliferation of Gmail and others, why do you really need them now?

Bigfoot, RIP…

Diagnostic-Code: smtp;550 This account is not allowed...jczech@bigfoot.com

A test message to ensure Bigfoot is really dead.