Categories: Anti Spam Tips & Tricks, Business and Marketing, Computer & Internet Literacy

Beyond Snowden: How Government Corrupts Business

It seems we have been living with the Snowden revelations forever. But in truth, he has only been a household name since mid-2013. There was so much news released that it quickly became information overload. There was too much information to fully process any one piece of it. The takeaways from the information dumps can be summed up in the following manner:

  • The government is spying on its own people
  • Everything you do on your cell phone is being monitored in some way
  • Private businesses are colluding with the government to erode your civil liberties

Everyone kind of suspected the government was spying on them. And they knew that cellphone data could be monitored. But they were surprised and offended that the companies with which they were doing business were actively selling them out.

The level to which the government has subverted private industry is still news. The more we learn about what the government is doing in the name of security, the less security we feel like we have. Here are two examples:

The Government Compromises Your Protection

Never mind China and Russia. One of the biggest malware threats U.S. citizens face is from the U.S. government. For years, we’ve known that various governmental agencies attend black hat conferences. We also know that they hire some of the best hackers. Now we know what they are doing with all of that black hat talent. They are making and releasing malware. While we know about some of the malware offensives against other governments, there is no reason to believe that some of that malware isn’t used against U.S. citizens.

For these reasons, the government wants your computer to be as insecure as possible. Spiking the security punch your computer is drinking is one of the ways they can lull you into believing that you are secure when you really are not.

When your system is breached, sometimes the only thing you can do is wipe all the data and make a clean start. Before you can do that, you need to be sure to have a secure backup of your data. That means you will have to have some type of data loss prevention plan for such an eventuality. A plan is necessary due to risk factors such as:

  • Rapidly evolving compliance regulations and mandates
  • Continued growth of workforce mobility
  • Employees using their own mobile devices and consumer apps for work
  • Rising frequency of advanced persistent threats (APTs) and data breach incidents

The Government Causes Businesses to Compromise Core Values

Blackberry is in the news again, and it is not good for Blackberry fans. Blackberry CEO, John Chen, speaks on the great encryption debate and where BlackBerry stands on it all. What he is saying is proving worrisome to many longtime Blackberry fans.

Blackberry still has a lot of government contracts. And Blackberry’s only stronghold is mobile security. The conflict of interest becomes apparent when one hears what every branch of the government in almost every country is saying. Right now, especially in the U.S., there is a war on strong encryption on consumer devices. The government is demanding backdoors, and wants access to consumer communications upon request.

For his part, Apple’s Tim Cook has drawn a hard line when it comes to cooperating with such requests. He has publicly stated that Apple cannot comply because it has engineered its products so that Apple itself holds no keys. They are in the business of privacy.

On the other hand, Blackberry’s John Chen is promising cooperation. He is not promising a backdoor. But he is taking a pro-government stance which seems geared toward protecting existing ties with government entities. Blackberry is not necessarily doing anything wrong. But it is a strange day when a consumer company defies the government in the name of security, while the security company defies security in the name of the government.

We have seen some disturbing examples of how the government is becoming more emboldened when it comes to pressuring businesses to serve as an unofficial branch of the state. As a consumer, your best protection is to use products that have a proven track record of consumer protection and strong encryption, and keep a good set of backups just in case.

Categories: Anti Spam Tips & Tricks, Domains, Google Hacks, Cheats & Tips, PHP Tips & Tutorials

Remove Gmail via Field and Add mailed-by & signed-by with PHP mail()

PHP mail() is a great function for easily sending emails from your website server. If you have ever used it, or are currently using mail() to send emails from your website or application, chances are you have noticed that Gmail persistently attaches a ‘via’ field to the From address of your messages as shown to the recipient. If you are on a shared host or have multiple websites on a VPS, the ‘via’ field shows the domain of a completely different website from the sending domain, which is very uncomfortable.

So how do you make the ‘via’ field disappear from Gmail messages sent by your PHP mail() function? How do you make the ‘mailed-by’ and ‘signed-by’ fields show the email-sending domain rather than the server hostname?

And how do you make Gmail trust messages sent from the mail() function?

Get rid of Gmail ‘via’ field for PHP mail() messages and make your domain show up in ‘mailed-by’ and ‘signed-by’

Here is what you need to do to make Gmail fully trust your domain and the PHP mail() messages sent from it.

1. SPF and DKIM

Firstly, you need to set an SPF record for the domain you are sending emails from and enable DKIM as well. These are the mechanisms receiving servers use to tell your legitimate messages apart from spam forged in your name.

2. "From: " on your sending domain

Secondly, make sure the “From: ” header is an email address on the domain you are sending messages from. Don’t pretend to be someone else. If you are sending from abc.com, use a “From: ” address at abc.com rather than an address on any other domain (your Gmail address, say). If you want recipients to reply to your Gmail address instead of your domain address, use the “Reply-To: ” header; “From: ” must always be an address on the domain you are sending from.

3. "Return-Path: " on the same domain as "From: "

Thirdly and most importantly, set the “Return-Path: ” header to be the same domain as that of the “From: ” header. Use the 5th parameter of the mail() function for this:

$headers = "From: sender@yourdomain.com\r\n"; // From on the sending domain (placeholder addresses)
mail('recipient@example.com', 'Subject', "Message Body", $headers, '-fsender@yourdomain.com'); // -f sets the envelope sender, i.e. the Return-Path

So the Return-Path of this message would be sender@yourdomain.com (the email address immediately following the -f switch). The $headers parameter should contain all the necessary message headers; make sure “From: ” is also an address on yourdomain.com.
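Putting the three steps together, as an added example that is not the post’s own code: a small wrapper that refuses to send unless the From address and the envelope sender (Return-Path) share a domain, and passes the latter through the -f switch. The function names and all addresses are placeholders, and it assumes mail() is delivering through a local sendmail-compatible binary.

```php
<?php
// Added example (not from the post). Wraps PHP mail() so that the From header
// and the envelope sender (Return-Path, set with -f) are always on the same
// domain, which is what makes Gmail show that domain in mailed-by.
// All addresses below are placeholders.

// Return the lower-cased domain of a valid address, or null if it is not valid.
// Validating first also keeps newlines or shell metacharacters out of the
// headers and out of the -f argument handed to the sendmail binary.
function emailDomain(string $address): ?string
{
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return strtolower(substr(strrchr($address, '@'), 1));
}

// Send a message whose From and Return-Path share one domain. Use $replyTo
// for an address elsewhere (e.g. Gmail) instead of putting it in From.
function sendAlignedMail(string $to, string $subject, string $body,
                         string $from, string $returnPath, ?string $replyTo = null): bool
{
    $fromDomain = emailDomain($from);
    $rpDomain   = emailDomain($returnPath);
    if ($fromDomain === null || $rpDomain === null || $fromDomain !== $rpDomain) {
        throw new InvalidArgumentException(
            "From ($from) and Return-Path ($returnPath) must be on the same domain");
    }
    $headers = "From: $from\r\n";
    if ($replyTo !== null && filter_var($replyTo, FILTER_VALIDATE_EMAIL) !== false) {
        $headers .= "Reply-To: $replyTo\r\n";
    }
    $headers .= "MIME-Version: 1.0\r\n";
    $headers .= "Content-Type: text/plain; charset=UTF-8\r\n";
    // Fifth parameter: extra arguments for sendmail; -f sets the envelope
    // sender, which the receiving server records as Return-Path.
    return mail($to, $subject, $body, $headers, '-f' . $returnPath);
}

// Placeholder call: From and Return-Path are both on yourdomain.com,
// while replies go to a Gmail address via Reply-To.
$sent = sendAlignedMail(
    'recipient@example.com',
    'Hello from yourdomain.com',
    "From and Return-Path of this message are both on yourdomain.com.",
    'noreply@yourdomain.com',
    'bounces@yourdomain.com',
    'you@gmail.com'
);
echo $sent ? "queued\n" : "mail() returned false\n";
```

The -f switch only takes effect when the web server user is permitted by the local mail transfer agent to set the envelope sender; otherwise the MTA may ignore it or add a warning header.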

Now Gmail trusts all emails from yourdomain.com

After these steps and measures, Gmail should now completely trust your messages from yourdomain.com. The ‘via’ field of your messages should be gone, and the ‘mailed-by’ field as well as the ‘signed-by’ field should correctly show yourdomain.com.

Uploaded below is the screenshot of a message sent to my Gmail email from one of my websites (*ses.com) using the mail() function:

[Screenshot: make Gmail trust your email]

Both the ‘mailed-by’ and ‘signed-by’ fields are correctly populated with the sending domain, even though it is neither the primary site nor the hostname of the server that sends the email. The ‘via’ field is also gone.

This site doesn’t have any SSL certificates installed.

Gmail is by far the best spam catcher of all email services, so if Gmail trusts you, your emails sent by PHP mail() from yourdomain.com should look good in all other email inboxes as well. Our forum also has a thread covering this.

Thanks to Michael Gorven and Laura for the help.

Categories: Anti Spam Tips & Tricks, PHP Tips & Tutorials

PHP: Checking Text Strings against Reserved or Censored Words

I created a free online web form builder a while back, and since it did well in search engine rankings, spammers and phishers found it and started using it to create forms that collect email account usernames and passwords through phishing attempts. I’ve got to do something before my host closes down my site because of all the complaints and alerts from university security departments. They’ve got good reasons: I’m hosting all the phishing forms.

Phishers tend to use URL slugs that include words such as ‘admin’, ‘webmail’ or ‘account’ so that the form seems authoritative at first glance. After they have signed up, they create forms with fields labeled ‘Password’ or similar. So what I’m going to do is list all such words as reserved words and block users from using them anywhere.

I need a function that checks a subject string against an array of reserved words and rejects the input when any of them appears. Here is my function:

class StringFilter { // class name is a placeholder; the method lives in a class of your own
	/**
	 * Return true when $subjectString contains none of $disallowedWords.
	 * Non-letters are stripped first so 'a-d-m-i-n' still matches 'admin'.
	 */
	public static function isStringLegal($subjectString = '', $disallowedWords = array()) {
		// Keep only ASCII letters; case is handled by stripos() below
		$alphabetSubject = preg_replace('|[^a-zA-Z]+|', '', $subjectString);
		foreach ($disallowedWords as $disallowedWord) {
			// stripos() returns false only when the word is absent (0 is a valid hit)
			if (stripos($alphabetSubject, $disallowedWord) !== false) {
				return false;
			}
		}
		return true;
	}
}

The PHP function stripos() returns the numeric position at which it finds $disallowedWord in $alphabetSubject, case-insensitively. If it finds nothing, it returns false. The comparison must use !== rather than !=, because a match at position 0 would otherwise be mistaken for false.

A sample disallowed words list:

$slugDisallowedWords = array(
	'formkid',
	'kavoir',
	'mail',
	'admin',
	'account',
	'password'
);

The disallowed words list may only contain alphabet letters. If you need a phrase such as ‘no way’, add it to the array as ‘noway’. This is to defeat attempts to sneak a word or phrase past the check in forms such as ‘a-d-m-i-n’ or ‘Pa_ss Word’: all non-alphabet characters are removed first, and the stripped string, which now contains only letters, is checked against each word in the disallowed words list.
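As an added example (not the post’s code), here is a variant that goes one step further than stripping non-letters: it folds common look-alike substitutions such as ‘adm1n’ or ‘p@ssw0rd’ back into letters before matching, and reports which reserved word triggered the rejection so it can be logged. The class name and the substitution map are assumptions.

```php
<?php
// Added example, not the post's code. Extends the post's isStringLegal() check:
// look-alike digits/symbols are folded into letters, then non-letters are
// stripped, then the reserved-word scan runs. The map below is a heuristic.

class ReservedWords
{
    /** Common look-alike substitutions folded back to letters before matching. */
    private const LOOKALIKES = [
        '0' => 'o', '1' => 'i', '3' => 'e', '4' => 'a', '5' => 's',
        '7' => 't', '@' => 'a', '$' => 's', '!' => 'i', '|' => 'l',
    ];

    /** Reduce input to lower-case letters only, after folding look-alikes. */
    public static function normalize(string $subject): string
    {
        $folded = strtr(strtolower($subject), self::LOOKALIKES);
        return preg_replace('/[^a-z]+/', '', $folded);
    }

    /**
     * Return the first reserved word found in $subject, or null if it is clean.
     * $disallowedWords must contain lower-case letters only, as in the post.
     */
    public static function findReserved(string $subject, array $disallowedWords): ?string
    {
        $normalized = self::normalize($subject);
        foreach ($disallowedWords as $word) {
            if ($word !== '' && strpos($normalized, $word) !== false) {
                return $word;
            }
        }
        return null;
    }

    /** Same contract as the post's isStringLegal(): true when nothing reserved is present. */
    public static function isStringLegal(string $subject, array $disallowedWords): bool
    {
        return self::findReserved($subject, $disallowedWords) === null;
    }
}

// Constructed sample inputs: the post's list plus a few evasion attempts.
$slugDisallowedWords = ['formkid', 'kavoir', 'mail', 'admin', 'account', 'password'];
foreach (['a-d-m-i-n', 'Pa_ss Word', 'adm1n-login', 'p@ssw0rd-reset', 'my-survey'] as $slug) {
    $hit = ReservedWords::findReserved($slug, $slugDisallowedWords);
    printf("%-16s %s\n", $slug, $hit === null ? 'allowed' : "rejected ($hit)");
}
```

Because matching is by substring, short entries such as ‘mail’ also reject harmless slugs like ‘email-survey’; keep the list short and review rejections rather than silently dropping them.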

Categories: Anti Spam Tips & Tricks, Content / SEO Tips & Tutorials, Google Hacks, Cheats & Tips, Information Security

How to know if your site has been penalized by Google for malicious software or suspicious content?

Back when WordPress was pretty young, there were some loopholes that let attackers inject unauthorized and dangerous HTML code into your website pages, spreading malware that damaged end users’ computers. I was once there and got penalized by Google for one of my sites. They were gentle enough to detect that it might not have been my fault, but still decided to lower the overall ranking of all the pages on that site for a while, to protect Internet users and to notify me.

If you have spotted anything suspicious, or sense that your overall site ranking is down, you may want to check for certain whether your site has been infected with malware or anything else that threatens your site and its visitors.

Just go here: http://www.google.com/safebrowsing/diagnostic?site=example.com

And Google will present you a detailed report of what they have found on your site for the last 90 days.

Categories: Anti Spam Tips & Tricks, Information Security, Web Applications & Online Software

phpBB Spam Control – phpBB Anti-Spam Options for Fresh Forum Installations

phpBB is pretty much the best free PHP forum software out there and the first choice of many webmasters. However, a few weeks after first installing it, many complain that spam bots start to overwhelm their forums, flooding them with automated spam registrations and spam posts.

Unfortunately, that is generally because:

  1. phpBB disables account activation by default so that any registered account would be instantly able to write and submit posts.
  2. The default image captcha at registration is much too easy for anti-captcha programs to break.

So, taking phpBB 3.0.4 as an example, do the following with every new phpBB installation to stop the majority of simple phpBB forum spam bots:

  1. Enable registration activation: Administration Control Panel => General => (Board Configuration) User registration settings => (General settings) Account activation => Now select ‘By User’ instead of ‘None’ => Submit. Thereby all newly registered accounts will be required to validate their email address, which automated spam bots using fabricated addresses will not do, at least not for new forums of little value.
  2. Use harder captcha images: Administration Control Panel => General => (Board Configuration) Visual confirmation settings => (General options) => GD CAPTCHA foreground noise => Select ‘Yes’ instead of ‘No’ => Submit. This makes the captcha a lot harder to break, but also less user friendly / accessible, because the text is much harder for humans to read as well. To ease the pain, you may want to set the numeric values just below that option, for background noise on the x-axis and y-axis, higher or to zero. I use 200.

After all these efforts you should be receiving much less spam. If they still laugh at your defense and keep on coming, you should consider a more advanced image captcha such as reCaptcha.net.

For an idea of what captcha works best

Below is a list of image captchas from well-known Chinese websites that have allegedly been broken by automated text recognition programs, with the claimed accuracy and the price charged for each. From it you can get an idea of which captchas work best and which can be easily worked around.

[Samples column: captcha images, not reproduced]

Origin     Accuracy   Price         Comments
9you       100%       500 / $100    Very Easy
tiancity   100%       500 / $100    Very Easy
cncard     100%       500 / $100    Very Easy
the9       100%       500 / $100    Very Easy
the9       99%        1000 / $200   Easy
kingsoft   98%        1000 / $200   Easy
taobao     95%        1000 / $200   Easy
dvbbs      95%        1000 / $200   Easy
126        95%        1000 / $200   Easy
163        95%        1500 / $300   Middle
shanda     90%        1500 / $300   Middle
qq         90%        1500 / $300   Middle
xiaonei    85%        1000 / $200   Middle
sdo        85%        1500 / $300   Middle
ourgame    80%        1500 / $300   Middle
chinaren   85%        2000 / $400   Middle
monter     80%        2000 / $400   Middle
baidu      80%        $3000         Difficult
qq         75%        $3000         Difficult
ebay       60%        $4000         Difficult
myspace    30%        -             -
google     30%        -             -
hotmail    30%        -             -
yahoo      45%        $8000         -