Lately I’m seeing a lot of spam user registrations here at iandouglas.com which of course raises the question of whether using a third-party application such as e107 is beneficial to my needs, or if there’s some inherent flaw/exploit/vulnerability that someone’s trying to take advantage of.

I see a lot of this kind of behavior on client sites who have third-party apps running that advertise the CMS/forum software along with version numbers, like phpBB where spammers have learned to read the default ‘captcha’ image and register accounts so that posting spam comments is easier. All they need to do is go to Google and search for “phpBB” with a version number with a known exploit, and Google will happily serve up a list of sites that proudly proclaim “powered by phpBB v1.0.0″ or whatever.

I’m currently using the latest release of e107, but I’m starting to think, again, that a home-grown solution might be more beneficial. There’s so much bloat in third-party apps as CMS engines try to be “all things to all people”. Like my struggle with buying a cell phone that’s JUST a cell phone, CMS application developers keep cramming in features I’ll never use, and offer no easy way to strip them out or disable them.

I’m seriously debating just going back to the ol’ drawing board, like Wile E. Coyote, and just design my own CMS software. I’ve started it in the past and usually gave up because it was a pretty daunting task. Now, with tools like Symfony, it’s a lot quicker and simpler to build scaled applications like that.

It’s not like I need anything terribly fancy either, just a place to write my blog articles, manage my file downloads, and let users register to leave comments. Barely anyone uses my forums any more for support help on the software I write, so I’ll likely take that completely offline in the near future.

Of course, with a new CMS comes the chore of writing a fistful of .htaccess rules to ensure search engines and bookmarks to my site still work by bouncing browsers and bots over to the new URLs. Overall, that’s the easy part of the job…

Update, June 1 2007: I had shut of wild98.com for nearly two full years and recently enabled it again and it’s insane to see 100+ pieces of spam show up every day to addresses that have been bouncing back to never-never-land for two years straight. You’d think there would be a bigger market for ‘clean’ Email addresses that don’t bounce back…

Check out this article at ZDnet for more information.

Apparently the spammers have made a zombie trojan that can figure out your ISP’s Email proxy information, and send spam through your PC as if you were actually sending it from your PC using your ISP’s Email service.

The potential is huge: major ISP’s won’t want to block every other major ISP, so the only solution will be content filtering, but that’ll likely only work if you’ve already been training your spam blocking software (like SpamAssassin) to what you think is spam or not over a number of months to be smart enough. Simply turning on this type of bayesian filtering right away may not help.

Thankfully, LunarPages includes SpamAssassin as a free service, and I’ve written up a tutorial in their forums for how to train SpamAssassin.