Hakin9 - Spam Kings
Thurs 4th Oct 12
Update - 15th March 13
Before writing this article I was sometimes receiving a couple of mails from one of the Hakin9 team per week however, in the past six months, I'd not received a single one, till yesterday. I'd love to take full credit for having the company change their policies but I think the amazing DICKS article and the work by Attrition probably had more to do with it.
But, back to the mail. I dug out my very long list of email addresses I'd collected for anyone associated with the Hakin9 group and replied to the request cc'ing everyone in. The message simply pointed the reader to the various articles mentioned above along with this post.
From this I got a reply from Ewa Duranc, a lady whose email footer has her as the "Senior Editor of Hakin9, PenTest and CYB3R IT Securitty Magazine"[sic]. She apologised and I thought "here we go again" but after some back and forth emails she sent me a screenshot which shows access to various sites being blocked on their office network. This is an attempt to stop editors who are looking for authors visiting sites owned by people who do not want to be contacted. Pair this with the no-contact list they already have in place, which has worked for me for the past six months, and I do feel that they are trying to reform. The solution isn't perfect but nothing will stop a rogue editor from contacting anyone they want, it just can't be done.
My next question to Ewa was how other people could get themselves included on this list? She offered to put a new page on their sites containing the contact information required, I agreed this was a good idea and the pages were created within minutes. You can see them both here: Hakin9 and PenTest Magazine.
Will this solve the unsolicited contact problem for everyone, possibly not but I think for the majority it will work. Is the company sorry, I think they realised that they lost a lot of credibility with the DICKS article and are trying to rebuild that.
So, for now, thank you Ewa for putting the policies in place and lets hope they work.
This blog post goes with a lightning talk I gave at BruCon 2012, here are my slides.
About 3 years ago I got an email from an assistant editor for Hakin9 magazine asking if I'd be interested in writing an article for them. At the time I was thinking about trying to earn a bit of cash on the side writing articles so was interested. Also, being asked by a magazine I'd previously subscribed to when it was paper based made me feel a bit special - they were asking me to write for them, I must be doing something good. So I replied asking what they were looking for and how much they were offering for an article. The message came back that they didn't pay for articles but you got a free copy of the edition you were in and the kudos of being having your work published. Seeing as they charge readers for the magazine I decided that I didn't like the idea that they would be profiting from my work and so turned them down. If they had been giving away the content for free then I might have considered it.
A week or so later I got another mail from a different assistant editor asking the same thing. I politely explained that I wasn't interested and forgot about it. Another few weeks went by and I got a request on LinkedIn from yet another assistant editor asking for an article. Again I turned it down.
At this point I mentioned it on Twitter and to my surprise lots of people came back saying they were getting the same requests. This burst my balloon, I wasn't special, everyone was getting the same emails.
Since then I've been getting some kind of request for an article from either Hakin9 or one of its sister publications, PenTest Magazine and e-forensics, about once a fortnight via direct email and maybe once a month through LinkedIn. I've also seen requests on mailing lists and forums. Normally I just ignore them or reply asking to be taken off their lists. I know I could just set up a mail filter and dump everything from software.com.pl into spam but it is the principal of the thing, a person should be able to tell a company not to contact them and have the company honour that request.
About a month ago a request came in at just the wrong time and I let the assistant editor have it with both barrels. I rarely shout or swear in emails but on this one occasion I had a real go at the person who had been unlucky enough to send that piece of spam. I also had a complain about it on Twitter and managed to get the attention of the Hakin9 Twitter account .
They asked if they could discuss the matter in private, not a chance! So we took it to Google+ with a lady called Ewelina Soltysiak representing Hakin9.
Things started off well, with an apology and a suggestion of how they were going to fix the problem, a "Do not contact" list. There was also another request to make the discussion private, I think they were trying to avoid public fuss over it.
And a second message later that day says the list is in place, myself and Kevin Johnson (the other part of "both of you") have been added to it and all the staff will be told about it in a meeting. That should mean no more mails right?
I wasn't particularly surprised when on the 6th, the day after the above messages, I got another request. When I forwarded this to Ewelina she pointed out that it had come from PenTest Magazine and she works for Hakin9. Apparently they are completely different and have no connection with each other apart from having the same parent company. The general response was "Sorry I can't do anything about them". The next day I got a LinkedIn request from a Hakin9 representative, when I reported this one to Ewelina I was ignored. There are two possible situations here, either the "Do not contact" list was just made up to shut us up or the assistant editors don't really care about management policy and do whatever they want regardless. I think both are equally plausible, the editors probably get paid on commission so the more people they approach the higher chance of a pay day.
So I figured that if Ewelina couldn't do anything to control her staff then I'd see if I could find someone who could. Out came the toolbox and I started looking for email addresses. In the end I gathered a list of 146 addresses and sent them all a polite email saying that I wasn't interested in writing for them. Quite a few bounced or came back with an automated "I'm not working here anymore" but a good chunk were delivered. From this I had a mail back from Maciej Kozuszek who works for PenTest Magazine, he offered to set up the same list for his people and would work with Hakin9 to make sure the list was shared. He also offered the following advice on how to not be contacted by their various magazines:
Unfortunately his advice didn't make anyone react and a month later I'm still getting requests.
If everyone is to be believed, this list the list of people who should be able to make a difference and react:
- firstname.lastname@example.org - Hakin9
- email@example.com - PenTest
- firstname.lastname@example.org - Cryptomag
- email@example.com - eForensice
- firstname.lastname@example.org - BSD
- email@example.com - General "do not contact"
So, what am I trying to achieve with this blog post. A few things, the first, I've now got an article I can submit whenever I'm asked in the future, second, whenever I mention Hakin9 to people they all seem to have the same experience, I want people to know that they are not alone. Finally, an article like this may somehow make it through to the top people at the various magazines and make them realise that rather than appealing to their main target audience they are actually alienating them.
A last couple of things, Dave Hardy noticed that there is a new magazine on the block, Greyhat Magazine. Whois shows that this is from the same stable so expect mails from them to be added to the list of spammers.
If you are actually considering writing for any of these magazines, keep an eye on the Attrition Plagiarism site for an upcoming article by Jericho, don't get tarred with the same brush.
Update After talking to one of the owners of Greyhat Magazine I no longer believe that they are part of the same company. I've been assured by him that they won't be sending out spam requests and that articles will only be written by people they already know. I was initially tipped off to Greyhat by Dave as he received an article request through LinkedIn, I was told that was a one off and that they won't be doing it again. As with Hakin9 when they started promising things I'll give them the benefit of the doubt but if I do start hearing of spam from them then expect another follow up article.
And here is the link to some very good research articles about Hakin9 from Errata.
And if you want a good laugh you can check out the quality of the articles published by Hakin9 by having a read of this amazing article on nmap, it is a work of shear genius.