The FBI Knows Your Address -Your IP Address That Is!

Picture this. You’re at your office, minding your own business and going about your day when all of a sudden the FBI busts in with warrants and seizes every piece of computer equipment in your company. They also take phone bills, bank statements, video equipment, and just about any personal information they can find. What would you think? The boss fudged his taxes? Roberta in accounting did a little insider trading? Now what if you were told they were raiding your company because someone clicked on a link? Sounds absurd, doesn’t it? The scary part is it actually happened to a history professor named Roderick Vosburgh at La Salle University. The link he was accused of clicking on was one the FBI had created to catch people trying to download child pornography. Any computer accessing the link has its IP sent straight to the Feds. Federal law makes even an attempt to download such material a crime punishable by up to 10 years in prison, and Vosburgh was found guilty of attempting to follow that link.

What makes his case of such concern is that if an IP belonging to you accesses one of these links, YOU are guilty. That means if one of your employees does so, your entire business is at risk. If you haven’t secured your Wi-Fi access point, or worse yet, operate a Wi-Fi hotspot, watch out for that chink in your business security. If those links are accessed through them, you’re on the hook. The FBI doesn’t care that it wasn’t you personally who accessed them. As far as they are concerned, if you own the IP, you pay. They don’t bother trying to dig any deeper.

And then there is the issue of browser add-ons that pre-cache the content of links on a page. If you or an employee run a web search and one of those links inadvertently comes up, the browser will access the link and bingo. Say hello to the FBI as they raid your business, seize your equipment and become your worst nightmare.

So what is a business to do? The answer isn’t yet clear. Filtering, better employee training and disabling pre-caching in browsers may help, but it appears the FBI’s policy is what really needs to be changed.

CAPTCHA Ready For Retirement?

Spammers are hitting Google’s Blogger service hard, using botnets to create hundreds of fake pages. The pages are full of spam ads, obviously, but some also redirect the viewer to a porn or other spam site. In essence, they are using Blogger as a way to avoid being caught by security software and spam filters, knowing that the service is unlikely to ever be blacklisted. The fact that the service has such a huge number of pages overall also helps the spam sites stay undetected longer.

According to Websense, the specially coded instructions the spammers send to their bots tell a compromised PC how to register accounts on the service and also help it get past the CAPTCHA system. The PC sends a request to an external host that tries to solve the CAPTCHA and sends the answer back to the PC. So far it is estimated to have a success rate of about 13%.

While no one has yet figured out exactly how the CAPTCHA gets solved, some experts believe spammers are paying actual humans in third world countries to solve them. The pay is estimated to be roughly $3 for every successful solution. However, since security researchers have managed to develop methods that help computers increase their success rate, it wouldn’t be surprising if hackers and spammers have also figured out those methods.

A rapid rise in spam accounts on MSN, Yahoo, and Google is a strong indicator that CAPTCHA technology is no longer an effective means of preventing spam. So what’s next? IMAGINATION. Developers at Penn State have developed this new generation of CAPTCHA that is based on ALIPR (Automatic Linguistic Indexing of Pictures). Here is how Computerworld describes it:

This is an image-based system. In it, you’re first required to pick out the geometric center of a distorted image from a page that’s filled with similar overlapping pictures. Then, if you get that right, you’re presented with another carefully distorted image and asked to pick a word to describe what you’re seeing.

Intrigued? You can try it out for yourself here. Will it be more effective than CAPTCHA? That remains to be seen, but so far it is getting rave reviews. Will it annoy your customers who already find CAPTCHA irritating? Probably, but better for them to be momentarily annoyed by an anti-spam measure than repeatedly annoyed, or worse, by spammers.

Google Mail Servers Allowing Backscatter

According to Slashdot, Google’s mail servers appear to be responsible for sending large amounts of backscatter. They don’t perform any recipient validation for the googlegroups and blogger.com domains (and presumably their other domains as well), allowing spammers to launch large-scale dictionary attacks against them using forged headers and envelope sender addresses. This results in the owners of those forged addresses getting huge amounts of bounce messages when the spam hits non-existent users on Google’s domains. Most correctly set up mail servers don’t generate such bounce messages. Tell that to Google’s mail server! Botnets love mail servers like this and will go to town on them, commencing an unrelenting barrage of spam.

Most ISPs won’t hesitate to place a block on any IP that receives complaints of backscatter, and that can cause big headaches for innocent people. There are even reports of businesses having entire mail servers wiped out due to backscatter.

What Google should be doing is rejecting traffic to bogus users during the SMTP transaction. Several techniques can be used to do this:

  • Recipient validation
  • Reject senders listed on dynamic blacklists
  • Reject email from sending servers that do not have a reverse DNS entry

Unfortunately Google is doing none of them. Slashdot also reports that emails sent to abuse@google.com and postmaster@google.com went unanswered except for a canned response that didn’t address the situation.
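As an added illustration (not from the Slashdot report or any Google code), the Python simulation below contrasts a server that accepts every recipient and bounces later with one that rejects unknown recipients during RCPT TO and refuses connections from a blacklisted IP; the mailboxes, IP addresses and recipient guesses are constructed sample values.

```python
"""Simulate accept-then-bounce versus reject-at-RCPT SMTP policies."""
from dataclasses import dataclass, field

# Constructed sample data: real mailboxes on the receiving domain and
# IPs the operator treats as blocked (a stand-in for a dynamic blacklist).
LOCAL_USERS = {"alice@example.org", "bob@example.org"}
BLOCKED_IPS = {"203.0.113.7"}


@dataclass
class MailServer:
    validate_recipients: bool  # reject unknown RCPT TO inside the session?
    bounces_sent: list = field(default_factory=list)  # DSNs sent after accepting

    def rcpt_to(self, recipient: str) -> str:
        """Return the SMTP reply to RCPT TO:<recipient>."""
        if self.validate_recipients and recipient not in LOCAL_USERS:
            return "550 5.1.1 No such user"
        return "250 2.1.5 OK"

    def deliver(self, envelope_from: str, recipient: str) -> None:
        """Post-acceptance delivery: a message accepted for a nonexistent user
        can only be bounced to the envelope sender, which is the backscatter."""
        if recipient not in LOCAL_USERS:
            self.bounces_sent.append(envelope_from)

    def session(self, client_ip: str, envelope_from: str, recipients: list) -> dict:
        """Run one SMTP session and count what was accepted and rejected."""
        if client_ip in BLOCKED_IPS:
            return {"accepted": 0, "rejected": len(recipients)}  # refused at connect
        accepted = rejected = 0
        for rcpt in recipients:
            if self.rcpt_to(rcpt).startswith("250"):
                accepted += 1
                self.deliver(envelope_from, rcpt)
            else:
                rejected += 1
        return {"accepted": accepted, "rejected": rejected}


def dictionary_attack(server: MailServer, envelope_from: str,
                      client_ip: str = "198.51.100.20") -> dict:
    """Constructed dictionary attack: guessed local parts, forged envelope sender."""
    guesses = [f"{name}@example.org"
               for name in ("alice", "carol", "dave", "erin", "frank")]
    return server.session(client_ip, envelope_from, guesses)
```

With recipient validation off, four of the five guesses miss and each one produces a bounce to the forged sender; with it on, the same session yields no bounces at all.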

It’s very surprising that Google, whose Gmail program has been widely praised for its spam controls, would have such badly misconfigured mail servers. Ironically, those same spam controls have reportedly been blacklisting Google themselves. According to an article on newswireless.net, Gmail placed a user’s Google Alerts in his spam folder. Ah that wacky Google!

For more information, the website DontBounceSpam.org has an extensive list of resources and tips for server admins and end users on how to fight backscatter and reduce overall spam.

Fighting Spam: Marketers and ISP’s Take a New Look

The Messaging Anti-Abuse Working Group (MAAWG), an industry group formed to address messaging abuse and to fight spam, DDoS attacks and other types of cybercrime involving email, has released version 2.0 of its Senders Best Communications Practices (BCP), which defines how bulk email senders can ensure that their newsletters and other opt-in marketing emails don’t get caught in spam filters and blacklists. The BCP was updated to cover new forms of spam and add further clarification of permission options, and is available at the MAAWG website. It also includes guidelines to help keep legitimate email from being flagged as spam and recommended unsubscribe procedures for users.

          “The MAAWG senders best practices are intended to help protect users’ online experience by improving industry cooperation and communication. For example, in this update we advise e-marketers not to embed unsubscribe instructions in an image or icon, as many users’ systems will automatically block the message or not display the icon,” MAAWG senders committee co-chair Dennis Dayman said.

The BCP also includes this questionnaire designed to help marketers open a dialogue with a potential Email Sender Provider:

  • Do you incorporate and comply with public AUPs?
  • Do you provide dedicated IPs?
  • Do you provide a dedicated IP for each type of message stream (marketing vs. transactional)?
  • Do you match forward and reverse lookups for your IPs?
  • Which methods of authentication do you support and provide?
  • Which ISPs are you whitelisted with?
  • Which ISPs have you established a feedback loop with?
  • Do you distinguish between hard and soft bounces?
  • What is your hard bounce policy?
  • What is your soft bounce policy?
  • What is your standard retry policy for soft bounces?
  • How do you handle connection timeouts?

The questions are designed to help marketers establish a provider’s conformance with the BCP and avoid potential delivery issues.

The practices were developed through a co-operative effort with the industry’s largest ISPs, vendors and network operators and are endorsed by other associations like CAUCE (Coalition Against Unsolicited Commercial Email). Its members include AOL, Earthlink, Comcast, Yahoo!, and more.

Anti-phishing top priority for PayPal

PayPal, the net’s most popular payment service and a favorite target of scammers who send phishing emails, has announced it plans to block older browsers, and any newer ones that don’t include anti-phishing features, from accessing its site. This includes older versions of Internet Explorer and Firefox, and perhaps most surprisingly, Apple’s Safari browser would be completely banned.

          “It’s critical to not only warn users about unsafe browsers, but also to disallow older and insecure browsers,” said Michael Barrett, PayPal’s chief information security officer, in a paper released at last week’s RSA Conference. “Letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts.”

The features that browsers must have to access PayPal are the ability to block known and suspected phishing sites and support for Extended Validation Certificates. These certificates are given to companies only after they pass stringent background checks and are more difficult to obtain than SSL certificates, which are relatively commonplace. Browsers with EV support show a green address bar on safe sites.

Current versions of both IE and Firefox support these features, but Safari, the default browser for Mac computers, the iPhone, and the iPod Touch, has neither.

         “Apple, unfortunately, is lagging behind what they need to do to protect their customers,” Barrett said. “Safari has got nothing in terms of security support, only SSL, that’s it.”

For now, users of older browsers such as IE 6, Firefox 1.5, and Opera 8, which do not offer anti-phishing features, will simply be warned and allowed to log in, while older browsers such as IE 3, 4 and 5, Netscape 4.x, and Firefox 1.x will be completely blocked. A specific timetable for the new plan hasn’t been announced.

          “Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera,” Barrett said. Opera, IE, and Firefox are “safer, precisely because we think they are safer for the average consumer,” he added. “I’d love to say that Safari was a safer browser, but at this point it isn’t.”

So far Apple has had no comment.