CAN-SPAM Law Updated

Written by Sue Walsh on June 30, 2008

The FTC has updated the CAN-SPAM law. Here’s what you need to know to remain compliant:

The first change is in the unsubscribe requirements. You can’t require a fee for unsubbing, make them visit a website to unsub, send any kind of reply to an unsub request (not even a confirmation), or ask for any information other than an email address. Any company requiring a recipient to log in to its site to unsub from a mailing list will have to change that fast.

The next change involves the sender. CAN SPAM now defines the sender as the entity whose products are being advertised in the email. That person is the one responsible for CAN SPAM compliance. If a commercial email contains multiple ads, the address in the from line becomes the designated sender.

Yet another change involves physical addresses. It is now okay to use a post office box as your physical address, although an actual street address is still the best way to go.

The second to last change is legalese. As far as the FTC is concerned, a “person” now includes groups, organizations, businesses and non-profits. This means that all promotional emails, even those sent by charitable organizations, must now comply with CAN-SPAM.

The final change has to do with forwarding. Any promotional email that encourages the recipient to forward it to their friends must now comply with CAN-SPAM.

It’s important to review these changes and the entire law with your marketing department. You may also want to check with your legal department just to be sure you’re doing everything you can to stay compliant!

Spam Volume Triples In A Week

Written by Sue Walsh on June 27, 2008

Marshal’s TRACE Team is reporting that the volume of malware infected spam has tripled in the past week. This is largely due to the Srizbi botnet, which is currently responsible for 46% of all spam traffic. The type of spam it’s sending isn’t selling anything. It’s simply trying to recruit more machines for its botnet by tricking recipients into downloading malware.

           “The Srizbi botnet is behind much of this increase in malicious spam,” said Phil Hay, lead threat analyst with Marshal’s TRACE team. “Srizbi’s criminal controllers are currently on a major expansion drive. The more computers infected by Srizbi bots the more money they can make.”

Right now there are two types of malicious spam being sent. The first, which researchers call the “stupid theme”, delivers a message telling the recipient they look stupid in a video and includes a link to it. Anyone following the link will have malware downloaded onto their computer. The second type attempts to exploit the popular Classmates.com service.

It tells the recipient they have a new message waiting for them on the service and provides a link. The link redirects to a fake Classmates.com page, where the visitor is prompted to download an update to their Flash player…the “update” is actually malware.

          “We see Srizbi as one of the biggest threats to Internet users today,” said Hay. “We are trying to work with other security researchers to raise the profile of Srizbi and the threat it represents. In contrast, the Storm botnet receives more research and media attention, yet its impact is now bordering on insignificant. When Storm became a high-profile target, Microsoft had great success in removing it from thousands of infected PCs with their Malicious Software Removal Tool. Now, Srizbi needs to become a similar priority for security researchers.”

          “In the meantime, users should be wary of emails that make personal offers such as online friend connections or include inflammatory personalised subjects such as ‘you look stupid in this video,’ particularly if they don’t recognise the sender,” he said.

Common sense rules apply here…don’t click on links in emails, especially those from people you don’t know. To check out a link, let your mouse pointer hover over it: the actual site it directs to will be shown clearly at the bottom of the window. So far hackers and scammers haven’t figured out how to get around that, so they rely on people’s ignorance to get their malware payload delivered. Don’t fall for it!
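The hover check above works because the visible text of a link and its real target are two different things. The same comparison can be automated on the receiving side. The following is an added example, not code from the original post or from Marshal: it parses the HTML of a message, collects each link’s visible text and real href, and flags any link whose visible text names a different host than the one it actually points to. The sample message is constructed to resemble the Classmates.com lure described above; the hostnames in it are placeholders.

```python
"""Flag links in an HTML email whose visible text names one host while the
href really points to another (the mismatch a mouse-hover reveals).
Added example; the sample message below is constructed, not real traffic."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Return the lowercase host of a URL or bare hostname, or '' if none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def find_deceptive_links(html):
    """Return [(visible_text, real_host)] for every anchor whose visible text
    looks like a URL or hostname but differs from the host the href targets."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = _host(text)
        real = _host(href)
        # Only compare when the visible text itself looks like a hostname;
        # plain words such as "help page" are not a deception signal.
        if shown and "." in shown and real and shown != real:
            findings.append((text, real))
    return findings


# Constructed sample: a lure that displays one URL but links to another.
SAMPLE_EMAIL = """
<p>You have a new message waiting.</p>
<a href="http://login.example-redirector.test/cm">http://www.classmates.com/inbox</a>
<p>Or read our <a href="https://www.classmates.com/help">help page</a>.</p>
"""

if __name__ == "__main__":
    for text, real in find_deceptive_links(SAMPLE_EMAIL):
        print(f"shows {text!r} but really goes to {real}")
```

A mail gateway can run this over the HTML part of each message and add a warning banner or a spam score when the list is non-empty; a mismatch is a strong signal, but an empty list is not proof of safety, since a link can be malicious without lying about its host.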

Spammers Shut Down Islands Only ISP

Written by Sue Walsh on June 25, 2008

The Marshall Islands’ National Telecommunications Authority was hit by a spam attack that managed to shut down email service for the islands. The NTA is the sole ISP for the region, and is reporting that the constant flood of spam acted like a DDoS attack. It’s been over 24 hours and email service has still not been restored.

          “The government-owned National Telecommunications Authority (NTA) was hit with a sudden four-fold increase in incoming email, which it described as an attack by “zombie computers”, said an NTA spokesman. While NTA customers could send and receive emails to each other through the local system, virtually no non-NTA emails had been received since Monday, impacting local businesses, banks and government offices.”

This attack was a vivid illustration of why a country having a sole ISP is a very bad idea. It makes it very easy to wreak havoc on a country’s Internet infrastructure, and with so many vital services and businesses relying heavily on that infrastructure, a spam or hacker attack could be catastrophic. Not only is a sole ISP a security nightmare, but it also makes a country quite likely to be affected by corruption and censorship, as we’ve seen recently in Burma and China.

The NTA has no estimate on when their service will be fully restored.

Photobucket Falls Victim to DNS Hijacking

Written by Sue Walsh on June 19, 2008

Photobucket, the most popular photo sharing site on the net, had its DNS servers hijacked by a Turkish hacking group. The group, called NetDevilz, made the site redirect to a third party domain hosted by atspace.com. As a result, Photobucket was down for 15 minutes today while they fixed the compromised DNS server. They released this statement to their users:

          “On Tuesday afternoon, some users that typed in the Photobucket.com URL were temporarily redirected to an incorrect page due to an error in our DNS hosting services. The error was fixed within an hour of its discovery, but due to the nature of the problem, some users will not have access to Photobucket for a few hours as the fix rolls out. It is important to note that only a portion of Photobucket users encountered the problem and that no Photobucket content, password information or other personal information was affected by the redirect.”

This is the second such attack in a month. Three weeks ago cable, phone, and broadband giant Comcast had their DNS records hijacked, resulting in Comcast.net redirecting to a defaced page and their WHOIS record being replaced with sexually graphic and profane information. That group of hackers was also responsible for the attacks on the MySpace pages of celebrities Tila Tequila, Hilary Duff, and Justin Timberlake.

Photobucket users are still reporting minor outages and problems accessing their accounts, but these issues should subside once the DNS info propagates across the net. DNS hijacking seems to be the new weapon of choice for hackers unable to directly compromise a site. The new trend is worrisome: it’s only a matter of time until PayPal or a major bank’s site falls victim to a DNS hijack, and if the hackers manage to create a perfect copy of the site to redirect to, thousands of people could find their bank info in the hands of criminals.

MySpace Wins Another Spam Settlement

Written by Sue Walsh on June 17, 2008

MySpace didn’t bask in the glow of its $230 million judgement against infamous “spam king” Sanford Wallace for long. The popular social networking site, which won the judgement against Wallace last month, won yet another judgement this week. This time their suit was against an affiliate network called Media Breakaway and its CEO, Scott Richter. His company was accused of sending over 100 million spam messages a day to MySpace members. The spam hyped a Web site called Consumerpromotionscenter.com, and was sent using accounts stolen through phishing. Here is MySpace’s statement:

          “MySpace has zero tolerance for illegal activity on our site and is committed to bringing to justice those who try to harm our members. Recently, MySpace won a major victory against Scott Richter and Media Breakaway under the Federal CAN SPAM Act. This award reflects MySpace’s continued momentum and holistic approach to ridding the site of spammers and phishers through technological innovation, education, partnerships and enforcement. We will continue to do our part in cleansing the Internet of this invasive onslaught of spam.”

While Richter denied the charges, a judge apparently didn’t believe him and awarded MySpace a $6 million judgment. While MySpace’s crusade against spammers and phishers is admirable, it’s doubtful they will ever collect any of the judgements they win, and even more doubtful that the judgements will do much to discourage the ever growing numbers of spammers plaguing the net.

Spammers Find Big Profits in Fake Drugs

Written by Sue Walsh on June 12, 2008

A study done by Cisco Systems has found that the world’s most prolific spammers are making big profits in hawking fake prescription drugs. Their operations use the same cutting edge technology that legit and profitable companies like Amazon.com do. About 80% of all spam now is for fake pharmacies like MyCanadianPharmacy, which takes in over a hundred million dollars a year. People who fall for the ads receive pills from India, or from GlavMed, which manufactures fake versions of popular drugs like Viagra.

        “The perpetrators are what I call the Bill Gateses of cyber-crime,” said Pat Peterson, a security researcher at Cisco Systems Inc. “Gates succeeded not because he was smart, a great engineer or a good businessman, but because he had all of those qualities and an innovative entrepreneurial spirit as well,” Peterson said. “That’s what we see here.”

Spammers and scammers have become self-sustaining businesses with budgets, R&D departments and more. Now that they have the technology to create massive botnets like Storm, and given their increasing ability to outwit filters and security features, look for the spam problem to get worse before it gets better.

Spammer’s Legal Action Against Spamhaus Backfires

Written by Sue Walsh on June 9, 2008

Email marketer (read: spammer!) e360 Insight’s recent legal action against Spamhaus has come back to bite them. In September 2006, they obtained a judgement against the operators of the SBL forcing them to remove any and all IP blocks belonging to e360 from the blacklist. The funny part is this: two of the blocks which were proven to be sources of spam weren’t even linked to e360 until they were listed in the judgement. In essence, they stood up and proclaimed they were spammers. Here is an excerpt from Spamhaus’s recently released incident report:

        “Nothing in the IP address registration, domain registrations, nor even in the spam sample itself, even remotely showed any connection with e360 Insight or David Linhardt. At the time of creating the record it was technically impossible for Spamhaus to know that the IP range the spam was coming from and these domains were owned by David Linhardt.

Only when the Plaintiff’s counsel sent Spamhaus’ counsel a demand for SBL record SBL52363 to be removed, claiming it was in violation of Judge Kocoras’ order to never list David Linhardt’s domains or IPs, did Spamhaus then know that SBL52363 and therefore the 80 anonymous domains and IP range belonged to David Linhardt.”

In other words, the spamming domains were anonymous and untraceable until e360 opened their big mouths and busted themselves. They also sued Comcast, claiming they had the right to send mass emails to Comcast users, but last month a judge ruled in Comcast’s favor. Here is an excerpt from e360’s response:

        “Over the past few years, e360 has become aware of the intimate connection between improper blacklisters, fanatical anti-spammers and U.S.-based internet service providers (ISP’s). ISP’s, many of whom have previously employed or worked with e360 and its founder, provide blacklist organizations with financing and data and encourage nefarious behavior in the name of fighting spam. In our opinion, ISP’s who provide email services have strong incentives to block email, but little incentive to deliver it. These companies operate under a cloak of invincibility and without the knowledge and consent of the consumers for which the email messages are intended. In our experience, we believe this power is regularly abused to the detriment of legitimate marketers, the U.S. economy, and American consumers.”

e360 continues to play the victim, claiming all the email they send is legit and opt-in, but the findings in their case against Spamhaus say otherwise. Then again, should we expect any less from a spammer?

Recipe for the perfect SPAM message

Written by Jesmond Darmanin on June 4, 2008

Ingredients

  • A willingness to suspend ethics
  • A “win at any cost” nature
  • Extra greed
  • A false premise
  • Knowledge of spam filters

Directions

  1. Begin with a thorough cleaning. Be certain to remove all traces of ethics and empathy. Honesty and respect are especially damaging to this recipe.
  2. Open the “win at any cost” nature, and pour in greed. Use the highest quality greed for financial gain, though greed for power may be substituted.
  3. Add the false premise based on an unnecessary product. Here is where you can adjust the recipe to your tastes. Three of the most popular are: a man’s inadequacy, cheap quality drugs, and get rich quick.
  4. Pour message carefully into your ASF (anti spam filter) rewriter, and wait for the scum to rise. Pour off the scum and reserve for your website.
  5. Pack the message tightly into your email address list and send.
  6. Pat yourself on the back for a worthy effort while you wait for customers to arrive begging for your product.
  7. Serves millions – serving size: one mouthful, washed down with hype.

Serving Suggestions

Presentation is just as important as product. Here are common ways to serve and display spam dishes.

Who? – The recipient didn’t sign up for this. You found the address online, bought a list, or created a group of names and hit it. Bonus points if they click on the “unsubscribe” list, notifying you of a good address for second servings.

Blasting Banners – Shout with all caps – “FREE,” “ACT NOW!!!” Adding three or more exclamation points will make your spam dish rise to the top!

I’m your Friend – A more sophisticated version of blasting banners is to look like a friend. “Saw you last night,” or “Thought you would like this,” are popular. Another version is to start the header with “RE:” so it looks like a reply to a message they sent to you! Ingenious!

Hypothetical help – Needy souls are crying for this. The advertising media does a great job of creating need for more money, better body parts, and exploitive entertainment. Serve up help by offering cheap drugs, moneymaking systems, or some other “quick and easy” fix.

There it is – a sure-to-win recipe for perfect SPAM!

Note to cook: If you have a guest that cannot stomach spam, give them these tips:

  • Do not post your email address in forums. If you must, spell it out like this: yourname – at – domain – dot – com.
  • When filling in a web form, check the privacy notice to make sure your address will not be sold in a list.
  • Do not reply to spam messages. If you click on the “unsubscribe” link, it shows the spammer that they hit a valid address.
  • Use an email filter. Most mail programs and service providers have some sort of blocking system that will keep most spam from reaching your inbox.

Researchers Crack Microsoft’s CAPTCHA

Written by Sue Walsh on June 4, 2008

A pair of researchers at Newcastle University’s School of Computing Science have successfully cracked Microsoft’s CAPTCHA system. The system is used for services such as Windows Live and Hotmail. The duo claims an amazing 92% recognition rate. Here’s an excerpt from the paper they published about it:

          “In this paper, we analyse the security of a text-based CAPTCHA designed by Microsoft and deployed for years at many of their online services including Hotmail, MSN and Windows Live. This scheme was designed to be segmentation-resistant, and it has been well studied and tuned by its designers over the years. However, our simple attack has achieved a segmentation success rate of higher than 90% against this scheme. It took ~80 ms for our attack to completely segment a challenge on a desktop computer with a 1.86 GHz Intel Core 2 CPU and 2 GB RAM. As a result, we estimate that this Microsoft scheme can be broken with an overall (segmentation and then recognition) success rate of more than 60%. On the contrary, its design goal was that “automatic scripts should not be more successful than 1 in 10,000” attempts (i.e. a success rate of 0.01%). For the first time, we show that a CAPTCHA that is carefully designed to be segmentation-resistant is vulnerable to novel but simple attacks. Our results show that it is not a trivial task to design a CAPTCHA scheme that is both usable and robust.”

The researchers did notify Microsoft before publishing their research, but there is no word on what the response was. Over the past year there have been many such incidents of CAPTCHA systems being thwarted, including those of eBay, Yahoo! and Google. This clearly illustrates that the effectiveness of such systems is dwindling while demand for CAPTCHA breaking tools is at an all time high. Some of the breaking is done by automated programs, but there are also reports that some spammers are paying actual live humans to do the cracking for them, shelling out US$3 for every successful solution.

There are several non-text based CAPTCHA alternatives being tested, including IMAGINATION, which presents the user with a page filled with overlapping and slightly distorted images. If the user correctly picks out the geometric center of one of the images, they are presented with another distorted image and must pick a word to describe it. Another one is called Kitten Auth, where the user is presented with a group of images depicting cute animals and is asked to click on all the images of a particular one. It’s clear that text based CAPTCHAs are now too easy to crack. The question now is how effective these new image based systems will be, and perhaps most importantly, how will legit users react to using them? Time will soon tell.

Fighting SPAM: Auto responders – Finding a Balance

Written by Nicolas Blank on June 2, 2008

After sending an email, we frequently receive an automated reply, such as an Out Of Office message informing us that the intended recipient is on vacation or traveling. Other automated messages inform us that the message has been queued for delivery, or cannot be delivered at all because the recipient is not available.

Some organizations respond aggressively to these types of messages, reporting them to real-time blacklisting services and marking them as spam. A well intentioned corporate policy can thus get the responding organization blacklisted, with a resulting loss of reputation and business. Most businesses rank email services as more important than phone services – any outage in mail can be crippling for business.

Finding a balance between using auto responder messages, with the risk of being blacklisted, and not using auto responders at all is tricky. A number of companies, including many Fortune 500 companies responsible for originating huge amounts of mail traffic, allow Out Of Office messages to leave their network, on the basis that the original sender would like to be informed of the status of the received mail, especially if the recipient is travelling and cannot reply.

Another approach used especially in the legal sector is to allow Out Of Office functionality, but internally only, so that internal senders are informed of recipient mail status. However, these messages may not leave the corporate firewall.

List mail users, who may have subscribed to a commercial list service such as Yahoo Groups or similar, may be familiar with receiving an Out Of Office message from someone at a company they have never heard of. This kind of mail becomes classified as spam rather quickly, since it is unwanted and unsolicited.

In my opinion, well managed auto responders, as well as the educated users using them, may add enormous value in terms of informing a sender of an alternative person or manager to redirect their mail to. Both mail server and client software today allow intelligent filtering of mail, along with the setting up of rules for managing incoming and outgoing mail, as well as managing who an auto responder may send mail to.

Proper auto responder management may be the right balance to strike, keeping the blacklist knee jerk response at bay, as well as allowing well intentioned corporate and private mail users to benefit.
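The rules discussed in this post (internal-only Out Of Office, never answering list mail, and controlling who an auto responder may write to) can be expressed as a single policy check. The following is an added example, not code from the original post or from any particular mail product: it parses an inbound message and decides whether an Out Of Office notice may be sent, refusing bounces and machine-generated mail (the RFC 3834 Auto-Submitted header), bulk and list mail, messages where the absent person was not addressed directly, external senders when the internal-only policy is in force, and repeat notices to the same sender within a cooldown window. The internal domain set, the cooldown length, and the sample messages are assumptions constructed for illustration.

```python
"""Policy check for an Out Of Office auto responder: answer real people once,
never answer bounces, machines or mailing lists, and honour an internal-only
policy. Added example, not the page's own code; the domain set, cooldown and
sample messages below are assumptions chosen for illustration."""
from email import message_from_string
from email.policy import default
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAINS = {"example.com"}   # assumed corporate domains
COOLDOWN_SECONDS = 7 * 86400         # assumed: one notice per sender per week


def should_auto_reply(raw_message, mailbox, external_allowed, recent_replies, now):
    """Return (decision, reason).

    raw_message      -- RFC 5322 text of the inbound mail
    mailbox          -- address of the absent recipient
    external_allowed -- False gives the legal-sector style internal-only policy
    recent_replies   -- dict sender -> time of last notice (caller keeps it)
    now              -- current time in seconds
    """
    msg = message_from_string(raw_message, policy=default)
    envelope = msg.get("Return-Path")
    sender = parseaddr(envelope if envelope is not None else (msg.get("From") or ""))[1].lower()

    # A null envelope sender (<>) means a bounce or system notice: never answer it.
    if not sender:
        return False, "null sender"
    # RFC 3834: any Auto-Submitted value other than 'no' marks software-generated mail.
    if (msg.get("Auto-Submitted") or "no").lower() != "no":
        return False, "auto-submitted"
    # Bulk and list mail: a notice would reach every subscriber, or nobody at all.
    if (msg.get("Precedence") or "").lower() in {"bulk", "list", "junk"}:
        return False, "bulk precedence"
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return False, "mailing list"
    # Reply only when the absent person was named in To/Cc, not reached via Bcc or an alias.
    addressed = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if mailbox.lower() not in addressed:
        return False, "mailbox not addressed directly"
    # Internal-only policy: the notice must not leave the corporate domain.
    if not external_allowed and sender.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
        return False, "external sender under internal-only policy"
    # One notice per sender per cooldown window.
    last = recent_replies.get(sender)
    if last is not None and now - last < COOLDOWN_SECONDS:
        return False, "already replied recently"
    recent_replies[sender] = now
    return True, "reply"


# Constructed sample messages (not real traffic).
DIRECT_MAIL = """From: Alice <alice@example.com>
To: Bob <bob@example.com>
Subject: contract review

Bob, can you look at this before Friday?
"""

EXTERNAL_MAIL = """From: Carol <carol@partner.test>
To: Bob <bob@example.com>
Subject: meeting

Are you free next week?
"""

LIST_MAIL = """From: someone@members.test
To: discuss@lists.test
List-Id: <discuss.lists.test>
Precedence: list
Subject: [discuss] question

Bob is subscribed to this list, so the mail reaches him too.
"""

BOUNCE = """Return-Path: <>
From: MAILER-DAEMON@mx.test
To: bob@example.com
Auto-Submitted: auto-replied
Subject: Undelivered Mail Returned to Sender

"""

if __name__ == "__main__":
    state = {}
    for name, raw in [("direct", DIRECT_MAIL), ("external", EXTERNAL_MAIL),
                      ("list", LIST_MAIL), ("bounce", BOUNCE)]:
        print(name, should_auto_reply(raw, "bob@example.com", False, state, 0))
```

The `recent_replies` dictionary stands in for whatever per-sender state the mail system keeps; switching `external_allowed` to True gives the more permissive policy of the companies that let Out Of Office notices leave their network, while the other checks still keep the responder from answering lists, bounces and other machines, which is what gets auto responders reported as spam in the first place.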