Protection of email traffic flowing between hub servers and separate servers that store mail box accounts is established through encryption in an Exchange 2007 environment. So interception of emails transported between the hub and mail server is nearly prevented with an Exchange journaling system in place. Although email traffic is encrypted, there are other steps required to tighten security with the Exchange journaling mail box.

What still keeps the Exchange journaling system susceptible to attack is the ease of anyone being able to spoof an email.  Being able to compose an email message outside of Microsoft Outlook lets you specify the sender, rather than having Outlook do it. Exchange must authenticate the message, but you can set your display name to anything you want. This can create the illusion that a message was sent by someone else.   A spammer’s daily routine includes using this technique regularly.

When you send an email message using Microsoft Outlook, it combines the sender, subject and body with various SMTP mail delivery control commands. Then Outlook sends out the message to the server. Although isn’t usually practical, a person can actually use the same commands to manually send a message from the command line or from a script without using Microsoft Outlook. Continue reading Go Beyond Encryption with a Tunnel»

Most of the articles you’ll read on a blog such as this will describe how to protect yourself from certain types of spam.  Most of the articles I’ve written so far do exactly that.  Today I’m going to add another dimension to my post and discuss how to protect both yourself and others from “backscatter” spam.

What is Backscatter Spam?

The term “backscatter spam” refers to a spam attack that targets non-existent email addresses and causes email “bounce” messages to be sent to innocent parties.  The “bounce” messages are known as Non-Delivery Reports (NDRs) and are sent by an email server to let the sender know that the message was not delivered.

NDRs are a normal and useful part of the SMTP protocol.  However when NDRs were first envisaged the concept of address spoofing was not considered.  Address spoofing is when a spammer forges the “From” address on a piece of spam they are sending.  This is how backscatter affects innocent parties – even though they didn’t send the spam, they receive the NDR because their email address was forged by the spammer.

Continue reading Protecting Yourself and Others from Backscatter Spam with Exchange Server 2007»

We usually think of spam as unsolicited advertisements peddling things that we don’t want and don’t care about, but spam can take many forms, including attempts to spread false rumors. Some such viral emails may be just hoaxes, while others may be spread with the intent of doing harm to a company’s or an individual’s reputation. I’ve seen dozens of these, and recently wrote about them.

Many of these virtual rumor-mills revolve around distributing emails having to do with political issues. Most recently is the one that has gained a lot of attention and has spread very quickly. The email purports to have been written by a Navy SEAL, complaining that President Obama delayed a decision to deploy the SEALS in the recent pirate hostage standoff. According to an MSNBC report this week, although the email may well have been written by a Navy SEAL, the claims are bogus. The report includes a timeline of actual events that discredits the email.

The danger of spam goes far beyond the annoying and time-consuming issues–it can easily be used as a weapon to discredit a company (or in this case, the President). Other rumors have been circulating on the Internet for years concerning some companies. Microsoft is a frequent target (remember the one that claimed to be from Microsoft, and if you sent the email to enough people, you’d get paid?), and there was one that even promised free beer. Too good to be true, but the prospect of a coupon for a free six-pack fooled a lot of people into thinking Miller Brewing Company was tracking emails (still not a technological possibility) and would give everybody a free six-pack if the viral email distribution hit two million people. There’s still another completely disgusting one I won’t get into about the Olive Garden restaurant–again not true. Still another one I received recently showed a young Iranian boy who appeared to be having his arm crushed by an automobile. The email claimed that it was an Islamic law punishment for stealing a loaf of bread; in reality the photos were from a street performance and the boy’s arm was not really being crushed.

How do companies handle these sorts of email-based rumors, hoaxes and smear campaigns? They are more common than we realize, and almost impossible to extinguish. Nonetheless, if the rumor is harmful, a vigorous PR campaign is in order, as well as submitting it to anti-hoax Web sites like snopes.com and hoax-slayer.com, and doing your own blogging and social media campaigns to promote evidence to show the original email is false.

Former Senator Bill Bradley sits on the board of a company called QuinStreet, which has been identified as a major spammer. It labels itself as a leading “vertical marketer” but experts say that’s frequently a code word for spamming. QuinStreet’s clients include trade school DeVry, several dating websites, and credit card and gaming companies.

          “There’s a class of company called ‘affiliates,’ and they’re basically organizations that send spam for some other company that holds the product,” said Adam O’Donnell, Director of Emerging Technologies at Cloudmark Inc., an Internet security firm. “Think of it as a third-party marketing firm that does the dirty work of sending spam.”

The company has been the target of many complaints about its allegedly aggressive spamming activities, both under the QuinStreet name and under aliases such as VendorSeek, and it’s likely they could be in violation of the CAN-SPAM Act as some of the complaints say the company refused to stop sending junk mail even after they clicked the opt out link.

While companies like QuinStreet try to hide their spamming behind affiliates and shell companies, the fact remains that spamming is spamming and the CAN-SPAM Act isn’t to be taken lightly. It carries an $11,o00 fine per offense. Before you begin any kind of email marketing plan, review the law with your legal department and make sure your company is following it to the letter!

Security researchers at TRACELabs has found that the top botnets on the net today are Rustock and Xarvester. Rustock, which was temporarily laid low by the shutdown of spammer friendly McColo, has returned with a roar and is now sending out 25,000 spam messages an hour, or 600,000 a day. This still pales in comparison with the Srizbi botnet, which never returned to its former glory after McColo shut down. At its peak it was capable of sending 60 billion spam messages a day.

Sharing the top spot is the Xarvester botnet, which rose from the ruins of Srizbi and also sends out 25,000 spam messages an hour. Mega-D, a former giant, brings up the rear with 15,000 spam messages a day being sent. Interestingly, Waldec, the botnet behind Conficker, is far below the top three, sending only 7,000 spam messages a day. There are a total of 9 botnets that are responsible for most of the spam on the net.

What does this all mean? Well it proves that as far as spammers are concerned, where there’s a will there’s a way, and if their host is shut down, they’ll just find somewhere else to set up shop. Since there are still many countries, such as Romania and Estonia, that do little or nothing to fight cybercrime, there will always be someplace for these cybercriminals to hide. It will take a truly global effort for the war against hackers, spammers and other cybercriminals to truly become effective.

When you boil the spam problem down it becomes quite simple – someone is sending you emails that you don’t want to receive.  This makes the anti-spam solution a simple one too – stop unwanted emails from arriving in someone’s email account.  However, actually achieving this is a very complex task.

Any anti-spam system that is worth using will contain a range of preventative measures and features that are used to determine whether an email is likely to be spam or not.  As a complete solution they can be very effective, but taken individually and their weaknesses become more apparent.  Here are some examples.

Source IP Filtering

Also known as Connection Filtering, DNSBL, or RBL, this technique compares the source IP of an incoming SMTP connection to a list of suspected spam sources.  The list can be either a manually generated list that the email administrator creates, or can be a subscribed list by a third party provider (such as SpamHAUS).  If the IP address is on the list then the email is considered likely to be spam and the server will drop or reject it.

The weakness of this technique is when IP addresses are mistakenly included in the list.  A legitimate email server may find itself blocked by other systems that are subscribed to a particular IP list, which prevents important business email from being sent to those systems.  Similarly, some regular sources of spam emails such as free web-based email services cannot be blocked by IP address because that would certainly block a lot of legitimate email as well.

Content Filtering

Early anti-spam products made decisions about spam emails using single word matches such as “Viagra” or foul language.  This quickly proved fruitless because spammers would simply vary the word slightly in each email, for example “v1agra” and “via.gra”.  Content filtering then improved to include databases of spam phrases and patterns and would assess more of the content in an email to determine if it was spam. Continue reading Anti-Spam Products Are More Than the Sum of Their Parts»

A new report is revealing that most federal agencies aren’t following security protocols that could prevent phishing attacks. The report by the Online Trust Alliance, a group of security companies working to fight Internet fraud, found that 56% of the 25 agencies it studied did not authenticate emails or domain names.

        “Phishers will send mail that appears to come from the most recognized domains, such as IRS.gov, for example,” said Craig Spiezle, chairman and founder of the Online Trust Alliance. “What the owner of those domains can do is publish a declaration that tells Internet service providers, receiving networks and e-mail programs, ‘No e-mail will come from this domain,’ or ‘Only mail from these specific IP addresses is authorized to send mail from this domain.’ But most agencies are not doing that.”

Continue reading Federal Agencies Not Doing Enough to Prevent Phishing»

Nobody likes Zango, and with good reason. The spyware company–or to put it more politely, “adware distributor,” operated by sneaking software onto PCs to deliver ads. The company closed its doors after being bought by Blinx, a video search engine.

Zango claimed that deceptive installations had long since stopped. Much of the controversy about Zango revolved around users getting inadequate information about “opting out” from the download. The company blamed the problems on its affiliates that used security vulnerabilities in browsers to download the Zango software to unsuspecting victims. Ultimately, the company failed because of its poor reputation as a spyware vendor, and that is and should be the nature of the Internet business. The company was attempting to position itself as legitimate, but increasingly, its business partners wanted to distance themselves from the company to protect their own reputation. The end result of all this is that the message has been reinforced that this is not a legitimate business model.

The company, which started out as 180 Solutions, had initially raised $40 million in venture capital–again perhaps testimony to poor due diligence on the part of venture capitalists who failed to foresee what sort of mischief this company had in mind or was capable of perpetrating. Throughout its history, security companies listed Zango’s software as adware, and Zango unsuccessfully sued two of them over their listings. The end of Zango is significant, because it really marks the end of the adware model, at least the pretense that it is a legitimate business. Other adware companies, such as Gator and DirectRevenue, have also long since gone out of business; Zango is the last one in a long line of briefly profitable but ultimately unsuccessful adware companies.

Indy.com reported in early April 2009 about the waledec bot riding along with Conficker virus. “Conficker, for the first time, moved beyond sitting quietly on millions of Windows computers worldwide to infecting other vulnerable computers.

This means many more consumers could end up with a variant of Conficker. You also could catch a worm that’s now tagging along for the ride.

This new worm, called Waledec, can open a back door to your computer to steal information or to allow an outsider to control it, security experts warn.”  Waledec’s goal is to make money by harnessing the power of an infected computer and millions of other computers to create a massive “bot network,” or “botnet,” to send out spam.

Continue reading Meet Waledec, Conficker’s Child»

Disgraced former FL District Attorney Jack Thompson is facing spam charges for flooding a Utah State Senator with complaints about the CAN-SPAM Act. Oh the irony!  Thompson was disabarred last September for making false statements to tribunals, disparaging litigants and other lawyers, and improperly practicing  law outside the state of Florida.

The possible spam charges come as a result of another barrage of emails he sent in an attempt to pursuade Utah lawmakers to override a veto of a law that would have made the sale of video games labled Mature illegal. Thompson is a rabid anti-video game activist.

          “In the grip of such legislative ignorance, Mr. Waddoups has today threatened Mr. Thompson with criminal prosecution by Utah’s Attorney General for writing him, the ultimate purpose of which is to encourage Utah legislature to override Gov. Huntsman bizarre veto,” reads Thompson’s press release. “Thompson also informed Sen. Waddoups that the same Attorney General he wants to have prosecute Thompson has received thousands of dollars from the video game industry whom Mr. Shurtleff now helps protect. Gov. Huntsman has received their money as well. What a surprise. This is pay to play in Utah. Maybe the whistle blowing as to this is what concerns Mr. Waddoups the most.”

The email in question included an image of two barely clad women about to give a Grand Theft Auto IV character a lap dance. When State Senate President Waddoups asked to be removed from Thompson’s email list, he refused, leading Waddoup to seek charges under the CAN-SPAM Act, which carries fines of up to $11,000. Thompson pledges to fight any charges and keep his vendetta against video games going strong.