This is a real case study, which happened over the last couple of weeks at a client site. During this time the client email administration team had been experiencing various problems with their LISTSERV.  First, let’s cover a few technical details. This will lay a foundation as to why backscatter is the most dangerous tool in a spammer’s arsenal of weapons.

Spammers like to put fake information in email messages. This sneaks them past email filters. Since email spam  filters now just delete messages that come from non-existent domains, the spammers are very slick about making their messages look like they’re coming from real email addresses.   If your corporate e-mail addresses has been published anywhere on the Internet, you and your coworkers  are at risk as prime candidates for backscatter.

Continue reading Spammers’ Most Lethal Weapon»

Protection of email traffic flowing between hub servers and separate servers that store mail box accounts is established through encryption in an Exchange 2007 environment. So interception of emails transported between the hub and mail server is nearly prevented with an Exchange journaling system in place. Although email traffic is encrypted, there are other steps required to tighten security with the Exchange journaling mail box.

What still keeps the Exchange journaling system susceptible to attack is the ease of anyone being able to spoof an email.  Being able to compose an email message outside of Microsoft Outlook lets you specify the sender, rather than having Outlook do it. Exchange must authenticate the message, but you can set your display name to anything you want. This can create the illusion that a message was sent by someone else.   A spammer’s daily routine includes using this technique regularly.

When you send an email message using Microsoft Outlook, it combines the sender, subject and body with various SMTP mail delivery control commands. Then Outlook sends out the message to the server. Although isn’t usually practical, a person can actually use the same commands to manually send a message from the command line or from a script without using Microsoft Outlook. Continue reading Go Beyond Encryption with a Tunnel»

Indy.com reported in early April 2009 about the waledec bot riding along with Conficker virus. “Conficker, for the first time, moved beyond sitting quietly on millions of Windows computers worldwide to infecting other vulnerable computers.

This means many more consumers could end up with a variant of Conficker. You also could catch a worm that’s now tagging along for the ride.

This new worm, called Waledec, can open a back door to your computer to steal information or to allow an outsider to control it, security experts warn.”  Waledec’s goal is to make money by harnessing the power of an infected computer and millions of other computers to create a massive “bot network,” or “botnet,” to send out spam.

Continue reading Meet Waledec, Conficker’s Child»

Here’s a puzzle that needs to be solved by our email administrators. Dancho Danchev reports on a new marketing software product called tweet tornado as a spamming tool.  Now Dancho comes with solid credentials as an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and E-crime incident response.  In Dancho’s article “Commercial Twitter spamming tool hits the market” he points out that the tweet tornado pitches itself as a “fully automated advertising software for Twitter”.  He goes on to say “this software potentially empowers phishers, spammers, malware authors and everyone in between with the ability to generate bogus Twitter accounts and spread their campaigns across the micro-blogging service.”

Continue reading Legitimate Marketing Tool or Spammers’ Delight?»

Well I’m back on my “the best email user is an educated email user” soap box. Like it or not, the best tool email administrators can arm staff against spam, phishing and information security threats is through education. OnGuard Online provides a platform for administrators to create some awesome cyber security educational programs.

OnGuard Online provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information.  Funding from many partners has allowed OnGuard Online to develop educational cyber security videos, tutorials, games and other tools.  Some partnering organizations include the Internal Revenue Service, NCIS, the Federal Trade Commission, Homeland Security and the Security and Exchange Commission. Even non-profit companies, like Latinos in Information Sciences & Technology Association  (LISTA), are partners with OnGuard Online.

The target audience for these free educational products is the everyday email, computer and Internet user. There are phishy videos. Then there are games with names like “Invasion of the Wireless Hackers” and “Spam Scam Slam“. Let’s not forget “ID Theft Face Off“. Now these are educational video games for all ages.

Continue reading Spam and Phishing Education Goldmine»

Yesterday I experienced quite a scare.  Several client social networks I created and maintain all had fake member registration forms filled out. I immediately identified each registration as spam. Luckily all registrations must be manually approved by the administrator.  I found this to be a very sophisticated spam attack. In each instance the spammer even uploaded a required picture of a pretty girl.  The registration form field entries each had the same entry of “I’ll tell you later”.  This indicates an automated spam machine was used. The different email addresses entered all used the malinator.com domain.  All the social network administrators have been notified to be on alert.

With account registration moderation in place, the scenario above is a more controlled environment. So spam infiltrations are much harder to achieve. More mainstream popular social networks, like Facebook and Twitter, do not moderate registration. So spammers can slip in very easily to target legitimate members.

As mentioned in a previous article “Belated Spam Predictions“, spammers will continue to phish social networks, but use more sophisticated approaches. The goal is to collect not only personal information, but also retrieve information surrounding a person’s inner circle of friends and associates.

Continue reading Social Network Spam Scare»

The Anti-Phishing Working Group (APWG)  is at the top of their game, where ecrime is concerned.  APWG is a consortium that tracks Internet fraud and scams. This organization  recently submitted a plan to automate submissions of phishing and other ecrime related incident reports. This plan is pending review by the Internet Engineering Task Force (IETF)

As reported in PC World by Jeremy Kirk , “The challenge facing law enforcement and security organizations is a lack of a coherent reporting system, said Peter Cassidy,  secretary general of the APWG. Until now, there was no standard way to file an e-crime report. That makes it hard to coordinate the vast amount of data that is collected on cybercrime, Cassidy said.”

Once the IETF approves this electronic reporting system, it may still be a while for a complete roll out of this ecrime reporting system.  In the meantime, the APWG has published an industry advisory, which provides guidelines for developing a company ecrime incident reporting process.  This can be immediately implemented.

Continue reading APWG Introduces New eCrime Incident Reporting»

In early January the article “Have a Spam Free Year” by Dan Blacharski, introduced the term “fast flux“.  Clicking on the image to the left provides an excellent visual of fast flux in action.   About 2 weeks after Dan’s article was published, the Generic Names Supporting Organisation (GNSO) Fast Flux Hosting Working Group published an initial report on January 26, 2009. This group was formulated by Internet Corporation for Assigned Names and Numbers (ICANN).  This report is obviously in response to a serious anticipation of increased spam and phishing attacks.

Fast flux is where botnet herders continuously move the location of a website, email source, or DNS server from one computer to next. This makes malicious spam and phishing activity extremely difficult to detect. IP blacklists become useless in finding fast flux-based botnets. This stymies law enforcement agencies in being able to locate the criminal elements in cyberspace.  The storm botnet was one of the first to deploy this technique of preserving its botnet infrastructure and hiding from investigators.

It gets worse. “Double-flux is another evasion technique applying two levels of deception as opposed to one,” says David Piscitello, a member of ICANN’s Security and Stability Advisory Committee (SSAC). David is also one of the authors of a SSAC advisory paper that addresses fast and double flux attacks. Dan Piscitello further explains  “It’s particularly troublesome because using domain names is a whole lot easier than using IP addresses. Before this, you could hone in on a domain server as a way of shutting down a malicious site. But now the bad guys have one more tool in their evasion toolkit.”

Continue reading Fast Flux Primer»

I recently joined a few email administrator discussion groups on LinkedIn.  I was surpirsed to see how many administrators are currently in a job search.  Although you may already know how to identify email phishing scams, it’s easy to get so caught up in the pressure which may derail our focus.

With the global economic meltdown, millions of people are out of work.  The stress is enormous. Marriages are dissolving, because  love jumps out the back window when money stops coming through the front door.  CNN even reports that many failed marrages can’t be completely dissolved, because couples can’t even afford to go their separate ways.  Tensions escalate as some couples are forced to stay together because they can’t sell property.  This is very fertile ground for email spam phishing scams to reap huge profits.

The phishing sharks are circling the rough water of a highly competitive job market. This volatile emotional climate sets the  stage for people to make very irrational decisions. People in a job search are vulnerable and easy prey for phishing scams. Bank accounts are being emptied due to people allowing their emotions to override making practical business decisions.    It’s  easy for anyone to get lathered up with email scams promising a job opportunity or making fast cash working at home in, but a cool head and common sense must prevail. I can  personally attest there are legitimate work at home opportunities.  When I’m not providing technology support to email clients, I provide business career coaching services.  My wife also runs a very successful Internet eComerce business. Continue reading Use Common Sense During a Job Search»

DomainKeys Identified Mail (DKIM) is a method for verifying email as being authentic.  DomainKeys was designed by Mark Delany of Yahoo!.  DomainKeys is covered by a U.S. patent assigned to Yahoo!.  Although it has been around for quite a few years, I suspect 3 variables have prevented DKIM from gaining wider acceptance.  Cost of implementation, universal compatibility between disparate email systems and speed of encryption/decryption processing must each be addressed for wider acceptance.  DKIM would be an excellent compliment to spam filters.

DKIM adds a header named “DKIM-Signature” that contains a digital signature of the contents (headers and body) of the mail message. The default parameters for the authentication mechanism uses a  cryptographic
algorithm and RSA as the public key encryption scheme, and then encodes the encrypted hash.

The receiving SMTP server then uses the name of the domain from which the mail originated, the string “domain key”, and a selector from the header to perform a DNS lookup. The returned data includes the domain’s public key. The receiver can then decrypt the hash value in the header field and at the same time recalculate the hash value for the mail message (headers and body) that was received. If the two values match, this cryptographically proves that the mail originated at the purported domain and has not been tampered with during transmission.

Continue reading The New Spam Sheriff in Town»