In an effort to avoid further prosecution Trudeau urged his supporters to email the judge to tell him what his cures did for them and to urge him to find in his favor. The judge said his inbox was overwhelmed with spam and demands that the complaint against Trudeau be dropped and found him in contempt of court. Trudeau was scheduled to report to jail today. The court gave no reason for the change of heart but said the stay was contingent on no more spam campaigns being aimed at the judge or the court.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

King of Informercial Scams Avoids Jail for Spamming Judge

One of the more effective methods of reducing spam in recent years is through IP filtering.  This technique involves checking the IP address of the computer or server that is trying to send you email against a list of known or highly suspect spam sources.  The lists are provided by various third party organizations such as Spamhaus and are typically integrated into the products sold by security vendors.

The best part of this technique is that the check occurs at the earliest stage of the initial communication between the two servers.  If the IP address is considered to be a spam source then the connection is terminated before time and server resources are wasted by accepting any further part of the email content.

This meant greater efficiency in spam protection systems compared to earlier techniques that involved checking the entire message content for certain keywords or strings that matched a database of known spam.  This technique is still used today, but it is only performed on email that first passes the IP filtering checks.

Some estimates put the amount of spam that is typically stopped by IP filtering at around 80-90%.  That is up to 90% of spam (not of total email traffic) that can be prevented by IP filtering, usually with very few false positives.

The remaining 10-20% poses a bigger challenge.  These emails need to be checked more thoroughly for other characteristics such as:

• Sender address/domain
• Email body content such as text or URI (Uniform Resource Identifier, often called a URL by web users)
• Images and file attachments

This is because spam emails can come from trustworthy sources such as webmail providers and ISPs in which specific accounts have been compromised by a phishing attach.  As a result they cannot be blocked reliably on the basis of sender address/domain.These checks are also computationally more expensive and more prone to false negatives when new spam techniques emerge.  One of these new techniques is the use of URL shortening services to cloak malicious website addresses.

URL shortening sites typically do not police the links that people create using their services, which elevates the risk of them being used for malicious purposes.  However, the services do often provide an API that can be accessed by other applications, which has led to the emergence of sites and web browser add-ons that can be used to manually check a shortened URL before it is clicked on.

This process is manual and tedious though, and relies on the weakest point in spam prevention – the end user.  Only the most security conscious end user will do this check even some of the time.

But the combination of URI filtering and URL shortening APIs offers the chance for the problem to be attacked from two angles.  Email security products could possibly detect shortened URLs and perform a check against the provider’s API to determine the actual destination address.  That destination address can then be checked against URI filtering lists for known malicious sites.

Though this check may be effective it is not particularly efficient.  Email servers will need to send API requests and wait for responses before determining if an email is malicious or not.  And it does not solve the issue of these services being used by spammers in the first place.

As an alternative, the URL shortening services could make use of URI filtering lists when providing shortened URLs to their anonymous users, and deny the creation of short URLs that lead to malicious sites.  This might eliminate the problem at the source.

As a positive flow on effect of this type of change the use of shortened URLs by spammers on social networks and other non-email communications would also be reduced, reducing the risk of several different threats at once.

These checks are obviously not being performed by shortening services yet.  I tested several spam URLs from a URI filtering list on a few of the popular services and none of them prevented me from creating a shortened URL.  I wonder if soon we will see them forced into action as spammers exploit their systems to the point where they are completely untrusted and actively blocked by security systems.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Could Better URI Filtering Cure Email Spam?

According to Microsoft, Waledec is one of the 10 largest botnets in the world and responsible for most of the spam hawking fake and shady internet pharmacies, male enhancement products and designer knock offs. They had this to say about Waledec on their blog:

Waledac is estimated to have infected hundreds of thousands of computers around the world and, prior to this action, was believed to have the capacity to send over 1.5 billion spam emails per day. In a recent analysis, Microsoft found that between December 3-21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.

While Microsoft claims victory, it’s more than likely short lived. As we’ve seen in the past with shutdowns like McColo, it doesn’t take long for the cybercriminals behind botnets to regroup and start anew, and they are getting better and better at it everyday.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Microsoft Slays Waledec

SPF is good but not perfect at flagging spam.

How effective is sender authentication in contributing to the fight against spam? A recent analysis of Microsoft’s email volumes revealed some interesting findings on the subject.

The analysis conducted by Terry Zink studied the impact of two sender authentication technologies, DKIM and SPF, on his company’s email flows.

DKIM, or DomainKeys Identified Mail, allows the sender of an email message to take responsibility for it while it’s in transit. It’s a way to validate a domain name identity associated with a message through cryptographic authentication.

While DKIM can be a way to block spam sent from hijacked domains, it’s less effective against spammers who create their own domains and spew junk from them. However, when used with some form of reputation analysis, it can contribute to cutting down spam traffic from those sites, too. The reasoning being that if a domain sent “good” mail to you in the past, it will continue to do so in the future.

SPF, or Sender Policy Framework, was designed to blunt another tactic used by spammers: address spoofing. It allows senders to specify which hosts are permitted to send their emails. It does that by creating an SPF record in the DNS, or Domain Name System. When a message arrives at its destination, the recipient system can check where it was sent from to the SPF record in the DNS. If it was sent from a host specified in the SPF record, the address can be assumed to belong to the originator of the message. If it’s sent from a host not in the SPF record, then it’s likely the message is spoofing its origin and can be trashed as spam.

One of the problems with SPF is that it can create more problems than it solves. A case in point: a recent attempt by Intersessions, a Web site hosting services provider, to implement the technology.

After implementing SPF enforcement, the company had to turn it off after three days. According to the owner of the company, Jeff Koch, here are some of the reasons for abandoning SPF:

• Domain owners and their employees regularly send email from servers that violate their own SPF.
• Customers were unable to receive email from important contacts.
• Customers didn’t understand why Intersessions was blocking important email.
• Customers couldn’t explain SPF to their business contacts, who would need to inform their IT departments to correct their SPF records.

“Our assessment is that SPF is a good idea but pretty much unworkable for an ISP/host without a major education program which we neither have the time or money to do,” Koch wrote recently. “Since we like our customers and they pay the bills it is now a dead issue.”

In his analysis of Microsoft’s email over a 45 day period, Zink estimated that 14 percent of the messages contained DKIM signatures, while 38 percent were validated with SPF checks.

Admittedly, not all the messages identified as non-spam by the sender authentication technologies were pristine, but that’s to be expected, Zink contended. “I don’t know of anyone worth their salt in the anti-spam world that would assume that a message authenticated using either of those two technologies must therefore be valid,” he said.

Nevertheless, as a first pass through email, the technologies did well. Only eight percent of the messages with DKIM signatures were later flagged by content filters as spam. The success rate for SPF was good, too–only 10 percent of the messages passing SPF muster were later canned by the email system’s spam filters.

“So,” Zink concluded, “the probability that an authenticated technology is high, but it is no guarantee.”

A more detailed analysis by Zink of the SPF results also proved intriguing.

That analysis looked at the various ways an SPF record can be evaluated and how it may influence the likelihood of a message being tagged by content filters after being classified as non-spam. For example, evaluations such as “neutral”–meaning no host was specified in the SPF record; “hard fail”–meaning the message came from a host not designated as an appropriate sender; and “none”–meaning a domain does not have an SPF record–don’t seem to have any influence on whether or not a message is subsequently marked as spam.

“This can be interpreted in two ways,” Zink wrote. “Either (1) there are lots of people out there who aren’t spamming despite doing no authentication, or (2) authentication hasn’t really caught on yet the way we in the email industry would like.”

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Sender authentication effective, but no panacea against spam

Another recent trend has been the appearance of botnets that have the ability to detect when they are being studied by security researchers.  Often this study is taking place using honey pots, which are fake systems set up by researchers to be deliberately infected with malware so that they can study its behaviour.

This has lead some security experts to predict that soon it will be common for botnets to actively look for the signs of a honey pot and either deactivate those systems, or perhaps even generate DDOS attacks against the researchers.

The CTO of database security firm Imperva, Amichai Shulman, suggests that “Most honeypot machines are based on a virtualization platform (most often VMWare). By detecting this attribute of the infected platform, malware developers will probably be able to detect most honeypots out there.”

The intersection of these two trends could have a positive outcome for businesses concerned about botnets infecting their corporate systems.  If botnets actually did begin shutting down when virtualization platforms were detected, then the use of virtual desktops could in itself prevent a botnet from becoming active.

As it stands now virtualizing desktops does offer some benefits for malware prevention.  Virtualized desktops will usually operate in a more locked down state than hardware-based desktop fleets.  This is not always because of poor administration of the hardware fleet, often it is more due to the administrative effort required to secure a hardware fleet making it more prone to exception or error than a centralized virtual desktop environment.

The rapid deployment capabilities of virtualized desktops also mean that any malware infections that do occur can be quickly dealt with by destroying that particular instance and provisioning a new one.

It will be interesting to see if botnets do continue along this trend of attempting to detect honey pot systems, and whether that does deliver an unintended benefit to businesses that are embracing desktop virtualization.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Will Virtualization Protect Businesses from Botnet Infection?

Jerry Upton, MAAWG Executive Director said “We’ve been sitting at a stalemate for probably two to three years.  Taking out the highs and lows, we’re sitting at about 90%”.

Figures that regularly appear from various security vendors have been telling the same story for several years now.  With latest figures confirming the continuing trend one might be forgiven for wondering who is really winning the war against spam.

Spam fighting is a multi-billion dollar industry and businesses are spending thousands or even millions of dollars each year to try and protect their networks from spam threats.

Network providers have had some successes by disconnecting major spam networks from the internet but in most cases the spammers have resurfaced or simply distributed their infrastructure across international jurisdictions.

Consumer ISPs are generally against implementing measures to prevent their customers from adding to the problem.  This despite MAAWG’s findings that “tens of millions of Web users in North America and Western Europe have clicked on spam at least once – and many of them did it on purpose”.

Were the ISPs to implement the sort of changes to their email infrastructure that some people say would reduce spam, this would do little for the emerging threats in non-email spam.

MAAWG members voiced concerns over the growing trend of “spam distributed through social networks”, a problem that is quickly becoming a serious threat to businesses.

Although security vendors quickly act on new threats and techniques by spammers and criminals the biggest vulnerabilities remain in the end user.  Many of the new attacks use strong social engineering techniques made possible by the increasingly public way in which people live their online lives.

And despite authorities attempting to educate the public on new threats the criminals are able to exploit these campaigns by delivering malware as fake antivirus and spyware programs, which users often eagerly accept thinking they are protecting themselves from the threats they have been warned about.

For businesses the most alarming trend is the increase in targeted attacks on high profile corporate officers.  It is thought that this type of attack was used in the recent hacks of Google and other US companies.

The benefit of MAAWG is the open forum in which competing companies can meet and share information with ISPs, government agencies, and each other in an effort to better understand online threats.  Unfortunately their ongoing efforts seem to have maintained a long running stalemate at best.  But we should appreciate their initiative, because it’s clear that without it our situation might be far worse.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

The Spam Statemate

          “Virus scanning has to extend beyond the PC to all types of removable storage”, Jason Holloway, Northern European sales manager with SanDisk said .”Better still, employees should only be able to use authorised flash drives that include on-board antivirus scanning. This ensures that users cant turn off, disable or work around the protection, and would stop these infections from spreading.”

Conficker has spread like wildfire across the net and has infected over 7 million computers. It was first spotted in 2008. Experts still aren’t sure what its purpose is since its botnet is seldom used.

A year ago Manchester council’s computers were attacked by Conficker, forcing the town to write off parking tickets and spend over $1 million pounds to fix the infection. It’s not yet known if the Manchester police will have to overlook any violations or void any arrests because of their infection.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Conficker Worm Cripples Police Department

Ninety-five percent of email never reaches an inbox.

Email service providers trash 95 percent of the traffic headed to their customers’ inboxes, according to a survey from a European security group.

“[S]pam’s impact on the business has been greatly reduced through effective anti-spam measures,” the European Network and Information Security Agency reported recently in its third annual 2009 Anti-Spam Measures Survey.

“Anti-spam measures are doing their job, reducing the threat of spam to a manageable security process,” it added. “This process still requires focus, expertise and resources, but it is arguably predictable.”

“These measures currently filter out over 95 percent of email traffic, using a variety of methods, greatly reducing the volume of spam that customers receive, without causing significant problems with false positives,” it continued.

The researchers found “alarming” the current state of blacklist management.

Blacklists are one of the most common ways service providers block spam from leaving their servers, followed by outbound virus scanning and port 25 monitoring. Yet some 66 percent of the survey participants said their servers had been added or retained on blacklists incorrectly. What’s more, the same percentage told the surveyors that they believe that major blacklists sometimes incorrectly include servers that do not or no longer send spam.

After encountering a blacklisting problem, the respondents split evenly on the difficulty of rectifying it, with 50 percent saying it was easy and 50 percent saying it was hard, according to the survey of 92 anti-spam and email service providers responsible for some 80 million email boxes in 30 countries.

“This high level of responses citing problems with blacklists incorrectly including non-spamming servers is alarming,” the report declared. “This problem may inevitably happen occasionally, but email providers clearly want to be sure that when a spam problem is fixed, that the server can be removed from the blacklist.”

The researchers also noted that spending to fight spam is wide ranging, with one of the major determinants being company size. “Even most small providers have anti-spam budgets over EUR 10,000 annually [about US$14,000], while the largest providers can have budgets in the millions of Euros,” they wrote.

They added that spam imposes a burden on company help desks. “Some respondents noted that a significant share of help desk calls concern spam, though most reported that less than 10 percent of help desk calls concern spam.”

“These results,” they continued, “suggest that most providers are currently managing to prevent spam from greatly harming the customer experience, though spam continues to impose costs on help desks.”

According to the survey, respondents emphasized the need for a coordinated approach against spam, and a key part of that is for providers to shut down spammers among their own customers before sending the spam on to other service providers.

“Generally,” it noted, “collaborative approaches are developing and proving successful, but there is much more that can be done to collaboratively address the problem of spam.”

The report also identified some of the most popular techniques deployed by spam fighters to skunk email junk.

The most common way of detecting spam is through complaints, folowed by monitoring peak traffic, traffic anomalies and signature detection. Seventy five percent of the respondents said they analyze a spam source when customers complain about it, the report noted, but “Far fewer analyze the source of spam based on automated tools, specifically when monitored spam levels reach a threshold.”

For blocking spam, the most popular methods are blacklisting, content filtering, and sender authentication. “The usage of most network-based measures has stayed constant since the 2007 survey, though use of sender authentication and URI blacklisting have increased markedly, while reputation systems and slowing the sender’s connection have become less common,” the report observed.

“The average number of network-based measures applied has also remained consistent at 4.7 per provider,” it added.

When authenticating the senders of email, the report found that SMTP AUTH remains the most popular, with SMTP TLS and SPF finishing a distant two and three. “The usage of the various sender authentication mechanisms has remained mostly constant since 2007, except for DKIM, which has increased significantly,” the report explained.

As effective as their efforts have been, the report revealed that spam fighters don’t intend to sit on their laurels. “Close to half of providers stated that they plan to implement new anti-spam measures within six months,” the researchers reported. “Reputation databases were mentioned most frequently with new blacklists most common, followed by greylists.”

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spam traps nab 95% of all email

The irony is that the site’s co-founder, Greg Tseng, was himself fined $900,000 back in 2006 when his company, Jumpstart Technologies, was found in violation of the CAN-SPAM Act. What’s more, this past November, Tagged reached a $750,000 settlement with the Attorney Generals of New York and Tennessee over its own invitation practices.

The site has had a bad reputation for some time, and some anti-fraud advocates consider it a phishing site.

Whether the suit and the site’s recent revamp of its invitation process means the site is turning over a new leaf remains to be seen, but the irony is hard to ignore!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Tagged.com Wins Suit Against Spammer

Security experts are predicting such activities to keep rising as the iPad’s March release date draws closer. They advise users to keep their anti-virus software up to date and to get their Apple news from trusted, familiar sites. Companies should review their site security and keep a close eye on their code as many of the poisoned search results point toward legit sites that have been compromised by SQL injection attacks.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

iPad Launch Causes Spike in Apple Spam

Over half of the 500 companies received spam via a social network, and more than one third experienced a malware infection from one of these sites.

The perception is growing among businesses that social networks are a risk of more than just employees wasting time.  Most companies either take a blanket allow or deny approach to social networks but apply no other measures to address the larger risks that these websites expose them to.

Spam and phishing are rampant on the most popular networks such as Twitter and Facebook.  For all the attention paid to email security for businesses, often very little is given to the messaging capabilities of social network sites.  Clicking on a malicious link in a Twitter message is no different to the same link delivered via email.  From the spammer’s perspective the deliverability rate of their messages is much higher on social networks than it is for email.

These attacks continually come to light in the media.  Twitter has notified some users that they may have been subjected to a phishing attack and has forced them to update their passwords to ensure their accounts are not misused.  This reactionary step is the closest thing to protection that can be achieved on an unmoderated medium like Twitter that has no entry requirement other than a working email address, and exposes a rich API that is perfect for spam automation systems.Facebook has partnered with a security vendor to offer free 6 month trials of internet security products to prevent user computers from being compromised.  This places the responsibility for Facebook security on the user and is an opt-in offering only, which will mean minimal uptake.

Other vendors are offering their own products that claim to protect from social networking risks.  As a point solution these might be effective, although they currently support only one or two popular services.  For businesses the cost and administrative overhead does not scale well.

Deploying a special product to a fleet of desktops to combat a subset of the risks of being online will not be an attractive option for large environments.  These organizations look for unified threat management systems that can be more easily deployed and centrally administered, and can operate at key network locations such as web proxy servers rather than at individual computers.

Security against spam, phishing and malware is just one important part of social networks.  Another significant issue is that of privacy of personal information.  Facebook recently changed its privacy policy to expose all personal information as public, a reversal of its previous “private by default” stance.  Employees are not often careful with what information they share on social networks, that can be valuable to an attacker for use in social engineering.

Professional social networks such as LinkedIn encourage the exposure of employee names and position titles as people build their network of contacts.  Security experts have proposed that social networks may have played a part in the recent Google hack, as the attackers compromised the accounts of low level employees in order to gain access to those who had the higher levels of access they needed to make a successful intrusion.

Email spam, though it constantly evolves, is a relatively well understood and manageable threat.  Social networks are a relatively new threat that most businesses are only just becoming aware of.  Protection strategies need to be expanded beyond just the email server and firewalls in order to deal with these new threats.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Social Network Spam Continues to Rise, Businesses Feeling Impact

          “System Defender – Kernel Error 0xC00000005

This problem is unambigously cause by malicious contents in IP packers in transport layer from website: www.offroad-lm.szm.sk. To bee patient, Windows Defender scan your hard drive(s) for bugs caused by system incompatible code. To recovery of system press OK button. Wait to successfull end of scanning. Inform about this administrator on www.szm.sk and incriminated web site.”

Once that appears, the system is doomed. The next time the user restarts the computer they will be greeted with the heart stopping error “FATAL: No bootable medium found.” This is because the virus overwrites the Master Boot Record, which permanently damages the drive. What makes this virus even more dangerous is that until the message pops up it’s nearly impossible to know the system is infected.

Win32.Worm.Zimuse A and B distribute themselves in very different ways. The first variant embeds itself on legit sites, possibly by poisoning an ad network, and pretends to be an IQ test. The second spreads via exchangeable media like USB flash drives. Experts think it was a malicious prank intended only for fans of a Slovakian motorcycle gang but it has gone far beyond that, destroying data wherever it lands. This could be especially devastating if it hit a critical government or business network.

It is extremely important to make sure your data is backed up safely and to be more cautious than ever about sharing storage media and clicking on links. All IQ tests should be avoided, and web surfing should be confined to familiar sites. If you aren’t sure if your system’s anti-virus programs are up to date, contact your IT department.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Vicious, Data Destroying Virus Discovered

CAN-SPAM says commercial emailers must provide a clear and easy way for recipients to opt out of receiving further messages and they must promptly honor those requests. What some sleazy marketers have found however, is that they can get around having to do so by changing their name. They send a blast of spam as XYZCompany at XYZ.com. They get a flurry of opt out requests and instead of honoring them, they change their name to XYZCompany1 at XYZ1.com.  More spam sent, more requests received, and they change their name again, this time to XYZCompany2 and XYZ2.com.

What can be done? It’s up to the U.S. to change the law to say that direct marketers and commercial emailers must get permission from consumers BEFORE sending any of their spam. In doing so the U.S. will fall into line with spam laws in most other countries.

Will this happen? That’s anyone’s guess. The Supreme Court’s decision to allow businesses to spend as much as they want on political campaigns may have a less than pleasant effect on the law. In the meantime, if your company is using this practice, stop. It’s not legal and it’s not good business.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

U.S. Based Spammers Using Loophole to Get Around CAN-SPAM

The report also identified Taiwan (62.20%), Russia (56.77%) and Poland (55.40%) as the countries with the highest levels of malware infected computers and Sweden (31.63%), Portugal (37.79%) and the Netherlands (38.02%) as the countries with the lowest infection levels. The United States is in the middle with about a 50% infection level. Many of these infections may not even be known to the user. Millions of computers have been turned into “zombies” and added to botnets.

Experts say malware attacks will be on the rise and become more and more sophisticated as scammers develop new techniques to avoid detection. Social networking sites will bear much of the brunt as spammers and scammers seek to take advantage of the huge audiences these sites attract. Facebook has 400 million members and Twitter over 15 million in the US alone.

As 2010 continues to unfold stay with All Spammed Up for the latest spam and security news. It’s going to be an interesting year.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Over 25 Million New Strains of Malware Identified in 2009

          “ACMA expects that Australian businesses take note of this outcome,” ACMA chairman Chris Chapman said. “Under the Spam Act, every person has the right to unsubscribe from receiving commercial electronic messages and to have that request acted on effectively and quickly. The failure to act on a request can result in significant penalties if a business is found to have breached the Act.”

CommSec sent over 6 million advertising emails in 2009. The company says it has agreed to have an independent consultant to review its compliance systems and to also provide additional training to its staff.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Australian Financial Firm Fined 55K For Spamming

The researchers used a captured spam bot to analyze a sample of the spam emails that it produced and then used this information to reverse engineer the template that the spam emails were based upon.  Once this template was known 100% of further spam emails from that bot were successfully blocked while avoiding any false positives on one million genuine email messages in the test.

Leading anti-spam products in the market today claim up to 99% accuracy for spam detection and use sophisticated analysis techniques such as Bayesian filtering to reduce false positives.  However a large part of the fight against spam remains reactive.

Adding this new technique into the protection mix may tilt the playing field in the good guys’ favour for a little while but the constantly evolving threat landscape online will find a way to get around it soon enough.  Fighting spam comes down to a numbers game – if there are more people who want to send spam than there are researchers and professionals fighting it then the war will go on for a very long time.

The spam and malware industry has already become well known as a sort of underground marketplace where anyone can buy the software and email lists they need to begin a spam campaign.  The business model behind these ventures has become so well established that ongoing maintenance plans are even available for the spam tools and malware available.  For a fee a malicious coder will develop a new variant of a tool for you that circumvent any detection that has been implemented by security vendors.

It is easy to expect this same type of service offered to botnet operators who will need a constant supply of new email templates to avoid detection by any vendor who uses this new spam analysis technique.  In fact it is also easy to expect that bot software will no longer contain all of the template information in its code and will instead regularly download new variations from other sources to hamper attempts reverse engineer it.  Most bots are already self-updating and constantly evolving into new variants anyway.

The full details of this new research will be unveiled in March and it will be very interested to see just how practical it will be to integrate this new technique into current anti-spam products.  The turnaround time required to discover and capture a new bot, analyse it, create detection signatures, and then deploy those to a global customer base may be more than enough for spammers to successfully send out their campaigns.   By the time protection is achieved the next bot variant already exists.

As far as the overall impact on spam this technique may have little to no impact at all.  Although it may prevent some spam that is sent directly from the computers compromised by bots it will not have any effect on bots that serve other purposes such as taking over webmail or social networking accounts for use by spammers.

As an anti-spam development this research is interesting but I have some doubts about its practicality and effectiveness.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Researchers Analyze Bots to Beat Spam, But Will it Work?

Compromised computers spew spam.

In judo, an attacker’s assets are turned into liabilities by a defender. The attacker’s attributes like weight and size are leveraged against the aggressor and used to neutralize him or her with a flip. A similiar tactic to fight spam propogated by botnets has been developed by an octet of researchers.

The team from the International Computer Science Institute in Berkeley, Calif. and University of California in San Diego–Andreas Pitsillidis, Kirill Levchenko, Christian Kreibich, Chris Kanich, Geoffrey M. Voelker, Vern Paxson, Nicholas Weaver, and Stefan Savage–have developed a way to flip the software running a botnet so it assists spam fighters in blocking the cyber junk spewed by the malware.

The researchers, who will be presenting their findings next month at the 17th Annual Network and Distributed System Security Symposium in San Diego in a paper titled “Botnet Judo: Fighting Spam with Itself,” turn a technique deployed by botware to disguise its nefarious activity from spam assassins into a tool for blocking junk email.

Here’s how the technique works. To fool spam filters analyzing the text of a spam message, a botware program will periodically make changes in its output. To do that, it uses a template. The template not only specifies the content of a message, but it also determines how to vary that content in future iterations. If those templates could be cracked, the team reasoned, then they could be used to block the bot’s output.

After analyzing 1000 spam messages from one compromised machine–about 10 minutes output for a bot engine–the boffins were able to construct the template. With that knowledge, they could appropriately modify spam filters to block 100 percent of the spam generated from the infected machine. Better yet, they could do it without producing a single false positive.

“This is an interesting approach which really differs by using the bots themselves as the oracles for producing the filters,” Michael O’Reirdan, chairman of the Messaging Anti-Abuse Working Group told the New Scientist in an interview.

However, it does take some time to crack the template. In the spam world, even a short delay can be enough time to unleash a raft of junk. Botnets have grown so large, Reirdan added, that even a one minute delay in cracking the template would be “long enough for a very substantial spam campaign.”

While the spam battlers’ research garnered kudos from many quarters, one security expert was less than impressed by their efforts. “All you have to do is download the malware, capture the spam traffic, and then use the traffic to build an anti-spam corpus of rules,” wrote Terry Zink, a program manager for Microsoft’s Forefront Online Security unit, in his Anti-malware blog. “In other words, it’s the next step in doing what anti-spam vendors have been doing since 2002.”

He questioned how effective the template technique would be in practice. In order for it to have a significant impact on spam, he reasoned, bad apps from many botnets would need to be captured not just one. That could be a daunting task.

What’s more, botware isn’t a static target, he points out. Malware on the zombie nets often updates itself automatically. A template that works today might not work tomorrow. Any anti-spam software would have to keep pace with those changes to make sure it’s correctly identifying how the malware is sending out its nasty payloads.

In addition, he continued, all botware doesn’t directly send out spam. Some of them are designed to compromise  email services like Hotmail, Gmail and Yahoo mail. Once they’ve done that, they set up accounts there and use those accounts to distribute their junk. Intercepting the traffic from those kinds of bots would have a limited impact on their ability to generate spam.

He also noted that because of the competitiveness of the botware universe, malware writers often design their programs to zap any other black apps on a targeted computer. So a template could be created for a piece of botware that subsequently gets wiped by a competitor. In that case, the compromised computer will restart pumping out its noisome payloads unabated.

Nevertheless, Zink doesn’t totally write off the researchers efforts. “Still, this technique is a viable anti-spam measure if you can capture malware and install it; however, one would need to understand that it is but one tool in the antispam arsenal,” he writes. “It would have to be supplemented with other techniques like IP reputation and sender reputation.”

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Botnet judo fights spam with a flip

Rand’s suggestion is the blocking of TCP port 25 (the port used for SMTP, or email, communications between servers on the internet), making contact with customers who they suspect may be the source of spam outbreaks, as well as stronger government legislation.

The legislation idea has merit, after all the lack of cooperation between government agencies is how many international spam operations manage to go unpunished.  The blocking of SMTP on the other hand is impractical and costly to implement, both from a technical and a service perspective.

The basis of the idea is this.  Customers send mail using SMTP, therefore by blocking SMTP and requiring that customers send mail via the ISP’s mail servers allows close monitoring of email traffic and detection of spam.

The solution is problematic though because many ISP customers, both home users as well as businesses, have perfectly good reasons to not send their email via their ISPs mail servers.  These customers would need to be unblocked from using SMTP, and hence cannot be closely monitored.

The monitoring itself also presents two problems – firstly customers object to having their email correspondence inspected by other parties including their ISP.  Secondly, any false positives could have disastrous consequences if important emails were blocked.  ISPs do not want the exposure to liability if they block an email that results in monetary loss for the sender or recipient.A serious issue is also that of costs.  A higher email load combined with more thorough monitoring means more costs to the ISP for servers and software to do those jobs.  The human resource costs also increase, both in the management of the systems as well as the teams who need to contact and support customers who are suspected of sending spam.

Although email is currently the largest source of spam on the internet there are other forms of spam that are quickly becoming very common that would not be addressed by this solution.  Social networks such as Facebook and Twitter have become rich hunting grounds for spammers and phishers who are able to target victims with highly personalized attacks thanks to the open nature of these networks.

In a world where ISPs block spam email from customers the focus of botnets would simply shift to exploiting social networks and identity theft for the same outcomes.  Because these networks run simply as interactive websites they become impossible to block at the protocol level, and blocking them on a site by site basis would immediately outrage customers.

The British ISP heads who commented are correct in their view that businesses and email administrators need to take the responsibility of blocking spam that is sent to them, rather than expect ISPs to do all the work for them.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

ISPs Don’t Want to be Spam Cops

Two people have the chance of winning either the first prize which is a 50 user license pack or the runner up prize – a 25 user license pack.

For details on how to enter the competition check out Paul’s blog post. The deadline for the contest is 31 January 2010, Australian EST.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Win a copy of GFI MailEssentials for your business

One prognostication by anti-spam expert Laura Atkins at her “Word to the Wise” blog is that DKIM–Domain Keys Identified Mail–will begin to supplant SPF–Sender Policy Framework–as a method for authenticating the senders of email.

Both methods were developed to counter “source address spoofing,” where spammers make their payloads look like they originated from a legitimate email source. SPF allows an email administrator to designate the Internet hosts that can claim emails originated at a certain domain. DKIM takes a tougher approach. It adds a cryptographic signature to outbound mail that can be verified at the message’s destination.

“I think we’re on the cusp of critical mass and signing will become less of a bonus and more of a given,” Atkins writes. “Right now, it seems that senders who are signing with DKIM are seeing a bit of a reputation bump just because they’re signing. I expect this positive effect will wane, but for now anyone who is signing seems to be seeing improved delivery.”

The use of domain-based reputation as a means of verifying email veracity will also be on the rise in the coming year, according to the spamfighter. Despite its rising popularity, though, it won’t totally replace IP-based reputation as a verification vehicle. “A few people have predicted that domain reputation will replace IP reputation, and they’re wrong,” Atkins declares. “Domain-based reputation will augment but not replace IP-based reputation.”

She added that a fertile clientele for domain-based reputation technology will be smaller email marketers who share IP addresses with others. “Small senders often have to share IP addresses with other senders and domain-based reputation will allow them to establish their own reputation separately from the reputation of other senders using the same IP,” she explains.

Another augury that could spank spammers is the increased use of engagement filtering by ISPs. Two mainstays of spamfighting used by ISPs have been complaints and email bounce rates. Online Web mail providers have long included a spam button in their interfaces to allow users to quickly complain when they receive a message that they believe to be spam. By the same token, if a message is sent to a suspicious number of invalid email addresses and is bounced, an email provider will leverage that information to block future messages with similar characteristics. However, measures like complaints and bounce rates can be “gamed”–manipulated by spammers to fool ISPs into thinking that junk mail is actually desired mail.

In recent times, ISPs have taken their filtering efforts to a new level through engagement. With engagement, what they try to do is read how their users feel about a piece of email by how they interact with it. If they ignore it, for instance, or fail to follow links in it, the message isn’t engaging that user’s attention so it’s likely that the user didn’t want it in the first place and won’t want messages similar to it in the future.

“‘Wanted’ mail will no longer be measured using the proxy measurements, as those have proven to be easy to game,” Atkins writes. “Instead, ISPs will directly measure how much recipients want a particular mail. These changes will force senders to stop sending mail that [generates] complaints and start sending mails that recipients are eager to receive.”

While social networks are all the rage on the Internet and marketers have been burning brain cells attempting to exploit the phenomenon, Atkins predicted that email will continue to be a pillar for online hucksters. “I don’t see social networking replacing email marketing at any time,” she notes. “I do see, though, email marketing giving recipients opportunities to share information with social networks.”

Savvy marketers, she asserts, will use email as a key to open up a target’s social networks to them. To do that, however, the marketer needs to offer the target something that’s wanted, wanted so much that he or she will want to tell the members of their social networks about it. If marketers followed that advice, it might not have any impact on spam, but it would significantly reduce the amount of marketing email flooding inboxes across the Internet.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Email predictions could be bad news for spammers