You might have been considering implementing a hosted spam filtering solution such as GFI’s Max MailEdge service, but are unclear as to how it works, and what reprecussions it might have on your existing IT infrastructure.

Simply put, the majority of hosted or cloud-based spam filtering works by redirecting incoming e-mails directly to the appointed service provider instead.  This is achieved by appropriately modifying the IP address listed under the MX configuration of the company’s domain. As a result, e-mails that come in are forwarded to the service provider’s servers first, before being rerouted to the “real” e-mail server.

Today, I’ve listed some important factors of a hosted spam filtering deployment that the technical manager will be interested in.

Freedom from the burden of processing spam

One of the key advantages of using a hosted provider to tackle spam is how it allows businesses to offload the computational and storage demands of eliminating spam to a service provider.  Unlike the hard to predict costs of operating and maintaining servers over any length of time, hosted spam filtering providers charge a fixed rate per protected mailbox, which serves to eliminate hidden or unanticipated costs.  Ultimately, this allows businesses to better track and budget for the cost of properly equipping each employee in the company.

Bandwidth and DDOS protection

One facet that is usually missed out in a hosted spam filtering deployment is the greatly reduced bandwidth required for the e-mail server.  Assuming the company e-mail server is hosted in a data centre, this translates into direct savings on the billable bandwidth since only e-mails that have been cleaned are forwarded to the mail server.  This reduction in network traffic is true even in servers deployed on the local area network and which will be evidenced by faster Internet connectivity in the office.

In addition, the use of a hosted spam filtering service also grants an implicit defence against denial of service attacks that are propagated against the e-mail domain.  Obviously, this does not stop a malicious hacker or entity from directly targeting your e-mail server’s IP address.  It does however form an additional layer of defence against DDOS, and should be more than adequate against casual or widely targeted spamming.

Platform Neutrality

One of the greatest advantages of a hosted spam filtering service is its platform neutral nature. All messaging systems are supported by default, ranging from Microsoft Exchange, Lotus Notes, to standard POP or IMAP servers.  This includes more sophisticated deployments involving BES implementations of BlackBerry smartphones or Exchange Sync clients like the iPhone.

The only real prerequisite to use hosted spam filtering is that the protected e-mail address must belong to a company-owned and managed domain, in order to allow the MX configuration to be modified accordingly.  E-mails flowing in will be automatically forwarded to the service provider, which will eventually route processed e-mails back to the correct e-mail server.

Ease of deployment

All it takes is a signed service contract and the appropriate modification of MX records to enable hosted spam filtering, making it a trivial matter to implement.  The reverse is true of a self-deployed solution; companies usually have to either acquire physical severs (or provision virtual ones), purchase the correct number of client access licenses, followed by the installation and configuration of the appropriate spam filtering software.  And I’ve not even got started about setting up the appropriate level of failover redundancy or the training and lead time required of the technical staffers running it on a day-to-day basis.

On the other hand, hosted spam filtering can be implemented without extraneous training for already overwhelmed IT managers or system administrators.  In fact, the correct information and authorization to modify the MX records could even allow service providers to setup and enable their service – remotely.

Flexible and versatile

Finally, the nature of hosted spam filtering allows for great flexibility and versatility in how it is deployed.  For example, users can concievably “stack” multiple providers in a chain, or opt to channel e-mails through another server (or service provider) for archival first, or even reroute new e-mails to a different server for the purpose of rolling out a new e-mail server.  The list goes on.

This clean separation between the various components of your e-mail subsystem means there is no need for corporations to be concerned about operating system security patches or updates to the spam filtering software inadvertently “breaking” any part of your precious e-mail infrastructure.

Conclusion

Of course, while the controls and spam filters afforded by the hosted spam filtering services are generally excellent, there are also advantages to running a self-deployed spam filtering server as well. Next week, I shall be looking at some of the features that an IT manager will want to look for in a self-deployed system, so stay tuned!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Some Reasons to Consider Hosted Spam Filtering

One aspect of spam has to do with trickery, where users are cajoled or tricked into performing an action, usually in the form of clicking on a specially prepared URL link.  While the best way to stop the proliferation of spam would of course be the implementation of a good spam filter, the inevitable junk e-mail slipping is often an inevitable state of affair.

Rather than having to sort through the mess after the fact, one way that IT managers can turn the situation around is to train non-technical staffers to complement and enhance technical methods of identifying spam. Teaching employees how to identify spam is a good idea on a few fronts, such as allowing spam administrators to better refine or tweak existing spam filters.  In addition, savvy users dramatically reduce the possibility of malware being introduced through spam.

Today, I will highlight a number of current spam vectors that you can use to train your users on how to identify spam.  You can of course also use these methods to better tune your spam blacklist.

1. “Mail undeliverable” messages
   I personally experienced a spike of such e-mails recently, which were all fortunately caught in my spam filter.  Depending on specific configurations – so as not to erroneously block legitimate warnings about unsuccessful mail delivery – some organisations might inadvertently let in more of such spam.  Less savvy users who see such e-mails might be panicked into rashly clicking a link in a misguided attempt to determine the problem.  While it would be unreasonable to train every employee on how to read e-mail headers, it won’t be as difficult to coach them on how to watch out for bogus links embedded within such e-mails.
2. Messages from popular on-line services
   The shotgun nature of unsolicited mails means that spammers are drawn to masquerade as popular Web services that have a higher chance of being used by their targets.  Common vectors are sites such as Facebook, PayPal, Amazon, or even iTunes. In a nutshell, messages that claim to come from these popular on-line services are then laced with links in the hope that victims will click on them.
3. Nonsensical headers or text body
   One popular trick by spammers is to copy or paste snippets of legitimate Web content as the e-mail header or text.  Links to specific sites are then carefully embedded to trick readers into clicking them.  The content of copied text can vary greatly, and I’ve seen materials from several sites combined before in a bid to bypass Bayesian filters.  Users can be further confused because e-mail recipients and senders are typically spoofed.
   IT managers need to remind users that if an e-mail makes absolutely no sense, it probably isn’t legitimate – even if apparently originating from someone they know.
4. Death and accident involving well-known personalities
   Events ranging from the demise of pop megastar Michael Jackson to the recent World Cup have clearly shown us how spammers are reacting much faster than before in an attempt to circumvent increasingly sophisticated spam technology.  Spam involving current or breaking news have a far higher chance of making it into inboxes before administrators have an opportunity to react.  Also, users who might have heard part of the news via other avenues are far more susceptible to read or click on any links that are given. Rather than forcing spam administrators to stay glued to breaking news, tapping into users to identify such spam is also an excellent opportunity to involve them in the fight against spam.
5. HTML file attached
   Most e-mail servers and spam filters now block executables by default, even if compressed within ZIP archives.  However, the continued discovery of flaws in popular Web browsers have led to spammers who send HTML files containing code to exploit these vulnerabilities.  Header and body text can vary as usual, but suffice to say that it usually involves something enticing such as winning a lucky draw or some unsolicited transfer of funds.  Users need to know that the sending of HTML files constitutes extremely suspicious behaviour and should first be verified with the appropriate administrator.

The above list represents just some of the newer spam attempts that I’ve personally witnessed; periodical training will be necessary to keep users up-to-date.  Ultimately, staffers need to know that the spam (or mail) administrator is always available to address any doubts or queries that they might have.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Five Ways to Train Your Users to Identify Spam

Six people, five men and one woman, have been arrested for their parts in a huge phishing ring. UK authorities say that the group has so far stolen over $550,000 and compromised over 20,000 credit card and bank accounts but say the tab could potentially reach over $6 million once they are able to establish the full extent of the operation. The five were arrested in London and County Meath, Ireland by the Metropolitan Police as part of an investigation called Operation Dynamophone.

          “We have taken this action to shut down an organised criminal network running an online phishing and account take-over operation,” said the Met’s Detective Inspector Colin Wetherill.”A great deal of personal information was compromised and cleverly exploited for substantial profit. By disrupting the operation we have hopefully prevented further loss to individuals and institutions across the UK.”

The group sent out fake emails made to look like they came from legit banking institutions in an attempt to trick them into going to the lookalike sites they created and turning over their login info. Once the info was in their hands they went to town cleaning out bank accounts and maxing out credit cards. Detective superintendent Charlie McMurdie of the Police Central eCrime Unit (PCeU) said they are also trying to determine if the gang distributed malware as part of their operation.

          “In high-volume phishing, malware infection goes on,” said McMurdie. “One million emails through various channels and in various forms will get a certain percentage of response.”

The accused remain in custody in London on suspicion of conspiracy to commit online banking fraud and violations of the Computer Misuse Act.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Six Arrested in UK Phishing Operation Bust

Google and Verizon set off a blizzard of chatter on the Internet this week when they aired their “open Internet framework.” The framework bars a provider of broadband Internet access “from engaging in undue discrimination against any lawful Internet content, application, or service in a manner that causes meaningful harm to competition or to users.”

Under the proposal, any “[p]rioritization of Internet traffic would be presumed inconsistent with the non-discrimination standard.” “Prioritization” is a euphemism for a service provider acting as a traffic cop for content aimed at the users of their systems.

When pulling the wraps off their proposal, the companies have put a pro-consumer, open-Internet spin on their proposal.

          “Google and Verizon have been working together to find ways to preserve the open Internet and the vibrant and innovative markets it supports, to protect consumers, and to promote continued investment in broadband access,” they said in the preamble to the framework.

But consumer groups aren’t buying the pitch. Their criticisms of the framework are similar to those expressed by the Free Press’s Joel Kelsey.

          “Google and Verizon can try all they want to disguise this deal as a reasonable path forward, but the simple fact is this framework, if embraced by Congress and the Federal Communications Commission, would transform the free and open Internet into a closed platform like cable television,” he said in a statement.

          “This is much worse than a business arrangement between two companies,” he continued. “It’s a signed-sealed-and-delivered policy framework with giant loopholes that blesses the carving up of the Internet for a few deep-pocketed Internet companies and carriers.”       

          “If codified,” he added, “this arrangement will lead to toll booths on the information superhighway. It will lead to outright blocking of applications and content on increasingly popular wireless platforms. It would give companies like Verizon, Comcast and AT&T the right to decide which content will move fast and which should be slowed down. And it will destroy the open Internet as a platform for small business innovation and job creation, cementing companies’, like Google’s, dominant market power online.”

While the Google-Verizon proposal has generated a lot of heat, one of its implications that appears to have slipped through the cracks is its impact on spam. It could very well result in more of the junk ending up in the inboxes of consumers. That’s because much of the spam circulating on the Internet is “legal” under the broad definition of the framework. And if any content is “lawful,” then it can’t be discriminated against–even if it’s unwanted by the people receiving it.

It’s obvious that is not what the framework’s authors intend because in the “network management” section of the proposal, they state that broadband providers can employ “any technically sound practice…to address traffic that is unwanted by or harmful to users.”

But here’s the rub. The framework actually turns on its head how Internet service providers operate now. Now, if provider one receives spam from provider two, provider one can turn off the spigot from provider two. Then it’s incumbent on provider two to persuade provider one to turn the spigot on again.

Under the framework, when provider one turns off the spigot, a purveyor of “legal” spam can go running to the FCC to challenge that decision.

          “Even if the ISP can show that they have users complaining about his stuff, so the network management exception applies, the FCC, being a government agency, is likely to tell the ISP not to block anything until they rule on his complaint, which could easily take months, if not years, during which time the spam continues to flow,” explained John Levine in a column posted at CircleID.   

          “Although network neutrality sounds like a good idea, it’s not, because it breaks the underlying model of the way the Internet works,” Levine maintained.

          “It’s certainly true that in most parts of the country, there’s only one or two viable broadband ISPs, the phone company and the cable company, and they can’t be trusted to run the network the way their users want,” he continued. “But the right way to address the excessive market power isn’t to regulate the ISPs, it’s for the FCC to put the rules back the way they were in the early 1990s, so telcos and, ideally, cable companies have to provide the underlying connections to any ISP on the same terms, so we have enough competing ISPs that if you don’t like one, you can just switch to another.”

          “This isn’t a pipe dream–countries including the UK have done exactly that, with the result that their residents have a wide range of ISPs, who provide faster service at lower prices than we get in the US,” he added.”

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Is Verizon-Google plan boon to spammers?

BusinessWeek has a great article about the FTC and how they’ve evolved to become a fixture in the war against spam and online fraud. They have a server that holds over 314 million spam messages and receives over 200,000 more a day. Investigators analyze the messages in their efforts to track down spammers and prosecute them under the CAN-SPAM law. Successful investigations lead to spammers being fined and sometimes jailed. They’ve also begun moving into the areas of social networking and identity theft.

I wonder though, of all the spam messages they collect what percentage originates from somewhere other than the U.S. Most hardcore spamming operations are safely overseas on bullet proof hosts in countries that don’t investigate or prosecute cybercrime either due to lack of understanding, lack of resources, or law enforcement corruption. Since these spammers can be convicted and fined without having to actually appear in court, yet can’t be made to pay up unless they enter the U.S., it seems such investigations could all be done in vain. Suing spammers doesn’t work well either – they just declare bankruptcy and move on to a new scam. There have been a few cases lately about spammers who’ve gotten themselves pretty hefty jail sentences but again, it doesn’t really work when the spammer is overseas somewhere.

So yes, the FTC is doing a great thing by investigating spammers and holding them accountable under the CAN-SPAM Act, but fighting spam will only be truly effective when all countries do so together and have similar anti-spam laws.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

The FTC gets over 200,000 Spam Messages a Day

Spammers appear to have taken their summer vacation in July, if the junk mail that evaded my gauntlet of garbage filters is any indication of their activities during the period. They stuck to shopworn and even hoary pitches with little in the way of inventiveness.

One vein that was worked extensively prior to July faked support messages from my Internet Service Provider. It seems my ISP wised up to these attacks and only a pair managed to make it to my inbox in July. One was a typical inept attempt to obtain my user ID and password. If the fact that the sender of the message spelled user incorrectly wasn’t enough of a tip off, the “reply to” address to an AOL account sealed the deal. The other lame pitch had a security angle. “This message is from Your Service provider kindly send your Login information because we noticed your account is being accessed from three different location,” it said. I don’t know about your service provider, but mine doesn’t refer to itself as “Your Service Provider.” It also knows a thing or two about punctuating sentences and when to use plural nouns.

One of the oddest messages landing in my inbox had a subject line in an alphabet I didn’t recognize, but had an English message beckoning me to go to kasate.com for a sealed lead acid automatic battery charger.

Speaking of battery recharging, by far the most effective spam penetrating my defenses dealt with drugs. The good old-fashioned “From Canada to you” subject line butchered in some fashion–Fro’m %Cana#da to y’ou, for example, or From| “+Canada to yo%u”–still seems to be working. However, rather than hawking male performance drugs, these junk emails simply offer cheap meds. Given that pharmaceutical spam has been a rising star in the spam universe, it shouldn’t be surprising that some of it makes it through mail sieves. The category has grown to 85 percent of all spam on the Internet from 65.5 percent last year. What is surprising to me, though, is how little of it reaches my inbox.

I’m also surprised as to how anyone could fall for the pitches in these messages. It’s obvious that the authors of this sputum aren’t on the level. Why else would they pepper their ploys with so many oddball characters to foil filters looking for words that flag messages as spam, words like Canadian, meds and money. I mean, who in their right mind responds to “Meds% are onsale &al(l ^week” or “Canad&ian m”eds ]are cheaper/Check our meds/ line up and __choose w|hats best.”

In addition to the profuse use of oddball characters in words, some passages are tacked on to the bottom of the messages. The idea behind that tactic is to make the junk look like a real email message to automated spam fighting systems which have limited intelligence. Those passages used to be true nonsense, meaningless collections of letters and words. In more recent times, though, the passages are snatched from literary works. In the batch of junk that last month survived my defenses, the most popular authors for the passages were Sir Arthur Conan Doyle, noted for his immortal detective Sherlock Holmes, and Sun Tzu, who penned the classic treatise The Art of War. Other authors cadged by the spammers were Lewis Carroll (Alice’s Adventures in Wonderland), H.G. Wells (The Invisible Man), A. E. Burgett (The Door of Heaven) and J.K. Huysmans (Là-Bas).

It seems no month of spam would be complete without a Nigerian scam sneaking through the cracks. Although this scam dates back to the 20th century, spammers apparently never tire of recycling it. In the version of the bunkum that ended up in my inbox, the spammer claims to be a 24-year-old Senegal woman who is an heiress to $7 million. She is writing to me “with due respect and heartful of tears since we have not known or meet ourselves previously” and trusts me with her money because “I have gone through a profile that speaks good of you.” In exchange for helping her transfer her inheritance from a “financier company” to her, she’ll give me 30 percent of the seven million. Further details about the transaction will be conveyed to me once she sees a copy of my passport, home address and telephone numbers. Actually, as Nigerian schemes go, this is a mild one. Usually, they ask for some cash upfront.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spammers lack imagination in July

It’s really not surprising but it’s disgusting anyway. A new phishing attack is aimed squarely at the victims of the disaster in the Gulf. Emails claiming to be from BP CEO Tony Hayward are circulating on the net. The emails offer a $500,000 “grant” from the company in exchange for some personal info such as their bank account number and social security number, so the email claims, they can deposit your grant funding right away.

Authorities say the emails actually originate in Nigeria. The Florida Attorney General’s office is so concerned they issued a statewide alert about the scam. It’s not the first time scammers have exploited a tragedy and it won’t be the last. After pop legend Michael Jackson’s sudden and tragic death last year, spam campaigns exploiting the event exploded across the net, offering links to “exclusive” videos and autopsy photos. Similar spam campaigns have exploited the financial crisis, the death of actress Brittany Murphy, Swine Flu, the World Cup and other big news events. Holidays are also exploited and we can expect to see Halloween and Christmas themed spam start rising in a few months. Those types of spam campaigns often hawk fake pharmaceuticals and designer goods.

Authorities say while the person or group responsible for the fake BP emails hasn’t been tracked down yet, the United States Postal Inspection Service is investigating. The scammers may have to rethink their scam though as Tony Hayward is no longer CEO of BP.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Phishing Scam Targets Oil Spill Victims

I’ve been dealing with spam for a long time now, and even though we see changes every year in the major threats and new techniques that spammers come up with, one of the things that never seems to change are the myths about spam that people still cling to.

Here are a few of my favourites.

Spam Isn’t a Problem Anymore

Every now and then a journalist will write a column declaring that spam is no longer a problem for the internet.  Their argument is usually based on their own individual experience, and usually includes a description of a complex series of forwarding addresses through multiple services and add-ons before a message actually arrives in their inbox.

Then they add a caveat like “And for the handful that do slip through…”

Unfortunately for businesses a complex solution that can’t scale is no option at all, especially one that still lets the spam through despite all that effort.

I Don’t Give Out My Email Address

This myth usually lasts as long as it takes for the first spam email to arrive at that email address, which is quickly followed by shock and outrage (and wild accusations that their ISP “sold” the address to a spammer).

The only type of email address that will never receive spam is the one that doesn’t exist at all.  No matter how diligently you work to keep your email address private there are multitudes of ways in which it can still end up getting spammed, such as malware on your computer, someone else disclosing it inadvertently, or various attacks where spammers discover the address through dictionary guesses, brute force, or directory harvesting.

The 100% Effective Anti-Spam Technique

If I had a dollar for every time I heard “Nobody would get any spam if we all just…” I’d be retired on the beach by now.  The anti-spam silver bullet doesn’t exist.  Grey listing, fake MX records, and challenge-response systems are often touted as the ultimate solution to spam, but each has flaws either in practicality, scalability, or long term effectiveness (if we all start using the same “perfect” trick, spammers will just find another way).

Anti-Spam Shouldn’t Cost Money

I can only assume this springs up from some kind of resentment over paying for solutions to a problem you didn’t cause, but then again isn’t that the case with most problems?

At any rate, some of my peers in IT opt for a home brew anti-spam solution that bolts together various free components into one overall solution.  Unfortunately for the masses this approach isn’t always possible, because any anti-spam solution is a trade-off between performance, effectiveness, administrative effort, and cost.  Particularly in medium to large environments if you take away the costs and you are most certainly either sacrificing performance or effectiveness, or increasing the amount of administrative effort involved.

There is a reason the anti-spam industry is as commercially successful as it is – people will pay for a solution that reduces spam in a cost effective way.

We’ll Never Stop Spam Completely

Despite my rebuttal of the myths above I do honestly believe that one day we’ll stop spam completely.  I understand that this will take a massive shift in the way that businesses think about email as a marketing channel, a genuine focus by online services to stop abuse, and an unprecedented level of cooperation between global legislative and law enforcement bodies, but I think that one day the cost and risk of being a spammer will be so great that it will die off as a threat to our businesses and way of life.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

5 Top Spam Myths that Still Haven’t Changed

Phishing is usually associated with email, but scammers have been known to redirect their prey offline before they close in for a kill. One way they do that is through retro tech like the good old fashioned fax.

Of course, lots of faxes today are just a step removed from email. Fax hosting services issue their users a phone number for receiving faxes. When the faxes are received by that number, they’re emailed to the user who views them on a computer.

One kind of fax scam that has been a favorite of phishers involves the U.S. Internal Revenue Service. The flim-flammers send an official looking fax to a potential guppie demanding information from him or her. Failure to comply, the target is warned, will result in dire consequences.

Uncle Sam’s phishing fighters in the tax agency’s Online Fraud Detection and Prevention (OFDP) group began chasing down fax scammers in 2009. In the last 18 months, the group has shut down some 250 phishing numbers. Before the group entered the picture, the phishing phone numbers used to remain active for months. Now most numbers are croaked within 12 hours, according to the Anti Phishing Work Group (APWG).

That group announced this week that it has been enlisted by the IRS to help combat fax phishing and has launched a new educational initiative, the APWG Fax Back Phishing Education Program, to educate consumers about protecting themselves from offline grifters.

          “The average losses of offline phishing scams ranges from a few thousand to tens of thousands of dollars–losses that victims don’t realize they have sustained until long after the crime is complete,” the group said in a statement. “The APWG’s Fax Back Phishing Education Program provides telecommunications companies and Fax over Internet Protocol (FoIP) hosting firms with educational instruments to educate consumers the moment they are scammed.”

As part of that program, the APWG developed a fax coversheet that carriers can use to alert their customers that they may have been the victim of a phishing scam. At the top of the sheet is the ominous message: “WARNING! The Fax Number You Dialed Connected to a Scam!”

          “You may have gotten this fax number directly via fax or from an email, text, or voicemail message,” the sheet explains. “No matter how real it seemed, it was a trick.”

“It’s called ‘phishing,’ because scammers fish for information about you or your financial accounts,” it continues. “Once scammers have it, they use it to commit identity theft or fraud.”

In addition to warning victims about phishing, the cover sheet provides useful links for obtaining additional information about phishing swindles and for reporting them to authorities like the Federal Trade Commission (FTC) and the International Consumer Protection and Enforcement Network. Both sites cited by the APWG feed information into a complaint database maintained by the FTC. That database has proven to be a valuable resource to law enforcement and regulatory agencies around the world in probing and disrupting phishing operations.

Soon into its existence, the OFDP reasoned that it would be a good idea to caution callers who were phoning numbers disabled by the agency. Those callers had been targeted by a phisher once. Given the way the Internet underworld shares information, those callers would no doubt be targeted again. In that eventuality, the OFDP wanted the callers to be aware of the peril they’d narrowly avoided because the agency had disconnected the scam line.

The first idea floated by the feds was a voice landing page. When a target called a disabled scam line, he or she would be redirected to that page and hear a message about the line being disconnected, the reason why and some additional information about phishing. That didn’t work too well. It required carrier cooperation, and the carriers weren’t too keen on integrating it into their systems. Another problem was that not everyone targeted by the cyber thieves spoke English so the voice message was just gibberish to them. In addition, many people use automated fax devices. Those devices are looking for a fax signal after making a connection. If they encounter a voice at the other end of the line, they’ll just disconnect the call after failing to find a fax machine there. Looking for a better solution, the OFDP contacted the APWG, which cooked up the fax cover sheet idea.

          “The APWG Internet Policy Committee commends the IRS for its role in protecting consumers against these fax-phishing scams,” Laura Mather, co-chair of APWG’s Internet Policy Committee, said in a statement. “The phishers continue to find compelling mechanisms for contacting consumers and having the IRS work with us to create a program for protecting people who have been contacted by this type of scam shows that the crime fighters cooperate as well as the criminals.”

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

IRS teams with phishing fighters to school public

Security experts are warning about a new phone scam exploiting Microsoft. The scammers are making phone calls claiming to be from the company’s tech support department. The fake Microsoft representatives call and explain that critical errors have been detected in the recipient’s operating system and they want to help correct them. To do so they walk them through several “diagnostic” steps, one of which is to download a program from a website the scammer sends them to. If the recipient goes along, they will have given the scammers remote access to their computer. They then turn their system into a zombie, add it to a botnet and start pumping out spam. Some variations of the scam use the remote access to launch a phishing attack, scanning the system for any personal information. A few bold scammers have even demanded payment for their “help”! So far the scam calls have been reported in Australia, the UK, and the United States. It’s not yet known exactly what botnet is behind the attacks.

If you or any of your employees get such a call, hang up immediately. Should someone in your company fall for the scam, take the infected computer off your network and off the internet completely until it can be cleaned out. An even better idea would be to keep computers containing sensitive data such as financials and employee info isolated from the network and internet in the first place. If it’s not connected it can’t be infected very easily.

Microsoft says they are aware of the calls and are investigating.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Phone Scam Adds Computers to Botnet

Blacklists (or block lists) are a spam prevention technique that uses lists of IP addresses or domain names that are associated with spamming to determine whether to block or allow a particular email transmission.

Although the technique falls under one general description, there are many different implementations of block lists that can be used to make different determinations about whether an email is spam or not.

Some of the different techniques include:

• URI lists – these are lists of domain names and IP addresses that have been used as hyperlinks in emails that lead a victim to a malicious website, for example a bank phishing scam
• Open Relay lists – these are lists of mail server IP addresses that have been discovered as open relays and can be (or have been) used by spammers to send emails
• IP lists – aside from open relays an IP address that has directly been a source of spam, or is highly likely to be a source of spam (eg an ISP’s customer IP blocks)

The mechanism for each is basically the same – the mail server inspects the SMTP connection, or email message, that it is receiving.  It then queries one of these block list providers with the URIs or IP addresses, and if it registers a hit it then takes the configured action (usually to drop the email).

With so many different block list providers and different techniques the obvious question is whether more than one provider should be configured on the email server that is responsible for blocking spam in your organization.  Naturally this depends on the specific organization and which services are being used.

The biggest benefit to using more than one block list provider is that there are more chances to detect spam thanks to a greater diversity of lists being queried.  If you’ve ever had to troubleshoot a deliverability issue by investigating whether a mail server IP is on a block list you would have discovered that of the dozens of lists available not all of them will give the same result for a given query.

Using multiple block list providers also protects you from the scenario in which the provider is unavailable, which could lead to spam entering your organization when it can’t be checked.

However the biggest drawback is that every additional list provider that you configure means additional resources are consume for every email that is checked, both in terms of server processing and network bandwidth.

This trade-off between effectiveness and performance is one that should be seriously considered, as well as monitored on an ongoing basis.

An alternative solution is to use a provided that aggregates multiple techniques into a single service.  This is common for most commercial anti-spam solutions, which will be pre-configured with a vendor-supplies block list service that offers the best trade-off between performance, effectiveness, and also reliability.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Should You Use More than One Blacklist to Prevent Spam?

Security experts have issued a warning about a new spam campaign using PDFs to spread malware. The email arrives with what looks like a note from a friend:

          “Hey man… Remember all those long distance phone calls we made. Well I got my telephone bill and WOW. Please help me and look at the bill see which calls where yours ok…”

The “bill” is attached to the email as “PhoneCalls.pdf” and if clicked on, takes advantage of vulnerability in Adobe Reader in order to download the Sality virus. This virus, which appears to have originated in Russia, is extremely dangerous. It takes over the autorun feature, installs a peer to peer connection to a botnet, downloads additional malware, looks for and disables any anti-virus software it finds, looks for and infects any local, remote, and removable drives, alters the Windows registry to infect any .exe file set to load on startup, and worst of all, damages every file it infects beyond repair. It is one of the nastiest viruses out there today. Its botnet contains over 100,000 computers.

Adobe says they have released an update that repairs the vulnerability and if your IT department hasn’t installed it they should ASAP, but neither that nor having the most recent version of the program are guarantees against getting infected. Sality has been around since 2003 and has grown more and more complex and sophisticated with no end in sight. It’s important to have an anti-virus solution that can block zero-day attacks and threats.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

PDF Spam Returns With a Malicious Twist

VOIP provider Vonage has won a startling court victory when a California judge threw out a lawsuit alleging CAN-SPAM violations saying that deliberately designing emails to bypass spam filters is not illegal.

The suit was filed by the LA County DA’s office after many people complained about getting spam messages from the company with from lines that indicated that they had come from domains that had nothing to do with Vonage. The marketing agent working for the company sent the emails from a list of mostly nonsensical domains registered to them:

• superhugeterm.com
• formycompanysite.com
• ursunrchcntr.com
• urgrtquirkz.com
• countryfolkgospel.com
• lowdirectsme.com
• yearnfrmore.com
• openwrldkidz.com
• ourgossipfrom.com
• specialvrguide.com
• struggletailssite.com

Surprisingly, Justice Ming Chin ruled that the accusations of the spam mails being deliberately misleading were not true:

          “We find,” found Justice Ming Chin, “that a single e-mail with an accurate and traceable domain name neither contains nor is accompanied by ‘misrepresented … header information’ … merely because its domain name … is ‘random,’ ‘varied,’ ‘garbled’ and ‘nonsensical’ when viewed in conjunction with domain names used in other e-mails. An e-mail with an accurate and traceable domain name makes no affirmative representation or statement of fact that is false.”

Obviously Vonage was doing everything they could to prevent their spam from being caught in spam filters, including sending it from ridiculous, nonsensical domains in order to hide, and sadly, it’s all perfectly legal.

How do you feel about the judge’s ruling? Do you agree, or do you think this loophole in the law needs to be closed?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Vonage Beats CAN-SPAM Lawsuit

Online Media Daily is reporting that Microsoft has filed a lawsuit against a spammer they sued 7 years ago for the same thing. Boris Mizhen is accused of spamming Hotmail users and then using millions of fake accounts to manipulate the service’s spam filters. Mizhen and his associates sent their spam to those fake accounts and then moved the messages to their inboxes to trick Hotmail into thinking they were legit and removing the block.

          “Defendants’ deceptive conduct allowed them to circumvent Hotmail spam filters and to continue to disseminate a vast quantity of spam email messages to legitimate Hotmail users,” the company asserts.

An interesting tactic? Yes. A real scum bag? Pretty much. That said I’m not sure suing spammers is really all that wise. There have been many lawsuits filed and won and huge settlements awarded, but have the companies who won ever seen a dime? Not likely. Most spammers avoid paying by filing bankruptcy, and some live overseas, making collecting futile. The companies have their victories-and their legal expenses. Is it worth it? It doesn’t appear to stop spammers one bit, and Mizhen is proof.  He lost the first lawsuit, was ordered to pay Microsoft $2 million and agreed not to spam Hotmail users any more. That didn’t last long. While something needs to be done about spammers I don’t think lawsuits are the answer. Instead, we need tough new anti-spam laws and more prosecutions. Multi-million dollar judgments don’t faze spammers one bit. Maybe the prospect of doing hard jail time will.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Suing Spammers: Is It Worth It?

If spammers are anything, they are persistent, as is the case with Boris Mizhen. Mizhen, along with Dimitri Kovalsky and Muhommad Mohsan-ul Moula were sued by Microsoft this week for creating bogus Hotmail accounts and using them to camouflage their spam.

Microsoft is very familiar with Mizhen’s antics. In 2004, the Connecticut resident paid the company $2 million to settle a lawsuit slapped on him for spamming Hotmail users.

Microsoft revealed the CAN-SPAM Act lawsuit, filed in federal district court in Seattle, in an item written by its General Manager of Safety Services John Scarrow in its “Microsoft on the Issues” blog. In the blog item, Scarrow wrote that the scheme hatched by Mizhen et al was “one of the largest-ever spam attacks on Windows Live Hotmail.”

Three of Mizhen’s companies were named in the litigation–Media Network, Inc., New Age Opt-In, Inc. and Permission, Inc. While posing as legitimate advertising companies, Microsoft alleges, the outfits are actually just launching pads for spam.

According to Microsoft, the spammers devised and implemented a plan to use Hotmail’s junk defense systems–Junk E-Mail Reporting Program (JMRP) and Smart Network Data Services (SNDS)–to legitimize their electronic effluent.

JMRP is free program that senders can enroll in. It’s designed to create reports for senders about how their messages are being treated by Hotmail. If a message is marked “junk” or “phishing” by the system, it, along with its headers, will be returned to the sender. The purpose of the program is to help senders avoid squirting unwanted messages to Hotmail users.

SNDS is another free service offered by Microsoft. It’s designed to give senders some insight into how Hotmail users are rating the email they receive from senders and how the system’s filters are treating those senders’ messages.

While both applications are meant to be helpful tools for legitimate marketers, like any tool, they can be used for both bad or good. Allegedly, Mizhen and his co-defendants apparently chose to use the tools as a means for nefarious ends.

“In our lawsuit,” Scarrow explained in his blog posting, “we allege that defendants opened millions of Hotmail email accounts and hired people to manually identify spam mails as legitimate mails in order to trick Hotmail into classifying spam as legitimate mail.”

“Such actions undermine the measures we’ve put in place to protect people,” he continued. “We take this abuse very seriously, and while Hotmail and our SmartScreen filter continue to work to block spam from this identified scheme, we’ll keep investigating and pursuing spam attacks to protect our network and our customers.”

“SmartScreen” is a way devised by Microsoft to use crowd sourcing to improve the efficiency of its spam  filtering. If a spam message arrives in a user’s Hotmail inbox, the user can mark the message as junk. That information is then sent to Microsoft, which will use it to classify similar messages in the future. If legitimate mail is misdirected to the junk mail folder, a user can mark it as “not junk” and Microsoft will take that information into account in the future, too.

Ordinarily, as a supplementary spam fighting system SmartScreen would work well. To undermine it, a lot of manual labor would be involved. Spammers, generally, aren’t into manual labor. They’d prefer to automate their misdeeds. Mizhen and company, though, appear to have broken that tendency and brute forced their attack on the Hotmail filtering systems.

Automation was used in creating the millions of Hotmail accounts used in the scheme to sanitize the junk mail sent into the account by the spammers. Once the accounts were created, the emails were sanitized by hand so the messages could reach legitimate Hotmail users unimpeded by Microsoft’s spam filters.

Opening a Hotmail account requires solving a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) puzzle. That usually requires typing in some words displayed on the screen in distressed type. It usually works very effectively at foiling the bots used by spammers to automate creating accounts.

However, spammers have become increasingly sophisticated in cracking CAPTCHA schemes, as was evident in this massive attack on Hotmail. Reportedly, one of the defendants in the case, Muhommad Mohsan-ul Moula, is able to create Hotmail accounts for $15 per thousand. Another well-known CAPTCHA cracking outfit, Decaptcher.com, says it can do it even cheaper at $2 per thousand.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Microsoft spam suit involves old nemesis

Technically it wasn’t them but a third party marketing company they hired, but the irony remains. According to an article on The Register, a few months ago security firm Sophos was red faced after discovering the marketing company they hired was flooding blogs with comment spam. They quickly apologized and promised to give the company a stern talking to. It’s unknown whether that marketing company is still on the company’s payroll.

I find it incredible that this was allowed to happen in the first place. You’d think part of the agreement with the marketing firm was that all campaigns and ideas needed to be approved by Sophos before being put into action? If not it was a foolish mistake on their part. If the marketing company was supposed to get approval but didn’t bother, shame on them!

This illustrates the importance of really checking out any company you hire to do advertising, marketing or PR. These companies will be representing you and any mistakes they make will reflect on you. A good reputation takes a while to build but can be shattered in an instant. If you decide to work with a company, do your homework. Research them and get recommendations from colleagues, and have your legal department go over contracts carefully. Make sure you make it very clear the kinds of advertising and publicity techniques you are okay with and which ones are forbidden, and make sure you approve all campaigns before they are launched. Finally, make the consequences of any kind of spamming or SEO attack activity crystal clear.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

The Ultimate Irony: When An Anti-Spam Firm is Caught Spamming!

          My Internet Service Provider is very effective in blocking spam from my inbox. However, recently I noticed more junk mail sneaking through than is typically the case. So last month I decided to collect the pesky crap sneaking through my ISP’s filters. Here’s what I discovered.

An apparent tried and true technique for getting a subject line through a filter is to sprinkle numbers within words. So “From Canada to you” becomes “Fr4m C9nada to you” and “See huge discounts now” becomes “See hu2e discounts now.” The word medications is often misspelled “medication’s,” but that seems to be more an ignorant mistake than a devious tactic to breach anti-spam defenses. The mixed letters-numbers technique seems to be a favorite of pharmaceutical spammers.

What escapes me about the tack is that it actually makes identifying the junk easier for a user–even if spam filters appear to have trouble catching it. The numbers stick out in the subject’s words like a Goth at a young Christians convention so targets can send the electronic detritus to the trash without viewing its contents and without being tempted to click on the link in it.

The inside of the pharma spam messages is fairly simple. It consists of another mixed alpha-number phrase–”Canadian m36ication’s are cheaper,” for example, or “Sa1e4on your medication’s with us today”–a URL and several rows of letters and numbers. The URLs share one thing in common: the subdomain spaces.live.com. Although spaces.live.com belongs to Microsoft’s Live Spaces service, several sources on the Web note that the subdomain is just one stop in a series of redirects a real spam site.

The letter-number dodge, by the way, was developed by spammers to fool signature-based filters. Those filters create signatures for spam messages from the text in them. The problem is, any change in text triggers a new signature. Spammers can keep one step ahead of the filters by automatically changing the text in each message. So a signature that identifies a message containing “m3dications” as spam won’t work on message that uses “m7dications” in its text.

As with any automated scheme, patterns began to emerge that spam fighters could use to identify junk  containing randomly generated characters, but spammers continually modify their methods, too, and have managed to stay ahead of the curve on their adversaries.

Another sortie launched on my inbox would have been insidious if it weren’t so incompetently handled. It involved inept phishers posing as personnel from my ISP. One message, for instance, had an address with my ISP’s domain on the “from:” line, but the “reply-to:” field had a mail2wold address. What’s more, the letter generator used to create the message apparently hiccupped in the middle of composing its malicious missive. “Please provide your details for our storage limit which is 10GB as set by your administrator immediately provide Your Dear [Web mail account] Subscriber,” it said.

Two other attacks that slid through my ISP’s defenses  involved a phony support call. Both of the  messages made the same addressing mistakes as the storage ploy. They used an address with my ISP’s domain in the originating address (one used the actual address of singer) and a foreign address in the reply field. The messages were a little better crafted than the storage ploy, but still contained fractured English and transparently unofficial. Here’s what one said.

“There will be an upgrade in our system between May 25th to 2nd June 2010.  Due to the anonymous registration of Webmail Account [ISP] and number of dormant accounts, we will be running this upgrade to determine the exact number of subscribers we have at present.

“Be instructed to login to your WEBMAIL.[ISP] email account to verify if your account is still valid and send immediately your login information’s [spammers have a lot of trouble with English plurals...] to enable us Verify [...as well as the use of verbs and uppercase letters] your account properly in other [sic] to keep your email account active so it will continue as normal.:

User  ID
Password
Date of Birth
State

“Thanks for your attention to this request. Once again We apologize for any inconveniences. Warning!!! Account users that refuse to update His/her account within 24hrs of receiving this notifications will automatically have His/her account deactivated.”

While the substance of these attacks may be laughable, they’re serious business for their originators. It’s a business that, I believe, most of us can live without.


Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Pharma, ISP spam invade inbox in May

A U.S. district court judge in California has forced a shady ISP out of business.  On April 8^th, Judge Ronald Whyte ordered the sale of all assets belonging to Pricewert, also known as 3FN.net.  He also ordered the company to forfeit over $1 million in profits to the FTC, profits he says were gained through illegal activity.  Security experts helped make the case against them.

          Whyte wrote in a disgorgement order. “These experts had analyzed data derived from internet searches which establish that defendant, an internet service provider, was engaged in widespread illegal activity, there seems to be little doubt from the information provided that Pricewert functioned primarily as an internet service provider for illegal activity.”

Pricewert has long been known as an ISP that catered to spammers, malware distributors and child pornographers, so news of its closure was cause for celebration by many.  The FTC claimed that by providing services to botnet herders and spammers was an unfair business practice.  Whyte agreed and issued a restraining order against them last year, barring the any upstream provider or data center from providing service to them.

The FTC alleges that Pricewert blatantly ignored take down orders and ran its own botnets for which it actively recruited herders for. Transcripts of IM chats show the employees discussing those botnets with several botnet herders, and officials say nearly 5,000 different types of malware  were controlled by those botnets.

The company fired back, accusing the FTC of blaming them for the actions of their customers  but the agency says that only a tiny percentage of the company’s customers were legit .

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Judge Orders Permanent Shut Down of Shady ISP

A recent study looked at 50 U.S. cities to determine how vulnerable they are to cybercrime. They used a variety of factors to create the rankings, including number of hotspots, percentage of citizens with internet access and the type of access available, how many zombie computers found in the city, and more. They then ranked the cities using categories such as percentage of residents that shop and bank online, which they consider risky behavior, and reported cybercrimes per capita.  Here are the top 10:

1. Seattle, WA
2. Boston, MA
3. Washington, DC
4. San Francisco, CA
5. Raleigh, NC
6. Atlanta, GA
7. Minneapolis, MN
8. Denver, CO
9. Austin, TX
10. Portland, OR

Seattle came in first because it is an extremely wired city with an average of 103 hotspots for every 100,000 people and the highest percentage of citizens that go online regularly-68%. Boston ranked highly due to its dubious distinction of being one of the most zombie infested (the spam kind, not the horror movie kind!) cities in the country. Only Atlanta and Miami have more. Not surprisingly, Washington DC has one of the highest cybercrime rates in the country.

Does this mean if your company is located in one of these cities you’re doomed to be a cybercime victim? Of course not.  There are plenty of things your company can do to protect itself. A strong IT department, solid security practices and a clear, enforced internet usage policy for your employees are your best defenses. Don’t skimp on them.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Top 10 Most Cybercrime Vulnerable Cities

A Russian ISP known to be friendly to cybercriminals has been knocked offline. PROXIEZ-NET was known to be hosting over a dozen command and control servers for the massive Zeus botnet. Zeus is an information thief that targets banking info and logon credentials for popular e-commerce sites like Amzazon.com and eBay. The bots C&C servers also allowed the attackers to have complete control over the computers it infected. They were able to do everything from shut the computers down to wiping their hard drives completely. Those servers are now cut off from the net because PROXIEZ-NET’s upstream provider DIGERNET has refused to provide further service to them.

          In a BBC News interview, ZDNet UK editor Rupert Goodwins said this takedown is yet “another skirmish in the fight to decapitate the malware networks, in this case by disconnecting the control networks used to co-ordinate trojans and rootkits”.

Any legitimate services that may have been using PROXIEZ-NET should probably be thankful for the action as it’s likely that they were or would eventually have been blacklisted. Should PROXIEZ-NET be able to find a new provider, they will almost certainly be ostracized by the online community due to their reputation.

The shutdown brings to mind the 2008 shutdown of notorious ISP McColo, which hosted numerous spammers and several of the top botnets at the time, including Rustock.  Those botnets were crippled by the shutdown and global spam levels plummeted by 75%. Sadly, that didn’t last for long as several months later new hosts had been found and the botnets returned with a vengeance.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Botnet Friendly ISP Knocked Offline