Written by Sue Walsh on February 22, 2010
A notorious hacker who ran an underground site that was a popular hangout for hackers, carders, scammers, spammers, and other cybercriminals has been handed a 13-year prison sentence for his part in a series of credit card scams that cost the US $86 million.
Max Ray Vision was also ordered to pay over $27 million in restitution. He ran CardersMarket, a forum where cybercriminals bought and sold malware and stolen card numbers, swapped war stories and socialized. His crimes, which included harvesting stolen banking and credit card information, came to a halt after the Secret Service infiltrated the site. When arrested he had nearly 2 million stolen credit card numbers in his possession.
Vision was facing a life sentence, but it was reduced because of his cooperation with authorities. It won’t be his first time behind bars: in 2001 he spent 18 months in jail for participating in a scripting attack against the Pentagon.
Written by Paul Cunningham (http://www.exchangeserverpro.com) on January 20, 2010
Paul lives in Brisbane, Australia and works as a technical consultant for a national IT services provider, specialising in Microsoft Exchange Server and related messaging systems.
British ISPs have reacted strongly to the suggestion of Trend Micro CTO David Rand that the ISPs should actively combat the problem of spam on the internet.
Rand suggests that ISPs block TCP port 25 (the port used for SMTP, the protocol servers on the internet use to exchange email), contact customers they suspect of being the source of spam outbreaks, and push for stronger government legislation.
The legislation idea has merit; after all, the lack of cooperation between government agencies is how many international spam operations manage to go unpunished. Blocking SMTP, on the other hand, is impractical and costly to implement, both technically and from a service perspective.
The basis of the idea is this: customers send mail using SMTP, so blocking outbound SMTP and requiring customers to send mail through the ISP’s own mail servers allows close monitoring of email traffic and detection of spam.
The solution is problematic, though, because many ISP customers, home users and businesses alike, have perfectly good reasons not to send their email through their ISP’s mail servers. These customers would need to be exempted from the block, and so could not be closely monitored.
The monitoring itself also presents two problems. Firstly, customers object to having their email correspondence inspected by other parties, including their ISP. Secondly, any false positives could have disastrous consequences if important emails were blocked. ISPs do not want the exposure to liability if they block an email and the result is monetary loss for the sender or recipient. Continue reading: ISPs Don’t Want to be Spam Cops
Written by Giselle Borg Olivier on January 18, 2010
Get rid of spam once and for all this year with ExchangeServerPro.com and GFI Software. Head over to ExchangeServerPro.com where Paul Cunningham is holding a Spam Free 2010 contest in collaboration with GFI Software and giving away two license packs of GFI MailEssentials™.
Two people have the chance of winning: the first prize is a 50-user license pack and the runner-up prize is a 25-user license pack.
For details on how to enter the competition, check out Paul’s blog post. The deadline for the contest is 31 January 2010, Australian EST.
Written by Sue Walsh on January 11, 2010
A bug in the popular SpamAssassin anti-spam engine caused legitimate emails sent in the first few days of 2010 to be marked as spam. It’s not known exactly how many emails were affected, but the bug hit ISPs across the globe. The problem was with the ‘FH_DATE_PAST_20XX’ rule. In the rules shipped with SpamAssassin 3.2.0 through 3.2.5, the rule had not been updated to reflect the new year, so any email with a date in 2010 was flagged. The rule exists because some spammers send their messages with a date far in the future so they appear at the top of recipients’ inboxes. Apache released a statement apologizing for the error:
Versions of the FH_DATE_PAST_20XX rule released with versions of Apache SpamAssassin 3.2.0 thru 3.2.5 will trigger on most mail with a Date header that includes the year 2010 or later. The rule will add a score of up to 3.6 towards the spam classification of all email. You should take corrective action immediately; there are two easy ways to correct the problem:
If your system is configured to use sa-update run sa-update now. An update is available that will correct the rule. No further action is necessary (other than restarting spamd or any service that uses SpamAssassin directly).
Add “score FH_DATE_PAST_20XX 0” without the quotes to the end of your local.cf file to disable the rule.
If you require help updating your rules to correct this issue you are encouraged to ask for assistance on the Apache SpamAssassin Users’ list. Users’ mailing list info is here.
On behalf of the Apache SpamAssassin project I apologize for this error and the grief it may have caused you.
Experts say the incident is further proof that flagged messages should not be deleted outright; instead, everything marked as spam should be delivered to a folder where the recipient can review it.
Apache fixed the issue as soon as it became aware of it and urged all users to update their rules regularly.
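As an added illustration, not code from this post or from the SpamAssassin project, the Python below models why a "date far in the future" rule built on a hard-coded year range breaks at a year boundary, contrasts it with a check relative to the current time, and shows what the local.cf score override does. The regex, the 10-year grace period and the local.cf parsing are assumptions made for this example; the project's exact rule text is not on the page.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

RULE_NAME = "FH_DATE_PAST_20XX"
DEFAULT_SCORE = 3.6   # the maximum score the Apache statement mentions

# Assumed reconstruction of the flawed check: a fixed year range that meant
# "2010 and later" back when those years were still the future. From
# 1 January 2010 on, every legitimate message matches it.
FLAWED_YEAR_RE = re.compile(r"\b20[1-9][0-9]\b")

# Fixed reference time for the example (a few days into the 2010 incident).
EXAMPLE_NOW = datetime(2010, 1, 4, tzinfo=timezone.utc)


def flawed_rule_hits(date_header: str) -> bool:
    """The year-range version: fires on any Date header containing 2010-2099."""
    return FLAWED_YEAR_RE.search(date_header) is not None


def robust_rule_hits(date_header: str, now: datetime = EXAMPLE_NOW,
                     grace_years: int = 10) -> bool:
    """Compare the Date header to the current time instead of a fixed year."""
    try:
        sent = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):
        return False            # unparsable dates are left to other rules
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    return sent > now + timedelta(days=365 * grace_years)


def parse_local_cf(text: str) -> dict:
    """Collect 'score RULE VALUE' overrides from a local.cf fragment."""
    overrides = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "score":
            overrides[parts[1]] = float(parts[2])
    return overrides


def rule_points(date_header: str, local_cf: dict) -> float:
    """Points the flawed rule adds; 'score FH_DATE_PAST_20XX 0' neutralises it."""
    score = float(local_cf.get(RULE_NAME, DEFAULT_SCORE))
    return score if flawed_rule_hits(date_header) else 0.0
```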
Written by Sue Walsh on November 30, 2009
The University of Alabama’s Spam Data Mine has discovered a new malicious spam campaign that is designed to steal social security numbers as well. The messages are made to look like an alert from the Social Security Administration and have subject lines such as “Review your annual Social Security statement” and “Watch for errors on your Social Security Statement” and direct the recipient to click the included link to visit the SSA’s website. The link redirects to a legit-looking but malicious fake of the actual government website. The page asks visitors to input their social security number before proceeding. Next, it presents them with a page asking them to download their Social Security statement and review it for errors, promising tax breaks and refund payments if any errors are found.
The UAB Spam Data Mine says that when the link is clicked the Zbot Trojan is downloaded. This is a widespread and nasty banking Trojan that steals logins, banking details and other personal information. It installs a keylogger that records everything typed into websites on the infected computer, and it also adds the machine to the Zeus botnet.
Zeus has been around for a while now and shows no signs of slowing down. It is also pummeling Facebook with phishing emails and sending out fake FDIC and IRS alerts in separate spam campaigns. Another variant of the Zbot Trojan is being spread via messages claiming someone has posted compromising photos of the recipient on the web. The messages direct them to the site where the alleged photos are on display, but the downloadable “photo archive” is actually Zbot.
Since this latest campaign is so new, it is still undetectable by many major anti-virus programs but that will likely change very soon.
Written by Sue Walsh on November 12, 2009
Researchers have successfully knocked a major botnet offline. The Mega-D botnet was shut down by a team at FireEye. The researchers attacked the botnet by registering some domains meant for the botnet’s command and control servers and shutting down others. As a result it stopped sending spam immediately.
The attack began with abuse complaints sent to the ISPs hosting Mega-D’s infrastructure; nearly all of them were acted on. The researchers then worked with domain registrars to shut down the primary domains of the command-and-control (CnC) channels, registered the remaining domains on Mega-D’s CnC list, and pre-registered some of the domains the botnet had not yet generated (it is programmed to generate new backup domains from the date and time) for three days, crippling it further.
In the process, FireEye gained control of the CnC channel, which it used to help the owners of the zombie computers regain control of their PCs.
While Mega-D has for now completely stopped sending spam, researchers say it is only a matter of time before it comes back to life. To keep the botnet offline for good they’d have to keep registering future domains to stay ahead of it. This is still very good news. Mega-D is one of the largest botnets on the net and is responsible for pumping out billions of spam messages, most hawking fake supplements, shady internet pharmacies, and male enhancement products. FireEye’s experiment has proven that maybe, just maybe, bot herders aren’t quite as smart as they think they are.
Written by John P Mello Jr (http://twitter.com/jpmello) on November 5, 2009
John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.
By the middle of next year, the lock that Latin alphabets have had on Internet domain names will be broken, when a plan announced last week by the International Corporation for Assigned Names and Numbers, better known as ICANN, is implemented. That prospect may have phishers licking their lips.
The move, which ICANN calls the biggest technical change in the 40-year history of the Internet, will allow domain names to be created in scripts such as Arabic, Korean, Greek, Hindi, Japanese and Cyrillic. It was initially approved in 2008, but finalization won’t be completed until the organization wraps up its conference in Seoul, Korea. While the new non-Latin addresses won’t start appearing until next year, ICANN expects applications for the domains as early as next month.
ICANN estimates that more than half of the Internet’s 1.6 billion surfers use non-Latin alphabets and that accepting those alphabets in domain names will save 60 billion to 100 billion keystrokes a day by removing the need to type Latin country codes in Web addresses. Some countries already use their native alphabets in domain names, but their country codes remain in Latin letters. Bulgaria, for example, uses Cyrillic, but its country code is .bg.
Continue reading: ICANN move contributing to URL spoofing?
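The spoofing risk the post hints at is the homograph: a Cyrillic or Greek letter that looks like a Latin one inside an otherwise Latin label. As an added example (not code from the post or from ICANN), the Python below shows the ASCII form a resolver actually sees for an internationalized name and a mixed-script heuristic a mail filter or browser can apply to a hostname; the sample hostnames are constructed, and the check is deliberately a heuristic (Japanese, for instance, mixes Hiragana, Katakana and Han legitimately).

```python
import unicodedata


def char_script(ch: str) -> str:
    """Script family taken from the Unicode name: 'LATIN', 'CYRILLIC', 'GREEK', ...

    Digits and the hyphen are allowed in any label, so they count as 'COMMON'.
    """
    name = unicodedata.name(ch, "")
    if not name or ch.isdigit() or ch == "-":
        return "COMMON"
    return name.split(" ")[0]


def label_scripts(label: str) -> set:
    """Distinct scripts used by one DNS label, ignoring script-neutral characters."""
    return {char_script(ch) for ch in label} - {"COMMON"}


def is_mixed_script(hostname: str) -> bool:
    """True if any label mixes scripts, e.g. Latin 'paypal' with a Cyrillic 'а'.

    A whole-label Cyrillic name such as яндекс.рф is not flagged: that is the
    legitimate use the ICANN change enables.
    """
    return any(len(label_scripts(label)) > 1 for label in hostname.split("."))


def to_ascii_form(hostname: str) -> str:
    """The 'xn--' (IDNA) encoding of the name as sent to DNS and shown by cautious clients."""
    return hostname.encode("idna").decode("ascii")


def assess(hostname: str) -> dict:
    """Summary a filter could log for a URL found in an email (constructed format)."""
    return {
        "host": hostname,
        "ascii": to_ascii_form(hostname),
        "mixed_script": is_mixed_script(hostname),
    }
```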
Written by Sue Walsh on September 29, 2009
Despite the economic downturn, spam is still as profitable as ever. A new report says that the group of spammers behind most Viagra spam rakes in an average of $4000 a day. The average order for the drug totals around $200 so they only need 50 sales a day out of the millions of spam messages they send to make a handsome profit.
The report says that most of the spam is the work of “the partnerka”, a group of Russian spammers working on behalf of Canadian pharmacies. The group earns a 40% commission on each sale, which is where the $4000 a day comes from. One of the biggest pharmacies is a company called GlavMed. While it claims to be strongly anti-spam, it has a sister company called SpamIt, an affiliate network suspected of being responsible for several botnets, including Waledac and Conficker.
Think getting those sales can’t be easy with all the spam filters and tools available? Unbelievably, the Messaging Anti-Abuse Working Group conducted a survey of its own and found that a whopping 52% of email users admitted to clicking on a spam email, and 12% actually bought the product!
While email spam is still profitable, the proliferation of tough new spam filters and blacklists has led many spammers to move over into web based spam, which is becoming an increasing problem on sites like Twitter and Facebook. Spammers seem to think it’s easier than traditional email spam.
It’s clear that spam is a vital part of the booming underground economy of cybercrime, and it’s not going anywhere. As long as there are still people out there who are not only willing to read spam but to visit spam sites and actually buy the product, there will be spammers doing all they can to cash in on them.
Written by Paul Cunningham on August 26, 2009
I am currently involved in discussions with a client about the feasibility of moving their Exchange environment to a hosted email provider. The client is considering it on the basis that it will reduce costs and improve the maintenance and health of their email platform by having it all looked after by an outsourced provider.
At face value these points may be valid (a detailed cost/benefit analysis is still ongoing) however one item that did come up in the technical analysis is the impact it would have on the choice of email security product being used. Basically it would remove the choice entirely, as the providers being considered offer a single solution for email anti-virus and anti-spam protection.
Although most email security products have similar features, not all of them are created equal. Features can be included or excluded from product to product, and even features common to several products can differ widely in quality and performance. Continue reading: Do Hosted Email Providers Mean Lack of Choice?
Written by Paul Cunningham on August 5, 2009
My last post on international spam fighting attracted a comment from reader Andreas Kroll. Andreas asks “Why is it really so hard to tackle spam?”
That is a good question, and one we don’t often stop to think about. The war against spam carries on, with each side adjusting to the other’s new techniques. This constant shifting of the landscape makes anti-spam a very fluid, dynamic industry with rapid technology changes. Of course, the regular person using their computer for email and internet access is probably wondering what all the clever people at the anti-spam companies are really doing about it.
Let’s take Andreas’ comment for example.
“Spam in itself is the repeated sending of (nearly) identical messages to a lot of people.”
This would be true if all spam messages were created equal. I’m sure we’re all familiar with viagra spam, Nigerian 419 spam, or lottery spam, but if you sat and looked at 10 viagra spam emails in your Junk email folder you wouldn’t find two the same. Spammers simply use an email template with a series of variable portions and run scripts to insert a variety of values into those fields. A short spam email with just 10 fields, each with 10 possible values, can produce 10,000,000,000 unique spam emails. Continue reading: Why is it Really So Hard to Tackle Spam?
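To show why template variation defeats the "identical message" view of spam, here is an added example (not code from the post or from any anti-spam product): three constructed variants of one template, a byte-exact hash that treats them as three unrelated messages, and a normalised word-bigram similarity of the kind fuzzy signatures use to recognise them as siblings. The variants, the normalisation rules and the 0.6 threshold are assumptions for the example.

```python
import hashlib

# Constructed variants of one template: name, order number, product and URL vary.
VARIANTS = [
    "Dear John, your prescription order #48213 is ready. Super Pills at 80% off, "
    "discreet shipping worldwide, no doctor visit required. Order now at "
    "http://example-pharm.test/a1 before the offer ends.",
    "Dear Mary, your prescription order #90377 is ready. Mega Pills at 80% off, "
    "discreet shipping worldwide, no doctor visit required. Order now at "
    "http://example-pharm.test/z9 before the offer ends.",
    "Dear Alex, your prescription order #11524 is ready. Super Pills at 80% off, "
    "discreet shipping worldwide, no doctor visit required. Order now at "
    "http://example-pharm.test/q4 before the offer ends.",
]


def exact_fingerprint(msg: str) -> str:
    """Byte-exact hash: changing a single field yields a different digest."""
    return hashlib.sha256(msg.encode("utf-8")).hexdigest()


def normalised_words(msg: str) -> list:
    """Lowercase, mask URLs and anything containing digits, drop punctuation."""
    out = []
    for word in msg.lower().split():
        if word.startswith("http"):
            word = "<url>"
        elif any(c.isdigit() for c in word):
            word = "<num>"
        out.append(word.strip(",.!?"))
    return out


def shingles(msg: str, n: int = 2) -> set:
    """Set of word n-grams; the template skeleton survives field substitution."""
    words = normalised_words(msg)
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def similarity(a: str, b: str) -> float:
    """Jaccard similarity of shingle sets, 0.0 (nothing shared) to 1.0 (identical)."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)


def same_template(a: str, b: str, threshold: float = 0.6) -> bool:
    return similarity(a, b) >= threshold
```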