The FTC gets over 200,000 Spam Messages a Day

Written by Sue Walsh on August 9, 2010

BusinessWeek has a great article about the FTC and how they’ve evolved to become a fixture in the war against spam and online fraud. They have a server that holds over 314 million spam messages and receives over 200,000 more a day. Investigators analyze the messages in their efforts to track down spammers and prosecute them under the CAN-SPAM law. Successful investigations lead to spammers being fined and sometimes jailed. They’ve also begun moving into the areas of social networking and identity theft.

I wonder though, of all the spam messages they collect, what percentage originates from somewhere other than the U.S. Most hardcore spamming operations are safely overseas on bulletproof hosts in countries that don’t investigate or prosecute cybercrime either due to lack of understanding, lack of resources, or law enforcement corruption. Since these spammers can be convicted and fined without having to actually appear in court, yet can’t be made to pay up unless they enter the U.S., it seems such investigations could all be done in vain. Suing spammers doesn’t work well either – they just declare bankruptcy and move on to a new scam. There have been a few cases lately about spammers who’ve gotten themselves pretty hefty jail sentences but again, it doesn’t really work when the spammer is overseas somewhere.

So yes, the FTC is doing a great thing by investigating spammers and holding them accountable under the CAN-SPAM Act, but fighting spam will only be truly effective when all countries do so together and have similar anti-spam laws.

Why spammers slip through jaws of legal beagles

Written by John P Mello Jr on June 1, 2010

With so much spam choking email channels on the Internet–some estimates peg spam volumes at as much as 95 percent of all email traffic–you’d think there’d be more lawsuits against the perpetrators of the junk. That’s not the case, however, and there are more than a few reasons why that’s so.

Terry Zink, at his Anti-malware blog, argues that the reason spammers aren’t prosecuted is they locate themselves in jurisdictions that tolerate the junksters for various motivations. “Some of the worst criminals in [the] spamming underworld are located in [E]astern Europe and Russia,” he writes. “Many of them are known to the authorities but they are not pursued by [those] authorities.”

A quick look at the latest Spamhaus list of the world’s Top 10 Worst Spammers shows that Zink’s analysis is right on the money. Seven of the top 10 junko artists are from Russia or one of its former republics.

Among the culprits fingered by Spamhaus were three from the Russian Federation–Leo Kuvayev, of Bad Cow, which deals in pirated software, knock-off pharmaceuticals, porn spam and payments collections, and botnet viruses; Peter Severa/Peter Levashov, a partner with a number of spam gangs; and Ruslan Ibragimov, of send-safe.com, creator of stealth spamware and operator of a spam distribution network from compromised computers and hijacked open proxies.

Spammers based in the Ukraine were Canadian Pharmacy, which operates a botnet spam distribution network and a number of spam websites; Alex Blood/Alexander Mosh/AlekseyB/Alex Polyakov, a massive botnet operator and purveyor of child porn, pharma and mortgage spam; and Yambo Financials, a distributor of child, animal and incest porn, as well as pirated software and pharma spam.

ISP Wins $2.6M Judgement Against Spammers

Written by Sue Walsh on May 31, 2010

California-based ISP Asis Internet Services won their lawsuit against a group of spammers and was awarded a $2.6 million judgment. Asis sued a company called Find a Quote after being hit with nearly 25,000 spam messages from them. They said dealing with the flood of spam cost them money, time, and business. They asked for $3.1 million, the maximum amount allowed by law.

The spam was an attempt to drum up leads for an affiliate program. Find a Quote said it does not tolerate spam and had no knowledge that its affiliates were using spam to get sign ups. Presumably the judge didn’t buy that argument.

A U.S. District Court judge agreed with Asis’ argument that Find a Quote had violated the CAN-SPAM Act by sending emails with fake headers but awarded them an initial $865,000, which was then tripled because the company’s spamming was considered aggravated. Asis says Find a Quote used directory attacks and automated scripts to create the fake email accounts it used to send the spam. Asis said it cost them around $3,000 to process the spam.

It’s not likely Asis will ever see any of that $2.6 million. Find a Quote’s website has vanished and there is no contact info available. They’ve had no comment on the matter and it’s not known if they even showed up in court or not.

Is filing lawsuits against spammers worth it to your company? Even if a monetary judgment is awarded the chances of actually seeing any of it are slim. Spammers either file for bankruptcy or are located in another country and are impossible to collect from.

Will Businesses Need Spam Insurance One Day?

Written by Paul Cunningham on May 19, 2010

Could your business become financially liable for spam that comes from your network?  It might sound far-fetched, but it could one day become reality.

The Email Security Matters blog notes a German court has ruled that home users could be fined for malicious or illegal acts that take place on their unsecured wireless network.  The focus at the moment seems to be on illegal downloads, but other issues such as spam could just as easily be thrown into the spotlight.

Fined for Being a Victim?

The implications for business are serious enough to take some notice.  Even the lawmakers who do make an effort to combat spam face the massive difficulty of enforcing their local laws across numerous international jurisdictions.

Faced with those challenges law enforcement may turn their attention to homes and businesses that are, by ignorance or laziness, allowing their computers and networks to be used as spam conduits.

I do sometimes wonder if spam would be taken more seriously if a server owner could be fined for their server being overtaken by spammers, or an ISP fined and shut down (not by upstream providers, but by legal or regulatory intervention) for sending spam.

Criminal liability is one thing, but precedents for civil liability could also be set.  Imagine a world where one company sues another for the malware or spam outbreak that originated from their networks and cost time and resources to combat.

Who is Really Liable for Spam?

But in reality where does the liability begin, and where does it end, if not with the spammer themselves?  Is the home computer user responsible for their computer becoming part of a botnet?  Or is the browser developer who allowed the cross-site scripting attack, the operating system maker for permitting the machine to be taken over, the antivirus vendor for not stopping the malicious code from executing, or the ISP for not detecting and blocking the resulting spam?

Anti-Spam is Not One Size Fits All

Written by Paul Cunningham on May 7, 2010

Anti-spam technology encompasses a lot of different practices, techniques, and systems for detecting and blocking spam emails.  Customers sometimes look for a turnkey, push button, set and forget anti-spam solution that will “just work”.

The reality is that not all anti-spam techniques are suitable for all occasions, and often require specific configuration or tuning to suit a given environment.  Here are some examples:

Recipient Filtering

This technique makes the assumption that email that is sent to a non-existent address is likely to be a spammer trying a dictionary attack, and should therefore be rejected.

However that assumption does not take into account some valid scenarios, such as:

  • Email servers that are accepting email for other organizations and relaying it to them. In these cases the recipient does not exist in the first organization, but does exist in the second organization.  The first organization therefore must accept emails even for recipients that are invalid in its own organization.  This is quite common for two organizations going through a merger process.
  • Companies that want to make use of a “catch all” mailbox to receive misspelled or incorrectly addressed email that might be critical to their business, such as sales and customer service enquiries.

Content Filtering on Specific Keywords

About 10 years ago it was very common to do anti-spam filtering by using a list of specific keywords and phrases.  Some organizations try to continue this technique even today, and it can work well, but in some industries it is impractical or impossible to block certain keywords that most people would associate with spam.

The Spam Stalemate

Written by Paul Cunningham on February 24, 2010

The Messaging Anti-Abuse Working Group (MAAWG) has released new figures that put the average volume of email spam on the internet at 90%, peaking as high as 94.2% in recent years.

Jerry Upton, MAAWG Executive Director said “We’ve been sitting at a stalemate for probably two to three years.  Taking out the highs and lows, we’re sitting at about 90%”.

Figures that regularly appear from various security vendors have been telling the same story for several years now.  With latest figures confirming the continuing trend one might be forgiven for wondering who is really winning the war against spam.

Spam fighting is a multi-billion dollar industry and businesses are spending thousands or even millions of dollars each year to try and protect their networks from spam threats.

Network providers have had some successes by disconnecting major spam networks from the internet but in most cases the spammers have resurfaced or simply distributed their infrastructure across international jurisdictions.

Consumer ISPs are generally against implementing measures to prevent their customers from adding to the problem.  This despite MAAWG’s findings that “tens of millions of Web users in North America and Western Europe have clicked on spam at least once – and many of them did it on purpose”.

Researchers Analyze Bots to Beat Spam, But Will it Work?

Written by Paul Cunningham on January 29, 2010

A research team from two Californian universities has developed what it believes will be a game changing approach to defeating spam.

The researchers used a captured spam bot to analyze a sample of the spam emails that it produced and then used this information to reverse engineer the template that the spam emails were based upon.  Once this template was known 100% of further spam emails from that bot were successfully blocked while avoiding any false positives on one million genuine email messages in the test.

Leading anti-spam products in the market today claim up to 99% accuracy for spam detection and use sophisticated analysis techniques such as Bayesian filtering to reduce false positives.  However a large part of the fight against spam remains reactive.

ISPs Don’t Want to be Spam Cops

Written by Paul Cunningham on January 20, 2010

British ISPs have reacted strongly to the suggestion of Trend Micro CTO David Rand that the ISPs should actively combat the problem of spam on the internet.

Rand’s suggestion is the blocking of TCP port 25 (the port used for SMTP, or email, communications between servers on the internet), making contact with customers who they suspect may be the source of spam outbreaks, as well as stronger government legislation.

The legislation idea has merit; after all, the lack of cooperation between government agencies is how many international spam operations manage to go unpunished.  The blocking of SMTP on the other hand is impractical and costly to implement, both from a technical and a service perspective.

The basis of the idea is this.  Customers send mail using SMTP, so blocking SMTP and requiring that customers send mail via the ISP’s mail servers allows close monitoring of email traffic and detection of spam.

The solution is problematic though because many ISP customers, both home users as well as businesses, have perfectly good reasons to not send their email via their ISP’s mail servers.  These customers would need to be unblocked from using SMTP, and hence cannot be closely monitored.

The monitoring itself also presents two problems – firstly customers object to having their email correspondence inspected by other parties including their ISP.  Secondly, any false positives could have disastrous consequences if important emails were blocked.  ISPs do not want the exposure to liability if they block an email that results in monetary loss for the sender or recipient.

Spammer Fined nearly $200,000 By Australian Court

Written by Sue Walsh on December 30, 2009

A judge in Brisbane, Australia has fined a man accused of being one of the world’s biggest spammers nearly $200,000. The fine was levied against Lance Atkinson after the court found him in violation of the Australian Spam Act of 2003. The Australian Communications and Media Authority filed charges against him after fielding over 100,000 complaints from consumers about his spamming.

Atkinson is the ringleader of what is believed to be the world’s largest spam ring. His operation, doing business under the names HerbalKing and Canadian Healthcare, sent billions of spam messages advertising fake or black market male enhancement products, weight loss pills, and other drugs. When unwitting customers placed orders at their sites they raked in affiliate fees as their credit card info was stolen. Medical experts have warned that the drugs being sold could cause serious harm if taken since they are made in India and not tested for quality or safety. Earlier this month in the U.S., the Federal Trade Commission slapped Atkinson with a $15 million fine for violations of the CAN-SPAM Act, but they have little hope of collecting unless he enters the U.S.

Atkinson, who failed to appear in court, was also banned from sending any kind of commercial email for 7 years. It will be interesting to see how they plan to enforce that!

5 Tips to Protect Yourself From Spam Scams (That Don’t Quite Work)

Written by Paul Cunningham on November 26, 2009

NBC Chicago published a list of 5 tips for people to protect themselves from scam emails.  Although they mean well, and the tips are a step in the right direction, they are far too simple to be really effective at stopping spam.  Let’s take a look.

Tip 1 – If you don’t know the sender, don’t open it!

This tip is a carry-over from the old days of computer viruses where people were advised not to trust attachments in emails that they were not expecting.  These days the malicious payload of an email is rarely in an attachment, rather it is usually hosted on a website somewhere in the form of a product sales scam or a web browser hijack exploit.

The tip doesn’t work for two reasons:

  1. Emails from people you know can be just as untrustworthy as emails from people you don’t know.  If someone you know has their email or social networking account compromised then you are likely to receive malicious email from “someone you know”.
  2. Businesses could not survive if they did not open emails from people they don’t know.  An analogy in the physical world would be not opening the door to your store for anyone you didn’t recognize, cutting off all new customers from your business.

A more practical approach would be to assess emails based on their contents, and use alternate channels to verify anything that seems unusual or out of character.  A graphic designer receiving an email from someone they don’t know would be turning away a customer if they didn’t open it, whereas a person trusting the message from their friend asking for money in an emergency could easily fall victim to a scam.

Tip 2 – Watch out for emails that request personal information

This tip is oversimplified with the statement “No legitimate organization will ask for your social security number”.  Protecting your sensitive personal information such as social security and credit card numbers is important, but what about seemingly harmless information?

Let’s say you receive one of those amusing chain letter emails asking 25 questions about you such as the name of the street you grew up in, your favorite movie, your pet’s name, and so on.  Now consider that in doing so you are revealing useful information about yourself that can be used in future attacks.