The Spam Stalemate

Written by Paul Cunningham on February 24, 2010

The Messaging Anti-Abuse Working Group (MAAWG) has released new figures that put the average volume of email spam on the internet at 90%, peaking as high as 94.2% in recent years.

Jerry Upton, MAAWG Executive Director, said “We’ve been sitting at a stalemate for probably two to three years. Taking out the highs and lows, we’re sitting at about 90%”.

Figures that regularly appear from various security vendors have been telling the same story for several years now. With the latest figures confirming the continuing trend, one might be forgiven for wondering who is really winning the war against spam.

Spam fighting is a multi-billion dollar industry and businesses are spending thousands or even millions of dollars each year to try and protect their networks from spam threats.

Network providers have had some successes by disconnecting major spam networks from the internet but in most cases the spammers have resurfaced or simply distributed their infrastructure across international jurisdictions.

Consumer ISPs are generally against implementing measures to prevent their customers from adding to the problem. This despite MAAWG’s findings that “tens of millions of Web users in North America and Western Europe have clicked on spam at least once – and many of them did it on purpose”.

Researchers Analyze Bots to Beat Spam, But Will it Work?

Written by Paul Cunningham on January 29, 2010

A research team from two Californian universities has developed what it believes will be a game-changing approach to defeating spam.

The researchers used a captured spam bot to analyze a sample of the spam emails that it produced and then used this information to reverse engineer the template that the spam emails were based upon. Once this template was known, 100% of further spam emails from that bot were successfully blocked while avoiding any false positives on one million genuine email messages in the test.

Leading anti-spam products in the market today claim up to 99% accuracy for spam detection and use sophisticated analysis techniques such as Bayesian filtering to reduce false positives. However, a large part of the fight against spam remains reactive.


ISPs Don’t Want to be Spam Cops

Written by Paul Cunningham on January 20, 2010

British ISPs have reacted strongly to the suggestion of Trend Micro CTO David Rand that the ISPs should actively combat the problem of spam on the internet.

Rand’s suggestions are that ISPs block TCP port 25 (the port used for SMTP, or email, communications between servers on the internet) and make contact with customers who they suspect may be the source of spam outbreaks, along with stronger government legislation.

The legislation idea has merit; after all, the lack of cooperation between government agencies is how many international spam operations manage to go unpunished. The blocking of SMTP, on the other hand, is impractical and costly to implement, both from a technical and a service perspective.

The basis of the idea is this. Customers send mail using SMTP, so blocking SMTP and requiring that customers send mail via the ISP’s mail servers allows close monitoring of email traffic and detection of spam.

The solution is problematic though, because many ISP customers, both home users and businesses, have perfectly good reasons not to send their email via their ISP’s mail servers. These customers would need to be unblocked from using SMTP, and hence cannot be closely monitored.

The monitoring itself also presents two problems – firstly, customers object to having their email correspondence inspected by other parties, including their ISP. Secondly, any false positives could have disastrous consequences if important emails were blocked. ISPs do not want the exposure to liability if they block an email that results in monetary loss for the sender or recipient.

Spammer Fined nearly $200,000 By Australian Court

Written by Sue Walsh on December 30, 2009

A judge in Brisbane, Australia has fined a man accused of being one of the world’s biggest spammers nearly $200,000. The fine was levied against Lance Atkinson after the court found him in violation of the Australian Spam Act of 2003. The Australian Communications and Media Authority filed charges against him after fielding over 100,000 complaints from consumers about his spamming.

Atkinson is the ringleader of what is believed to be the world’s largest spam ring. His operation, doing business under the names HerbalKing and Canadian Healthcare, sent billions of spam messages advertising fake or black market male enhancement products, weight loss pills, and other drugs. When unwitting customers placed orders at their sites, they raked in affiliate fees as their credit card info was stolen. Medical experts have warned that the drugs being sold could cause serious harm if taken since they are made in India and not tested for quality or safety. Earlier this month in the U.S., the Federal Trade Commission slapped Atkinson with a $15 million fine for violations of the CAN-SPAM Act, but they have little hope of collecting unless he enters the U.S.

Atkinson, who failed to appear in court, was also banned from sending any kind of commercial email for 7 years. It will be interesting to see how they plan to enforce that!

5 Tips to Protect Yourself From Spam Scams (That Don’t Quite Work)

Written by Paul Cunningham on November 26, 2009

NBC Chicago published a list of 5 tips for people to protect themselves from scam emails. Although they mean well, and the tips are a step in the right direction, they are far too simple to be really effective at stopping spam. Let’s take a look.

Tip 1 – If you don’t know the sender, don’t open it!

This tip is a carry-over from the old days of computer viruses, when people were advised not to trust attachments in emails that they were not expecting. These days the malicious payload of an email is rarely in an attachment; rather, it is usually hosted on a website somewhere in the form of a product sales scam or a web browser hijack exploit.

The tip doesn’t work for two reasons:

  1. Emails from people you know can be just as untrustworthy as emails from people you don’t know.  If someone you know has their email or social networking account compromised then you are likely to receive malicious email from “someone you know”.
  2. Businesses could not survive if they did not open emails from people they don’t know.  An analogy in the physical world would be not opening the door to your store for anyone you didn’t recognize, cutting off all new customers from your business.

A more practical approach would be to assess emails based on their contents, and use alternate channels to verify anything that seems unusual or out of character.  A graphic designer receiving an email from someone they don’t know would be turning away a customer if they didn’t open it, whereas a person trusting the message from their friend asking for money in an emergency could easily fall victim to a scam.

Tip 2 – Watch out for emails that request personal information

This tip is oversimplified with the statement “No legitimate organization will ask for your social security number”.  Protecting your sensitive personal information such as social security and credit card numbers is important, but what about seemingly harmless information?

Let’s say you receive one of those amusing chain letter emails asking 25 questions about you such as the name of the street you grew up in, your favorite movie, your pet’s name, and so on. Now consider that in doing so you are revealing useful information about yourself that can be used in future attacks.

We Have Not Won The War On Spam

Written by Paul Cunningham on November 20, 2009

I came across an article today written last week that proclaimed “We won the war on spam”. The general thrust of the article is that “despite continued hysteria, unwanted e-mail is largely a thing of the past”.

This is an interesting point of view which I happen to disagree with, but in thinking further I realize that this is mostly a matter of perspective – business vs personal, or big vs small.

The writer, Mark Gimein, approaches the matter from his own personal experience.  Mark has a slightly more complex email setup than the average person – a series of email addresses for various purposes all forwarding into a Gmail account.  In Mark’s experience spam has all but vanished from his inbox, although a few false negatives remain.

I’m not disputing Mark’s account, I don’t see very much spam slip through the filters into my inbox either, but the war on spam is most definitely not won.  Mark hints at what I’m about to say with this paragraph in his article:

Stopping spam does take effort—without a doubt Yahoo and Google devote resources to it. But that’s just part of their business, no different from all the other things they need to do to keep their e-mail systems running. What matters is that from the point of view of users like me, what’s going on under the hood to keep junk out and legitimate messages in needn’t concern us.

For an email user in a business what goes on under the hood shouldn’t concern them, but it most certainly concerns the business. Businesses spend thousands of dollars each year on protecting their email systems from spam and malware. This is not a trivial expense and in itself stands as solid proof that the war on spam is far from over.

Why is it Really So Hard to Tackle Spam?

Written by Paul Cunningham on August 5, 2009

My last post on international spam fighting attracted a comment from reader Andreas Kroll. Andreas asks “Why is it really so hard to tackle spam?”

That is a good question, and one we don’t often stop and think about. The war against spam carries on with each side adjusting to the other’s new techniques with new ways of defeating them. This constant shifting of the landscape makes anti-spam a very fluid, dynamic industry with rapid technology changes. Of course, regular people using their computers for email and internet access are probably wondering what all of the clever people at anti-spam companies are really doing about it.

Let’s take Andreas’ comment for example.

“Spam in itself is the repeated sending of (nearly) identical messages to a lot of people.”

This would be true if all spam messages were created equally. I’m sure we’re all familiar with viagra spam, or Nigerian 419 spam, or lottery spam, but if you sit and look at 10 viagra spam emails in your Junk email folder you won’t find two the same. Spammers will simply use an email template with a series of variable portions, and run scripts to insert a variety of values into those fields. A short spam email with just 10 fields, each with 10 possible values, means 10,000,000,000 unique spam emails can be produced.

Spam and Phishing Education Goldmine

Written by Carl E. Reid on April 8, 2009

Well I’m back on my “the best email user is an educated email user” soap box. Like it or not, the best tool email administrators can arm staff with against spam, phishing and information security threats is education. OnGuard Online provides a platform for administrators to create some awesome cyber security educational programs.

OnGuard Online provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information. Funding from many partners has allowed OnGuard Online to develop educational cyber security videos, tutorials, games and other tools. Some partnering organizations include the Internal Revenue Service, NCIS, the Federal Trade Commission, Homeland Security and the Securities and Exchange Commission. Even non-profit companies, like Latinos in Information Sciences & Technology Association (LISTA), are partners with OnGuard Online.

The target audience for these free educational products is the everyday email, computer and Internet user. There are phishy videos. Then there are games with names like “Invasion of the Wireless Hackers” and “Spam Scam Slam”. Let’s not forget “ID Theft Face Off”. Now these are educational video games for all ages.


Stopping Comment Spam

Written by Carl E. Reid on February 25, 2009

At a basic level, comment spam sometimes involves spammers manually typing spam into a blog comment form. This spam is entered the same way as a comment from any regular reader. Although this allows a spammer to assume the same identity as regular commenters, this is a painfully slow process. The return on the investment of time dictates that spammers rarely use this method to post spam comments.

The more serious issue is automating the process of posting spam comments. This process is driven by custom scripts or software written to quickly produce a high volume of spam comments. This type of software becomes a spam producing machine.  It can submit thousands of spam comments in a very short period of time. This spam machine can hit multiple pages within many blogs.


AOL Latest To Be Exploited By Phishers

Written by Sue Walsh on February 13, 2009

AOL users are being warned of a new phishing attack targeting the popular ISP. Customers are receiving emails claiming to be from the company’s “Safety and Security Team”. The emails claim they need to verify the recipient’s billing and account information. A link is provided, and if the recipient clicks on it they are sent to a fake AOL site and prompted to log in, then are asked to provide their credit card number and other personal info, all of which is sent to the scammers behind the attack.

This is far from the first time AOL has been exploited by scammers. Back in the 90’s AOL users were routinely sent fake emails claiming to be from AOL and asking for their login info. The scammers then logged into the compromised accounts and sent spam. The very first phishing scam I remember running into was on AOL as well, back in 1995 or so. I got an email that looked like it was from AOL saying the credit card I had on file had expired and asking me to log in and update it. I almost fell for it too, until I realized the email hadn’t been sent to the master screen name on my account, just that one sub account. Phishers and scammers have gotten a lot more sophisticated since then!
