Microsoft spam suit involves old nemesis

Written by John P Mello Jr on June 22, 2010

If spammers are anything, they are persistent, as is the case with Boris Mizhen. Mizhen, along with Dimitri Kovalsky and Muhommad Mohsan-ul Moula were sued by Microsoft this week for creating bogus Hotmail accounts and using them to camouflage their spam.

Microsoft is very familiar with Mizhen’s antics. In 2004, the Connecticut resident paid the company $2 million to settle a lawsuit slapped on him for spamming Hotmail users.

Microsoft revealed the CAN-SPAM Act lawsuit, filed in federal district court in Seattle, in an item written by its General Manager of Safety Services John Scarrow in its “Microsoft on the Issues” blog. In the blog item, Scarrow wrote that the scheme hatched by Mizhen et al was “one of the largest-ever spam attacks on Windows Live Hotmail.”

Three of Mizhen’s companies were named in the litigation–Media Network, Inc., New Age Opt-In, Inc. and Permission, Inc. While posing as legitimate advertising companies, Microsoft alleges, the outfits are actually just launching pads for spam.

According to Microsoft, the spammers devised and implemented a plan to abuse Hotmail’s sender-feedback systems–the Junk E-Mail Reporting Program (JMRP) and Smart Network Data Services (SNDS)–to make their spam look like legitimate mail and learn how to get it past the filters.

JMRP is a free program that senders can enroll in. It’s designed to tell senders how their messages are being treated by Hotmail: if a recipient marks a message as “junk” or “phishing”, the message, along with its headers, is returned to the sender. The purpose of the program is to help legitimate senders stop sending unwanted messages to Hotmail users; in the hands of a spammer it becomes a feedback loop showing exactly which messages are being caught.

SNDS is another free service offered by Microsoft. It’s designed to give senders some insight into how Hotmail users are rating the email they receive from senders and how the system’s filters are treating those senders’ messages.

Microsoft Slays Waledac

Written by Sue Walsh on March 9, 2010

Microsoft notched an important legal victory this past week. A court awarded them a restraining order that has effectively cut Waledac off at the knees. The decision was the result of a lawsuit filed on February 22nd and will result in traffic being cut off to 277 domains that host the command and control servers that run the botnet. All of the domains are located in China and will be blacklisted by VeriSign. Without its command and control servers Waledac is essentially dead, because its millions of zombies can’t contact home for instructions.

According to Microsoft, Waledac is one of the 10 largest botnets in the world and responsible for much of the spam hawking fake and shady internet pharmacies, male enhancement products and designer knock-offs. They had this to say about Waledac on their blog:

Waledac is estimated to have infected hundreds of thousands of computers around the world and, prior to this action, was believed to have the capacity to send over 1.5 billion spam emails per day. In a recent analysis, Microsoft found that between December 3-21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.

While Microsoft claims victory, it’s more than likely short-lived. As we’ve seen in the past with shutdowns like McColo, it doesn’t take long for the cybercriminals behind botnets to regroup and start anew, and they are getting better and better at it every day.

New zero-day IE bug triggers mass attacks

Written by Dan Blacharski on July 10, 2009

Microsoft released a security advisory this week about a dangerous vulnerability in the Microsoft Video ActiveX Control (msvidctl.dll), which is used for streaming video. According to the advisory, an attacker who exploits the vulnerability could gain the same rights on the attacked PC as the logged-on user. The code execution is triggered remotely through Internet Explorer and doesn’t require any user intervention beyond visiting a page. In other words, it’s a “drive-by” attack that plants a Trojan downloader on the victim’s PC. In the advisory, Microsoft said it would release a patch, and in the meantime provided an automated tool for disabling the ActiveX control. Disabling the control manually is tedious, because it requires setting the kill bit in the registry for each of the control’s CLSIDs. Microsoft has since made the “Fix it” automated tool available.
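As an added illustration of what the manual workaround involves (this is not code from the original post or from Microsoft), the following Python builds a .reg file that sets the kill bit for a list of CLSIDs. The kill bit is bit 0x400 of the “Compatibility Flags” DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} (and, for 32-bit IE on 64-bit Windows, the same path under Wow6432Node). The CLSID used in the usage call is a placeholder, not one of msvidctl.dll’s real CLSIDs, which the post does not list; existing flag values are preserved rather than overwritten, a detail that is easy to get wrong when editing the registry by hand.

```python
"""Generate a .reg file that kill-bits ActiveX controls by CLSID (illustrative, not Microsoft's Fix it)."""
import re

KILL_BIT = 0x400  # bit in "Compatibility Flags" that stops IE instantiating the control
KEY_32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KEY_64 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"
GUID_RE = re.compile(r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")


def normalize_clsid(clsid):
    """Validate a CLSID and return it in the braced, upper-case form the registry key uses."""
    m = GUID_RE.match(clsid.strip())
    if not m:
        raise ValueError("not a CLSID: %r" % clsid)
    return "{" + m.group(1).upper() + "}"


def set_killbit(flags):
    """OR the kill bit into an existing Compatibility Flags value, keeping other bits."""
    return flags | KILL_BIT


def has_killbit(flags):
    """True if the kill bit is already present in a Compatibility Flags value."""
    return bool(flags & KILL_BIT)


def killbit_reg(clsids, existing_flags=None, wow64=True):
    """Return .reg text (Registry Editor 5.00 format) that kill-bits every CLSID given.

    existing_flags maps normalized CLSID -> current DWORD so other flags survive;
    wow64=True also writes the Wow6432Node key used by 32-bit IE on 64-bit Windows.
    """
    existing_flags = existing_flags or {}
    lines = ["Windows Registry Editor Version 5.00", ""]
    keys = [KEY_32] + ([KEY_64] if wow64 else [])
    for raw in clsids:
        clsid = normalize_clsid(raw)
        flags = set_killbit(existing_flags.get(clsid, 0))
        for key in keys:
            lines.append("[%s\\%s]" % (key, clsid))
            lines.append('"Compatibility Flags"=dword:%08x' % flags)
            lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder CLSID for demonstration only; substitute the control's real CLSIDs.
    placeholder = "{01234567-89AB-CDEF-0123-456789ABCDEF}"
    print(killbit_reg([placeholder], existing_flags={placeholder: 0x1}))
```

Importing the generated file with regedit (or writing the same DWORD with reg.exe) is all the manual procedure amounts to; the difficulty the post refers to is that it must be repeated for every CLSID the control registers, and the kill bit only blocks IE from loading the control, it does not patch the underlying bug.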

This vulnerability holds tremendous potential to cause damage on the same scale as Conficker, or perhaps more. Conficker took advantage of a bug that had already been patched and still captured millions of PCs to create a huge botnet. Exploit code for this one is already widely published on several Chinese web sites, and could cause tremendous damage before the patch is created and delivered through Microsoft’s regular update mechanism.

The ActiveX control can be accessed using Internet Explorer. Several security companies have reported detecting compromised sites that use the exploit.

Systems running Vista or Windows Server 2008 are not vulnerable to the attack, since the ability to pass data to the control within IE on those systems is restricted. Users running IE8, Firefox, or Chrome are also not vulnerable. Users still running Windows XP or Windows Server 2003 are vulnerable if using IE6 or IE7.

New Malware Attack Pretends to Be a Microsoft Update

Written by Sue Walsh on July 1, 2009

A new malware attack is lurking behind emails made to look like Outlook updates sent by Microsoft. The messages look authentic and include a link whose text appears to point to update.microsoft.com but which actually leads to a malicious domain. If clicked, the link downloads the Zbot Trojan. Zbot steals usernames, passwords and banking information and installs a rootkit that could allow a hacker access to any network the infected computer is attached to.

Zbot even contains a list of specific sites to monitor, including Facebook, MySpace, Bank of America, Amazon, HSBC, PayPal, Blogger, and just about every bank you can think of. This Trojan means business. Once a user on an infected machine visits one of the sites on the list, a built-in keylogger is activated and records their credentials. The stolen information is then uploaded to a remote server.

Antispam Frameworks Explained

Written by Paul Cunningham on June 17, 2009

There are a vast number of different email hygiene solutions on the market today offering protection from viruses, malware, phishing, and spam for customers of all sizes. Typically these products are built on a combination of several prevention techniques such as content filtering, RBLs, reputation filtering, and safe lists.

Some products also support one or more of a relatively new type of prevention – email authentication.

What is Email Authentication?

When the SMTP protocol was first created all users were assumed to be trustworthy, so there was no need to include any significant level of security within the protocol. This has led to many of today’s problems, such as address spoofing. Several email authentication schemes have appeared on the scene, each trying to verify the sender of an email by a different method, and each with its own positive and negative aspects.

Sender Policy Framework

Sender Policy Framework (SPF) allows domain owners to use DNS TXT records to specify which mail servers are allowed to send email for that domain. The receiving server looks up the record for the domain in the envelope sender (MAIL FROM) and checks whether the connecting IP is authorized. This technique works on the assumption that the DNS records for a domain name are correct and trustworthy. However, there are a few weaknesses with this approach.

Firstly, there has not been widespread adoption of this method by domain owners. As such it is not practical for email administrators to block emails that fail an SPF test, and a missing record gives them nothing to test at all. For example, if the owners of the domain example.com have no SPF record in their DNS zone then spammers are free to continue forging example.com email addresses.
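To make the lookup and its limitation concrete, here is a small SPF evaluator (an added example, not code from the original article) that handles the ip4, ip6, a, include and all mechanisms with the four qualifiers. The DNS data is a constructed in-memory table standing in for real TXT and A lookups; example.net publishes a record ending in -all, while example.com, as in the paragraph above, publishes none, so a forged example.com sender produces the result “none” and the receiver has nothing to reject on.

```python
"""Minimal SPF evaluator (subset of RFC 7208) over a constructed in-memory DNS."""
import ipaddress

# Constructed zone data, not real records: stands in for live TXT and A lookups.
DNS_TXT = {
    "example.net": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.org -all"],
    "_spf.example.org": ["v=spf1 ip6:2001:db8::/32 a:relay.example.org ~all"],
    "example.com": [],  # domain publishes no SPF record at all
    "broken.example": ["v=spf1 ip4:203.0.113.1 -all", "v=spf1 -all"],  # two records
}
DNS_A = {"relay.example.org": ["198.51.100.7"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms per check at 10


def lookup_spf(domain):
    """Return the domain's SPF record, None if it has none, or raise if it has several."""
    recs = [t for t in DNS_TXT.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(recs) > 1:
        raise ValueError("multiple SPF records for " + domain)
    return recs[0] if recs else None


def check_host(ip, domain, depth=0):
    """Evaluate SPF for a connection from `ip` claiming MAIL FROM domain `domain`."""
    if depth > MAX_DEPTH:
        return "permerror"
    try:
        record = lookup_spf(domain)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"  # nothing to test: forgery and legitimate mail look identical
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "a":
            target = arg or domain
            matched = any(ipaddress.ip_address(a) == addr for a in DNS_A.get(target, []))
        elif name == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # an include target without a usable record is an error
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # record exhausted without a match and without an explicit "all"


def receiver_action(result):
    """Typical conservative policy: only a hard fail is safe to reject on."""
    return {"fail": "reject", "softfail": "accept-and-flag"}.get(result, "accept")


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.net"), ("203.0.113.5", "example.net"),
                    ("203.0.113.5", "example.com")]:
        r = check_host(ip, dom)
        print("%s from %s -> %s (%s)" % (dom, ip, r, receiver_action(r)))
```

The third case is the one the paragraph describes: the forged example.com message gets “none”, which a receiver has to treat like “accept”, so SPF only protects domains whose owners bother to publish a record, and only when that record ends in a hard -all.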

Microsoft Now 5th Most Spammer Friendly ISP

Written by Sue Walsh on November 24, 2008

Spamhaus has released its latest list of the top 10 spammer-friendly ISPs and there is one familiar name on it: Microsoft. That’s right, Microsoft sits in the number 5 spot on the list. Why do spammers like Microsoft? The same reason they love Gmail. They know those domains have a highly positive reputation and aren’t likely to be placed on any blacklists, which increases the chances of their spam actually reaching people’s inboxes.

The spam tracking group says spammers and scammers routinely use Microsoft’s Live.com and Livefilestore.com to send spam and redirect visitors to various sites that sell porn and fake drugs.