To show how serious they are about their attempts to eradicate spam, fifteen companies have joined forces to help fight one of the most dangerous spam tactics of all – phishing.

This collective, known as the Domain-based Message Authentication, Reporting and Conformance (DMARC), has come together to develop standards that they promise will help combat the practice of spammers sending emails that appear to come from a legitimate organization.

According to DMARC, its work:

“draws upon a history of private industry collaboration with 18 months of dedicated work, to outline an enhanced vision for email authentication that can scale up to today’s Internet needs.”

Who Is DMARC?

The group of fifteen who have dedicated resources to this fight consists of:

• Agari
• American Greetings
• AOL
• Bank of America
• Cloudmark
• Comcast
• Facebook
• Fidelity Investments
• Google
• LinkedIn
• Microsoft
• PayPal
• Return Path
• The Trusted Domain Project
• Yahoo!

And just what exactly they are trying to do is create a specification that allows senders and receivers of email messages to share information with each other about their authentication infrastructure to make sure that emails come from the organization they claim to be.

According to their website, DMARC attempts to address this by providing coordinated, tested methods for:

Domain owners to:

• Signal that they are using email authentication (SPF, DKIM),
• Provide an email address to gather feedback about messages using their domain – legitimate or not,
• A policy to apply to messages that fail authentication (report, quarantine, reject).

Email receivers to:

• Be certain a given sending domain is using email authentication,
• Consistently evaluate SPF (Sender Policy Framework) and DKIM(DomainKeys Identified Mail) along with what the end user sees in their inbox,
• Determine the domain owner’s preference (report, quarantine or reject) for messages that do not pass authentication checks,
• Provide the domain owner with feedback about messages using their domain.

So What Makes DMARC Different?

Most companies already employ some type of analysis on incoming email messages to include SPF and DKIM so this specification isn’t turning to something new. In fact, they recommend a continued approach employing other techniques such as high quality spam filters and rate limiters to form a well rounded solution to fighting spam.

What DMARC is trying to do is to standardize and streamline the process of analyzing messages because participating companies can rely on the coordination of the group to establish trust when it comes to determining whether or not a sender is legitimate.

In plain English, DMARC looks to form a conglomerate of cooperation between email senders and receivers (the organizations like Google, Microsoft, Yahoo!, etc. not the individual users themselves) who share information about the emails they send to each other. Turning to the information made available to the group, it can be easier to see whether or not an email is spoofed spam or a legitimate message worthy of delivery.

Not only is it the hope that less spam will make it through, but that resources will be streamlined as a result of these efforts as well. Large datacenters could see a positive result if all goes as planned.

The Flipside

Of course not everyone is completely sold that DMARC’s work is a panacea when it comes to ending spoofing and spam.

John Levine, one of authors of the DKIM related Author Domain Signing Practices (ADSP) standard, had this to say in an interview with Information Week:

“It’s a good thing as far as it goes, but it does have some of the chronic Internet tendency to put a steel door on a cardboard box.” Like many security standards that are not mandatory, if it’s not implemented then it won’t fail. Neither DKIM nor SPF are at the point where a recipient can say that they will only accept messages that use them. Therefore you still need to keep your eyes open.”

Using Bank of America as an example, it was pointed out in the same article that to fight phishing and spoofing in the past domains suggestive of the name Bank of America, as well as typos, were purchased en masse. Because the pool is so large, Bank of America was not able to purchase every domain available. For example, wwwbankofamerica.com is not owned by them.

So if an email arrives from support@wwwbankofamerica.com it won’t fail any of the checks from SPF or DKIM because it is not a spoofed email address. By all accounts, the sender is legitimate.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Will DMARC Have Much Impact on Spam?

The Microsoft Digital Crimes unit has continued its investigation into the perpetrators behind Kelihos, and today filed an amended complaint in the U.S. District Court for the Eastern District of Virginian, naming Russian citizen Andrey N. Sabelnikov as the alleged perpetrator.

Microsoft indicated in a blog post today that former defendants Piatti and the dotFREE Group have been cooperating with Microsoft, and it is this cooperation combined with new evidence that has enabled Microsoft to amend their complaint and name Sabelnikov.

In the amended complaint, Microsoft presented evidence against Sabelnikov alleging that he wrote code for Kelihos and either created or participated in the creation of the malware. Evidence was also presented supporting the allegation that

Sabelnikov “used the malware to control, operate, maintain and grow the Kelihos botnet.”

The complaint goes on to allege that Sabelnikov registered over 3,700 domains in the cz.cc namespace with the dotFREE Group SRO, using these in the ongoing spread and control of Kelihos.

A statement on Microsoft’s official company blog by Senior Attorney for the Microsoft Digital Crimes Unit Richard Domingues Boscovich asserts Microsoft’s commitment to continuing the investigation and taking action against all the individuals who participated in Kelihos. Remember that the original complaint named twenty-two John Doe co-conspirators. One can only assume that Sabelnikov is the first, with another twenty-one to be named as more evidence is developed.

Microsoft has also made available more information on botnets and free tools to help clean users’ computers if they have been infected. You can view that information at: http://support.microsoft.com/botnets.

As more information develops on this case, we’ll be sure to keep you up-to-date with continued coverage. Those of you with an interest in the legal actions involving Sabelnikov can read the amended complaint here (PDF, new window).

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Kelihos Actions Continue: New Defendant Named

Skammers (see what I did there?) have once again started contacting Skype users using contact names that seem designed to convince users to answer the call. Culprits include NOTIFICATION™ URGENT ACTION REQUIRED, URGENT SYSTEM NOTIFICATION, URGENT NOTICE, and others. Each of these is an attempt to use social engineering to convince the victim that the call is legitimate. I particularly like the one that bears the trademark logo for the word NOTIFICATION.

If a user answers the call, they will typically hear a prerecorded message warning them that their system has been infected or is at risk, and then they read a URL which tells them that they should immediately visit this site for further assistance. Typically these sites are phishing sites, and they may have downloads purporting to be antivirus software or security fixes, but of course they all contain malware. Some of these sites are set up to attempt to exploit your browser using a variety of attacks, hoping you are running an unpatched browser, Flash player, etc. And in at least one instance, the target reported that the site had a chat applet which connected them to an apparent human who tried to get personal information from them to set up an account for assistance.

Skype users can easily block calls from people not on their contact list, if they wish. Note that the Windows client, by default, will allow calls from anyone. If you are using Skype for business, and want to enable potential customers to call you without first requesting permission to add you to their contact list, you’re going to have to deal with potential spam calls. The rest of us can be a little more restrictive, changing the Allow calls from… to “people in my Contact list only”.

While logged on to Skype, click Skype on the menu bar, and then click “Privacy…”

In the Privacy settings tab, change the default “Allow calls from…” from “anyone” to “people in my Contact list only”.

Click “Save” and you are done.

Users of the smartphone clients will need to make these settings using a full PC client; not all settings are available in the mini versions, and this is one of those that are not, but the settings apply to the account, and not to the specific instance of the software.

Skype has recently updated the visual appearance of both calls and contact list requests to make it more obvious to users when another user tries to either call them, or add them to a contact list. If you do receive a fraudulent call, Skype encourages you to right click the contact and report them for abuse. To do this, right click the contact and select “Block This Person…” and then tick the box to “Report abuse”. Click the “Block” button and not only will the user be blocked from contacting you, but their account will be investigated for abuse, and if they are violating Skype’s terms of service, their account will be cancelled.

Skype is a great communications tool, but just like IM and email, users will have to deal with skam, err, spam. Fortunately Skype and Microsoft take this very seriously, provide the settings to help reduce this, and take reports of violations very seriously.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Should We Call It Skam?

False positives, as this scenario is referred to, can be a problem for both business and personal emails alike. Unfortunately, most people are under the impression that there is nothing they can do to prevent their emails from being falsely labeled as spam. They couldn’t be more wrong.

Spam filters often employ Bayesian filtering to determine if a message should be allowed to pass through to the recipient’s inbox, or if it should be cast aside as spam.

The way this filter works is by scoring the content for the entire message. By looking for certain flags in an email message and assigning each a value, the spam filter can ascertain if a message is spam by totaling up the score and measuring it against a pre-set threshold. Emails that score too high are discarded while those that are considered legitimate safely find their way.

Email etiquette

Most organizations address email etiquette in their email policies to help protect the company’s image. A poorly written email can be embarrassing to a company. It looks unprofessional and it can cost a company money in lost accounts and lost respect.

But emails written with etiquette in mind can also help keep them in good graces with the spam filters as well.

When emails are written the right way, they wind up looking less like spam. The following rules of email etiquette will show you just how taking the time to write your messages properly will help get them delivered.

1. Clean up the spelling and grammar

Poorly written English is one of the first things a spam filter looks for. Excessive spelling, grammar and wrongly used words are clues that the content is not legitimate. Take the time to run your messages through a checker before you send them. If your email client does not offer this, write important emails in a word processor so they can be checked prior to your sending them.

2. Don’t over use the cc: and bcc: fields

At times it is important to include other recipients on an email message, but the more people that you include the more your message looks like spam. Remember, spammers would lose money if they had to send email messages one at a time so they send them in large batches.

3. Include an email signature

Most spammers don’t use an email signature. You should because the spam filters have the ability to read whether or not a signature file is used .

4. Avoid abbreviations that are unnecessary

If you are sending an important email message then you shouldn’t use abbreviations like LMAO or LOL. First of all if you are conducting business you don’t want to look like a gossiping teenager. Second of all, these abbreviations look like gibberish used to fool the spam filters so what do they do? Count this against the total spam score.

5. Avoid all caps in the email and the subject

Some emails are more important than others. Parts of your email may be more important than others as well. But there are better ways to show this than by using all caps.

We all know that writing in all caps is rude, but it also makes your message look like spam.

6. Avoid colored text

Professional emails don’t need fancy dressings like fonts that look like handwriting, animated gifs and certainly they don’t need colorful text. While colors, especially red, are often used to call attention to certain parts of email message, or even to responses, they also call attention to the message itself in the eyes of the spam filter.

7. Use punctuation properly

It is hard to show emotion when writing an email message. To compensate, we often overuse certain punctuation marks and symbols. Most commonly, the exclamation mark !!!, the question mark ??? and the dollar sign $$$. Overuse of these are as bad as using all caps in the eyes of the spam filters.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

7 Ways Email Etiquette Helps Get Your Messages Delivered

Microsoft, Google, AOL, and Yahoo are all providing metadata from messages sent to their users on a daily basis to Agari. Protecting users’ privacy is of paramount importance to all of the participants. The metadata includes aggregate information on things like source IP address, subject, and sender address, but not the body of the email. Participating providers may provide URLs contained within messages that are already failing other tests so that Agari can notify the company being spoofed in the message, but no other email content is shared.

As email metadata is analyzed by Agari, who is handling over 1.5 billion messages a day, characteristics of messages that are spam or phishing messages are identified. Data is then pushed back to the participants, who can update the policies on their borders to reject spam and block phishing attacks.

There are about fifty other participants in the Agari service, including financial and e-commerce corporations. Business site LinkedIn, and social media sites Facebook and YouSendIt are also participating, which is great news for the users of these services, who are often flooded by spam messages.

It may surprise you to learn that you have probably already been protected by Agari. The company began operations in 2009, running in stealth mode. Current estimates have Agari protecting half of US consumer email users, and over 1 billion individual mailboxes.

Agari, a spinoff of Cisco Systems, is a venture capital funded company based in Palo Alto, California and led by several of the people who were responsible for creating and running Cisco’s IronPort technology. Agari promotes their technology as a cloud based infrastructure, capable of pushing out updates in response to new attacks in a matter of seconds. With an infrastructure capable of processing billions of messages per day, they are positioned to handle the ever increasing volumes of email.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Strength in Numbers – Agari

But putting things into perspective, when you consider that on average 5,000 people die from HIV every day, spam email messages just don’t seem all that bad.

By now, you are probably wondering what the two have in common.

On the surface, not much. But behind the scenes, the war on spam has produced some promising advancements towards finding a vaccine for HIV.

Leading the Charge

David Heckerman, Micrsoft’s Senior Director of their eScience Research Group was the inventor of the spam filter that protects Hotmail. However for the past seven years, his focus has been on creating a vaccine for HIV. He draws parallels between fighting spam and fighting the human immunodeficiency virus that make a clear connection between the two without trivializing the disease.

Over the years those who have been tasked with fighting spam have seen it evolve and adapt each time progress is made to eliminate it. At first, rudimentary spam filters blocked keywords found in the message so spammers started using characters and numbers. As the filters grew more intelligent, spammers reacted to stay one step ahead.

HIV evolves in a similar way. Attempts to stop the disease have shown that when attacked, the virus will mutate to beat its adversary (the human immune system).

“We have an adversarial situation going on between spam filters trying to block the spam and the spammers changing and mutating”, Heckerman said in an interview with The Los Angeles Times, “and in the case of HIV, we have the immune system fighting the virus and HIV mutating to try to get through.”

Both, he claimed, can be successfully fought by finding their Achillies’ heel. And for both, that vulnerable point of attack is the part that absolutely cannot mutate.

“In the case of spammers, they want to extract money from you. That’s what they can’t avoid. So our spam filters, at least in part, focus on that,” he said.

So now he is working on finding the spot where HIV is as equally vulnerable.

“It (HIV) mutates a lot, but it can’t mutate to where it stops functioning,” he said. “If it does do that, we win”.

Partnering with Others

Currently, Microsoft Research is working with Bruce Walker from the Ragon Institute of Massachusetts General Hospital, MIT and Harvard, the Centre for the AIDS Programme of Research in South Africa and the KwaZulu Natal Research Institute for Tuberculosis and HIV to study the virus in Durban, South Africa.

Of course drawing a parallel to study how HIV reacts to a vaccine is only a part of the solution.

To develop a working vaccine based on the principles used to fight spam, researchers are cataloging fragments of HIV that are vulnerable to attack by the human immune system to find that piece that cannot mutate. This research generates enormous amounts of data for researchers to analyze. Enough that one computer dedicated to crunching the numbers could take years. However, relying on Microsoft’s data centers, what would take years only takes a few hours.

This is thanks in part to the use of a Microsoft Computational Biology Tool called PhyloD . This software enables efficient data mining which then leads to specific cell analysis that helps detail virus patterns for further analysis. PhyloD contains an algorithm, code and visualization tools to perform complex pattern recognition and analysis – enabling Heckerman and his colleagues to learn how different individual immune systems respond to the many mutations of the virus.

While the research definitely shows some promise, a cure for HIV does not appear to be on the immediate horizon, nor does the eradication of spam.

Yet the nature of this study shows an enormous amount of progress towards how the different disciplines of science and technology are so interrelated that methods used to fight something like malware or spam could wind up someday saving millions of lives worldwide.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

From Fighting Spam to Fighting HIV

Regardless, you can learn quite a bit from stats; and the ones below are listed for just that purpose. Each one will teach you a little something about spam to keep your inbox as safe as possible.

1. The Rustock botnet comprised of up to 1.7 million computers.

Sure, Microsoft engineered the takedown of this botnet but think about this, there were close to two million computers infected with the software that turned them into zombies.

This means that traditional anti-malware isn’t providing the protection that people thought it does. To keep a computer or network as clean as possible there needs to be a comprehensive anti-malware solution that protects the desktop, mobile devices, servers, email and web sites.

2. 90% of spam is in English.

On the surface this may seem insignificant. But a year ago, 96% of all spam was written in English.

What this means for you is that spammers are coming from many different countries so anti-spam laws in places like the United States and Canada won’t be as much of a deterrent to these people.

3. One in 445 emails is a phishing email.

Phishing leads to financial, confidential, and personal information being stolen to the tune of over 2 billion dollars every years. Since the average professional receives more than 100 emails each day odds are you are coming into contact with some type of phishing attempt at least once a week, and possibly more.

4. One in 284 emails contains malware.

When people stopped falling for the Nigerian scams and the pharmaceutical email advertisements spammers had to look for other avenues in which to make money. Delivering malware via email is one. Think of how many times people fall for fake anti-virus pop-ups or have been infected with various Trojans that turn their computers into zombies that can be rented out with various botnets and you can see why many spammers turn towards these money making opportunities.

5. 91% of all spam emails contain a link.

If the spam you receive doesn’t contain a malicious program that doesn’t mean you are out of the woods just yet. The link you clicked on could be sending you to a malicious website that infects your computer just as easily. What’s worse is that most spam filtering solutions don’t actively block emails that contain links like they do when it comes to executable file attachments.

Users need to be aware that links can be just as dangerous as downloads when it comes to malware. Part of any user education training should include a section about malicious websites and the fact that spammers often send links to them via email.

6. Two thirds of all spam is related to the pharmaceutical industry.

Spammers don’t waste their time sending out advertisements for things they don’t make money on. So when you see so much effort being placed on the Internet pharmacy industry you know that someone is buying from these guys.

The problem isn’t just that these email messages are tying up your inbox, but that people are actually buying medicines that are often unregulated or even counterfeit.

What people should take away from this is the fact that spammers tend to stick with what works for them. When the money dries up from Pharma spam, they will turn to something else.

The thing about statistics is that they can be tweaked to provide facts for whatever it is you are trying to prove. In fact, some statistics show that spam is actually at an all time low. What they don’t tell you is that email spam is at an all time low because spammers have simply taken different approaches to how they send junk emails to their victims.

No matter what the statistics say about spam, the problem still exists and it still costs businesses and individuals time and money.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

6 Spam Stats You Can Learn From

In his article, Mr. Bott relates a couple of anecdotes regarding customers who are signed up on the Office 365 service, who then find out much to their chagrin that they are only allowed to send emails to 500 recipients per day, per user. He paints the picture of how limiting this is to businesses, including the story of one CEO who tried to send an email “to 400 of the company’s customers and prospects” and then discusses what could happen if a business is featured on a national news show or prominent website, and is unable to respond to customer inquiries.

I usually enjoy Ed’s posts, but find myself compelled to be the voice of reason and paint a fair and balanced picture here for admins considering Office 365, or any other outsourced email service. In the case of Office 365, we are discussing what for most customers is a shared service. All shared services should have limits on resources that can be consumed by a single customer in a set time frame; limiting the amount of resources one tenant can consume is a basic protection for all the other tenants. As a tenant, I want that to make sure another tenant cannot deprive me of the services I am paying for.

For an SMB, a user will hit this 500 recipient limit if they send one email per minute all day, taking only 20 minutes for lunch. That’s a lot of time in email. That is an extreme example, and is highly unlikely. What is likely is that a company, trying to save as much money as possible, starts down the path of email marketing, using the Office 365 service to send out bulk email. That is not what Office 365 is for, and they spell that out in the documentation.

In the specific case of the CEO who could not send email; she was a P1 customer, which is a plan targeted at SMBs with 25 or fewer users, and not designed for bulk mailing. She attempted to send a single email to 400 recipients, and was blocked because of the recipient limits detailed in the Office 365 service, which you can find here. Microsoft specifically discusses this limit being in place to restrict spam and control abuse by users. Whether she had already sent 101 messages that day or 499, she hit the 500 in a 24 hour period. That’s a lot of mail no matter how you slice it.

Now I must admit, I seldom read every single thing that is online about a product or service before I buy it; when I hit a limitation I didn’t know about because I didn’t do my homework, that is my fault. Whether I hit the maximum number of shared minutes on my cell phone plan, or the maximum bandwidth on my hosting plan, I opted to try saving money by choosing a smaller plan. When I hit the limits I can either scale back, or upgrade to a larger plan.

Office 365 has suggestions for companies that wish to send higher volumes of messages, which can be found here. For internal use, they discuss distribution groups, which count as a single recipient. For external use, they suggest using an on-premise mail server. That is probably not an ideal solution for most SMBs, but the service limits are in the documentation and they are designed to be fair to the majority. In a shared service, that is only fair.

In the case of sending an email to 400 users, I would counsel any business to use a bulk mail service for fear that, even if my on premise servers could handle the load, the risk of being flagged as a spammer is too high to chance.

When considering any outsourced solution (colo or cloud, co-tenant or dedicated,) make sure you carefully read all of the service descriptions, including service level agreements, limitations, overage charges, etc. and then consider how they apply to your worst case scenario. There are several reasons why such a service is less expensive than doing it yourself. Limitations are a part of that. You need to consider whether or not your business can function within those limitations, and how to address any exceptions.

Will a small business need to send email to 500 users every day? Unlikely, but knowing about that limitation in advance should have been as simple as reading the documentation instead of just skimming the advertising hype. Knowing what you are buying is the customer’s responsibility. Caveat emptor.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Office 365 Recipient Limits – Fighting Spam or Hindering Users?

As you may recall, this was the third such action from Microsoft, but the first time that a named defendant was identified and served with a lawsuit.  A little more than a month after the joint operation that included members of the Trustworthy Computing Team and the Malware Protection System, a settlement has been reached between Microsoft and Kyrus Tech as plaintiffs, and Mr. Piatti and his company as defendants.

During the investigation, it was determined that the command and control systems of the Kelihos botnet resided in domains under the cz.cc domain controlled by dotFREE Group SRO. Microsoft and Kyrus Tech were able to obtain a temporary restraining order to shut down the servers controlling the botnet, which effectively ended a system of over 41,000 compromised computers responsible for sending up to 3.8 billion spam messages per day.

After reviewing evidence gathered from dotFREE Group SRO, it became clear that neither Mr. Piatti nor his company were directly responsible for, or involved in, the Kelihos botnet. The twenty-two John Doe defendants named in the original complaint apparently were using subdomains under the cz.cc domain to conduct their illegal actions without the cooperation or knowledge of Piatti or his company. The use of subdomains to host phishing sites, malware, and c&c systems is a growing problem. Research found that instances of using subdomains nearly doubled last year and continue to climb, with domains in China and Korea being the most commonly used.

While Microsoft has moved to dismiss the complaint against Mr. Piatti and the dotFREE Group SRO, this is not the end of their involvement. The former defendants have agreed to either delete, or to  transfer to Microsoft’s control all of the subdomains involved with the Kelihos botnet. Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit, stated that Piatti and his company will continue to work with Microsoft to “become a role model for the free domain industry, establishing industry best practices in the subdomain space.”

Mr. Boscovich indicated that Microsoft will continue to press legal action against the remaining twenty-two John Doe co-defendants.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Kelihos Followup: Microsoft Dismisses Civil Case Against Some Defendants

The Spam Score is then totaled up and, depending upon the threshold set, the filter determines whether or not the message should be delivered to the inbox or the spam box.

In a recent study, Microsoft did something rather interesting with some of the more common keywords that spam filters use to identify messages as potential threats. They labeled each keyword in a more general category and totaled each instance according to the categories.

While the results are interesting, they probably won’t surprise many people.

The List

1. Pharmacy – Non-sexual: 28%
2. Non-pharmacy Product Ads: 17.2%
3. 419 Scams (Nigerian Prince and other wire transfer scams): 13.2%
4. Financial: 8.9%
5. Gambling: 6.1%
6. Dating/Sexually Explicit Material: 4.8%
7. Phishing: 4.8%
8. Pharmacy – Sexual: 3.8%
9. Malware: 3.4%
10. Image Only: 3.1%
11. Get Rich Quick: 2.5%
12. Fraudulent Diplomas: 2%
13. Stocks: 1.3%
14. Software: 1%

Explaining a Few Things

As always, a majority of the spam comes from product advertisements (pharmaceutical and non-pharmaceutical) because most people don’t fall for the get rich quick schemes and the 419 scams anymore.

The Image Only category may have caught a few second looks as well. This isn’t something that is common to most studies regarding spam because it is a new trick that scammers have been trying lately to trick spam filters.

Remember, spam filters are usually set to look for keywords and phrases so a graphical image with text placed in it won’t see the content flagged as likely spam. Yet while this may seem like a smart ploy by the spammers, the number of instances of this type of spam is actually down from 8.7% a year ago.

The one category that did show the most significant increase was phishing. Its average for the year, 4.8%, includes a January number just under 3% and a June number of just over 7%.

The Blocking of Spam Messages

The same report also looked at how many spam messages were blocked as well for the same time period (July 2010 to June 2011).

While the numbers are down, from 90 billion at the start of the survey period to just fewer than 30 billion at the end, this dramatic decrease is primarily attributed to the takedown of the Cutwail and Rustock botnets that were taken down in August 2010 and March 2011 respectively. However, it should be noted that while the immediately after the Cutwail takedown, the number of blocked messages decreased by over 20 billion, the Rustock closure actually saw an increase from March to April of roughly one billion messages. It wasn’t until May of 2011 that a slight decrease in spam levels was seen.

Predictions

Based on these numbers, there doesn’t seem to be much that can be said that hasn’t already been said already. Spam levels are down, pharmaceuticals are the number one subject of spam and people will still try the money transfer/lottery winner scams.

But there are some other areas that people often ignore.

With an increase in phishing scams over the year, you can bet that the cyber criminals are looking towards more sophisticated ways of depriving people of their money.

The other number to keep an eye on is where the malware category stands.

According to this report, messages containing malware accounted for a little more than 3% of the spam blocked. In fact, the number was one of the least static of the categories, moving from around 2% to over 4% before settling at 3.4%.

The reason this category is so important is because a significant increase here could mean that a new botnet is being built.

It will be interesting to see how the malware numbers stand six months from now. If history does repeat itself, it is only a matter of time before a new botnet is built to replace those that have been eliminated. If this is true, look for it to be even harder than its predecessors to eliminate.

The game is certainly changing in favor of the good guys; however complacency can certainly make fools of anyone who thinks that the war against spam is one based on a few numbers.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

A Look at Spam: Inside the Numbers

Unfortunately spam protection isn’t one of these things.

One way that spam filtering works is by flagging messages that come from specific domains that are known spammers through blacklisting the bad guys and/or whitelisting the good guys. This method is pretty straight forward except that it is hard to know the domains of all the spammers out there, especially when it is so easy to register a domain and even to spoof an email address.

The other common way in which filters identify spam is through Bayesian filtering. This technique gives certain things a probability of being included in a spam message, for instance the word “mortgage” or more than two exclamation points in a row. If a certain threshold is met, the message is labeled as spam and sent to the junk mail box instead of the inbox.

In most cases, the filter learns which of these things are considered to indicate a high probability that the message is spam by being trained. The more users interact with the filter to manually identify spam, the smarter the system becomes. Combined with heuristics, this type of filtering can offer some pretty good protection against junk.

However sometimes the filters are too smart for their own good.

In a recent article for Computerworld, Preston Gralla took readers through his experience with the updates to Hotmail.

As one of the most heavily used free email systems, Hotmail has to protect its users from spam or they will simply switch over to Yahoo! or Gmail.

But should it be flagging messages from Microsoft as suspicisous?

When you consider that Microsoft owns Hotmail then the answer is definitely not.

And that is exactly what happened to Mr. Gralla who stated:

I logged on to Hotmail this morning, to see if any of the new features, such as better managing graymail such as newsletters had been turned on. To my surprise, the first message in my inbox, from Microsoft’s Windows Phone Insider, with the sending email address microsoft@email.microsoft.com, was targeted as being suspicious. Hotmail placed a red X danger symbol at its top, and included this warning:

“This message looks very suspicious to our SmartScreen filters, so we’ve blocked attachments, pictures, and links for your safety.”

Now Microsoft knows what it is doing when it comes to software. They have some of the most talented engineers on the planet.

The problem here comes from the fact that Microsoft doesn’t specialize in spam filtering. Neither do the other free email providers like Google or Yahoo!. They offer some pretty good protection for the home user but can a business user risk losing out on important emails because the spam filter isn’t up to par?

The advantage of a custom solution

The more advanced spam filters work in similar ways to the ones used by free email services so the technology is not to blame for false positives. It is the management.

When a company puts a solution in place to fight spam, they can customize it to fight spam in a way that is best for their business.

A good example can be a doctor’s office.

Most likely, the inboxes of a doctor and his or her staff are going to commonly receive messages pertaining to pharmaceuticals. It’s a part of their business.

And since most spam filters are set to recognize words like Viagra, Vicodin and other medications as junk, important information regarding these drugs could be missed.

But a solution that allows the doctor’s office to identify messages from the pharmaceutical companies and representatives as legitimate would help prevent false positives because the IT staff has the ability to tune the filtering engine to accept certain things and deny others.

There are many other reasons why an organization would want to choose a more comprehensive anti-spam solution as opposed to something that is just good enough but the mere fact that you have control over how the filters react to messages should be reason enough.

Especially if you are finding that messages from your own company are flagged.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

When Spam Filters Are Too Good

Microsoft has filed a lawsuit against the head of a Czech malware ring that controlled a botnet that infected tens of thousands of computers. The company believes Dominique Alexander Piatti, a Czech resident, is the mastermind behind the Kelihos botnet, and says Piatti rented it out to other cybercriminals. A company named dotFREE Group S.R.O is also named in the suit.

“The Kelihos Botnet operators sell botnet capacity as a service, including the capability of sending spam email to perpetuate fraud, to collect financial and personal data, and to distribute harmful and malicious software,” Microsoft alleged in court papers filed in U.S. District Court for Eastern Virginia.

Last week, Microsoft won a court order that demanded that the U.S. based hosts of the botnet’s  cz.cc domain to cut service to it, thereby severing the domain’s link to the computers it infected. It says this is the first time a botnet operator has been named in a civil suit.

“Naming defendants in this case marks a big step forward for Microsoft in making good on its commitment to aggressively protect its platform and customers against abuse from whomever and wherever it may originate,” a company attorney said in a statement.

This isn’t the first time a botnet operator has been sued, but does it make sense? Winning such a suit really doesn’t achieve much as the likelihood of collecting whatever judgment is levied against the botnet operator is slim to none, and it’s not likely to stop them from committing their crimes either. Are the legal fees and time spent worth it to simply prove a point? Do you think suing spammers and botnet operators is a good practice?  Has your company ever sued a spammer? Please leave a comment and tell us what you think!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Microsoft Taking Aim at Kelihos Botnet

Operation b79 is the codename assigned to the investigation, the third major initiative of Project MARS, the Microsoft Active Response for Security program. The DCU worked closely with the Trustworthy Computing Team and Malware Protection Center to combat botnets, which benefits the entire Internet community; not just Microsoft’s customers. Kelihos may not have been as large as Waledac, but with an estimated 41,000 compromised hosts, it was capable of sending out over 3.8 billion spam messages a day. Kelihos was spreading, which means that this takedown probably prevented a larger problem from happening.

The DCU gathered enough evidence against the defendants to obtain an ex parte temporary restraining order, which was issued by the US District Court for the Eastern District of Virginia. Kyrus Tech, Inc., a declarant in this action, is based within that jurisdiction. The restraining order enabled the severing of connections between infected computers and the command and control servers hosted within the cz.cc domains.

Notices of civil court proceedings were served to Piatti the same day. While Kelihos was not as massive a botnet as Waledac, this represents the first time that a named defendant was served notice the same day as the botnet was taken offline. Work is ongoing to identify and serve the other twenty-two defendants.

Microsoft’s Digital Crimes Unit (DCU) analyzed the Kelihos code, and identified large segments of the code in common with Waledac. This indicates that both were developed by the same author(s), or that Kelihos is an updated version of Waledac. The DCU also determined through their investigation that Piatti and the dotFREE Group SRO, along with others, own the cz.cc and subdomains including lewgdooi.cz.cc, and were using them to control the Kelihos botnet. These and other subdomains are associated with other suspect activities, including the delivery of the MacDefender scareware that infected computers running Apple’s operating system. Google had also previously blocked domains under cz.cc from search results because the websites were hosting various types of malware.

Notices of civil court proceedings were served to Piatti the same day. While Kelihos was not as massive a botnet as Waledac, this represents the first time that a named defendant was served notice the same day as the botnet was taken offline.

You can read more about the DCU investigation, and the legal actions taken against the defendants at http://blogs.technet.com/b/microsoft_blog/archive/2011/09/27/microsoft-neutralizes-kelihos-botnet-names-defendant-in-case.aspx.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Microsoft Does it Again, Takes Down Kelihos Botnet

Microsoft has included security functionality in the workstation versions of its operating systems for years starting with Windows Vista. The Windows Defender product has also been available as a separate download that could be installed on XP. Windows Defender offers spyware detection and removal, and a pop-up blocker.

Microsoft’s Security Essentials is a free antimalware solution that offers realtime protection, scheduled and on-demand system scanning and cleaning, automatic updates, rootkit protection, and integrates with the Windows Firewall. It has been available as a free download since 2009, and can run on Windows XP SP3, Vista SP1 and SP2, and Windows 7.

Defender is good protection against spyware, but does not offer the full scanning capabilities of full antimalware products. Security Essentials provides much more protection, but must be downloaded and installed by the user, and as we all know, many end users are not sophisticated enough to recognize the importance of malware protection, or to install it themselves.

At the Build Conference, Steven Sinofsky, president of the Windows and Windows Live division, spoke about some of the new security features included in Windows 8. According to Sinofsky:

 ”…we’ve taken Defender, and we’ve actually built a whole new range of protection, all the way up through antimalware, antivirus, all that is built into Defender.”

With antivirus and antimalware protection built into the operating system, all consumer users of the platform will have basic protection against malware from downloads or email attachments. With so much of the spam and phishing messages clogging the tubes today coming from zombie computers, reducing the opportunities attackers have to compromise non-technical users will help everyone.

Additional security features include Secure Boot, which can detect malware on bootable media and prevent the computer from starting off of USB sticks, and image based logins to make it harder to guess passwords while facilitating user login.

Microsoft has encountered problems in the past for including their own versions of applications in their operating system. Critics have accused Microsoft of anticompetitive behaviours, prompting the company to release versions of their operating systems in Europe without a web browser, and in Korea without a media player.

While I believe that any user who couldn’t figure out how to install an alternative version browser or media player probably is worse off getting an operating system without anything at all, I hope Microsoft makes it very easy for a user to install a third party antimalware application, and that regulators understand that including this protection makes things better for everyone. With the software due to ship later this year, we won’t have long to wait before we find out how this plays out.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Security Will Be Baked Into Windows 8

Taking down one of the world’s largest and most infamous botnets isn’t enough for Microsoft. Now they want the masterminds behind it and are willing to pay big bucks to get them. According to EWeek, the company is offering $250, 000 to anyone who provides information leading to the arrest and conviction of the individuals responsible for creating and running the Rustock botnet.

“This reward offer stems from Microsoft’s recognition that the Rustock botnet is responsible for a number of criminal activities and serves to underscore our commitment to tracking down those behind it,” Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit, wrote in a July 18 email posted on The Official Microsoft Blog. “The legal action Microsoft has taken in civil court has already been successful, helping us take down the Rustock botnet and disrupt its operations.”

Rustock was taken offline by a joint effort of Microsoft and the FBI earlier this year. At its peak it was responsible for nearly half of the world’s spam volume, with nearly 2 million zombie computers at its beck and call. The botnet’s IP addresses were blocked after the FBI, armed with an injunction won by Microsoft, seized its command and control servers. The servers were located at 5 hosting providers around the country: Denver CO, Scranton, PA, Kansas City, MS,  Dallas, TX, Chicago, IL, Seattle, WA and Columbus, OH.

Microsoft has been taking a very hard line on botnets recently. It also took credit for taking down the Waledec and Coreflood botnets.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Want a Cool $250K? Nab a Spammer!

Seven thousand users across the United States, Canada, the United Kingdom and Ireland were surveyed. Of the respondents, 22% had received at least one phone call from someone pretending to be a security engineer, while 3% were sufficiently fooled into following the attackers instructions.

After convincing the victim that their machine was at risk, the attacker proceeded to attempt one of several attacks. These included convincing the victim to provide him/her with remote access to their computer so that they “can assist with removing the malware”, leading them to download software which contained malware, or providing credit card information to pay for assistance.

Here are some of the key numbers from the report:

• 79% of the victims suffered a financial loss
• The average amount of money stolen was US $875
• 67% of those who lost money were able to recover some of it
• 53% said they suffered subsequent computer problems
• The average cost of repairing damage caused to computers by scammers was US $1,730.
• In the United States, the cost was much higher; $4,800.
• 67% of those who lost money were able to recover, on average, only 42% of it
• 17% experienced some form of identity fraud.

Microsoft included some advice to go along with the report; this included:

• Be suspicious of unsolicited calls related to a security problem, even if they claim to represent a respected company
• Never provide personal information, such as credit card or bank details, to an unsolicited caller
• Do not go to a website, type anything into a computer, install software or follow any other instruction from someone who calls out of the blue
• Take the caller’s information down and pass it to the authorities
• Use up-to-date versions of Windows and application software
• Make sure security updates are installed regularly
• Use a strong password and change it regularly
• Make sure the firewall is turned on and that antivirus software is installed and up to date.

Anyone who believes they may have fallen victim to a similar scam is advised to take the following actions:

• Change their computer’s password, change the password on their main email account and change the password for any financial accounts, especially bank and credit cards
• Scan their computer with the Microsoft Safety Scanner to find out if they have malware installed on their computer
• Contact their bank and credit card companies.

As computer professionals, such calls may be obvious to us, but we owe it to our coworkers, our friends, and our families to get the word out on these sorts of attacks. Scammers are going after the weakest link in security - the end user - and it is by raising awareness of these sorts of attacks that we can provide those who are not IT professionals with the best defense we can - knowledge.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Microsoft warns of telephone phishing scam

Microsoft has asked a judge for permission to hack into Rustock’s servers after the company brought the giant botnet to its knees last month. The request came after the botnet’s operators refused to show up in court. Microsoft wants to delve into Rustock’s innards hoping they will reveal information that will lead to the operators’ identities. The servers have had nearly 2 million IP addresses attempt to connect to them for instructions and software updates.

“As expected, given the nature of the case, the defendants did not appear in court yesterday, meaning that the case will go on,” said Microsoft Digital Crimes Unit senior attorney, Richard Bozcovich, last Thursday.“We will now move the court to allow us due discovery of the evidence gathered from the seizures, including dozens of server hard drives, to learn what we can about the identity of those behind Rustock.”

Microsoft’s investigation led to a hosting service reseller in Eastern Europe. The reseller, who has not been identified, caters to spammers and other cybercriminals. However he was very happy to snitch on his client, who was using the reseller’s services to host over a third of the botnet’s C&C servers, after they skipped out on their hosting bill to the tune of $1600. From there the trail led to a payment service called WebMoney and an account there with links to SpamIt.  Microsoft hopes that by hacking into the service it can learn more and track down Rustock’s operator. They also fear that the botnet could come back to life and further compromise the millions of Windows machines it controls.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Microsoft to Court: Let Us Be Hackers!

Blekko, the nascent search engine that launched last November, announced last week that it has identified over a million web domains as spam and blocked them from its search results. Utilizing a technology that Blekko calls its AdSpam algorithm, the move could have tremendous implications, at least for the users of Blekko, which reports a million queries a day and about a half million users each month. Rather than adopting Google’s method of lowering the rank of suspicious sites in its search results, AdSpam instead takes a scorched earth policy by identifying sites that are laden with ads and light on content, and blocking them altogether

The move of blocking 1.1 million domains has the direct effect of removing potentially hundreds of millions of spam pages, an achievement of which Blekko CEO Rich Skrenta is tremendously proud.

“Domains with low quality content plus keyword ads are ‘machines that print money,’ Skrenta has been quoted. “If you make a machine to print money, people will exploit it.”

According to Blekko, AdSpam is “a machine-learning algorithm that examines pages for a specific spam signals — the presence of multiple display ad positions on a single page and thin to zero content. Unlike algorithms used by other search engines, AdSpam is being used in conjunction with human curation to detect [Spam and] continue the War on Spam.”

What makes Blekko unique is its search method utilizing slashtags to pinpoint search and minimize spam results. By targeting content farms that push spam (like eHow.com and answerbag.com), Blekko has managed to provide what it feels is the path to “better search results…by using an algorithm that was created to kill spam, not just crawl it.”

This latest development is just another foray in a war that both Google and Blekko have committed to fighting.

“In the past, our efforts to clean-up search have included our partnership with the Stack Overflow community,” states the Blekko blog, “and our public banning of the top 20 sites most users marked as spam at Blekko.”

What remains to be seen is what both engines have up their sleeves. According to The New York Times, Skrenta hasn’t been squeamish about calling out Google.

“Google didn’t actually take anyone out, they just reshuffled the deck. Instead of demoting these sites to No. 5 or No. 7, we’re just throwing them out.”

It should be stressed that Googoliath hasn’t exactly been sitting on its hands. In the past several months there has been a public backlash on the deteriorating quality of Google’s search results. The company has responded with series of remedies, including updated search algorithms and the penalizing of low quality sites like content farms. In fact, RCR Unplugged reports that the recent ‘Panda’ update to Google’s algorithm caused such a swing in page rankings that how-to site Mahalo had to lay off staff almost immediately.

Most recently, Google reports that it’s adding a ‘Block All Results’ option that will live right next to the ‘Cached’ and ‘Similar’ buttons, so that users can choose to weed out the spam that seems to have mastered the art of worming its way into the top ranks of Google. Even though Google’s blog talks about this functionality as if it’s already here, there’s no indication if or when it will become active – a search performed while this article was written revealed no ‘Block’ link – please feel free to leave a comment if you’ve seen it in the wild.

Admittedly, there are inherent problems with Google’s proposed solutions. First, it’s difficult to identify an entire site as spam simply from search results. Also, sites like Mahalo will suffer from algorithms that box up their criteria in a way that may misidentify legitimate sites. For example, Google’s new algorithms are based on the consistency of content – a site that focuses on one topic, like healthcare, will probably not be flagged whereas a generalized site with content based on a variety of topics may suffer the wrath of the giant G. By its own admission, Google states “generally low quality” of content as a reason to block something. For sites which rely on user-generated content by nonprofessional writers, this could end up being a troubling trend.

So who has the right formula? Bing and Yahoo! haven’t really entered the fray as of yet, perhaps waiting to see what Google has to say on the whole matter of spam sites. Blekko, on the other hand, has chosen to lead and not to follow, a move that could greatly benefit the company as searchers seek alternatives to the millions of results being passed back to the end user. By being proactive, they certainly seem to be taking the war to the content farms and the unending battle between search engine and spam.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Blekko Identifies Over a Million Domains as Spam

The Rustock botnet was estimated to control over one million zombies (infected computers) and was capable of sending billions of spam messages per day.

Operation b107 was a cooperative effort between the DCU, the Microsoft Malware Protection Center and Trustworthy Computing. After several months of investigation, cooperation with legal authorities, and a hearing before the U.S. District Court for the Western District of Washington state, U.S. Marshalls accompanied DCU staff to serve warrants at multiple hosting providers. Servers were taken off-line and seized after Microsoft files suit against the anonymous person or persons responsible for operating the Rustock botnet.

In Case C11-022 “Microsoft Corporation v. John Does 1-11 Controlling a computer botnet thereby injuring Microsoft and its customers,” Microsoft alleged several violations of computer related laws and the abuse of Microsoft’s trademarks. Laws cited included the Computer Fraud and Abuse Act (18 U.S.C. § 1030,) CAN-SPAM Act (15 U.S.C. § 7704,) and multiple violation of the Lanham Act (15 U.S.C. § 1114 and 1125) made possible by the number of spam messages that purported to be from Microsoft or offering Microsoft software.

The 48 page PDF of the complaint opens with this

Plaintiff MICROSOFT CORP. (“Microsoft”) hereby complains and alleges that JOHN DOES 1-11 (“Defendants”) are controlling an illegal, notorious, and world-wide computer network known as the “Rustock botnet,” made up of end-user computers connected to the Internet, which Defendants have infected with malicious software, and which Defendants consequently can and do direct and control for nefarious and illegal purposes through servers connected to the Internet.

The suit goes on to describe the laws violated, and asserts jurisdiction based on the damages done to residents of Western Washington state and the costs incurred by Microsoft both to protect customers and to assist with disinfecting those machines which we infected. It also includes a detailed description of the muti-tier architecture of the Rustock botnet, and shows the traffic generated by a ‘baseline’ Windows computer connected to the Internet and idle, then compares that to the traffic generated by a Rustock infected zombie, which includes hundreds of DNS lookups and over a thousand email messages sent in a 24 minute period.

The complaint goes on for a total of 35 paragraphs before getting to the meat, which includes eight claims for relief to include compensatory and punitive damages to be determined at trial. It also includes an appendix listing all of the Internet Service Providers hosting servers that controlled the botnet, and a listing of the domain names involved, which goes on for 18 pages three columns each.

It is actually a fascinating read if you have any interest in the legal working of such an action, and I recommend it to you if you do. If you want a little more technical information, and a little less legalese, the DCU maintains a website at http://www.microsoft.com/presspass/presskits/DCU/. On that site you can read more about the DCU’s activities, as well as learn more about how they took down one of the largest sources of SPAM on the Internet.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Takedown: Microsoft’s Digital Crimes Unit helps take down Rustock

Rustock is dead, thanks to Microsoft. As of 11:30am Wednesday, March 16^th, it has ceased sending spam completely. The company, with the help of the U.S. Marshalls, killed the giant botnet by raiding ISPs and Internet hosting facilities in Kansas City, Mo.; Scranton, Pa.; Denver; Dallas; Chicago; Seattle and Columbus, Ohio. The company seized computers and hard drives which it claimed where the botnet’s command and control servers. The court order granting them the right to do so was granted as a result of a lawsuit they filed against the still unknown criminals behind Rustock.

“This botnet is estimated to have approximately a million infected computers operating under its control and has been known to be capable of sending billions of spam mails every day,” Richard Boscovich, senior attorney in the Microsoft Digital Crimes Unit, wrote in a blog post today.

Microsoft claims the owners of Rustock have infringed on their trademark by sending advance fee fraud spam that claimed the recipients had won a lottery sponsored by the company, and also that the pharmaceutical spam pumped out by the botnet taxed Hotmail’s servers and exploited vulnerabilities in Microsoft products like Office and Outlook.

This is the company’s second victory against spammers. Last year they confiscated thousands of IP addresses being used by the Waledec botnet and managed to bring that spam operation to its knees as well.

Will Rustock rise again? That remains to be seen, but it’s likely that if it doesn’t a new one will be happy to take its place. In the meantime, its death has knocked spam levels down significantly, so let’s enjoy it while we can!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Microsoft Brings Rustock Down