In this edition of Spamfoolery, we uncover the all-seeing eye of Sauron to take a sobering look at the state of intelligent thought in the spam world. Hold onto your boots. This one is not for the sense of humor challenged.

Each Sunday, I write my blog post, and while my mind’s always thinking about what I’ll be writing this coming week, I don’t really consciously come up with anything salient until Sunday morning itself rolls around. Sitting with my first cup of coffee, I browse the spam news and discover what nefarious new exploits the scumbags (spambags? I don’t know, it has a nice ring to it) are unleashing on the world; and in the course of that haphazard process, something shakes loose.

This week was no exception as the spam gods smiled upon me once again. This morning, I checked my email to discover that one of my former students sent me messages in Twitter. A nice fellow this former student, I instantly recognized the messages as Twitter intercepts…clearly, his Twitter account has been compromised and, wouldn’t you know it? As I’m writing these words, another message just came through. All the messages are the standard shenanigans one expects from spammers: “you too can be three inches taller,” “The most defiant fillies [sic] will strive for riding your new big Italian stallion” (seriously, that’s a real one. For more, look here), “I saw your wife naked with the village idiot last week, check pictures here,” “I know what you did last summer…” Okay, that last one may have come from a movie, but you get the point.

In the case of my former student, a clear tip-off – beside the apparent lunacy of his messages – was a common factor: a Russian URL at the end of each message. Now, I may be cozied up in the Great White North of Eastern Canada, but the northern climate is my only connection to Moscow. Well, maybe that and I like Borscht, but those are the only two similarities. Vodka too, but those are the only three similarities. Solzhenitsyn, Dostoevsky, Tolstoy, Rachmaninoff, Tchaikovsky, those funny dancing bears, Anna Kournikova…ah hell. Look, as the crow flies, Russia is 5,000 miles due east, okay?

So receiving these messages (you can see them above), I was forced to wonder, once again, just how stupid these spammers think I am – and by association, just how stupid they must be. Anyone following my blog knows exactly what I think of spammers, so it shouldn’t come as any surprise that I have an extremely low regard for these scum-of-the-earth, little-old-granny-scamming, make-my-inbox-flood-with-pure-crap-on-a-daily-basis, scam artists. Try saying that ten times fast.

All this ire forced me to consider, once again, whether spammers really are stupid, or whether they just act stupidly. Once again, I came up with a frustrating answer: it’s all of the above and everything in between. Yes, spammers are stupid and yes, they are wily, calculating and yes, even intelligent. Confused yet? Me too.

Look, it would be so much easier if we could simply write them off as being morons, and the bulk of the spam email sent each day would give any jury an easy way out when deliberating whether these guys are guilty of being just plain dumb. It would be so much easier going to bed each night knowing that we had nothing to fear from these jerks. Reality however, is a harsh mistress, and the simple fact is they’re not as dumb as we want them to be.

Spam IQ, Anyone?

With that in mind, I set out to categorize the spammers in the best possible way I could imagine: the Spam IQ test. Like the widely-criticized Intelligence Quotient, there’s no real science to it, but it is fun to consider. So, without further ado:

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spamfoolery: Stupid is as Stupid Does Edition

Anti-spam watchdog The Spamhaus Project is back at it again, providing prime fodder for anyone who appreciates a good brawl. This time, the guardian of all things spam challenges a Dutch ISP to a measure-off, and it looks like the locker room is going to clear out for this one, folks.

Ah, Spamhaus. For anyone with a well-honed sense of humor and irony (and I’m one of them), your 2011 has been a year worthy of a Monty Python sketch, or at least a stint on The Office (the real one, not the spate of so-so spinoffs). If you haven’t been keeping up with the venerable Spamhaus Project, here’s what’s happened so far: a not-for-profit venture based in the U.K. and founded by Steve Linford in 1998, The Spamhaus Project is responsible for identifying and blacklisting spammers, a noble venture to say the least. They made news earlier this year when a five-year long battle with the now defunct e360 Insights, LLC came to an unceremonious if not hilarious close. e360, which filed suit against Spamhaus back in 2006 for defamation to the tune of $130 million, was awarded three U.S. dollars. And they say that bad things don’t happen to bad people (in case that’s unclear, the bad people are e360).

Not Safe for Work?

Not to be outdone, however, Spamhaus has followed up with what appears to be a pending measure-off in the locker room. In a virtual sense, parents, you may want to usher your children out of the room for this one. Spamhaus routinely provides anti-spam DNS blocklists, or DNSBLs, which are widely used by ISPs – almost three-quarters of the Internet, according to Spamhaus – to reduce the amount of spam channeled through their email systems.

What’s in a Name?

Recently, the organization put in for a request to block all the traffic of a German ISP called Cyberbunker, more infamously known as CB3ROB. If you haven’t heard about CB3ROB, here’s a little taste. The ISP is best known for providing services for The Pirate Bay, which has been making news of its own recently.

CB3ROB, by Spamhaus’ accounting, “has long [been] seen involved in hosting cybercrime and spam outfits”. In fact, states Spamhaus, “If the name sounds familiar, it is: CB3ROB A/K/A ‘CyberBunker’ has a long history of run-ins with the law. It was also a host of the infamous “Russian Business Network” cyber-crime gang broken up by the FBI and other law enforcement agencies.”

Spamhaus also notes that their SBL (Spamhaus Block List) listings of CB3ROB have been:

“mounting steadily during 2011 for hosting malware, phishing and websites selling fraudulent goods advertised via spam.”

All in all, the type of pond scum we all know and despise, so no worries, right? Block away, Spamhaus!

But Wait…There’s More!

While there’s nothing unusual about Spamhaus’ treatment of CB3ROB, the real fun begins when a new player enters the arena – in this instance, a small Dutch ISP, A2B Internet. How are they involved, you ask? Well, simply put, cyberscum CB3ROB actually has a few server racks with one of A2B’s partners. Recognizing this, Spamhaus made several attempts to notify A2B, but apparently received no response. According to The Register:

“A2B, as an upstream provider, refused to block the full IP range of Cyberbunker and decided to block only one particular IP address that Spamhaus had identified as a source of spam.”

Not one to be shunned or ignored, Spamhaus decided to include the full range of A2B’s IP addresses in its block list. Not surprisingly, A2B was none too pleased about it, particularly when several of its clients’ services went dark. In fact, according to The Register, A2B Managing Director Erik Bais reported that some of A2B’s clients, “were practically offline as a result and couldn’t send or receive email.”

What’s a Poor ISP to do? Why, Call the Cops, of Course

Desperate, perhaps, A2B responded by filing a complaint with Dutch police, claiming that they were being “blackmailed,” according to The Register. In fact, if your curiosity hasn’t already gotten the best of you, you can go ahead and read Spamhaus’ humorous accounting of the incident, where Spamhaus reports that A2B also accused Spamhaus of “extortion” and “carrying out a ‘DoS attack’ on [A2B’s] network.”

So? Whose is Bigger?

This one’s just beginning, folks, so for now we’ll let you ponder the issues purported by both sides. Please chime in. Has Spamhaus overstepped its boundaries? Is A2B correct in its claims, or is it just clutching at straws? Or is this just another lame episode of “When Male Egos Attack?”

Weigh in and lay your bets before the real measure-off begins.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spamhaus to Dutch ISP: Show Me Yours and I’ll Show You Mine

In an increasingly litigious world, it’s easy to tune out when you hear that one company is getting sued by yet another company for infringements – real or imagined. But in this edition of Spamfoolery, you’ll want to stay tuned to hear how much e360 Insight was awarded in the culmination of its long-running feud with the Spamhaus Project.

At very least, the endless litany of lawsuits in the tech world provide great fodder for blog writers. Even better, they also offer up a hearty chuckle once in a while, and the recent verdict in the long-running suit of e360 Insight LLC. v. the Spamhaus Project is no exception.

First, a little background to whet your appetite: in case you weren’t already familiar with it, the Spamhaus Project is a not-for-profit organization based in the U.K. and founded in 1998 by Steve Linford for the sole purpose of identifying and tracking spammers. All in all, pretty good stuff, since most spammers suck. I say ‘most’ because I still contend that the world needs some spammers – in much the same way I hate spiders, yet I acknowledge the need for spiders to keep other nasty vermin from spreading the way the Spanish Flu did in 1918.

Tune in for Another Episode of “As the Spam Turns…”

e360 Insights, LLC, on the other hand, is the alleged vermin in this soap opera. Way back in 2006, American Dave Linhardt, operating under the umbrella of e360, filed suit against Spamhaus for blacklisting his emailings and effectively labelling Mr. Linhardt a – you guessed it – spammer. Initially, the suit was tried in U.S. Federal District Court in Illinois, but the American law firm hired by Spamhaus petitioned the court to relocate the trial to the U.K., arguing that Spamhaus did not fall under U.S. jurisdiction. It gets more interesting from here on in, because the judge at the time ignored the request and British M.P. Derek Wyatt called for the American judge to be suspended from his post. Spamhaus also pulled out of the trial, prompting the judge to award e360 $11.7 million in damages.

Spamhaus refused to accept the judgement, stating that the court’s ruling had, “no validity in the U.K. and cannot be enforced under the British legal system.” Following the ruling, e360 filed suit to force ICANN to remove Spamhaus’ domain records until the matter was settled, inciting another interesting development. ICANN, a U.S. based entity with international responsibility for domain names, refused, stating they didn’t have the authority to cancel a British website’s domain records. In this matter, the same judge who awarded e360 the big chunk of cash sided with ICANN and Spamhaus, and poor little e360 found itself facing new problems.

It Gets Better…

In 2007, Chicago law firm Jenner & Block took Spamhaus’ case pro-bono and had the original damages overturned, thus sending the case back to district court. In early 2008, e360 filed for bankruptcy and terminated operations, citing its excessive legal costs in the matter of e360 v. Spamhaus.

Wait for it…

In 2010, another court reduced the damages from $11.7 million to $27,000, all this in the face of e360 filing for $135,173,577 (adjusted to $122,271,346 a week before trial) in damages!

Keeping in mind that: “the district court cited…Linhardt’s testimony regarding contracts with three customers who collectively paid e360 $27,000 per month for services performed,” it’s no surprise that the new judge in the case blasted e360’s counsel, stating: “this is just totally irresponsible litigation… You can’t just come into a court with a fly-by-night, nothing company and say ‘I’ve lost $130 million.’”

Wins Enough to Buy a Coffee!

Now for the really good part. On September 2, 2011, the soap opera finally came to an end, with the judge in the matter awarding e360 $3 in damages - no, that wasn’t a typo – from an asked $130 million to an award of $11.7 million, to $27,000, to (almost) enough to buy a coffee at Starbucks!

Who Said There’s no Justice for Spammers?

It sucks to be you, e360! It’s fun writing these articles, and I often find myself giggling like a schoolgirl when I write them. The case of e360 v. Spamhaus has been no exception, except that the ear-to-ear grin on my face has been accompanied by outright laughter as I sit alone by the pool, typing like a banshee. A strange sight, to be sure, and if any of the neighbors are watching, they must think me mad.

Maybe I am, but today I’m very happy.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spamfoolery: Sucks to be You Edition

Sigh.

Recently, a number of high profile botnet takedowns have made spammers’ migrations to more sophisticated and lucrative endeavors all but a fait accompli. The global law enforcement community, by kicking the hornet’s nest, has made our lives a little more difficult by encouraging the spammers to make their approach a lot more surgical. Almost as if they’re coordinated, à la the mafia or even heavily funded, state-sponsored operations. I know, it’s unlikely that any country is morally bankrupt enough to fund spear phishing, but it is tempting to imagine massive data centers in high tech buildings, filled with workers pounding away at their keyboards, like an infinite number of monkeys working on the perfect scam to take down an infinite number of unsuspecting targets. And that takes money. It’s not like these spammers were independently wealthy to begin with – if they were, then why would they bother? They could already afford their own ketchup. Furthermore, I doubt spammers are walking into banks applying for loans to set up well-funded scams.

A couple of months back, we were warned that spammers are getting smarter and more organized, when Cisco Security Intelligence Operations (SIO) published a report entitled “Email Attacks: This Time It’s Personal.” In it, Cisco SIO points out that spammers have moved away from tried and not so true ‘throw-it-against-the-wall-and-see-if-it-sticks’ method, and instead have become more calculated and yes, even sophisticated in choosing spear phishing over bulk phishing. After all, why cast a net that may yield nothing when you can pluck the fish out of the water, one at a time? That is the theory, and Cisco’s numbers seem to back up the bad news: spammers are getting smart.

Nearly two months after the Cisco SIO report, a new paper published by a security company backs up the speculation. According to marketwire.com, security firm Internet Identity (IID) is reporting that more than half of all enterprises were victimized by spear phishing in the past year. The report also identifies that “phishers are becoming more sophisticated criminal marketers,” and that high profile data breaches on large companies like Sony and Epsilon have only underscored the insecurity of personal data, the lifeblood of spear phishers. Noteworthy too is that security firms themselves have come under attack.

As an example of how sophisticated the phishers have become, the article notes that:

“phishers increasingly used a technique called URL rewriting to target multiple legitimate domains simultaneously through compromised shared servers that host hundreds of unique URL’s at a single IP address. Compromising thousands of legitimate domains with good reputations in their attacks allows phishers to bypass many anti-spam measures and increase deliverability of their lure messages.”

The report also notes a quarter over quarter increase in phishing by 11%, a whopping number which suggests that while our junk email folders may get lighter, our guard is going to have to be raised for the very real possibility that someday soon, someone’s going to try to poke you in the eye with a spear.

On an organizational level, this is a tremendous kick in the pants. As I’ve stated previously, I never worry about myself, because I know what to look for. Last month, I received a phone call from someone claiming to be from Microsoft. The chap informed me that Microsoft was calling all Windows users to help them avoid a security breach in the operating system. In between soft chuckling on my part, I goaded him on a bit before yanking the carpet out from under him. “I’m an IT professional,” I explained. “Why don’t you explain the problem and I’ll fix it myself?” That was enough to get rid of him.

Now, how will you go about giving everyone you know the knowledge they need in order to tell reality from fantasy?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Phishin’ Magicians: Think the Spammers are Getting Smarter? You’re Right.

The purists may suggest that we should never have made things smaller. They might even postulate that the age of innocence is over, and they would probably be right; but a new age is just beginning, and the dinosaur-sized PC that sits on your desk is now just that: a dinosaur. The ‘Big Ol’ Beast,’ as I like to call mine, sits there and stares at me sometimes, seemingly pleading with me: “pay attention to me!” “Use me!” it begs. “Bigger is better!” it pouts.

I just chuckle and Swype my finger across a shimmering sheet of Gorilla Glass, giggling like a school girl when a word is transposed into the message I’m composing, without my finger ever leaving the virtual keyboard.  Holding a fully functional computer in the palm of my hand is surreal and downright unbelievable, especially when I think about my first computer, an Atari 400 with a flat membrane keyboard, 4 Kilobytes of RAM, and the ability to display a whopping 256 different colors onscreen simultaneously. The wonderment I felt while pounding out (literally – you had to press hard on those keys) games in Atari BASIC seems like only yesterday, but the tech world is a time machine and I’ve been transported into the 21st century – where smaller is better, and just when you thought it was safe to download that new Sudoku game for your shiny new mobile device, you should think again. For as our tech gets smaller, so too does the world we live in.

“Mr. Data – Engage”

Allow me to dispense with a formality: it is Android of which I speak. I’m not going to get into a lengthy debate here, but I’m dismissing the iPhone and iOS from this discussion. While there are many millions who would vehemently disagree with me, I believe the Android OS, and the phones that support it, to be vastly superior to Apple’s offerings – and it appears there are many millions who would agree with me. As a developer who strongly believes in sharing over hoarding, I’m an open-source guy and always have been.

The problem with open-source is that while it promotes the highly admirable philosophies of collaboration, sharing, and (often) freeness, it also sends a message to the lowlifes and scum of the earth. You know the types: those who will scam little old grandmothers out of their life savings. The despicable cross-section of society that often makes me ashamed to admit I’m part of that society. The scammers and spammers – the pond-scum phishermen, as I like to call them.

Security Breach

Herein lies part of the problem: society just can’t turn down something that’s free. If the Android OS has one significant problem, it’s that its open-source nature allows anybody to put free or advertising-supported content on the Android Market. It’s no secret that Google has had their share of problems with previously valid applications being reupped to the Market, replete with all sorts of security exploits. And while it seemed strange to me to install a firewall and antivirus software on my phone, in my mind it was a pure necessity and the first thing I did when I set up my phone. (Note: this is where I tip my hat to Apple’s closed, often oppressive, approach to its marketplace. Oppressive or not, I never sensed a security threat to my iPhone).

Spam Magnet

That device in your pocket is infinitely more dangerous than anything you ever plugged a keyboard and mouse into. The open-source feeling and the sense that you’re holding a teeny-tiny little PC in the palm of your hand provides a false sense of security, one that turns your phone into a spam magnet. It’s easy to forget, especially if you’re not an IT professional, that not all spam filters are created equal. Indeed, the very nature of mobile devices means we use them on the go, making that device in your pocket a spam attack waiting to happen.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Bigger is Better: Why Your Pocket is Filled with Spammy Goodness

If you have been spending your holiday in a Luddite community, and are only just getting back online after a relaxing summer without Internet connectivity (how could you possibly relax without Internet connectivity???). Google+ is the latest invite only craze from the gang in Mountain View. I have heard it best described as being “like Facebook, but not Facebook” which is really all it took to get me interested, since I don’t do Facebook, but feel like I might be missing something as a result.

Like many of Google’s other product debuts, Google+ is currently in “invite only” mode, which is a great way to build buzz, make people want it if they don’t already have it, and to try to control growth. That last bit didn’t work out so well though, as last weekend the company that offers impossibly large mailbox sizes ran out of storage space on the system that tracks Google+ notifications. When a Google+ user (we’ll call them the lucky ones) adds you to a social circle within their Google+ space or comments on something that you have shared or posted, a notification is sent to you so you are aware of this activity. Think of it as email notifications for your wall as well as your social circle popularity.

Unfortunately, when the notification system ran out of space, it could not log that it had sent a notification, so it continued to do so, again and again, for a period of about 80 minutes. While not all Google+ users were affected, many of its estimated 4.5 to 6 million users were. Vic Gundotra, Google’s Senior Vice President in charge of Google+, issued a short but sweet apology to users.

Please accept our apologies for the spam we caused this afternoon. For about 80 minutes we ran out of disk space on the service that keeps track of notifications. Hence our system continued to try sending notifications. Over, and over again. Yikes. We didn’t expect to hit these high thresholds so quickly, but we should have. Thank you for helping us during this field trial, and once again, we are very sorry for the spam.

The vast majority of responses from users were positive, and understanding of the issue. Since this newest foray into social media is not even being promoted as a beta, but rather as a field trial, bumps in the road such as this one are understandable, and to a degree, expected. Mr. Gundotra’s open and direct apology and explanation were both refreshing, and should be a model for businesses who have similar user experience issues.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Google+ growing pains include brief spam storm

Recent activity indicates a significant reduction in spam levels, but no one should find comfort in this news. Spammers are making it personal, a new report from Cisco suggests, and at fault may be the law enforcement community for taking down the likes of Rustock and other botnets.

If email spam is a recurring nightmare from which you cannot seem to wake, read on. At the half year mark of 2011, some seemingly good news has poked its head over the horizon, with the promise of a brighter future. Unfortunately, the news isn’t all good; in fact, like spammers, it’s a little deceiving.

According to a new (June 2011) report published by Cisco Security Intelligence Operations (SIO) entitled “Email Attacks: This Time It’s Personal,” cybercriminals are dumping the ‘throw it against the wall and see if it sticks’ approach of indiscriminate spam, so much so that Cisco’s reports the, “annualized cybercrime business activity caused by mass, indiscriminate email attacks has declined by more than half.” The report goes on to state that the volume of overall random spam in the past year has declined by more than 80 percent, a figure that sounds a little on the high side, but no one can deny that spam volumes have dipped since the Rustock Botnet takedown in March.

Cisco SIO reports that the financial impact of this decline is significant.

“Cisco SIO estimates that the cybercriminal benefit resulting from traditional mass email-based attacks has declined more than 50 percent: from US$1.1 billion in June 2010 to $500 million in June 2011 on an annualized basis.”  

The direct impact of spam emails is even greater, down from 300 billion spam messages a day in June 2010 to 40 billion a day in June 2011.

Generally speaking, people continue to be smart enough to recognize a scam when they see one, but interestingly enough, those who aren’t are getting taken for more money. While Cisco SIO reports that the average user continues to be smart enough not to click that link, resulting in low user conversion rates (the amount of people who actually end up getting fleeced), that this figure “is partially offset by increases in the average user spending on conversions.” Cisco SIO attributes this increase in the spam artists using personalization tools, better-crafted scams and more effective malicious attacks, and reports that the level of personal information being divulged has resulted in larger paydays for the scammers.

So how much does an errant click cost? $250, according to the report. Cisco SIO explains the methodology used in arriving at this figure:

“This amount is in line with the low-end estimate of recent publicly disclosed scams and malicious attacks. For instance, in June 2011, the U.S. Federal Bureau of Investigation (FBI) announced a scam email directing recipients to send $350 to obtain a Clearance Certificate or else legal action would be taken against the recipient.”

Now for the bad news:  even though random email spam has experienced a large decline, the amount of money being made by the scammers has quadrupled. Using the estimates explained above, Cisco SIO reports that “scams and malicious attacks (as a sub-category of mass attacks) have grown from US$50 million to US$200 million over the last year on an annualized basis.”

Oh, the irony!

In what feels like a ‘why did they kick the hornets’ nest?’ moment, the Cisco SIO report explains how, in the past year, the face of global cybercrime has morphed into something different, and quite possibly, more dangerous.  “Starting in 2010 and continuing into 2011, the criminal ecosystem has been changing dramatically. Law enforcement authorities and security and industry organizations worldwide have been collaborating to shut down or limit the largest spam-sending botnets and their associates. SpamIt, a large spam-sending affiliate network, ceased operations in October 2010 after its database was leaked and Russian police pressed charges against its owner. Major botnets were severely curtailed or even shut down, including Rustock, Bredolab, and Mega-D.” The end result? “By disrupting the financial and technical business models of key cartels,” Cisco SIO reports, “threat volumes have declined in favor of more lucrative activities.”

Oh, the humanity! If what this report states is true (and it sure sounds about right), then by deposing the former ruler – the incessant glut of email-pushing online pharmacies, instant university degrees, Internet casinos, and secret fortunes waiting to be smuggled out of some foreign country – in its place the law enforcement community has established a new despot: the smarter, more focused scammer!

Evolutionary Change and Survival of the Craftiest

In fact, Cisco SIO reports:

“as part of the evolution of the criminal ecosystem, [the growing number of scams and malicious] attacks are becoming highly focused.”

Scammers are taking greater care in their approach as they carry out schemes designed to rob people of their hard-earned Benjamins. They’re taking to other means – such as SMS, social media like Facebook, Twitter and Tumblr, the tried-and-true telephone scam, and even  eBook readers – and they “are choosing their targets with greater care, using personalized information such as a user’s geographical location or job position.” Examples of these scams, Cisco SIO reports, are:

• SMS financial fraud scams to specific locales
• Email campaigns that use URL shortening services
• Social media scams, where the criminal befriends a user or group of users for financial gain

Spearphishing is on the rise and has experienced its own evolution, Cisco SIO states:

“Spearphishing attacks are aimed at a specific profile of users, often high-ranking organizational users who have access to commercial bank accounts. Spearphishing attacks are typically well crafted; they use contextual information to make users believe they are interacting with legitimate content.”

If the cyber scammers are getting smarter, then it’s imperative that we, too, evolve. Cyber criminals made $150 million this year from spear phishing, according to Cisco, and that kind of return on investment speaks for itself. Spam won’t go away, ever. But like a nasty super virus that evolves and mutates into an antibiotic-resistant strain, spam marches on, even if it’s only to the beat of a new drum.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spam Reduced, Targeted Attacks on the Rise: Cisco

There are a number of reasons why I believe this is inevitable, which I list out below:

Data leakage of email addresses

Ever signed up for a new social networking service, or online storage provider?  The chances are 10 out of 10 that you will be asked for your email address.  Ditto when signing up for an Internet forum, downloading a “free” white paper or even when posting a comment on a blog (mostly).  While I am not in any way downplaying the trustworthiness of your favorite haunts on the web, every additional website on which your email address is surrendered represents another location from which your email address may be pilfered by unethical employees or stolen outright by hackers.

The latter is not an idle assertion either, given the number of online break-ins that have made the news of late.  Remember, we are not even talking about successful raids that went undetected, or where administrators have decided not to keep quiet.

Use of email addresses as usernames

Every online service that I can think of encourages (or enforces) the use of the email address as a username.  Using fake or throwaway addresses is not an option in many of these situations due to validation procedures as well as their role in recovering from misplaced passwords.  This practice results is more spam, since online services typically include the right to send “important messages” your way as part of the terms and conditions for their use.  While not malicious in nature, users can expect the occasional ads for new services or even regular news updates – which can stack up to a hefty number.

What is frustrating here are the lengthy steps usually required to opt out of them or to shut down the associated accounts.  Moreover, these email addresses could also be resold by unscrupulous service providers, or result in more spam if users unwittingly cede permission for “selected third party” vendors to get “in touch.”  Indeed, the value of such email addresses are higher given that they are validated – more so if they were accessed recently.

Reusing of passwords

The number of high profile breaches in which unencrypted passwords were exposed is clear evidence that not all websites adhere to best practices when it comes to protecting passwords.  I believe that this is but the tip of the iceberg when it comes to reusing passwords across multiple sites.  While not directly related to one’s receipt of spam, it is bad news for the security of email accounts – it will certainly be an easy matter for spammers to log into legitimate email accounts using stolen passwords to distribute spam or nick your email contacts.

Spam campaigns run from botnets

It used to be that spam messages are sent using open relays left there by careless administrators, exploiting the vulnerabilities of existing email servers or by means of backscatter techniques.  However, these vectors are increasingly being dwarfed by the use of infected computers shepherded into sophisticated and resilient botnets for the sending of spam.

For example, consider the TDL-4 botnet which was dissected and found to contain measures that make it “practically indestructible.”  With an estimated 4.5 million nodes in the mega botnet, it is understood that an installation of the TDL-4 botnet also incorporates a spambot.  While blacklists can certainly be used to defend against direct spam originating from end-user IP addresses; the sheer number of nodes does throw the door wide open for a wide variety of indirect attack methods.  Moreover, some of the infected nodes may include legitimate email servers, which can only serve to lower the effectiveness of blacklisting techniques as more mail servers end up being blacklisted.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Why The Spam Threat Will Only Get Bigger

In the most recent spam scam to assault Facebook, users are being greeted with a message advising them to ‘verify’ their account, seemingly a noble act of spam prevention and surely not spam itself, right? Not so fast. Those rascally little hackers have swapped out the ‘Like – Comment – Share’ links with a ‘== VERIFY MY ACCOUNT ==’ link, making clicking eminently attractive and practically unavoidable for the uninformed user. Clicking the link, of course, has exactly the opposite effect advertised by the malware, not only posting the message on the user’s wall, but in fact spreading JavaScript that, according to The Register, is “highly obfuscated.” (If interested, you can check out an interesting analysis of the script here.)

“Facebook has become a veritable cesspool of spam, with fake links promising to show users things like how many people have visited your profile or the never-released photos of Osama bin Laden’s body,” reports the Detroit Free Press.

In fact, it seems that these clickjacking schemes have become the norm and Facebook, by its own admission, has only been able to react to the scams as they appear.

“We’ve been shutting down the scammy pages that are the source of this spam as soon as we detect them or they’re reported to us,” Facebook’s Fred Wolens told the Free Press.

So let’s return to the kingdom of the blind. No disrespect to any Facebook user intended, but knowing how to recognize a genuine security threat often requires three things: experience, specialized understanding in what goes on under the hood, and the requisite savvy that comes with being an IT professional. The first one is easy. Think about the first time you learned that touching an open flame wasn’t such a good idea. Anyone who’s been nailed at least once by a malicious link will testify that they think twice before clicking again. The second and third, however, require specialized information that, simply speaking, aren’t part of the average computer user’s frame of reference. And to be fair to Facebook users everywhere, they shouldn’t need to have that specialized knowledge. It would be counterintuitive to the concept that Facebook is easy to join. Easy to use.

To give Facebook credit, last week the website announced several new features implemented to combat clickjacking:

• Web of Trust (WOT) – Web of Trust is a free service that grades sites based on user experience. Basically a community that relies upon reported links, WOT intercepts links in Facebook, warning the user that the link could be dangerous, if it has been frequently reported by the community.
• Clickjacking Prevention – Since clickjacking is based on tricking the user into thinking they’re clicking on one thing when in fact they’re clicking on another, Facebook has implemented extra security measures to detect whether links are trying to pretend they’re something else. In essence, users will be required to confirm their choices when they click “Like.”
• Cross-Site Scripting (XSS) Protection – Malware often tricks users into pasting malicious code into the browser address bar. Facebook has added an extra layer of protection, providing a popup window advising the user that he or she is trying to address a bad link.
• Login Approvals – Facebook has added an optional – but highly recommended – layer of security by offering two-factor authentication, meaning that whenever a user tries to log on to Facebook from a new device, he or she will also have to enter a code sent via SMS to the user’s mobile device.

If you’re reading this and you have responsibility for office workers who have access to Facebook, you’re probably already copying and pasting into an enterprise-wide email. That would be a wise choice.

Let’s face the facts. Social networking does a great job of bringing people together in cyberspace. The problem: it also makes it way too easy to put hackers, spammers and cyberpunks together with innocent users who are not trained – or even interested in being trained – in how to recognize malicious code and spam when and where it appears. As memberships continue to grow in unprecedented proportions, hackers will continue to figure out how to exploit the system.

You had better hang on. The one-eyed men aren’t going away anytime soon. In fact, they’re fitting themselves for crowns.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Facebook Spam Prevention Scam Propagates, Hackers Rejoice

And then I come across a story like this one.

The mammoth media company Condé Nast – publishers of Vogue, Golf Digest, GQ, Vanity Fair, The New Yorker and Wired magazines, to name a few – was targeted by a spear phishing attack last November that cost the company $8 million in a series of wire transfers sent over several weeks. Last week, the US Attorney’s Office filed a complaint in Manhattan District Court alleging that the publishing giant got hooked by a single phishing email that was fabricated to appear as if it had come from Quad/Graphics, a company that prints Condé Nast’s magazines.

The email came in the form of an attached PDF file. According to one of Condé Nast’s companies, Wired.com, “The e-mail instructed Condé Nast to send payments for its Quad/Graphics account to a bank account number provided in the e-mail, and included an electronic payments authorization form. The e-mail indicated the account was for Quad Graph, a name similar to the real printer’s name.”

The alleged spammer – who has been identified as one Andy Surface of Alvin, Texas – established a bank account under the name Quad Graph and then sent the mail to the publishing company requesting that future payments be made to the new account. Condé Nast’s accounts payable department had no issues with the request, apparently, because someone from the department signed the Electronic Payment Authorization form and faxed it back to Surface, who is alleged to have shown BBVA Compass Bank in Alvin documents establishing that the company Quad Graph had been registered in a different country.

When Condé Nast authorized the form, they effectively gave their bank, JP Morgan Chase, permission to deposit funds in the fake account. Between November 17th and December 30th, they did just that, depositing a little less than $8 million in payables, intended for Quad/Graphics, into Surface’s account. The scam might have gone on longer, but on December 30th, Quad/Graphics (the real one) contacted Condé Nast to ask why the company hadn’t paid its outstanding invoices. According to eWeek.com, “Conde Nast had paid $7,870,530.02 into one account belonging to Quad Graph, and $47,137.91 into another account belonging to Andy Surface.”

Condé Nast was able to recover about $36,000 by reversing one of the wire transfers. The company immediately alerted the authorities and on January 10th, the US Secret Service was able to secure a warrant freezing the accounts before the scammer was able to transfer the money elsewhere. A forfeiture lawsuit is pending, and presumably criminal charges that might include wire fraud and money laundering. Surface has not yet been formally charged, but Wired.com reports that, “Forbes dug up a previous charge against someone with the same name and address who pleaded no contest in December to “terroristic threat of family/household.” The US Attorney’s office declined comment.

“Phishing now makes up 23 percent of all attacks in the realm of social media,” Paul Henry, forensics and security analyst at Lumension, told eWeek.com. “A recent IBM X-Force Trend and Risk Report found that while phishing attacks have declined since 2009, there was an increase in spear phishing in 2010. Spear phishing has become a significant attack vector, according to IBM X–Force.”

As for Condé Nast, it’s not surprising that they’re keeping mum on the whole situation.

“A Condé Nast representative said the company could not comment on a pending investigation,” eWeek.com also reports, and Henry raised an interesting perspective on the whole thing. “What’s most frightening is the fact that this isn’t just an unknowing private citizen being duped by a phony Facebook friend. This is a multibillion dollar corporation that clearly did not do its homework,” he said.

It is frightening. One might write this incident off as a very large corporation with so many transactions to fulfill that it might be ripe for the picking in a phishing scam like the one that netted Condé Nast. But Condé Nast got bilked out of $8 million off of one email. If it is that easy, then are there other incidents like this one – successful scams of other major corporations, scams that we’re not hearing about? Or is this just a blip, a random case of the one that didn’t get away?

The answer is unclear. However it happened, this much is clear: if a big fish like Condé Nast can fall victim to a simple spear phishing scam, what does that say for the state of enterprise wide security to protect against these types of schemes? With phishing schemes becoming more sophisticated (relatively speaking), is anyone safe?

I must make a confession. In 2006, I awoke one morning and while I enjoyed my first cup of coffee of the day, I read my email when I noticed what appeared to be a message from PayPal. The email asked me to update my account information, and without thinking (it was 6:15 AM and it was my first cup of coffee), I clicked the link provided by the email and was routed to a page that looked authentic enough. I proceeded to enter my username and password and after clicking ‘Enter’ I was shown a big ‘Thank You!’ and nothing else. It was only then that I remembered: I had recently changed my PayPal password, but the site had accepted the old one. I got off easy that morning, but as an IT professional, the revelation shook me to the core. Coffee or not, big corporation or not, we’re only one click away from financial mayhem.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spear Phishing Email Nets $8m from Media Giant Condé Nast

While the battle against spammers is a continual one, there might be periods or seasons in an organization where the budget simply does not exist to procure a better spam filtering appliance, or where insufficient manpower is available to implement new IT projects, spam-related or not.  Fortunately, other strategies exist that IT managers and system administrators can adopt to fight spam.

Today, I want to share some email policies that you can implement to help fight spam and which don’t require any capital outlay.

1. Have strict rules against mass-emails

One source of spam that large institutions, especially schools or colleges, are sure to encounter is email messages that are broadcast across the entire organization.  And because larger organizations tend to have a correspondingly higher turnover where headcount is concerned, one is practically assured of a constant supply of “newbies” who will be ignorant of general sensibilities where the sending of email to a large list concerned.

The most obvious step that should be taken would be to limit the number of employees who are allowed to email the entire company; such a capability could be restricted to Heads of Departments or Managers, for example.  In addition, there should also include comprehensive rules that define the topics and frequency where an occasional “mass email” is permitted.  Obviously, these policies should be emphasized to new staffers on their orientation tour of the company and reinforced periodically.

So what about the unavoidable infringements?  Assuming instances of mass emails are manageable, employees who infringe the rules should be sent a private email warning of their offense.  This should be done by someone senior, such as the IT Manager or even the CIO.  Repeat offenders can be punished in accordance with the company policy, and might include a temporary disbarment from email (probably only practical for a non-business environment), a verbal warning, or even formal warning letter.

2. Avoid excessive forwarding of emails and chain emails

While mass-emails are easier to track down, chain emails, or forwarded electronic correspondence that have no practical business value are much harder to track.  This might range from multi-megabytes slideshows, jokes, or even large image files that are not suitable for viewing at work.  As they are distributed within relatively smaller circles, they are also unlikely to be received by the official ‘gate keepers’ such as the IT manager or spam administrator.

On this front, I believe in the need for a properly drafted IT policy that addresses private or inappropriate use of the company’s messaging system.  Properly enforced, it will go a long way to cultivate a culture that frowns on such use of email.  Where it will probably be difficult to completely stamp out such messages, an alternative might be to enforce a policy to restricting large file attachments.  This would at least help reduce wastage of storage and bandwidth resources.

3. Enforce password and encryption to protect laptops and smartphones

This is not directly related to reducing spam, but is nevertheless a pertinent issue for organizations that depends on email as part of their operations.  The increasing use of laptops and smartphones to access corporate emails and resources means that employees are becoming increasingly mobile.  Unfortunately, the sheer portability of these devices also means that they can be easily lost, or stolen.  Practically all smartphones today have encryption capability, while the Enterprise editions of Microsoft’s Windows Vista and Windows 7 operating system has a full disk encryption feature called BitLocker that can protect all correspondences and passwords when utilized.

My suggestion here is to amend IT policies to compel workers to activate these features.  They are easy to enable, and result in little or no discernable deterioration in performance when enabled.  In addition, lost devices should also be reported as soon as possible for the relevant passwords to be reset.

4. Policy of not releasing or asking for email passwords

I suggested the creation of a “Recover forgotten password” feature in a previous post, which can help reduce the amount of time spent by administrators on such matters.  Assuming the presence of such a system, a logical next step would be the implementation of a policy where email passwords is never handled by anyone other than the user, and never requested for – be it by the helpdesk personnel, or an automated system.  More than anything, a policy of not release or asking for email passwords will certainly raise the barrier against social engineering and phishing attempts.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

4 IT Policies to Help Fight Spam

As blogged about earlier the week by my colleague Sue Walsh, Canada finally joined the rest of the G8 nations in passing legislation intended to help fight SPAM. Bill C-28 (complete text here in pdf) should go into effect in September of this year, and contains some provisions that, frankly, I find rather alarming. In reading the bill, an arguement can be made that C-28 provides individuals a license to spam. Read the law yourself, especially sections 6(1)a and 10(9)b, and then see if you agree with me on this.

As mentioned in Sue’s post, one of the first provisions of the law prohibits the sending of commercial emails unless the recipient has opted to receive such messages. In case you don’t have time to read the full bill yourself, here are a couple of excerpts from C-28. As mentioned above, the specific wording that disturbs me the most is found in section 6(1)a.

           6. (1) It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless (a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied…

when combined with section 10(9)b

          (9) Consent is implied for the purpose of
section 6 only if
(b) the person to whom the message is sent has conspicuously published, or has caused to be conspicuously published, the electronic address to which the message is sent, the publication is not accompanied by a statement that the person does not wish to receive unsolicited commercial electronic messages at the electronic address and the message is relevant to the person’s business, role, functions or duties in a business or official capacity;…

Consider how many places on your corporate website an email address appears. Consider how many places your own email address appears. Now, I am not a lawyer, and I did not stay at a Holiday Inn Express last night, but as an IT professional, I think I need to go update EVERYWHERE my email address might appear with a disclaimer or the floodgates of Canadian spam will be opened and my inboxes will be filled by SPAM for a range of products that could arguably be considered as “relevant to my business.” I may need to add a statement that I do not wish to receive unsolicited commercial electronic messages to the signature of every email.

The problem with this law, as with so many others relating to Information Technology, is that it appears to be written by people whose understanding of the law far exceeds their understanding of the technology. And while my own understanding of the law is considerably less than my understanding of technology, as a potential juror on a case involving this law, that wording is open enough that I would have to acknowledge any argument that says the defendent got my email address off of my blog, and on my blog I had a post about getting older, so the emails touting hairloss products were relevant to my business.

What do you think? Am I overreacting, or does the way the bill reads sound to you like it does to me? Leave a comment with your thoughts and let’s get a dialog started on this law and how many ways it could be interpreted, and what we as IT professionals may need to do to ensure that its intent is not circumvented.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Is Canada’s new Law a License to Spam?

I scoured through my spam folder, and will share some of the common characteristics (or “red flags”) of scam spam messages that I’ve identified.

1. Identified or tagged as spam

Many businesses do make use of spam filters these days, even if they tend to be rudimentary in nature.  This capability could either come as part of a hosted service, or incorporated into anti-malware software; well, emails tagged as spam, or sorted automatically into the Junk Mail folder makes them more readily identifiable.  So while false positives are possible, what is important is that users are reminded to be extra cautious of emails identified as spam.

2. Use of bizarre salutations

Ever seen a message addressed to ‘Hello Dear’?  Or how about ‘Good Day To You My Friend’?  Personally, I suspect that many spammers are non-native English speakers, which gives rise to salutations that range from strange to the outright ludicrous.  As such, the use of a bizarre or nonsensical salutation should serve as a warning to users.

3. Mismatch between “From” and “Reply-to”

One popular trick that spammers seem to love doing involves fudging the “From” and “Reply-to” fields in their spam messages in order to trick both antispam filters and users.  The former is usually displayed when you read an email, while the latter contains the information used by email clients as the destination address when replying to an email.  While a mismatch between the two fields does not automatically necessitate the presence of shenanigans (many newsletter providers embed a different “Reply-to” address, in fact), it is often enough reason for a more cautious take on the message.

Those on Gmail simply need click on “Show details” to see both fields.  Microsoft Outlook 2010 users can click on “File” and then the “Properties” button; the “From” and “Reply-to” information can be found within the “Internet Header” text field in the dialog box that appears.

4. An allusion to God

I’ve noticed this in a number of scams that hinted at some form of belief in God – anything to insinuate an additional measure of trust in their scam.

5. They want details about you

You would assume that after having entered you into a lottery or selecting you as a business partner that the other party would know a little more about you.  However, scam attempts usually start with a request for information: your full name, address, and contact details, date of birth, even gender, occupation, age or country.

While giving up the above information does not result in immediate financial loss, do remember that these are very important pieces of information that can be used to obtain other data about you.  Sources could be via social networking sites, and could even lead to social engineering attempts by calling your office or home.  In addition, a “harmless” information request also serves to lower the guard of their target, making them more amenable to an urgent request for some “administration” or “processing” fee at a later date.

6. Beware the links

Hoax lotteries and non-existent business ventures aside, another common tactic of scam perpetuating spammers include attempts to break into your computer.  This is usually done by preparing a malware infested site that spammers try to trick their victims into visiting.  As such, it is imperative that users do not click on links of unknown or suspicious origins.

One other trick that I’ve seen involves loading the content of an email with gibberish – usually disjointed text sourced from multiple websites, with a couple of links embedded as bait.  The presence of textual content gives the spam a higher chance of passing through filters, with the idea being that flustered users will simply click the supplied links as they fail to make sense of the content in the message.  As such, users should avoid clicking on shortened or unidentified URLs.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

The Anatomy of a Scam Spam Message

In the email, the phisher indicates that they came across the user’s information in association with the product or site, and wants to ask a few questions about their experiences with or impressions of the product. As you can see, there is an aspect of social engineering here, as they reference something online that involves the user; enough to rouse anyone’s curiosity. Here are a couple of examples of these emails:

subject: I have a question about website or product
Hello,
 i was searching online to find more info about productX
and I came across your information.
can you tell me, are you still involved with productX?
if you are, how are things going for you?
please let me know.
sincerely,
Some Person

-or-

subject: I have a question about your business
Hello,
I was doing some searching online about Web-based business and I came across your information.
Can you tell me, are you still involved with Web-based business?  If you are, how’s things going for you?
Please let me know.

Sincerely,
Some Person
(708)555-1212

The most common element seems to be the phrase “I have a question about” or some variant of the same words. Unfortunately, this phrase is close enough to a real email subject line that it is enough to get people to open it. I tried to do some research on several of these emails that have hit my systems, and here are some of the common trends.

• The telephone numbers included seem to be in blocks of cell numbers.
• The names are common enough to return thousands of hits when searched.
• Outlook Express seems to be the most common X-Mailer.
• The originating IP addresses are all over the map, though most also all seem to be associated withlarger hosting providers in several different countries. 
• The sending address is usually a bounce address, with a reply to email address that matches the purported sender.
• Since these messages lack any link or other URL, it appears that the emails are attempting to engage the target in a dialogue.

I have personally seen these emails referencing popular websites like Twitter and Zango, so-called business ventures like the Global Information Network, and health and weight-loss related products like Tahitian Noni, Acai berry juice, and others.

Systems admins should consider filtering on subjects containing “I have a question about“ or placing an additional weight on that phrase in Bayesian filters used in their automated spam analysis systems. Admins should also inform their users about this, raising awareness about this potential phishing attack to make sure that no users reply to these messages with well-intended responses informing the senders of their mistakes.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New ‘I have a question’ spam may be a phishing expedition

As we enter the holiday season, one thing we are already starting to see is a surge in seasonal spam. Spammers will try to take advantage of shoppers’ hopes, sympathies, gullibilities, and in some cases, their fears, to trick users into giving away personal information, credit card details, and more.

I recently came across a study of holiday spam that inspired me to warn my own users about this chronic issue. By informing them that Mr. Grinch and all his ilk are out there, and that just because you got an email you cannot take what it says on face value, I am helping to raise awareness, and protect them from the bad guys. I ask you to do the same with yours.

As the holiday season begins to gain speed, taking a few moments to educate your users on these sorts of scams may be the nicest Christmas present you can give them. While you may be able to block most of the Grinch’s message from ever getting into your users’ inboxes, they may still encounter some of these in their personal email, and forewarned is forearmed.

1. Free product offers

There is no such thing as a free lunch, and free product giveaways are even less likely. Offers of free laptops, tablets, or smartphones in exchange for taking quizzes or becoming a mystery shopper are typically schemes to get you to give up personal information or your credit card details.

2. Relatives in distress

Here, an email is sent, apparently from a relative who is stranded in another country, or who has had an accident, and is asking for money to be wired to get a ticket/make bail/cover medical expenses. Usually, the Grinch has already compromised another person’s account and is able to target his victims with enough personal information to make these emails seem legitimate. Warn users to confirm all travel details with friends and relatives.

3. Gift cards and purchases

Emails made to look like purchase confirmations are sent, typically showing a very large purchase, with links intended to fool a user into a hurried logon to the vendor’s site to cancel the bogus purchase. Of course, what the victim is really doing is entering their credentials into a fake site. Others appear to be confirmations of charges against gift card balances, again, intended to trick an unwary user into entering their credentials into a fake site.

4. Fake SMS messages

Taking advantage of relatively no spam protection on SMS messages, and playing upon fear, these fake messages are made to look like warnings from your bank, with a short URL to log on to to check your account. Raise the awareness of these scams by informing users.

5. Seasonal employment

With so many out of work and seeking employment, these emails play on people’s desperation to get a job. They request personal information to apply for non-existent positions with fake companies. Again, awareness is the key to protecting users from these scams.

6. Holiday travel specials

With the increase in travel, many scams promote discount airline tickets or accommodation. Caution your users against taking these offers at face value, and to confirm fares and promotions with the carrier or hotel.

7. Low interest loans and credit cards

Everyone is looking to save anywhere they can. These fake offers purport low interest credit cards, refinance offers, or loans. All of these, of course, require the user to enter their personal information to make sure they qualify, or even to start the process. Remind users to always confirm such sites, and to check that a potential application site is secured with a valid SSL certificate.

8. Electronic greeting cards

It’s the holiday season, so of course people are going to send e-cards. Unfortunately, many of the e-cards coming in contain malware, or links to malicious sites. Make sure users know not to click links contained in emails, and to keep up to date on their patches and antivirus definitions.

9. Unbelievably low prices

If the price they are advertising is a quarter of what it costs anywhere else, then the deal is probably too good to be true. Remind your users to use common sense when presented with incredible offers.

10. Charity appeals

That spammers take advantage of people’s charitable tendencies is reprehensible, but also very commonplace. Users should confirm any messages from charities with the organisation’s website…finding that with a search engine, instead of clicking on a link in the email appeal.

11. Holiday downloads

Screensavers, animated wallpapers, and holiday themed games are all very popular at this time of year. Frequently, they carry malicious payloads, often taking advantage of unpatched Flash installs. Warn users about downloading executables, and to make sure they are up to date on their patches and antivirus definitions.

12. Chain emails

Forwarding Christmas stories may seem like a festive thing to do, but these emails with hundreds of email addresses inline not only clog up mail servers, it also spreads email addresses to countless others whose systems may be infected. If users must forward these, please suggest that they edit out all the early addresses and BCC the people they forward these messages to in order to protect their inboxes.

By reminding people that there are still some Grinches on the Internet, and warning your users ahead of time about these twelve scams of Christmas, you can make sure they will still have some holiday cheer this season, and you guarantee yourself a place on Santa’s nice list.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

12 Email Scams the Grinch Loves to Send Out

In a fashion, the battle against spam is a lopsided and unfair one; all it takes is for one’s email address to be harvested and stored into a spammer’s database once, where it literally translates into a lifetime – of the email address at least – of having to combat an unending influx of digital trash.

While system and email administrators around the world dream of the ultimate anti-spam appliance capable of eradicating all spam with absolute accuracy, the truth is that such a device does not exist.  The vast profit that awaits successful spammers means that they are continuously conniving to conjure up new methods of overcoming various antispam defenses.  As you can imagine, it is usually a matter of time before the first unsolicited email makes it through the best filters.

Dealing with this state of affairs does require adhering to a number of long term strategies and approaches that I shall explore in the next few weeks.  The first and most important of these however, is this: protect your email address.  Put plainly; it is far better that email addresses not get harvested in the first place than trying to protect them from spam.  So what are some methods that the system administrator or IT manager can adopt to better protect the email addresses in your organization?

Avoid publishing email addresses on the Web

One of the biggest mistakes I’ve seen made by organizations is the placing of their email addresses in plain text format on their websites.  While I acknowledge that certain situations and job positions do necessitate being easily contactable – such as in Public Relations for example – doing so in most cases only serves to facilitate the ability of spammers to harvest your digital address.

Unfortunately, this is a situation that I’ve witnessed time and again, even in larger institutions that should know better.  For example, it is fairly common for education institutions to have a “Staff” page where biographies, which includes contact numbers and email addresses, are published for viewing by the public.  While most do attempt to limit the ease of extraction by limiting the number of profiles per page, it is a laughably easy matter for spammers to quickly harvest email addresses exposed this way using an automated tool.

Use alternative means of communicating

While companies should be careful about publishing their email addresses in text format, the use of image elements can be used to protect staff contact details from automated tools.  Of course, the use of advanced OCR (optical character recognition) or paying workers from third-world countries to manually read them means that the effectiveness of this technique has declined over the years.  Still, this is far better than not having any barriers in place at all.

Another solution would be to make use of web forms that will submit customer feedback to the correct email accounts.  These should obviously be protected by the use of CAPTCHA and other antispam measures.

Train employees not to give out their email addresses

Protecting one’s email address is a shared responsibility, and it should be emphasized to staffers that they should not carelessly give out their email addresses on any web form that asks.  Likewise, sites that offer “lucky draw” giveaways and other freebies are probably turning a profit from the reselling of the furnished information.

Discourage chain emails, excessive forwarding

Have you ever received one of those annoying chain emails that exhort you to forward it to 10 other friends?  Or do certain colleagues constantly forward you emails containing jokes or various general knowledge trivia?  The danger of such behavior resides in how these forwarded mails end up containing a long list of valid email addresses.  An infected or hijacked computer along the chain could see your email address harvested – this applies even if you do not participate in propagating such mails, but are merely one of the recipients!

Administrators and IT managers can play an important part here by actively discouraging such activities within the company.  And where there are good reasons to forward emails to a group of colleagues or friends, employees should be taught to do so in a defensive manner where possible.  For example, to first strip out the pertinent email information before hitting the “Send” button, or to make use of the BCC (Blind Carbon Copy) feature found in all email clients.

I hope the above tips were of help to you.  I shall be exploring more evergreen methods of reducing spam next week.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Evergreen Tips to Help Reduce Spam

          “I was sitting on the couch one night and I got this email entitled ‘Delete this at your peril’. It was a particularly funny scam which didn’t make any sense, so I decided to reply. It kicked off a six-month period where I started talking to spammers all over the world but, as I didn’t want to use my own name, I opened an email account in the name of Bob Servant. That was largely because I found it funny to sign off the emails ‘Your Servant, Bob Servant,’ and the more I spoke to them, the more I built up the character around it. Spammers would ask about my life, so I created this character of a 62-year-old window cleaner and cheeseburger van operator in Dundee.”

Forsyth went on to strike up friendships with the scammers he was corresponding with and even pretending to fall in love with one of them, a Russian woman named Olga. The scammers kept responding hoping to get money out of him.

Forsyth’s experiences make for entertaining reading, and he’s not the first to turn the tables on these scammers. A few years ago a group did a similar thing culminating in them sending the scammer, who was expecting a shiny new MacBook,  a pizza box containing a fake laptop made of bricks.

However, responding to spam, especially Nigerian spam, is not recommended. You don’t want to encourage them. At the least you’ll label yourself an easy mark and get even more, and at worst, you could get hurt. There are many stories of people who have gotten kidnapped and even killed by these scammers. Most of these incidents happened when the person traveled overseas in search of the money promised to them but since many of these scams are conducted by criminal gangs, you can never be too careful.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

How One Man Scammed the Spammers

          I would like inform you that Scarlett Johansson “actress” (as much as Vanessa Johansson) actually is a clone from original person Scarlett Galabekian last name, who has nothing with acting career, surname Galabekian, because of adoption happened in 1992. Cloneswas created illegally by using stolen biological material. Original person is very nice (not d**n sexy), most important – CHRISTIAN young lady! I’ll tell you more, those clones (it’s not only one) made in GERMANY – world leader manufacturer of humans clones, it is in Ludwigshafen am Rhein, Rhineland-Palatinate, Mr. Helmut Kohl home town. You can not even imaging the scale of the cloning activity. But warning! Helmut Kohl clone staff strictly controlling all their clones spreading around the world, they are very accurate with that, some of them are still NAZI type disciplined and mind controlled clones, so be careful get close with clones you will be controlled as well.

It goes on with more rambling about evil clones and how they all must report to Cedar-Sinai Medical Center in Los Angeles. Truly bizarre. The spammer gives no clue as to his identity and researchers haven’t yet been able to trace the messages.

It’s unclear what the exact purpose of the messages is and if they contain any malicious content. While it’s not at all unusual for celebrities to be exploited by spammers, I do believe this is the first time one has been accused of being a “Nazi-type” clone!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Actress Scarlett Johansson Subject of Bizarre Spam Campaign

1. Resume – The messages pumped out by this spam campaign look like they are from someone the recipient sent a resume to and tells them an edited and cleaned up version is attached. If that attached zip file is opened, a hidden .exe will quietly contact a remote server and download malware. This exploit is clearly designed to take advantage of the unemployment problem in the U.S. and is often sent to addresses harvested from job search sites like Monster and CareerBuilder. These messages are particularly sneaky because they are well written with no grammar or spelling errors, which is unusual for most spam.
2. Docs – This campaign pumps out malicious spam that looks like it came from a legit company. The attachment claims to be important corporate documents but is actually malware. These messages even include a real company’s name, fax, and phone number. (It’s not yet known if that company knows it’s being exploited)
3. Air France – This is a more traditional spam campaign that uses the tried and true trick of exploiting a recently headline or pop culture phenomenon. In this case it claims to be providing exclusive photos of the Air France plane crash. Unlike the previous two threats, this one has the usual hallmarks of spam including broken English and is easy to spot.

In other spam news for August, the United States continues to hold the number one spot as the most spammed country in the world.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Top 3 Email Threats for August

Canadian Pharmacy, which dubs itself the #1 internet pharmacy, isn’t Canadian or even a pharmacy at all. It’s run by a Russian cybercrime group that hides behind a rogue affiliate program called GlavMed. The site sells fake versions of well known prescription drugs such as Viagra, Cialis, Vicodin, and Oxycontin, a practice so dangerous the FDA issued a warning about it, as well as fake vitamins and male enhancement products. There’s no actual pharmacist overseeing things and they take and fulfill orders without asking for a prescription. The fake drugs are made in, and shipped from, India and China.

The GlavMed group uses botnets to pump out its spam and has been known to control up to 8 of them. They avoid being shut down by using so-called bulletproof hosts that ignore all take down requests and complaints.

The so-called “Replica Products” spam campaign may comprise only 7% of global spam volume but look for that to rise as the holidays approach. Those spammers will be out in full force hawking fake Rolex watches, Louis Vuitton and Coach handbags, Rayban sunglasses, and more as they try to appeal to cash strapped shoppers looking for bargains. With the economy still on shaky ground you can be sure they’ll do what they can to take advantage.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Canadian Pharmacy Dominates Spam