<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Anti spam and general email security in a business environment &#187; SpamHAUS</title>
	<atom:link href="http://www.allspammedup.com/tag/spamhaus/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.allspammedup.com</link>
	<description></description>
	<lastBuildDate>Tue, 07 Feb 2012 15:00:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Spamhaus Hit With DDoS Attack</title>
		<link>http://www.allspammedup.com/2010/12/spamhaus-hit-with-ddos-attack/</link>
		<comments>http://www.allspammedup.com/2010/12/spamhaus-hit-with-ddos-attack/#comments</comments>
		<pubDate>Wed, 22 Dec 2010 00:08:33 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[DDoS attack]]></category>
		<category><![CDATA[SpamHAUS]]></category>
		<category><![CDATA[wikileaks]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3514</guid>
		<description><![CDATA[Spamhaus was hit with a DDoS attack this past weekend and although it was connected to WikiLeaks the site&#8217;s supporters weren’t to blame. It’s believed that the attack was motivated by revenge after Spamhaus sent out a warning that a &#8230;<p>Liked this post? Get more <a href="http://www.allspammedup.com">anti-spam</a> related news from AllSpammedUp.com!<br/><br/><a href="http://www.allspammedup.com/2010/12/spamhaus-hit-with-ddos-attack/">Spamhaus Hit With DDoS Attack</a></p>
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2010/12/wikileaks-31.jpg"><img class="alignright size-medium wp-image-3469" style="margin: 10px; border: 0px;" src="http://www.allspammedup.com/wp-content/uploads/2010/12/wikileaks-31-400x240.jpg" alt="" width="400" height="240" /></a>Spamhaus was hit with a DDoS attack this past weekend, and although it was connected to WikiLeaks, the site&#8217;s supporters weren’t to blame.</p>
<p>It’s believed that the attack was motivated by revenge after Spamhaus sent out a warning that a WikiLeaks mirror site by the name of WikiLeaks.info was being hosted by Webalta, a Russian ISP known for being bulletproof. Spamhaus instead recommended visiting WikiLeaks.ch, which it determined was a safe site. Webalta, called bulletproof because it ignores takedown orders and actually protects the cybercriminals that use its services, also hosts numerous phishing, carding, and malware-delivering sites.</p>
<p>Spamhaus said they initially blamed the group Anonymous, which has conducted attacks against sites like MasterCard, PayPal, and Amazon for dropping WikiLeaks as a customer, because they had received email threats from people claiming to be affiliated with the rogue group. Those threats were later determined to have no connection to Anonymous at all.</p>
<blockquote><p>“In addition, in some semi-private forums AnonOps members have denied responsibility for the DDoS,” Spamhaus said in a statement on its website. “They have stated how much they hate spam and would not attack Spamhaus. It would seem some actually read and understood what our warning message was about. Rumors are that they have also distanced themselves from members who were promoting the use of botnets to attack sites.”</p></blockquote>
<p>Spamhaus says they believe the attack was the work of the Heihachi group, which is a reseller for Webalta, based in Russia and which controls several botnets.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/12/spamhaus-hit-with-ddos-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to set up IP Blocklist Providers in Exchange 2010</title>
		<link>http://www.allspammedup.com/2010/11/exchange-2010ip-blocklist-providers-in-exchange-2010/</link>
		<comments>http://www.allspammedup.com/2010/11/exchange-2010ip-blocklist-providers-in-exchange-2010/#comments</comments>
		<pubDate>Wed, 03 Nov 2010 15:43:51 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Exchange 2010]]></category>
		<category><![CDATA[IP Blocklist Providers]]></category>
		<category><![CDATA[SpamHAUS]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3259</guid>
		<description><![CDATA[IP Blacklists are a great way to help combat spam, but they aren't the most obvious thing to set up in Exchange 2010. This article should help with that.
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2010/11/rejected.gif"><img class="size-full wp-image-3258 alignright" style="margin-left: 10px; margin-right: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2010/11/rejected.gif" alt="" width="160" height="160" /></a></p>
<p>One of the most frequently asked questions I received in response to my post on <a href="http://www.allspammedup.com/2010/10/9-ways-exchange-2010-reduces-spam/">9 ways Exchange 2010 reduces spam</a> is along the lines of “how do I set up IP Blocklist providers?” So I am following up that post with this one, which will not only go over how to set this up in Exchange 2010, but will also provide you with a short list of publicly accessible providers.</p>
<p>Blacklist providers are essentially DNS servers that, when they have a host on their list, respond to queries with IP addresses indicating that the host is a known spammer. They use addresses in the 127.0.0.x range, rather than the actual address of the host. While they all function in essentially the same way when queried by your server, they compile and maintain their lists in very different ways. Please consult each of the providers&#8217; individual websites to make sure you understand what they do and how they do it, and that you are comfortable with this. Also, make sure that you identify your mission critical customers and business partners, so that you can whitelist their systems to be sure there are no unintended issues.</p>
<h3><span id="more-3259"></span>Providers</h3>
<p>The following list includes several publicly available providers of block lists. Remember, each of these has their own policies regarding how an MTA gets placed on this list, as well as how someone can request removal of their system. Since there is no industry standard regarding this, you are going to want to read their FAQ to make sure you are comfortable with their policies. You are also going to want to make sure you review their licensing agreements.</p>
<p>One common element is that the ‘free’ services are for you to use on your systems only when they are not commercial (no resellers or hosting companies) and they also have certain limits. If you exceed these you should be using their enterprise class services. You pay for those, but they are scaled for volume, and offer SLAs. Again, read these over. And finally, remember that these services function by responding to DNS queries from your MTA.</p>
<p>While you may configure your systems to query your ISP or other public DNS servers, you should have your MTA either make its own queries directly, or use DNS servers that can make direct queries. These services are in essence DNS servers that respond with various addresses in the 127.0.0.x range to indicate what type of potential spam system a particular host might be.</p>
<ul>
<li><strong><a target="_blank" href="http://www.spamhaus.org/zen/">SpamHaus</a></strong><br />
The URL for SpamHaus’ comprehensive blacklist service is zen.spamhaus.org. The zen service offers a combination of verified spam services, systems compromised by malware, and IP ranges that should not be sending email (usually residential subnets). This is the one I currently use.</li>
<li><strong><a target="_blank" href="http://www.spamcop.net/bl.shtml">SpamCop</a></strong><br />
The URL for SpamCop’s blacklist service is bl.spamcop.net. This list is based on reported sources of spam from users, ISPs, and other sources.</li>
<li><strong><a target="_blank" href="http://psbl.surriel.com/">Surriel</a></strong><br />
The URL for the Surriel passive spam blacklist service is psbl.surriel.com. Surriel uses a spam trap to compile a list of systems sending spam, and also provides for easy self-service removal, on the premise that accidents can happen, but most spammers will never actually go looking to get themselves delisted.</li>
<li><strong><a target="_blank" href="http://njabl.org">Not Just Another Bogus List</a></strong><br />
The URL for the NJABL service is dnsbl.njabl.org.</li>
</ul>
<h3>How to use them</h3>
<p>When you configure these providers, you have the option to use only some of their response messages, so check their individual sites to be certain you understand which reasons return which IP addresses. You also need to decide whether to reject the email (and what response message to deliver), delete it, or quarantine it. Deleting the email does just that… it kills spam but gives a legitimate sender who inadvertently finds himself on a blacklist no information that their mail is going in the bit bucket. Quarantining the mail does mean you have to go through it to manually check or purge, but minimizes the chance that valid email might be lost.</p>
<p>In Exchange 2010, you can configure IP Blocklist filtering using either the EMC or the EMS. If you would like to use the GUI, please consult <a target="_blank" href="http://technet.microsoft.com/en-us/library/dd351199.aspx">this TechNet article</a>. I prefer to use the EMS for this, as it is much quicker. In either case, these instructions assume you have administrative rights to Exchange. There are three cmdlets that deal with blocklist providers: Add-IPBlockListProvider, Set-IPBlockListProvider, and Remove-IPBlockListProvider. Here are some examples to get you started. Each should be entered as a single line. They just wrap in this post due to formatting.</p>
<p>The following example adds a new IP Block List provider service called &#8220;SpamHaus IP Block List Provider,&#8221; and configures it to use bitmask matching for 127.0.0.1 (block messages from IP addresses that are on the block list):</p>
<pre>Add-IPBlockListProvider -Name "SpamHaus IP Block List Provider" -LookupDomain "zen.spamhaus.org" -BitMaskMatch 127.0.0.1</pre>
<p>The following example configures the same IP Block List provider service to use a custom rejection response:</p>
<pre>Set-IPBlockListProvider "SpamHaus IP Block List Provider" -RejectionMessage "Your message was rejected because the IP address of the server sending your message is in the block list of contoso.com IP Block List Provider service. No soup for you."</pre>
<p>The following example adds another IP Block List provider service called &#8220;SpamCop IP Block List Provider&#8221;, and configures it to use explicit response matching for 127.0.0.2 and 127.0.0.5 (the host is a known spam source or is an open relay). The command also adds this new provider as the top preferred provider.</p>
<pre>Add-IPBlockListProvider -Name "SpamCop IP Block List Provider" -LookupDomain "bl.spamcop.net" -IPAddressesMatch "127.0.0.2","127.0.0.5" -Priority 1</pre>
<p>If you want to remove a provider, you can go into the EMC to delete it, or use the Remove-IPBlockListProvider command in the EMS. As for the custom response messages, of course, the sending admin is going to have to see these messages in his logs, or in a packet trace, but the messages are worth using. I would have never figured out <a target="_blank" href="http://retrohack.com/google-dude-thats-harsh-brah/">the problem I had with Google</a> if they weren’t using custom messages. Hopefully, this post has given you what you need to get started with IP Blacklists. However, if you have any questions or comments about the listed or any other providers you use, please leave us a comment.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/11/exchange-2010ip-blocklist-providers-in-exchange-2010/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Latvia Upset With Spamhaus Over Blacklisting</title>
		<link>http://www.allspammedup.com/2010/09/lativa-upset-with-spamhaus-over-blacklisting/</link>
		<comments>http://www.allspammedup.com/2010/09/lativa-upset-with-spamhaus-over-blacklisting/#comments</comments>
		<pubDate>Mon, 06 Sep 2010 12:49:40 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[DDoS attack]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[SpamHAUS]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2970</guid>
		<description><![CDATA[The Latvian government is quite upset with Spamhaus and was not shy about showing it. The spat began when Spamhaus placed a block of IPs belonging to a Latvian service provider called Microlines due to a large amount of spam &#8230;
]]></description>
			<content:encoded><![CDATA[<div id="attachment_1360" class="wp-caption alignright" style="width: 268px"><a href="http://www.allspammedup.com/wp-content/uploads/2009/08/spamhaus_dnsbl_basic.png"><img class="size-medium wp-image-1360" src="http://www.allspammedup.com/wp-content/uploads/2009/08/spamhaus_dnsbl_basic-400x121.png" alt="" width="258" height="78" /></a><p class="wp-caption-text">Credit: Spamhaus.org</p></div>
<p>The Latvian government is quite upset with Spamhaus and was not shy about showing it. The spat began when Spamhaus placed a block of IPs belonging to a Latvian service provider called Microlines due to a large amount of spam and DDoS attack traffic originating from them. Spamhaus said that when it contacted the provider with a takedown demand, it was ignored. It also sent the same requests to the router provider, Latnet Serviss, and was also ignored. That’s when it blacklisted the IPs. The government agency in charge of top level domains for the country promptly lashed out when the blacklist caused several national institutions and organizations to suffer an outage.</p>
<blockquote><p>&#8220;No Internet user should be punished for the actions of another Internet user,” the officials said, adding that Spamhaus is impolite, arrogant, and even rude.</p></blockquote>
<p>Their ire is the result of the fact that Latnet Serviss is one of the largest ISPs in the country, but the fact remains that they blatantly ignored the communications from Spamhaus, and what’s more, Microlines has been found to be hosting rogue anti-virus apps, the Zeus and Gozi Trojans, and other malware. Several security firms have come to Spamhaus’s defense and blamed Latnet and Microlines for refusing to deal with the issue.</p>
<p>It’s not yet known if the government has taken any action to get Microlines to comply or when/if the block will be lifted. The moral of the story? If you get a takedown notice or abuse complaint, take it seriously and respond promptly!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/09/lativa-upset-with-spamhaus-over-blacklisting/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Should You Use More than One Blacklist to Prevent Spam?</title>
		<link>http://www.allspammedup.com/2010/07/should-you-use-more-than-one-blacklist-to-prevent-spam/</link>
		<comments>http://www.allspammedup.com/2010/07/should-you-use-more-than-one-blacklist-to-prevent-spam/#comments</comments>
		<pubDate>Wed, 21 Jul 2010 15:38:01 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[RBL]]></category>
		<category><![CDATA[SpamHAUS]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2818</guid>
		<description><![CDATA[Blacklists (or block lists) are a spam prevention technique that uses lists of IP addresses or domain names that are associated with spamming to determine whether to block or allow a particular email transmission. Although the technique falls under one &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2819" style="margin: 10px; border: 0px;" src="http://www.allspammedup.com/wp-content/uploads/2010/07/guard.jpg" alt="" width="200" height="266" />Blacklists (or block lists) are a spam prevention technique that uses lists of IP addresses or domain names that are associated with spamming to determine whether to block or allow a particular email transmission.</p>
<p>Although the technique falls under one general description, there are many different implementations of block lists that can be used to make different determinations about whether an email is spam or not.</p>
<p>Some of the different techniques include:</p>
<ul>
<li><strong>URI lists</strong> – these are lists of domain names and IP addresses that have been used as hyperlinks in emails that lead a victim to a malicious website, for example a bank phishing scam</li>
<li><strong>Open Relay lists</strong> – these are lists of mail server IP addresses that have been discovered as open relays and can be (or have been) used by spammers to send emails</li>
<li><strong>IP lists</strong> – these are lists of IP addresses, aside from open relays, that have directly been a source of spam, or are highly likely to be a source of spam (e.g. an ISP’s customer IP blocks)</li>
</ul>
<p>The mechanism for each is basically the same – the mail server inspects the SMTP connection, or email message, that it is receiving.  It then queries one of these block list providers with the URIs or IP addresses, and if it registers a hit it then takes the configured action (usually to drop the email).</p>
<p>With so many different block list providers and different techniques the obvious question is whether more than one provider should be configured on the email server that is responsible for blocking spam in your organization.  Naturally this depends on the specific organization and which services are being used.<span id="more-2818"></span></p>
<p>The biggest benefit to using more than one block list provider is that there are more chances to detect spam thanks to a greater diversity of lists being queried.  If you’ve ever had to troubleshoot a deliverability issue by investigating whether a mail server IP is on a block list you would have discovered that of the dozens of lists available not all of them will give the same result for a given query.</p>
<p>Using multiple block list providers also protects you from the scenario in which the provider is unavailable, which could lead to spam entering your organization when it can’t be checked.</p>
<p>However, the biggest drawback is that every additional list provider that you configure means additional resources are consumed for every email that is checked, both in terms of server processing and network bandwidth.</p>
<p>This trade-off between effectiveness and performance is one that should be seriously considered, as well as monitored on an ongoing basis.</p>
<p>An alternative solution is to use a provider that aggregates multiple techniques into a single service.  This is common for most commercial anti-spam solutions, which will be pre-configured with a vendor-supplied block list service that offers the best trade-off between performance, effectiveness, and also reliability.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/07/should-you-use-more-than-one-blacklist-to-prevent-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spamhaus targets snowshoe spam</title>
		<link>http://www.allspammedup.com/2009/10/spamhaus-targets-snowshoe-spam/</link>
		<comments>http://www.allspammedup.com/2009/10/spamhaus-targets-snowshoe-spam/#comments</comments>
		<pubDate>Fri, 16 Oct 2009 14:17:09 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[CSS]]></category>
		<category><![CDATA[filters]]></category>
		<category><![CDATA[snowshoe spam]]></category>
		<category><![CDATA[SpamHAUS]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1642</guid>
		<description><![CDATA[Continued growth of snowshoe spam has prompted Spamhaus, a leader in the war on junk email, to craft a specific response to it. Earlier this month, the spamfighters rolled out a CSS component of the organization&#8217;s Spamhaus Block List. The &#8230;
]]></description>
			<content:encoded><![CDATA[<div id="attachment_1643" class="wp-caption alignright" style="width: 250px"><img class="size-full wp-image-1643 " style="margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/10/GFI013-snowshoe-edit.png" alt="Snowshoe Spam is a growing problem." width="240" height="221" /><p class="wp-caption-text">Snowshoe Spam is a growing problem.</p></div>
<p>Continued growth of snowshoe spam has prompted Spamhaus, a leader in the war on junk email, to craft a specific response to it. Earlier this month, the spamfighters rolled out a CSS component of the organization&#8217;s Spamhaus Block List.</p>
<p>The SBL is a database of IP addresses from which the organization recommends blocking email. Mail systems throughout the Internet can query the database in real time. It allows email administrators to identify, tag or block incoming messages from IP addresses blacklisted by the group as being connected to sending, hosting or originating unsolicited bulk email, better known as spam.</p>
<p>According to Spamhaus, CSS is an integral part of the SBL. It&#8217;s distinguished, however, by a different return code, 127.0.0.3. Users of the SBL need not do anything to activate the new CSS, other than to make sure that their existing spam filters can handle the additional return code.</p>
<p>Snowshoe Spam gets its name from the way it fans out its malicious behavior over the Web. Just as snowshoes spread the weight of a step on snow to minimize sinking and facilitate travel, snowshoe spammers spread their abhorrent activities across a multitude of IP addresses. By doing that, they can reduce their visibility on the Web and raise havoc with reputation metrics and evade detection by spam filters. The spammers know a percentage of their clutter will be diverted by anti-spam systems deployed by their targets, but by broadening the swath of their efforts, they can increase that percentage.</p>
<p><span id="more-1642"></span></p>
<p>Launching a snowshoe operation takes some sophistication. That&#8217;s because an operator needs to use an assortment of IP addresses, as well as servers and providers to fan out his payload. Analysis of snowshoe spam shows that IP addresses are rarely repeated. That makes isolating the spam more challenging because spamfighters can&#8217;t turn off the spigot from a particular IP address. They must analyze the content of each message to capture the junk, a more processor intensive process than just blocking an IP address.</p>
<p>As is typical of byte bandits everywhere, snowshoe spammers hide behind fictitious businesses and phoney names and identities. They frequently change postal dropboxes and voicemail drops. They&#8217;re masters of creating fake Whois records, records used to trace the owners of domain names.</p>
<p>One technique used by the spammers to perpetuate their subterfuge is to use tunneled connections between their spam cannons and the IP they use to spread their junk. That way, the IP address of the back-end cannon doesn&#8217;t appear in the headers of the spam messages. When a range of &#8220;spigot&#8221; domains are blocked, the spammers just redirect their cannons to another set of domains and keep pumping out their crud. The tactic makes the spam difficult, but not impossible, to trace.</p>
<p>According to Spamhaus, snowshoe spamming has been around for some time, but last year a few U.S. junk emailers refined the process by adopting scrubbing techniques like listwashing and waterfalling to recycle mailing lists. The practice has become so popular that snowshoe spam accounts for 20 to 30 percent of all connections at a typical generic top level domain server. It is the second largest segment of the mailstream next to botnet spam from compromised machines in the dynamic IP space. Snowshoe spam works in the static IP space.</p>
<p>Some White Hats believe that Spamhaus&#8217;s latest move will decrease spam traffic.</p>
<blockquote><p>&#8220;The new list will likely result in a lot of spam being blocked, which is a good thing,&#8221; Steven Champeon wrote in the Enemieslist blog.</p></blockquote>
<blockquote><p>&#8220;[S]o-called snowshoe spam has been an increasingly large component of the spam we see here and in the trap feeds we monitor,&#8221; he continued. &#8220;In one sense, [snowshoe spam] is a return to old-school statically-hosted spamming, the sort that Spamhaus SBL was created to solve&#8211;but representing an evolution in tactics and new levels of obfuscation.&#8221;</p></blockquote>
<p>He added that Spamhaus&#8217;s snowshoe efforts represent an opportunity for Email Service Providers who are solid Netizens. He cited a number of legitimate companies who have been suckered by snowshoe spammers. They include Sears, Brinks, LG, Kraft, Gerber, Dish Network and the AARP. The <a target="_blank" href="http://www.spamhaus.org/css/">Spamhaus initiative</a> will <a target="_blank" href="http://enemieslist.com/news/archives/2009/10/the_impact_of_t.html">encourage legitimate clients of spammers to move to ESPs</a>, he argued. &#8220;[I]n the long run,&#8221; he reasoned, &#8220;[that's] a good thing, because ESPs with transparency and a reputation to protect will educate their new clients.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/10/spamhaus-targets-snowshoe-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Understanding Blocklist Providers</title>
		<link>http://www.allspammedup.com/2009/08/understanding-blocklist-providers/</link>
		<comments>http://www.allspammedup.com/2009/08/understanding-blocklist-providers/#comments</comments>
		<pubDate>Thu, 13 Aug 2009 13:00:11 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Blocklists]]></category>
		<category><![CDATA[RBL]]></category>
		<category><![CDATA[SpamHAUS]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1358</guid>
		<description><![CDATA[In my last blog post Why Is It Really So Hard to Tackle Spam I mentioned that a lot of spam originates from compromised home computers, not email servers, and that many of these computers end up on blocklists such &#8230;
]]></description>
			<content:encoded><![CDATA[<p>In my last blog post <a href="http://www.allspammedup.com/2009/08/why-is-it-really-so-hard-to-tackle-spam/">Why Is It Really So Hard to Tackle Spam</a> I mentioned that a lot of spam originates from compromised home computers, not email servers, and that many of these computers end up on blocklists such as Spamhaus as a result.  In a comment on that post our reader Donovan Hill also mentions Spamhaus.</p>
<p><em>&#8220;I found the most effective thing to preventing spam was to start by using a list like Spamhaus&#8230;&#8221;</em></p>
<p>So what exactly is <a target="_blank" href="http://spamhaus.org">Spamhaus</a>, and how do these blocklists work?  To answer this question we must first understand the problem that blocklists were created to solve.</p>
<h2>Why Do Blocklists Exist?</h2>
<p>Blocklists came about due to the desire by email administrators to easily block spam emails from likely spam sources.  If a particular sending host is known to be a spam source, or is very likely to be a spam source, it is more cost effective to make that determination based on the IP address of the sending host rather than on the content of the email message.</p>
<p><span id="more-1358"></span>This is because terminating an SMTP (the TCP/IP protocol used for sending email) connection during the initial connection phase has a lower cost than accepting the entire email message and inspecting it for spam.  The &#8220;cost&#8221; in this case is bandwidth and computational resources.  Server resources and network bandwidth are consumed when an email message is accepted by the receiving server and then inspected with content filtering to determine whether or not it is spam.</p>
<p>The more server and network resources a business needs to provide for email the more costly it will be in dollars.  I examined this in more detail in my blog post <a href="http://www.allspammedup.com/2009/02/can-you-afford-the-hardware-you-need-to-not-block-spam/">Can You Afford The Hardware You Need to NOT Block Spam</a>.</p>
<p>Blocklist providers such as Spamhaus fill this need for email administrators by providing a database of known and likely spam sources that email servers can check before accepting email from a sending host.</p>
<h2>What is on a Blocklist?</h2>
<p>A blocklist is essentially a database of IP addresses on the internet. These IP addresses will typically fall into three categories:</p>
<p><strong>Known Spammers</strong> &#8211; these IP addresses belong to known spammers, spam gangs, and spam support services.  An IP address will end up on the list if it is verified as a source of spam emails.</p>
<p><strong>Compromised Computers</strong> &#8211; these IP addresses belong to computers on the internet that are either misconfigured (e.g. as an open relay) or have been determined as compromised by some kind of exploit (such as a virus).  Typically these addresses will include computers that have been compromised and become part of a botnet.</p>
<p><strong>Unlikely Email Sources</strong> &#8211; these IP addresses are usually provided by ISPs to blocklist providers to identify parts of the ISP network (e.g. blocks of IP addresses reserved for their customers) that are unlikely to be a source for legitimate email.  Most email sent from home computers is sent via the ISP&#8217;s email server or via other services such as web-based email providers.  Email directly sent from an ISP customer&#8217;s computer is often spam sent by malicious software that has infected their computer; hence it is reasonably safe to block these IP addresses without impeding legitimate email communication.</p>
<h2>How do Blocklists Work?</h2>
<p>As mentioned earlier, a blocklist provides a database of IP addresses that an email server can check to determine whether or not to accept an email from a sending host.  Blocklist provider Spamhaus describes this process in this simple diagram.</p>
<div id="attachment_1360" class="wp-caption aligncenter" style="width: 510px"><img class="size-full wp-image-1360" src="http://www.allspammedup.com/wp-content/uploads/2009/08/spamhaus_dnsbl_basic.png" alt="Credit: Spamhaus.org" width="500" height="152" /><p class="wp-caption-text">Credit: Spamhaus.org</p></div>
<p>Basically the email server asks Spamhaus if the sending IP is in one of their databases, and Spamhaus replies with codes that mean Yes or No.  It is then up to the email server to decide what to do with the email based on the configuration that has been set.  Most email administrators will simply terminate the SMTP connection, but some will still accept the email and tag the subject line with &#8220;Spam&#8221; so that end users can decide what to do with it.</p>
<p>There are blocklist providers other than Spamhaus, but they all operate in largely the same manner.  Most of the differences will be in how the database itself is managed, e.g. what process a person would have to go through to get their IP address removed from the database.</p>
<h2>Do Blocklists Stop Spam?</h2>
<p>Email administrators such as Donovan quoted earlier in this blog post will tell you that blocklists are very effective at reducing the volume of spam that an organisation needs to deal with.  Any business that is struggling with a spam problem should certainly look at implementing an anti-spam solution that can utilise blocklist providers to efficiently block spam emails before they reach the email server.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/08/understanding-blocklist-providers/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Using Email Marketing the Right Way</title>
		<link>http://www.allspammedup.com/2009/06/using-email-marketing-the-right-way/</link>
		<comments>http://www.allspammedup.com/2009/06/using-email-marketing-the-right-way/#comments</comments>
		<pubDate>Wed, 24 Jun 2009 13:01:12 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Email Marketing]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[SpamHAUS]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1144</guid>
		<description><![CDATA[There is no question that spam is a problem for businesses who must deal with thousands or even millions of unsolicited advertising, phishing, and hoax emails every year.  But the problem of spam becomes more than just how to deal &#8230;
]]></description>
			<content:encoded><![CDATA[<p>There is no question that spam is a problem for businesses who must deal with thousands or even millions of unsolicited advertising, phishing, and hoax emails every year.  But the problem of spam becomes more than just how to deal with the incoming junk.  Spam also hinders the ability of businesses to engage in effective email marketing.</p>
<h2>What is Email Marketing?</h2>
<p>Email marketing is quite simply the legitimate use of email for communicating with customers.  The problem today is that many people cannot tell the difference between email marketing and email spam.  In fact some spammers can&#8217;t even tell the difference, branding themselves as &#8220;internet marketers&#8221; and operating with no regard for the problems that they cause.</p>
<p><span id="more-1144"></span>Kevin Garber from <a target="_blank" href="http://www.melon.com.au/">Melon Media</a> in Sydney, Australia says, &#8220;<em>Increasingly the determining factor of what is or isn&#8217;t &#8216;spam&#8217; is in the eye of the recipient, so often legitimate email marketing and spam can be lumped in the same bucket</em>.&#8221;</p>
<p>With such a grey line between the two, where can email users begin when trying to make the distinction?  &#8220;<em>Genuine spam however is often designed to confuse and trick recipients.  It is also usually very difficult to tell who the sender of genuine spam is</em>,&#8221; Garber says.  &#8220;<em>Legitimate email marketing at least attempts to do everything by the book &#8211; including full disclosure of who the email is from and clarity of all commercial offers</em>.&#8221;</p>
<p>Adding to the confusion is the problem of email marketing being confused for spam when the end user simply forgets that they signed up to receive it.  As <a target="_blank" href="http://blogs.msdn.com/tzink/archive/2009/05/28/options-for-dealing-with-unwanted-mail.aspx">Microsoft&#8217;s Terry Zink</a> points out from experience, &#8220;<em>It&#8217;s not at all uncommon for users to regularly submit non-spam messages as spam.  The most common of these are opt-in newsletters.  Mail the user opted into at one point but no longer wants to receive.</em>&#8221;</p>
<h2>The Challenge of Email Marketing</h2>
<p>Spam presents two significant challenges to legitimate email marketing.  Firstly it hinders the ability of businesses to have their email communications reach interested customers.  Belinda Jackson of <a target="_blank" href="http://www.webchameleon.com.au/">Web Chameleon</a> says, &#8220;<em>Getting legitimate email marketing delivered has become more of a challenge with more and more spam hitting people&#8217;s inboxes.  Tighter spam control at different levels of the delivery process means that some email does not get delivered.  This of course, is a challenge for those of us who wish to only send valued Email Marketing to their clients and opt-in subscribers.</em>&#8221;</p>
<p>Sometimes these problems can be technical in nature, caused by an overly aggressive content filter or keyword blacklist configured by the email administrator.  Other times the problem can arise when servers used by email marketers end up on RBLs such as SpamHaus.  This is particularly an issue when the email administrator has an objection to any emails that do not directly relate to their company&#8217;s business activities.</p>
<p>&#8220;<em>Both corporate mail administrators and independent blacklists have at various stages blacklisted us</em>,&#8221; says Garber.  &#8220;<em>All were resolved but clients suffered periods of inconvenience</em>.&#8221;</p>
<h2>Engaging in Email Marketing</h2>
<p>Businesses that wish to use email marketing need to plan their strategy correctly to avoid being viewed as a spammer.  Both Jackson and Garber agree on some important steps to take.</p>
<ul class="unIndentedList">
<li>Only send marketing emails to opt-in recipients</li>
<li>Always include a clear reminder in the email so the recipient knows how you acquired their email address</li>
<li>Never buy lists of email addresses for marketing purposes</li>
<li>Have a visible and simple way for the recipient to unsubscribe, and make sure it works</li>
<li>Use a reputable email marketing service that treats deliverability as a high priority</li>
<li>Be aware of the anti-spam laws of your jurisdiction and operate within those boundaries</li>
</ul>
<h2>Solving the Problem for Businesses</h2>
<p>Because email spam is an international problem the real solution must be a global one.  Garber proposes that global legislation combined with a &#8220;<em>global law enforcement team with the mandate to track down all genuine spam campaigns and press charges</em>&#8221; could go a long way to resolving the issue.  In the meantime, &#8220;<em>Users have generally adapted to the problem, but the industry should continue to be vigilant in seeking a mix of technical and legal based solution to this problem.&#8221;</em></p>
<p>Despite what some email administrators might think, doing away with email marketing entirely is not the solution.  As Jackson puts it, &#8220;<em>The reality is that a lot of people actually enjoy getting marketing letters and brochures in their letterboxes much like many people enjoy receiving commercial emails and newsletters that provide value and that they have subscribed to.&#8221;</em></p>
<p>With this in mind it is important to understand that poorly implemented anti-spam systems can ultimately hurt legitimate business activities.  A balance must be struck between preventing spam and allowing businesses to engage in effective email marketing campaigns with their customers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/06/using-email-marketing-the-right-way/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Anti-Spam Products Are More Than the Sum of Their Parts</title>
		<link>http://www.allspammedup.com/2009/04/anti-spam-products-are-more-than-the-sum-of-their-parts/</link>
		<comments>http://www.allspammedup.com/2009/04/anti-spam-products-are-more-than-the-sum-of-their-parts/#comments</comments>
		<pubDate>Fri, 24 Apr 2009 12:14:40 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[SenderID]]></category>
		<category><![CDATA[SpamHAUS]]></category>
		<category><![CDATA[SPF]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=873</guid>
		<description><![CDATA[When you boil the spam problem down it becomes quite simple &#8211; someone is sending you emails that you don&#8217;t want to receive.  This makes the anti-spam solution a simple one too &#8211; stop unwanted emails from arriving in someone&#8217;s &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-877" src="http://www.allspammedup.com/wp-content/uploads/2009/04/team.jpg" alt="team" width="250" height="250" />When you boil the spam problem down it becomes quite simple &#8211; someone is sending you emails that you don&#8217;t want to receive.  This makes the anti-spam solution a simple one too &#8211; stop unwanted emails from arriving in someone&#8217;s email account.  However, actually achieving this is a very complex task.</p>
<p>Any anti-spam system that is worth using will contain a range of preventative measures and features that are used to determine whether an email is likely to be spam or not.  As a complete solution they can be very effective, but taken individually their weaknesses become more apparent.  Here are some examples.</p>
<h3>Source IP Filtering</h3>
<p>Also known as Connection Filtering, DNSBL, or RBL, this technique compares the source IP of an incoming SMTP connection to a list of suspected spam sources.  The list can be either a manually generated list that the email administrator creates, or can be a subscribed list by a third party provider (such as SpamHAUS).  If the IP address is on the list then the email is considered likely to be spam and the server will drop or reject it.</p>
<p>The weakness of this technique appears when IP addresses are mistakenly included in the list.  A legitimate email server may find itself blocked by other systems that are subscribed to a particular IP list, which prevents important business email from being sent to those systems.  Similarly, some regular sources of spam emails such as free web-based email services cannot be blocked by IP address because that would certainly block a lot of legitimate email as well.</p>
<h3>Content Filtering</h3>
<p>Early anti-spam products made decisions about spam emails using single word matches such as &#8220;Viagra&#8221; or foul language.  This quickly proved fruitless because spammers would simply vary the word slightly in each email, for example &#8220;v1agra&#8221; and &#8220;via.gra&#8221;.  Content filtering then improved to include databases of spam phrases and patterns and would assess more of the content in an email to determine if it was spam.<span id="more-873"></span></p>
<p>The weakness of this technique is the constant game of &#8220;catch up&#8221; that is being played as spammers adapt new strategies to sneak their content past anti-spam systems.  For example, when content filtering was getting very effective, spammers suddenly switched to putting all of the email text into an image file that the anti-spam system could not read.</p>
<h3>Sender Verification</h3>
<p>There are several &#8220;sender verification&#8221; standards such as Sender Policy Framework (SPF) and SenderID, each varying slightly but based on the same principle of using DNS records to verify that the sender of an email is authorized to send email for that domain name.</p>
<p>There are a few reasons why this technique does not perform well on its own.  Firstly, uptake of the systems among email administrators is minimal.  Without everyone participating in such a scheme the effectiveness of it is diminished.  Secondly, it only verifies that the source of the email is authorised to send for a given domain name.  Email systems that are inherently insecure and often exploited by spammers (such as the web-based email services mentioned earlier) make performing sender verification nearly pointless.</p>
<h3>Likely Spam vs Definitely Spam</h3>
<p>As you can see above no single anti-spam technique performs very well on its own.  However, when you combine a number of different techniques into a single system, with each technique applying a &#8220;likelihood&#8221; score to each email that is checked, the system can be quite effective.</p>
<p>For example, if an email is from an IP address that is not considered a likely spam source (no score increase), but contains spam-like content (score increased according to severity), and fails sender verification (increases score again), the combined &#8220;likelihood&#8221; score may reach the configured threshold for the system and cause the email to be treated as spam.</p>
<h3>Choosing an Anti-Spam Solution</h3>
<p>Keep all of the above in mind when you are considering an anti-spam solution for your organization.  It can be tempting to look at a &#8220;home brew&#8221; solution made up of individual systems dedicated to each technique, as <a href="http://www.allspammedup.com/2009/04/why-pay-for-an-anti-spam-solution-when-i-can-put-one-together-for-free/">these associates of mine did recently</a>.  Aside from the <a href="http://www.allspammedup.com/2009/04/why-pay-for-an-anti-spam-solution-when-i-can-put-one-together-for-free/">administrative overhead</a>, the overall effectiveness of such a system is going to be far lower than that of a proper multi-featured anti-spam solution.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/04/anti-spam-products-are-more-than-the-sum-of-their-parts/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
	</channel>
</rss>

