Planet Antispam

Box Of Meat: CAUCE North America: Maybe email IS dead -- part of it, anyway.

2009-11-20T22:35:58+00:00

CAUCE North America: Maybe email IS dead -- part of it, anyway.:

“…bulk email — marketing and otherwise — may indeed on the verge of dying. Increasing spam leads to increasing filtering leads to increasing deliverability problems…. Other technologies are much, much better at disseminating information from one author to multiple willing recipients.”

Box Of Meat: Word to the Wise: Troubleshooting the simple stuff

2009-11-20T21:03:58+00:00

Word to the Wise: Troubleshooting the simple stuff:

“We’ve been having an ongoing conversation recently about the utterly stupid and annoying questions some senders ask…too stupid or lazy to do their own troubleshooting.”

Enemieslist: new pats posted - 20091120 (maintenance pats release)

2009-11-20T20:45:09+00:00

46147 patterns, 11515 right anchor strings, 190116 test IPs.

Some more contribs and updates from a new feed. Working through a big
set of outmx pats now, as well. There were several minor releases on
11/19.

There is a new tech, 'borderware'. Also, 'interscan', for Trend Micro
InterScan servers.

Also note that the rbldnsd zone file now has support for 'cloud', using
response code 127.0.0.12. Currently only a few of these, but the field
is growing, so expect more to come. This may be used via the most recent
sendmail package, and I've updated the SpamAssassin plugin to support it
as well.

Download them here:

sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors

postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20091120

exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20091120

Box Of Meat: Washington Post Security Fix: FDA targets rogue Internet pharmacies

2009-11-20T19:05:51+00:00

Washington Post Security Fix: FDA targets rogue Internet pharmacies:

“The U.S. Food and Drug Administration is pressuring a number of Internet service providers to shut off nearly 12 dozen Web sites alleged to be selling counterfeit or unapproved prescription drugs.”

Box Of Meat: Messaging News: Mega-D/Ozdok Botnet Take Down

2009-11-20T18:04:53+00:00

Messaging News: Mega-D/Ozdok Botnet Take Down:

“…actions included taking down domain names, cutting off the command and control servers, and hosting providers actually shutting off machines.”

Box Of Meat: The Email Wars: Anyone Can Do It – But Should They?

2009-11-20T17:04:31+00:00

The Email Wars: Anyone Can Do It – But Should They?:

“…I am quite tired of the free ESP services. Why? Well they are giving anyone with the ability to upload a list the ability to email me. It opens up the just because you can does not mean you should debate I often have with people new to email marketing (yes there are always people new to it).”

John Graham-Cumming: Parsing a JSON document and applying it to an HTML template in Google Go

2009-11-20T16:58:47+00:00

Here's some simple code to parse a JSON document and the transform it into an HTML document using the Google Go packages json and template.

If you've done anything in a scripting language then you'll probably be surprised by the generation of fixed struct types that have to match the parsed JSON document (or at least match some subset of it). Also because of the way reflection works in Google Go the struct member names need to be in uppercase (and for that reason I've used uppercase everywhere).


import (
  "fmt";
  "os";
  "json";
  "template"
)

type Row struct {
  Column1 string;
  Column2 string;
}

type Document struct {
  Title string;
  Rows []Row;
}

const a_document = `
{
  "Title" : "This is the title",
  "Rows"  : [ { "Column1" : "A1", "Column2" : "B1" },
              { "Column1" : "A2", "Column2" : "B2" }
            ]
}`

const a_template = `
<html>
<head><title>{Title}</title></head>
<body>
<table>
{.repeated section Rows}
<tr><td>{Column1}</td><td>{Column2}</td></tr>
{.end}
</body>
</html>`

func main() {

  // The following code reads the JSON document in 
  // a_document and turns it into the Document structure
  // stored in d

  var d Document;
  ok, e := json.Unmarshal( a_document, &d );

  if ok {
        
    // This code parses the template in a_template places
    // it in t then it applies the parsed JSON document in
    // d to the template and prints it out

    t, e := template.Parse( a_template, nil );
    if e == nil {
      t.Execute( d, os.Stdout );
    } else {
      fmt.Printf( e.String() );
    }
  } else {
    fmt.Printf( e );
  }
}

All the real work is done my main() by calling json.Unmarshal, template.Parse and then Execute.

Here's the Makefile and output:


$ cat Makefile
P := template
all: $P

$P: $P.6
 6l -o $@ $^

%.6: %.go
 6g $<
$ make
6g template.go
6l -o template template.6
$./template

<html>                                                                       
<head><title>This is the title</title></head>              
<body>                                                                       
<table>                                                                      
<tr><td>A1</td><td>B1</td></tr>                
<tr><td>A2</td><td>B2</td></tr>                
</body>                                                                      
</html>

Box Of Meat: CIO.com: The Six Greatest Threats to U.S. Cybersecurity

2009-11-20T16:04:00+00:00

CIO.com: The Six Greatest Threats to U.S. Cybersecurity:

“It’s not a very good day when a security report concludes: Disruptive cyber activities expected to become the norm in future political and military conflicts. But such was the case today as the Government Accountability Office today took yet another critical look at the US federal security systems and found most of them lacking.”

All Spammed Up: We Have Not Won The War On Spam

2009-11-20T15:41:28+00:00

I came across an article today written last week that proclaimed “We won the war on spam”. The general thrust of the article is that “despite continued hysteria, unwanted e-mail is largely a thing of the past”.

This is an interesting point of view which I happen to disagree with, but in thinking further I realize that this is mostly a matter of perspective – business vs personal, or big vs small.

The writer, Mark Gimein, approaches the matter from his own personal experience. Mark has a slightly more complex email setup than the average person – a series of email addresses for various purposes all forwarding into a Gmail account. In Mark’s experience spam has all but vanished from his inbox, although a few false negatives remain.

I’m not disputing Mark’s account, I don’t see very much spam slip through the filters into my inbox either, but the war on spam is most definitely not won. Mark hints at what I’m about to say with this paragraph in his article:

Stopping spam does take effort—without a doubt Yahoo and Google devote resources to it. But that’s just part of their business, no different from all the other things they need to do to keep their e-mail systems running. What matters is that from the point of view of users like me, what’s going on under the hood to keep junk out and legitimate messages in needn’t concern us.

For an email user in a business what goes on under the hood shouldn’t concern them, but it most certainly concerns the business. Businesses spend thousands of dollars each year on protecting their email systems from spam and malware. This is not a trivial expense and in itself stands as solid proof that the war on spam is far from over.

In Australia the ACMA report for 2008-09 stated a 21% rise in email spam complaints from the previous year. They also reported a 71% jump in SMS spam complaints.

If the war had been won then today’s spam filters serve us for decades to come, and further innovation in the field would be unnecessary. One thing is for sure, if the war is over then no one has told the spammers, because they continue evolving new spam techniques and bombarding email systems around the world with billions of spam messages every year.

For a single user receiving a few dozen emails per day spam probably does appear to be a problem that has been solved. For a business of thousands of users who collectively receive hundreds of thousands of emails per day even a 0.5% miss rate on spam is a lot of staff productivity lost dealing with them. And don’t forget the potential for security breach if someone falls for one of the more serious spam variants.

Declaring the war won is premature. As businesses spend hundreds of millions of dollars around the world every year on prevention, as well as costing millions more in breaches, the spammers continue to profit from even the small percentage of spam that slips through. Until that is stopped, the war goes on.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

We Have Not Won The War On Spam

All Spammed Up: Zbot Trojan Ring Busted

2009-11-20T15:36:24+00:00

Authorities in the UK have arrested two people suspected of distributing the Zeus Trojan. The arrests were made by the Metropolitan Police’s Central e-Crime Unit and are the first ever in connection with the Trojan, which has infected hundreds of thousands of computers across the globe.

Detective Inspector Colin Wetherill of the PCeU said: “The Zeus Trojan is a piece of malware used increasingly by criminals to obtain huge quantities of sensitive information from thousands of compromised computers around the world. The arrests represent a considerable breakthrough in our increasing efforts to combat online criminality.”

Zeus records banking account numbers, logins and other personal info and adds the infected computer to the ZBot botnet, which then uses the computer to pump out malicious spam designed to spread the infection.

Authorities would not identify the two suspects, saying only that they are a man and woman in their 20’s. They are being charged under the 1990 Computer Misuse Act and the 2006 Fraud Act.

Security experts say Zeus is spreading so fast because there is a toolkit available that allows anyone to customize the malware, create their own versions, and use it to commit bank fraud.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Zbot Trojan Ring Busted

Michael Boyd Clark: InfoAxe Spam

2009-11-20T12:03:08+00:00

This morning I received three separate “invitations” (each to a different email address) from InfoAxe.com. Here is the text of one message (html formatting and links stripped out, my friend’s name removed): 7b1d91231a87fb75e0054e886a0dea57

“Friend’s Name” has added you as a friend

Is “Friend’s Name” your friend?

Click Yes if “Friend’s Name” is your friend, otherwise click No. But you have to click!

Please respond or “Friend’s Name” may think you said no

Click here to block all emails from Infoaxe Inc., Sunnyvale, CA. 94085. Privacy Policy

There is so much wrong with this email:

The link on the “Yes” and the “No” responses to the question ‘Is “Friend’s Name” your friend?’ both go to the same page at InfoAxe.com.
The message is not CAN-SPAM compliant, there is not a full mailing address in the message.
The link in the footer labelled “Privacy Policy” is actually just a link to the site’s home page.
The use of the word “friend” is deceptive. It isn’t a social networking site. This is simply an attempt at using my friend’s name as an endorsement of their service.

I wrote back to my friend:

It looks like you gave InfoAxe permission to email all of your contacts listed in your aol address book. It is really really dangerous to give any third party access to your account. Never give out your account’s password. You never know what some other company is going to do with the info they “borrow” from your account. The privacy policy for Infoaxe is extremely light on details. They don’t address the legal ramifications of giving them access to your entire browsing history for example. Their site is also a bit sketchy in that it looks to not have been updated since at least summer 2008. I’d have to recommend you not use their service. Mike

Looking through the InfoAxe web site, there really isn’t anything there that is encouraging. Their abouttheteam page is a joke. The site is copyright 2008, which is an eternity in web-time. Their job page says you need to be able to start by August 2008. Only five blog posts in a year. Taken as a whole, why would you allow this company’s software to track your web browsing, and to access your address book? Stay away.

Update: 11/20/2009 7:06am: I got a reply from my friend that used the InfoAxe service:

Mike…i didnt fill it out when i reealized what ir was….i cancelled mid way…but it must have spammed everyone….so sorry…

That really says it all. InfoAxe isn’t being very clear and/or up-front with their users about how they are going to treat your address book. Basically, the rule is: you should never give out your password to anyone! Facebook, AOL, Hotmail, Gmail, Twitter, etc… There is never a reason to give your password to any third party site.

216.180.243.10 20/Nov/2009:11:11:29

Copyright © 2009 PlanetMike's Technology Journal. This Feed is for personal non-commercial use only. If you are not reading this material at http://www.planetmike.com or in your news aggregator, the site you are looking at is guilty of copyright infringement. Please contact copyright@planetmike.com so we can take legal action immediately.

InfoAxe Spam

Enemieslist: new pats posted - 20091119 (maintenance pats release)

2009-11-20T00:05:48+00:00

46016 patterns, 11512 right anchor strings, 189946 test IPs.

Some more contribs and updates from a new feed. Working through a big
set of outmx pats now, as well. There were several minor releases on
11/18.

There is a new tech, 'borderware'.

Download them here:

sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors

postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20091119

exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20091119

Box Of Meat: Internet Evolution: The Money Pit of Enterprise Security

2009-11-19T22:57:48+00:00

Internet Evolution: The Money Pit of Enterprise Security:

“There’s good reason CFOs (and everyone else who signs off) chafe when it comes to enterprise security spending — it’s not just a cost center, it’s a gigantic, budget-sucking vortex.”

Sophos Blog (Spam Category): Koobface, new promises?

2009-11-19T17:31:25+00:00

Koobface started life compromising Twitter accounts. It then diversified to attack various social networking sites including Facebook, MySpace, Bebo, hi5, GeoCities, Friendster among the prominent ones.

Recently I came across what could possibly be the next iteration of Koobface, W32/Koobfa-O, which came with Skype hacking functionality and some additional promises for the future. The new variant of Koobface attacks Skype accounts on the compromised machine to get various pieces of information about the victim using the different Skype API commands. The following screenshot demonstrates a few:

W32/Koobfa-O collects information about the user such as HOMEPAGE, ABOUT, PHONE_MOBILE, PHONE_OFFICE, PHONE_HOME, CITY, COUNTRY, BIRTHDAY, FULLNAME, PSTN_BALANCE etc. The collected information is dumped into a file which is packed as a RAR archive and either emailed or uploaded to a remote server. The worm then logs on to Skype chat as the user and starts a conversation with friends online. In the body of the worm there are snippets of conversation in 18 different languages including some Asian languages. The following screenshot shows a snippet of available conversation items in English:

I initially expected that there might be some lexical analysis being done to talk somewhat intelligently with the person at the other end of the chat, but it seems the worm pastes conversation pieces fairly randomly. This will be because the worm supports conversation in 18 languages, and it is too complicated to do a lexical analysis for the different languages. It is easier to just randomly chat. The worm will also paste a link to a compromised domain in the chat conversation, visiting which will download W32/Koobfa-O.

W32/Koobfa-O also does something which promises upcoming functionality in the future.

Koobface already attacks Facebook and MySpace, so those two on the list are no big surprises. The list contains new additions: blogger.com, wikipedia.org, youtube.com, yahoo.com and google.com. The worm doesn’t do much except look to see if some information (possibly credentials) exists for these domains. But is this a promise for the future? Clearly as social networking and collaborative sites/tools multiply in number and become bigger, more malware will attempt to take advantage of them.

Box Of Meat: The Email Delivery Guru: Require a login to opt-out?

2009-11-19T16:03:06+00:00

The Email Delivery Guru: Require a login to opt-out?:

“If you’re wondering if it’s OK to require that recipients must log into your website before they can unsubscribe from your emails, the answer to that is no— it’s prohibited under US Federal law.”

All Spammed Up: Russian Spammers Trying to Cash in On Swine Flu

2009-11-19T15:14:05+00:00

Russian spammers are in the process of cashing in on the swine flu pandemic. Shady pharmacies are advertising Tamiflu for rock bottom prices using massive spam campaigns and search engine manipulation. Hundreds of fake “Canadian pharmacy” sites exist, many run by cybercrime gang Glavmed, whose “affiliates” rake in tens of thousands a day from the sales. The Tamiflu being offered is usually fake or out of date. Sometimes plain old sugar pills are provided, and in some cases, they are made of disturbing and downright dangerous ingredients like rat poison. Glavemed also runs SpamIt, a group of email spam affilates that is thought to be behind the Conficker, Waldec and Storm botnets.

The spammers are exploiting the news that global production of flu fighting drugs like Tamiflu is unable to keep up with demand. They are trying to appeal to those who may be likely to order out of panic, and they are finding success. The top countries ordering the fake flu medication are the US, Canada, France, the UK and Germany.

The gang, known as “THE PARTNERKA” has found such success because they are using a mix of methods to deliver their message. In addition to floods of email spam, they are using Black Hat SEO, social networking, and malware, and there are all kinds of software to help them, such as “John22” which generates HTML content for websites at an alarmingly fast rate, links them together, uploads them, and notifies Google. The pages are so good it’s near impossible to tell they were computer generated. Then there’s ZennoPoster, which generates webmail accounts on services like Gmail and Yahoo, and accounts on social networking, free web hosting and blog sites. It also sends text, email and forum/blog spam. This recipe ensures that spam filters and anti-virus programs won’t have much impact on their bottom line.

Security and Health experts alike are advising everyone to stay away from any pharmacy advertised in spam messages or affiliate marketing. If you need medication, get it from your licensed and educated doctor.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Russian Spammers Trying to Cash in On Swine Flu

John Graham-Cumming: Installing Google Go on Mac OS X

2009-11-19T14:44:42+00:00

I decided to have a go with Google Go since I'm an old fogey C/C++ programmer. Any new innovation in the C/C++ family gets me excited and Google Go has quite a few nice features (garbage collection is really nice to have and channels make me think of all the work I did in CSP).

I decided to go with the 6g compiler since gccgo doesn't have garbage collection implemented yet and hence there's no way to free memory. The only way to get 6g is to mirror its Mercurial repository. So...

Step 1: Install Mercurial

For that I used prebuilt packages from here and got Mercurial 1.4 for Mac OS X 1.5 (no, I haven't upgraded to Snow Leopard yet).

Step 2. Set GOROOT

I just did a quick cd ; mkdir go ; export GOROOT=$HOME/go to get me started.

Step 3. Clone the 6g repository

That was a quick hg clone -r https://go.googlecode.com/hg/ $GOROOT followed by the hard part: compiling it. You need to have gcc, make, bison and ed installed (whcih I do since I do development work on my Mac).

Step 5. Set GOBIN

This points to where the binaries will go, for me that's $HOME/bin since I'll be doing local development using Go. And I updated PATH to include $GOBIN.

Step 4. Compile 6g

You first need to set GOARCH and GOOS. For me that's amd64 for the architecture (the Intel Core 2 Duo in my Macbook Air is a 64-bit processor) and darwin for the OS (since this is a Mac).


$ export GOARCH=amd64
$ export GOOS=darwin

Then you can actually do the compile:


$ cd $GOROOT/src
$ ./all.bash

This does a build and test of 6g and it was very fast to build (although I'm used to building gcc which is a bit of a monster).

Step 5. Write a Hello, World! program

Here's my first little Google Go program (filename: hw.go) just to test the 6g compiler.


package main

import "fmt"

func main() {
    fmt.Printf( "Hello, World\n" );
}

To simplify building I made a minimal Makefile:


all: hw
hw: hw.6 ; 6l -o $@ $^
%.6: %.go ; 6g $<

And then the magic moment:


$ make
6g hw.go
6l -o hw hw.6
$ ./hw
Hello, World!

And now for a real project... get SQLite to interface to it.

John Graham-Cumming: Geek Weekend (Paris Edition), Day 4: Institut Pasteur

2009-11-19T10:59:03+00:00

Leaving my SO in bed at the hotel with a nasty bacterial infection and some antibiotics, I went with timely irony to visit the home and laboratory of Louis Pasteur at the Institut Pasteur. (It's pretty easy to find since it has a conveniently named stop on the Paris metro: Pasteur).

At the Institut Pasteur there's a wonderful museum that covers the life and work of Louis Pasteur (and his wife). It's housed in the building (above) where the Pasteurs lived. There's a single room of Pasteur's science and the rest of the house is Pasteur's home; so a visit is partly scienfitic and partly like visiting any old home. I was mostly interested in the laboratory (although seeing how he lived---pretty darn well!---was also worth it).

Pasteur wrote standing up at a raised table (much like old bank clerks used to use) and his lab is full of specimens that he worked on. There's a nice display about chirality which Pasteur had initially worked on while study tartaric acid in wine. (Pasteur determined that there were two forms of tartaric acid by painstakingly sorting tiny crystals by hand).

The rest of the lab covers immunization, pasteurization and the germ theory of disease. There was a nice display of Pasteur's bottles of chicken broth that he used to demonstrate the germ theory of disease. The bottles contain boiled broth and have a long tapering curved neck. Although the neck is open the shape prevents dust from entering and the broth sits undisturbed (as it has for 150 years).

In the same room there's also a big bottle of horse's blood that looks fresh despite its age, and there are detailed displays about immunization (and especially Pasteur's rabies vaccine).

The museum also has a lot of equipment used by Pasteur, such as vacuum pumps and autoclaves. It all has that lovely Victorian feel of wrought iron and brass.

The oddest part of the museum is the Pasteurs' burial chamber built beneath the house and in a totally over the top Byzantine style.

Note that the museum is only open in the afternoons during the week and that you must bring photo ID with you to get in since it is inside the Institut Pasteur.

Spamresource.com: O HAI TAG44 WTF?

2009-11-19T08:04:00+00:00

My friend Mickey Chandler mentioned to me that TAG44 emailed him yet again.

They're apparently still putting a stupid "this is not spam" disclaimer in their email. As with last time, they reference a law that doesn't exist.

"Note: We respect your Online Privacy. This is not an unsolicited mail. Under Bills 1618 Title III passed by the 105th U. S. Congress this mail cannot be considered Spam as long as we include Contact information and a method to be removed from our mailing list. If you are not interested in receiving our E-mails then please reply with a “remove” in the subject line and mention all the E-mail addresses to be removed with any E-mail addresses which might be diverting the E-mails to you. I am sorry for the inconvenience" -- the dumb, factually inaccurate footer from TAG44's email messages.

Free clues for TAG44:

A bill is not a law. Did you catch that? That was a bill from years ago. A proposed law. It never became law, because it never passed the House of Representatives. It has no legal standing. You might as well replace it with This email is not spam because my grandmother wears a fancy hat for all the legal standing it carries.
You're "murking" your own emails? On purpose? That is, uh, how do I put this? That is not a sign of intelligence. Don't take my word for it -- ask anybody who has ever written about the Murkowski disclaimer. What you're actually doing is making your email look like spam, and you're acting like a spammer.
That bill (the one that never became law) is from 1998. That's eleven years ago, friends. Your email marketing expertise is just a tiny bit out of date. Maybe you should hire Mickey, instead of spamming him.

I'm guessing that TAG44 never searches for their company name on Google, or else they would have run across Mickey's post about them, since it's the first hit you find after their own website. Let's see if this one ends up right behind Mickey's post in Google's search results.

John R. Levine: A thought about not-quite-ASCII Top Level Domains

2009-11-19T06:41:04+00:00

ICANN has opened their new fast track process for "countries and territories that use languages based on scripts other than Latin" to get domain names that identify the country or territory in its own language. It's not clear to me what the policy is supposed to be for countries whose languages use extended Latin with accents and other marks that aren't in the ASCII set.

Any country that uses an extended Latin character set can use extended characters in 2LDs right now, and I can't offhand think of any whose current unaccented two-letter ccTLD isn't an adequate mnemonic for their name. But let's say that Serbia feels that .RS is kind of lame, so they apply for and get .Србија which is perfectly reasonable, since that's the Cyrillic character set.

Then Romania decides that .RO is too generic, so they ask for .România with the circumflex over the â, as it is properly spelled in Romanian. That's an IDN, so how can they say no?

Hey, say the Hungarians, they got their country names, we want .Magyar. Oh, no, that's ASCII, that will be $185,000 and a highly uncertain multi-year process. Really?

Sophos Blog (Spam Category): Twitter spam explosion

2009-11-18T23:32:51+00:00

Starting early this morning, we have seen a major uptick in the use of Twitter links inside spam messages. Here are a few different variants of them. Most of the spam refers to online med sites although a few campaigns tout making lots of money:

Following the links will lead a user to arrive at “making-money-with-Google” or Online Pharmacy sites:

The Twitter accounts themselves appear to be legitimate and do not look to be bot-registered. They contain normal-looking tweets in the previous days and months. We’re still looking into how the accounts are compromised. Certain malware such as koobface would steal Twitter credentials. There is also the possibility of the accounts credentials being compromised through phishing.

As for regular users, it’s important now more than ever to scrutinize the links you receive through Twitter. Today these links point to spam sites. Tomorrow these links could be pointing to malware.

Box Of Meat: Techdirt: Crackdown On Loyalty Program Scams Shows How Ridiculously Sucessful They Were

2009-11-18T22:37:48+00:00

Techdirt: Crackdown On Loyalty Program Scams Shows How Ridiculously Sucessful They Were:

‘Many of these are incredibly sneaky, such that many users have no idea they signed up for it until they get their credit card statements. Even worse, many of the “tricks” involve getting legitimate sites to offer these “services” to their users — and those included Continental Airlines, Classmates.com, Priceline, 1-800-Flowers and many others.’

Box Of Meat: The Database Diva: Ditch Me-Me-Itis with Business Email Marketing

2009-11-18T18:14:48+00:00

The Database Diva: Ditch Me-Me-Itis with Business Email Marketing:

A computer-generated video conversation about email marketing best practices, with only one thing missing: the “blast” guy should’ve been bitch-slapped every time he opened his mouth.

Box Of Meat: Joho the Blog: My talk at the Canadian Marketing Association: Markets are networks

2009-11-18T17:14:51+00:00

Joho the Blog: My talk at the Canadian Marketing Association: Markets are networks:

“In short: You can’t step into the same market twice.”

Enemieslist: new pats posted - 20091118 (maintenance pats release)

2009-11-18T17:06:37+00:00

45903 patterns, 11505 right anchor strings, 189747 test IPs.

Some more contribs and updates from a new feed. Working through a big
set of outmx pats now, as well.

There is a new tech, 'borderware'.

Download them here:

sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors

postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20091118

exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20091118

Box Of Meat: threatpost: Security Metrics Are Useless Without a Plan

2009-11-18T16:13:52+00:00

threatpost: Security Metrics Are Useless Without a Plan:

“There has been a big push in recent years in the security community toward metrics, and measurements of all types have become a hot topic in certain corners of the industry. But measurement for measurement’s sake is useless-and perhaps even counterproductive….”

Box Of Meat: Telegraph: Stephen Fry says Twitter lets celebrities bypass media

2009-11-18T15:13:15+00:00

Telegraph: Stephen Fry says Twitter lets celebrities bypass media:

‘While many brands are working hard to have a credible presence on Twitter, in an attempt to make consumers engage more with their products, Mr Fry stressed that the essence of Twitter was “human-shaped” and not a marketing tool for businesses.’

(via tech.blorge, which adds some additional colour)

All Spammed Up: Private registration no defense for spammers

2009-11-18T08:21:06+00:00

A CAN-SPAM court decision may hurt the private domain registration business.

Spammers hiding behind private registration of domain names to spread junk email received a slap in the face recently by a federal district court in California. In their attempt to nullify the U.S. CAN-SPAM Act the garbage pedlars argued, among other things, that the law was unconstitutionally vague because anyone trafficking in private domain registrations could be held liable for materially falsifying an identity under the statute.

Ironically, private domain registrations were created to protect domain owners from spammers, scammers, telemarketers and other unsavory types. Under the process, domain owners who want to keep their personal information private enlist another company, a proxy registrar, to register their domain for them. The domain owner retains control of the domain, but for public purposes, such as listing in the WHOIS directory, the proxy’s contact information is listed as the owner of the domain. The rub to the process, though, is that anyone can use it–even spammers seeking to hide ownership of their domains. It’s a pair of such spammers that found themselves appealing their prosecution before the Ninth Circuit Court of Appeals.

The case, U.S. v. Kilbride, involved a pair of porn spammers operating through a company based in the small African nation of Mauritius. Their spam, which generated 662,000 complaints with the U.S. Federal Trade Commission, violated CAN-SPAM in a number of ways including forged headers, fake email addresses and phony contact information. A jury, after a three week trial, convicted the defendants of criminal CAN-SPAM violations and other charges. One smut circulator received a 6.5 year prison term; the other, five years in the Big House.

In their arguments before the court, the skin merchants asserted that CAN-SPAM is too vague in its definition of material falsification to meet constitutional standards because it criminalizes private registration of domain names. The court, however, wasn’t buying that contention. “We fail to perceive any vagueness on this point,” the judges opined.

Passed in 2003, CAN-SPAM provides penalties for anyone, among other things, who “materially falsifies header information in multiple commercial electronic mail messages and intentionally initiates the transmission of such messages” or “registers, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names…”

The court also rejected the notion that the material falsification definition allows innocent people to be investigated for violating the law until their intent can be determined. That, the spammers asserted, invited law enforcement officials to abuse the law. “This may be so, but it does not make the statute
unconstitutionally vague,” the court said.

“As we recently noted,” it continued, ” ‘[w]hat renders a statute vague is not the possibility that it will sometimes be difficult to determine whether the incriminating fact it establishes has been proved; but rather the indeterminacy of precisely what that fact is.’”

“While determining as a factual matter whether the requisite intent for culpability under [CAN-SPAM]exists may prove difficult, this does not demonstrate
that the concept of intent as used in the statute is an entirely indeterminate, subjective one,” it added. “Hence, the problem Defendants identify is irrelevant to the vagueness inquiry.”

Of course, the Ninth Circuit is only one court, and its decisions don’t necessarily carry any weight outside its jurisdiction. Another court could very well find that CAN-SPAM’s falsification provisions are unconstitutional and send the whole issue to the Supreme Court.

For now, however, the question remains will court decisions that discourage netizens from using private registrations or registrars from offering them make a dent in the spam volumes which are consistently over 90 percent of all email on the Internet? Probably not. If the government gets tough in probing private registrations, it will probably discourage the innocent from engaging in the practice while Black Hats, who live by subterfuge, will continue to keep it in their bag of dirty tricks.

One thing is certain, if the courts continue to crackdown on private registrations, it won’t favorably impact the registrars who turn a buck on them. As one attorney waggishly observed in his blog, “I don’t see the domain name proxy business as a growth industry.”

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Private registration no defense for spammers

Terry Zink: Traveling for the next little while

2009-11-18T01:27:23+00:00

I am going to be traveling in Peru for the next little while, but fear not! I shall still be blogging!

I have written a few posts in advance to entertain you all that shall become publically visible over the next few days. Enjoy.

Enemieslist: new pats posted - 20091117 (maintenance pats release)

2009-11-17T19:53:30+00:00

45734 patterns, 11505 right anchor strings, 189435 test IPs.

Some more contribs and updates from a new feed. There were several minor
releases on 11/16. Working through a big set of outmx pats now, as well.

There is a new tech, 'borderware'.

Download them here:

sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors

postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20091117

exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20091117

Box Of Meat: PC World: DNS Problem Linked to DDoS Attacks Gets Worse

2009-11-17T17:31:47+00:00

PC World: DNS Problem Linked to DDoS Attacks Gets Worse:

“…the growing number of consumer devices on the Internet that are configured to accept DNS queries from anywhere…can be used in what’s known as a DNS amplification attack.”

Box Of Meat: John Resig: Google Groups is Dead

2009-11-17T16:31:49+00:00

John Resig: Google Groups is Dead:

“The primary problem with Google Groups boils down to a systemic failure to contain and manage spam. Only a bottom-up overhaul of the Google Groups system would be able to fix the problems that every Google Group faces.”

All Spammed Up: Zbot Trojan Unleashes Weekend Spam Campaign

2009-11-17T13:18:46+00:00

A huge weekend spam campaign exploited Verizon Wireless and spread the Zeus/ZBot Trojan. Security experts said the attack started on Friday morning with 200,000 malicious messages an hour being sent. The spam messages claimed to be from Verizon Wireless and told customers they had exceeded their credit limit and to check their accounts via the attached “tool”.

When the attachment was downloaded it installed the Zeus Trojan, notorious for stealing personal and banking info. The Trojan install a keylogger which is activated whenever a banking or financial site is visited and logged into. It also steals login info from popular sites like Amazon, MySpace, Facebook and Ebay. Verizon Wireless released a statement saying they are aware of the incident.

We’re aware of this spam/phishing message being sent to our customers over the past several days, and have taken steps to stop it from occurring,” said a Verizon spokesperson.

The campaign sent over 9 million messages before abruptly shutting down Monday morning. The researchers say the Trojan was repackaged six different time in an effort to evade detection by anti-virus software and firewalls.

Zeus has been around for quite awhile now. Its past spam campaigns included faked password reset requests from MySpace, faked notifications from the IRS, and a fake update from Microsoft.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Zbot Trojan Unleashes Weekend Spam Campaign

Spamresource.com: Loren McDonald on FISUE Syndrome

2009-11-17T12:57:51+00:00

Yesterday, Loren McDonald blogged about "FISUE Syndrome." What is it? It's where a recipient "Forgot I Signed Up for Email." He writes: "Was That Email Spam? Or Just Spam-Like? Earlier this year, I received an email from a presentation company that I was sure I had never heard of nor done business with. [...] I didn't know who this company was or whether I knowingly opted in for email, and I still don't."

He makes good points on how senders can avoid FISUE Syndrome. I'm drawn to one in particular: "From/ Sender Names: Of the six emails I had received, the company used five different "From" names. Bad. Pick a simple, logical "From" name and stick with it."

I'd like to add to that one, because it's a pet peeve of mine. If I sign up for emails from a company, does that mean I'm going to recognize the name of the person who emails me? If you're sending to an email list, do recipients on that list know an individual at the company, or do they only know the company?

I run into this enough that I occasionally blog about it. In that case, Boxee was sending me an email that I had consented to receive, but I had no idea that the head guy's name is Avner Ronen. If I don't recognize you, I'm going to think it's spam, and I'm going to report it as spam. Lack of recognition is going to drive higher spam complaints and deliverability issues are likely to follow.

Terry Zink: Virus attachments vs email classified as malware

2009-11-16T22:27:12+00:00

This probably belongs in the “Well, no kidding” category but I thought I would post it anyhow.

Since near the beginning of this year, I have been tracking how much email our filters classify as malware. I then took those values, broke them down into a weekly chart and compared it to how many mails we received on a weekly basis that contained virus attachments. Is there any relationship between the two? If there is a new malware campaign, is that associated with an increase in spams with links to malware?

It’s hard to measure this because we block so much mail at the network edge (90%). So, all of the data that I have is for post-edge blocked mail. Below is a chart of the amount of mail we classify as malware vs how much mail has a virus attachment, on a weekly basis:

The result is pretty significant, 31% of the variance in the number of viruses in email is associated with the variance in the number of messages we classify as malware. In other words, there is a very strong malware spam/virus correlation (correlation = 0.55) since March of this year.

The problem is that I had to massage the data. There were 4 weeks of outliers that skewed the data set. If you include those, there is a weak relationship between the two of them, and it is negative (r = –0.12):

So on the one hand, I feel that removing the outliers results in an outcome that makes sense and fits the expectation. On the other hand, I feel bad about having to do some data-mining in order to return a result that I was expecting.

Box Of Meat: Graham Cluley's blog: Swine flu fears making millionaires out of Russian hackers

2009-11-16T22:16:50+00:00

Graham Cluley's blog: Swine flu fears making millionaires out of Russian hackers:

“Panic-induced stockpiling by individuals who aren’t officially classified as being at risk of contracting swine flu, and therefore anxious they won’t receive Tamiflu from the NHS, will not only line cybercriminals’ pockets with millions of pounds in cash but also grant them access to sensitive personal data to be used for other crimes.”

Enemieslist: new pats posted - 20091116 (maintenance pats release)

2009-11-16T19:44:35+00:00

45648 patterns, 11505 right anchor strings, 189271 test IPs.

Some more contribs and updates from a new feed. There were several minor
releases on 11/13. Working through a big set of outmx pats now, as well.

There is a new tech, 'borderware'.

Download them here:

sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors

postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20091116

exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20091116

Sophos Blog (Spam Category): Katya, My Queen-To-Be

2009-11-16T05:35:37+00:00

Do you think she’s hot? Her name’s Katya and she is my latest entry to my long list of “girlfriend-wannabe” / “potential one-night-stands”. If my mum were to find out about her, she will definitely give me a hard backhand on my head for letting such a great girl like Katya waiting.

Katya wrote me a really sweet email. However, I am appalled by her English. Let me share snippets of her declaration of love for me :)

1. The agency of acquaintances has a contact to other agencies of acquaintances in other countries and I have received yours e-mail, therefore now I write to you.

I must get hold of her agencies of acquaintances as they do have acquaintances who are pretty young things!

2. I very much like walks on fresh air, I very much love the nature.

She can walk on air! I’m impressed n_n

3. I like the sea and it is pleasant to float, in the summer I like to float and sunbathe.

Floating is easy. Dead people float too.

4. I trust in family and love, and I search for the person to the one whom I will give all heat of my heart and with that whom I will be always together,

I feel for you too girlfriend!

5. My person, clever also has strong spirit, he is kind and magnanimous and generous, he will be do something for me, and will know, that I will be do something for him.

Yup! I do fit her checklist :D

On that I will finish my blog entry. Katya, “if I have interested you then write to me.” :)

Sophos Blog (Spam Category): Malware, but only for a second in a day

2009-11-16T02:09:28+00:00

Malware authors and software-protectionists alike go to great lengths to obfuscate and contort their code in an attempt to hide or obscure its true nature [1,2]. The assumption being that it is difficult for human or machine to make sense of the code, extending analysis time and giving the bad guys a free run.

For the most part, such obfuscations (in particular JavaScript) are relatively easy to unravel because they are static transformations [3]. The more complex encrypted forms require some form of script emulator (or your browser of choice) and a skillfully inserted alert() instead of eval(), however a new form akin to the one-time-pad concept is now being deployed.

Script obfuscated and encrypted with contextual data

Such [quasi] one-time encryptors function by generating and encrypting the content on-demand while at the same time choosing a key which is a function of the download environment, such as the referer or the last modified time. When the script is rendered it has all the necessary information to correctly decode. However when that script is submitted by the customer for analysis, the environment has long been destroyed making the script nearly impossible to decode.

Thus examining the script on Friday 13th (13/11/2009) at 11:08:23 yields (poorly) decrypted content which does not render.

Script decoded with wrong key

yet behold, on (every) 47th second of the 7th day of each month the script correctly decodes revealing its secrets - here, deciding whether to serve a (quite likely malicious) PDF, or Flash element.

Correctly decoded given context

Static offline analysis of such scripts is easily thwarted, however any scanning engine which has access to the HTTP data stream should be able to cope since it has all the relevant contextual data required at the time of rendering.

Brute-forcing aside, the only real way to tackle this problem is to use “Just in time” detection (otherwise known as on-access), failing that, NoScript remains your best protection.

Spam Wars Dispatches: Using Insecurity Fears to Spread Insecurity

2009-11-15T19:49:49+00:00

As if on cue, one Bad Guy seems to be using very recent news of an unpatched Adobe Flash security flaw to help spread a backdoor Trojan. The campaign begins with a simple email message:

From: flashplayer@adobe.com
Subject: We've created a new version of the famous video Adobe Flash player !!
Hello
A new version of the Flash player for better quality is now available
for download click here

If you bother to inspect the URL in the real message (the one above is blank, and shows the URL of the page you're now reading), it might look sufficiently legitimate to some: http://adobe.us.to/adobe.html.

And if you then click on the link, you get one darned-good imitation of an Adobe web page:

How good is the imitation? Well, here's the real Flash Player download page:

The primary discrepancy, of course, is that the fake page insists on presenting a screen suggesting I'm using Internet Explorer for Windows, even though I accessed the page with Safari on a Mac. The real Adobe Flash Player download page recognized my operating system, and presented the appropriate download. Obviously, someone reaching the phony page on a Windows machine wouldn't see anything wrong.

Unlike the real Adobe page, the Bad Guy's page downloads a file called Flashplayer.exe, which is actually a backdoor Trojan of the Zapchast family. This particular instance is a fairly old one, and most antivirus products identify it for what it is (78% coverage at VirusTotal).

Ultimately, the joke is on the poor user who installs this Trojan. While he or she might believe he or she is heading off potential infection through Flash, in truth, he or she has just granted the Bad Guy an All Access Pass to the entire PC system and data, without ever going near Flash.

Silent Noise: hpHosts: "Crimeware friendly ISP's: Ecatel (AS29073)"

2009-11-15T18:29:36+00:00

A fresh posting today about Ecatel's crimeware friendly hosting:
http://hphosts.blogspot.com/2009/11/crimeware-friendly-isps-ecatel-as29073.html

There is probably a lot of people wondering why Ecatel is still up and running.
I've been wondering about it for a long time. (internal link).

Spamresource.com: Ask Al: What are filters checking?

2009-11-15T13:09:24+00:00

Jerry writes, "Al, a recent email from 'Get to the Point' quoted you as below. My question is this: What, exactly, are spam [content] filters picking up from a generic template that could reduce delivery? Thanks in advance for your reply."

It looks like I was quoted by MarketingProfs: Here's how it happens. "If that partner works with a whole bunch of people sending email," explains Al Iverson in a post at the Spam Resource blog, "[and] if that template is out all over town, then there's a pretty good chance that somebody has sent emails using that template to poorly permissioned lists, causing spamtrap hits, spam complaints, and so forth."

"Spam filters that use content fingerprinting, meanwhile, see the same message coming from your company and lump you in with the abusive senders."

Jerry, thanks for your question. Though, I think a point is being missed here. There is NOT a list I can give you saying "avoid this tag, or avoid this image," or whatever. No such list exists; and it's impossible to compile one.

The thing that these filters catch is commonality. If your content has different variables in common with other messages tagged as bad (for whatever reason), then your messages get tagged as bad, too. What does commonality mean? It can mean a whole bunch of things, and nobody publishes a list of the exact variables that are checked. It probably is all of the following things, and more:

Your from domain.
What domains you link to.
The domain where images are hosted.
What images you use.
What HTML template you use.
What unsubscribe footer you use.

The HTML/text/source/etc overall -- some systems perform message hashing, converting a message to a short numeric or alphanumeric string string of characters, based on the various characteristics of the message. Similar messages will have hashes that are similar or the same, making them easy to identify.

Box Of Meat: BBC News: Feeling grumpy 'is good for you'

2009-11-15T01:50:41+00:00

BBC News: Feeling grumpy 'is good for you'

Terry Zink: Where’s rustock?

2009-11-14T18:01:00+00:00

Win32/Rustock is a multi-component family of rootkit-enabled backdoor trojans, which were historically developed to aid in the distribution of spam e-mail. First discovered sometime in early 2006, Rustock has evolved to become a prevalent and pervasive threat. It is the largest spamming botnet that sends mail to our servers.

I decided to take a look at where its spamming IPs were located, geographically, for the date of November 12, 2009. Below is the chart:

In a surprising twist and departure from the norm, the United States is very under-represented in the above chart. South America is strongly over-represented. The top countries are below:

Rank	Country	Distinct IPs
1	Brazil	3274
2	India	2687
3	Columbia	1211
4	Poland	899
5	United States	836
6	Argentina	760
7	Czech Republic	745
8	Romania	731
9	Thailand	630
10	Israel	464
11	Spain	447
12	Italy	440
13	South Korea	419
14	South Africa	379
15	Great Britain	372
16	Germany	372
17	Turkey	368
18	Peru	363
19	Vietnam	361
20	Ukraine	332

Three of the top six countries are in South America. Only one is in Asia, and one is in Europe. This differs significantly from the total spamming IP distribution where the United States has 18% of the total IPs:

For this one day, South America’s representation has doubled compared to its global IP distribution for all spam, the United States is around 1/3, but Asia and Europe are about the same. For some odd reason, the United States seems to be more resistant to relaying spam from rustock than other countries. And for some reason, South America is more prone to relaying it. I’ll take some guesses in my next post as to why this is.

Spamnation: Hotmail Hijack #4

2009-11-14T15:20:03+00:00

We continue to get reports from users who have had their Hotmail accounts taken over by a particular Chinese 'fake-storefront' scammer. The compromised accounts are then used to send out email advertising the fake shopping sites set up by this scammer.

Initial reports of this problem came from Windows users. Since then, however, we've had reports from users of both MacOS and Linux that their Hotmail accounts have been compromised. This makes it very much less likely that the passwords are being stolen by some piece of malware, and more likely that some other mechanism is being used.

Sophos Blog (Spam Category): Alert! Conflicker detected! … or is it?

2009-11-14T03:12:06+00:00

Today we have spotted a batch of messages arriving in our spam systems titled “Conflicker.B Infection Alert”. The message goes like this:

Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

The fact that the so-called antispyware program comes attached with the email is a good indication that something is not looking right.

When the attached program was executed, it did not start a “free system scan” as claimed, but instead it simply moved itself into other folders in the system and have set up itself to be automatically started on windows startup.

Not surprisingly, the attached file is detected by Sophos as Mal/FakeAV-AX and the email message has also been blocked.

This is another example of social engineering tricks employed by malware authors to capitalize on fears of the user to entice them into running malicious software.

As always with dealing with emails, think twice before running what came with the attachment.

Enemieslist: new pats posted - 20091113 (maintenance pats release)

2009-11-13T20:00:45+00:00

45548 patterns, 11500 right anchor strings, 188710 test IPs.

Some more contribs and updates from a new feed. There were several minor
releases on 11/11 and 11/12. Working through a big set of outmx pats now.

There is a new tech, 'borderware'.

Download them here:

sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors

postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20091113

exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20091113

Terry Zink: FireEye knocks Mega-d offline

2009-11-13T19:13:18+00:00

From the Register:

A botnet that was once responsible for an estimated third of the world's spam has been knocked out of commission thanks to researchers from security firm FireEye.

After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. The channels were used to send new spamming instructions to the legions of zombie machines that make up the network.

Almost immediately, the spam stopped, according to M86 Security blog. Last year, the email security firm estimated the botnet was the leading source of spam until some of its servers were disabled.

…

The takedown effort is significant because it shows that a relatively small company can defeat a for-profit network that took extraordinary measures to ensure it remained operational. Not only did Ozdok reserve a long list of domain names as command and control channels, it also used hard-coded DNS servers. When all else failed, its software was able to dynamically generate new domain names on the fly.

I decided to check this using our own statistics. While I don’t know if Mega-D was at one time responsible for 1/3 of all spam (my stats only go back to late July 2009), it certainly isn’t one of the big ones today. Those slots are reserved for Rustock, Bagle-cb, Cutwail, and sometimes DarkMailer. However, Mega-d certainly does register (no pun intended) on our radar. Below are the stats:

You can see that Mega-d does have a sawtooth-like sending pattern, but we definitely saw a big drop in spam from that botnet that appears to be generating a bit of a recovery today (11/13/2009). Also note that the numbers on the y-axis are not necessarily representative of the full set of spam we see from Mega-d but the general trend is representative.

The good news in all of this is yes, a relatively small company can make an impact into a major spam operation. The bad news is that these takedowns tend to be short lived. Earlier this year, when a Latvian ISP was disconnected due to its abusive practices, it made only a small dent in global spam volumes, and this small dent vanished a few days later. The spam operation is becoming more resilient to disruptions in its service.

Box Of Meat: CAUCE North America: Email’s Not Dead, neither is Spam

2009-11-13T17:42:49+00:00

CAUCE North America: Email’s Not Dead, neither is Spam:

“…spam filters work. Well, duh. If they didn’t, we would all be seeing about 90 for every one spam that gets into the inbox. That doesn’t mean it is over, merely that we are not seeing the vast majority of the spam sent our way. The spam filtering-spam sending war is ever-escalating, and someone has to pay the piper for new technologies and filters.”

All Spammed Up: Why social networking spam reaps more rewards than email

2009-11-13T13:05:30+00:00

Black Hats are finding social networking sites attractive targets for mischief.

As social networks like Facebook, MySpace and Linked-in have gained popularity among Web surfers, they’ve also attracted the attention of the Internet underworld. That’s because the likelihood of infecting a computer with malware distributed through a SocNet is much better than conventional email methods. How much better? Some security experts reported earlier this year that infection success rates were as high as 10 percent for malicious code circulated through a social network. That’s 10 times the infections that could be expected from an email spam campaign.

As Black Hats have turned their attention to SocNets, they’ve begun experimenting with going beyond exploiting the sites for distribution of bad apps and using the webposts for activities such as issuing commands and controlling the operation of botnets.

Just last week, security researchers uncovered a Trojan, dubbed Whitewall, that could use Facebook to coordinate its nefarious deeds. The sinister software is circulated by exploiting known vulnerabilities in Adobe Acrobat and Microsoft Office files. The documents look legit. They may look like communications from courier companies or headlines from news media.

The malware targets the mobile version of Facebook. It receives its marching orders by reading the notes section of that program. If a note contains the title “Wells,” it will contain a timestamp for when a machine is infected. If it’s “WebServer,” the app will execute a URL contained in the note from which it will receive commands. If the title is “White,” the Trojan will follow a URL to a site from which it will download a pernicious payload. If any other words are in the title, the software will do nothing and wait for further instructions.

At this point, White Hats say, the Trojan hasn’t infected a significant number of computers. Its discovery, though, may be important because it may be a proof of concept for hackers mulling ways to use SocNets as command and control servers.

Social networks have also been exploited for more conventional cracker attacks. At the end of October, for instance, more than 350,000 spam mails flooded inboxes claiming to be from Facebook. It told its recipients that their Facebook password had been changed and instructed them to click on an attachment to obtain their new one. The attachment contained malware that turned its host into a zombie on a botnet.

The Facebook password con is just one example of how info highwaymen are leveraging the reputation of SocNets to spread their mischief. Not only are users more apt to engage in insecure behavior when they receive spam masquerading as email from one of their favorite social networks, but spam filters are less likely to scrap the correspondence before it reaches its target. For example, in a recent ethical phishing experiment, a charade purporting to be from LinkedIn evaded all the anti-spam filters it was tested against.

The message concocted by the researchers was a mock invitation from Bill Gates, of Microsoft fame, to join his network on LinkedIn. LinkedIn was chosen because it’s known and trusted among many professionals and as such, mail originating from it would be recognized by many corporate email systems. As is typical in this kind of scam, the link in the email leads the user to a site that mimics a legitimate LinkedIn page, but information collected in the forms at the site is sent to Black Hats. The campaign had a 100 percent success rate, with none of the malevolent mail being filtered out by the target system’s spam filters.

The simple solution to foiling cyberbandits milking the popularity of social networks for their own odious ends would be to shut down network access to such sites. That, however, may not only be an ineffective solution, but an insecure one as well. Younger workers expect to have access to their social networks from work. Failure to meet those expectations could affect a company’s ability to attract the kind of talent it needs to be competitive in its industry. Moreover, shutting down access to SocNets will only drive usage underground where it will open up potential security breaches in a corporate network. A better solution would be to allow access to social networks but carefully monitor and regulate their use, as well as educating employees about “best practices” when using SocNets in the workplace.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Why social networking spam reaps more rewards than email

Sophos Blog (Spam Category): Famous chip shop website battered by malicious Iframe injection

2009-11-13T10:32:14+00:00

Before everybody peruses the ‘net in search of their fish supper this cold and wet Friday night.* Stop!!

Do you have adequate protection?

For your Internet browsing?

Earlier this week SophosLabs spotted that the famous chip shop brand Harry Ramsden’s website had been haked by a malicious iframe. I codn’t believe it when I saw that the mootools.js script on the site is infected with Troj/Iframe-DF meaning that the website isn’t the plaice to visit.

The injected code is all mushed up though so the malicious script may be floundering.

The obfuscated iframe points to a haked site in Germany that when you go there redirects you to a fake Google site registered in the EU. Which triggers Troj/ObfJS-R.

I don’t want to carp on about the responsibilities of Web masters and Web hosters but they really have to protect their sites as well as tuna them up.

All this talk of fish’n'chips has made me hungry for a chip butty.

*Apologies for the puntastic tabloid style of this post but it is Friday :)

Enemieslist: Links Roundup

2009-11-12T16:21:29+00:00

Box Of Meat: MediaPost: Email's Antisocial Sin

2009-11-12T16:03:05+00:00

MediaPost: Email's Antisocial Sin:

‘Seeing “no-reply@” in the “from” address…telegraphs that the email is a one-way street. …29% of consumers want the ability to write back to marketers who send them email. …If marketers were listening via email, would consumers feel the need to post complaints on Facebook or Twitter?’

Sophos Blog (Spam Category): Handing over your password is just an app away

2009-11-12T15:23:47+00:00

I was checking my personal Twitter feed today and saw friends posting how long they’ve been tweeting along with a link. The tweet looked something like this:

“Tweeting for # years, # months, # weeks, # day, # hours, # minutes # seconds (MM DD, YYYY) How about you? <link>

Being curious, I decided to investigate the link.

The first thing it does is ask for your screen name and shows a bunch of ads of “How to get more Twitter followers”. Ok, not the best ads, but moving on. You enter the screen name, then hit go. It looks up the name and gives an accurate date, but then it offers to tweet it for you. So you enter in your username and password. Wait a minute. That would be handing over your password to an unknown entity.

I did some initial investigation of the url. It’s only been around two months and is hosted with a fairly dodgy source, a proxy hosting service. This is a private hosting so you can’t see any info on the person/business who actually own the site. Hmmm. Usually, legit sites don’t mind having that info available. I also notice it doesn’t use the OAuth verification that many Twitter sites use to mean they are trying to be legit. Again, seems suspicious.

But how many people have willingly sacrificed their passwords by using such seemingly benign tools or links or applications? They seem totally harmless, don’t they? Like I posted in my previous blog post here there’s great value to malware authors to get that info. Now I’m not necessarily condemning this particular tool, this one may be totally innocent, but I feel compelled to warn people to not just blithely hand over their passwords. PLEASE think about what you are doing, even if it seems like it’s harmless fun.

All Spammed Up: Researchers Knock Mega-D Botnet Offline

2009-11-12T11:29:43+00:00

Researchers have successfully knocked a major botnet offline. The Mega-D botnet was shut down by a team at FireEye. The researchers attacked the botnet by registering some domains meant for the botnet’s command and control servers and shutting down others. As a result it stopped sending spam immediately.

The attack began with abuse complaints being sent to the ISPs where Mega-D was being hosted. Nearly all the complaints were successful. Then the researchers began working with domain registrars to shut down the primary domains of the CnC channels, registered domains on Mega-D’s CnC list and registered some of the not yet generated ones (the botnet is programmed to generate new domains based on the date and time to back up its own list) for a total of three days to further cripple the botnet.

In the process of crippling the botnet, FireEye gained CnC control, which it used to help the owners of the zombie computers in it regain control of their PCs.

While Mega-D has for now completely stopped sending spam, researchers say it is only a matter of time before it comes back to life. To keep the botnet offline for good they’d have to keep registering future domains to stay ahead of it. This is still very good news. Mega-D is one of the largest botnets on the net and is responsible for pumping out billions of spam messages, most hawking fake supplements, shady internet pharmacies, and male enhancement products. FireEye’s experiment has proven that maybe, just maybe, bot herders aren’t quite as smart as they think they are.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Researchers Knock Mega-D Botnet Offline

Enemieslist: new pats posted - 20091111 (maintenance pats release)

2009-11-12T02:38:27+00:00

45381 patterns, 11500 right anchor strings, 188321 test IPs.

Some more contribs and updates from a new feed. There were several minor
releases on 11/10.

There is a new tech, 'borderware'.

Download them here:

sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors

postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20091111

exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20091111

Justin Mason: Met iPhone

2009-11-11T23:46:46+00:00

Irish iPhone users — you may find this useful. I’ve written a web scraper which takes a couple of the more useful pages on Met Eireann’s website — the regional forecast and the rainfall radar page — and reformats them in an iPhone-optimised style. Enjoy:

(updated: supports all the provincial forecasts now)

Terry Zink: Are pirated versions of software more susceptible to malware? Updated!

2009-11-11T21:09:00+00:00

One of the pieces of conventional wisdom that goes through my head is that if you install pirated versions of software, then your computer is more likely to be infected with malware. It makes sense; in order for spammers/malware authors to take control machine, they offer users cheap software. Yet this cheap software comes with a heavy price tag – you relinquish control of it to the whims and fancy of the spammer or malware writer to do nefarious things like spam, host phishing pages, host fast flux, serve as a command-and-control center, and so forth. Furthermore, individuals with pirated software are also much less likely to download security updates and therefore remain exposed and vulnerable for longer periods of time and, therefore, more prone to malware infection.

That’s the theory. But is it true?

To test this, I compared the data in the Microsoft Security and Intelligence Report and the Business Software Alliance Piracy Study. I used Microsoft’s metric of CCM, Computers Cleaned per thousand executions of the Malicious Software Removal Tool. I extracted the countries in common between the two reports and ran two correlation studies, one for 1H 2009 compared to the 2008 piracy rate, and another for 2H 2008 compared to the 2008 piracy rate.

Below are the top 10 countries for CCM in 1H 2009 and the change from 2H 2008 (green is good and represents a decrease, red is bad and represents and increase):

I have removed Serbia and Montenegro as it represented an outlier. Note that 4 of the top 6 countries (Turkey, Spain, Saudi Arabia and Taiwan) have all had substantial increases of malware infection (and removal) compared to the previous six months of the year. Below is a table of rates of piracy for the top ten countries:

For interest’s sake, here are the best countries with the lowest rates of piracy:

You can see that the US has the lowest rate of piracy which surprises me a little bit given that so much spam comes out of the US. Next, to determine if there is any relationship between the two of them, I calculated the statistical correlation between the two and plotted a scatter plot. I did this comparing the 1H 2009 CCM to the rate of 2008 software piracy, and then the 2H 2008 CCM to the rate of 2008 software piracy. Below are the results:

In 1H 2009, 0.8% of the variance of the rate of piracy is associated with the CCM, and in 2H 2008, 1.1% of the variance of the rate of piracy is associated with the CCM. In other words, there is no statistically significant relationship between the national rate of software piracy and the national rate of malware detection.*

* Update!

But is this really the best way to compare whether or not pirated software is more susceptible to malware? All I did was take the malware clean rate (CCM) and the country’s software piracy rate and compare them. But this study does not account for the following:

In this calculation, pirated software is mixed in with legitimate software, lumps it together and then compares it to the CCM. But this cannot differentiate between the two of them. It could be that pirated software contains many more malware infections than legitimate software and by mixing the two pieces of data together, the statistical relationship will show no correlation. In other words, they could be cancelling each other out.

What would have to be checked is a pulling of the data that contains the CCM for legitimate software vs the CCM for pirated software, both within the country and then across countries. That would be a much more accurate comparison.
This study of mine does not account for relationship that update frequency has on rates of malware infection. Does pirated software update less frequently? Or run fewer instances of the Malicious Software Removal Tool? If so, then it should have a higher rate of malware infection. The data in the SIR does have some data points surrounding the rate of update frequency. This should be accounted for in the malware/piracy study, and it is something that I did not include.

Therefore, I am retracting my earlier statement that there is no statistically significant relationship between the rate of software piracy and the rate of malware infection/detection. My earlier methodology is incomplete and right now I do not have enough of a complete data set to measure this with statistical certainty. The non-correlation is spurious.

The experiment I used above, while a good start, does not go far enough and account for enough of the variables that could have an impact on the conclusions.

Box Of Meat: Doc Searls: Beyond Social Media

2009-11-11T18:03:18+00:00

Doc Searls: Beyond Social Media:

‘Missing in action is credit to what goes below private platforms like Twitter, MySpace and Facebook — namely the Net, the Web, and the growing portfolio of standards that comprise the deep infrastructure, the geology, that makes social media (and everything else they support) possible.’

Box Of Meat: danieltenner.com: What problems does Google Wave solve?

2009-11-11T17:03:11+00:00

danieltenner.com: What problems does Google Wave solve?:

“…nobody seems to get what Wave is for. So they compare it to social media. …this is partly Google’s fault: they released Wave to geeks and hackers and social media folks first. But Wave is not a geek/hacker tool, or a social media tool, it’s a corporate tool….”