Planet Antispam

Justin Mason: links for 2008-07-04

2008-07-04T23:32:35+00:00

WIX

‘a new text markup format. Its syntax is a blend of Donald Knuth’s TEX and various wiki markup.’ has a formal grammar, rather than an ad-hoc parser (guilty). quite nice, although would have been better if it didn’t reinvent so many wheels (via adulau)

(tags: via:adulau wix markup text html ettext markdown)
Giles Bowkett: “Don’t Be Evil” Was Always Doomed

[the Viacom/Youtube privacy disaster demonstrates] ‘what’s wrong with trusting corporations with your data: if the corporation says “I’m not going to be evil,” and the government says “oh yes you are,” it’s pretty much _the end of the conversation_.’

(tags: giles-bowkett true quotes dont-be-evil privacy google youtube viacom)

Spamnation: There's life in the old worm yet

2008-07-04T16:56:25+00:00

Lately, a malware newcomer has been getting all the attention, with claims that Srizbi may have assembled the world's largest botnet. However, the Storm worm is still out there, and predictions of Independence Day spam sent by the Storm worm have proven correct.

Spam Wars Dispatches: July 4th. Storm. Duh.

2008-07-04T00:26:46+00:00

As night follows day, the Storm guys are doing their thing for the U.S. Independence Day holiday, July 4th:

Subject: Celebrations have already begun

The email message is a simple sentence, such as "Happy Fourth of July" followed by a numeric IP address. The destination page is the same format as the phony Beijing earthquake malware lure:

Content is a false video player image, which is a link to download fireworks.exe, a malware load that VirusTotal shows identification by 15 of 33 antivirus systems. But the page also includes the same hidden iframe element and ind.php program described in Love Hurts Even More. Check the scripting analysis document linked from that post to learn more about this multiple-exploit drive-by attack.

Don't let this M-80 explode inside your PC.

UPDATE (4 July 2008): Just saw this subject line variant: "Stars and Strips forever." Ooh, so close. Sounds more like an ad for a Las Vegas adult revue.

Justin Mason: links for 2008-07-03

2008-07-03T23:37:04+00:00

Identi.ca

alt microblogging platform with a few key wins over Twitter & Jaiku: stability (so far!), open, decentralized, and Affero-licensed OSS. I’m “jm” on it, but not writing there — yet. but looking forward to an API so I can add it to twit.ie

(tags: identica twitter microblogging blogging tweets twit.ie open-source web decentralization xmpp)
politics in the Twitter camp around the Public Timeline XMPP feed

some third-party app developers get access to it, some don’t. one dev says: ‘It’s frustrating to just get locked out after spending so much time making stuff for Twitter users’

(tags: twitter politics ugh xmpp tweets microblogging biz)
Apache Hadoop Wins Terabyte Sort Benchmark

910-node cluster sorting 1TB of data in 209 seconds, using Hadoop and HDFS. I wish we had a Hadoop cluster to do SpamAssassin mass-checks on ;)

(tags: hadoop hdfs map-reduce number-crunching clusters)
Beanstalkd

‘a fast, distributed, in-memory workqueue service’, written in C with libevent, lots of client libs for different languages. Nice lifecycle model. The queues are not persistent yet, though, unfortunately

(tags: beanstalk queueing queues ipc libevent)

Sophos Blog (Spam Category): From Dorf: Happy 4th of July

2008-07-03T23:12:00+00:00

Independence day has always been a big event for our neighbors south of the border. For the Dorf (Storm) authors, this is no exception. After staying dormant for a day, the Dorf botnet launched the latest campaign at 13:00 PST. This time, they are using Independence day fireworks video as the lure. Here’s a partial list [...]

Enemieslist: Belated Links Roundup

2008-07-03T22:25:55+00:00

Enemieslist: new pats posted - 20080703 (maintenance pats release)

2008-07-03T21:44:46+00:00

31406 patterns, 11870 right anchor strings, 108840 test IPs.

A few from the overnight and another correction from Chris "Eagle
Eye" Candreva :)

Was asked to start tracking couplets (pattern class and tech, taken
together as a sort of meta-identifier); there are no new couplets in
this release.

Note that from 20080304 on, we will be including patterns for the
'outmx' tech type again, these should be understood as known legitimate
mail server naming conventions for their domain and you may wish to
exclude them from your use of the distro.

I've made sure to exclude outmx and webhost regexes from the exim and
postfix flat file distributions, so we should be safe there.

Those using the DNSBL interface will note that a return value of
127.0.2.11 now denotes an 'outmx'. This should not affect users of
the sendmail package, as I've not integrated support for scoring on
that basis into the package. Users of other DNSBL-aware tools should
modify their software, as we'll be adding a lot more of these in the
coming weeks.

Download them here:

sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors

postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20080703

exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20080703

MailChannels Anti-Spam Blog: Spam in the Cloud

2008-07-03T19:28:00+00:00

Last year I wrote a blog post titled Spammers in Space, describing how webmail spam from Africa often uses satellite internet connectivity. Well, now it seems that Spammers are in the clouds!

Cloud computing is becoming increasingly popular as it allows a business to quickly and cost-effectively deploy additional servers based on demand. Third party providers own huge server farms and share the hardware among users. For new Web 2.0 startups it's an ideal way to effectively rent a server on an hourly basis rather than paying the outright hardware costs. It is an excellent service and we use it to bring up a huge number of machines for short durations of load testing.

However, the model is open to abuse as a new IP address, owned by the cloud computing provider, is typically allocated with a new instance of a server is created. It's been speculated for quite a while that this could be used to send spam but now it's actually happening. The Washington Post covered the use of cloud Services to send malware. Our Technical Advisor, Justin Mason recently blogged about the issue and the story appeared on Slashdot with the comment:

"EC2 space is now actively blocked by Outblaze, and has been listed by Spamhaus in their PBL list [...] However as Seth Breidbart noted in the comments, 'note that Amazon will terminate the instance. That means that the spammer just creates another instance, which gets a new IP address, and continues spamming.' True enough -- as described, instance termination simply isn't good enough."

So what does this mean? Given that the current Anti-Spam Policy enforcement in cloud services appears to revolve around terminating the instance rather than the account it's very open to spam abuse. The Anti-Spam community need to protect their customers so are forced to list the IP space on blocklists. For example, Spamhaus has marked the EC2 address space in it's PBL - Policy Blocklist which is widely used to block e-mail from dynamic IP space. Any Web 2.0 companies using cloud computing will need to realize that there's a high probability that e-mails generated directly from the cloud to the recipients MTA could be rejected as spam.

The Internet Patrol: The “Receipt for Your Payment to” eBay Paypal Phishing Spam

2008-07-03T17:12:34+00:00

There has been a new rash of phishing spam which is intended to elicit a shock response causing the target to rush to log into their Paypal account to figure out why they are being charged hundreds to thousands of dollars for an eBay purchase which they know that they ...

Sophos Blog (Spam Category): Malicious MySpace Tom!

2008-07-03T14:36:09+00:00

Everyone who’s ever had a MySpace account knows Tom. Tom is everyone’s friend, like it or not. So getting an email telling you Tom has sent you a message is a perfectly plausible notification for any MySpace user. If you look carefully at the following email we saw in our spam queues this afternoon though, [...]

Enemieslist: new pats posted - 20080702 (maintenance pats release)

2008-07-03T02:30:57+00:00

31401 patterns, 11870 right anchor strings, 108839 test IPs.

Contribs from the past few days, plus a few corrections from CXC and
a licensee. Basically caught up from the move. So, whee!

Was asked to start tracking couplets (pattern class and tech, taken
together as a sort of meta-identifier); there are no new couplets in
this release.

I've made sure to exclude outmx and webhost regexes from the exim and
postfix flat file distributions, so we should be safe there.

Download them here:

sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors

postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20080702

exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20080702

Justin Mason: links for 2008-07-02

2008-07-02T23:34:56+00:00

ratproxy - Google Code

‘a semi-automated, largely passive web application security audit tool. .. detection and annotation of potential problems based on the observation of existing, user-initiated traffic in complex web 2.0 environments’, by lcamtuf

(tags: proxies web security xss csrf lcamtuf google)
Spammers using Bebo.com as spam hosting

Bebo need to do some anti-abuse work

(tags: via:websense spam bebo social-networking)

Box Of Meat: Slate: What's "Port 25," and what does it have to do with e-mail spam?

2008-07-02T20:40:44+00:00

Slate: What's "Port 25," and what does it have to do with e-mail spam?

Box Of Meat: Seth's Blog: The statesman, the lawyer and the marketer

2008-07-02T19:46:03+00:00

Seth's Blog: The statesman, the lawyer and the marketer:

Is a marketer’s job always to promote their product, no matter how much damage it does to society?

“This attitude leads to spam (hey, it’s not against the law and it helps my client) and to dicey product claims and to awful side effects like obesity, shoddy products and massive debt. If your job is to represent a product and ensure its short-term sales, that’s exactly what you’re sworn to do.

…What happens when marketers stop arguing on behalf of their corporate or organizational client and start arguing on behalf of the customer instead? What happens when marketers become statesmen?”

Ed Falk: Judge rejects Linhardt's request to be dismissed from Comcast lawsuit

2008-07-02T20:40:43+00:00

When a judge's ruling starts with "I have before me a largely misguided motion...", you know it's a bad day for whoever filed it.

In January, E360 filed a lawsuit against Comcast in the hopes that they could force Comcast to accept E360's spam. E360 lost that suit.

In March, Comcast counter-sued E360 and its owner Dave Linhardt for spamming. This suit is still ongoing.

In April, E360 filed a motion to dismiss, asking among other things, that Linhardt be dismissed from the suit under the theory that he was only doing his job as officer of the corporation, and only the corporation should be held liable.

Today, Judge Zagel ruled against E360 on almost every single point. Most significantly, Linhardt will remain part of the lawsuit:

This leaves the final point, which seeks dismissal of the only natural person among the Counter-Defendants, Linhardt. What is offered to support his dismissal from the claims is the rule which protects corporate officers from personal liability for misdeeds of the corporation. However, this rule does not cover corporate officers who are alleged to direct and control the corporation. It is difficult to seek shelter in this rule when one is alleged to be the whole owner and controller of the all the corporations involved, as is the case here. And there are allegations of specific actions by Linhardt which would establish his liability, i.e., that he deliberately lied to Comcast when he orally stated that all intended e-mail recipients have opted in to receive the emails and that he ordered the abuse of process.

The only piece of the lawsuit the judge was willing to dismiss was Comcast's "unjust enrichment" claim which E360 asked to have dismissed and which Comcast didn't even bother to argue. The judge has dismissed this claim, but mentioned — practically invited — that Comcast was free to re-plead this count after discovery.

Also of interest is the Judge's reference to Linhardt's habit of repeatedly dropping and re-filing lawsuits. This is a judge who knows E360 for what they are and won't be letting them get away with any bullshit.

If only Susan Gunn and David Ritz had had judges with this much clue. But then, Comcast is very rich and Gunn and Ritz are not, and in the legal system, you get what you pay for.

(Speaking of which, I would like to take this opportunity to mention that David's legal battles are not over yet, and you can donate to his defense fund here.)

Spam Wars Dispatches: Love Hurts Even More

2008-07-02T17:23:00+00:00

Back in May, my blog entry Love Hurts told the quick story of a Storm-like email message that tried to lure victims to a site that automatically downloaded an executable Windows program. A month later, a new wave of such messages started flowing, but the destination at the end of the email links is far more insidious.

As before, the range of message Subject: lines, while all in a romantic vein, are all over the place. Here is a sampling of ones I've seen:

Can't stay away from you

Lucky to have you

My heart belongs to you

I want to be with you

I Wanna Be With You

Crazy in love with you

Lost In Love

For you...Sweetheart!

You make my world beautiful

My heart beats just for you

I'll Still Love You More

Love me tender, love me true

Ugh. I'm getting that bad taste one gets from having eaten one-too-many of those chalky candy hearts with ooey-gooey phrases on them. "I Wuv You."

Message bodies are a continuation of the one-sentence theme employed by not only a lot of recent malware lures, but recent medz and knockoff brand-name goods spammers who use the same address lists. I'd repeat some of the message bodies here, but reciting too many lines in the spirit of "Missing you with every breath" will make me vomit.

What these messages want you to do is visit the URLs at the end of the sickly sweet lines. Some email clients turn anything they recognize as a URL into a clickable link, unfortunately making it easier to go in search of your untrue love. The URLs are to a bunch of plain-language .com domain names, such as makinglovedirect.com (now suspended the last time I checked).

Visiting any of those sites with an unpatched Internet Explorer could land you in a world of hurt. If you ever see the following page, it could be too late for you:

No, I really wasn't the lucky 10,000th visitor. Everyone is the lucky 10,000th visitor. Just as I've written that the assertion "this is not spam" means that it's spam, the assertion that "this is not a joke" means that it's a joke.

Although two downloads require clicking on either the image or "click here" link, there is an unseen iframe element that automatically targets numerous vulnerabilities. The malware distributor uses obfuscated JavaScript to make the initial delivery. Because I've been a JavaScript nut since before Day One, I spent some time deconstructing the delivery mechanism of this iframe. Rather than bore non-scripting blog readers with the gory details, I've created a separate document that shows my findings. You can download the 374KB PDF file here (Creative Commons licensed).

Almost all of us want to be wanted and loved. Malware distributors exploit that desire by making us believe we have secret admirers and might even get lucky with the right connection. With this malware campaign, you won't get laid, but you might well be screwed.

Box Of Meat: Comments

2008-07-02T16:00:00+00:00

I’m working with the staff at Intense Debate to get their blog comment system integrated into Box of Meat. Right now, the “Comments” link doesn’t work — but that’s a known problem, and once it’s fixed I’ll delete this posting. Whee.

— your non-anonoymous pal J.D.

Justin Mason: Amazon EC2’s spam and malware problems

2008-07-02T15:20:07+00:00

Over the past few weeks, I’ve increasingly heard of spam and abuse problems originating in Amazon EC2.

This has culminated in a blog post yesterday by Brian Krebs at the Washington Post:

It took me by surprise this weekend to discover that that mounds of porn spam and junk e-mail laced with computer viruses are actively being blasted from digital real estate leased to [Amazon].

He goes on to discuss how EC2 space is now actively blocked by Outblaze, and has been listed by Spamhaus in their PBL list. A spokesperson for Amazon said:

“We have a clear acceptable use policy and whenever we have received a complaint of spam or malware coming through Amazon EC2, we have moved swiftly to strictly enforce the use policy by network isolating (or even terminating) any offending instances,” Kinton said. She added that Amazon has since taken action against the EC2 systems hosting the [malware].

However as Seth Breidbart noted in the comments, ‘note that Amazon will terminate the instance. That means that the spammer just creates another instance, which gets a new IP address, and continues spamming.’ True enough – as described, instance termination simply isn’t good enough.

My recommendations:

as John Levine noted, it’s likely that Amazon need to treat EC2-originated traffic similarly to how an ISP treats their DSL pools – filtering outbound traffic for nastiness, in particular rate-limiting port 25/tcp connections on a per-customer basis, so that an instance run by (or infiltrated by) a spammer cannot produce massive quantities of spam before it is detected and cut off.

However, I’m not talking about blocking port 25/tcp outbound entirely. That’s not appropriate — an EC2 instance is analogous to a leased colo box in a server farm, and not being able to send mail from our instances would really suck for EC2 users (like myself and my employers).
It would help if there were a way to look up customer IDs from the IP address of the EC2 nodes they’re using — either via WHOIS or through rDNS. Even an opaque customer ID string would allow anti-abuse teams to correlate a single customer’s activity as they cycle through EC2 instances. This would allow those teams to deal with the reputation of Amazon’s customers, instead of Amazon’s own rep, analogous to how “traditional” hosters use SWIP to publicize their reassignments of IPs between their customers.

There’s some more discussion buried in a load of knee-jerking on the NANOG thread. Here’s a few good snippets:

Jon Lewis: ‘I got the impression the only thing Amazon considers abuse is use of their servers and not paying the bill. If you’re a paying customer, you can do whatever you like.’ (ouch.)

Ken Simpson: ‘IMHO, Amazon will eventually be forced to bifurcate their EC2 IP space into a section that is for “newbies” and a section for established customers. The newbie space will be widely black-listed, but will also have a lower rate of abuse complaint enforcement. The only scalable way to deal with a system like EC2 is to provide clear demarcations of where the crap is likely to originate from.’

Bill Herrin: ‘From an address-reputation perspective EC2 is no different than, say, China. Connections from China start life much closer to my filtering threshold that connections from Europe because a far lower percentage of the connections from China are legitimate. EC2 will get the same treatment.’

There’s also an earlier thread here.

Anyway, this issue is on fire — Amazon need to get the finger out and deal with it quickly and effectively, before EC2 does start to run into widespread blocks. I’m already planning migration of our mail-sending components off of EC2; we’re already seeing blocks of mail sent from it, and it’s looking likely that these will increase. :(

(It’s worth noting that a block of EC2’s netblocks today will produce a load of false positives, mainly on transactional mail, if you’re contemplating it. So I wouldn’t recommend it. But a lot of sites are willing to accept a few FPs, it seems.)

Justin Mason: Hack: twitter_no_popups.user.js

2008-07-02T09:16:06+00:00

Twitter has this nasty habit — if you come across a tweet in your feed reader containing a URL, and you want to follow that link, you can’t, because Twitter doesn’t auto-link URLs in its RSS feeds. Instead, you have to click on the feed item, itself, wait for that to open in the browser, then click on the link in the new browser tab. That link will, in turn, open in another new tab.

Here’s a quick-hack Greasemonkey user script to inhibit this second new-tab:

twitter_no_popups.user.js

Justin Mason: links for 2008-07-01

2008-07-01T23:34:43+00:00

Amazon EC2 nodes being used to distribute malware?

Amazon really need to sort out some effective anti-abuse policies for EC2 soon, before things go pear-shaped

(tags: amazon ec2 abuse spam viruses malware hosting)
chownat - NAT to NAT communication

awesome; NAT-tunneling without any prior config, even if both ends are behind NAT. written by the author of the MySpace worm, Samy Kamkar

(tags: samy-kamkar chownat tunnelling nat firewalls security tcp tunnels connections networking)
Commtouch implement BATV

interesting, I would have thought they’d be in a good position to just do something like what the SpamAssassin vbounce ruleset does

(tags: rules batv bounces ndr vbounce commtouch anti-spam)
Brian Krebs article on EC2’s spam problems

oh dear. they _really_ need to get proactive on this before the shit really hits the fan, this is not going well

(tags: ec2 amazon aws abuse spam malware hosting brian-krebs)

Box Of Meat: Intellectual Intercourse: ESPC: Simplicity is so complicated

2008-07-01T22:58:29+00:00

Intellectual Intercourse: ESPC: Simplicity is so complicated:

Trevor Hughes of the ESPC is earning his lobbying paycheck by insisting that the new CAN-SPAM rules are bad because they make it too easy to unsubscribe.

It’s a shame there’s no money in lobbying for the recipient.

Justin Mason: How To Eat a Mangosteen

2008-07-01T20:31:59+00:00

‘You’ll know what my riddle means
When you’ve eaten mangosteens.’
– The Crab That Played with the Sea, by Rudyard Kipling

When I travelled through Thailand, I got rightly hooked on the delicious mangosteen, traditionally dubbed the “Queen of Fruit” by the Thais. I’ve been keeping an eye out ever since, through our travels to the US and back, without any luck. (In particular, they’ve been blocked by US customs for a long time, although reportedly this is changing nowadays.)

Finally, last year, they appeared in our local Tesco supermarket here in Ireland — or at least, an empty box appeared, sans fruit! That was it, though, until a couple of weeks ago, when my friend Bob was lucky enough to come across a few, and grabbed 4 for me. (Thanks Bob!)

It appears they’re in season around the start of June, which is when they make it to Tesco’s. Naturally, they’re much more expensive here — Tesco were selling them for about EUR 1.20 each, whereas a bag of 30 were about 50 cents when we used to buy them at the street-side in Ko Chang. But that’s to be expected, really.

Since they’re tricky enough to get hold of, I thought I should document exactly what to do with them once you get ‘em ;)

They start off looking like this, roughly tomato-sized fruit with a thick, papery rind:

Get your thumbnail into the rind, not too deep though!, and tear it off like so:

Look at the rind’s great colour! Watch out for it, though, as it stains clothing easily. Discard the rind, and pluck out the fleshy, juicy white segments:

(Pay no attention to their resemblance to testicles. ;)

Finally you’ll wind up with 6 or so seedless segments, and 1 or 2 seed-bearing segments, larger than the others, containing a large inedible seed along with a fair bit of flesh:

Eat ‘em and enjoy the flavour — it’s a bit like a tart, vanilla-y peach, but juicier, creamier and much smoother in texture. Mmmm, truly delicious. I’m looking forward to picking up some more soon!

I considered planting the seeds, but unfortunately, you can forget about growing a tree in your back yard; the mangosteen tree requires a tropical climate:

‘The mangosteen is ultra-tropical. It cannot tolerate temperatures below 40º F (4.44º C), nor above 100º F (37.78º C). Nursery seedlings are killed at 45º F (7.22º C).’

Ah well. Seems I’ll be at Tesco’s mercy for more.

Box Of Meat: Washington Post Security Fix: Amazon: Hey Spammers, Get Off My Cloud!

2008-07-01T18:06:41+00:00

Washington Post Security Fix: Amazon: Hey Spammers, Get Off My Cloud!:

Amazon’s EC2 is a new favorite with spammers, who enjoy the computing power and anonymity.

Question: why is Amazon allowing outbound SMTP connections from the cloud in the first place?

Box Of Meat: Washington Post Security Fix: Forty Percent of Web Users Surf With Unsafe Browsers

2008-07-01T16:43:06+00:00

Washington Post Security Fix: Forty Percent of Web Users Surf With Unsafe Browsers: “…researchers from Google, IBM and the Communication Systems Group in Switzerland…found that of the 1.4 billion Internet users worldwide at the end of March 2008, 576 million surfed with outdated versions of Web browsers.”

Sophos Blog (Spam Category): Critical Microsoft update via Amazon EC2?

2008-07-01T00:15:32+00:00

This past weekend a fairly typical malware campaign started to arrive on our global network of spam traps, using the common technique of disguising itself as an “Important Windows Update”. Its characteristics are mostly what you would expect from spammed out malware: Varying subject lines: Varying, forged “From” addresses: Advises the reader to “Update” via a link in [...]

Justin Mason: links for 2008-06-30

2008-06-30T23:39:37+00:00

How to test if your TCP connections are being reset by ISP filter RST packets

a good guide to using Wireshark to diagnose this, as used by Audible Magic and Sandvine

(tags: sandvine audible-magic filtering isps network-neutrality wireshark ethereal comcast)
/. post on beating Comcast’s P2P filters using RST-blocking

in other words, Comcast’s Sandvine appliances use the same technique as Audible Magic. Wonder if this works; I was under the impression that one would have to block RSTs on both ends of the connection, and many commenters agree

(tags: comcast filtering isps sandvine audible-magic network-neutrality)
Detecting SSH tunnels

using a Bayes classifier trained on intra-packet intervals and packet length. nifty! (via /.)

(tags: via:slashdot bayes classifiers ssh tunnels vpn networking security crypto papers)

Terry Zink: The problem of backscatter, part 3 - Legitimate bounces

2008-06-30T23:02:00+00:00

When a mail server accepts a message and later decides that it can't deliver the message, it is required to send back a bounce email to the sender of the original message. There are a few kinds of bounce notifications that a mail server can send:

Recipient does not exist
Recipient's email inbox is full
Your mail server is on an IP blocklist and therefore their mail server is rejecting your mail
Out of office notifications (not technically an NDR but close enough)

I'm sure that there are more but that's all I can think of at the moment. Anyhow, for the first one, let's say you send a message and the recipient you are sending to does not exist; the recipient mail server let's you know by sending you a message back indicating as much.

Some recipient mail servers are nice about this and they attach the original message to their email. For example, the message you get back might look something like this:

Date: Fri, 27 Jun 2008 06:56:00 +0000 (UTC)
From: MAILER-DAEMON (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: Me
Reporting-MTA: dns; mail111-va3-R.bigfish.com
X-Postfix-Queue-ID: CCCDA18680DA
X-Postfix-Sender: rfc822; tzink@frontbridge.com
Arrival-Date: Fri, 27 Jun 2008 06:55:54 +0000 (UTC)

Final-Recipient: rfc822; tzink@microsoft.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host
    winse-6216-mail4.customer.frontbridge.com[231.10.215.112] said: 550 5.7.1
    Email rejected because recipient johnny@fairplay.exaple.com does not exist.
    (in reply to end of DATA command)

Subject: This is a test
From: Guy Incognito
Date: Thu, 26 Jun 2008 23:55:49 -0700
To: Johnny Fairplay <johnny@fairplay.exaple.com>

This is a test to see if I get can generate an NDR.

The above part contains the reason the message was bounced back to you and the bottom part is the original message (usually sent as an attachment but sometimes sent inline). Note the key characteristics of the NDR message:

The message that arrives in your inbox is From: something that you wouldn't initially recognize like the MAILER-DAEMON, or Mail Delivery System, or something similar. Of course, by "you" I mean the average person, not sysadmins or spam fighters.
The Subject: line of the message in your inbox contains the notification that your mail could not be delivered (in this Undelivered Mail Returned To Sender)
The reason that your message could not be delivered is in the bounce message.
Your original message is in the bounce message; usually it is attached but sometimes it is sent inline.

Here's where things get interesting. There is no set format about how NDRs should be structure. The From: address says Mail Delivery System, but it could say Mailer System, Recipient Mailer, or some other type of message that doesn't even contain the word mail.

The Subject: line could say Undelivered Mail, Undeliverable Mail, Your Message could not be Delivered, Delivery Status Notification, 550 Status Notice, etc. The messages are usually in a foreign language if we are Europe. In other words, this subject line could contain a variety of messages.

The reason for the bounce, like the two cases above, could be phrased in a variety of ways, in a variety of languages.

Finally, the bounce message is usually included, but not always. It could be sent inline, it could be an attachment, or it could be truncated (ie, a partial message).

The SMTP MAIL FROM is usually a null sender, that is, the SMTP MAIL FROM is <>. This is legal within the SMTP protocol. Usually an NDR sends mail as a null sender, but not always; sometimes they are <bounce@...> or <postmaster@...> or something similar. To make matters worse, others use null senders for non-NDR messages. This happens often with automated messages that send out reports. So, you can't count on NDRs to have null senders 100% of the time, and you can't count on null senders to be NDRs 100% of the time.

To sum it up, NDRs from legitimate servers can take on a variety of forms. Everyone does it differently.

Box Of Meat: Marian Bantjes: spam one“This drawing was made for the...

2008-06-30T15:19:37+00:00

Marian Bantjes: spam one

“This drawing was made for the centerfold of the Vancouver Review, and is created verbatim from a spam email (you know the kind).”

(via metafilter, which has some interesting comments)

Spamnation: In Soviet Russia

2008-06-30T11:37:20+00:00

Some spammers apparently have a sense of humor. Some of our spam traps were recently hit with a run of test messages with the subject line:

in sov r bot test you

The spamtrap addresses affected were originally 'scraped' by spiders running on servers rented from Everyone's Internet/EV1Servers, and gather the usual mess of penis enlargement, pills and fake watch spam.

Using a distinctive test message rather than simply sending out another batch of pill spams would make sense if spammers were collecting bounces in order to eliminate undeliverables from their spam lists. This doesn't seem to be the case, however: the 'From' addresses on the messages use randomly-generated addresses at other people's domains, so there's no way for the spammer to collect the bounces. They could monitor the actual SMTP transaction — but then there's no advantage to using a distinct test message. It's therefore likely that the messages are no more than they appear to be: simply test data used for checking a botnet or trying out a new email module.

Terry Zink: The problem of backscatter, part 2 - The legitimate case

2008-06-30T04:04:00+00:00

Before getting into the problem of backscatter, let's look at how the system is supposed to work before spammers ruined it for everyone.

Let's say that you want to mail a letter to your friend. You write the letter, put it in an envelope, and write your friend's address in the center of the front of the envelope. You then put your address on the top left corner of the envelope, put a stamp on it and then walk down to the nearest mailbox and drop it in the slot. The post office comes, picks up the letter and then through some process known as magic, a few days later your friend gets your letter.

However, suppose there's a problem. Let's say you write the letter to your friend and address it this way:

Homer Simpson
771 Evergreen Terrace
Springfield, USA

Aside from the fact that Homer lives at 742 Evergreen Terrace (or 743 depending on the episode), you have not specified either the state or the zip code where Homer lives. The post office sees this and is unable to deliver your mail so they mark it and return it to you since you put your return address at the top of the envelope. On the letter, they put notices like "Bad address" or "Insufficient Postage" or something similar. In other words, they mark the message as non-deliverable.

Email works the same way. You write an email, put your name and email address in the P1 From (SMTP MAIL FROM) and address it to your friend, who you put in the P2 From (SMTP RCPT TO). You hit send in your email client and by a process known as magic, your email eventually gets delivered to your friend in a matter of seconds.

But what happens if you put a typo in your email address? Just like the post office, the email postmaster has ways of letting you know that your message did not go through. Suppose you did this:

From: Homer Simpson <hjsimpson @ fakeDomain.com>
To: Krusty the Klown <krustyClown @ noDomain.com>

But, Krusty's email address is actually krustyKlown @ noDomain.com. Krusty's recipient mail server gets Homer's email, looks at the To: address and then tries to deliver the mail. But oops! It sees that the email address doesn't exist so it sends a notification back to Homer that the message could not be delivered because the email address that he specified was invalid. This is known as a Non-Deliverable Receipt (NDR) or a Delivery Status Notification (DSN). Suffice to say, the email postmaster Homer has been sending to has been kind enough to notify you that your message did not go through. You get the NDR back in your own email inbox so you can take action on it.

In my next post, I'll go into a bit more detail about how this process works in the legitimate case.

Justin Mason: links for 2008-06-29

2008-06-29T23:34:59+00:00

Sunday Business Post | Irish Business News

good interview with Irish Times MD, Maeve Donovan, on their removal of the paywall: ‘it had become clear that there were not sufficient numbers of Irish Times readers prepared to pay for online content.’ seems the example of the Grauniad was influential

(tags: irish-times ireland newspapers paywall journalism via:cianginty)

Spam Wars Dispatches: That E-Card Isn't From Hallmark

2008-06-29T15:13:22+00:00

For many years now, malware distributors have sent email messages telling recipients that they have received an e-card, and that they should "click here" to retrieve it. The links to, and bogus identities of, the e-card holders were typically lesser-known e-card businesses—usually a legitimate Mom & Pop type online business whose name had been abused by the crooks.

One of the best known greeting card brands in North America, Hallmark, is being used today in a lure to get unsuspecting victims to load a well-known Trojan onto their systems:

From: "hallmarkonline.com" <cards@hallmarkonline.com>
Subject: A Hallmark E-Card from your Friend

If you display the message's image, you see this:

It's rich that the message shows steps to follow if "you're concerned about online security," because if you click anywhere on the image, you actually click a link directly to the Trojan file (card.exe) located on a hijacked web server in the U.K. Clicking the link downloads the file, which, if then opened by you, will install a backdoor for crooks to take over your machine.

Not only do you not get a card from "a friend," but you've just given a great gift to a criminal gang. And it's exactly what they wanted.

John Graham-Cumming: Advice to a young programmer

2008-06-29T14:27:49+00:00

I received a mail from an acquaintance who'd come to the realization that his 13-year-old wanted to be programmer, specifically a games programmer. Here's the advice I gave. Perhaps others have things to add:

1. I'm tempted to tell you that the right way to learn to be a programmer is to start with LISP, or the lambda calculus, or even denotational semantics but you can come back to those after a few years getting your feet wet.

2. Lots of programming involves logic (or at least thinking logically) so learning about and enjoying logic is probably a good foundation. You could start by learning about boolean algebra since it's simple and fun and the basis for a lot of what computers do.

3. Since games programmer involves a lot of physics, you should also learn about Newton's Three Laws and Universal Gravitation and play around with things like springs and pendulums.

4. Basic trigonmetry is important to the games programmer. It'll be handy to know about Pythagoras and the relationship with sin, cos and tan.

5. Above all, start with a programming language and a good book and commence hacking: try stuff out, make little simple programs (even if it's a program that prints out "Hello" on the screen, or a program that prints out "Hello" ten times, or asks you for the number of times to print "Hello" and then does it). Just write code, whatever takes your fancy.

6. A good starting language is Python. Get the O'Reilly book Learning Python.

7. Python is dynamic so you'll be able to make progress very quickly, but for games programming you are probably going to need to get a little closer to the machine. And for that you should learn C by reading the classic The C Programming Language.

8. As you learn more there are some great books that will expand on what you can do: read Programming Pearls and The Practice of Programming. Think about getting: Algorithms in C. Read Structure and Interpretation of Computer Programs.

9. Also: avoid debuggers, learn to unit test. Debuggers are useful in limited circumstances, most code can be debugged by using your head and a few 'print's. Unit tests will save your life as you go forward.

10. When you are ready, try to write a version of the first ever computer game: Spacewar!

...

11. When your first company goes public think of me; I'll be an old man and probably won't have saved enough for retirement.

Spamnation: Something old, something new

2008-06-29T11:56:56+00:00

After a fairly sharp decline from last year's high, there are signs that stock spam might be creeping up again. We've noticed a slight uptick in the number of symbols advertised, although volumes remain well down. What's interesting is that the new stock spammers appear to be exploring some new tactics.

John R. Levine: ICANN to add new top level domains, World to come to an end

2008-06-28T23:41:05+00:00

The biggest buzz from the Paris ICANN meeting was that the board accepted last fall's proposal for a streamlined process to add new TLDs. A variety of articles in the mainstream press, many featuring inflammatory but poorly informed quotes (from people who probably got a phone call saying "We go to press in five minutes, what do you think about ICANN's plan to add a million new domains?") didn't help. When can we expect the flood of TLDs? Don't hold your breath.

Spam Wars Dispatches: Phishers Will Sniff Out Anything of Value

2008-06-28T18:14:20+00:00

Look at this well-designed phishing email message:

Its goal is to capture login names and passwords for Google AdWords accounts. The bogus destination page is (except for one busted image) an identical twin sister of the actual Google AdWords login page. The page is also written with an added script that uses a browser cookie to prevent your browser from visiting the fake page a second time—if you try, it immediately redirects you to the real page.

If you perform the rollover test of the clickable link in the message (shown in the image above), the link isn't to Google's site, but to a domain that has what may be a convincing alternate name. I mean, it has "ads" in the name, right? That domain, by the way, was created waaaay back on Wednesday. The domain registration has information from someone in Paris, but no crook in his right mind would leave a trail of bread loaves. The fake site is hosted through a Spanish ISP.

The lesson to learn here is that obvious financial targets, such as financial institutions (banks, credit unions, PayPal) and popular e-commerce sites (Amazon, eBay, Best Buy), aren't the only ones that phishers have their eyes on. If there is an account anywhere on the Internet that has one thin dime in it (or has data that can be turned into a dime), you can be sure phishers will root through your emotional defenses for that dough like a pig hunts for truffles.

Justin Mason: links for 2008-06-27

2008-06-27T23:35:15+00:00

PostgreSQL query to display active locks

make the obtuse pg_locks table more useful. ’show any queries that are waiting on a lock, and the query that currently holds the lock on which those queries are waiting.’ haven’t tried it out yet

(tags: postgres deadlocks sql databases locks debugging)
Spanish consumers to pay anti-piracy tax on music devices

The SGAE agency will collect on sales of mobile phones (EUR 1.10), blank CDs (17c each), laser printers (EUR 10), scanners (EUR 9), CD recorders (3.40). I guess Spanish consumers have a license to download freely now, since they’re already paying for it

(tags: spain sgae ladrones via:ontherecord music mp3 downloading piracy tax europe)
how to discard annoying crap from AVG LinkScanner

using a couple of mod_rewrite rules and a redirect to www.avg.com

(tags: avg grisoft robots web mod_rewrite abuse apache)

Box Of Meat: Return Path: MAAWG's Latest Documents Improve Accuracy of Reputation Systems

2008-06-27T20:55:00+00:00

Return Path: MAAWG's Latest Documents Improve Accuracy of Reputation Systems: J.D. explains what MAAWG’s freshly documented best common practices actually mean for email

Box Of Meat: ZDnet: ICANN and IANA’s domains hijacked by Turkish hacking group

2008-06-27T18:27:00+00:00

ZDnet: ICANN and IANA’s domains hijacked by Turkish hacking group:

“The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority were hijacked earlier today…”

David Cawley explains how this attack could used for bad email, too.

MailChannels Anti-Spam Blog: ICANN and IANA’s domains hijacked

2008-06-27T16:46:00+00:00

I've been following the blog posts of security consultant Dancho Danchev for quite a while. I don't usually have an opportunity to mention his posts as this is an Anti-Spam blog and for the most part I try to keep my posts on topic. For example, a few weeks ago he mentioned a Comcast DNS hijack with some speculation of what may have happened. The attackers claimed they accessed Comcast's DNS account through a combination of Social Engineering and a technical hack. It sounds like a phone call, e-mail or fax could have been used to socially engineer some data. I'm not sure which technical hack was used but I'm hoping the registrars protect against brute force login attempts!

Following the attack, ICANN (Internet Corporation for Assigned Names and Numbers) the body responsible for managing the assignment of domain names and IP addresses, published a security advisory with recommendations on how to avoid these types of attacks. I took a very quick look at the document and found it a little strange - take the following paragraph:

The attacker can add or modify the following records in the domain zone data he controls:

• MX, to point to mail hosts under his control and use these to send spam. Using the registrant’s domain is preferable over domain the attacker could register directly because in many cases, the registrant’s domain is “trusted” by other mail systems; i.e., it has no history of originating or reputation for relaying spam and is not blacklisted or otherwise blocked from forwarding email.

Surely the most obvious attack would be to change the MX record to point to a mail host under the attackers control so that confidential inbound e-mail could be captured? I'm not entirely sure how they claim this would be used to send spam, perhaps in the case of a large e-mail provider where the outbound mailserver would use MX records to validate who can relay. However, for most companies this would not be the case.

It doesn't even mention the TXT record which could be another attack vector. The attacker could add one of their own IP addresses to the SPF record. This would allow them to forge the domain of the hijacked company and possibly bypass filtering if the domain is on a whitelist.

Embarrassingly, shortly after releasing the advisory ICANN was victim to such an attack. Both ICANN and IANA domains had their DNS compromised yesterday so they pointed to a different site. From an e-mail security perspective these attacks are quite scary - confidential e-mail could be accessed or very real phishing e-mails could be sent.

Box Of Meat: Freakonomics (New York Times): Why Do You Lie? The Perils of Self-Reporting

2008-06-27T14:08:45+00:00

Freakonomics (New York Times): Why Do You Lie? The Perils of Self-Reporting: “Not only does it deliver a surprising insight into why we lie, but it is also a sobering reminder to naturally distrust self-reported data…”

Box Of Meat: PC World: Woman Gets Two Years for Aiding Nigerian Internet Check Scam

2008-06-27T13:56:56+00:00

PC World: Woman Gets Two Years for Aiding Nigerian Internet Check Scam: “Edna Fiedler pleaded guilty in March to attempting to defraud U.S. citizens in a scheme known as a Nigerian check scam.”

Michael Boyd Clark: Akismet 40,000th Spam Comment

2008-06-27T09:54:42+00:00

On May 1st, I zapped my 30,000th comment spam. Yesterday was the 40,000th. Here’s a chart of the count, recorded daily. 7b1d91231a87fb75e0054e886a0dea57

And here’s the daily rate, with a peak since May 8th (the end of the last storm) at 160 on June 6th, and a low of one on May 19th.

72.232.31.42 30/Jun/2008:09:42:06

Copyright © 2008 PlanetMike's Technology Journal. This Feed is for personal non-commercial use only. If you are not reading this material at http://www.planetmike.com or in your news aggregator, the site you are looking at is guilty of copyright infringement. Please contact copyright@planetmike.com so we can take legal action immediately.

Post from: PlanetMike's Technology Journal

Akismet 40,000th Spam Comment

Spam Wars Dispatches: Backscatter Poo

2008-06-27T01:07:56+00:00

Automated systems can be just so damned dumb (I must reserve the word "stupid" for other purposes in this posting).

It appears that Sony Style's Customer Care system allows any Tom, Dick, and Harry Z. Robot to submit an issue via email without any kind of authentication or proof that the sender is human. I know this because earlier today I received an automated response from Sony, acknowledging "my" request for help:

Allow me to translate. At 01:54 PM today, a Sony email account user name of sonystyle-[removed] received a question from a customer whose name is Kimball Shigeo, and whose email address is...one of my email addresses. The question consisted of a URL to a German web site hosting a file named video1.exe.

In our last episode, you remember, I wrote about the "You look really stupid [so-and-so]" malware lures flooding message space in the last couple of days. Sony received one of these, complete with a forged From: address, and entered it into their system. Their system (actually, a system belonging to the customer relationship management company they use) then spit out the confirmation above.

Stee-rike One.

Since they provided a link to view the question and answer thread and after verifying that the link was legit, I clicked to see what, if anything, they'd show. Oddly enough, I couldn't view it because to do so required an account and password—theoretically one that I would have had to set up to submit the question in the first place.

Hmmm. Something tells me that the Sony email address targeted by the botnet isn't the normal way to submit support questions. It might be some kind of back door address that sneaks past the account-creation process.

Stee-rike Two.

At 4:00 on the button, Sony Style issued another e-missive. This one was titled:

Subject: Your recent Sony Style Customer Care experience

Some relevant excerpts:

Recently you contacted Sony Style Customer Care. In order to enhance the Sony Style customer experience, we invite you to complete a short survey that specifically targets your Customer Care experience. ... You received this email because our records show you contacted Sony Style Customer Care and we wish to improve our service.

Because I understand what's going on here, I simply get pissed off, rant about it in a blog entry, and load up a customer service survey with vitriol. But I'd wager that almost anyone else receiving a confirmation like the one above would be confused beyond belief. Worse still, they might venture to that URL to download and run the Trojan installer. Yikes!

Stee-rike Three. Yer out!

Justin Mason: links for 2008-06-26

2008-06-26T23:34:00+00:00

Shirt.Woot now ships to Ireland

there goes my pocket money. I <3 the woot crew

(tags: woot shirts tees t-shirts apparel ireland shopping consume)
Irish national newspapers not in decline

‘It’s a common enough misconception, but Irish national newspapers have not and are not currently showing the large-scale declines in readership as seen in the UK and US. The market is reasonably stable.’ interesting

(tags: ireland newspapers news journalism future irish-times)
Darklight Film Festival panel discussion on privacy in the digital age

A film festival is putting this on? wtf, does not compute. good line up though. at Filmbase, Curved St, Temple Bar, 10am Friday 27th June

(tags: darklight film privacy future web online social-networking)
Resource Management: A Critical Look at RAII

intro to the EAM (Execute Around Method) closure-based resource-management pattern. I was wondering what this trick was called

(tags: perl closures programming coding eam raii resource-management)

Enemieslist: new pats posted - 20080626 (maintenance pats release)

2008-06-26T22:19:05+00:00

31361 patterns, 11873 right anchor strings, 108779 test IPs.

Contribs from the past couple days, plus a few corrections from CXC.

Was asked to start tracking couplets (pattern class and tech, taken
together as a sort of meta-identifier); there are no new couplets in
this release.

I've made sure to exclude outmx and webhost regexes from the exim and
postfix flat file distributions, so we should be safe there.

Download them here:

sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors

postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20080626

exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20080626

Box Of Meat: The Email Wars: Please Remove Me From Your List

2008-06-26T20:03:10+00:00

The Email Wars: Please Remove Me From Your List

Box Of Meat: PC World: Antispam Group Outlines Defenses to Block Botnet Spam

2008-06-26T19:58:33+00:00

PC World: Antispam Group Outlines Defenses to Block Botnet Spam: Jeremy Kirk talks to Richard Cox of Spamhaus about MAAWG’s latest best practices documents

Box Of Meat: A VC: Losing A Phone - A Social Media Security Breach?

2008-06-26T19:54:41+00:00

A VC: Losing A Phone - A Social Media Security Breach?: Fred Wilson muses about (in effect) his habit of saving security credentials on an insecure device