<?xml version="1.0"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">

<channel>
	<title>Planet Antispam</title>
	<link>http://planet.spam.abuse.net/</link>
	<language>en</language>
	<description>Planet Antispam - http://planet.spam.abuse.net/</description>

<item>
	<title>Terry Zink: The Story of Conficker, part 3</title>
	<guid>http://blogs.msdn.com/tzink/archive/2009/11/06/the-story-of-conficker-part-3.aspx</guid>
	<link>http://blogs.msdn.com/tzink/archive/2009/11/06/the-story-of-conficker-part-3.aspx</link>
	<description>&lt;p&gt;&lt;b&gt;Setbacks and Triumphs&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;The domain registration task became exponentially more challenging on March 4, 2009, with the discovery of Worm:Win32/Conficker.D. Investigators reverse-engineered the new variant and determined that it was programmed to generate &lt;i&gt;50,000 &lt;/i&gt;new domain names a day across 110 TLDs, beginning on April 1, 2009. Though this seemed at first like an impossible hurdle to overcome, CWG members immediately began working to counter the effects of the upcoming change. As security researchers continued to analyze the Conficker.D malware, ICANN staffers began contacting the registries responsible for each of the affected TLDs seeking cooperation in registering or blocking the domains, and the CWG compiled “go packs” of information for Internet service providers and enterprises about the steps they should take to help keep their customers and employees safe. &lt;/p&gt;  &lt;p&gt;April 1, 2009, came and went, with the world outside the security community noticing little or no change. By that time, however, ICANN had secured the cooperation of all 110 TLDs used by Conficker, and the global DNS community was active and prepared to deal with the Conficker threat. Rapid, effective collaboration across borders and organizational lines had proven instrumental in containing what has been, and remains, a significant threat to the world’s computers and information.   &lt;br /&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;The CWG Today&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;The CWG remains in place today, with more than 300 member organizations representing law enforcement, academia, and industry, and remains vigilant against new developments. In cooperation with ICANN and the DNS community, the CWG continues to block or register the 50,000 domain names generated each day by the Conficker algorithms. 
Each month the group supplies the 110 affected TLD operators with an updated list of generated domain names covering the next several months, so they can begin implementing countermeasures well in advance. Automated mechanisms verify that each domain name has been blocked before it is scheduled to be used and alert the CWG for any that have not, so activity for those domains can be closely monitored. Once in a while, a domain name generated by the algorithm happens to correspond to an existing domain owned by a legitimate party; in such cases, the CWG contacts the legitimate domain owner in advance and offers assistance managing the expected spike in traffic coming from infected computers.    &lt;br /&gt;    &lt;br /&gt;In March, the group underwent a reorganization process to add structure and to segment its work by subject area to work more effectively. The group maintains a Web site at http://www.confickerworkinggroup.org with links to information in multiple languages about Conficker and resources that service providers and end users can use to determine if they are infected, and if so, what to do about it. The fight against Conficker is not over. The five identified variants continue to spread to new computers due to a lack of information or action on the part of some system administrators and end users. Even after Conficker recedes into insignificance, there will likely be other threats of similar magnitude to deal with in the future. 
As such threats appear, though, collaborative efforts, such as the CWG, can provide the global security community with unequaled tools for mitigation and resolution.&lt;/p&gt;  &lt;p&gt;&lt;a href=&quot;http://blogs.msdn.com/tzink/archive/2009/11/04/the-story-of-conficker.aspx&quot;&gt;Conficker, Part 1&lt;/a&gt;    &lt;br /&gt;&lt;a href=&quot;http://blogs.msdn.com/tzink/archive/2009/11/05/the-story-of-conficker-part-2.aspx&quot;&gt;Conficker, Part 2&lt;/a&gt;    &lt;br /&gt;&lt;a href=&quot;http://blogs.msdn.com/tzink/archive/2009/11/05/the-story-of-conficker-part-3.aspx&quot;&gt;Conficker, Part 3&lt;/a&gt;&lt;/p&gt;</description>
	<pubDate>Sat, 07 Nov 2009 03:00:00 +0000</pubDate>
</item>
<item>
	<title>Enemieslist: new pats posted - 20091106 (maintenance pats release)</title>
	<guid>http://enemieslist.com/news/archives/2009/11/new_pats_posted_530.html</guid>
	<link>http://enemieslist.com/news/archives/2009/11/new_pats_posted_530.html</link>
	<description>&lt;p&gt;45019 patterns, 11500 right anchor strings, 187816 test IPs.&lt;/p&gt;

&lt;p&gt;Some more contribs and updates from a new feed.&lt;/p&gt;

&lt;p&gt;Also note that the rbldnsd zone file now has support for 'cloud', using&lt;br /&gt;
response code 127.0.0.12. Currently only a few of these, but the field&lt;br /&gt;
is growing, so expect more to come. This may be used via the most recent&lt;br /&gt;
sendmail package, and I've updated the SpamAssassin plugin to support it&lt;br /&gt;
as well.&lt;/p&gt;

&lt;p&gt;Download them here:&lt;/p&gt;

&lt;p&gt; sendmail:&lt;br /&gt;
 http://enemieslist.com/downloads/sendmail_access_db&lt;br /&gt;
 http://enemieslist.com/downloads/rightanchors&lt;/p&gt;

&lt;p&gt; postfix:&lt;br /&gt;
 http://enemieslist.com/downloads/postfix_regexp_table&lt;br /&gt;
 http://enemieslist.com/downloads/postfix_regexp_table-20091106&lt;/p&gt;

&lt;p&gt; exim:&lt;br /&gt;
 http://enemieslist.com/downloads/exim_hosts&lt;br /&gt;
 http://enemieslist.com/downloads/exim_hosts-20091106&lt;br /&gt;
&lt;/p&gt;</description>
	<pubDate>Fri, 06 Nov 2009 22:59:36 +0000</pubDate>
</item>
<item>
	<title>Enemieslist: Why I Harbor a Strong Dislike for .PL</title>
	<guid>http://enemieslist.com/news/archives/2009/11/why_i_harbor_a.html</guid>
	<link>http://enemieslist.com/news/archives/2009/11/why_i_harbor_a.html</link>
	<description>&lt;p&gt;This is the regex I have to use to match the second level domain part of domains in .pl (in order to figure out what the domain part of a hostname is):&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;(aid|agro|atm|auto|biz|com|edu|gmina|gsm|info|mail|miasta|media|mil|net|
nieruchomosci|nom|org|pc|powiat|priv|realestate|rel|sex|shop|sklep|sos|szkola|
targi|tm|tourism|travel|turystyka|augustow|babia-gora|bedzin|beskidy|bialowieza|
bialystok|bielawa|bieszczady|boleslawiec|bydgoszcz|bytom|cieszyn|czeladz|czest|
dlugoleka|elblag|elk|glogow|gniezno|gorlice|grajewo|ilawa|jaworzno|jelenia-gora|
jgora|kalisz|kazimierz-dolny|karpacz|kartuzy|kaszuby|katowice|kepno|ketrzyn|
klodzko|kobierzyce|kolobrzeg|konin|konskowola|kutno|lapy|lebork|legnica|lezajsk|
limanowa|lomza|lowicz|lubin|lukow|malbork|malopolska|mazowsze|mazury|
mielec|mielno|mragowo|naklo|nowaruda|nysa|olawa|olecko|olkusz|olsztyn|
opoczno|opole|ostroda|ostroleka|ostrowiec|ostrowwlkp|pila|pisz|podhale|podlasie|
polkowice|pomorze|pomorskie|prochowice|pruszkow|przeworsk|pulawy|radom|
rawa-maz|rybnik|rzeszow|sanok|sejny|slask|slupsk|sosnowiec|stalowa-wola|skoczow|
starachowice|stargard|suwalki|swidnica|swiebodzin|swinoujscie|szczecin|szczytno|
tarnobrzeg|tgory|turek|tychy|ustka|walbrzych|warmia|warszawa|waw|wegrow|wielun|
wlocl|wloclawek|wodzislaw|wolomin|wroclaw|zachpomor|zagan|zarow|zgora|
zgorzelec)&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;Yes, really. It's like the shining example of the .us TLD, but they also allow domains in the .pl TLD as well. Oh, wait. So does .us now.&lt;/p&gt;</description>
	<pubDate>Fri, 06 Nov 2009 19:04:06 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: FBI: Online Banking Attacks Reach $100 Million Mark</title>
	<guid>http://boxofmeat.net/post/235046216</guid>
	<link>http://boxofmeat.net/post/235046216</link>
	<description>&lt;a href=&quot;http://www.eweek.com/c/a/Security/FBI-Online-Banking-Attacks-Reach-100-Million-Mark-785125/&quot;&gt;FBI: Online Banking Attacks Reach $100 Million Mark&lt;/a&gt;: &lt;p&gt;“…the typical scenario involves the victims receiving a phishing e-mail with an infected attachment or malicious link. If the recipient falls for the trick, they end up downloading a key logger that swipes their business or corporate bank account credentials. The thieves then create another user account with the stolen data and begin transferring funds via traditional wire transfers and ACH transfers while pretending to be the legitimate user.”&lt;/p&gt;</description>
	<pubDate>Fri, 06 Nov 2009 16:02:00 +0000</pubDate>
</item>
<item>
	<title>Al Iverson's DNSBL Resource: Status of DSBL: Dead</title>
	<guid>tag:blogger.com,1999:blog-33849608.post-5402258486962516012</guid>
	<link>http://www.dnsbl.com/2009/03/status-of-dsbl-dead.html</link>
	<description>The DNSBL called &quot;DSBL&quot; is no more. As of March 11, 2009, their website reports: &quot;DSBL is GONE and highly unlikely to return. Please remove it from your mail server configuration.&quot;


DSBL was an open relay/open proxy DNSBL. From the website: &quot;DSBL relied on volunteers who, upon receiving spam, would test the IP addresses that sent them spam for open relay and open proxy vulnerabilities.  
&quot;The</description>
	<pubDate>Fri, 06 Nov 2009 15:15:50 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): Fake Facebook e-mail “Subject: updated account agreement”</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=7334</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=7334</link>
	<description>&lt;p&gt;It has been a busy week so far for the writers of e-mail exploits and this Friday morning they continue to try to trick the public into installing their malware. The latest threat to fall into the Sophos spam traps purports to come from Facebook and requests the user to update their account agreement by unzipping and executing an attached file called &lt;em&gt;agreement.exe&lt;/em&gt;.&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;Dear Facebook user,&lt;/strong&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.&lt;br /&gt;
Accounts that do not submit the updated account agreement by the deadline will have restricted.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Please unzip the attached file and run &amp;#8220;agreement.exe&amp;#8221; by double-clicking it.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Thanks,&lt;br /&gt;
The Facebook Team&lt;/strong&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Of course we all know that it is pure folly to unzip and run an unknown executable attached to an e-mail; however, the implied threat of finding their access to Facebook restricted by &amp;#8216;the deadline&amp;#8217;, whenever that may be, is obviously severe enough to panic a number of the users of Facebook into falling for this trick.&lt;/p&gt;
&lt;p&gt;They really should think twice: by agreeing to install &lt;em&gt;agreement.exe&lt;/em&gt; they will install a Trojan.&lt;/p&gt;
&lt;p&gt;Sophos detects this threat as &lt;a href=&quot;http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrcws.html?_log_from=rss&quot; target=&quot;_blank&quot;&gt;Troj/Dloadr-CWS&lt;/a&gt;.&lt;/p&gt;</description>
	<pubDate>Fri, 06 Nov 2009 13:46:57 +0000</pubDate>
</item>
<item>
	<title>John Graham-Cumming: Geek Weekend (Paris Edition), Day 2: Foucault's Pendulum</title>
	<guid>tag:blogger.com,1999:blog-19303585.post-2784160250293048364</guid>
	<link>http://www.jgc.org/blog/2009/11/geek-weekend-paris-edition-day-2.html</link>
	<description>Not very far from &lt;a href=&quot;http://www.jgc.org/blog/2009/11/geek-weekend-paris-edition-day-1-curie.html&quot;&gt;The Curie Museum&lt;/a&gt; is the former church and now burial place for the great and good men (and one woman) of France: &lt;a href=&quot;http://en.wikipedia.org/wiki/Panth%C3%A9on,_Paris&quot;&gt;The Pantheon&lt;/a&gt;.  Inside the Pantheon is the original &lt;a href=&quot;http://en.wikipedia.org/wiki/Foucault_pendulum&quot;&gt;Foucault's Pendulum&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The pendulum was first mounted in the Pantheon in 1851 to demonstrate that the Earth is rotating.  The pendulum swings back and forth in the same plane, but the Earth moves.  Relative to the floor (and to the convenient hour scale provided) the pendulum appears to rotate.&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.jgc.org/blog/uploaded_images/P1000695-734566.JPG&quot;&gt;&lt;img src=&quot;http://www.jgc.org/blog/uploaded_images/P1000695-734048.JPG&quot; border=&quot;0&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;br /&gt;The pendulum is on a 67m long cable hanging from the roof of the Pantheon.  The bob at the end of the cable weight 27kg.  In the Pantheon the pendulum appears to rotate at 11 degrees per hour (which means it takes more than a day to return to its original position).  If it were mounted at the North Pole it would 'rotate' once every 24 hours, the pendulum's period of rotation depends on the latitude diminishing to 0 degrees per hour at the equator (i.e. it doesn't 'rotate' at all).&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.jgc.org/blog/uploaded_images/P1000696-763027.JPG&quot;&gt;&lt;img src=&quot;http://www.jgc.org/blog/uploaded_images/P1000696-762399.JPG&quot; border=&quot;0&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;br /&gt;If you take a look at the photograph above you can see that I was there just after 1200.  
The scale shows the current time measured by the pendulum.&lt;br /&gt;&lt;br /&gt;The actual movement of the pendulum is only hard to understand because the common sense assumption is that the floor is not moving, but of course it is.  It appears that what we are observing is a pendulum swinging above a fixed floor.&lt;br /&gt;&lt;br /&gt;But the floor is actually moving because of the rotation of the Earth.  That makes understanding the pendulum's motion harder.  The important factor is the &lt;a href=&quot;http://en.wikipedia.org/wiki/Coriolis_effect&quot;&gt;Coriolis Effect&lt;/a&gt; (sometimes erroneously called the Coriolis Force).&lt;br /&gt;&lt;br /&gt;The simplest way to visualize the Coriolis Effect is to imagine firing a gun at the Equator straight northwards along a meridian.  Because the Earth rotates the bullet will not land on the meridian, the Earth will have moved and the bullet will land to the west of the meridian.  It looks as though a force has acted on the bullet to push it sideways.  Of course, there's no actual force, it's just that the frame of reference (i.e. where the observer is) is not stationary.&lt;br /&gt;&lt;br /&gt;Essentially the same thing happens with Foucault's Pendulum.  The observer and the floor are not stationary and so the pendulum has an apparent motion.</description>
	<pubDate>Fri, 06 Nov 2009 13:37:14 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: Tis the Season for Christmas Spam</title>
	<guid>http://www.allspammedup.com/?p=1749</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/_J3trOhDvhU/</link>
	<description>&lt;p&gt;&lt;img class=&quot;alignright size-full wp-image-1750&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2009/11/IMG_8103.jpg&quot; alt=&quot;IMG_8103&quot; width=&quot;114&quot; height=&quot;180&quot; /&gt;Halloween has barely passed but spammers are already flooding the net with their Christmas spam campaigns. The spam messages sport urgent-sounding headlines like “Quantities are low!” and advertise knock offs of designer handbags, watches and jewelry. Anyone who clicks on the included link is taken to a very slick and legit looking site that is actually malicious. It’s a fake storefront designed to steal personal and financial info. Experts say that the Cutwail botnet is responsible.&lt;/p&gt;
&lt;p&gt;As if that weren’t enough, believe it or not, Valentine’s Day themed spam has already been spotted as well! The spams are in the form of love letters and hawk male enhancement products and shady internet pharmacies claiming to offer cheap Viagra and Cialis. In addition, there is spam exploiting the 2010 World Cup, which is over 6 months away. Those spams are thinly veiled 419 or Nigerian scam messages. The Cutwail and Rustock botnets are responsible. It appears spammers are getting a very early jump on upcoming holidays and events and are trying a variety of different scams. This is only the beginning. Expect more holiday themed spam and malware attacks to be unleashed as the season unfolds.&lt;/p&gt;
</description>
	<pubDate>Fri, 06 Nov 2009 12:57:02 +0000</pubDate>
</item>
<item>
	<title>John Graham-Cumming: Some real data about JavaScript tagging on web pages</title>
	<guid>tag:blogger.com,1999:blog-19303585.post-8115929177587826648</guid>
	<link>http://www.jgc.org/blog/2009/10/some-real-data-about-javascript-tagging.html</link>
	<description>Since March of this year I've been running a private web spider looking at the number of web tags on web pages belonging to the Fortune 1000 and the top 1,000 web sites by traffic.  Using the spider I've been able to see which products are deployed where, and how those products are growing or shrinking.&lt;br /&gt;&lt;br /&gt;The web tags being tracked are those used for ad serving, web analytics, A/B testing, audience measurement and similar.&lt;br /&gt;&lt;br /&gt;The spider captures everything about the page, including screen shots, and I'm able to drill in to see the state of a page and all its includes at the time of spidering.  Here's shot of &lt;a href=&quot;http://apple.com/&quot;&gt;Apple&lt;/a&gt; with all the detail that the spider keeps.&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href=&quot;http://www.jgc.org/blog/uploaded_images/Picture-4-718200.png&quot;&gt;&lt;img src=&quot;http://www.jgc.org/blog/uploaded_images/Picture-4-718194.png&quot; alt=&quot;&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;The first interesting thing is to look at the top 1,000 web sites by traffic and see how many different tags are deployed per page.  The average is 2.21, but if you exclude those that have no tags at all then the average is 3.10.  Here's the distribution of number of tags against percentage of sites.&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.jgc.org/blog/uploaded_images/Picture-3-702033.png&quot;&gt;&lt;img src=&quot;http://www.jgc.org/blog/uploaded_images/Picture-3-702030.png&quot; border=&quot;0&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;br /&gt;And of course, it's possible to see the market share of various different products.  Here are the top 10 that I am tracking.  
Google Analytics has an impressive 43% of the top 1,000 web sites by traffic.&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.jgc.org/blog/uploaded_images/Picture-4-790690.png&quot;&gt;&lt;img src=&quot;http://www.jgc.org/blog/uploaded_images/Picture-4-790689.png&quot; border=&quot;0&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;br /&gt;Since I've been tracking over time it's also possible to watch the growth (and decline). Here's the growth in the average number of tags on a web page (excluding pages that have no tags) since March 2009.&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.jgc.org/blog/uploaded_images/Picture-6-717471.png&quot;&gt;&lt;img src=&quot;http://www.jgc.org/blog/uploaded_images/Picture-6-717469.png&quot; border=&quot;0&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;Since I also keep all the JavaScript and HTML for a page it's a breeze to calculate page weights.  Here's a chart showing the size of HTML and JavaScript for the top 1,000 web pages by traffic.  The x-axis shows the size of the page (excluding images) in kilo- or megabytes.  The y-axis is the percentage of sites in that band.&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.jgc.org/blog/uploaded_images/Picture-5-716999.png&quot;&gt;&lt;img src=&quot;http://www.jgc.org/blog/uploaded_images/Picture-5-716996.png&quot; border=&quot;0&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;br /&gt;I was shocked when I saw that list and suspected a bug.  How could there be web sites with megabytes of non-image content?  It turned out that it wasn't a bug.  For example, at the time of downloading, the HTML and JavaScript for &lt;a href=&quot;http://gawker.com/&quot;&gt;Gawker&lt;/a&gt; was over 1Mb.&lt;br /&gt;&lt;br /&gt;In a &lt;a href=&quot;http://www.jgc.org/blog/2009/10/what-is-jshub.html&quot;&gt;previous post&lt;/a&gt; I showed in detail the tagging on a site and that 29% of the non-graphic content was JavaScript used for web tagging.  
Here's another chart showing what percentage of web page markup is included JavaScript (this can include stuff like jQuery and web tagging products).&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.jgc.org/blog/uploaded_images/Picture-7-771454.png&quot;&gt;&lt;img src=&quot;http://www.jgc.org/blog/uploaded_images/Picture-7-771452.png&quot; border=&quot;0&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;br /&gt;The really surprising thing there is how much JavaScript there is on pages.  For many pages it's the majority of non-graphic content.  Take for example &lt;a href=&quot;http://subscene.com/&quot;&gt;Subscene&lt;/a&gt; where the home page HTML is about 18k but then masses of JavaScript are included (including over 200k from Facebook, a similar amount from UPS and various other bits of code).&lt;br /&gt;&lt;br /&gt;If you delve into the tags actually used by various products you'll see that the sizes of JavaScript used for them vary a lot.  comScore's Beacon is tiny (just 866 bytes)!&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.jgc.org/blog/uploaded_images/Picture-9-767276.png&quot;&gt;&lt;img src=&quot;http://www.jgc.org/blog/uploaded_images/Picture-9-767274.png&quot; border=&quot;0&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Finally, you might be asking yourself which site had 16 different tags on it.  The winner is the celebrity gossip site &lt;a href=&quot;http://www.tmz.com/&quot;&gt;TMZ&lt;/a&gt;.</description>
	<pubDate>Fri, 06 Nov 2009 11:58:59 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: Identity theft is the real thing</title>
	<guid>http://www.allspammedup.com/?p=1671</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/XZPfG930Hb0/</link>
	<description>&lt;p&gt;&lt;img class=&quot;alignright size-medium wp-image-1679&quot; title=&quot;Identity Theft&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2009/10/21st-Century-Heists-Part-2-400x268.jpg&quot; alt=&quot;Identity Theft&quot; width=&quot;280&quot; height=&quot;188&quot; /&gt;Last week, a Wall Street Journal article entitled &amp;#8220;&lt;a target=&quot;_blank&quot; href=&quot;http://online.wsj.com/article/SB125537784669480983.html&quot; target=&quot;_blank&quot;&gt;The fallacy of identity theft&lt;/a&gt;&amp;#8221; may have given some people the mistaken impression that there&amp;#8217;s nothing to worry about, and that everyone&amp;#8217;s identities are safe. Unfortunately, however, that&amp;#8217;s not quite the case, and yes, you do need to be paranoid about it. It&amp;#8217;s the real deal, and identity thieves can, and do on a regular basis, steal peoples&amp;#8217; identities and wreak havoc on their lives.&lt;/p&gt;
&lt;p&gt;The article starts out by deconstructing the term &amp;#8220;identity theft&amp;#8221; which makes it seem less dangerous than it really is and states that &amp;#8220;identity theft&amp;#8221; doesn&amp;#8217;t steal anybody&amp;#8217;s true identity, or personhood of what makes them what they are. When you are a victim of this crime, you remain you, but that&amp;#8217;s only a small consolation when a stranger is charging up luxury cruises and fur coats on your credit card. It&amp;#8217;s a semantic bit of theory that was actually played out on the &amp;#8220;Family Guy&amp;#8221; cartoon when actor James Woods stole the identity of cartoon character Peter Griffin, to the point of moving into Peter&amp;#8217;s home, sitting at his dinner table and sleeping in his bed. It was a funny episode, but of course, that&amp;#8217;s not what identity theft really is.&lt;/p&gt;
&lt;p&gt;The article comments about how experts &amp;#8220;hounded&amp;#8221; people into shredding bank statements and being vigilant about monitoring credit reports, but the fact is, doing so really is a good idea. It&amp;#8217;s not a conspiracy by manufacturers of shredding machines, or of companies offering various fee-based monitoring and protection services. And here&amp;#8217;s the real kicker, at the end of the article: &amp;#8220;It turns out that &amp;#8216;identity theft&amp;#8217; is one of the most brilliant linguistic constructs ever, with its terrifying specter of losing not just your money—but your soul. Maybe it&amp;#8217;s time that we renamed it what it is: a fear campaign designed to get us to buy expensive services that we don&amp;#8217;t need.&amp;#8221;&lt;/p&gt;
&lt;p&gt;Advice like this is what lulls people into a false sense of security and prevents them from taking the precautions that they need to take. Is it a fear campaign? To a degree, yes, it is. But it&amp;#8217;s based on fear of something very real. So there is reason to be afraid and one must take the necessary steps to protect oneself &amp;#8211; because you could be a victim.&lt;/p&gt;
</description>
	<pubDate>Fri, 06 Nov 2009 11:05:53 +0000</pubDate>
</item>
<item>
	<title>John Graham-Cumming: Security Now #221</title>
	<guid>tag:blogger.com,1999:blog-19303585.post-1541130603522571888</guid>
	<link>http://www.jgc.org/blog/2009/11/security-now-221.html</link>
	<description>I was a guest on &lt;a href=&quot;http://twit.tv/sn&quot;&gt;Security Now&lt;/a&gt; this week and the podcast has now been &lt;a href=&quot;http://twit.tv/sn221&quot;&gt;released&lt;/a&gt; (as has a &lt;a href=&quot;http://www.grc.com/sn/sn-221.htm&quot;&gt;transcript&lt;/a&gt;).  Steve Gibson and some other people asked me to provide the presentation in some relatively readable format.&lt;br /&gt;&lt;br /&gt;The original presentation is &lt;a href=&quot;http://www.jgc.org/blog/2009/09/javascript-must-die.html&quot;&gt;here&lt;/a&gt;, but it, ironically, requires JavaScript and Adobe Flash.  So here are two additional formats: old style &lt;a href=&quot;http://www.jgc.org/blog/jgc-javascript-security.ppt&quot;&gt;Microsoft PowerPoint&lt;/a&gt; and &lt;a href=&quot;http://www.jgc.org/blog/jgc-javascript-security.pdf&quot;&gt;PDF&lt;/a&gt;.&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;img width=&quot;1&quot; height=&quot;1&quot; src=&quot;https://blogger.googleusercontent.com/tracker/19303585-1541130603522571888?l=www.jgc.org%2Fblog&quot; /&gt;&lt;/div&gt;</description>
	<pubDate>Fri, 06 Nov 2009 09:37:31 +0000</pubDate>
</item>
<item>
	<title>Spam Wars Dispatches: Facebook, Part Two</title>
	<guid>http://spamwars.com/archives/2009/11/facebook_part_t.html</guid>
	<link>http://spamwars.com/archives/2009/11/facebook_part_t.html</link>
	<description>&lt;p&gt;Earlier today we had a Facebook phishing scam to capture login credentials. Now Facebook is being abused as a way to get spam recipients to install a Trojan:&lt;/p&gt;

&lt;blockquote&gt;
From: &quot;Facebook Support&quot; &amp;lt;confirmation@facebook.com&amp;gt;&lt;br /&gt;
Subject: Facebook Password Reset Confirmation.Support Message.

&lt;p&gt;Hey [removed] ,&lt;/p&gt;

&lt;p&gt;Because of the measures taken to provide safety to our clients, your password has been changed.&lt;br /&gt;
You can find your new password in attached document.&lt;/p&gt;

&lt;p&gt;Thanks,&lt;br /&gt;
Your Facebook.&lt;br /&gt;
&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;The attachment is a file named Facebook_Details_11c97.zip. Unfortunately, VirusTotal shows only 5% recognition by antivirus products.&lt;/p&gt;</description>
	<pubDate>Fri, 06 Nov 2009 06:30:37 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): How a phish works</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=7303</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=7303</link>
	<description>&lt;p class=&quot;MsoNormal&quot;&gt;&lt;span lang=&quot;EN-US&quot;&gt;&lt;span&gt;&lt;span&gt;Recently we have received a PayPal phishing email and it looks like this.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/paypal_step1.png&quot;&gt;&lt;img class=&quot;alignnone size-medium wp-image-7306&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/paypal_step1.png&quot; alt=&quot;&quot; width=&quot;400&quot; height=&quot;225&quot; /&gt;&lt;/a&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;span lang=&quot;EN-US&quot;&gt;&lt;span&gt;&lt;span&gt;It is not hard to spot that this email is a phish since clicking on the link does not take us to PayPal.com but to some remote site (which is already blocked by Sophos&amp;#8217;s web appliance).&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;span lang=&quot;EN-US&quot;&gt;&lt;span&gt;&lt;span&gt;&lt;img class=&quot;aligncenter size-medium wp-image-7304&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/paypal_dodgylink1.png&quot; alt=&quot;&quot; width=&quot;195&quot; height=&quot;23&quot; /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;span lang=&quot;EN-US&quot;&gt;&lt;span&gt;&lt;span&gt;The web page loaded from this site disguises itself as PayPal.com as shown below.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt; &lt;img class=&quot;aligncenter size-medium wp-image-7307&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/paypal_step2.png&quot; alt=&quot;&quot; width=&quot;500&quot; height=&quot;354&quot; /&gt;&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;span lang=&quot;EN-US&quot;&gt;&lt;span&gt;&lt;span&gt;However, this web page is just an image of the real PayPal.com web page. All the tabs and links on this fake web page cannot be selected and only the email address and password text fields can be used. This is another obvious sign that the web site is fake. By logging in with some fake email address and password we were led to the following page.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt; &lt;img class=&quot;aligncenter size-medium wp-image-7330&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/paypal_step3.png&quot; alt=&quot;&quot; width=&quot;550&quot; height=&quot;252&quot; /&gt;&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;span lang=&quot;EN-US&quot;&gt;&lt;span&gt;&lt;span&gt;By clicking on the link we were directed to another web page as shown below.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;img class=&quot;aligncenter size-medium wp-image-7309&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/paypal_step4a.png&quot; alt=&quot;&quot; width=&quot;500&quot; height=&quot;298&quot; /&gt;&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;img class=&quot;aligncenter size-medium wp-image-7310&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/paypal_step4b.png&quot; alt=&quot;&quot; width=&quot;500&quot; height=&quot;360&quot; /&gt;&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;span lang=&quot;EN-US&quot;&gt;&lt;span&gt;&lt;span&gt;How can we tell that this web page is fake? It is quite simple: this page has the following URL.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;img class=&quot;aligncenter size-medium wp-image-7305&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/paypal_dodgylink2.png&quot; alt=&quot;&quot; width=&quot;450&quot; height=&quot;23&quot; /&gt;&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;span lang=&quot;EN-US&quot;&gt;&lt;span&gt;&lt;span&gt;We provided some fake account and address information, and the site then redirected us to a page asking us to supply our banking details.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;span lang=&quot;EN-US&quot;&gt;&lt;span&gt;&lt;span&gt;&lt;img class=&quot;aligncenter size-medium wp-image-7312&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/paypal_step5.png&quot; alt=&quot;&quot; width=&quot;463&quot; height=&quot;419&quot; /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;span lang=&quot;EN-US&quot;&gt;&lt;span&gt;&lt;span&gt;We then decided to supply more fake banking information to the web page to see where it would lead us. As a result we were led to the following page.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;span lang=&quot;EN-US&quot;&gt;&lt;span&gt;&lt;span&gt;&lt;img class=&quot;aligncenter size-medium wp-image-7311&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/paypal_step6.png&quot; alt=&quot;&quot; width=&quot;550&quot; height=&quot;296&quot; /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;span lang=&quot;EN-US&quot;&gt;&lt;span&gt;&lt;span&gt;Finally, the site will refresh and redirect us to the genuine PayPal.com web page. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
</description>
	<pubDate>Fri, 06 Nov 2009 05:28:00 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: The Story of Conficker, part 2</title>
	<guid>http://blogs.msdn.com/tzink/archive/2009/11/05/the-story-of-conficker-part-2.aspx</guid>
	<link>http://blogs.msdn.com/tzink/archive/2009/11/05/the-story-of-conficker-part-2.aspx</link>
	<description>&lt;p&gt;&amp;nbsp;&lt;b&gt;The Conficker Working Group Is Born&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;In January 2009, representatives from a number of security research companies and domain registrars, along with the anti-botnet Shadowserver Foundation, began discussing how best to implement a defensive Domain Name Service (DNS) strategy to handle domain registrations. To coordinate the significant amount of e-mail being generated by these discussions, the group established the CONFICKER e-mailing list on January 28, which drew a growing number of security researchers and members from law enforcement, academia, and industry, in addition to members representing each of the eight TLDs used by Conficker. Enlisting the support of the TLD operators would prove to be a vital step in containing the Conficker threat, enabling the group to block domain names more efficiently and at far less expense than would be possible through the commercial registration process. &lt;/p&gt;  &lt;p&gt;By early February 2009, working group members had instituted a process for registering as many domain names as possible, before the Conficker operators could register them, and assigning them to IP addresses belonging to six &lt;i&gt;sinkholes &lt;/i&gt;(server complexes designed to absorb and analyze malware traffic) operated by organizations belonging to the working group. Infected computers looking for command-and-control servers would contact the sinkholes instead, providing researchers with valuable telemetry for analyzing the spread of the worm. A number of Internet service providers (ISPs) were also able to use this telemetry data to identify infected computers. 
&lt;/p&gt;  &lt;p&gt;Around the same time, the Internet Corporation for Assigned Names and Numbers (ICANN), which is responsible for allocating IP addresses and managing the Internet domain name system, invited the group to deliver a presentation on its domain registration efforts to a meeting of the ICANN board of directors. The board expressed its support for the program and assigned two staffers to help coordinate it. Despite these efforts, the Conficker operators were still able to register some domains before the working group could get to them. To mitigate this, researchers at Kaspersky Lab, an anti-malware vendor headquartered in Russia, worked with OpenDNS, a free network resolution service used by many organizations and individuals, to compute a year’s worth of Conficker domain names and proactively point them at the group’s sinkholes. Any infected computer belonging to an OpenDNS user would not be able to contact any of the Conficker command-and-control servers, even on domains the Conficker operators had been able to secure. &lt;/p&gt;  &lt;p&gt;The formation of the Conficker Working Group (CWG) was officially announced to the public on February 12, 2009, as what a number of news stories characterized as an unprecedented example of global cooperation in the computer security industry, and a potential blueprint for dealing with threats in the future. The CWG had grown from an e-mail list for nine individuals to a group of more than 30 member organizations from around the world, coordinating complex activities through a robust communications infrastructure. On the day the CWG was announced, the group had successfully registered every Conficker domain name for the next 10 days, a genuine—if temporary—victory over the Conficker operators.   &lt;br /&gt;&lt;br /&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href=&quot;http://blogs.msdn.com/tzink/archive/2009/11/04/the-story-of-conficker.aspx&quot;&gt;Conficker, 
Part 1&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://blogs.msdn.com/tzink/archive/2009/11/05/the-story-of-conficker-part-2.aspx&quot;&gt;Conficker, 
Part 2&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://blogs.msdn.com/tzink/archive/2009/11/05/the-story-of-conficker-part-3.aspx&quot;&gt;Conficker, 
Part 3&lt;/a&gt;&lt;/p&gt;</description>
	<pubDate>Thu, 05 Nov 2009 23:10:00 +0000</pubDate>
</item>
<item>
	<title>Enemieslist: new pats posted - 20091105 (maintenance pats release)</title>
	<guid>http://enemieslist.com/news/archives/2009/11/new_pats_posted_529.html</guid>
	<link>http://enemieslist.com/news/archives/2009/11/new_pats_posted_529.html</link>
	<description>&lt;p&gt;45019 patterns, 11500 right anchor strings, 187816 test IPs.&lt;/p&gt;

&lt;p&gt;Some more contribs and updates. There were several interim releases since&lt;br /&gt;
11/04; I'll continue to do this and only mention major releases from now&lt;br /&gt;
on. Eventually, we will move to a more automated publishing model and&lt;br /&gt;
I'll have to figure out whether anyone finds these notices useful or if&lt;br /&gt;
I will just stop doing them altogether.&lt;/p&gt;

&lt;p&gt;Also note that the rbldnsd zone file now has support for 'cloud', using&lt;br /&gt;
response code 127.0.0.12. Currently only a few of these, but the field&lt;br /&gt;
is growing, so expect more to come. This may be used via the most recent&lt;br /&gt;
sendmail package, and I've updated the SpamAssassin plugin to support it&lt;br /&gt;
as well.&lt;/p&gt;

&lt;p&gt;Download them here:&lt;/p&gt;

&lt;p&gt; sendmail:&lt;br /&gt;
 http://enemieslist.com/downloads/sendmail_access_db&lt;br /&gt;
 http://enemieslist.com/downloads/rightanchors&lt;/p&gt;

&lt;p&gt; postfix:&lt;br /&gt;
 http://enemieslist.com/downloads/postfix_regexp_table&lt;br /&gt;
 http://enemieslist.com/downloads/postfix_regexp_table-20091105&lt;/p&gt;

&lt;p&gt; exim:&lt;br /&gt;
 http://enemieslist.com/downloads/exim_hosts&lt;br /&gt;
 http://enemieslist.com/downloads/exim_hosts-20091105&lt;br /&gt;
&lt;/p&gt;</description>
	<pubDate>Thu, 05 Nov 2009 22:12:10 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Technology Liberation Front: Google’s Privacy Dashboard: Another Major Step Forward in User Empowerment &amp; Transparency</title>
	<guid>http://boxofmeat.net/post/234273651</guid>
	<link>http://boxofmeat.net/post/234273651</link>
	<description>&lt;a href=&quot;http://techliberation.com/2009/11/05/googles-privacy-dashboard-another-major-step-forward-in-user-empowerment-transparency/&quot;&gt;Technology Liberation Front: Google’s Privacy Dashboard: Another Major Step Forward in User Empowerment &amp;amp; Transparency&lt;/a&gt;: &lt;p&gt;‘Google’s announcement of its Privacy Dashboard…is a major step forward in both informing users about what data Google has tied to their account in each of Google’s many products and in empowering users to easily manage their privacy settings for each product. If users decide they’d rather “take their ball and go home,” they can do that, too, by simply deleting their data.’&lt;/p&gt;</description>
	<pubDate>Thu, 05 Nov 2009 22:10:50 +0000</pubDate>
</item>
<item>
	<title>Silent Noise: I should receive money transfer?</title>
	<guid>http://www.matchent.com/489 at http://www.matchent.com/wpress</guid>
	<link>http://www.matchent.com/wpress/?q=node/489</link>
	<description>&lt;p&gt;I know I should not receive any money transfer from Western Union or a parcel from DHL.&lt;/p&gt;
&lt;p&gt;Yet someone claims so at least a couple of times each day lately.&lt;br /&gt;
But look out for the attachments, this is a real cat and mouse race.&lt;/p&gt;
&lt;p&gt;The last one I received, only a few minutes ago, was only detected by 2 AV-vendors.&lt;br /&gt;
ClamAV calls it &quot;Suspect.Bredozip-zippwd-4&quot; and Sophos &quot;Troj/BredoZp-L&quot;.&lt;br /&gt;
All according to VirusTotal.&lt;/p&gt;</description>
	<pubDate>Thu, 05 Nov 2009 22:10:26 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: All Spammed Up: ICANN move contributing to URL spoofing?</title>
	<guid>http://boxofmeat.net/post/234223277</guid>
	<link>http://boxofmeat.net/post/234223277</link>
	<description>&lt;a href=&quot;http://www.allspammedup.com/2009/11/icann-move-contributing-to-url-spoofing/&quot;&gt;All Spammed Up: ICANN move contributing to URL spoofing?&lt;/a&gt;: &lt;p&gt;“With the addition of International Domain Names, which ICANN will be expanding next year, phishers found another way to disguise their spoofing by taking advantage of similarities between some of the characters in foreign and Latin alphabets. What makes that approach superior to other typographic tricks is that a target may have no way of knowing that he or she is headed to a spoofed address. That’s because in certain fonts foreign characters look like Latin characters.”&lt;/p&gt;</description>
	<pubDate>Thu, 05 Nov 2009 21:09:49 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Seth's Blog: The unclicking 84%</title>
	<guid>http://boxofmeat.net/post/234177096</guid>
	<link>http://boxofmeat.net/post/234177096</link>
	<description>&lt;a href=&quot;http://sethgodin.typepad.com/seths_blog/2009/11/the-unclicking-84.html&quot;&gt;Seth's Blog: The unclicking 84%&lt;/a&gt;: &lt;p&gt;“…all of the clicks for all the ads online come from only 16% of the surfers, and most of them come from just 4% of all internet users.”&lt;/p&gt;</description>
	<pubDate>Thu, 05 Nov 2009 20:08:49 +0000</pubDate>
</item>
<item>
	<title>Spam Wars Dispatches: Facebook Login Credentials Phishing</title>
	<guid>http://spamwars.com/archives/2009/11/facebook_login.html</guid>
	<link>http://spamwars.com/archives/2009/11/facebook_login.html</link>
	<description>&lt;p&gt;Here's a believable phishing message aimed at capturing Facebook accounts and username/password pairs to accomplish a variety of nastiness:&lt;/p&gt;

&lt;blockquote&gt;
From: &quot;Facebook&quot; &amp;lt;update+zzbvjrnbpbnx@facebookmail.com&amp;gt;&lt;br /&gt;
Subject: New login system

&lt;p&gt;Dear Facebook user,&lt;/p&gt;

&lt;p&gt;In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security.&lt;br /&gt;
Before you are able to use the new login system, you will be required to update your account.&lt;/p&gt;

&lt;p&gt;Please click on the link below to update your account online now:&lt;/p&gt;

&lt;p&gt;http://www.facebook.com.[removed].eu/globaldirectory/LoginFacebook.php?ref=20244492275620965881064893464436522177812276399621698&amp;amp;email=[removed]@dannyg.com&lt;/p&gt;

&lt;p&gt;If you have any questions, reference our New User Guide.&lt;/p&gt;

&lt;p&gt;Thanks,&lt;br /&gt;
The Facebook Team&lt;br /&gt;
&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;It was easy for me to recognize this as a fake from the inbox listing because I'm one of the few remaining people on Earth who doesn't have a Facebook account. But even if you're a Facebook user, &lt;em&gt;any&lt;/em&gt; email message that talks about security, logging in, or passwords should set your Suspicion switch to High. This carefully crafted message uses a long URL that looks to be to facebook.com &amp;mdash; unless you understand how URLs work, in which case you'd see that the URL is actually to a .eu domain. Moreover, the URL and very Facebook-looking phishing page at the URL destination are wired to display your login name (email address) already filled into the login form &amp;mdash; most likely just like a real Facebook login page.&lt;/p&gt;

&lt;p&gt;Many malware followers wonder how any user could be fooled into yielding login credentials to a phisher, even after so much publicity about such attacks. This is how.&lt;br /&gt;
&lt;/p&gt;</description>
	<pubDate>Thu, 05 Nov 2009 19:10:30 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: ExactTarget: Real Email Threat #3: Lax Permission</title>
	<guid>http://boxofmeat.net/post/234133398</guid>
	<link>http://boxofmeat.net/post/234133398</link>
	<description>&lt;a href=&quot;http://blog.exacttarget.com/blog/morgan-stewart/0/0/real-email-threat-3-lax-permission&quot;&gt;ExactTarget: Real Email Threat #3: Lax Permission&lt;/a&gt;: &lt;p&gt;“The issue of permission presents one of the greatest threats to the future of email marketing. …consumers want greater control over email. They want control over SPAM, they want to be able to unsubscribe from email more easily, and they want greater control over the frequency of commercial email coming to their inboxes. …The belief that marketers can send email to their customers based on a ‘prior existing relationship’—the premise for email appends—is dead. Customers don’t want the practice to continue.”&lt;/p&gt;</description>
	<pubDate>Thu, 05 Nov 2009 19:04:50 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: SFGate: Internet gear isn't isolating us, study says</title>
	<guid>http://boxofmeat.net/post/234092106</guid>
	<link>http://boxofmeat.net/post/234092106</link>
	<description>&lt;a href=&quot;http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/11/05/BUI11AEM99.DTL&quot;&gt;SFGate: Internet gear isn't isolating us, study says&lt;/a&gt;: &lt;p&gt;“Fears that the Internet and other personal technologies are making Americans socially isolated are unfounded…people who use the Internet, instant messaging, mobile phones, photo sharing sites and social networks benefit from being more likely to have a larger, more diverse core of close confidants.”&lt;/p&gt;</description>
	<pubDate>Thu, 05 Nov 2009 18:04:52 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Word to the Wise: Senders need to take responsibility</title>
	<guid>http://boxofmeat.net/post/234049161</guid>
	<link>http://boxofmeat.net/post/234049161</link>
	<description>&lt;a href=&quot;http://blog.wordtothewise.com/2009/11/senders-need-to-take-responsibility/&quot;&gt;Word to the Wise: Senders need to take responsibility&lt;/a&gt;: &lt;p&gt;“…senders need to stop waiting for the ISPs to define good practices. Senders need to implement standards and good practices just because they’re good practices, not because the ISPs are dictating the practices. Senders need to stop customers from doing bad things, and dump them if they won’t stop. Senders need to stop relying on ISPs for specific answers to why mail is being blocked. Senders need to take responsibility for the mail going across their networks.”&lt;/p&gt;</description>
	<pubDate>Thu, 05 Nov 2009 17:04:56 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Advertising Age: Latest Ad Scammers: Faux Ad Agency Execs</title>
	<guid>http://boxofmeat.net/post/234003445</guid>
	<link>http://boxofmeat.net/post/234003445</link>
	<description>&lt;a href=&quot;http://adage.com/digital/article?article_id=140121&quot;&gt;Advertising Age: Latest Ad Scammers: Faux Ad Agency Execs&lt;/a&gt;: &lt;p&gt;“Ads have long been a gateway for spammers and hackers to distribute malicious code, but now the crooks are showing a new level of sophistication by posing as agency executives walking right into the front doors of well-known publishers.”&lt;/p&gt;</description>
	<pubDate>Thu, 05 Nov 2009 16:03:06 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: ICANN move contributing to URL spoofing?</title>
	<guid>http://www.allspammedup.com/?p=1708</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/pJFUv8xca8Q/</link>
	<description>&lt;p&gt;&lt;img class=&quot;alignright size-full wp-image-1715&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2009/10/icann-logo-Custom.jpg&quot; alt=&quot;icann logo (Custom)&quot; width=&quot;240&quot; height=&quot;164&quot; /&gt;By the middle of next year, the lock that Latin alphabets have had on Internet domain names will be broken, when a plan announced last week by the International Corporation for Assigned Names and Numbers, better known as ICANN, is implemented. That prospect may have phishers licking their lips.&lt;/p&gt;
&lt;p&gt;The move&amp;#8211;claimed by ICANN as the biggest technical change in the 40-year history of the Internet&amp;#8211;will allow domain names to be created in languages such as Arabic, Korean, Greek, Hindi, Japanese and Cyrillic. It was initially approved in 2008, but finalization won&amp;#8217;t be completed until the organization wraps up its conference in Seoul, Korea. While the new non-Latin alphabet addresses won&amp;#8217;t start appearing until next year, ICANN expects to see applications for the domains appearing as early as next month.&lt;/p&gt;
&lt;p&gt;ICANN estimates that more than half of the Internet&amp;#8217;s 1.6 billion surfers use non-Latin alphabets and that the acceptance of those alphabets in domain names will save 60 billion to 100 billion keystrokes a day by averting the need to type country codes in Web addresses. Some countries are already using their native alphabets in domain names, but their country codes are in a Latin letter set. Bulgaria, for example, uses Cyrillic, but uses .bg for its country code.&lt;/p&gt;
&lt;p&gt;&lt;span id=&quot;more-1708&quot;&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;ICANN has been testing the new technology behind the change for two years&amp;#8211;a process that phishers are keenly aware of. They&amp;#8217;ve exploited a variation of a technique, called URL spoofing, that leverages non-Latin characters in domain names to divert unsuspecting Websters to malicious Internet sites to rip off their personal information and infect their computers with malware.&lt;br /&gt;
&lt;a href=&quot;http://www.allspammedup.com/2009/09/scamsters-use-url-spoofs-to-evade-spam-filters/&quot; target=&quot;_blank&quot;&gt;&lt;br /&gt;
URL spoofing&lt;/a&gt; substitutes an outlaw Web address for a legitimate one. A simple way to do that is to exploit the state of spelling among English-speaking people. A site like eddiebaur.com might fool the eye of a casual Web surfer looking for outdoor gear from Eddie Bauer. Gaps in domain coverage can also aid spoofers. Who can forget the adult website owner who registered whitehouse.com and siphoned traffic intended for whitehouse.gov? Poor screen typography has also been a rich source of exploitation for phishers. For example, g00gle.com can appear to be google.com in some screen fonts.&lt;/p&gt;
&lt;p&gt;With the addition of International Domain Names, which ICANN will be expanding next year, phishers found another way to disguise their spoofing by taking advantage of similarities between some of the characters in foreign and Latin alphabets. What makes that approach superior to other typographic tricks is that a target may have no way of knowing that he or she is headed to a spoofed address. That&amp;#8217;s because in certain fonts foreign characters look like Latin characters. For example, a Cyrillic &amp;#8220;o&amp;#8221; will look like its Latin counterpart in many fonts. While a netizen may not be able to distinguish between the two o&amp;#8217;s, his or her browser can, and it will act accordingly, taking the unwitting cybertraveler to some Internet back alley where he or she can be fleeced.&lt;/p&gt;
&lt;p&gt;ICANN has believed for a long time that homographic attacks that exploit IDNs are a manageable problem. For example, it &lt;a href=&quot;http://www.icann.org/en/announcements/announcement-23feb05.htm&quot; target=&quot;_blank&quot;&gt;noted in a statement&lt;/a&gt; released in 2005:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;&amp;#8220;While the recent publicising of the IDN-based homograph attack potential has brought this issue to wider public attention, the possibilities of the expansion of homograph exploits has been a topic of research and discussion within the ICANN community since before the adoption of IDN standards. Significant work has been done to define implementation practices such as IDN Language Registry Tables, and guidelines for restricting or managing mixed-character-set domain name registrations.&amp;#8221;&lt;/p&gt;&lt;/blockquote&gt;
&lt;blockquote&gt;&lt;p&gt;&amp;#8220;ICANN is concerned about the potential exacerbation of homograph domain name spoofing as IDNs become more widespread,&amp;#8221; it added, &amp;#8220;and is equally concerned about the implementation of countermeasures that may unnecessarily restrict the use and availability of IDNs.&amp;#8221;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Despite ICANN&amp;#8217;s optimism, the verdict will remain out on how manageable the spoofing problem is until cyberspace starts getting flooded with IDNs and the phishers start working their malevolence on them.&lt;/p&gt;
&lt;p&gt;Phishing is becoming increasingly popular among Black Hats as a vehicle for Internet crime. The Anti-Phishing Working Group, in an analysis released last month, noted that unique phishing reports submitted to the organization hit an all time high of 37,758 in May. The number of phishing websites also peaked during the first six months of this year, reaching 49,084, the highest figure since April 2007, when a record 55,643 sites were reported.&lt;/p&gt;
&lt;p&gt;The &lt;a href=&quot;http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf&quot; target=&quot;_blank&quot;&gt;APWG also revealed&lt;/a&gt; that the unique instances of domains used to target specific brands reached an all time high of 21,085 in June, a 92 percent increase over January of this year.&lt;/p&gt;
</description>
	<pubDate>Thu, 05 Nov 2009 15:17:47 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): Is it art? Controversy over OSX/LoseGame-A</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=7292</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=7292</link>
	<description>&lt;p&gt;Last week, SophosLabs released detection for &lt;a href=&quot;http://www.sophos.com/blogs/gc/g/2009/11/04/mac-shootemup-zaps-files-game-common-sense&quot;&gt;OSX/LoseGame-A&lt;/a&gt; and following Symantec&amp;#8217;s publishing detection (which they call OSX.Loosemaque) there has been some controversy about whether this is a game or malware (see &lt;a href=&quot;http://www.guardian.co.uk/technology/blog/2009/nov/04/mac-game-art-deletes-files&quot;&gt;1&lt;/a&gt;, &lt;a href=&quot;http://www.macobserver.com/tmo/article/lose_lose_mac_game_deletes_your_files_with_every_ship_destroyed/&quot;&gt;2&lt;/a&gt;, &lt;a href=&quot;http://www.theregister.co.uk/2009/11/04/mac_art_project_trojan_kerfuffle/&quot;&gt;3&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;From my point of view this is malware. Why?&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;The warning screen isn&amp;#8217;t multi-lingual; if English isn&amp;#8217;t your first language you will still recognize &amp;#8216;PRESS ANY KEY TO CONTINUE&amp;#8217;.&lt;/li&gt;
&lt;li&gt;Even if English is your first language a child looking for games on the computer will not read the warning but press through to the game.&lt;/li&gt;
&lt;p&gt;&lt;img title=&quot;Lose Lose warning screen&quot; src=&quot;http://www.sophos.com/blogs/gc/images/blogs/gc/2009/11/loselose2.jpg&quot; alt=&quot;Lose Lose warning screen&quot; /&gt;&lt;/p&gt;
&lt;li&gt;Would our corporate customers want this on their networks? &lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The concept behind &lt;a href=&quot;http://www.sophos.com/security/analyses/viruses-and-spyware/osxlosegamea.html&quot;&gt;OSX/LoseGame-A&lt;/a&gt; is ill conceived and it is likely to have malicious consequences not considered by the author.&lt;/p&gt;</description>
	<pubDate>Thu, 05 Nov 2009 11:12:11 +0000</pubDate>
</item>
<item>
	<title>All Spammed Up: 9 Benefits of Hosted Antispam Services</title>
	<guid>http://www.allspammedup.com/?p=1753</guid>
	<link>http://feedproxy.google.com/~r/Allspammedup/~3/wOCiTXG7h4s/</link>
	<description>&lt;p&gt;&lt;img class=&quot;alignright size-full wp-image-1754&quot; title=&quot;Hosted anti-spam services&quot; src=&quot;http://www.allspammedup.com/wp-content/uploads/2009/11/211738_7448.jpg&quot; alt=&quot;211738_7448&quot; width=&quot;250&quot; height=&quot;187&quot; /&gt;Cloud computing is a popular topic these days.  One of the ways in which cloud computing is being delivered to businesses is by hosted email security services.&lt;/p&gt;
&lt;p&gt;A hosted email security provider offers antivirus and antispam protection for their customers using servers hosted off the customer’s premises.  This delivery model carries many benefits to the customers.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Equipment Costs&lt;/strong&gt; – by choosing a hosted service the customer is not required to purchase their own server hardware to run the security product on their own premises.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Support Costs&lt;/strong&gt; – support is included in the monthly fee to the hosted provider, so the customer is not required to hire and retain staff to manage an on-premise solution.  The hosted provider is responsible for all maintenance and upgrades to keep the service running smoothly.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;License Costs&lt;/strong&gt; – because the customer is not running their own server they also save on software licensing costs.  Furthermore they are simply paying a per-user license cost to the hosted provider.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Bandwidth&lt;/strong&gt; – because any virus or spam emails are filtered by the hosted provider that traffic never reaches the customer’s network, saving their bandwidth which is both a cost and a performance benefit.&lt;span id=&quot;more-1753&quot;&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Scalability &lt;/strong&gt;– the customer benefits by only having to pay per-user, and then having the flexibility to scale up as necessary by buying more licenses.  For on-premises solutions this may eventually lead to outgrowing an existing server, whereas with hosted services the provider manages their overall capacity needs for all of their customers and is responsible for scaling up as necessary to meet demand.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Features &lt;/strong&gt;– end user control and comprehensive reporting are two features common to hosted services.  Some on-premises solutions lack these important features.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Simplicity&lt;/strong&gt; – for large businesses with multiple network entry points a hosted service offers a single point of entry for email rather than having to manage multiple points of entry each with their own security product installed.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Flexibility &lt;/strong&gt;– if a hosted service is not performing well or meeting expectations the customer can simply switch to another service without wasting expenditure.  For on-premises solutions switching to a new product can be costly because the existing product has already been paid for.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Compatibility &lt;/strong&gt;– hosted services operate independently of their customer’s normal choice of server operating system or email platform.  For on-premises solutions a customer is often constrained by which products will be compatible with their other systems.&lt;/p&gt;
&lt;p&gt;The benefits of hosted email security solutions are quite clear and for many businesses a hosted service will be a much more cost effective option than on-premises solutions.  Certainly all businesses should carefully consider hosted offerings when they are evaluating antispam solutions for themselves.&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;TITLE: Benefits of Hosted Antispam Services&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;Cloud computing is a popular topic these days.&lt;span&gt; &lt;/span&gt;One of the ways in which cloud computing is being delivered to businesses is by hosted email security services.&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;A hosted email security provider offers antivirus and antispam protection for their customers using servers hosted off the customer’s premises.&lt;span&gt; &lt;/span&gt;This delivery model carries many benefits to the customers.&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;strong&gt;Equipment Costs&lt;/strong&gt; – by choosing a hosted service the customer is not required to purchase their own server hardware to run the security product on their own premises.&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;strong&gt;Support Costs&lt;/strong&gt; – support is included in the monthly fee to the hosted provider, so the customer is not required to hire and retain staff to manage an on-premise solution.&lt;span&gt; &lt;/span&gt;The hosted provider is responsible for all maintenance and upgrades to keep the service running smoothly.&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;strong&gt;License Costs&lt;/strong&gt; – because the customer is not running their own server they also save on software licensing costs.&lt;span&gt; &lt;/span&gt;Furthermore they are simply paying a per-user license cost to the hosted provider.&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;strong&gt;Bandwidth&lt;/strong&gt; – because any virus or spam emails are filtered by the hosted provider that traffic never reaches the customer’s network, saving their bandwidth which is both a cost and a performance benefit.&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;strong&gt;Scalability &lt;/strong&gt;– the customer benefits by only having to pay per-user, and then having the flexibility to scale up as necessary by buying more licenses.&lt;span&gt; &lt;/span&gt;For on-premises solutions this may eventually lead to outgrowing an existing server, whereas with hosted services the provider manages their overall capacity needs for all of their customers and is responsible for scaling up as necessary to meet demand.&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;strong&gt;Features &lt;/strong&gt;– end user control and comprehensive reporting are two features common to hosted services.&lt;span&gt; &lt;/span&gt;Some on-premises solutions lack these important features.&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;strong&gt;Simplicity&lt;/strong&gt; – for large businesses with multiple network entry points a hosted service offers a single point of entry for email rather than having to manage multiple points of entry each with their own security product installed.&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;strong&gt;Flexibility &lt;/strong&gt;– if a hosted service is not performing well or meeting expectations the customer can simply switch to another service without wasting expenditure.&lt;span&gt; &lt;/span&gt;For on-premises solutions switching to a new product can be costly because the existing product has already been paid for.&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;&lt;strong&gt;Compatibility &lt;/strong&gt;– hosted services operate independent to their customer’s normal choice of server operating system or email platform.&lt;span&gt; &lt;/span&gt;For on-premises solutions a customer is often constrained by which products will be compatible with their other systems.&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;The benefits of hosted email security solutions are quite clear and for many businesses a hosted service will be a much more cost effective option than on-premises solutions.&lt;span&gt; &lt;/span&gt;Certainly all businesses should carefully consider hosted offerings when they are evaluating antispam solutions for themselves.&lt;/p&gt;
</description>
	<pubDate>Thu, 05 Nov 2009 09:41:59 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): You have won a lottery!!!</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=7274</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=7274</link>
	<description>&lt;p&gt;Malware coming in the form of attachments is not unusual these days.&lt;/p&gt;
&lt;p&gt;However, malware can also be found in links provided within e-mails:&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/untitled3.jpg&quot;&gt;&lt;img class=&quot;alignnone size-full wp-image-7276&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/untitled3.jpg&quot; alt=&quot;&quot; width=&quot;500&quot; height=&quot;480&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Its name, &amp;#8220;You have won!.pdf&amp;#8221;, suggests to people that they have won some kind of lottery. However, the URLs lead to a malicious file, which seems to have been taken down (access to it is already blocked by Sophos&amp;#8217;s web appliance).&lt;/p&gt;
&lt;p&gt;So, please beware of such malicious links and their fake claims that you have won some money ;-).&lt;/p&gt;
&lt;p&gt;If you are curious about what you did win, you can always click on the link and win yourself a piece of malware ;-).&lt;/p&gt;</description>
	<pubDate>Thu, 05 Nov 2009 06:48:34 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: The story of Conficker</title>
	<guid>http://blogs.msdn.com/tzink/archive/2009/11/04/the-story-of-conficker.aspx</guid>
	<link>http://blogs.msdn.com/tzink/archive/2009/11/04/the-story-of-conficker.aspx</link>
	<description>&lt;p&gt;One of my favorite stories in the recent edition of the &lt;a href=&quot;http://go.microsoft.com/?linkid=9693456&quot;&gt;Microsoft Security and Intelligence Report v7&lt;/a&gt;, pp 29-32, is the story of Conficker.&amp;nbsp; I thought I would repost it here because it illustrates the problem of Conficker and the way the industry worked together to respond to the problem.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;Case Study: The Conficker Working Group&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;The appearance in late 2008 of Win32/Conficker, an aggressive and technically complex new family of worms, posed a serious challenge to security responders and others charged with ensuring the safety of the world’s computer systems and data. (“Win32/Conficker Update,” beginning on page 95, explains the technical details of the Conficker worm and the methods it uses to propagate.) Working together, however, the security community was able to react quickly to the threat and contain much of the damage, in the process establishing a potentially groundbreaking template for future cooperative response efforts. On October 23, 2008, Microsoft released critical security update MS08-067, addressing CVE-2008-4250, a vulnerability in the Windows Server service that could allow malicious code to spread silently between vulnerable computers across the Internet. &lt;/p&gt;  &lt;p&gt;The vulnerability affected most currently supported versions of Windows, although architectural improvements in Windows Vista and Windows Server 2008 made them more difficult to exploit than earlier versions. Like the worms that plagued the Internet earlier this decade, malware that exploited the vulnerability would be able to spread without user interaction by taking advantage of the protocols computers use to communicate with each other across networks. 
For this reason, and because actual attack code that exploited the vulnerability was known to exist in the wild at the time, the MSRC took the unusual step of releasing MS08-067 “out of band” rather than wait for the next scheduled release of Microsoft security updates, which takes place on the second Tuesday of every month. Security Bulletin MS08-067 happened to be released on the last day of the eighth annual meeting of the International Botnet Task Force in Arlington, Virginia, a suburb of Washington, D.C., where attendees agreed to closely monitor developments around what appeared to be the first legitimately “wormable” vulnerability to be discovered in Windows in several years. &lt;/p&gt;  &lt;p&gt;The November appearance of Win32/Conficker, the first significant worm that exploited the MS08-067 vulnerability, marked a major challenge for security researchers, due to the aggressive tactics several of its variants used to propagate. Despite this, researchers soon discovered a way to limit or eliminate the Conficker bot-herders’ ability to issue instructions to infected computers. As described on page 96, the authors of the Conficker malware used an algorithm to generate 500 new domain names every day (250 for each of the first two Conficker variants discovered) to use for command-and-control servers. Computers infected with Conficker would attempt to contact each of these generated domain names every day. If the authors had a task they wanted the computers in the botnet to perform, they would simply use the same algorithm to generate domain names in advance and register a few of them, which they could then use to host command-and-control servers. &lt;/p&gt;  &lt;p&gt;Fortunately, researchers from Microsoft and other organizations were able to reverse engineer the domain-name-generation algorithms used by the first two variants, designated Worm:Win32/Conficker.A and Worm:Win32/Conficker.B, soon after each variant was discovered. 
This enabled them to begin registering the domain names before the botnet operators could, thereby impeding the Conficker malware from obtaining new instructions. Initially, the researchers resorted to registering the domains commercially through the domain name registrars for the eight top-level domains (TLDs) (.com, .net, .org, .info, .biz, .ws, .cn, and .cc) used by Conficker, an approach that quickly became unworkable. Registering 500 domain names per day would cost thousands of (U.S.) dollars per day for the foreseeable future—and the cost would only increase if new variants appeared using different name-generation algorithms. It was clear that more help would be needed.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://blogs.msdn.com/tzink/archive/2009/11/04/the-story-of-conficker.aspx&quot;&gt;Conficker, 
Part 1&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://blogs.msdn.com/tzink/archive/2009/11/05/the-story-of-conficker-part-2.aspx&quot;&gt;Conficker, 
Part 2&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://blogs.msdn.com/tzink/archive/2009/11/05/the-story-of-conficker-part-3.aspx&quot;&gt;Conficker, 
Part 3&lt;/a&gt;&lt;/p&gt;</description>
	<pubDate>Thu, 05 Nov 2009 01:08:00 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Red Pill Email: An Underpants Gnomes View of Email Marketing</title>
	<guid>http://boxofmeat.net/post/233236833</guid>
	<link>http://boxofmeat.net/post/233236833</link>
	<description>&lt;a href=&quot;http://redpillemail.com/blog/2009/an-underpants-gnomes-view-of-email-marketing.html#utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=an-underpants-gnomes-view-of-email-marketing&quot;&gt;Red Pill Email: An Underpants Gnomes View of Email Marketing&lt;/a&gt;</description>
	<pubDate>Wed, 04 Nov 2009 22:12:53 +0000</pubDate>
</item>
<item>
	<title>Enemieslist: Links Roundup</title>
	<guid>http://enemieslist.com/news/archives/2009/11/links_roundup_462.html</guid>
	<link>http://enemieslist.com/news/archives/2009/11/links_roundup_462.html</link>
	<description>&lt;ul&gt;
 &lt;li&gt;&lt;a href=&quot;http://thegovmonitor.com/world_news/united_states/new-york-invests-3-million-in-federal-funds-to-protect-computers-against-cyber-attacks-13723.html&quot;&gt;New York Invests $3 Million In Federal Funds To Protect Computers Against Cyber Attacks&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://boxofmeat.net/post/234049161/takeresponsibility&quot;&gt;WORD TO THE WISE: SENDERS NEED TO TAKE RESPONSIBILITY&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://boxofmeat.net/post/234133398/laxpermission&quot;&gt;EXACTTARGET: REAL EMAIL THREAT #3: LAX PERMISSION&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://www.spamtacular.com/2009/11/05/breaking-sorbs-bought-by-gfi-with-confirmation/&quot;&gt;Breaking: SORBS bought by GFI (with confirmation!)&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://www.esecurityplanet.com/features/article.php/3844771/Electronic-Health-Records-Privacy-Issues-Remain.htm&quot;&gt;Electronic Health Records: Privacy Issues Remain&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://boxofmeat.net/post/219320315/linkspam&quot;&gt;DAGGLE: HOW LINK SPAMMERS KILLED MY WIFE’S WEB SITE&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://boxofmeat.net/post/219357938/blumbergdma&quot;&gt;ONLYONCE: WHY I JOINED THE DMA BOARD, AND WHAT YOU CAN EXPECT OF ME IN THAT ROLE&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://www.philly.com/philly/news/20091021_Feds__Bank_workers_helped_theft_ring_steal__1_3_million.html&quot;&gt;Feds: Bank workers helped theft ring steal $1.3 million&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://boxofmeat.net/post/220044123/networkleaks&quot;&gt;KILL ALL HUMANS: EVERYONE’S NETWORK LEAKS&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://www.spamresource.com/2009/10/barry-dont-play-that.html&quot;&gt;Barry Don't Play That&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://www.cnycentral.com/news/news_story.aspx?id=365998&quot;&gt;Bank phone phishing scam grows&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://pinewswire.blogspot.com/2009/10/be-alert-to-scams-and-avoid-falling.html&quot;&gt;Be Alert to Scams and Avoid Falling Victim to Fraud or Identity Theft&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://www.legalbytes.com/2009/10/articles/social-media-1/maine-recommends-repeal-of-controversial-privacy-law/&quot;&gt;Maine Recommends Repeal of Controversial Privacy Law&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://blog.facebook.com/blog.php?post=58219622130&quot;&gt;The Fight Goes On&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://www.spamresource.com/2009/10/ask-al-bad-things-happening.html&quot;&gt;Ask Al: Bad things happening?&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://boxofmeat.net/post/227979394/eec&quot;&gt;CLICKZ: E-MAIL MARKETERS TRIP UP ON QUALITY CONTROL&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://boxofmeat.net/post/228024276/nationalcommunity&quot;&gt;TECHLAW: OBSCENITY IN E-MAIL MESSAGES JUDGED BY NATIONAL COMMUNITY STANDARDS&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://www.circleid.com/posts/20001026_deluge_is_underway_is_email_waterproof/&quot;&gt;A Deluge is Underway; is Email Waterproof?&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://www.email-marketing-reports.com/iland/2009/10/future-of-deliverability-4-role-of.html&quot;&gt;Future of deliverability: 4. The role of certification&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://boxofmeat.net/post/228067160/ripeapology&quot;&gt;PC WORLD: UK POLICE SMOOTH OVER RIFT WITH INTERNET REGISTRY&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://boxofmeat.net/post/228109746/emailking&quot;&gt;TIDBITS OPINION: WHY EMAIL REMAINS THE KING OF INTERNET COMMUNICATIONS&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://news.cnet.com/8301-1023_3-10387021-93.html&quot;&gt;Facebook awarded $711 million in spam lawsuit&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://sanfrancisco.fbi.gov/dojpressrel/pressrel09/sf102909.htm&quot;&gt;Former CEO of YouSendIt Charged with Denial of Service of Attack&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://voices.washingtonpost.com/securityfix/2009/11/what_windows_autorun_hath_wrou.html?wprss=securityfix&quot;&gt;What Windows Autorun Has Wrought&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://blog.wordtothewise.com/2009/11/the-legitimate-email-marketer/&quot;&gt;The legitimate email marketer&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://www.rcfp.org/newsitems/index.php?i=11088&quot;&gt;Arizona Supreme Court rules electronic data is public&lt;/a&gt;&lt;br /&gt;Well, metadata, anyway&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://boxofmeat.net/post/231947625/nzherbalking&quot;&gt;SPAMHAUS BLOG: SOME GOOD NEWS FROM DOWNUNDER&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://adage.com/digital/article?article_id=140121&quot;&gt;Latest Ad Scammers: Faux Agency Execs&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://blog.exacttarget.com/blog/the-exacttarget-blog/0/0/real-email-threat-3-lax-permission&quot;&gt;Real Email Threat #3: Lax Permission&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://www.spamtacular.com/2009/11/03/filters-are-stupid/&quot;&gt;Filters are stupid&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://boxofmeat.net/post/232035172/moneymule&quot;&gt;WASHINGTON POST SECURITY FIX: UPTICK IN 'MONEY MULE' SCAMS&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://boxofmeat.net/post/232077528/terrorfunds&quot;&gt;JART ARMIN IN INTERNET EVOLUTION: TERROR ATTACKS NOW FUNDED MOSTLY BY ONLINE FRAUD&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://boxofmeat.net/post/232120258/ipsforrep&quot;&gt;WORD TO THE WISE: I NEED IP ADDRESSES FOR REPUTATION&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://securitywatch.eweek.com/apple/dutch_attacker_hijacks_apple_iphones.html&quot;&gt;Dutch Attacker Hijacked iPhones, Demanded Ransom&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://jedsmith.org/?p=90&quot;&gt;SORBS acquired by GFi Software for $451k&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://blog.exacttarget.com/blog/al-iverson/0/0/do-consumers-hate-email-append&quot;&gt;Do consumers hate email append?&lt;/a&gt;&lt;/li&gt;
 &lt;li&gt;&lt;a href=&quot;http://www.spamtacular.com/2009/11/04/use-private-domain-registration-and-go-to-jail/&quot;&gt;Use Private Domain Registration and Go to Jail?&lt;/a&gt;&lt;br /&gt;Woo-hoo!&lt;/li&gt;
&lt;/ul&gt;</description>
	<pubDate>Wed, 04 Nov 2009 21:09:43 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Digital Copyright Canada: Debate on spam became innovation agenda discussion</title>
	<guid>http://boxofmeat.net/post/233056949</guid>
	<link>http://boxofmeat.net/post/233056949</link>
	<description>&lt;a href=&quot;http://www.digital-copyright.ca/node/5081&quot;&gt;Digital Copyright Canada: Debate on spam became innovation agenda discussion&lt;/a&gt;: &lt;p&gt;“We laugh about the silly and stupid things we come across in spam day after day, but we need to see the effect that it is having in terms of not just our ability to do our work but the very nature of the threat it is posing to average citizens. Spammers are very tied into a growing level of Internet fraud. They undermine confidence. We do not want to go to a website and leave our email information, because we do not want it to be taken and misused.&lt;/p&gt;
&lt;p&gt;If we do not have confidence, it undermines our ability to move forward.”&lt;/p&gt;
&lt;p&gt;(via &lt;a target=&quot;_blank&quot; href=&quot;http://www.cauce.org/archives/128-C27-Digital-Copyright-Canada-Debate-on-spam-became-innovation-agenda-discussion.html&quot;&gt;CAUCE&lt;/a&gt;)&lt;/p&gt;</description>
	<pubDate>Wed, 04 Nov 2009 18:07:51 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Mike Moran in Internet Evolution: The Internet Has Sent Marketing Back to Its Roots</title>
	<guid>http://boxofmeat.net/post/233012841</guid>
	<link>http://boxofmeat.net/post/233012841</link>
	<description>&lt;a href=&quot;http://www.internetevolution.com/author.asp?section_id=698&amp;doc_id=183998&quot;&gt;Mike Moran in Internet Evolution: The Internet Has Sent Marketing Back to Its Roots&lt;/a&gt;: &lt;p&gt;“Lots of pixels have been spilled discussing how marketers can adapt to the new world order that the Internet has ushered in. But we have spent relatively little time noticing the changes in the rest of marketing.”&lt;/p&gt;</description>
	<pubDate>Wed, 04 Nov 2009 17:05:57 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: A VC: The Double Opt-In Introduction</title>
	<guid>http://boxofmeat.net/post/232968126</guid>
	<link>http://boxofmeat.net/post/232968126</link>
	<description>&lt;a href=&quot;http://www.avc.com/a_vc/2009/11/the-double-optin-introduction.html&quot;&gt;A VC: The Double Opt-In Introduction&lt;/a&gt;: &lt;p&gt;“When introducing two people who don’t know each other, ask each of them to opt-in to the introduction before making it.”&lt;/p&gt;</description>
	<pubDate>Wed, 04 Nov 2009 16:04:09 +0000</pubDate>
</item>
<item>
	<title>Enemieslist: new pats posted - 20091104 (maintenance pats release)</title>
	<guid>http://enemieslist.com/news/archives/2009/11/new_pats_posted_528.html</guid>
	<link>http://enemieslist.com/news/archives/2009/11/new_pats_posted_528.html</link>
	<description>&lt;p&gt;44933 patterns, 11494 right anchor strings, 187725 test IPs.&lt;/p&gt;

&lt;p&gt;Some more contribs and updates. There were several interim releases since&lt;br /&gt;
11/02; I'll continue to do this and only mention major releases from now&lt;br /&gt;
on. Eventually, we will move to a more automated publishing model and&lt;br /&gt;
I'll have to figure out whether anyone finds these notices useful or if&lt;br /&gt;
I will just stop doing them altogether.&lt;/p&gt;

&lt;p&gt;Also note that the rbldnsd zone file now has support for 'cloud', using&lt;br /&gt;
response code 127.0.0.12. Currently only a few of these, but the field&lt;br /&gt;
is growing, so expect more to come. This may be used via the most recent&lt;br /&gt;
sendmail package, and I've updated the SpamAssassin plugin to support it&lt;br /&gt;
as well.&lt;/p&gt;

&lt;p&gt;Download them here:&lt;/p&gt;

&lt;p&gt; sendmail:&lt;br /&gt;
 http://enemieslist.com/downloads/sendmail_access_db&lt;br /&gt;
 http://enemieslist.com/downloads/rightanchors&lt;/p&gt;

&lt;p&gt; postfix:&lt;br /&gt;
 http://enemieslist.com/downloads/postfix_regexp_table&lt;br /&gt;
 http://enemieslist.com/downloads/postfix_regexp_table-20091104&lt;/p&gt;

&lt;p&gt; exim:&lt;br /&gt;
 http://enemieslist.com/downloads/exim_hosts&lt;br /&gt;
 http://enemieslist.com/downloads/exim_hosts-20091104&lt;br /&gt;
&lt;/p&gt;</description>
	<pubDate>Wed, 04 Nov 2009 15:06:11 +0000</pubDate>
</item>
<item>
	<title>John Graham-Cumming: Geek Weekend (Paris Edition), Day 1: The Curie Museum</title>
	<guid>tag:blogger.com,1999:blog-19303585.post-7020166355387687575</guid>
	<link>http://www.jgc.org/blog/2009/11/geek-weekend-paris-edition-day-1-curie.html</link>
	<description>So, it was off to Paris for the weekend via &lt;a href=&quot;http://www.eurotunnel.com/&quot;&gt;Eurotunnel&lt;/a&gt; and I managed to fit in four places from &lt;a href=&quot;http://geekatlas.com/&quot;&gt;The Geek Atlas&lt;/a&gt; in four days.  I was staying in a hotel in the Latin Quarter which is a &lt;a href=&quot;http://maps.google.com/maps/ms?ie=UTF&amp;msa=0&amp;msid=115534058077032750528.0004777a22cae3b756d05&quot;&gt;stone's throw&lt;/a&gt; from... &lt;a href=&quot;http://www.curie.fr/fondation/musee/musee.cfm/lang/_gb.htm&quot;&gt;The Curie Museum&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Here's Marie Curie's laboratory:&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.jgc.org/blog/uploaded_images/P1000684-710959.JPG&quot;&gt;&lt;img src=&quot;http://www.jgc.org/blog/uploaded_images/P1000684-710487.JPG&quot; border=&quot;0&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;br /&gt;The museum covers the lives and works of two Nobel Prize-winning couples: Pierre and Marie Curie (they discovered &lt;a href=&quot;http://en.wikipedia.org/wiki/Radium&quot;&gt;Radium&lt;/a&gt; and &lt;a href=&quot;http://en.wikipedia.org/wiki/Polonium&quot;&gt;Polonium&lt;/a&gt;) and their daughter Irene and her husband Frederic Joliot (they discovered &lt;a href=&quot;http://en.wikipedia.org/wiki/Artificial_radioactivity&quot;&gt;artificial radioactivity&lt;/a&gt;: you could make a substance radioactive by bombarding it with alpha particles).&lt;br /&gt;&lt;br /&gt;Their Nobel Prizes are on display as is the equipment that they used (including the apparatus for measuring radiation by measuring ionization of air---which itself had been discovered by Becquerel).&lt;br /&gt;&lt;br /&gt;Here are the Nobel Prizes:&lt;br /&gt;&lt;br /&gt;&lt;a 
href=&quot;http://www.jgc.org/blog/uploaded_images/P1000680-784753.JPG&quot;&gt;&lt;img src=&quot;http://www.jgc.org/blog/uploaded_images/P1000680-784259.JPG&quot; border=&quot;0&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;br /&gt;Although I love the science section of the museum (including the laboratory where they worked with a piece of paper from one of their notebooks with its radioactive thumb print---they weren't too careful about handling radioactive elements), the best bit is the section on the craze for radium products in the 1920s and 1930s.&lt;br /&gt;&lt;br /&gt;Here's an ad for a beauty cream that contains radium and thorium.  Gives you that special glow!&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.jgc.org/blog/uploaded_images/P1000687-783768.JPG&quot;&gt;&lt;img src=&quot;http://www.jgc.org/blog/uploaded_images/P1000687-783183.JPG&quot; border=&quot;0&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;br /&gt;Here you'll find make up that contains thorium and radium, special radium wool to keep babies warm, a radium dispenser so you could have a radioactive soak in the bath and more...&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.jgc.org/blog/uploaded_images/P1000686-737859.JPG&quot;&gt;&lt;img src=&quot;http://www.jgc.org/blog/uploaded_images/P1000686-737367.JPG&quot; border=&quot;0&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;br /&gt;Seems stupid now, but back then the dangers were either ignored or unknown, and radioactivity seemed like a wondrous thing (especially since it was discovered early on that it would kill or reduce tumors).  I wonder what products we are feeding ourselves that in 70 years we'll consider downright dangerous.&lt;br /&gt;&lt;br /&gt;There's a nice web site of &lt;a href=&quot;http://www.orau.org/ptp/collection/quackcures/quackcures.htm&quot;&gt;radioactive quack cures&lt;/a&gt; which make my skin crawl.  Yes, I'm going to take a radioactive suppository to boost my sex life tonight!  
Move over Viagra, here's &lt;a href=&quot;http://www.orau.org/ptp/collection/quackcures/radsup.htm&quot;&gt;Vita Radium&lt;/a&gt;.</description>
	<pubDate>Wed, 04 Nov 2009 11:37:12 +0000</pubDate>
</item>
<item>
	<title>Spamresource.com: Breaking News: Spambag is Still Dead</title>
	<guid>tag:blogger.com,1999:blog-26753622.post-4583712392157037402</guid>
	<link>http://www.spamresource.com/2009/11/breaking-news-spambag-is-still-dead.html</link>
	<description>Mangesh writes, &lt;i&gt;&quot;Can you verify and help me out to remove my exchange server at IP address XXX.XXX.XXX.XXX from blacklist.spambag.org? You can email me on same email address or alternate email address i.e. address@example.com . My contact number is XXX-XXX-XXX.&quot;&lt;/i&gt;&lt;br /&gt;&lt;a name=&quot;more&quot;&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;You bet, my friend. I've got it covered. Here's what you need to do. It's a simple one-step process. It's so simple, I am not sure if I can patent it. I'll share it with you free-of-charge, as valuable as I suspect it is. Are you ready? Here goes:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Don't sweat it.&lt;/li&gt;&lt;/ol&gt;Seriously, that's all there is to it. &lt;a href=&quot;http://www.spamresource.com/2009/07/ask-al-blacklisted-by-spambag.html&quot;&gt;Spambag has been DEAD since 2007&lt;/a&gt;. If somebody is blocking your mail due to a Spambag listing, they're probably blocking 100% of their inbound mail. Laugh at them for being stupid, or feel sad because they are so incompetent. Call them on the phone and try to educate them, if you like. But, don't expect that I can help you get just YOUR mail delivered through this block. Because there is no more Spambag, and there is nothing for you to be removed from.&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;hr /&gt;&lt;a href=&quot;http://www.spamresource.com&quot;&gt;Al Iverson's Spam Resource&lt;/a&gt;
&lt;/div&gt;</description>
	<pubDate>Wed, 04 Nov 2009 07:13:00 +0000</pubDate>
</item>
<item>
	<title>Sophos Blog (Spam Category): From Server/Outlook update to FDIC to facebook phish: now with a twist</title>
	<guid>http://www.sophos.com/blogs/sophoslabs/?p=7248</guid>
	<link>http://www.sophos.com/blogs/sophoslabs/?p=7248</link>
	<description>&lt;p&gt;In the past few weeks, the authors behind Zbot have been busy. Around October 12 we saw the &lt;a title=&quot;Server upgrade spam&quot; href=&quot;http://feeds.sophos.com/en/server upgrade spam&quot;&gt;server upgrade spam&lt;/a&gt; with links. Later, on the 14th, we saw the same campaign &lt;a title=&quot;Server upgrade spam redux&quot; href=&quot;http://www.sophos.com/blogs/sophoslabs/post/6897&quot;&gt;with the malware attached&lt;/a&gt; to similar-looking server upgrade notices. By the 22nd of October, the spam messages were touting &lt;a title=&quot;Malicious update for Microsoft Outlook / Outlook Express (KB910721)&quot; href=&quot;http://www.sophos.com/blogs/sophoslabs/post/7044&quot;&gt;Outlook updates&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;For a few days during the past week, the group has turned their attention to the Federal Deposit Insurance Corporation (FDIC), spamming out links to malware sites with the message below:&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/zbot-fdic.png&quot;&gt;&lt;img class=&quot;aligncenter size-full wp-image-7253&quot; title=&quot;zbot-fdic&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/zbot-fdic.png&quot; alt=&quot;&quot; width=&quot;550&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;With the global economy as it is, notice of bank failures would certainly draw a lot of attention and irrational behavior. After all, the thought of hard-earned money being gone forever is going to scare a lot of people. Of course, downloading the &amp;#8220;personal FDIC insurance file&amp;#8221; would give nothing but grief. The bank deposits are still safe, but the computer would probably get infected.&lt;/p&gt;
&lt;p&gt;After the blast of FDIC messages, the Zbot authors turned to Facebook as their latest platform to spread malware. However, they added a twist to it. The messages are well-crafted to look like a real Facebook message:&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/zbot-facebook.png&quot;&gt;&lt;img class=&quot;aligncenter size-full wp-image-7254&quot; title=&quot;zbot-facebook&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/zbot-facebook.png&quot; alt=&quot;&quot; width=&quot;550&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The message asks the user to update their Facebook account. The new twist is that, when they get to the linked site, there is no link to download an executable yet. Instead, they&amp;#8217;re shown a fake Facebook login page:&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/zbot-facebook2.png&quot;&gt;&lt;img class=&quot;aligncenter size-full wp-image-7255&quot; title=&quot;zbot-facebook2&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/zbot-facebook2.png&quot; alt=&quot;&quot; width=&quot;550&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Victims who enter their Facebook login get their account details phished, probably for the purpose of spreading more malware. Since this is not a real Facebook page, any random login info would bring you to this next page:&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/zbot-facebook3.png&quot;&gt;&lt;img class=&quot;aligncenter size-full wp-image-7256&quot; title=&quot;zbot-facebook3&quot; src=&quot;http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2009/11/zbot-facebook3.png&quot; alt=&quot;&quot; width=&quot;550&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;It is on this page that the malware author provides an executable for download. This file, updatetool.exe, is a Zbot executable that is proactively detected as &lt;a title=&quot;Mal/EncPk-LE Malicious behavior - Sophos security analysis&quot; href=&quot;http://www.sophos.com/security/analyses/viruses-and-spyware/malencpkle.html&quot;&gt;Mal/EncPk-LE&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;With the creative social engineering that the Zbot authors have been using, users should be really careful when reading messages, whether in an email or from a social network. Not clicking links directly, manually typing the address to access the site, and not executing files would do a lot to protect one&amp;#8217;s computer.&lt;/p&gt;</description>
	<pubDate>Wed, 04 Nov 2009 01:06:16 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Washington Post Security Fix: What Windows Autorun Has Wrought</title>
	<guid>http://boxofmeat.net/post/232214847</guid>
	<link>http://boxofmeat.net/post/232214847</link>
	<description>&lt;a href=&quot;http://voices.washingtonpost.com/securityfix/2009/11/what_windows_autorun_hath_wrou.html?wprss=securityfix&quot;&gt;Washington Post Security Fix: What Windows Autorun Has Wrought&lt;/a&gt;: &lt;p&gt;“As a feature first introduced way back in Windows 95, Autorun had…well, a pretty good run, particularly considering how long malware has used it as a propagation method. Frankly, I’m surprised that Microsoft kept Autorun as the default option for as long as it did….”&lt;/p&gt;</description>
	<pubDate>Tue, 03 Nov 2009 22:16:57 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: How To Use An Apostrophe</title>
	<guid>http://boxofmeat.net/post/232165940</guid>
	<link>http://boxofmeat.net/post/232165940</link>
	<description>&lt;a href=&quot;http://apostrophe.me/&quot;&gt;How To Use An Apostrophe&lt;/a&gt;: &lt;p&gt;A simple, useful primer on how to get your punctuation’s right.&lt;/p&gt;</description>
	<pubDate>Tue, 03 Nov 2009 21:15:52 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Word to the Wise: I need IP addresses for reputation</title>
	<guid>http://boxofmeat.net/post/232120258</guid>
	<link>http://boxofmeat.net/post/232120258</link>
	<description>&lt;a href=&quot;http://blog.wordtothewise.com/2009/11/i-need-ip-addresses-for-reputation/&quot;&gt;Word to the Wise: I need IP addresses for reputation&lt;/a&gt;: &lt;p&gt;“Reputation is tied to sending IP address, but receiving ISPs aren’t stupid and do recognize attempts to game the system. …The bad customers will drag your reputation as an ESP down more than the good customers will pull it up.”&lt;/p&gt;</description>
	<pubDate>Tue, 03 Nov 2009 20:14:57 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Jart Armin in Internet Evolution: Terror Attacks Now Funded Mostly by Online Fraud</title>
	<guid>http://boxofmeat.net/post/232077528</guid>
	<link>http://boxofmeat.net/post/232077528</link>
	<description>&lt;a href=&quot;http://www.internetevolution.com/author.asp?section_id=717&amp;doc_id=183952&quot;&gt;Jart Armin in Internet Evolution: Terror Attacks Now Funded Mostly by Online Fraud&lt;/a&gt;: &lt;p&gt;“Fraud, and Internet fraud in particular, is increasingly used as a source of funding for terrorists, as traditional supply routes from donors are squeezed by tighter regulations….”&lt;/p&gt;</description>
	<pubDate>Tue, 03 Nov 2009 19:13:53 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Washington Post Security Fix: Uptick in 'money mule' scams</title>
	<guid>http://boxofmeat.net/post/232035172</guid>
	<link>http://boxofmeat.net/post/232035172</link>
	<description>&lt;a href=&quot;http://voices.washingtonpost.com/securityfix/2009/11/fdic_uptick_in_money_mule_scam.html?wprss=securityfix&quot;&gt;Washington Post Security Fix: Uptick in 'money mule' scams&lt;/a&gt;: &lt;p&gt;‘The Federal Deposit Insurance Corporation (FDIC) is warning financial institutions about an uptick in scams involving unauthorized funds transfers from hacked online bank accounts to so-called “money mules,” people hired through work-at-home scams to help cyber criminals overseas launder money.’&lt;/p&gt;
&lt;p&gt;The article goes on to explain exactly how this works, with detailed examples.&lt;/p&gt;</description>
	<pubDate>Tue, 03 Nov 2009 18:12:53 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Email Service Guide: Protect Yourself Against Phishing</title>
	<guid>http://boxofmeat.net/post/231991399</guid>
	<link>http://boxofmeat.net/post/231991399</link>
	<description>&lt;a href=&quot;http://www.emailserviceguide.com/2009/11/avoid-the-hook-protect-yourself-against-phishing/&quot;&gt;Email Service Guide: Protect Yourself Against Phishing&lt;/a&gt;: &lt;p&gt;“As fraudulent email scams become more sophisticated, the average user must become proactive regarding their online security. Armed with common sense and the knowledge of what you should be looking out for, anyone can learn to avoid phishing scam and protect themselves from becoming another victim.”&lt;/p&gt;
&lt;p&gt;This is one of the best articles I’ve seen on the subject.&lt;/p&gt;</description>
	<pubDate>Tue, 03 Nov 2009 17:11:14 +0000</pubDate>
</item>
<item>
	<title>Spamresource.com: The Legitimate Email Marketer Isn't</title>
	<guid>tag:blogger.com,1999:blog-26753622.post-1861860340167958411</guid>
	<link>http://www.spamresource.com/2009/11/legitimate-email-marketer-isnt.html</link>
	<description>As &lt;a href=&quot;http://blog.wordtothewise.com/2009/11/the-legitimate-email-marketer/&quot;&gt;Laura Atkins points out&lt;/a&gt;, everybody who uses the phrase &quot;legitimate email marketer&quot; seems to have some huge horrible problem caused by their own bad practices. And she's right. Actual legitimate marketers don't need to brag. They're too busy making money and friends. Those in the know recognize that waving the phrase around is gauche; a badge of honor worn only by those who don't deserve it.&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;hr /&gt;&lt;a href=&quot;http://www.spamresource.com&quot;&gt;Al Iverson's Spam Resource&lt;/a&gt;
&lt;/div&gt;</description>
	<pubDate>Tue, 03 Nov 2009 17:01:29 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Spamhaus Blog: Some Good News From Downunder</title>
	<guid>http://boxofmeat.net/post/231947625</guid>
	<link>http://boxofmeat.net/post/231947625</link>
	<description>&lt;a href=&quot;http://www.spamhaus.org/news.lasso?article=647&quot;&gt;Spamhaus Blog: Some Good News From Downunder&lt;/a&gt;: &lt;p&gt;“Two New Zealanders…have been fined for their roles in the biggest pharmaceutical spamming operation in the history of the internet…. The operation paid affiliates around the world to send spam emails marketing Herbal King, Elite Herbal and Express Herbal branded pharmaceutical products….”&lt;/p&gt;</description>
	<pubDate>Tue, 03 Nov 2009 16:09:12 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Graham Cluley's blog: Hacked iPhones held hostage for 5 Euros</title>
	<guid>http://boxofmeat.net/post/231902736</guid>
	<link>http://boxofmeat.net/post/231902736</link>
	<description>&lt;a href=&quot;http://www.sophos.com/blogs/gc/g/2009/11/03/hacked-iphones-held-hostage-5-euros/&quot;&gt;Graham Cluley's blog: Hacked iPhones held hostage for 5 Euros&lt;/a&gt;: &lt;p&gt;“Many iPhone owners have jailbroken their devices to allow it to run unofficial code, avoiding Apple’s official App Store. However, some users forget to change the default root password on their device (which is common to all iPhones) - opening a door for potential intruders.”&lt;/p&gt;</description>
	<pubDate>Tue, 03 Nov 2009 15:07:44 +0000</pubDate>
</item>
<item>
	<title>Enemieslist: new pats posted - 20091102 (maintenance pats release)</title>
	<guid>http://enemieslist.com/news/archives/2009/11/new_pats_posted_527.html</guid>
	<link>http://enemieslist.com/news/archives/2009/11/new_pats_posted_527.html</link>
	<description>&lt;p&gt;44862 patterns, 11493 right anchor strings, 187603 test IPs.&lt;/p&gt;

&lt;p&gt;Some more contribs and updates. There were several interim releases since&lt;br /&gt;
10/31; I'll continue to do this and only mention major releases from now&lt;br /&gt;
on. Eventually, we will move to a more automated publishing model and&lt;br /&gt;
I'll have to figure out whether anyone finds these notices useful or if&lt;br /&gt;
I will just stop doing them altogether.&lt;/p&gt;

&lt;p&gt;Also note that the rbldnsd zone file now has support for 'cloud', using&lt;br /&gt;
response code 127.0.0.12. Currently only a few of these, but the field&lt;br /&gt;
is growing, so expect more to come. This may be used via the most recent&lt;br /&gt;
sendmail package, and I've updated the SpamAssassin plugin to support it&lt;br /&gt;
as well.&lt;/p&gt;

&lt;p&gt;Download them here:&lt;/p&gt;

&lt;p&gt; sendmail:&lt;br /&gt;
 http://enemieslist.com/downloads/sendmail_access_db&lt;br /&gt;
 http://enemieslist.com/downloads/rightanchors&lt;/p&gt;

&lt;p&gt; postfix:&lt;br /&gt;
 http://enemieslist.com/downloads/postfix_regexp_table&lt;br /&gt;
 http://enemieslist.com/downloads/postfix_regexp_table-20091102&lt;/p&gt;

&lt;p&gt; exim:&lt;br /&gt;
 http://enemieslist.com/downloads/exim_hosts&lt;br /&gt;
 http://enemieslist.com/downloads/exim_hosts-20091102&lt;/p&gt;</description>
	<pubDate>Mon, 02 Nov 2009 23:00:34 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: CyberCrime &amp; Doing Time: Facebook Safety &amp; Million Member Facebook Groups</title>
	<guid>http://boxofmeat.net/post/231152794</guid>
	<link>http://boxofmeat.net/post/231152794</link>
	<description>&lt;a href=&quot;http://garwarner.blogspot.com/2009/10/facebook-safety-million-member-facebook.html&quot;&gt;CyberCrime &amp;amp; Doing Time: Facebook Safety &amp;amp; Million Member Facebook Groups&lt;/a&gt;: &lt;p&gt;‘Would you like to see the secret truth about why people create “million user groups”?&lt;br /&gt;&lt;br /&gt;Enter the seedy world of the online advertiser. Not the Madison Avenue advertising companies, but the punks who sit at home and devise ways to advertise their wares through spam, SEO (search engine optimization), and social network spam. They are making more money than you, and filling our lives with virtual junkmail, and in many cases, malware.’&lt;/p&gt;</description>
	<pubDate>Mon, 02 Nov 2009 22:15:47 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: MIT news: Secure computers aren’t so secure</title>
	<guid>http://boxofmeat.net/post/231102316</guid>
	<link>http://boxofmeat.net/post/231102316</link>
	<description>&lt;a href=&quot;http://web.mit.edu/newsoffice/2009/cryptography.html&quot;&gt;MIT news: Secure computers aren’t so secure&lt;/a&gt;: &lt;p&gt;“The time it takes to store data in memory, fluctuations in power consumption, even the sounds your computer makes can betray its secrets. MIT researchers centered at the Computer Science and Artificial Intelligence Lab’s Cryptography and Information Security Group (CIS) study such subtle security holes and how to close them.”&lt;/p&gt;</description>
	<pubDate>Mon, 02 Nov 2009 21:15:46 +0000</pubDate>
</item>
<item>
	<title>Al Iverson's DNSBL Resource: Status of dnsbl.karmasphere.com: SHUTTING DOWN</title>
	<guid>tag:blogger.com,1999:blog-33849608.post-318551731673198260</guid>
	<link>http://www.dnsbl.com/2009/11/status-of-dnsblkarmaspherecom-shutting.html</link>
	<description>As messaged to the Karmasphere-Users and Karmasphere-Announce mailing lists, the Karmasphere Reputation Services data feeds are being retired. This affects the associated blacklist(s), including the karmasphere.email-sender.dnsbl.karmasphere.com DNSBL zone, and any other DNSBL/DNSWL zones under karmasphere.com. It is unclear to the author if karmasphere.org is similarly affected.

Karmasphere</description>
	<pubDate>Mon, 02 Nov 2009 20:36:04 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Google Operating System: Why It's a Bad Idea to Send Huge Files by Email</title>
	<guid>http://boxofmeat.net/post/231053912</guid>
	<link>http://boxofmeat.net/post/231053912</link>
	<description>&lt;a href=&quot;http://googlesystem.blogspot.com/2009/11/why-its-bad-idea-to-send-huge-files-by.html&quot;&gt;Google Operating System: Why It's a Bad Idea to Send Huge Files by Email&lt;/a&gt;: &lt;p&gt;“People who demand large message size limits rarely understand the limitations of the email transmission.”&lt;/p&gt;
&lt;p&gt;This article describes those limits in a way normal email users &lt;i&gt;might&lt;/i&gt; understand. (Kinda. Maybe.)&lt;/p&gt;</description>
	<pubDate>Mon, 02 Nov 2009 20:15:46 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: John R. Levine: How do you test spam filters?</title>
	<guid>http://boxofmeat.net/post/231012073</guid>
	<link>http://boxofmeat.net/post/231012073</link>
	<description>&lt;a href=&quot;http://weblog.johnlevine.com/Email/filtertest.html?seemore=y&quot;&gt;John R. Levine: How do you test spam filters?&lt;/a&gt;: &lt;p&gt;“Everyone who uses e-mail needs spam filtering, and some filters definitely work better than others. Some people we know were trying to design tests of filter quality, which turns out to be extremely difficult.”&lt;/p&gt;</description>
	<pubDate>Mon, 02 Nov 2009 19:15:18 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: Веб безпека: Dark side of bookmarks</title>
	<guid>http://boxofmeat.net/post/231004570</guid>
	<link>http://boxofmeat.net/post/231004570</link>
	<description>&lt;a href=&quot;http://websecurity.com.ua/3643/&quot;&gt;Веб безпека: Dark side of bookmarks&lt;/a&gt;: &lt;p&gt;“Bookmarks create conditions for conducting of persistent attacks, because bookmarks are saving at computers of the users. So every of above-mentioned attacks is persistent attack, which can trigger in any time, when user will choose bookmark in his browser.”&lt;/p&gt;</description>
	<pubDate>Mon, 02 Nov 2009 19:04:04 +0000</pubDate>
</item>
<item>
	<title>Spam Wars Dispatches: Party Pooper</title>
	<guid>http://spamwars.com/archives/2009/11/party_pooper.html</guid>
	<link>http://spamwars.com/archives/2009/11/party_pooper.html</link>
	<description>&lt;p&gt;Here's another guy who, depending on his business relationship with the final destination web site, could make a bundle by simply spamming the notion of a party:&lt;/p&gt;

&lt;blockquote&gt;
Subject: Party reminder

&lt;p&gt;Hello dannyg,&lt;/p&gt;

&lt;p&gt;Party reminder&lt;br /&gt;
http://www.[removed].cn/&lt;/p&gt;

&lt;p&gt;Best regards,&lt;/p&gt;

&lt;p&gt;Tatum Hikel&lt;br /&gt;
2009-11-02&lt;br /&gt;
&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;If you put this message into the mailbox of every single-ish Gen-[late letter of the alphabet]er, how many would follow the link? I'll bet it's a pretty high percentage, despite the Chinese domain name. And how many of those responders have ever heard of Tatum Hikel? Zero percent.&lt;/p&gt;

&lt;p&gt;I can't tell you for sure what's at the end of the link &amp;mdash; whether it's selling medz/warez/knockoffz or performing a drive-by malware download &amp;mdash; because the spamvertized site uses a server redirect to the actual destination. I chose not to follow the redirect (I don't use a typical browser for these initial investigations) because it's possible that the spamvertized web site pays for referrals: Let some poor schlub take the risk and expense of spamming, while the seller pays a pittance for every visitor whose referring web site (automatically tracked by almost every web server) belongs to the schlub. I simply don't want the spammer to gain the tiniest fraction of a yuan from my curiosity.&lt;/p&gt;

&lt;p&gt;Unfortunately, such will not be the case of all those whose main mission in life is to party hearty.&lt;/p&gt;</description>
	<pubDate>Mon, 02 Nov 2009 18:40:50 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: louisgray.com: The Blurry Picture of Open APIs, Standards, Data Ownership</title>
	<guid>http://boxofmeat.net/post/230962886</guid>
	<link>http://boxofmeat.net/post/230962886</link>
	<description>&lt;a href=&quot;http://blog.louisgray.com/2009/10/blurry-picture-of-open-apis-standards.html&quot;&gt;louisgray.com: The Blurry Picture of Open APIs, Standards, Data Ownership&lt;/a&gt;: &lt;p&gt;‘Companies are practically falling over one another to show they have embraced developers or users, letting data stream in and out of their products, while avoiding words like “proprietary” and “closed”, which are PR death. But as you might imagine, the very definition of “open” can vary depending on who you talk to, what the service’s goals are, and how they may leverage existing standards on the Web.’&lt;/p&gt;
&lt;p&gt;(via &lt;a target=&quot;_blank&quot; href=&quot;http://silona.org/open-really-i-mean-really/2009/11/02/&quot;&gt;Persona Prime&lt;/a&gt;)&lt;/p&gt;</description>
	<pubDate>Mon, 02 Nov 2009 18:03:14 +0000</pubDate>
</item>
<item>
	<title>Terry Zink: Microsoft’s Security and Intelligence Report, v7, now available</title>
	<guid>http://blogs.msdn.com/tzink/archive/2009/11/02/microsoft-s-security-and-intelligence-report-v7-now-available.aspx</guid>
	<link>http://blogs.msdn.com/tzink/archive/2009/11/02/microsoft-s-security-and-intelligence-report-v7-now-available.aspx</link>
	<description>&lt;p&gt;Every 6 months or so, Microsoft releases its Security and Intelligence Report for the previous 6 months of the year.&amp;#160; SIRv7 is now available &lt;a href=&quot;http://go.microsoft.com/?linkid=9693456&quot;&gt;here&lt;/a&gt;.&amp;#160; This is a very comprehensive document covering topics from the entire threat landscape that Microsoft is involved with combating.&amp;#160; This year’s report contains three key messages:&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;&lt;strong&gt;The redistribution of knowledge&lt;/strong&gt; – Microsoft’s level of security intelligence will be unmatched and provided to individuals and organizations to help them make better security decisions.       &lt;br /&gt;      &lt;br /&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;OK, so what else is new?&lt;/strong&gt; – The SIR contains the information that is relevant to people right now.       &lt;br /&gt;      &lt;br /&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;What do I do now?&lt;/strong&gt;&amp;#160; - The SIR allows people to assess where they are and what action they need to take. &lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;   &lt;br /&gt;I thought I would post an excerpt from the Executive Foreword.&amp;#160; I think that this highlights the theme of this current SIR.&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;&lt;/p&gt;    &lt;hr /&gt;Welcome to the seventh installment of Microsoft’s Security Intelligence Report, which I hope you will find is the most extensive and comprehensive edition to date. The cover story in this report looks back at the major threats that have attacked customers over the last 10 years, and then the report drills deeply into the current threats that you need to understand and includes what you can do to best manage your risks.     &lt;p&gt;&lt;/p&gt;    &lt;p&gt;At Microsoft, we remember the pain past incidents caused our customers and we reflect on them frequently. 
In particular, the Slammer and Blaster attacks that disrupted the Internet in 2003 are vivid reminders of the responsibility we have at Microsoft to ensure our products are as secure and privacy enhanced as possible. &lt;/p&gt;    &lt;p&gt;&lt;a href=&quot;http://blogs.msdn.com/blogfiles/tzink/WindowsLiveWriter/MicrosoftsSecurityandIntelligenceReportv_8858/image_2.png&quot;&gt;&lt;img title=&quot;image&quot; border=&quot;0&quot; alt=&quot;image&quot; src=&quot;http://blogs.msdn.com/blogfiles/tzink/WindowsLiveWriter/MicrosoftsSecurityandIntelligenceReportv_8858/image_thumb.png&quot; width=&quot;662&quot; height=&quot;163&quot; /&gt;&lt;/a&gt; &lt;/p&gt;    &lt;p&gt;As you can see from the timeline above, 2003 and 2004 were difficult times. [&lt;em&gt;tzink note: see the report for a better image]&amp;#160; &lt;/em&gt;But, you can also see that since then, major security incidents have become less and less frequent. From the data in this report, you’ll also note that the scope and impact of major events have changed, as well. For example, from the press surrounding the Conficker worm that has been attacking customers over the past year, it’s easy to conclude that Conficker is just as widespread and impactful as Slammer or Blaster—but in most respects, it hasn’t been. In 2003, Blaster became one of the most prevalent threats impacting home PC users. Six years later, Conficker didn’t even make the Top 10 list among this audience. I don’t want to minimize the pain that many of our customers experienced fighting Conficker, because, as you’ll read in the report, it was the top threat detected and cleaned in enterprises in the first half of 2009, but Conficker emerged in a much different software industry than Slammer and Blaster. &lt;/p&gt;    &lt;p&gt;Indeed, the software industry has matured a great deal since the days of Slammer and Blaster. 
Since 2003, the software industry has improved its ability to mobilize and coordinate resources to fight threats… The Conficker Working Group (CWG) was founded earlier this year, establishing a new model for how the collective industry can work together to mitigate global threats. &lt;/p&gt;    &lt;p&gt;The industry was able to proactively get ahead of Conficker by discovering the vulnerability before attackers could use it in widespread attacks. The Security Science team at Microsoft was able to find the MS08-067 vulnerability, which Conficker uses to propagate, and work with the Microsoft Security Response Center (MSRC) to release its update before attackers could use it for a Blaster-type attack. Our industry partners helped protect many customers from attack via the Microsoft Active Protections Program (MAPP). MAPP supplies Microsoft vulnerability information to security software partners prior to security update releases from Microsoft… This program enabled the majority of MAPP partners to provide protections to their customers for Conficker 24 hours after the MS08-067 security update was released. This meant that many customers were protected up to a week earlier than traditionally possible, and certainly much earlier than customers could obtain such defense-in-depth protections and threat mitigations in 2003. &lt;/p&gt;    &lt;p&gt;With the vulnerability that Slammer exploited, many administrators didn’t know whether they needed to apply a security update or that it had to be applied manually. Today, customers are notified and protected much faster; multiple communications channels exist to help customers find and understand information on security vulnerabilities. Security advisories help draw attention to security issues as they unfold, and provide customers with critical information before security bulletins become available. 
Microsoft’s advanced notification service provides customers with an insight into the number and nature of security updates that Microsoft will be releasing each month so they can plan more effectively for the deployment of the updates. Security bulletins provide information on vulnerabilities, along with workarounds and mitigations. &lt;/p&gt;    &lt;p&gt;…&lt;/p&gt;    &lt;p&gt;The progress that the software industry has made to better protect systems and customers might be small consolation to the users of those 5 million systems that were infected with Conficker in the first half of 2009. Still, it is a significant step forward, given that more than 100 times as many systems were protected from Conficker. This is in stark contrast to the Slammer and Blaster attacks of 2003 where many, many more systems were infected. The industry will continue to work together to make the frequency, scale and scope of emerging threats as minimal as possible. &lt;/p&gt;    &lt;p&gt;We thank you for your help and efforts to protect the ecosystem, and look forward to continuing to work with you to create a safer, more trusted Internet. &lt;/p&gt;    &lt;p&gt;George Stathakopoulos      &lt;br /&gt;&lt;em&gt;General Manager, Trustworthy Computing Security&lt;/em&gt;       &lt;br /&gt;Trustworthy Computing Group&lt;/p&gt;    &lt;hr /&gt;&lt;/blockquote&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;More excerpts to come over the next few days highlighting global trends in the threat landscape.&lt;/p&gt;</description>
	<pubDate>Mon, 02 Nov 2009 17:41:48 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: TechCrunch: How To Spam Facebook Like A Pro: An Insider’s Confession</title>
	<guid>http://boxofmeat.net/post/230923261</guid>
	<link>http://boxofmeat.net/post/230923261</link>
	<description>&lt;a href=&quot;http://www.techcrunch.com/2009/11/01/how-to-spam-facebook-like-a-pro-an-insiders-confession/&quot;&gt;TechCrunch: How To Spam Facebook Like A Pro: An Insider’s Confession&lt;/a&gt;: &lt;p&gt;“…being able to dynamically insert user data into an ad, disguising the ad to seem like part of the application, lack of enforcement by the social networks, and billing the parents’ cell phone – well, it’s no secret what happens next.”&lt;/p&gt;
&lt;p&gt;A fascinating look into how deceptive advertising appears on Facebook and other social sites, and how the perpetrators fool both Facebook and their users into letting it continue.&lt;/p&gt;</description>
	<pubDate>Mon, 02 Nov 2009 17:03:18 +0000</pubDate>
</item>
<item>
	<title>Box Of Meat: TechCrunch: Scamville: The Social Gaming Ecosystem Of Hell</title>
	<guid>http://boxofmeat.net/post/230881848</guid>
	<link>http://boxofmeat.net/post/230881848</link>
	<description>&lt;a href=&quot;http://www.techcrunch.com/2009/10/31/scamville-the-social-gaming-ecosystem-of-hell/&quot;&gt;TechCrunch: Scamville: The Social Gaming Ecosystem Of Hell&lt;/a&gt;: &lt;p&gt;“Major media &lt;a&gt;can’t stop applauding&lt;/a&gt; the companies long enough to understand what’s really going on with these games. The real story isn’t the business success of these startups. It’s the completely unethical way that they are going about achieving that success.”&lt;/p&gt;</description>
	<pubDate>Mon, 02 Nov 2009 16:03:22 +0000</pubDate>
</item>
<item>
	<title>Spamresource.com: Karmasphere Reputation Services Shutting Down</title>
	<guid>tag:blogger.com,1999:blog-26753622.post-1097517364844106530</guid>
	<link>http://www.spamresource.com/2009/11/karmasphere-reputation-services.html</link>
	<description>&lt;a href=&quot;http://www.karmasphere.com/&quot;&gt;Karmasphere&lt;/a&gt;, founded in 2005 by &lt;a href=&quot;http://en.wikipedia.org/wiki/Meng_Weng_Wong&quot;&gt;Meng Weng Wong&lt;/a&gt; as a reputation service provider, provided some neat tools, allowing any Joe internet user to publish their own blacklist or whitelist. Neat! How does one make money doing that? Sounds like they weren't too sure, either, based on the email I received on Monday, November 2nd, 2009.&lt;br /&gt;&lt;a name=&quot;more&quot;&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;D.J. Stewart of Karmasphere posted the following message to the Karmasphere Users and Karmasphere Announce lists:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;As a registered user of Karmasphere Reputation Services, we wanted to let you know that we are discontinuing the service, effective November 16, 2009. If you are using the services through DNS, BQuery or email plugins, please make plans to adjust your configurations ideally prior to November 9 and no later than November 16, 2009.&lt;br /&gt;&lt;br /&gt;On that final date, we will disable the reputation servers so that you can no longer query them. Anybody who still has not removed Karmasphere's reputation service from their mail configuration when this happens may find that their mail servers appear to slow down while they wait for their queries to Karmasphere to time out.&lt;br /&gt;&lt;br /&gt;You may be thinking &quot;why are they doing this?&quot;. The answer is that we are moving the business in a different direction. 
We have applied the experience gained in manipulating and analysing large data sets in reputation services into developing software that makes it easier to use &lt;a href=&quot;http://en.wikipedia.org/wiki/Hadoop&quot;&gt;Hadoop&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;This change in focus means that we no longer have the time nor resources to give the reputation service the attention it deserves.&amp;nbsp; Rather than letting the service slowly decay, we are ending them.&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;br /&gt;This end of service will proceed in the following stages.&lt;br /&gt;&lt;br /&gt;Stage 1: To November 9, 2009&lt;br /&gt;Our services will continue as they have for the past 4 years.&lt;br /&gt;This gives you a chance to remove karmasphere's feeds and feedsets from&lt;br /&gt;your mail server configurations.&lt;br /&gt;&lt;br /&gt;Stage 2: November 9 - November 16, 2009&lt;br /&gt;Our servers will continue to respond but our feedsets will whitelist&lt;br /&gt;everything.&lt;br /&gt;&lt;br /&gt;Stage 3: November 16, 2009&lt;br /&gt;The reputation servers will be turned off.&lt;br /&gt;&lt;br /&gt;Thank you for using our services.&lt;br /&gt;&lt;br /&gt;The Karmasphere Team.&lt;/i&gt;&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;hr /&gt;&lt;a href=&quot;http://www.spamresource.com&quot;&gt;Al Iverson's Spam Resource&lt;/a&gt;
&lt;/div&gt;</description>
	<pubDate>Mon, 02 Nov 2009 13:46:28 +0000</pubDate>
</item>

</channel>
</rss>
