Archive for the ‘Spam’ Category.
May 31, 2010, 9:36 pm
The SANS ISC Handler Diary is asking for your experiences with SPF. It’s funny timing because I just configured SPF for my domains last night. I’d been using SPF records previously, but when I left PowWeb for Dreamhost (which changed my authoritative DNS server) I didn’t set up SPF again.
I’m using Google as the mail server for my personal domains. Configuring SPF for Google is pretty easy. Just create a TXT record containing v=spf1 include:_spf.google.com ~all. Like most SPF implementations, they recommend you use “~all” (softfail), which tells the remote server that the list of authorized senders is merely advisory and that it should not reject mail on that basis alone. I kind of wonder what use that is. But it seems to take more guts to use a “-all”, which tells the receiver it may reject outright.
To me, SPF is not exceptionally useful. It just seems like the only thing you can do to prevent yourself from being Joe Jobbed. Sadly, through the years, remote mail servers have been more likely to allow backscatter than to use SPF.
At the same time, it’s never shot me in the foot. ~all instead of -all is probably to thank. I have seen Hotmail headers that indicated that if I had been using -all they would have blocked me. They just had a screwed-up implementation that couldn’t handle “include” statements in SPF records. SPF is not well liked by *nix folk. It breaks .forward. It breaks mailing lists that send as the message poster.
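As an added illustration (not part of the original post, and not Google’s or any real MTA’s SPF code), here is a small Python evaluator for records of the shape shown above. It walks ip4, ip6, include and all terms against a constructed, in-memory set of TXT records (example.com, strict.example.com and _spf.mailhost.example are made up; the real _spf.google.com chain is not consulted), and a second function shows why ~all versus -all matters to the receiver: softfail is advisory and at most feeds a spam score, while fail is what an MTA actually rejects on.

```python
import ipaddress

# Constructed TXT records standing in for live DNS (none of these are real
# records; the include chain mimics the shape of the Google one in the post).
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.mailhost.example ~all",
    "strict.example.com": "v=spf1 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, dns=DNS_TXT, depth=0):
    """Evaluate domain's SPF record for the connecting address ip.

    Handles the ip4, ip6, include and all mechanisms with all four
    qualifiers, which is enough for records like the one in the post.
    Returns pass, fail, softfail, neutral, none or permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms; treat loops as an error
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # an IPv4 address is never inside an IPv6 network and vice versa
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            sub = check_spf(arg, ip, dns, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"  # including a domain with no usable record is an error
            matched = sub == "pass"  # only a pass inside the include matches
        else:
            return "permerror"  # a, mx, ptr, exists, redirect are not handled in this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # fell off the end of the record without a match


def receiver_action(result, reject_on_softfail=False):
    """What a typical receiving MTA does with each result.

    Only fail (the -all case) is normally an outright reject; softfail
    (the ~all case) is advisory and at most feeds a spam score, which is
    why ~all never bounces your mail but -all could when a receiver's
    evaluator is buggy.
    """
    if result == "fail" or (result == "softfail" and reject_on_softfail):
        return "reject"
    if result in ("softfail", "permerror"):
        return "accept-with-score"
    return "accept"


if __name__ == "__main__":
    for dom, ip in [("example.com", "203.0.113.10"),
                    ("example.com", "198.51.100.7"),
                    ("strict.example.com", "198.51.100.7")]:
        res = check_spf(dom, ip)
        print(f"{dom} from {ip}: {res} -> {receiver_action(res)}")
```

The same unauthorized address gets softfail under the ~all record and fail under the -all one; only the latter turns into a reject at a typical receiver.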
November 10, 2008, 2:42 pm
I was going through my Cox inbox and found Viagra spam with a link to http://doc.google.com/View?id=dfpqm7ft_0tt6xhdd2.
It’s nothing new that spammers have been taking advantage of Google. It’s just kind of annoying to me that this message was sent on October 30th, today is November 10th, and the linked Viagra Google doc is still up (“consult a physician if the link stays up longer than 4 weeks”). Am I to believe that no one has reported this link to Google?
The paranoid part of me wonders whether, when I went to the link, Google Docs helpfully checked my Google cookie and provided my Google email address to the spammer, who previously only had my Cox email. Next time I’m clearing cookies and using a safer browser when following unsafe links. But I digress; the real point here is that Google is woefully slow in responding to spam compared to Yahoo. What’s up, Google? Use some of that 20 percent time to stop hosting spammers.
September 12, 2008, 12:01 pm
http://www.washingtonpost.com/wp-dyn/content/article/2008/09/12/AR2008091201211.html?hpid=topnews
In 2004 Jeremy Jaynes was convicted under Virginia’s Anti-Spam law for sending 10 million spam emails through AOL servers located in Virginia.
Virginia’s Supreme Court has overturned that conviction and struck down the Anti-spam law.
“The court unanimously agreed with Jeremy Jaynes’ argument that the law violates the free-speech protections of the First Amendment because it does not just restrict commercial e-mails.”
The weak Federal CAN-SPAM law, which has done nothing to stop spam, remains in effect.
Here is a link to the ruling.
September 4, 2008, 11:57 am
The MessageLabs Intelligence report for August 2008 reports that spammers are using links to Flash/Shockwave files hosted on Picasa (a Google web album service). The Flash then redirects the user to the spammer’s site.
June 9, 2008, 9:18 pm
A couple of days ago I received an email from PayPal titled “New PayPal Plug-In – Shop anywhere online.” That struck me as kind of suspicious, so I looked at the mail headers. The headers showed the message did originate with PayPal’s servers, and more importantly it contained a domain key signature (DKIM). According to Wikipedia, “DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity”; it does this by signing a cryptographic hash of the message with a key whose public half is published in the sender’s DNS.
If I had to dive into the headers to determine the message’s validity, how would a normal user fare? Are there mail clients that would have automatically verified DomainKeys and SPF for me?
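To show what such a client actually has to look at, here is an added Python example (not from the original post, and not PayPal’s or any mail client’s code). It parses the DKIM-Signature header, works out which DNS record would hold the signing key, checks that the signing domain lines up with the From: address, and recomputes the signed body hash (bh=) as a cheap tamper check. It deliberately stops short of verifying the RSA signature itself, which needs the public key from DNS. The sample message is constructed; paypal.example and the selector sel2008 are fictional, and b= is a placeholder because no real key is involved.

```python
import base64
import email
import email.utils
import hashlib
import re


def canonicalize_body(body, method="simple"):
    """Body canonicalization from RFC 6376 section 3.4.

    simple: drop empty lines at the end, make sure the body ends in one CRLF.
    relaxed: additionally strip trailing whitespace from each line and
    collapse runs of spaces/tabs inside a line to a single space.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"\r\n" if method == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, method="simple", algo="sha256"):
    """The bh= value: base64 of the hash over the canonicalized body."""
    digest = hashlib.new(algo, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(value):
    """Turn 'v=1; a=rsa-sha256; d=...; b=...' into a dict. Folding
    whitespace is removed first, so a wrapped b= or h= is reassembled."""
    tags = {}
    for part in re.sub(r"\s+", "", value).split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name] = val
    return tags


def inspect_dkim(raw_message):
    """The checks a client can do before any crypto. Assumes a single-part
    text message. The b= signature is not verified here; a real verifier
    fetches <selector>._domainkey.<domain> and checks it with that key."""
    msg = email.message_from_string(raw_message)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return {"present": False}
    tags = parse_dkim_tags(sig)
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    algo = tags.get("a", "rsa-sha256").split("-")[-1]
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    d = tags.get("d", "").lower()
    return {
        "present": True,
        "signing_domain": d,
        "dns_record_name": f"{tags.get('s', '')}._domainkey.{d}",
        "from_aligned": from_domain == d or from_domain.endswith("." + d),
        "body_hash_ok": body_hash(msg.get_payload(), body_canon, algo) == tags.get("bh"),
    }


def build_sample_message(body, tamper=False):
    """Construct a sample message (fictional domains, not a real PayPal mail)
    whose DKIM-Signature carries a correct bh= for body. With tamper=True the
    body is altered after signing, as a relay or attacker might do."""
    bh = body_hash(body, "relaxed")
    headers = (
        "From: PayPal <service@paypal.example>\r\n"
        "To: user@example.net\r\n"
        "Subject: New PayPal Plug-In - Shop anywhere online.\r\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
        "\td=paypal.example; s=sel2008; h=from:to:subject;\r\n"
        f"\tbh={bh}; b=PLACEHOLDER\r\n"
        "\r\n"
    )
    sent_body = (body + "\r\nGet the plug-in here: http://evil.example/\r\n") if tamper else body
    return headers + sent_body


if __name__ == "__main__":
    print(inspect_dkim(build_sample_message("Hello, please install the plug-in.\r\n")))
    print(inspect_dkim(build_sample_message("Hello, please install the plug-in.\r\n", tamper=True)))
```

A real verifier does the same parsing, then also canonicalizes the headers listed in h=, fetches the selector record and checks b= with the published key; a mismatch on either the body hash or the signature is what a client would surface as “this PayPal mail is not really from PayPal”.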
A quick Google found a product called Iconix. Iconix works with Outlook, Outlook Express and a bunch of webmail providers (No Thunderbird support) to take the guesswork out of which messages are real.
Once installed, Iconix looks at SPF/SenderID and DomainKeys to determine message authenticity. Next it looks at message identification: this is a list of companies that have paid Iconix and registered with them. If both are verified, then the message’s “display From” will be altered to present a logo of the sending organization’s choosing. This allows recipients to tell at a glance that the message is from who it says it is.
Iconix at first appeared to be a great solution. It’s been reviewed in several trade publications. I didn’t immediately find anyone disparaging them online. Iconix is installed software, so you do wonder a bit about the privacy and security implications. Their FAQ does say that the sender’s email address is sent to Iconix.
The problem is that they only provide this service for the companies that have signed up. I would expect that they could validate DomainKeys or SPF for anyone using those email technologies. While this product does solve my original question, “how can ma and pa kettle obtain a reasonable level of trust in email”, it only does so for companies that have paid Iconix. That is an extensive list, and it provides better assurance than SPF and DomainKeys alone could.
While Iconix is not available for Thunderbird, there are other solutions that plug into Thunderbird for SPF and DomainKeys validation.
- update – 6/11 – fixed above where I referred to Firefox when I meant Thunderbird. Firefox can be used just like IE in conjunction with Iconix at many webmail providers.
May 12, 2008, 9:52 pm
MX Logic has a writeup on US Tax Court phishing emails seen today.
The email from noreply@ustaxcourt.org has a link to download “a Copy of the Order, Letter, Notice or Other Document Being Appealed”. The website was not online when I checked it.
May 7, 2008, 6:21 pm
One of my users is getting some spam that is really annoying to deal with. I’ve seen users get hit much worse (usually by backscatter) but I still think this is an interesting story to tell.
The spammer typically sends 5-10 emails per day from a gmail account. Usually by the next day he’s sending from a new gmail account. Thus the mail is coming from a trusted source, and we can’t block by sending IP or domain. Blocking the email address is barely worth the effort since he will change it again tomorrow.
If we had other tools at our disposal we might have a better chance of blocking. Personally, I feel that the anti-spam service we pay for should block these things and we should rarely have to add manual blocks.
The Display From name is actually consistent, so I was able to have the user set up a client-side rule that forwards the message to abuse as an attachment and deletes it. I don’t want to repeat the name and social security number in the From field, but if you google it there are a ton of blog/forum spams of the same crap.
The recipient list is kind of interesting. It’s a long list of NASA, Government, military and Voice of America addresses.
The other interesting thing is some of the messages are long repetitive rants that bypass our spam filter because the message size is too big to be considered spam. That seems like a bad idea.
April 10, 2008, 10:38 am
Looks like the shoe is on the other foot. Last week I was chortling that MessageLabs was tarpitting Google in an automatic response to gmail sending out so much spam. Now some of MessageLabs’ IPs have been blocked by the CBL. Apparently that list is rather widely used. I’ve already seen rejections from Cox and Comcast. CBL is used in SPAMHAUS and other aggregate blocklists as well.
MessageLabs has reported that they have worked with CBL to resolve the issue, and the latest CBL update has removed the block.
March 19, 2008, 8:41 am
Trend Micro has a blog entry on calendar invite spam. I’ve been seeing that as well.
My biggest problem is reporting the spam. How do you get headers out of a meeting invite in Outlook? If I open the .msg file the user forwarded, the headers are hidden by Outlook. If I look at it in Notepad, the text is encoded. Perhaps another mail client will be nicer.
In the examples I’ve seen the invite is from Google Calendar. It’s another example of spam from a semi-trusted host.
January 12, 2008, 10:58 pm
My MovableType spam defenses have kind of run amok. It was letting through a ton of spam which led me to disable anonymous comments. For its next trick it decided to trash valid comments.
The first method used for trashing valid comments was a rule that http:// shouldn’t appear in the commenter’s name field. That wasn’t a problem until OpenID. The crappy OpenID plugin I’m using doesn’t put the OpenID display name in the name field. Instead it puts in a URL including the name and the server. A quick tweak to the ruleset fixed that problem.
The next issue I found was that my own comments were getting blocked (when using a test account, not my regular comment account, which is set up as a trusted commenter). The Spamhaus ZEN filter was blocking me. Back in July, MovableType reported that one of the old blocklists was going away and they recommended using zen.spamhaus.org instead. Since I like Spamhaus I accepted that recommendation uncritically. Now I find out that “ZEN is the combination of all Spamhaus DNSBLs into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, the XBL and the PBL blocklist”. The problem is that the PBL is the Policy Block List. It’s like the DUL (dial-up list): it is designed to prevent end users from sending mail directly to recipient mail servers, since they should go through their ISP’s mail server instead. That is not the sort of list you should be using with HTTP. End-user computers should be browsing directly to my website and making comments.
A better Spamhaus list to use is the XBL. Be aware however that according to Spamhaus, “The XBL contains mostly dynamic IP addresses, meaning the user you would be blocking is probably not going to be the user with the exploited computer. Please do not block innocent users.”
You’re probably better off forcing the user to prove they are human with a CAPTCHA rather than using (misusing) block lists.
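To make the ZEN/PBL distinction concrete, here is an added Python example (not MovableType’s code and not from the original post). It builds the reversed-octet DNSBL query name, maps the A records Spamhaus returns for zen.spamhaus.org to the component list that produced them (127.0.0.2-3 SBL, 127.0.0.4-7 XBL, 127.0.0.10-11 PBL, 127.255.255.x error codes), and then applies two different policies to the same answer: for inbound SMTP a PBL hit is a fair reason to refuse, but for a web comment form it is ignored, because it only says the address should not be running a mail server. The answers fed to the checks are constructed; the live lookup helper is included but not exercised.

```python
import ipaddress
import socket

# Return codes Spamhaus documents for zen.spamhaus.org: each A record in the
# answer says which component list hit. Anything under 127.255.255.0/24 is an
# error code (for example, the query went through a public resolver), not a
# listing.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL",  # CSS, delivered as part of the SBL
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the IPv4 octets to build the lookup name, for example
    192.0.2.10 -> 10.2.0.192.zen.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup_zen(ip):
    """Live lookup: returns the A records, or [] when the address is not
    listed (NXDOMAIN). Not used by the offline checks below."""
    try:
        return socket.gethostbyname_ex(dnsbl_query_name(ip))[2]
    except socket.gaierror:
        return []


def classify_zen_answer(answers):
    """Map the returned A records to list names; flag error codes so that a
    broken lookup is never mistaken for a listing."""
    lists = set()
    for a in answers:
        if a.startswith("127.255.255."):
            lists.add("ERROR")
        else:
            lists.add(ZEN_CODES.get(a, "UNKNOWN"))
    return sorted(lists)


def should_reject_smtp(answers):
    """Inbound SMTP policy: any real listing, PBL included, justifies
    refusing the connection. A host in a dynamic pool should be handing
    mail to its ISP's relay, which is exactly what the PBL encodes."""
    return any(l in ("SBL", "XBL", "PBL") for l in classify_zen_answer(answers))


def should_block_comment(answers):
    """Web comment policy: only the SBL (spam operations) and XBL (exploited
    hosts and open proxies) say anything about an HTTP client. A PBL hit
    describes almost every legitimate home user, so it is ignored. Even an
    XBL hit is usually a dynamic address that may have changed hands, which
    is why a CAPTCHA is the gentler fallback to a hard block."""
    return any(l in ("SBL", "XBL") for l in classify_zen_answer(answers))


if __name__ == "__main__":
    # Constructed answers, as a resolver would return them for three cases:
    # a PBL-only home user, an exploited host, and a query error.
    for label, answer in [("home user", ["127.0.0.11"]),
                          ("infected host", ["127.0.0.4"]),
                          ("query error", ["127.255.255.254"])]:
        print(label, classify_zen_answer(answer),
              "smtp reject:", should_reject_smtp(answer),
              "comment block:", should_block_comment(answer))
```

The same PBL-only answer that correctly refuses an SMTP connection is exactly the one that was blocking a legitimate commenter here; filtering on the component list instead of on “anything in ZEN” keeps the XBL/SBL protection without that side effect.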