Archive for the ‘Spam’ Category.

Masked Scheduler Blog Now with Gadgets & Electronics

MaskedScheduler.blogspot.com was once the abandoned blog of a Fox exec who would write about past successes and current failures. It was great reading. For whatever reason, the Masked Scheduler decided to confine his prose to Twitter’s 140 characters and the blog wasn’t used anymore.

Fast forward to today, and I find my RSS reader suddenly has a ton of posts from the Masked Scheduler blog. Instead of the TV commentary, I find spammish gadget/electronics posts. I’m guessing it is trying to take advantage of the link love the former blog enjoyed.

When you decide to terminate a social media account, whether a blog or Twitter, you should consider taking down the content but holding on to the name. This is true particularly for free sites. You’ve built a brand, you have thousands of inbound links. According to Google Reader there are 200 of us on Reader that got this unintended content because the Masked Scheduler apparently deleted the account and then it was available for reuse after a period. Now I’m guessing here based on the archive.org crawl from last year showing the account is gone, so it doesn’t appear to be a compromised account. Just the case of a username being abandoned and picked up by someone else.

SPF Usefulness

The SANS ISC Handler Diary is asking for your experiences with SPF. It’s funny timing because I just configured SPF for my domains last night. I’d been using SPF records previously, but when I left PowWeb for Dreamhost (which changed my authoritative DNS server) I didn’t set up SPF again.

I’m using Google as the mail server for my personal domains. Configuring SPF for Google is pretty easy. Just create a TXT record containing “v=spf1 include:_spf.google.com ~all”. Like most SPF implementations, they recommend you use “~all” (softfail), which tells the remote server the list of authoritative servers is merely informational and not to reject mail based on this alone. I kind of wonder what use that is. But it seems to take more guts to use a “-all” (hard fail).

To me, SPF is not exceptionally useful. It just seems like the only thing you can do to prevent yourself from being Joe Jobbed. Sadly, through the years remote mail servers are more likely to allow backscatter than use SPF.
At the same time, it’s never shot me in the foot. ~all instead of -all is probably to thank. I have seen Hotmail headers that indicated that if I was using -all they would have blocked me. They just had a screwed-up implementation that couldn’t handle “include” statements in SPF records. SPF is not well liked by *nix folk. It breaks .forward. It breaks mailing lists that send as the message poster.
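To make the ~all vs. -all and “include” behaviour concrete, here is a small SPF evaluator I added for this post (not part of the original entry or of any SPF library). It stands in for DNS with a constructed table, uses documentation netblocks rather than Google’s real ones, and assumes the strict.example / nospf.example domains are hypothetical.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; a real checker queries DNS.
# The netblocks are RFC documentation ranges, not Google's real ones.
FAKE_TXT = {
    "example.com":     "v=spf1 include:_spf.google.com ~all",
    "strict.example":  "v=spf1 include:_spf.google.com -all",   # hypothetical
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_terms(domain):
    """Return the mechanisms of a domain's SPF record, or None if it has none."""
    record = FAKE_TXT.get(domain, "")
    return record.split()[1:] if record.startswith("v=spf1 ") else None

def check_host(ip, domain, depth=0):
    """Simplified RFC 7208 check_host(): handles ip4, ip6, include and all."""
    if depth > 10:                       # RFC 7208 caps DNS-causing terms at 10
        return "permerror"
    terms = spf_terms(domain)
    if terms is None:
        return "none"                    # no SPF record: receiver learns nothing
    addr = ipaddress.ip_address(ip)
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include matches only on "pass"; the included record's own
            # -all never leaks out, so the outer ~all or -all still decides.
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            matched = False              # a, mx, ptr, exists not implemented here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"

def receiver_action(result):
    """Typical receiver handling: only a hard fail leads to outright rejection."""
    return {"fail": "reject", "softfail": "accept, mark/score",
            "pass": "accept"}.get(result, "accept")

if __name__ == "__main__":
    for ip, dom in [("203.0.113.5", "example.com"), ("198.51.100.9", "example.com"),
                    ("198.51.100.9", "strict.example")]:
        r = check_host(ip, dom)
        print(f"{ip} sending for {dom}: {r} -> {receiver_action(r)}")
```

Running it shows why ~all feels toothless: the same forged source IP yields softfail (accepted, perhaps scored) under example.com but fail (rejected) under the -all variant, while a .forward relay would hit the same outcome as the forger.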

Google Docs Viagra Spam

I was going through my Cox inbox and found Viagra spam with a link to http://doc.google.com/View?id=dfpqm7ft_0tt6xhdd2.
It’s nothing new that spammers have been taking advantage of Google. It’s just kind of annoying to me that this message was sent on October 30th, today is November 10th, and the linked Viagra Google doc is still up (“consult a physician if the link stays up longer than 4 weeks”). Am I to believe that no one has reported this link to Google?
The paranoid part of me wonders if, when I went to the link, Google Docs helpfully checked my Google cookie and provided my Google email address to the spammer who previously only had my Cox email. Next time I’m clearing cookies and using a safer browser when following unsafe links. But I digress; the real point here is Google is woefully slow in responding to spam compared to Yahoo. What’s up, Google? Use some of that 20 percent time to stop hosting spammers.

Virginia High Court Strikes Down Anti-Spam Law

http://www.washingtonpost.com/wp-dyn/content/article/2008/09/12/AR2008091201211.html?hpid=topnews
In 2004 Jeremy Jaynes was convicted under Virginia’s anti-spam law for sending 10 million spam emails through AOL servers located in Virginia.
Virginia’s Supreme Court has overturned that conviction and struck down the anti-spam law.
“The court unanimously agreed with Jeremy Jaynes’ argument that the law violates the free-speech protections of the First Amendment because it does not just restrict commercial e-mails.”
The weak federal CAN-SPAM law, which has done nothing to stop spam, remains in effect.
Here is a link to the ruling.

Picasa Spam Redirect

The MessageLabs Intelligence report for August 2008 reports that spammers are using links to Flash/Shockwave files hosted on Picasa (a Google web album service). The Flash then redirects the user to the spammer’s site.

Iconix Phishing Protection

A couple of days ago I received email from PayPal titled “New PayPal Plug-In – Shop anywhere online.” That struck me as kind of suspicious, so I looked at the mail headers. The headers showed the message did originate with PayPal’s servers, and more importantly it contained a domain key (DKIM). According to Wikipedia, “DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity” through the use of a cryptographic hash.
If I had to dive into the headers to determine the message’s validity, how would the normal user do? Are there mail clients that would have automatically verified DomainKeys and SPF for me?
A quick Google found a product called Iconix. Iconix works with Outlook, Outlook Express and a bunch of webmail providers (no Thunderbird support) to take the guesswork out of which messages are real.
Once installed, Iconix looks at SPF/SenderID and DomainKeys to determine message authenticity. Next it looks at message identification: this is a list of companies that have paid Iconix and registered with them. If both are verified, then the message’s “display From” will be altered to present a logo of the sending organization’s choosing. This allows recipients to tell at a glance that the message is from who it says it is.
Iconix at first appeared to be a great solution. It’s been reviewed in several trade publications. I didn’t immediately find anyone disparaging them online. Iconix is installed software. As such, you do wonder a bit about privacy and security implications. Their FAQ does say that the sender’s email address is sent to Iconix.
The problem is that they only provide this service for the companies that have signed up. I would expect that they could validate the DomainKeys or SPF for anyone using those email technologies. While this product does solve my original question, “how can ma and pa kettle obtain a reasonable level of trust in email”, it only does so for companies that have paid Iconix. That is an extensive list, and it provides better assurance than SPF and DomainKeys alone could.
While Iconix is not available for Thunderbird, there are other solutions that plug into Thunderbird for SPF and DomainKeys validation.
- update – 6/11 – fixed above where I referred to Firefox when I meant Thunderbird. Firefox can be used just like IE in conjunction with Iconix at many webmail providers.

US Tax Court Phishing

MX Logic has a writeup on US Tax Court phishing emails seen today.
The email from noreply@ustaxcourt.org has a link to download “a Copy of the Order, Letter, Notice or Other Document Being Appealed”. The website was not online when I checked it.

Pernicious Spam

One of my users is getting some spam that is really annoying to deal with. I’ve seen users get hit much worse (usually by backscatter), but I still think this is an interesting story to tell.
The spammer typically sends 5-10 emails per day from a Gmail account. Usually by the next day he’s sending from a new Gmail account. Thus the mail is coming from a trusted source and we can’t block by sending IP or domain. Blocking the email address is barely worth the effort since he will change it again tomorrow.
If we had other tools at our disposal we might have a better chance of blocking. Personally, I feel that the anti-spam service we pay for should block these things and we should rarely have to add manual blocks.
The Display From name is actually consistent, so I was able to have the user set up a client-side rule that forwards the message to abuse as an attachment and deletes the message. I don’t want to repeat the name and social security number in the From field, but if you Google it there are a ton of blog/forum spams of the same crap.
The recipient list is kind of interesting. It’s a long list of NASA, government, military and Voice of America addresses.
The other interesting thing is some of the messages are long, repetitive rants that bypass our spam filter because the message size is too big to be considered spam. That seems like a bad idea.

CBL List (partially) Blocks MessageLabs

Looks like the shoe is on the other foot. Last week I was chortling that MessageLabs was tarpitting Google in an automatic response to Gmail sending out so much spam. Now some of MessageLabs’ IPs have been blocked by the CBL. Apparently that is rather widely used. I’ve already seen rejections from Cox and Comcast. CBL is used in SPAMHAUS and other aggregate blocklists as well.
MessageLabs has reported they have worked with CBL to resolve the issue. The latest CBL update has removed this block.

Calendar Invite Spam

Trend Micro has a blog entry on calendar invite spam. I’ve been seeing that as well.
My biggest problem is reporting the spam. How do you get headers out of a meeting invite in Outlook? If I open the .msg file the user forwarded, the headers are hidden by Outlook. If I look in Notepad, the text is encoded. Perhaps another mail client will be nicer.
In the examples I’ve seen the invite is from Google Calendar. It’s another example of spam from a semi-trusted host.