Archive for the 'Spam' Category
The SANS Handler and the case of the spam blowback
SANS handler Swa Frantzen got joe jobbed, and he's using the bully pulpit of the SANS Internet Storm Center to advocate changing SMTP error handling.
I got joe jobbed around 1997, when I had the address rog@juno.com. Some spammer whose name was apparently also Roger sent out a couple of spam runs as that address. Each time I logged in I had to download 15k bounce messages (and assorted spam complaints). Fortunately there was an 800 number in the email message, and the guy stopped using my address after I asked him nicely to stop ruining my life.
Swa says the bounce-backs came in on a catch-all address. I'm not sure if he means that the address is one he uses as a spam trap (an address used when registering at public sites) or if he means the more traditional definition: a mailbox that accepts all email for the domain that is not specifically sent somewhere else. If he is using a catch-all mailbox and then complaining about getting spam, I think he's kind of nuts.
I agree with him that virus notices should never be sent to the sender anymore. Too often the sender is forged. However, you can't notify the recipient easily on most mail systems. Most mail systems are going to strip the virus and send the message to the user, so they still get thousands of unwanted messages. That's not a good solution. I've seen some spam solutions that can notify the recipient once per day of quarantined messages, but we really don't want users spending their time reviewing spam. We want a good spam filter. I wouldn't notify the sender of a message that is quarantined as spam either. And that is where SMTP reliability goes down the tubes: when no one is notified that a message has been blocked.
I don't quite understand his complaint about greylisting. I greylist, and it doesn't result in a delayed delivery notice being sent to anyone. I'm also not on board with his idea that recipient mail servers should hold a mail connection open until they have scanned a message and determined that it is acceptable. That just won't work when you're getting 90% spam messages. The solution isn't for everyone in the world to buy a bigger mail server. Besides, you may not want to let a spammer know immediately that his spam run was unsuccessful.
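To make the greylisting point concrete, here is an added example of the decision logic a greylisting MTA applies; it is illustration written for this page, not the blog author's setup or any particular mail server's code. The first delivery attempt for an unseen (client IP, envelope sender, envelope recipient) triplet is answered with a 4xx temporary failure during the SMTP dialogue, before the message is accepted. A real sending MTA keeps the message in its own queue and retries later; a spam cannon that fires once and moves on never comes back. Because the greylisting host never took custody of the message, it generates no bounce and no delayed-delivery notice itself; any "still trying" warning a sender sees would come from their own MTA's queue. The delay and expiry values, the addresses and the client IPs are assumptions chosen for the scenario.

```python
"""Minimal greylisting decision logic (added example; delay/expiry values,
addresses and IPs are assumptions, not taken from the original post)."""

import time

DELAY = 5 * 60          # retry must come at least this long after first sight (assumed)
EXPIRE = 4 * 60 * 60    # forget a triplet that never retries (assumed)
TEMPFAIL = "450 4.7.1 Greylisted, please try again later"
ACCEPT = "250 2.1.5 Recipient OK"


class Greylist:
    def __init__(self, delay=DELAY, expire=EXPIRE):
        self.delay = delay
        self.expire = expire
        self.pending = {}     # triplet -> time of first attempt, not yet accepted
        self.known = set()    # triplets that retried inside the window

    def check(self, client_ip, sender, recipient, now=None):
        """Return the SMTP reply the MTA gives for one RCPT TO attempt.

        A 4xx reply tells the sending MTA to retry from its own queue; the
        greylisting side keeps nothing but the triplet and sends no DSN.
        """
        now = time.time() if now is None else now
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.known:
            return ACCEPT
        first = self.pending.get(triplet)
        if first is None or now - first > self.expire:
            # unseen (or stale) triplet: defer and remember when we first saw it
            self.pending[triplet] = now
            return TEMPFAIL
        if now - first < self.delay:
            # retried too quickly: keep deferring, some spamware retries immediately
            return TEMPFAIL
        # a patient retry: promote to known and accept from now on
        self.known.add(triplet)
        del self.pending[triplet]
        return ACCEPT


def simulate():
    """Constructed scenario: a real MTA retries after 1 and 15 minutes, a spam
    cannon with a forged sender tries once and moves on.  Returns the replies
    each side saw plus the greylist's internal state afterwards."""
    gl = Greylist()
    t0 = 1_000_000.0
    legit_args = ("198.51.100.7", "alice@example.org", "bob@example.net")
    legit = [
        gl.check(*legit_args, now=t0),            # first sight: deferred
        gl.check(*legit_args, now=t0 + 60),       # too soon: deferred again
        gl.check(*legit_args, now=t0 + 15 * 60),  # patient retry: accepted
        gl.check(*legit_args, now=t0 + 3600),     # later mail: accepted at once
    ]
    spam = [gl.check("203.0.113.9", "roger@example.com", "bob@example.net", now=t0 + 1)]
    return {
        "legit": legit,
        "spam": spam,
        "pending": len(gl.pending),   # the spam triplet, waiting for a retry that never comes
        "known": len(gl.known),       # the legitimate triplet
    }


if __name__ == "__main__":
    for side, replies in simulate().items():
        print(side, replies)
```

Note that the forged sender roger@example.com in the spam run never receives anything from this host: the message was refused at RCPT time, so there is nothing to bounce.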
Spammer using Word to hide
McAfee's AVERT blog reports that they have seen spam emails using Microsoft Word documents.
Phone Phishing
I just saw this linked from the F-Secure blog. In an April 2006 article, the Computer Crime Research Organization reports sightings of phish that prompt you to call an 800 number. Users may be appropriately suspicious of financial emails yet be less suspicious of a phone number. The 800 number prompted the user for their credit card number and security code.
When contacting your financial institution, it is best to rely on the URLs and phone numbers printed on your financial statement.
Asian IP Blocks
Ever want to block Chinese or Korean spam?
Here's a site with a list of IP blocks.
www.Blackholes.us is another site I've gone to in the past to find such lists.
The problem with these lists is that IP blocks can be resold to another country, so the maintainer needs to be really careful not to paint with too broad a brush.
Phished
The ISC handler has a good diary entry today on some phishing he’s seen.
I got one yesterday regarding Chase. I have a Chase credit card, and it was sent to the correct email address that is listed with that card. It looked very legit. It said that as someone had accessed my account from two IPs they needed me to visit the website to verify that my account hadn't been 0wned. I often access from both work and home, so it sounded plausible.
The link for the phishing is http://www.aweber.com/livesupport/web/.Chase-Online-Verification/ and aweber appears to be a real company at first glance. I was thinking of calling Chase to ask for verification; instead I went to the real Chase site and read their policy of never sending out emails like this. I also noticed the mail headers came from a .ch TLD. I submitted the URL to Websense. I couldn't find any abuse address for aweber (plus I'm accessing email through my ISP's webmail, and they aren't giving me a good way to get the email in "raw" format, which makes it harder to report abuse).
Some interesting trackback spam
I was reviewing my trackback spam. Yes, I review what the system calls spam just to make sure no legitimate content gets sidetracked. Some of the spam had links to a Radford professor's website. If you follow the link to the university site and you have JavaScript enabled, you'll find yourself immediately redirected to a porn site (not located on the Radford server).
If the spammer had half a brain, he would have social-engineered people much better than that. First, make it look like a real post. A comment or trackback with tons of links is not going to get through. Second, instead of obvious spam content, the trackback could be a bit more relevant to what is posted. Since the spammer is 0wning a legit domain like Radford.edu, he should use that value. People will trust it more than a link to sexsexsex.more.
Toll Gate on the Information Superhighway
Yahoo and AOL have announced plans for a preferred spammer program, whereby a sender can pay fractions of a cent per email and bypass all filters. It's not clear whether this program will actually whitelist unsolicited commercial email or if it will only whitelist valid email from participating companies.
This new plan would appear to be an abandonment of Yahoo DomainKeys and Microsoft Sender ID.
One phishing gang down, n to go
Microsoft put out a press release yesterday indicating that Bulgarian police have arrested eight people who had been phishing MSN accounts.