Recently in Spam Category

Google Docs Viagra Spam


I was going through my Cox inbox and found Viagra spam with a link to http://doc.google.com/View?id=dfpqm7ft_0tt6xhdd2.

It's nothing new that spammers have been taking advantage of Google. It's just kind of annoying to me that this message was sent on October 30th, today is November 10th and the linked Viagra Google doc is still up ("consult a physician if the link stays up longer than 4 weeks"). Am I to believe that no one has reported this link to Google?

The paranoid part of me wonders whether, when I went to the link, Google Docs helpfully checked my Google cookie and provided my Google email address to the spammer, who previously only had my Cox email. Next time I'm clearing cookies and using a safer browser when following unsafe links. But I digress; the real point here is that Google is woefully slow in responding to spam compared to Yahoo. What's up, Google? Use some of that 20 percent time to stop hosting spammers.

http://www.washingtonpost.com/wp-dyn/content/article/2008/09/12/AR2008091201211.html?hpid=topnews

In 2004 Jeremy Jaynes was convicted under Virginia's Anti-Spam law for sending 10 million spam emails through AOL servers located in Virginia.

Virginia's Supreme Court has overturned that conviction and struck down the Anti-spam law.
"The court unanimously agreed with Jeremy Jaynes' argument that the law violates the free-speech protections of the First Amendment because it does not just restrict commercial e-mails."

The weak Federal CAN-SPAM law that has done nothing to stop spam remains in effect.

Here is a link to the ruling.

Picasa Spam Redirect


The MessageLabs Intelligence report for August 2008 reports that spammers are using links to Flash/Shockwave files hosted on Picasa (a Google web album service). The Flash then redirects the user to the spammer's site.

Iconix Phishing Protection


A couple of days ago I received an email from PayPal titled "New PayPal Plug-In - Shop anywhere online." That struck me as kind of suspicious, so I looked at the mail headers. The headers showed the message did originate from PayPal's servers, and more importantly it contained a domain key (DKIM). According to Wikipedia, "DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity" through the use of a cryptographic hash.

If I had to dive into the headers to determine the message validity, how would the normal user do? Are there mail clients that would have automatically verified DomainKeys and SPF for me?

A quick Google found a product called Iconix. Iconix works with Outlook, Outlook Express and a bunch of webmail providers (No Thunderbird support) to take the guesswork out of which messages are real.

Once installed, Iconix looks at SPF/SenderID and DomainKeys to determine message authenticity. Next it looks at message identification: this is a list of companies that have paid Iconix and registered with them. If both are verified, then the message's "display From" will be altered to present a logo of the sending organization's choosing. This allows recipients to tell at a glance that the message is from who it says it is.

Iconix at first appeared to be a great solution. It's been reviewed in several trade publications. I didn't immediately find anyone disparaging them online. Iconix is installed software, so you do wonder a bit about the privacy and security implications. Their FAQ does say that the sender's email address is sent to Iconix.

The problem is that they only provide this service for the companies that have signed up. I would expect that they could validate the DomainKeys or SPF for anyone using those email technologies. While this product does solve my original question, "how can ma and pa kettle obtain a reasonable level of trust in email", it only does so for companies that have paid Iconix. That is an extensive list, and it provides better assurance than SPF and DomainKeys alone could.

While Iconix is not available for Thunderbird, there are other solutions that plug into Thunderbird for SPF and DomainKeys validation.

- update - 6/11 - fixed above where I referred to Firefox when I meant Thunderbird. Firefox can be used just like IE in conjunction with Iconix at many webmail providers.

US Tax Court Phishing


MX Logic has a writeup on US Tax Court phishing emails seen today.

The email from noreply@ustaxcourt.org has a link to download "a Copy of the Order, Letter, Notice or Other Document Being Appealed". The website was not online when I checked on it.

Pernicious Spam


One of my users is getting some spam that is really annoying to deal with. I've seen users get hit much worse (usually by backscatter) but I still think this is an interesting story to tell.

The spammer typically sends 5-10 emails per day from a gmail account. Usually by the next day he's sending from a new gmail account. Thus the mail is coming from a trusted source and we can't block by sending IP or domain. Blocking the email address is barely worth the effort since he will change again tomorrow.

If we had other tools at our disposal we might have a better chance of blocking. Personally, I feel that the anti-spam service we pay for should block these things and we should rarely have to add manual blocks.

The Display From name is actually consistent, so I was able to have the user set up a client-side rule that forwards the message to abuse as an attachment and deletes the message. I don't want to repeat the name and social security number in the From field, but if you Google it there are a ton of blog/forum spams of the same crap.

The recipient list is kind of interesting. It's a long list of NASA, Government, military and Voice of America addresses.

The other interesting thing is some of the messages are long repetitive rants that bypass our spam filter because the message size is too big to be considered spam. That seems like a bad idea.

Looks like the shoe is on the other foot. Last week I was chortling that MessageLabs was tarpitting Google in an automatic response to Gmail sending out so much spam. Now some of MessageLabs' IPs have been blocked by the CBL. Apparently that is rather widely used. I've already seen rejections from Cox and Comcast. CBL is used in Spamhaus and other aggregate blocklists as well.

MessageLabs has reported that they have worked with CBL to resolve the issue, and the latest CBL update has removed the block.

Calendar Invite Spam


Trend Micro has a blog entry on calendar invite spam. I've been seeing that as well.

My biggest problem is reporting the spam. How do you get headers out of a meeting invite in Outlook? If I open the .msg file the user forwarded, the headers are hidden by Outlook. If I look in Notepad, the text is encoded. Perhaps another mail client will be nicer.

In the examples I've seen the invite is from Google Calendar. It's another example of spam from a semi-trusted host.

The spam filter has run amok


My MovableType spam defenses have kind of run amok. It was letting through a ton of spam which led me to disable anonymous comments. For its next trick it decided to trash valid comments.

The first method used for trashing valid comments was a rule that http:// shouldn't appear in the commenter's name field. That wasn't a problem until OpenID. The crappy OpenID plugin I'm using doesn't put the OpenID display name in the name field. Instead it pulls in a URL including the name and the server. A quick tweak to the ruleset fixed that problem.

The next issue I found was that my own comments were getting blocked (when using a test account, not my regular comment account, which is set up as a trusted commenter). The Spamhaus ZEN filter was blocking me. Back in July, MovableType reported that one of the old blocklists was going away and recommended using zen.spamhaus.org instead. Since I like Spamhaus I accepted that recommendation uncritically. Now I find out that "ZEN is the combination of all Spamhaus DNSBLs into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, the XBL and the PBL blocklist". The problem is that the PBL is the Policy Block List. It's like the DUL: it's designed to prevent end users from sending mail directly to recipient mail servers; they should go through their ISP's mail server. That is not the sort of list you should be using with HTTP. Endpoint computers should be browsing directly to my website and making comments.

A better Spamhaus list to use is the XBL. Be aware however that according to Spamhaus, "The XBL contains mostly dynamic IP addresses, meaning the user you would be blocking is probably not going to be the user with the exploited computer. Please do not block innocent users."

You're probably better off forcing the user to prove they are human with a Captcha rather than using (misusing) block lists.
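As an added example (not the post's own code), here is how a comment filter could query ZEN and act only on its SBL/XBL components while leaving PBL hits alone, which is the distinction the post is getting at. The return codes are the ones Spamhaus publishes for ZEN; the resolver stub and the sample answers are constructed so the block runs offline.

```python
"""Spamhaus ZEN return-code triage for a web comment form (added example).

ZEN folds in the PBL, which lists ordinary end-user address space that is not
supposed to speak SMTP directly but browses the web quite legitimately.  This
helper splits a ZEN answer into its sub-lists so an HTTP application can ignore
PBL hits while an MTA can still act on them.  Return codes follow Spamhaus'
published ZEN documentation; the sample answers below are constructed.
"""
import ipaddress
import socket
from typing import Callable, Set

ZEN_ZONE = "zen.spamhaus.org"

# Published ZEN return codes -> sub-list.
ZEN_CODES = {
    "127.0.0.2": "SBL",   # Spamhaus Block List: verified spam sources
    "127.0.0.3": "SBL",   # SBL CSS component
    "127.0.0.4": "XBL",   # Exploits Block List: hijacked/infected hosts (CBL data)
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",  # Policy Block List: end-user space, ISP-maintained
    "127.0.0.11": "PBL",  # Policy Block List: end-user space, Spamhaus-maintained
}

Resolver = Callable[[str], Set[str]]  # query name -> set of A-record answers


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Reverse the octets and append the zone, e.g. 10.2.0.192.zen.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name: str) -> Set[str]:
    """Live lookup: collect every A record; NXDOMAIN (not listed) yields an empty set."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def zen_listings(ip: str, resolver: Resolver = system_resolver) -> Set[str]:
    """Return the ZEN sub-lists (subset of {'SBL', 'XBL', 'PBL'}) that list this IP.

    Answers in 127.255.255.0/24 are Spamhaus error codes (for example, the
    query went through a public resolver).  They carry no reputation
    information, so they raise here rather than being read as 'clean'.
    """
    answers = resolver(dnsbl_query_name(ip))
    if any(a.startswith("127.255.255.") for a in answers):
        raise RuntimeError(f"ZEN returned an error code for {ip}: {sorted(answers)}")
    return {ZEN_CODES[a] for a in answers if a in ZEN_CODES}


def should_block_comment(ip: str, resolver: Resolver = system_resolver) -> bool:
    """HTTP policy: act on SBL/XBL only.  A PBL-only hit is a normal home user."""
    return bool(zen_listings(ip, resolver) - {"PBL"})


def should_reject_smtp_client(ip: str, resolver: Resolver = system_resolver) -> bool:
    """SMTP policy: any ZEN listing, PBL included, is grounds to refuse direct mail."""
    return bool(zen_listings(ip, resolver))


# Constructed answers (documentation-range IPs, not real listings) for offline use.
CONSTRUCTED_ANSWERS = {
    dnsbl_query_name("192.0.2.10"): {"127.0.0.11"},               # home user, PBL only
    dnsbl_query_name("192.0.2.20"): {"127.0.0.4", "127.0.0.11"},  # infected home PC: XBL + PBL
    dnsbl_query_name("192.0.2.30"): set(),                        # not listed
    dnsbl_query_name("192.0.2.40"): {"127.255.255.254"},          # public-resolver error code
}


def constructed_resolver(name: str) -> Set[str]:
    return CONSTRUCTED_ANSWERS.get(name, set())


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        lists = zen_listings(ip, constructed_resolver)
        print(ip, sorted(lists) or "clean",
              "comment:", "block" if should_block_comment(ip, constructed_resolver) else "allow",
              "smtp:", "reject" if should_reject_smtp_client(ip, constructed_resolver) else "accept")
```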

Backscatter


One of our users is a victim of backscatter and has been reporting them to the abuse mailbox at work.

Backscatter is the unsolicited mail that occurs when a spammer sends out email as you and poorly configured email servers return all manner of notices to you. It's funny to watch the Barracuda spam firewall spamming the employee with the message Undeliverable: **Message you sent blocked by our bulk email filter** and an RFC rejection. Along with that come the usual 'out of office' and non-delivery reports.

I figured there really isn't much we can do. I decided that maybe it's time to adjust the SPF record and change it from a ~all to a -all setting. Surprise, surprise, I found that there was not an SPF record for the domain in question. I'm not sure if I dropped the ball on that or if our external DNS provider did something crazy again. At any rate, that is getting fixed, but given how few receivers check SPF records, I don't think it will be a lot of help.

Today's SANS handler diary notes a SPAM storm is affecting the availability of mail servers at some companies in Canada.

It's always amusing to note spammer mistakes in formulating email addresses. In this case it looks like they are using $firstname$randomword$lastname. That's not going to work very well. :) The sheer volume is causing some issues, though.

The handler suggests that it is a best practice to reject email for bad addresses at your MTA, immediately after receiving a bad RCPT TO. I agree that this will prevent a whole lot of unnecessary mail processing. I am concerned, though, that in the absence of additional software this will assist the spammer with address harvesting. If the bad guy can determine that you only accept valid addresses, and you don't have a mechanism to kill directory harvesting attempts, they'll be able to brute force valid addresses. Companies like Postini (Google) and MessageLabs have this sort of feature. I don't know about other MTAs.
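Here is an added example of the kind of check that needs to sit alongside RCPT TO rejection (not the handler's or any vendor's code): it reads Postfix-style "user unknown" reject lines and flags a client that probes many distinct unknown recipients in a short window. The log format is assumed from Postfix defaults and every line below is constructed.

```python
"""Directory-harvest detection from MTA reject logs (added example).

Rejecting unknown recipients at RCPT TO time saves processing, but it also
tells the sender which addresses exist.  The counter-measure is to notice a
single client collecting many "user unknown" rejects in a short window and
throttle or block it.  This parses Postfix smtpd 'NOQUEUE: reject ... 550 5.1.1'
lines (format assumed from Postfix defaults) and flags clients over a threshold.
All log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, Optional, Tuple

REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>"
)


def parse_reject(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, client_ip, rejected_recipient) for a user-unknown reject, else None."""
    m = REJECT_RE.match(line)
    if m is None:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for window arithmetic inside one day's log.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["ip"], m["rcpt"].lower()


def harvesting_clients(lines: Iterable[str], max_unknown: int = 5,
                       window_seconds: int = 300) -> Dict[str, int]:
    """Map client IP -> peak number of *distinct* unknown recipients it probed
    inside any window_seconds span, for clients whose peak exceeded max_unknown.

    Distinct recipients matter: a legitimate sender retrying one mistyped
    address is not a harvester.  Lines are expected in log order.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for line in lines:
        parsed = parse_reject(line)
        if parsed is None:
            continue
        ts, ip, rcpt = parsed
        window = recent[ip]
        window.append((ts, rcpt))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = len({r for _, r in window})
        if distinct > max_unknown:
            flagged[ip] = max(distinct, flagged.get(ip, 0))
    return flagged


# --- constructed sample log -------------------------------------------------
def _reject_line(ts: str, ip: str, rcpt: str) -> str:
    """Build a constructed Postfix user-unknown reject line."""
    return (f"{ts} mx1 postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local "
            f"recipient table; from=<news@example.net> to=<{rcpt}> proto=ESMTP helo=<mx.example.net>")


HARVEST_IP = "203.0.113.7"   # walks the alphabet: classic dictionary attack
TYPO_IP = "198.51.100.4"     # two near-identical addresses: a human typo
SAMPLE_LOG = [
    _reject_line(f"Aug  5 10:01:{sec:02d}", HARVEST_IP, f"{name}@example.com")
    for sec, name in enumerate(["aaron", "abby", "adam", "adele", "ahmed", "alan", "alice", "amy"])
] + [
    _reject_line("Aug  5 10:02:30", TYPO_IP, "jon.doe@example.com"),
    "Aug  5 10:02:31 mx1 postfix/smtpd[2201]: 1F3A2B0C: client=mail.example.org[192.0.2.5]",
    _reject_line("Aug  5 10:02:40", TYPO_IP, "john.doe@example.com"),
]

if __name__ == "__main__":
    for ip, peak in harvesting_clients(SAMPLE_LOG).items():
        print(f"{ip}: {peak} distinct unknown recipients in 5 min -> throttle/tarpit candidate")
```

The flagged dictionary is what you would feed to a tarpit or firewall rule; the accepted-mail line in the sample shows that anything other than a 5.1.1 reject is ignored.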

FDF Spam


F-Secure is reporting in their blog that they are seeing spam in FDF file attachments. FDF files will open in Adobe Reader. Spammers are using this as their latest attempt to bypass spam filters.

Interesting article about an ITWeek writer and an email blacklist.

He learns he's blacklisted. He wonders how this can be, but ultimately he tracks it down. Interesting stuff.

Spam Automation Tools


Brian Krebs links to the XRumer auto-submitter in an entry in the Washington Post Security Fix. It's interesting to see the software that is out there for pumping spam into online bulletin boards.

XRumer uses search engines to gather target forums, then automates the registration and posting of the spam. They brag in the feature list that it can get around CAPTCHAs and email verification. There is a long video demonstrating its use.

According to a Government Computing News article, the Coast Guard is requiring all of its computer users to "take mandatory training on how to avoid fake e-mail messages that try to acquire sensitive data in a technique known as phishing and even more highly targeted attacks known as spear phishing."

That reminds me of an anecdote I heard recently where the Air Force gave anti-phishing training, and then followed up with a test phishing email purportedly from a high-ranking officer. Because of the power of the rank behind the email they still got a very high click-through rate. Obviously more training was needed. That or a better filter.

According to various web reports, Google was using JavaScript to store your Gmail address book while you're logged in. As a result, if you were logged into Gmail, any other website you visited could request your Gmail address book.

This flaw has now been resolved, but it does give one pause about the dangers of JavaScript.

Stration Spam Connection


iDefense is connecting the Stration virus with the recent rise in spam volume according to an article in Information Week.

Spam image technique


John Graham-Cumming blogs on a new animated GIF technique spammers have used to thwart OCRing. His entry a day earlier is interesting also.

SANS Handler Swa Frantzen got Joe Jobbed and he's using the bully pulpit of the SANS Internet Storm Center to advocate changing SMTP error handling.

I got Joe Jobbed around 1997, I had an address rog@juno.com. Some spammer whose name was apparently also Roger sent out a couple of spam runs as that address. Each time I logged in I had to download 15k bounce messages (and assorted spam complaints). Fortunately there was an 800 number in the email message and the guy stopped using my address after I asked him nicely to stop ruining my life.

Swa says the bounce-backs came in on a catch-all address. I'm not sure if he means an address he uses as a spam trap (an address used when registering at public sites) or the more traditional definition, a mailbox that accepts all email for the domain that is not specifically sent somewhere else. If he is using a catch-all mailbox and then complaining about getting spam, I think he's kind of nuts.

I agree with him that virus notices should never be sent to the sender anymore. Too often the sender is forged. However, you can't notify the recipient easily on most mail systems. Most mail systems are going to strip the virus and send the message on to the user, so they still get thousands of unwanted messages. That's not a good solution. I've seen some spam solutions that can notify the recipient once per day of quarantined messages, but we really don't want users spending their time reviewing spam. We want a good spam filter. I wouldn't notify the sender of a message that is quarantined as spam either. And that is where SMTP reliability goes down the tubes: when no one is notified that a message has been blocked.

I don't quite understand his complaint about greylisting. I greylist and it doesn't result in a delayed delivery notice being sent to anyone. I'm also not on board with his idea that recipient mail servers should hold a mail connection open until they have scanned a message and determined that it is acceptable. That just won't work when you're getting 90% spam messages. The solution isn't for everyone in the world to buy a bigger mail server. Besides, you may not want to let a spammer know immediately that his spam run was unsuccessful.

Spammer using Word to hide


McAfee's AVERT blog reports that they have seen SPAM emails using Microsoft Word documents.

Phishing from Free Sites


F-Secure on their blog today asks whether free webhosts such as Geocities, Tripod etc. should proactively monitor for abuse such as phishing websites hosted on their servers.

It's an interesting question. I'm not a lawyer or a privacy rights person. Currently providers are not expected to monitor content. They are expected to take action when notified. I'm pretty sure that performing some review, such as having moderators on a bulletin board, does not open a provider to the expectation of removing all bad content proactively.

If I were doing it, I'd contract with a filtering firm like Websense, Bluecoat or MessageLabs to notify me when a URL from my domain shows up on one of their block lists. Preventing certain hostnames from being used, like paypall-redirect.tripod.com, seems like a good step. I'd be surprised if the vendors aren't doing this already. I suspect the examples found in their post are just examples of names that slipped through the ban list.

Phone Phishing


I just saw this linked from the F-Secure blog. In an April 2006 article, the Computer Crime Research Organization reports sightings of Phish that prompt you to call an 800 number. Users may be appropriately suspicious of financial emails yet be less suspicious of a phone number. The 800 number prompted the user for their credit card number and security code.

When contacting your financial institution, it is best to rely on the URLs and phone numbers printed on your financial statement.

Asian IP Blocks


Ever want to block Chinese or Korean spam?

Here's a site with a list of IP blocks.

www.Blackholes.us is another site I've gone to in the past to find such lists.

The problem with these lists is IP blocks can be resold to another country so the maintainer needs to be really careful not to paint with too broad a brush.

Phished


The ISC handler has a good diary entry today on some phishing he's seen.

I got one yesterday regarding Chase. I have a Chase credit card and it was sent to the correct email address that is listed with that card. It looked very legit. It said that since someone had accessed my account from two IPs they needed me to visit the website to verify that my account hadn't been 0wned. I often access it from both work and home, so it sounded plausible.

The link for the phishing is http://www.aweber.com/livesupport/web/.Chase-Online-Verification/ and aweber appears to be a real company at first glance. I was thinking of calling Chase to ask for verification; instead I went to the real Chase site and read their policy of never sending out emails like this. I also noticed the mail headers came from a .ch TLD. I submitted the URL to Websense. I couldn't find any abuse address for aweber (plus I'm accessing email through my ISP's webmail and they aren't giving me a good way to get the email in "raw" format, which makes it harder to report abuse).

Some interesting trackback spam


I was reviewing my trackback spam. Yes, I review what the system calls spam just to make sure no legitimate content gets sidetracked. Some of the spam had links to a Radford Professor's website. If you followed the link to the University site, and you have JavaScript enabled, you'll find yourself immediately redirected to a porn site (not located on the Radford server).

If the spammer had half a brain, he would have social-engineered people much better than that. First, make it look like a real post. A comment or trackback with tons of links is not going to get through. Second, instead of obvious spam content, the trackback could be a bit more relevant to what is posted. Since the spammer is 0wning a legit domain like Radford.edu, use that value. People will trust it more than a link to sexsexsex.more

Yahoo and AOL have announced plans for a preferred spammer program, whereby a sender can pay fractions of a cent per email and bypass all filters. It's not clear whether this program will actually whitelist unsolicited commercial email or if it will only whitelist valid email from participating companies.

This new plan would appear to be an abandonment of Yahoo Domain Keys and Microsoft Sender ID.

One phishing gang down, n to go


Microsoft put out a press release yesterday indicating that Bulgarian police have arrested 8 people who had performed phishing on MSN accounts.

FTC CANSPAM Report


The FTC report to Congress on the CANSPAM legislation is available here. The report has been widely criticized for saying that the CANSPAM legislation was successful.

It says "since (the) enactment of CANSPAM, spam volume has begun to decline as has consumer frustration." One of the notable aspects of CANSPAM was that the amount of spam skyrocketed after it was passed. Spamming was made legal as long as a legitimate opt-out address was provided and headers were not forged. MessageLabs reports confirm that spam volume skyrocketed after CANSPAM and only since October has it returned to earlier levels. Causation has not been proven.

Consumer frustration has dropped because many ISPs and companies have added spam filters. The spam filter technology has advanced to the point that false positives and false negatives are minimized. Further, several spammers have been taken out of the business by state attorneys general rather than FTC action. The FTC correctly reports that ISPs' blocking of outbound port 25, except through their own mail servers, has hampered the spammers' abilities as well.

Using Senderbase


If you don't use SenderBase to keep an eye on your outgoing mail volumes, you probably should. You can go to SenderBase and search by IP, hostname or domain name to see how mail volume has averaged for the past day and the past 30 days. For example, you might notice that a system that is not supposed to be sending mail shows up with a lot of mail being sent. If you saw something like that you would want to check into it further.

Of course SenderBase only reports about mail that it sees. A full-blown NIDS would probably be a better choice, but you have to make do sometimes. The blacklist lookup at SenderBase is fine, but I prefer the one over at www.dnsstuff.com.

SPIM Prevention

SPIM (Spam over IM) Prevention techniques from the IMLogic threat center: Set your client to not accept messages from people not on your buddy list.

For each IM client, how to stop messages from anonymous users:
AOL IM (v5.9.3690) Sign in
Click "My AIM" > "Edit Options" > "Edit Preferences"
Click "Privacy" in the left-hand column
Click "Allow only users on my Buddy List" under the "Who can contact me" heading

ICQ Lite (v4.1) Sign in
Click "Main" > "Preferences and Security"
Click "Spam Control" in the left-hand column
Check "Accept messages only from users on my Contact List"
Ensure both options under "Not in List Messages" are checked
Check "Do not accept World Wide Pager Messages"
Check "Do not accept Email Express Messages"

ICQ Pro (v2003b) Sign in
Click "Main" > "Security and Privacy Permissions"
Click "Communication Events"
Select the yellow check mark for each line item (be sure to scroll)

MSN Messenger (6.2.0137) Sign in
Click "Tools" > "Options"
Click on Privacy Tab
Check "Only people on my Allow List can see my status and send me messages"
Ensure the "Alert me when other people add me to their contact lists" is checked

Windows Messenger (v4.7.3000) Sign in
Click "Tools" > "Options"
Click on Privacy Tab
Ensure the "Alert me when other people add me to their contact lists" is checked

Yahoo! Messenger (v6.0.0.750) Sign in
Click "Messenger" > "Preferences"
Click "Ignore List" in the left-hand column
Click "Ignore anyone who is not on my Messenger List."

PowWeb adds SPF to mail servers

I was pretty happy today to see that my webhost has added SPF to their spam fighting techniques. This needs to see more widespread adoption.

Right now if someone sends out 10 million spams from my domain to 5 million servers on the internet, roughly 80% of the spam will be to a bad address. An NDR would be generated and sent to me. It's a rather effective denial of service attack, assuming you can insulate yourself from identification as the attacker. If those servers implemented SPF they would see that the message isn't from a valid sender for my domain, and hopefully drop it. Instead many receiving servers send an NDR without enough of the original message, so it doesn't get caught by my spam filters. Not sure if I've explained that well or not, it's pretty late. It is too easy to get your mail servers DoSed indirectly by some spammer.

FTC goes after porn spammers

http://www.pcworld.com/news/article/0,aid,121883,00.asp

What is interesting here to me is that the FTC didn't just go after the spammer, they went after the company paying the spammer.

More SenderID Bashing

Looks like another company wants to generate some good PR buzz by bashing Microsoft and bashing SenderID. This is just like my article from last fall. A company has breathlessly reported that spammers are using SenderID. It's not that bad.

MXLogic's press release is parroted by TechWebNews (parent of SecurityPipeline). They say that spammers use SPF to give an air of legitimacy to their email. I would argue that any spam filter that determines legitimacy by the presence of an SPF record is flawed. It's like the old SpamAssassin problem: SA automatically whitelisted anyone who signed their mail with a digital signature. Does that indicate a problem with the digital signature? No, it indicates a bad implementation.

SPF is about reputation and accreditation. A domain owner publishes who is allowed to send mail from that domain. Everyone else is considered questionable. That cuts down on spam and viruses using common domain names or your own company domain name. So the spammer registers throwaway domains and creates an SPF record. You still have your other spam filters. You still have the ability to blacklist.

Meng Wong provides an illustration.
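To make the SPF mechanics from this post and the backscatter post above concrete, here is an added example (not the post's code or any vendor's) of a small evaluator that walks ip4/ip6/include/all terms and returns the qualifier's result, so the ~all versus -all difference and the "throwaway domain passes SPF" point can be seen directly. The a, mx, ptr and exists mechanisms and redirect= need DNS and are left out; the lookup is injected and every domain and record is constructed.

```python
"""Minimal SPF (RFC 7208 subset) evaluator (added example, not the post's own code).

A receiving MTA fetches the sender domain's SPF TXT record, matches the
connecting IP against its terms in order, and returns the matching term's
qualifier.  Only 'fail' (from -all) lets a receiver refuse the message during
the SMTP session, so no bounce is ever generated toward the forged domain;
~all yields 'softfail', which most receivers merely score.  The a, mx, ptr and
exists mechanisms and redirect= need DNS and are deliberately omitted.
"""
import ipaddress
from typing import Callable, List, Optional, Tuple

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
Lookup = Callable[[str], Optional[str]]   # domain -> SPF TXT record or None


def parse_spf(record: str) -> List[Tuple[str, str, str]]:
    """Split 'v=spf1 ...' into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    terms = []
    for term in parts[1:]:
        if "=" in term:          # modifier (redirect=, exp=); not handled here
            continue
        qual = "+"               # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qual, mech.lower(), arg))
    return terms


def check_host(ip: str, domain: str, lookup: Lookup, depth: int = 0) -> str:
    """Evaluate the sending IP against the domain's SPF policy.

    Returns pass / fail / softfail / neutral / none / permerror.  RFC 7208 caps
    DNS-triggering terms at 10; include recursion is bounded the same way.
    """
    if depth > 10:
        return "permerror"
    record = lookup(domain)
    if record is None:
        return "none"                    # no policy published: receiver learns nothing
    addr = ipaddress.ip_address(ip)
    for qual, mech, arg in parse_spf(record):
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            matched = check_host(ip, arg, lookup, depth + 1) == "pass"
        else:
            return "permerror"           # a/mx/ptr/exists: out of scope for this example
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                     # ran off the end with no 'all' term


def receiver_action(result: str) -> str:
    """One common MTA policy per SPF result (a typical configuration, not a standard)."""
    return {
        "fail": "reject in-session with 550; no bounce is generated toward the forged domain",
        "softfail": "accept but add spam score; the domain owner asked for leniency with ~all",
        "pass": "accept and feed the domain's reputation; a pass is not a whitelist",
    }.get(result, "accept and leave the decision to the content filters")


# Constructed records (documentation address ranges and reserved example names).
CONSTRUCTED_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}


def constructed_lookup(domain: str) -> Optional[str]:
    return CONSTRUCTED_TXT.get(domain)


if __name__ == "__main__":
    for ip, dom in [("192.0.2.55", "example.com"), ("203.0.113.9", "example.com"),
                    ("203.0.113.9", "softfail.example"), ("203.0.113.9", "nospf.example")]:
        result = check_host(ip, dom, constructed_lookup)
        print(f"{ip} for {dom}: {result} -> {receiver_action(result)}")
```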

Spam by Proxy- Nothing New

Spamroll blogged earlier this week about a Maryland Public Television webmaster busted for signing his supervisor up on internet sites to generate annoying emails and telephone calls.

I found a Baltimore Sun article covering this story that gives more detail and attributes its quotes correctly.

I was shaking my head because Spamroll left me with the impression someone thought this sort of thing was new. The Baltimore Sun article cleared that up. The AG's office said this is the first time they've prosecuted someone. The EFF said this sort of thing goes on all the time. The article concludes saying that most reputable sites offer a double opt-in, making this sort of thing harder to do. The problem is that the disreputable sites still don't do that.

So as always, cover your tracks. :) Use a public kiosk to sign your enemies up for spam. Or better yet go to the house of another co-worker and use their insecure wireless connection to sign up the CEO for spam.

Exchange 2003 SP2 and SenderID

Exchange 2003 SP2 includes support for SenderID. I wonder if this will kickstart the usage of SenderID and/or SPF. I currently use SPF on my personal domains.

Little Phish

Spamroll blogs that phishers are increasingly targeting smaller banks and credit unions.

This is a principle true of the protection of online banking as well. The smaller banks and credit unions do not have the fraud detection departments that larger organizations will have.

While the phish will not be detected as early or pursued as vigorously, there just isn't the same bang for the buck on the email distribution. Think of it: if I email one million people the likelihood of finding a Bank of America customer is much better than the odds of hitting members of the Red Apple Credit Union.

A better idea would be for the phisher to attempt to obtain the bank's email list somehow. Or better yet, for credit unions, you know the member companies, so concentrate the phishing email on domains belonging to that company. This is in line with the theory that the criminals will be attacking smaller groups so they aren't detected as quickly.

Customers of even small banks must watch out for phishing. Although I don't see phishing as being the fault of the bank, it is imperative for other reasons that they stay on top of the security concerns associated with online banking.

Scott Richter, where's your cash?

I've been enjoying reading about the bankruptcy hearing involving Scott Richter and Optinrealbig. Microsoft has a large judgment against Scott for spamming. Spamroll has details.

Blocklist Woes

SPAM blocklists are kind of obsolete. They are prone to false positives, and they don't have a very advanced view of a message. It's just a list saying, "I don't want to talk to this IP address". A good blacklist can remove the bulk of the unwanted email and leave the rest of the mail to be scanned by heuristics/Bayesian logic.

The problem comes in when considering who manages the blacklist. For a list to remain trusted, the manager of the list needs to avoid doing stupid things. The RBL is used by RoadRunner, USA.net, BT, Telstra, AOL, Message Labs and many others, so mistakes on this list have huge ramifications. The manager of RBL broke the trust of its users this week when it added AOL to the blocklist (after complaints, AOL was removed from the list this afternoon).

Reports are that this was one spamming incident and this action was taken by RBL when AOL did not respond within 24 hours. Does that sound like reasonable action when dealing with the email of 30 million people?

RBL has been a rather effective spamfilter (in conjunction with other tests), but now we all have to reconsider whether we can in good confidence continue to use it.

Message Labs on Top in Antispam study

Frequent readers will know that I'm a big fan of Message Labs. They are a company that provides an outsourced email filtering solution. This week Veritest made public their first quarter anti-spam tests and announced that Message Labs had come out on top. http://www.net-security.org/press.php?id=3092

In addition to that, Message Labs has announced a new Anti-Spam Service level agreement. Message Labs has been one of the few companies to offer an antivirus SLA, standing behind their antivirus service. Now they stand behind their antispam service. The new agreement guarantees businesses a spam capture rate of at least 95 percent and the assurance of a false positive commitment of 0.0004 percent. How many other antispam vendors make a similar promise?

In the veritest bakeoff Message Labs had a capture rate of 99.29 percent and a false positive rate of 0.00.

AOL Reports Blocked Spam Down

According to a Reuters story, AOL has seen a 50 percent reduction in spam detected over the past year. At the same time subscriber complaints due to spam are down 75 percent.

The article (which reads like a press release for AOL's new security initiative) does not speculate about the cause of this decline. One obvious possible cause is a reluctance on the part of spammers to become a test case for tough spam laws in the Commonwealth of Virginia (where AOL's servers are located).

Where I work spam blocks routinely account for 80 percent of all incoming email so I wouldn't make a global generalization about spam based on what AOL is reporting.

Plea Rejected in AOL Membership List Theft

The Washington Post reports that the Judge in the case against the AOL employee who stole the AOL Membership list and sold it to spammers has rejected a guilty plea on the grounds that a crime may not have been committed.

While employed at AOL, the software engineer stole 92 million email addresses and sold them to spammers for $100,000. However, he is charged under the Federal CAN-SPAM act, which the Judge says requires proof of deception. Normally this deception is in the form of forged mail headers and return addresses.

I would suspect that this cretin would be seen as a co-conspirator with the spammer and thus the spammer's deception would also be his own. So at a re-hearing in January perhaps they can push this thing through.

Still, it seems to me that this is illustrative of what happens when Congress creates law for the problem of the day instead of allowing existing law to do the job. I tend to think that if this guy had been charged with theft of trade secrets there wouldn't be this grey area. Of course, from my cyberlaw class, they would have had to prove that the membership list was really a trade secret and was adequately protected by AOL. At least then they would be working in a clearly established area of law instead of creating a potential test case of the CAN-SPAM statute and potentially having problems with activist Judges.

1 Billion Dollars

http://story.news.yahoo.com/news?tmpl=story2&u=/ap/20041218/ap_on_hi_te/spam_lawsuit
Robert Kramer, whose company provides e-mail service for about 5,000 subscribers in eastern Iowa, filed suit against 300 spammers after his inbound mail servers received up to 10 million spam e-mails a day in 2000, according to court documents.

AMP Dollar Savings Inc. of Mesa, Ariz., was ordered to pay $720 million and Cash Link Systems Inc. of Miami, Fla., was ordered to pay $360 million. The third company, Florida-based TEI Marketing Group, was ordered to pay $140,000.

Kramer's attorney, Kelly Wallace, said he is unlikely to ever collect the judgment, which was made possible by an Iowa law that allows plaintiffs to claim damages of $10 per spam message. The judgments were then tripled under RICO.

"Scammers Exploit DomainKeys Anti-phishing Weapon." So screams the headline in a recent eWeek article.

Oh boy. Here we go again. Another uninformed article from a tech writer who couldn't learn from the response to the uninformed articles about spammers abusing SPF. These articles are really dangerous. They lack any understanding about what SPF and Yahoo! Domain! Keys! actually are intended to accomplish. The articles are read by decision makers and implementers who haven't taken the time to read up on these new technologies and they take the article at face value.

eWeek has an area for comments on its articles. One insightful comment is purportedly by Dave Anderson, CEO of Sendmail. He says "Authentication does not prevent fraud. It does not prevent spam. It does prevent impersonation. None of the proponents has ever suggested otherwise. Once we have email authentication we know who is sending emails and can take many actions to prevent abuse."

It isn't a shock to anyone but these tech writers that an open standard which can be used by anyone is also used by spammers. Merely having an SPF record or a DomainKey should not grant passage to a message. Instead it verifies the source of the message.

The article mentions spammers using DomainKeys with a Yahoo account. Great! If every spammer did that, when you saw a Yahoo return address you would be guaranteed the spam came through the Yahoo system, and you would know whom to complain to.

The closing paragraph of the article is the most interesting, and most likely the most factually incorrect part of the article. "They [phishers] then send out normal phishing messages that take the recipient to an attacker-controlled page located on the bank's server. These attacks are insidious because the victim is visiting a legitimate site, security experts warn." According to this, the phisher has already hacked the bank's server. If this is the case, game over. Phishing is unnecessary; they are inside the bank's server. Most likely the author was trying to say the phishing site often uses images from the legitimate server to maintain the same look and feel.

The thing that galls me most about this horrible article is that I learned about it through a SANS newsletter. They passed the URL on and quoted the article without comment. It's as if they were endorsing this article.

Spammed Drag and Drop Exploit

Yesterday, I saw some spam detected as Trojan/Exploit-DragDrop!link. Today I see that F-Secure posted about this on their blog yesterday. If you click on the 'remove' link, you are taken to a website. At the site they use the drag and drop vulnerability to download a trojan to your computer.

Currently there is no patch for this exploit. In Windows XP with Service Pack 2, you can disable "binary behaviors" under the ActiveX security settings. Other than that, all you can do is follow the usual advice: run all client software as a non-privileged user and do not follow links that you have any reason to be unsure of.

Trouble for Microsoft SenderID

The Apache Group and Debian developers have marshalled the anti-Microsoft forces and convinced the IETF to scuttle the proposed SenderID standard. They do this claiming that it is anathema to have a "standard" be encumbered by patent. Somehow I think this would not have been the first time that a standard had surrounding patents. Further, I would postulate that if this were not Microsoft, nary a word would have been said about it.

The Register article on this has a link to a discussion list archive.

It will be interesting to see what the next step is. Some see SPF separating itself from Microsoft and being implemented as a standard while Microsoft SenderID is available to the MS customerbase.

Not sure why the Slashdot and Register articles are so celebratory. A potential weapon in the war on spam was just handed a defeat. I guess some people will hate anything coming out of Redmond.

Looks like we'll all be implementing Yahoo! Domain! Keys! soon. :(

Drive by Spammer Cops a Plea

Nicholas Tombros is reportedly ready to accept a plea deal in the face of CAN-SPAM charges of breaking into another person's computer to send spam.

Tombros drove through beachfront Venice, California looking for unsecured wireless networks and used them to send porn spam. Also interesting is how he got the email addresses. He stole them from a credit card aggregation company where he worked.

So we've got a lesson there about companies needing to secure our data, and about filling out that privacy election form we get once a year from the credit card company. Otherwise our contact info will be shared with a company that doesn't secure our info.

I wish I could find an article on how this guy was caught. I'm also kind of curious about why the company who paid for the spam wasn't charged as well.

Infoworld's antiSPF article

There is an article over at InfoWorld about a CipherTrust study of SPF.

CipherTrust reports that only 5% of mail is using SPF, and of those using it with correct syntax, an equal number of spammers and legitimate sites are using it.

Infoworld breathlessly reports this in a manner that would indicate that even before the standard is ratified it has been circumvented by the spammers. Those that continue reading down the page find this really isn't true.

SPF is not intended to end the problem of spam. It is intended to end the problem of mail spoofing. (Sidenote: Microsoft's implementation, SenderID, apparently only checks the visible From header, not the envelope from, so it apparently wouldn't solve the problem of a forged envelope from resulting in employees getting virus notices from other companies for messages they didn't even send.) Spammers registering their own domain names with SPF doesn't allow them to continue to spoof valid addresses at other domains.

The real problem with SPF is the lack of implementation by major players. Even commonly phished credit card companies and banks haven't jumped on board. The article points out only 31 of the Fortune 1000 have SPF records.

FCC rules on text message spam

The FCC has issued a ruling on text message spam. It requires that cell phone and pager service providers provide the FCC with a list of domains used exclusively for text messaging. The FCC will ban spam to these domains. However, with written or oral permission a company will be allowed to send these messages.

One thing that is odd is this does not include SMS messages, those text messages sent directly to the phone rather than via an email address. The FCC says that autodialers are already banned for this purpose thus new rules are not necessary.

Another thing that is a bit funny is that it's the opposite of CAN-SPAM. In the CAN-SPAM act the default is to allow spam until you opt out. In this ruling, the default for mobile spam is to not permit spam until you opt in. Of course, in the United States there is often a charge per message (or at least a charge per message over a base amount) for text and SMS messages. This is a much more tangible cost to the consumer for spam than occurs with telemarketing or email spam.

I do kind of wish that the FCC had looked at Bluejacking as well. It will not be long before you are walking down the street and your phone gets a message with an offer of 25 cents off at the Starbucks you just walked past. That sort of thing needs to be stopped before it gets started.

I set up SPF

I set up SPF (aka Sender Policy Framework, aka Sender Permitted From) on my vanity domain name yesterday.

SPF is a method of publishing a list of servers used to send mail from my domain. If any message arrives from another source it should be treated with extreme suspicion or discarded. It is yet another tool used to authenticate a sending domain. The hope is that this will slow down the amount of spoofed email.
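As an added example (not code from this post or from any SPF implementation), a toy evaluator for the ip4/ip6/all mechanisms against constructed records. It shows the point made above about spoofing: a spammer who publishes SPF for his own domain passes only for mail claiming to be from that domain, while the same host forging a protected domain fails. The FAKE_DNS table, domain names and IP ranges are all constructed for the example.

```python
"""Minimal SPF evaluator (added example, not from the original post).

The DNS lookup is replaced by the constructed FAKE_DNS table and only the
ip4/ip6/all mechanisms are handled; real SPF also has a, mx, include and
redirect, which need live DNS.
"""
import ipaddress

# Constructed TXT records. 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges (RFC 5737); the domain names are placeholders.
FAKE_DNS = {
    "example.net":      "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",  # protected site
    "spammer.example":  "v=spf1 ip4:198.51.100.7 -all",                   # spammer's own domain
    "softfail.example": "v=spf1 ip4:192.0.2.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, envelope_from):
    """Return the SPF result for an SMTP MAIL FROM address and connecting IP."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = FAKE_DNS.get(domain)
    if record is None:
        return "none"                      # domain publishes no SPF record
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                    # mechanisms default to "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network, so mixed versions are safe.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        else:
            return "permerror"             # mechanism this toy evaluator does not support
    return "neutral"                       # record exhausted with no match


def demo():
    """Spammer's own domain from his own host: pass. Same host forging example.net: fail."""
    own = check_spf("198.51.100.7", "deals@spammer.example")
    spoofed = check_spf("198.51.100.7", "alerts@example.net")
    return own, spoofed
```

A "pass" only says the source is authentic for that domain; whether mail from spammer.example is wanted is a separate reputation decision.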

Business Newsletters not big spam source

Arial Software performed an audit of the email subscription practices of over 1000 companies. http://www.arialsoftware.com/whitepapers/SpamAudit2004.pdf

What they found in their study is that signing up for a newsletter from a reputable business doesn't get you onto any spammer lists. However, even big name companies have problems handling unsubscribe requests and don't follow what Arial feels is a best practice of double opt-in. (They don't describe double opt-in that I saw, but I assume that is where you subscribe via a web form and are sent a URL via email that you must click on. Then they send you another confirmation that you are really in.)

Greylisting

My personal ISP has started using Greylisting as a method to combat spam.

What is Greylisting?
Greylisting says that until proven otherwise, we're not going to trust an inbound mail connection. It takes the envelope from, the envelope to and the source IP address and forms a tuple. If it has previously let that combination through, it lets it in. But for most mail it gives a temporary failure message. Real mail servers will try again after a preset time. Spammers won't. Even if spammers catch on to this game and reattempt delivery, the mail server can be set to not accept the new attempt for a default time period (20 minutes). This really throws a monkey wrench into the amount of mail the spammer can send. If the spammer is using a mail sender that will retry, perhaps by that point in time he will have been blacklisted due to input from other antispam sources.

Thus far I am very happy about this on my "vanity" domain name. Not sure if it would be good for business use. Some mail servers don't correctly retry after a transient error. (In my opinion non-RFC compliant mail servers should fix their stuff.) Also in business use, where a retry interval might be 4 hours minimum, it could really slow delivery. The auto-generated whitelist and manually generated whitelists for business partners would really help with that. It remembers which tuple combinations "reattempted" delivery and adds them to a temporary whitelist. The greylisting server I use also adds people I sent mail TO to my whitelist.
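The mechanism described in the two paragraphs above, as an added simulator (not code from this post or from the greylisting.org or puremagic implementations): a policy decision on the (source IP, envelope from, envelope to) triplet with the 20-minute delay, the automatic whitelist of triplets that retried, and the whitelist of people a local user mailed. The 36-day whitelist lifetime, the addresses and the IPs are constructed for the example.

```python
"""Greylisting simulator (added example, not from the original post)."""
from dataclasses import dataclass, field

GREYLIST_DELAY = 20 * 60             # retries inside this window are still deferred (from the post)
AUTO_WHITELIST_TTL = 36 * 24 * 3600  # assumption: how long a proven triplet stays whitelisted


@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)      # triplet -> time of first attempt
    whitelist: dict = field(default_factory=dict)    # triplet -> expiry time
    mailed_by_us: set = field(default_factory=set)   # addresses a local user sent mail TO

    def note_outbound(self, rcpt):
        """A local user wrote to rcpt, so replies from rcpt skip the delay."""
        self.mailed_by_us.add(rcpt.lower())

    def decide(self, now, sender_ip, env_from, env_to):
        """Return the SMTP reply: 250 accept, 450 temporary failure (try again later)."""
        triplet = (sender_ip, env_from.lower(), env_to.lower())
        expiry = self.whitelist.get(triplet)
        if expiry is not None and expiry > now:
            self.whitelist[triplet] = now + AUTO_WHITELIST_TTL   # refresh on use
            return 250
        if env_from.lower() in self.mailed_by_us:
            return 250
        first_seen = self.pending.get(triplet)
        if first_seen is None:
            self.pending[triplet] = now
            return 450           # real MTAs queue and retry; fire-and-forget spamware does not
        if now - first_seen < GREYLIST_DELAY:
            return 450           # retried too soon, still inside the delay window
        # A retry after the delay looks like a real MTA: promote to the auto-whitelist.
        del self.pending[triplet]
        self.whitelist[triplet] = now + AUTO_WHITELIST_TTL
        return 250


def simulate():
    """Walk through the behaviours the post describes; returns the reply codes."""
    gl = Greylist()
    me = "me@vanity.example"
    legit = ("192.0.2.10", "alice@partner.example", me)
    # Compliant MTA: first attempt deferred, retry 30 minutes later accepted, then whitelisted.
    legit_codes = [gl.decide(0, *legit), gl.decide(30 * 60, *legit), gl.decide(3 * 3600, *legit)]
    # Spamware with a fresh sender address per message: every triplet is new, nothing gets in.
    spam_codes = [gl.decide(t, "198.51.100.7", f"offer{t}@spam.example", me) for t in range(3)]
    # Spamware that retries immediately stays inside the 20-minute window and is still deferred.
    eager = ("198.51.100.8", "buy@spam.example", me)
    eager_codes = [gl.decide(0, *eager), gl.decide(60, *eager), gl.decide(600, *eager)]
    # Someone a local user mailed earlier bypasses the delay entirely.
    gl.note_outbound("bob@friend.example")
    reply_code = gl.decide(0, "203.0.113.5", "bob@friend.example", me)
    return legit_codes, spam_codes, eager_codes, reply_code
```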

I can see problems caused by things like SPF and ways around it. Greylisting has some interesting potential.

Check out the following links for more info. I certainly can't say everything about greylisting in a brief blog entry. I'm just trying to introduce a cool concept.

www.greylisting.org

http://projects.puremagic.com/greylisting/

George Gardiner - News Flash

George Gardiner weighs in with a news flash. Not all blacklists are equal. I think the rest of us figured that out a few years ago. But George is a lawyer, so we'll give him a few years to catch up. He's still blustering about his right to be heard being hurt by these blacklisters, and how there should be clear steps to exonerate his IP address. Apparently he can't deal with each IP address only having one strike.

The point he doesn't address in this article is why he is sending mail directly from his IP address. As I wrote earlier this week, I think that is a terrible idea. If his mail is so professional and so important, perhaps he should be sending it through a mail server that can be trusted to attempt delivery.

Many people just flat out don't want mail from dynamic IP blocks. Stopping that mail slows down the spammers quite a bit. Many ISPs are already on board with this concept. They no longer allow their customers to send mail out directly from their own machines. These ISPs include Cox, Bellsouth, Earthlink, Mindspring, Verizon, Mediaone, and MSN.

I wonder who the intended audience is over at vnunet if this sort of article is actually informative. "Black-lists can backfire." Thanks for the newsflash.

Right next to this article is a job posting for a Sysadmin with a Security Specialty in the Cayman Islands. Pay is $47k-58k. Unfortunately applications were due by June 23rd. I thought that was kind of funny. Out of date advice regarding blacklists and out of date job posting information. All available at vnunet.com.

Comcast's smtp disconnects ineffective

Back on May 24th I wrote about Comcast's plan to combat spam originating on its network. Comcast reported that they planned to terminate the ability of some users to send mail out via port 25. Unlike Cox Communications, who turned off port 25 for all customers, forcing them to use Cox's SMTP server, Comcast only did this to users who appeared to be sending high amounts of spam.

News.com reports that spam from Comcast has dropped 35 percent since that time.

The news.com article played it evenly, but I felt that Comcast was trying to trumpet this as a great victory. To my way of thinking, that it only dropped 35% shows that targeted disconnects either aren't effective or aren't being done aggressively enough. Comcast should just do what the other major providers have done already: cut off port 25 to all. That will stop 100% of the Comcast spam, not just 35% of it. If they want to be nice, they can then turn 25 back on for the people who really need it.

As a disclaimer, my ability to send mail outbound without using Cox's server has been cut off by Cox. At the time, I didn't like it. But now, I think it's just good internet citizenship. Too many trojaned home systems are spewing forth spam. It's got to stop.

New Phishing Attack Technique

The SANS Internet Storm Center is reporting a new Phishing technique where the body of the message consists of a single image. However if you click in the area of the logon button it does act as a link which takes you to the phishing website. Single image emails are much tougher to detect with antivirus and antispam efforts.

FTC says NO to Do Not Email List

Although authorized by the (YOU)CanSPAM act to create a national do-not-email list, the Federal Trade Commission has declined to do so, according to news.com. The article quotes commission members as saying such a list would be ineffective and burdensome to the consumer.

Instead they highlighted two emerging mail authentication technologies, SPF and DomainKeys, as more likely to be effective weapons in the anti-spam battle.

I tend to agree with this assessment. Unless your mailbox is already hopelessly overrun with spam and can't get any worse, I would never risk giving out my email address to an anti-spam list.

Comcast plan to stop Spam

Comcast's users have been one of the largest sources of U.S.-originated spam. Other large ISPs (Cox and AOL) have taken to blocking end user access to any mail server other than their own on port 25. While this was annoying at first, there were many workarounds available for most users. As a Cox customer it annoyed me to no end that Comcast customers were protected from Cox spam, but we weren't protected from Comcast spam.

Now, Comcast has finally decided to take some action. They feel that blocking outbound 25 to all users would result in too many calls to their call centers, so they are going to be blocking 25 to computers that send out an unusual amount of email. Since such a user is breaking the terms of service, I think this is an acceptable action. It doesn't paint all users with a broad brush the way the Cox action did.

I tend to say let's wait and see. It seems to me that this policy by definition will allow spam out before the computer is blocked. Still, this is a great improvement over what they were doing.
