Recently in Spam Category

A couple days ago I received email from Paypal titled "New PayPal Plug-In - Shop anywhere online." That struck me as kind of suspicious so I looked at the mail headers. The headers showed the message did originate with Paypal's servers, and more importantly it contained a domain key (DKIM). According to Wikipedia, "DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity" through the use of a cryptographic hash.

If I had to dive into the headers to determine the message's validity, how would a normal user fare? Are there mail clients that would have automatically verified DomainKeys and SPF for me?

A quick Google found a product called Iconix. Iconix works with Outlook, Outlook Express and a bunch of webmail providers (No Thunderbird support) to take the guesswork out of which messages are real.

Once installed, Iconix looks at SPF/SenderID and DomainKeys to determine message authenticity. Next it looks at message identification: this is a list of companies that have paid Iconix and registered with them. If both are verified, then the message's "display From" is altered to present a logo of the sending organization's choosing. This allows recipients to tell at a glance that the message is from who it says it is.

Iconix at first appeared to be a great solution. It's been reviewed in several trade publications. I didn't immediately find anyone disparaging them online. Iconix is installed software, so you do wonder a bit about the privacy and security implications. Their FAQ does say that the sender's email address is sent to Iconix.

The problem is that they only provide this service for the companies that have signed up. I would expect that they could validate the DomainKeys or SPF for anyone using those email technologies. While this product does solve my original question, "how can ma and pa kettle obtain a reasonable level of trust in email", it only does so for companies that have paid Iconix. That is an extensive list, and it provides better assurance than SPF and DomainKeys alone could.
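The decision Iconix makes (authentication first, then the paid registry) can be sketched in a few lines. This is an added illustration, not Iconix's code: it assumes our own receiving MTA has already verified SPF and DKIM and recorded the verdict in an Authentication-Results header (RFC 8601), and it checks that the authenticated domain actually matches the display From before a logo would be shown. Both messages and the registry are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Two constructed messages (not real mail). The Authentication-Results
# header is assumed to come from our own MTA, which strips any copy the sender supplied.
GENUINE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=paypal.example; spf=pass smtp.mailfrom=service@paypal.example
From: PayPal <service@paypal.example>
Subject: New PayPal Plug-In - Shop anywhere online.
"""

SPOOFED = """\
Authentication-Results: mx.example.net; dkim=none; spf=pass smtp.mailfrom=bounce@mailer.example
From: PayPal <service@paypal.example>
Subject: New PayPal Plug-In - Shop anywhere online.
"""

def parse_auth_results(header):
    """'authserv-id; dkim=pass header.d=x; spf=pass smtp.mailfrom=y' ->
    {method: (result, {property: value})}. Parenthesised MTA comments are not handled."""
    header = header.replace("\r\n", " ").replace("\n", " ")
    parts = [p.strip() for p in header.split(";") if p.strip()]
    results = {}
    for part in parts[1:]:  # parts[0] is the verifying host (authserv-id)
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return results

def aligned(from_domain, auth_domain):
    """Relaxed alignment: the From domain equals the authenticated domain or is a subdomain."""
    return bool(auth_domain) and (from_domain == auth_domain or from_domain.endswith("." + auth_domain))

def assess(raw, registry):
    """Return whether the display From is authenticated and whether a logo may be shown."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    ar = parse_auth_results(str(msg.get("Authentication-Results", "")))
    dkim_result, dkim_props = ar.get("dkim", ("none", {}))
    spf_result, spf_props = ar.get("spf", ("none", {}))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_props.get("header.d", "").lower())
    spf_ok = spf_result == "pass" and aligned(
        from_domain, spf_props.get("smtp.mailfrom", "").rpartition("@")[2].lower())
    authenticated = dkim_ok or spf_ok  # the From domain was proven by at least one method
    return {"from_domain": from_domain, "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "authenticated": authenticated, "show_logo": authenticated and from_domain in registry}
```

The spoofed sample passes SPF for the envelope sender's domain but not for the display From, which is exactly the case a bare "SPF pass" would wave through.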

While Iconix is not available for Thunderbird, there are other solutions that plug into Thunderbird for SPF and DomainKeys validation.

- update - 6/11 - fixed above where I referred to Firefox when I meant Thunderbird. Firefox can be used just like IE in conjunction with Iconix at many webmail providers.

MX Logic has a writeup on US Tax Court phishing emails seen today.

The email from noreply@ustaxcourt.org has a link to download "a Copy of the Order, Letter, Notice or Other Document Being Appealed". The website was not online when I checked it.

One of my users is getting some spam that is really annoying to deal with. I've seen users get hit much worse (usually by backscatter) but I still think this is an interesting story to tell.

The spammer typically sends 5-10 emails per day from a gmail account. Usually by the next day he's sending from a new gmail account. Thus the mail is coming from a trusted source and we can't block by sending IP or domain. Blocking the email address is barely worth the effort since he will change again tomorrow.

If we had other tools at our disposal we might have a better chance of blocking. Personally, I feel that the anti-spam service we pay for should block these things and we should rarely have to add manual blocks.

The Display From name is actually consistent, so I was able to have the user set up a client-side rule that forwards the message to abuse as an attachment and deletes the message. I don't want to repeat the name and social security number in the From field, but if you google it there are a ton of blog/forum spams of the same crap.

The recipient list is kind of interesting. It's a long list of NASA, government, military and Voice of America addresses.

The other interesting thing is some of the messages are long repetitive rants that bypass our spam filter because the message size is too big to be considered spam. That seems like a bad idea.

Looks like the shoe is on the other foot. Last week I was chortling that MessageLabs was tarpitting Google in an automatic response to gmail sending out so much spam. Now some of MessageLabs' IPs have been blocked by the CBL. Apparently that is rather widely used. I've already seen rejections from Cox and Comcast. CBL is used in SPAMHAUS and other aggregate blocklists as well.

MessageLabs has reported they have worked with CBL to resolve the issue. The latest CBL update has removed this block.

Trend Micro has a blog entry on calendar invite spam. I've been seeing that as well.

My biggest problem is reporting the spam. How do you get headers out of a meeting invite in Outlook? If I open the .msg file the user forwarded, the headers are hidden by Outlook. If I look in Notepad, the text is encoded. Perhaps another mail client will be nicer.

In the examples I've seen the invite is from Google Calendar. It's another example of spam from a semi-trusted host.

About this Archive

This page is an archive of recent entries in the Spam category.

