Spam: September 2004 Archives
Yesterday, I saw some spam detected as Trojan/Exploit-DragDrop!link. Today I see that F-Secure posted about this on their blog yesterday. If you click on the 'remove' link, you are taken to a website. At the site they use the drag and drop vulnerability to download a trojan to your computer.
Currently there is no patch for this exploit. In Windows XP with Service Pack 2, you can disable "binary behaviors" under the ActiveX security settings. Other than that, all you can do is follow the usual advice: run all client software as a non-privileged user and do not follow links that you have any reason to be unsure of.
The Apache Group and Debian developers have marshalled the anti-Microsoft forces and convinced the IETF to scuttle the proposed SenderID standard. They do this claiming that it is anathema to have a "standard" be encumbered by a patent. Somehow I think that this would not have been the first time that a standard would have surrounding patents. Further, I would postulate that if this were not Microsoft, nary a word would have been said about it.
The Register article on this has a link to a discussion list archive.
It will be interesting to see what the next step is. Some see SPF separating itself from Microsoft and being implemented as a standard while Microsoft SenderID is available to the MS customer base.
Not sure why the Slashdot and Register articles are so celebratory. A potential weapon in the war on spam was just handed a defeat. I guess some people will hate anything coming out of Redmond.
Looks like we'll all be implementing Yahoo! Domain! Keys! soon. :(
Nicholas Tombros is reportedly ready to accept a plea deal in the face of CAN-SPAM charges of breaking into another person's computer to send spam.
Tombros drove through beachfront Venice, California looking for unsecured wireless networks and used them to send porn spam. Also interesting is how he got the email addresses. He stole them from a credit card aggregation company where he worked.
So we've got a lesson there about companies needing to secure your data. And to fill out that privacy election form we get once a year from the credit card company. Otherwise our contact info will be shared with a company that doesn't secure our info.
I wish I could find an article on how this guy was caught. Also kind of curious about why the company who paid for the spam wasn't charged also.
There is an article over at InfoWorld about a CipherTrust study of SPF.
CipherTrust reports that only 5% of mail is using SPF and that, of those using it with correct syntax, an even number of spammers and legit sites are using it.
InfoWorld breathlessly reports this in a manner that would indicate that even before the standard is ratified it has been circumvented by the spammers. Those that continue reading down the page find this really isn't true.
SPF is not intended to end the problem of spam. It is intended to end the problem of mail spoofing. (Sidenote: Microsoft's implementation, SenderID, apparently only checks the visible header, not the envelope header, so this apparently wouldn't solve the problem of the forged envelope from resulting in employees getting virus notices from other companies for messages they didn't even send.) Spammers registering their domain names with SPF doesn't allow them to continue to spoof valid addresses.
The real problem with SPF is the lack of implementation by major players. Even commonly phished credit card companies and banks haven't jumped on board. The article points out only 31 of the Fortune 1000 have SPF records.



