Spam Kings covers the recent shutdown of a major internet prescription spamming group.
Good to see that these are getting cracked down upon since a large bulk of the non-bot related spam is for prescription drugs through these places. On the amusing side, apparently this case exposes that someone finally isn't afraid to go after Diaper Deck.
Posted by Eric at 12:31 PM | Comments (0) | TrackBack
We had mentioned before that Canada formed a task force to investigate what course of action to take in the legal sense in regards to spam. They have now released their final report on the matter.
(via Slashdot)
Posted by Eric at 12:20 PM | Comments (0) | TrackBack
I have written on here before about how it is frustrating to see so much FUD which goes on around the anti-virus/anti-spam world (in the commercial part of it at least). Just look at nearly any press release for anti-spam/anti-spyware products on a daily basis and you will see claims which would help the makers of said claims were the numbers inflated as much as possible.
Now Bruce Schneier, someone far more interesting and well respected than myself, has posted up something pointing out frustration with the fearmongering surrounding these industries - specifically in this case around the "threat" of bot networks.
Note that the type of fearmongering he is talking about doesn't just mean commercial sales, but it goes into pushing fears of a national threat - which then brings in government types - which makes for very large contracts for anyone involved. So essentially the more important the people you can scare, then the more money you can make off of those who are afraid.
Note that Schneier also recently wrote about spam - specifically spit.
Posted by Eric at 09:10 AM | Comments (0) | TrackBack
Again, from Slashdot, there is a professor at Boston University who is releasing a paper discussing the details of an idea to charge spammers for your attention. If you read a message and you feel it was a waste of time, then they have to pay you for that time. Otherwise, no fee.
Similar things have been discussed before and generally shot down - I think the very first post on that Slashdot article actually comments towards this very well (and amusingly) as well as the responses to said comment.
Posted by Eric at 08:53 AM | Comments (0) | TrackBack
Slashdot points out that Washington has now outlawed spyware. This is mainly important in that now companies can be sued more easily and successfully for sleazy actions such as making it hard to uninstall the software, or installing without you being aware of it.
Posted by Eric at 08:50 AM | Comments (0) | TrackBack
Were you sitting there thinking to yourself that Google, Yahoo, Hotmail, etc all weren't enough for your free email needs? Well then I have great news for you - AOL is releasing AIM Mail, a new free webmail service for those who aren't content to simply use the existing services.
The service does have a spam filter on it, but I haven't tried it out yet to comment on how well it works. If you have used the service and want to comment on it, please do so.
Posted by Eric at 11:32 AM | Comments (0) | TrackBack
We mentioned the Sober virus previously here on Spamblogging and at that time noted the anti-virus community felt that the Sober virus was staged to infect machines, and then later use those infected machines to send out spam.
Well, this morning I started getting calls from my users with complaints generally along the lines of "I am getting a lot of mail in German".
So now we have our answer - the machines infected with the Sober virus are being used to send German hate messages. They are generally in the vein of political messages, which has been increasingly on the rise in spam these days - no longer just selling sex drugs and pirated software - but now trying to sway voter opinions.
The infected machines download software which is then used to send out spam from that machine.
These new messages being sent are spam, so they should be blocked the same way you would spam. If you don't normally get messages in German, then you might look for common traits in the messages and block based on that.
Or if you have a Bayesian learning type filter, then over the next few days it should learn on its own.
Posted by Eric at 10:01 AM | Comments (0) | TrackBack
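The self-learning behaviour described in the Sober post above, as an added example that is not part of the original post: a minimal Bayesian token filter using Robinson-style smoothing (a textbook method chosen here, not any product's algorithm). All messages are constructed, content-neutral stand-ins; the mailbox also holds one legitimate German message to show that ordinary German mail keeps getting through after the filter learns the spam run.

```python
import math
import re
from collections import Counter

def tokens(text):
    """Unique lowercase word tokens; a word counts once per message."""
    return set(re.findall(r"[a-z]+", text.lower()))

class BayesFilter:
    def __init__(self, strength=1.0, prior=0.5):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}
        self.strength, self.prior = strength, prior

    def train(self, text, label):
        self.docs[label] += 1
        self.counts[label].update(tokens(text))

    def token_prob(self, tok):
        """Spam probability of one token, pulled toward 0.5 when rarely seen."""
        s, h = self.counts["spam"][tok], self.counts["ham"][tok]
        n = s + h
        if n == 0:
            return self.prior                      # never seen: no evidence
        s_freq = s / max(self.docs["spam"], 1)
        h_freq = h / max(self.docs["ham"], 1)
        p = s_freq / (s_freq + h_freq)
        return (self.strength * self.prior + n * p) / (self.strength + n)

    def score(self, text):
        """Combine token probabilities in log-odds space; returns 0..1."""
        logit = sum(math.log(p / (1 - p))
                    for p in map(self.token_prob, tokens(text)))
        return 1 / (1 + math.exp(-logit))

# Constructed sample mail (not real messages).
HAM = ["meeting notes for the budget review on monday",
       "please find the invoice attached for your order",
       "lunch on friday and the project schedule",
       "die rechnung und der termin fuer montag"]       # legitimate German
OLD_SPAM = ["cheap pills online order now",
            "pirated software cheap download now",
            "online pharmacy cheap pills"]
GERMAN_RUN = ["politik skandal lesen sie hier die wahrheit und mehr",
              "skandal in der politik die wahrheit hier lesen",
              "die wahrheit ueber politik skandal jetzt lesen"]
NEW_SPAM = "jetzt lesen skandal und wahrheit der politik"
LEGIT_GERMAN = "der termin und die rechnung fuer freitag"

def demo():
    f = BayesFilter()
    for m in HAM:
        f.train(m, "ham")
    for m in OLD_SPAM:
        f.train(m, "spam")
    before = f.score(NEW_SPAM)          # filter has never seen this run
    for m in GERMAN_RUN:                # user marks three messages as spam
        f.train(m, "spam")
    return before, f.score(NEW_SPAM), f.score(LEGIT_GERMAN)

if __name__ == "__main__":
    before, after, legit = demo()
    print(f"new variant before training: {before:.3f}")
    print(f"new variant after training:  {after:.3f}")
    print(f"legitimate German mail:      {legit:.3f}")
```

Before training the new variant looks like ordinary mail because its only known words come from the legitimate German message; after three corrections the run-specific words dominate while the shared German words stay close to neutral.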
Relating to the FireFox vulnerabilities we have mentioned recently, there is a new update (v1.0.4) for FireFox out. (via Slashdot)
Posted by Eric at 11:13 AM | Comments (0) | TrackBack
Australia's largest ISP, BigPond, says they filter out 6 million spam messages a day. They are upgrading their systems to be even better as they are currently planning on getting even more subscribers on top of their current 2 million customers.
Posted by Eric at 08:48 AM | Comments (0) | TrackBack
Microsoft's Hotmail was used in a honeypot effort which helped nab an international spam gang.
From the article:
The organisation is spread internationally, with operatives in Boston and Russia, domains registered in Monaco, Australia and France and servers in China, Korea, Brazil and Taiwan. Nine defendants - seven men and two companies - are now at the wrong end of a suit brought by Massachusetts Attorney General Tom Reilly for violations of federal and state law related to their spamming activities.
Posted by Eric at 08:44 AM | Comments (0) | TrackBack
When malware spreads across the internet, there are a few key figures that are tracked like the rate of spread and the breadth of area covered among others. While those numbers are interesting to some, Slashdot has a post up pointing out that Symantec Research Labs has a program that shows the spread with pictures.
Note that it is a simulator, and also please feel free to make your own Dune reference.
Posted by Eric at 01:16 PM | Comments (0) | TrackBack
One million Telewest customers have been blacklisted for spamming. That doesn't mean that they were all sending out spam, but it means that there were many (over 17,000 IP addresses) sending out spam - likely through bot infected machines. Now they are in the SPEWS database and forced to address the problem which they were apparently too lax about previously.
Posted by Eric at 09:52 AM | Comments (0) | TrackBack
The bulk spamming program Send-Safe was recently renamed to "Revolution Mailer" according to the Spam Kings blog. It also sounds like the rebranding was fairly half-assed too, likely in a hurried attempt to sneak under the bad press Send-Safe has been getting.
Posted by Eric at 03:25 PM | Comments (0) | TrackBack
Similar in nature to the FireFox security hole we pointed out earlier, there is a Safari/Dashboard hole with their "widget" system and auto-installation.
Here is a description of what happens when you click the example link:
[a] Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes
This is very similar to the FireFox issue in that it downloads and installs/runs a program on your machine. If you are letting your system do this, that is a bad thing. The issue with these is less that they are allowed to do it, but the larger issue is that they allow it and don't tell/ask you before it installs and runs.
This is exactly the sort of thing that IE used to do and as of late appears to have less of - and during those times myself and others would say to use Safari (if you are on a Mac) and/or FireFox instead. But also as I warned - the Mac itself is not invulnerable to such things, it just didn't have anyone showing an exploit yet.
Now if you are on Tiger (OS X 10.4), you have one exploit available for you.
No word yet on a patch/fix for this.
Posted by Eric at 02:15 PM | Comments (0) | TrackBack
Slashdot has an article up asking if the cell phone virus threat is overblown.
Part of the issue here is that most of the noise in the press about how bad the virus issue on cell phones is comes from Symantec. Since they are an anti-virus software vendor, they stand to benefit directly from said claims being as bad as possible. The bulk of all cell phone viruses at this point don't really do anything, they are more just to show that it can be done.
So the answer to the question of whether it is currently overblown probably is "yes" but it doesn't mean that it should be ignored entirely. It also means that you should look at who is warning you about any given virus and what they stand to gain from you taking action based on what they tell you.
Posted by Eric at 01:54 PM | Comments (0) | TrackBack
If you have a blog, then you are likely very familiar with comment spam. If you have a blog running on MovableType, then you are probably familiar with MT-Blacklist. It is what we run here and I am certainly pleased with it for the most part (although its trackback clearing functionality has been essentially crappy since version 3.x of MT).
We posted on here on Spamblogging before about SpamLookup, but I haven't had a chance to install it yet to see how well it works. The creator of MT-Blacklist has posted his thoughts on it. The key points are:
1) It works and it is awesome
2) If you get a lot of spam all at once, it puts a huge load on your server (it looks like it spawns a new process for each hit on mt-comments.cgi and therefore if you are getting many simultaneous hits on that code, you will have that many simultaneous instances of SpamLookup running - which is where that high load is coming from).
It looks like SpamLookup is very good if you have a MovableType blog and is the way to go - but if you tend to get a lot of comments all at once (I appear to from what I have seen of my logs), then you will want to hold off until an update of the code which is easier on your server. I personally am going to continue to hold off at this point until that next version comes out.
Posted by Eric at 01:44 PM | Comments (0) | TrackBack
The subject isn't particularly new, but this article at Wired is: "Spitzer Sets Sights on Spyware".
From the article:
Though Spitzer may get complaints he is attacking legitimate companies, Edelman said, the "fact is, there are lots of surprisingly big companies making serious money from these tactics. So Spitzer's intervention in users' defense is much appreciated and quite helpful." The problem has become epidemic as people spend more time online and spyware developers get more aggressive. Some repair shops blame spyware, particularly the subset of ad-delivery programs called adware, for more than half the trouble they're seeing. One study found spyware on the computers of 80 percent of participants.
Posted by Eric at 01:29 PM | Comments (0) | TrackBack
I am not sure if this is vaguely related to this story we just posted, but there is a trojan out there which lies dormant on your machine until you visit a banking site. Then it tries to mimic that site and steal your information. This is nothing new, these have been out there for some time - but it seems this particular one is news due to how sophisticated it is and how prevalent it is.
The article mentions that your best bet is to make sure you use anti-virus and anti-spyware tools, frequently update them, and make sure that they stay running. I would add in there that ideally users would educate themselves about this as well - an educated user is the safest user.
Unfortunately that essentially never happens and worse yet, it hurts all of us as they get infected and spread it out to others.
Posted by Eric at 10:47 AM | Comments (0) | TrackBack
It looks as if there is a phishing group out there focusing on UK email addresses with a message claiming Tony Blair's email has been hacked. There is a link in the email which draws you to a site claiming to have screenshots of the account, but instead installs a trojan on your system and then tries to get personal information like bank accounts and the like.
Posted by Eric at 10:35 AM | Comments (0) | TrackBack
There is currently a security hole in FireFox which allows a page to install and run code on your machine. This page shows an example of it working (or not working, depending on your outlook towards such things) - note that it exploits the hole. That page doesn't appear to do anything destructive, but if you don't even want to see the security hole in action - don't bother going there.
If you want to correct this, then you can go to Options -> Web features and uncheck "Allow web sites to install software" in FireFox. Or you can install the latest nightly build - or wait for the next update.
I don't know if this applies to all platforms or just Windows.
Posted by Eric at 02:13 PM | Comments (13) | TrackBack
Slashdot points out that Symantec has released a beta of their anti-spyware software.
Posted by Eric at 02:08 PM | Comments (0) | TrackBack
The results are in from one analysis group and April resulted in a deluge of spam according to this article.
Spam and viruses combined peaked at 94% and averaged 86% of all email sent. It also notes that the Sober worm resulted in 45 million messages blocked in a single day for that one company (FrontBridge).
Posted by Eric at 09:58 AM | Comments (0) | TrackBack
I don't know if I would categorize it as new, but according to this article, email is the driving force in new PDA sales. As the hardware improves, as do the wireless network speeds, it makes more and more sense to have a portable device that allows you to check email. It is both a blessing and a curse in that you now can be accessed anywhere (yay!), and you can now be accessed... anywhere (boo!).
While I was on a recent ski vacation I very much enjoyed being able to check the web and my emails while away - but it also reduced the relaxation factor of the vacation having to deal with work issues while I was supposed to be doing nothing (or at least having fun).
The most obvious thing to address - and companies already are - is the threat of viruses and spam to these mobile devices. Especially when you are paying a premium price for the data you download to these devices - you don't want to waste that on spam or get a virus. The key to that is handling it upstream on the server so that it never gets delivered to the handheld (and therefore doesn't waste that precious bandwidth).
But that is easier said than done.
Email on PDAs and phones (which are essentially merging into the same thing these days) has been around for a few years now, but it is currently accelerating at a rate where enough people are starting to use it that it is going to be standard fairly soon.
Perhaps it is time to also make a mobile version of Spamblogging? Anyone interested in such a thing?
Posted by Eric at 09:19 AM | Comments (0) | TrackBack
Sophos is reporting that a new trend in spam these days is that spammers are including jokes along with their message.
Part of this is in the hopes of getting more people to open the message - wanting to read the joke and then with that seeing the spam message (what?! this is nearly a content-based system with ads at this point... that would approach legitimacy if it weren't that the people receiving it didn't request it). But it is also just like the other common trend of adding in text from poems, books, and articles so as to make Bayesian filters more inclined to let the spam through the front door so to speak.
Posted by Eric at 09:11 AM | Comments (0) | TrackBack
This Yahoo article is claiming that phishers are increasingly employing key loggers to gather data which they later use for identity theft (fraud).
From the article it looks like they are mainly talking about software implementations that would get installed on your machine without you knowing it through general lack of awareness. Also note that if you don't have secured space around your computer on which you do business (anything with important data like online banking), it is also possible for someone to put a hardware keylogger on your machine. It is a small device that sits between the keyboard and where it connects to the machine.
It can be installed, collect hundreds of MB of data, and then later physically retrieved and used elsewhere. (I have read that there are also wireless implementations - which are essentially "bugs" in the spy sense)
Note that while Windows is the key target for the software implementation (so Mac and Linux users can be proud about how secure their systems are), the hardware devices work against any keyboard interface (although I haven't seen one for USB keyboards on Macs - but it doesn't mean there isn't one out there).
Posted by Eric at 10:32 PM | Comments (0) | TrackBack
Silicon.com reports that the new Sober worm now accounts for 79% of all virus traffic and 1 in 22 of every email.
Apparently part of its actions include disabling your anti-virus and Windows firewall. This was a major weakness that was raised in the Windows software firewall built into XP (and automatically enabled post SP2) - it allows software running on your computer to disable it - including malware.
The current thought is that these disabling tactics are to set up the newly compromised machines for an oncoming attack - perhaps to create more spam zombie machines. So we might have a new spam surge on our way.
Note that so far the success of this worm seems to be due in large part to the spam tactics of mass mailings and social engineering. It uses phrases and techniques to make users think that the message is something that they really should open, and it also makes them think it is safe and has already been scanned and shown to be free of viruses, when that is not necessarily the case.
I have seen a massive reduction in my home accounts in the number of these Sober messages coming in - but a huge increase in the messages we are seeing blocked at work.
Posted by Eric at 09:02 AM | Comments (0) | TrackBack
At my day job, part of my duties are as a sysadmin. That includes managing our mailserver and the flow of mail in and out. We run TrendMicro's ScanMail (and love it) and it checks every hour for new updates. When it scans mail that has a virus, it sends me a report of it and also flags when we have blocked greater than X virus messages over some short time period and then it calls that an Outbreak.
Well, today I noticed a huge number of viruses getting stopped and multiple times it alerted me to an Outbreak.
The virus that we are seeing an Outbreak of is the WORM_SOBER.S virus. On TrendMicro's main page they are listing it as their top threat (I think top in terms of most hits, not as in most dangerous, since it is listed as a "medium" severity virus). Its listed aliases are "W32.Sober.O@mm", "W32/Sober.p@MM", "W32/Sober-N", "Sober.P", and "Email-Worm.Win32.Sober" - which pretty much just depends which virus scanner catches it as to what it is named.
I'm seeing this one on some of my home accounts too - it will add in a note that it has been scanned by whatever your domain is, which is designed to make you think it is safe to open the attachment. Then when you do, it grabs your addresses and propagates itself that way.
As is very common these days, only Windows machines are susceptible to this at this time. Also note that it doesn't appear to do any damage to your machine, aside from angering the people who get it from you, and taking up bandwidth.
Normally I don't mention these sorts of things, but in this case the volume I am seeing right now is much larger than most outbreak conditions I have seen here in the past.
Posted by Eric at 04:03 PM | Comments (21) | TrackBack
According to this article over at the Scotsman, 'Phishers' try to hook half of internet users with spam e-mails.
From the article:
Of those who had lost money as a result of phishing e-mails (one per cent), the majority (53 per cent) were not compensated by either their bank or credit card provider. A further 11 per cent are still waiting for compensation. Banks are seldom under obligation to provide compensation, with many terms and conditions.
I'm actually fairly surprised that the numbers aren't higher.
Posted by Eric at 03:57 PM | Comments (0) | TrackBack
Over at the excellent spam blog Spam Kings, there is a write-up about Spam Arrest and their attempts to erase that which doesn't paint them in the best light.
While editing the past for your own benefit, ala 1984, is frowned upon by many - the larger issue here is that Spam Arrest is a company which supposedly exists to stop spam and yet they were repeatedly accused of spamming. That is what makes this a big deal - the fact that not only were there many reports of that, but the fact that they now want to erase those reports.
To their credit, from what I have seen and heard from others, they don't spam any longer, if they did in the first place.
Posted by Eric at 09:37 AM | Comments (0) | TrackBack
Slashdot has a post pointing out that Netcraft is claiming to have blocked 5,600 phishing sites since its introduction of an anti-phishing toolbar in December 2004.
Hmm, I am torn - I am loath to see Yet Another Toolbar, but I am pleased to see that someone is doing something about phishing. Since we apparently can't educate the end user, perhaps this sort of thing will make it easier for them to use the web.
How long before there is a fake version of it which assists the phishers, and how long before my mom installs it on her system?
Posted by Eric at 04:14 PM | Comments (0) | TrackBack
This article at the Washington Post is about AOL blocking emails sent out warning of hurricanes and other dangerous weather patterns. There should be an easy way around this and that is to whitelist the group sending the emails (and it looks like that is what AOL is saying they should do - add that address to your address book and it will get through).
But a larger question is whether or not email should be treated as a guaranteed delivery system? If you send something, should you assume that the intended recipient received it and read it? I would submit that even without the issues of spam filters, this is still a dangerous and perhaps even silly way of viewing the email delivery system. But there are many who do feel this way about email - even though even with regular (non-registered) snail mail, you can't assume that it will reach its end destination.
There are companies who are trying to cash-in on this concept with software that is running on your machine and will receive updated content deliveries - ensuring that the end user gets the data sent to them and can reliably note if it has been read or not. This would be perfect for this sort of scenario. There are still many problems with that though - the largest being that it opens up an avenue for spyware and more ads. Either through unscrupulous companies who want to make (more) money off of it, or through users who mistakenly install the wrong thing (this is actually a very common thing with weather programs).
In the end, as long as email isn't viewed as a perfect system, then you can avoid issues like this. It is when it is assumed to be a reliable delivery method that you run into issues like this.
Posted by Eric at 10:23 AM | Comments (0) | TrackBack