Anti spam

Posts about fighting spam

Email security threats rising for SMBs, but leaders fail to focus on anti-spam

A recent study shows the flaws in email security trends among small businesses.

A recent enterprise internet security report found small- and medium-sized businesses lack anti-spam protection.

The study was conducted by PandaLabs, the research branch of Panda Security, and found the email security priorities of 10,470 smaller companies with as many as 1,000 computers did not include Exchange anti-spam technology. According to the study, email was the second most common source for viruses, accounting for 21 percent of malware targeting small- and medium-sized businesses. Also, download-based viruses were significantly less common than those from spam emails, composing just 14 percent of malware that affected SMBs.

The research reveals the email security flaws of emerging SMB trends, as firewalls were much more popular for security investments than anti-spam technology. With an increasing number of viruses coming from spam emails, SMBs can safeguard their email networks with Exchange anti-spam solutions to prevent email infiltration that could result in data loss or computer crashes.

While the study involved businesses from across the globe, the U.S. enterprise sector is particularly prone to spam threats. A study released earlier this summer found the amount of spam coming from the United States grew by 2 percent during the first quarter of 2010.

Study: Businesses see consistent presence of spam messages

A recent study has raised concerns over consistent spam levels for enterprise email networks.

A recently released study on enterprise email management is raising some concerns about email security.

Technology market research firm the Radicati Group recently conducted a study that found 48 percent of responding businesses felt the amount of spam that reaches their networks has remained consistent during the past 12 months. Even more alarmingly, 39 percent of respondents said the amount of spam infiltrating their enterprise email networks has increased during the past 12 months, compared to just 13 percent that reported a decrease.

The study, which included data from 100 global organizations representing more than 300,000 total email users, also found 47 percent of respondents experienced growth in their IT budgets from 2009 to 2010. Businesses with growing IT budgets, and consistent spam threats, may protect their networks with Exchange anti-spam software that can prevent email security issues.

Email management technology is even more critical for businesses based in the United States. A study by security firm Sophos released last month found the U.S. continued to be the world’s most common source for spam email messages during the second quarter of this year, representing 15.2 percent of the worldwide spam market.

Why worry about image spam if you have greylisting?

MessageLabs recently reported an image spam déjà vu, with image spam reaching a new peak in May 2009, and warned that users with outdated spam filters might be the victims of this new wave. Image spam is where spammers place their spam message in an embedded image within the email, thereby bypassing filtering solutions based on Bayesian filtering and heuristic filtering, because the email does not contain any text to scan. Image spam first appeared in 2006 and enjoyed considerable success. Anti-spam vendors quickly created new techniques to block this kind of spam, including optical character recognition (OCR) scanning of the text in the image. The effectiveness of this was short-lived, since spammers started to obfuscate their images by adding background noise and blurred text, thereby rendering OCR scanning useless. Spammers also easily defeated anti-spam solutions that relied on a database of known spam images by slightly adjusting the image in each spam mail. According to the MessageLabs report, we are now seeing a new type of image spam where the image is not embedded within the email but the email contains a link to a remote image on a website. It further warns that ‘it is notoriously difficult for traditional anti-spam techniques to safeguard against this type of image spam’.

Should we be worried by this new image spam? The answer is: no, not at all. That is, if you are using a spam filter that uses greylisting. You will not even have to continually upgrade your system to ward off the latest spammer invention; greylisting will continue to happily block tried and tested spam methods as well as new, nifty spamming ways. Instead of trying to analyze each different type of spam message and heavily interpret images using resource-intensive OCR methods, anti-spam filters must deploy more universal methods that deal with any type of spam, whether that is ‘normal’ spam, image spam, PDF spam or Excel attachment spam. Greylisting is a universal approach that can block any type of spam (and even viruses), and is very difficult for spammers to circumvent.

So what is greylisting? Greylisting blocks spam and viruses by temporarily rejecting initial emails from new (non-white-listed) senders for one minute. Legitimate emails will still get through, but spam messages will not. This is because, unlike spam engines and zombie machines, regular mail servers resend their messages upon initial rejection. Spammers simply cannot afford to resend their messages. If they did this, it would take much longer to send out their spam. The longer it takes to send out spam, the higher the chance is that their domain is added to a blacklist, effectively blocking all their spam from that point onwards. This is also why it is highly unlikely that spammers will start resending their mails to bypass greylisting; there simply is not enough time to resend emails before the spammer is blacklisted.

Granted, greylisting does have its disadvantages; emails from new senders are slightly delayed (usually not more than a couple of minutes, but it does depend on how long your greylisting system waits until it accepts a resend), and in rare instances the initial rejection can trigger a delayed message to the recipient, making the recipient think that the message was not delivered. The recipient will then usually resend the message, with the result that you might receive two identical messages. Since this only happens very occasionally it really does seem to be a small price to pay for a clean inbox. For more information on greylisting: http://www.greylisting.org/.
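An added example (not the post's own code) of the greylisting decision described above: a (client IP, sender, recipient) triplet seen for the first time gets a temporary SMTP rejection and is accepted only when the same triplet is retried after the delay, after which it is remembered as passed. The one-minute delay is the post's; the retry window, the sample senders and the simulated timings are assumptions.

```python
import time
from dataclasses import dataclass, field

DELAY = 60               # seconds a new triplet must wait before a retry is accepted (the post's one minute)
RETRY_WINDOW = 4 * 3600  # forget first attempts that are never retried (assumed value)
TEMP_REJECT = "451 4.7.1 Greylisted, please try again later"


@dataclass
class Greylist:
    """Minimal greylist keyed on the (client IP, envelope sender, envelope recipient) triplet."""
    delay: int = DELAY
    pending: dict = field(default_factory=dict)  # triplet -> time of first attempt
    passed: set = field(default_factory=set)     # triplets that retried correctly (auto-whitelist)

    def check(self, client_ip, mail_from, rcpt_to, now=None):
        """Return the SMTP reply to give for this delivery attempt."""
        now = time.time() if now is None else now
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            return "250 OK"
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > RETRY_WINDOW:
            self.pending[key] = now              # first attempt: temporary rejection
            return TEMP_REJECT
        if now - first_seen < self.delay:
            return TEMP_REJECT                   # retried too early, keep waiting
        del self.pending[key]
        self.passed.add(key)                     # a real MTA queued and retried: let it through
        return "250 OK"


def simulate():
    """Constructed scenario: a real mail server retries after five minutes, a spam bot sends once."""
    gl = Greylist()
    legit = ("198.51.100.7", "alice@example.org", "bob@example.com")
    bot = ("203.0.113.9", "FRfJIrqOpV@example.net", "bob@example.com")
    t0 = 1_700_000_000
    legit_replies = [gl.check(*legit, now=t0), gl.check(*legit, now=t0 + 300)]
    bot_replies = [gl.check(*bot, now=t0)]       # bots do not queue, so there is no retry
    return {"legit_delivered": legit_replies[-1].startswith("250"),
            "bot_delivered": any(r.startswith("250") for r in bot_replies)}
```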

Phishing scams getting more and more sophisticated

Phishing scams have been around for some time. Consumers have been warned numerous times not to click on links in emails and give out personal information or passwords. But what if the phishing email really looks genuine, without the usual telltale signs? In the last few days, a number of Bank of America phishing scams have been circulating that seem to be getting more and more sophisticated.

One of the emails includes the following message: “The Digital Certificate for your Bank of America Direct online account has expired. You need to update the certificate using Bank of America Direct Digital Certificate Updating Procedure”. These emails have the same look and feel as legitimate Bank of America notification emails, and the link shown in the email seems to go to bankofamerica.com. In fact, when you do a ‘View Source’ the link goes to an entirely different domain, but the masked link will be enough to fool non-tech-savvy consumers. The email is not full of the usual obvious spelling and grammar mistakes (although the grammar is not quite correct). Another smart trick is that the phishers are spoofing the sender address that is used for legitimate Bank of America alerts. This allows them to bypass any spam filters that have this email address in the white list.

The link in the email, if clicked on (Readers: please do not click on the link!), will take you to a website where you will be asked to log on with your digital certificate. The phishing website is so sophisticated that it will then actually check with Verisign if your digital certificate is valid. If it is not valid, it will not store your information, but it will still infect your computer with a virus. If it is valid, they will record your digital certificate and more nasty stuff will await you. The following article by Gary Warner from his CyberCrime & Doing Time blog includes more details on this latest Bank of America phishing scam: http://garwarner.blogspot.com/2009/06/bank-of-america-digital-certificates.html.
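One defensive check for the masked link described above, as an added example that is not from the post: it parses the anchors in an HTML body and flags any link whose visible text names a different domain than its href points to. The sample body, the example.net host standing in for the phisher's domain, and the two-label rule for the registrable domain are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL or bare domain string, lower-cased ('' if there is none)."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def base_domain(host):
    # Assumption: the last two labels are the registrable domain (no public-suffix list here).
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


LOOKS_LIKE_URL = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def masked_links(html):
    """Return (shown text, real host) for links whose visible text names another domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = LOOKS_LIKE_URL.search(text)
        if shown is None:                      # 'Click here' style text: nothing to compare
            continue
        shown_domain, real_domain = base_domain(host_of(shown.group(0))), base_domain(host_of(href))
        if shown_domain and real_domain and shown_domain != real_domain:
            findings.append((text, host_of(href)))
    return findings


# Constructed sample in the style of the alert above; example.net stands in for the phisher's domain.
SAMPLE = """<p>The Digital Certificate for your account has expired.</p>
<a href="http://secure-login.example.net/cert/update">www.bankofamerica.com/direct</a>
<a href="http://www.bankofamerica.com/help">www.bankofamerica.com</a>
<a href="http://www.example.org/privacy">Privacy notice</a>"""
```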

ORDB offline

In case you have not yet heard: the open relay database ordb.org is now officially offline. For five and a half years the ORDB volunteers maintained a comprehensive list of known open relays. ORDB.org posted the following notice on their website, which has since gone offline:

“It’s been a case of a long goodbye as very little work has gone into maintaining ORDB for a while. Our volunteer staff has been pre-occupied with other aspects of their lives. In addition, the general consensus within the team is that open relay RBLs are no longer the most effective way of preventing spam from entering your network as spammers have changed tactics in recent years, as have the anti-spam community.”

Whether you used their list or not, it is always sad to say goodbye to a good spam fighting effort.

If you were using ORDB.org to check for spam, it is highly advisable to disable the list in your spam filtering software.

Do people still fall for spam?

Unfortunately yes, they still do. According to a study conducted by the University of Oxford and Purdue University, the latest lucrative spam practice is stock spamming. You know those messages that warn you that company Xyz is hot right now and will make you a fortune? It turns out that spammers buy up stock before they send out the messages; then, whilst people fall for the scam and buy the stock, the spammers sell theirs at a profit. It sounds so simple (not to mention highly illegal) and yet people are falling for it. According to the survey, on days that no spam messages about the company stock were circulating, there was a 6% chance of this stock being traded. On days when spam messages were sent out urging people to buy the stock, the chance of the stock being traded rose as high as 81%. The study also calculated the percentage that investors are losing. On average, investors who fall for the scam are losing 5.25% in the two-day period following the stock touting. However, for the top 20% of stock scams, investors lose as much as 8% in value. Unfortunately people are still falling for spam, and as long as they do, spam will keep on coming.

Spamhaus litigation: Will spammers get a second wind?

No doubt you have already heard about the court case against Spamhaus by emarketing firm e360Insight. Regardless of the merits of e360’s claims, shutting down Spamhaus cannot be a good idea. Spamhaus currently has 650 million users (including many corporate users) and blocks 50 billion spam messages per day. The majority of these messages are illegal, containing offensive content or propagating scams and phishes. Spamhaus is currently deemed to be one of the most effective and accurate black lists available, with a near to 0% false positive rate. If Spamhaus were to be shut down, not only would this cause spam to leak through spam filters, but it could also mean that spammers get a second wind. Knowing that Spamhaus is no longer blocking their messages, spammers could start firing off spam with increased urgency, in the hope that their messages might now reach a greater audience. I just hope that Spamhaus and e360 are able to sort out their differences, since the community at large only stands to lose if Spamhaus is shut down.

Here is a quick sum up of the Spamhaus litigation events:

June 21: e360Insight, a marketing firm based in Wheeling, IL, files suit against Spamhaus (a UK based organization run by volunteers) for erroneously listing e360 on its Register of Known Spam Operations, the ROKSO list. The plaintiff argues that they only send emails to recipients who have subscribed to their lists and have ‘opted-in’. Also, the plaintiff states that according to the Spamhaus website, to be listed on the ROKSO list a spammer should be terminated by at least 3 ISPs for Acceptable Usage Policy violations. e360Insight claims that they have not been blocked by even one ISP. Spamhaus at first defended the action but then withdrew its answer and has taken no further action to challenge Plaintiff’s allegations. Spamhaus claims that according to U.K. laws e360Insight are sending unsolicited emails and will therefore continue to include them on the ROKSO list. Spamhaus also states that a US court has no jurisdiction over an organization based in the UK.

September 13: Since Spamhaus failed to respond, the Court enters a default judgment against Spamhaus in the amount of $11.7 million.

October 5: e360 submits an order to suspend www.spamhaus.org since Spamhaus failed to comply with the court’s previous order. If signed, the order will call for ICANN and/or Tucows (Spamhaus’ Registrar) to take the Spamhaus website down.

October 9: ICANN makes a statement warning that they do not have the ability nor the authorization to suspend www.spamhaus.org.

Top 10 spam characteristics (#1-5)

In a bid to stop spam, Red Earth Software has compiled a list of the most commonly found characteristics in current spam mails. Last week we saw the top spam characteristics in position #10 to #6. Today we are counting down to the #1 spam characteristic, the characteristic that Red Earth Software has found to be the most common in today’s spam messages.

#5. From: and Reply-To: addresses are different: This is a common feature of spam mails, but it is also very common with newsletters. The importance of this characteristic should be minimized since it is also found in legitimate emails.

#4. Message body contains remote image: In order to avoid spam messages from being blocked by word filters, spammers include an image in their message that cannot be filtered for words. In addition, upon opening the email message the image is downloaded from the spammer’s website. Since each message contains a unique ID, the spammer will know exactly which recipient has viewed the mail. This indicates which email addresses are ‘live’ and can be sent even more spam.

#3. Message contains only HTML body: HTML messages usually include a plain text version of the email so that recipients with email clients that cannot read HTML can still view the message in plain text. However, many spammers tend to send HTML messages without this plain text body part. This is done to save on size and to force recipients to read the HTML version which automatically opens an image and connects to a web site when the message is opened. Newsletters also tend to send messages without a plain text body part, so it is important to use a white list of allowed newsletters so as not to catch any false positives.

#2. Message contains many or only HTML comment tags: Some spammers try to circumvent content filters by placing lots of HTML comment tags within the email body text. In this way, content filters will not recognize the spam words since they are separated by comment tags. The recipient, however, will not see the comment tags since these are not displayed when viewing the message in HTML. Therefore it is important to use an email filter that can filter emails by removing HTML tags first.

#1. Recipient’s email address is not in the To: or Cc: fields: Red Earth Software found this to be the most commonly found characteristic in current spam messages. The reason for this is that the recipient’s email address is hidden in the Bcc: field or X-receiver field, along with a substantial number of other email addresses. Spammers do this in order to conceal the fact that the mail was sent to a large number of recipients, and presumably so as not to publish their email list. Some persons might add recipients to the Bcc: field for sending out ‘legitimate’ mailings, but these will tend to be of a more personal nature (which you might wish to block anyway) since most professional companies do not use this method for sending newsletters or mailings. Note however that if you do block emails without a local recipient in the To: or Cc: field, you will be blocking all bcc: messages.

Bottom line: Many spam filters check for the existence of these characteristics (and more) and use these to determine whether the message should be identified as spam. Some characteristics are strong indicators that a message is spam; others really cannot be taken into account at all since they can also exist in legitimate emails. A system checking for spam characteristics can be very effective, but must make use of a sophisticated scoring system to be able to flag spam correctly, applying a different weight to each characteristic.

The top 10 spam characteristics (#6-10)

Even though some spam messages are hard to distinguish from legitimate emails, most spam mails include ‘tell-tale’ signs that can be used to filter them out. In the next few days I will be discussing the Red Earth Software list of current top 10 spam characteristics and how they can be used to detect spam. Remember that these spam characteristics must not be used in isolation, since some characteristics can also be present in legitimate mails. Therefore it is important to use a weighting system that provides an individual score for each spam characteristic. If a message includes several spam characteristics and reaches a ‘spam threshold’, the email can safely be considered as spam.

I have numbered each spam characteristic according to the frequency in which it is found in today’s spam mails, where #1 is the spam characteristic that Red Earth Software found to be most common. Today I am posting #10 through #6. Keep a look out for the top 5 coming soon in this blog.

#10. Illegal HTML exists: Some spam messages include a code for identification in the text of the message. The text is entered outside the HTML tags so as to hide the code from the recipient. There is no legitimate reason to add text outside HTML tags, so the mere presence of illegal HTML can be treated as suspicious.

#9. Message body contains small font size: In order to circumvent Bayesian filters and filters that block messages with only images, spammers enter ‘normal’ text at the bottom of the message in order to appear legitimate. Some spammers include this text in small font size.

#8. Message subject contains email address or recipient name: Either the complete email address or part of the email address (the part before the domain) is added to the subject in order to personalize the message and trick the recipient into thinking that it is a legitimate message. For legitimate mails there is no reason to enter the recipient’s email address in the subject, so the presence of this is a pretty sure sign of spam.

#7. Message body is base64 encoded: Spammers use base64 to encode the message headers and body so that spam filters are not able to read the content and perform any filtering. Most email clients will decode the message so that the message can still be read by the recipient.

#6. Sender address contains number or character sequence: Spammers use automated programs to register thousands of email addresses. Since they are generated in bulk, they often include number or character sequences such as FRfJIrqOpV@hotmail.com or bob36189624@gmail.com. At first spammers used number sequences but when most spam filters started to block these types of addresses they changed to using character sequences which are harder to detect.
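An added example (not Red Earth Software's code) that turns the characteristics from both posts (#1 to #9; #10, text outside HTML tags, is left out because it needs a full HTML parser) into the weighted score with a threshold that the ‘Bottom line’ paragraph calls for. The weights, the threshold, the comment-tag count, the random-address heuristic and the sample message are all assumptions made here for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Weights are assumed for illustration (not Red Earth Software's): #5 scores low because
# newsletters share it; the sum is compared with an assumed threshold.
WEIGHTS = {"recipient_not_in_to_cc": 2.5, "many_comment_tags": 3.0, "html_only": 1.5,
           "remote_image": 2.0, "reply_to_differs": 0.5, "random_sender": 2.0,
           "base64_body": 1.0, "subject_has_recipient": 3.0, "small_font": 2.0}
THRESHOLD = 5.0

def characteristics(raw, recipient):
    """Return the set of characteristics #1-#9 above that a raw RFC 822 message shows."""
    msg = message_from_string(raw, policy=policy.default)
    texts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    html = "".join(p.get_content() for p in texts if p.get_content_subtype() == "html")
    rcpt, found = recipient.lower(), set()
    sender = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    if rcpt not in {a.lower() for _, a in getaddresses(headers)}:       # #1
        found.add("recipient_not_in_to_cc")
    if len(re.findall(r"<!--.*?-->", html, re.S)) >= 5:                # #2 (count assumed)
        found.add("many_comment_tags")
    if html and not any(p.get_content_subtype() == "plain" for p in texts):  # #3
        found.add("html_only")
    if re.search(r"<img[^>]+src\s*=\s*[\"']?https?://", html, re.I):    # #4
        found.add("remote_image")
    if reply_to and reply_to.lower() != sender.lower():                 # #5
        found.add("reply_to_differs")
    local_part = sender.split("@")[0]                                   # #6: bulk-generated address
    if re.search(r"\d{6,}", local_part) or len(re.findall(r"[a-z][A-Z]|[A-Z][a-z]", local_part)) >= 4:
        found.add("random_sender")
    if any(str(p.get("Content-Transfer-Encoding", "")).lower() == "base64" for p in texts):  # #7
        found.add("base64_body")
    subject, rcpt_local = str(msg.get("Subject", "")).lower(), rcpt.split("@")[0]
    if rcpt in subject or (len(rcpt_local) >= 4 and rcpt_local in subject):  # #8
        found.add("subject_has_recipient")
    if re.search(r"font-size\s*:\s*[0-3]px|<font[^>]+size\s*=\s*[\"']?[01]\b", html, re.I):  # #9
        found.add("small_font")
    return found

def score(raw, recipient):
    """Weighted total, spam verdict and the characteristics that contributed."""
    found = characteristics(raw, recipient)
    total = sum(WEIGHTS[c] for c in found)
    return total, total >= THRESHOLD, found

# Constructed sample in the style of the posts (example.net stands in for the real domains).
SPAM = """\
From: FRfJIrqOpV@example.net
To: list-members@example.net
Subject: alice, your account needs attention
Content-Type: text/html

<html><!-- x1 -->Ch<!-- x2 -->eap <!-- x3 -->me<!-- x4 -->ds<!-- x5 -->
<img src="http://track.example.net/open.gif?id=4471"> order now</html>
"""
```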