Tuesday 19 December 2006

Oh Bum. I got Tagged.

Ann Elisabeth Nordbø (aka The Spamhuntress) tagged me earlier. That means I am duty-bound, dear reader, to tell you three things you may not know. Hmmm...

  1. My first real job was at Thorpe Park -- a theme park in an old gravel pit near Staines. I was a pirate on Treasure Island. 1983.
  2. I first used email and IM in 1985. God bless JANET, BSD, PDP11s, and VT100s.
  3. I've never had measles or mumps. As you may know, I recently got chickenpox (don't follow link if you're of a nervous disposition).
  4. I actually get paid to blog -- by Computerworld (where I write IT Blogwatch) and Ferris Research (where I edit/manage the weblog and occasionally write).
  5. I'm an only child (does it show?)
  6. You are number 6.
My other duty is to blog tag five other poor unfortunates. How about: the Notes-tastic Ed Brill, Karma-chameleon Meng Weng Wong, poly-mathematical Ian Lamont, Irish assassin Justin Mason, and the most mysterious "Ravelox".

Another Challenge/Response Datapoint

Sorry to harp on about challenge/response, but on the topic of C/R causing many false positives, I just noticed this post on The Admin Zone:

I HATE challenge-response spam blocking with a passion. All the time, I get Earthlink members signing up on my message board, but not putting the domain name in their whitelist. When vBulletin sends out a validation email, the following bounces back into my mailbox ... As a matter of principle, the mods and I NEVER respond to email challenges; we NEVER "click the link below" to be added to a whitelist.

If an existing user starts using challenge-response spamblocking, forgets to put my domain in their whitelist, subscribes to threads, and as a result fills my mailbox with challenges, they're suspended for a week. Behind spam, it is my number two pet peeve.

Wednesday 13 December 2006

Boxbe: Another C/R Spamhaus

Some buzz today about Boxbe -- a service that promises to forward unsolicited email only from those willing to pay a fee for your attention. I signed up to take a look, and was frankly horrified by what I found.

Boxbe is a front for another of these awful challenge/response setups. Look at the reply I got to a test message:

Subject: Held: testing

The message you sent to richi@boxbe.com regarding "testing" is being held undelivered because he or she has not pre-approved your email address [redacted] for access.

To deliver your message, you can:

* Take a short test (a simple test by following the link below
[link redacted]

* Pay a small fee (USD $0.15) which
Boxbe will share with the richi@boxbe.com. This is intended
for advertisers. To pay, click on the link below:
[link redacted]

Sigh. In case you've not heard the mantra already:
  1. Challenge/response causes spam (because spammers forge the sender)
  2. So if you use C/R, you're a spammer
  3. Filtering your spam is not my job
  4. If everyone used it, email wouldn't work!

Prediction: if Boxbe gets popular, spammers will start sending to it, which will cause backscatter complaints, which will cause blacklisting of Boxbe's servers.

Here's why backscatter is bad, and here's more about the stupid idea that is challenge/response. But don't just take my word for it.

Other Boxbe coverage at Wired, GigaOM, Download Squad.

Tuesday 12 December 2006

Is this a Schadenfreudian Slip?

Don'cha just hate smug robots? Don'cha just love it when they fail?

Poor Asimo-chan. My favourite part is when the minders rush on and pull screens around its confused, flailing body...

I, for one, welcome our new falling-over-embarrassingly robot overlords.

[Hat tip: Howard]

Sunday 10 December 2006

GOOD News: Innocent Woman's PC Seized by Police

What's that you say? Good news? Read on...

Denver woman has PC. PC gets infected by remote-access malware. PC becomes zombie. PC does bad things. Armed police come knocking with warrant. PC seized as evidence. Local ABC news says:

Investigators said someone hacked into [Serry] Winkler's computer ... and used it with a stolen credit card to make fraudulent purchases online ... "Four sheriffs from the Boulder County Sheriff's Office with flak jackets and weapons drawn pounded on my door," said Winkler. "You're just not prepared for it." ... Winkler didn't have a firewall on her computer, which she said was too old. "I've tried it, but it just slows it down so badly that I can't," she said.

Internet security expert Rick Orr of Symantec said that early on, hacking activity was related to fame. "What we've seen in the last few years is a transition from a motivation of fame to a motivation of financial gain," said Orr. He said thieves don't take holidays and when it comes to Internet security, neither should you.

I say: good. I'm glad this happened and that it's getting some publicity (albeit local).

While I'm sad that Ms. Winkler was scared and inconvenienced, a few more of these sort of stories might actually make people more likely to protect their PCs. That ought to put a serious dent in the spam-spewing botnet problem.

Like this post? Digg it.

[Hat tip: Fergie.]

Saturday 9 December 2006

Spam Volumes: What's Really Going on Here?

The sky is falling! The sky is falling! Spam has doubled / spammers are winning / spam is 80% of all mail / 90% of mail / 110%, etc. etc. etc...


I'm getting bored with self-serving anti-spam vendors flinging dubious statistics around. Yes, spam volumes have increased recently, but doubled? Much of this seems to be counting from an artificially-small base during a quiet summer for spam.

Here's my take on what's happening. A bit stream-of-consciousness, so please excuse. Grateful for your thoughts.

The growth in spam is chiefly down to two factors:

  1. Demand-side -- stock kiting gangs wanting access to more and more sending capacity
  2. Supply side -- new, bigger botnets with more sophisticated command and control mechanisms, which are more resistant to being shut down and can send fewer messages per zombie (because they're bigger), so stay under the radar longer

This is compounded by bad statistics, which make the growth seem bigger than it actually is:

  1. New botnets spewing spam from PCs not on blacklists, so a smaller proportion of spam gets rejected (and thus never seen in quarantines)
  2. New botnets resistant to anti-spam techniques such as greylisting (because they have real, autonomous MTAs), so a smaller proportion of spam gets rejected (and thus never seen in quarantines)
  3. New botnets employing content morphing tricks that are fooling many vendors' content filters, so more spam reaches the inbox -- then naive commentators wrongly assume that a doubling of spam in the inbox equals a doubling of spam on the Internet

The image spam messages tend to be about 10x bigger than "normal" (say median 30K compared with 3K), so spam volumes are now much higher in terms of bits on the wire.

Some anti-spam vendors are coping quite adequately with the new techniques, but seem to have broken PR departments ;-)

I trust Commtouch's and MessageLabs's data more than most -- my reading is that spam volumes increased measurably about a month ago, but not to the extent that Chicken Licken would have us believe.


Friday 8 December 2006

Ciao! Interesting Social Engineering Attack

Here's an interesting way of getting your victim to download a Trojan horse. Some users in Italy have been receiving messages "from" a lawyers' office that appear to be replies to a message that the victim never sent.

The messages warn the victim that the lawyer has received pornographic spam from them, threatening the victim with legal action if it happens again. It goes on to say that the victim probably has some sort of virus on their PC and suggests that they download a virus cleanser, to which there's a helpful link in the message.

Of course, the link downloads a Trojan.

Not only that, but the names used for the lawyers seem to be real organizations. I've heard reports that at least one legal firm has four phones permanently tied up with victims calling about these "threatening-yet-helpful" messages apparently sent by the lawyers.

Like this post? Please Digg it, so others can find it.

Hat tip: Symantec's Security Response team.
Also noted by Paolo Attivissimo and Luca Curatola of Neodigital2k.

Tuesday 5 December 2006

"Challenge/response filters have more Achilles' heels than they have feet"

I am such a media whore. That was your humble blogger, quoted in an InformationWeek article:

Spam Filtering Floods Innocent Inboxes
Do challenge/response spam filtering systems create more problems than they solve? One analyst argues against them.
By Thomas Claburn

Two weeks ago, Ferris Research messaging analyst Richi Jennings awoke to find his e-mail inbox filling with spam at a rate of about a message per second. Over the course of two days, a spammer using a bot net -- a collection of PCs that have been subverted through security exploits to send spam -- sent an estimated 10 million messages that purported to come from several of Jennings's e-mail addresses.

That resulted in more than 25,000 bounce messages, from ISPs that return spam to the supposed sender (rather than deleting it) and from challenge/response filters that reply to spam with a note asking the listed sender to answer a challenge question before the initial message gets delivered.

Despite the fact that Symantec's Brightmail service did "an impressively good job" in blocking most of the bounced e-mails, Jennings nonetheless had to deal with hundreds of unwanted messages.

"Over the last year or two, I've spoken to countless challenge/response filter vendors and they all have their own excuse about why their solution is completely different, and really, yes, they agree this is a problem with badly written challenge/response spam filters, but their spam filter would never do anything so stupid and broken," says Jennings. "And of course I'm looking at an example from just about every one of those vendors that I got two weeks ago."

Tal Golan, CTO, president, and founder of Sendio, maker of a challenge/response e-mail appliance used by more than 150 enterprise consumers, disagrees strongly with Jennings's assertion that challenge-based filtering has problems. "Without question, the benefit to the whole community at large drastically outweighs that FUD [fear, uncertainty, and doubt] that's out there in the marketplace that somehow challenge/response makes the problem worse," he says. "The real issue is that filters don't work. From our perspective, challenge/response is the only solution. This whole concept of backscatter is just not true. Very, very rarely do spammers forge the e-mail addresses of legitimate companies anymore."

[Read the full article]

Saturday 2 December 2006

Now! That's What I Call Spamming!

Occasionally, I remember to read Andy Clarke's blog, And all that Malarkey. Doozy of a post earlier this week. Spammers, take note (yeah, right; dream on)...

At about 4.30, the phone rang. Now I've written before about telephone salesmen, but this was a call with a difference ... Not only did [he] identify himself upfront to save me the job of interrogating him, he actually asked, and very politely I should add, if it was OK to contact me. My defences came down and, Holy smokes, I even asked him right there what his software did ... So I gave him my email, this guy has class. Now, here is the odd thing. For the next two hours I was actively waiting for this guy to email me! Two hours in which I was wondering about his software ... he made me think about his product and about the experience of dealing with him (hell, I'm even blogging about it).

Tuesday 28 November 2006

I Got 25,000 Spam Messages in Two Days!

Late last week, some idiot spammer decided it would be a neat trick to send a metric boatload of spam messages in my name (see also Joe Job). I estimate that in the space of 48 hours, his botnet spewed a million messages that appeared to come from one of my domains.

Unsurprisingly, a small percentage of those messages bounced. Guess where the bounces ended up? In my email. All 25,000 of them...

What can we learn from this?

  1. Symantec's Brightmail spam filter is really good. OK, I kinda knew this already, but the Brightmail filters that sit in front of my mail service did a near-perfect job of sifting out the bounces from the real email.

  2. Way too many email servers are badly broken, to the extent that they bounce email to unknown addresses, instead of rejecting it. Some of this is down to configurations that accept everything at the perimeter and only later decide the mailbox doesn't exist, but mostly it just seems to be broken software. (If you run a mail system that does this, for the love of all that's holy please fix it.)

  3. Way too many ISP abuse desks seem to think (2) is perfectly acceptable behavior.

  4. Way too many sites allow their users to auto-reply to email willy-nilly. Don't these people have spam filters? Amusingly, some do, as can be seen from the SpamAssassin-like headers added to the bounced spam, yet even though the message scores higher than the spam cutoff, they're still kindly letting me know that they're out of the office.

  5. Way too many ISP abuse desks seem to think (4) is perfectly acceptable behavior, too.

  6. Challenge/Response spam filters are a royal scourge. (See blog posts passim). It's not my job to filter your spam for you.

  7. SpamCop is still an excellent resource.

Some spammer probably thinks he's been jolly clever and put one over an "anti". However, the state of the art in spam filtering is just too good.
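To make points (2) and (6) above concrete (and the Boxbe backscatter prediction earlier on this page), here is an added toy model, not code from the original post: the same forged-sender spam run is fed to a receiver that rejects unknown mailboxes during the SMTP transaction and to one that accepts first and bounces later, with an optional challenge/response layer on top. Addresses and the spam run are constructed; example.com is the receiving site and example.net the joe-jobbed victim.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed joe-job run: every message carries the same forged envelope
# sender (the victim), addressed to a mix of real and non-existent mailboxes
# at the receiving site. Example domains only, not real addresses.
VICTIM = "richi@example.net"
SPAM_RUN = [
    ("bob@example.com", VICTIM),
    ("nosuchuser1@example.com", VICTIM),
    ("nosuchuser2@example.com", VICTIM),
    ("alice@example.com", VICTIM),
    ("nosuchuser3@example.com", VICTIM),
]
REAL_MAILBOXES = {"alice@example.com", "bob@example.com"}


@dataclass
class Receiver:
    """Toy model of a receiving mail site's two policy choices."""
    reject_at_rcpt: bool          # 550 unknown users inside the SMTP session
    challenge_response: bool      # reply to unknown senders with a challenge
    whitelist: set = field(default_factory=set)
    outbound: list = field(default_factory=list)  # mail this site generates

    def rcpt_to(self, mailbox: str) -> str:
        # A 5xx during the transaction costs nothing: the sending bot just
        # moves on and no DSN is ever created for the forged sender.
        if self.reject_at_rcpt and mailbox not in REAL_MAILBOXES:
            return "550 5.1.1 No such user"
        return "250 OK"

    def after_acceptance(self, mailbox: str, envelope_from: str) -> None:
        # Once 250 has been said, the only way to report a missing mailbox
        # is a bounce to the envelope sender, i.e. to whoever was forged.
        if mailbox not in REAL_MAILBOXES:
            self.outbound.append(("bounce", envelope_from))
        elif self.challenge_response and envelope_from not in self.whitelist:
            # C/R is worse still: even mail to real mailboxes triggers a
            # reply, so every accepted spam becomes an unsolicited challenge.
            self.outbound.append(("challenge", envelope_from))


def run(receiver: Receiver, spam_run) -> Counter:
    """Feed the run through one receiver; count what it sends, and to whom."""
    for mailbox, envelope_from in spam_run:
        if receiver.rcpt_to(mailbox).startswith("250"):
            receiver.after_acceptance(mailbox, envelope_from)
    return Counter(receiver.outbound)


def backscatter_to(victim, *, reject_at_rcpt, challenge_response,
                   spam_run=SPAM_RUN) -> int:
    """Unsolicited messages (bounces plus challenges) the victim receives."""
    counts = run(Receiver(reject_at_rcpt, challenge_response), spam_run)
    return sum(n for (kind, to), n in counts.items() if to == victim)


if __name__ == "__main__":
    for rej in (False, True):
        for cr in (False, True):
            n = backscatter_to(VICTIM, reject_at_rcpt=rej, challenge_response=cr)
            print(f"reject_at_rcpt={rej!s:5} challenge_response={cr!s:5} "
                  f"-> {n} unsolicited messages to the victim")
```

Only the receiver that rejects at RCPT time and runs no C/R sends the victim nothing; every other combination turns the spammer's forgery into mail from the receiving site.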

Thursday 16 November 2006

PC World's Steve Bass Repents?

Last week, I wrote about how PC World's Steve Bass was promoting those evil, evil challenge/response spam bouncing products. I pointed out in my blog post and also in private email to Steve that these things can get their users blacklisted, because misdirected challenges are as bad as the spam itself.

Today, Steve has a new post up, calling me a "Polite ... self-proclaimed spam expert." Errr, well, those who know me may not agree with the first bit. And I'm not sure the second bit is quite my choice of words, but my clients seem to think so. Never mind. Onwards...

Fortunately, Steve has first-hand experience of the problem:

I get a half-dozen or so of these misguided challenge/response e-mails every day

Unfortunately, Steve links to a Wikipedia explanation of something with a similar name but which is nothing to do with spam. Presumably he meant to link to Challenge-response spam filtering. Oopsy.

In fact, reading his explanation of C/R, I'm not sure he actually understands the problem. See if you agree:

You can set some programs to bounce messages back to spammers and make them think your address is no longer working. Quite often a message from a challenge/response system will get treated as spam and bounced back with the rest of the junk e-mail. And quite often these messages float around the Net when someone using challenge/response also has a computer virus.
The spamming part comes into play when the person sending the e-mail receives a reply from the challenge/response program, challenging the sender to prove he or she isn't a spambot.

Well I'd have put it a bit differently. How about this:

Q: You can set some programs to reply to spammers; great idea, right?
A: No, because the replies hardly ever go to spammers -- spammers forge the message's sender. So they don't work.

Q: But it's only spam and we don't care about those messages, so it's OK... right?
A: No, because the forged senders are often real email addresses, with real people at the end of them. So you're causing unwanted email to be sent to them.

In other words, Challenge/Response makes you a spammer.

Update: Steve posted more on this topic. Steve's right on when he says:

Challenge/response ... doesn't work. I'll give you an example. A PC World reader sends me an e-mail and I take a couple of minutes to respond. Then I get an e-mail challenging me, asking me to take an extra step -- click here, go to a Web site, or maybe stand in the corner and whistle a show tune.

Nope, not me, Pal. I've already been a good Netizen and responded to the reader's e-mail; and I'm not about to spend more time on this. If the person sending me the e-mail had a spark or two, they'd have added me to their whitelist before sending me a message. So I watched how I responded to getting a challenge e-mail, figured everyone else would do the same thing, and decided not to bother with it.

And if you're looking for the debate between me and Jeff Hendrickson, it's right here.

Thursday 9 November 2006

Monday 6 November 2006

PC World Offers Dangerous Spam Advice

Meet Steve Bass. Steve blogs at pcworld.com. Watch Steve blog. Blog, Steve, blog. Steve just blogged a bunch of spam filtering resources. Unfortunately, his list is heavy on the challenge/response FUSSP meme. Ooops!

For the record, Choicemail's "unknown-sender registration" and the "bounce" features of MailSnoop and MailWasher are really terrible ideas. (Don't forget that the "sender" of spam is almost always forged.)

I do wish consumer-focused journalists like Steve wouldn't promote these features -- he'll get his readers blacklisted, causing their email not to go through.

Update: Steve has responded. (If you're looking for the debate between me and Jeff Hendrickson, click here to read the latest discussion and follow the link at the end.)

For more background, see:

Thursday 2 November 2006

IP over DAB Digital Radio

Speaking of DAB digital radio, Symantec's Ollie Whitehouse alerts us to the standard for tunneling IP over DAB, ETSI ES 201 735 [PDF]. This sounds extremely cool for broadcast or multicast data to inexpensive devices.

Looks like the HTC Monet uses this, not DVB-H (handheld DVB) to show TV. Virgin Mobile UK is branding it as the Lobster. El Reg has an interesting review.

Ollie is worried about the security aspects though:

Looking at this from a 30,000 ft viewpoint, a number of different and obvious attack surfaces appear to exist:
• The DAB protocol stack
• The IP stack
• Media codecs

Then, your mind starts to work:
• I wonder if they firewall the DAB connection on the device?
• Can I spoof content? If so, how hard is it to attack the media codec with this spoofed content?
• Is it possible to leverage that old IP stack DoS and take out every DAB-IP enabled mobile/cell phone in a 10-mile radius?

You end up with a situation where you could conceivably "broadcast" exploits to a geographic area if you were able to successfully attack any of the attack surfaces outlined above. It makes you think, doesn't it?

Update: also noted at...

Monday 30 October 2006

Woo and Yay for the BBC and the TV "Tax"

Snigger: UNEASYsilence discovers that the UK has a TV licensing regime. Way to go with the up-to-the-minute news, Dan.

Considering the quality of the programming on BBC TV and radio is consistently amongst the best available, if not the best (IMHO), I’m really happy to contribute to the BBC this way. The moment “Aunty Beeb” stops giving value for money, that money’s going to be taken away from them. They know it, and the system works.

Also — “because of the unique way the BBC is funded” — the BBC has helped bring us technical leaps such as:

  • PAL colour (when the US had the awful NTSC standard)
  • 576 line TV (when the US had 480)
  • Digital stereo TV sound (when the US was doing analog)
  • RDS data over FM radio (which the US grudgingly picked up in half-hearted way recently)
  • An open DAB digital radio standard (when the US was doing closed, incompatible digital radio)
  • DVB-T digital television at no extra charge, using robust COFDM (while the US mess about with the quite dreadful 8-VSB)
  • 16:9 widescreen TV broadcasts (when the US was still bickering about HD)

The regulatory regime means that the majority of the population have access to 20-30 TV channels, free of charge, from a relatively small antenna, which doesn’t need to be rotated when you change channels. Meanwhile in the US, TV antennae are butt-ugly and often need to be pointed at several different transmitters, hence the popularity of expensive cable TV.

Detector vans are rare anyway — they’re only used to gather evidence for prosecution. If your household doesn’t have a license, you’ll be “invited” to buy one. If you don’t get one, it’s up to TV Licensing to prove that you’re breaking the law.

Monday 23 October 2006

Microsoft Promises Sender ID Remains Open, But There's No News Here

Microsoft today announced that it has added the Sender ID Framework Email Authentication spec. to the list of Microsoft technologies covered under the Microsoft Open Specification Promise (OSP). This essentially means that Microsoft promises not to take action to protect its patents and other intellectual property (IP) related to these technologies.

The idea is to remove objections to implementing against published "standards" that are based on the fear that Microsoft will sue the developer. This was the main stumbling block preventing Sender ID from becoming an Internet standard in 2004 -- the Purported Responsible Address (PRA) algorithm was patented.

Big whoop. As far as I can tell, nothing has changed. There's no news here. Move along.

This promise seems to be exactly the same promise as was made by Microsoft in 2004. It's a promise that didn't prevent the MARID working group from failing to reach consensus -- mainly due to deadlock over the IP issue.

Friday 20 October 2006

Happy Friday

You may know that I write the daily IT Blogwatch column on Computerworld.com. Who knows, you might even read it; perhaps via its RSS feed. For those of you who can't wait for Monday's edition, here's what has to be the funniest And Finally for ages.

Cliquez-vous ici [hat tip: B3ta].

Tuesday 10 October 2006

There May be Troubles Ahead (for Spamhaus)

But while there's moonlight, and music, and love, and romance...

I'm reading some misinformed comment about the latest Spamhaus woes. I wrote today's IT Blogwatch on the topic, but here's my attempt to summarize here...

  1. e360, which describes itself as a legitimate direct marketer [no comment], objected to being described by Spamhaus as a spammer. It sought legal redress in an Illinois state court.
  2. Spamhaus argued that it was a U.K. organization with no business dealings in Illinois, so the court had no jurisdiction. However, before Spamhaus decided on this defense strategy it asked the court for the case to be removed from state court and moved to federal district court.
  3. Because Spamhaus then decided not to appear in court, the judge decided he had no choice but to enter a default judgment in favour of e360.
  4. A further, proposed order from the court would have the spamhaus.org domain de-registered. This is potentially a huge problem for Spamhaus -- access to the Spamhaus blacklists is usually via a DNS lookup -- a query to a zone such as sbl-xbl.spamhaus.org.

For its part, Spamhaus appears nonplussed, stating that:

We think it can not actually happen, due to the effect it would have both on the Internet and on millions of users. We believe a government agency would have to step in before it happened. One U.S. government agency has begun working on a response. Before an event such as this could occur, we believe ICANN would fight the order, as ICANN understands both the technical effect as well as the political one (hint: ITU and U.S. control of the Internet).

In other words, Spamhaus is pointing to the ongoing grumbles from outside the U.S. about the continued control over Internet policymaking by the U.S. government. If Spamhaus were to "go dark" it may catalyze a new, strengthened effort to wrest control of the Internet from the U.S.

This proposed action may seriously reduce the effectiveness of our spam filters. In the meantime, what can you do to guard against the problem?

If your spam filter uses either of the Spamhaus DNS blacklists, you may be able to change the zone it uses to one that isn't under U.S. control. For example, look in your filter's configuration and change sbl-xbl.spamhaus.org to sbl-xbl.spamhaus.org.uk (note that Spamhaus has not yet confirmed that this is supported).

Alternatively, as suggested by Slashdot's The Blue Meanie, you may be able to modify the way you resolve DNS queries. In UNIX-like operating systems, you might add something like this to /etc/named.conf:

zone "spamhaus.org" in {
    type forward;
    // the forwarder addresses were elided in the original post
    forwarders {;;;; };
};
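As an added Python example (not code from the original post), this is how a filter performs the DNS lookup described in point 4 above, and why a zone switch needs a sanity check: if the spamhaus.org domain stopped answering as a blacklist, a parked-domain wildcard would return a non-127.0.0.0/8 address for every name, which must be treated as a broken zone rather than a listing. The resolver is injected and the answer table is constructed, so it runs offline; the return-code table is a simplified assumption, and the .org.uk zone is the page's own suggestion, not a confirmed alternative.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# A resolver is any callable mapping a query name to the A record it returns,
# or None for NXDOMAIN. Injected so the example runs offline.
Resolver = Callable[[str], Optional[str]]

# Simplified return-code table for the combined SBL/XBL zone, used only by
# this example (assumption: check the zone operator's documentation).
LIST_CODES = {2: "SBL", 4: "XBL", 5: "XBL", 6: "XBL"}
DNSBL_ANSWERS = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: the client IP's octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)          # ValueError on garbage input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dnsbl_lookup(ip: str, zone: str, resolve: Resolver) -> str:
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return "not_listed"                   # NXDOMAIN: not on the list
    a = ipaddress.IPv4Address(answer)
    if a not in DNSBL_ANSWERS:
        # Anything outside 127/8 is not a listing. If the zone's domain were
        # de-registered and a parking page's wildcard answered instead, every
        # IP on the Internet would suddenly "match"; treat the zone as unusable.
        return "zone_error"
    return LIST_CODES.get(int(str(a).rsplit(".", 1)[1]), "listed")


def lookup_with_fallback(ip: str, zones: List[str], resolve: Resolver) -> str:
    """Try each configured zone in order; move on only when a zone is broken."""
    for zone in zones:
        verdict = dnsbl_lookup(ip, zone, resolve)
        if verdict != "zone_error":
            return verdict
    return "zone_error"


# Constructed answers standing in for the DNS; none of this is real listing data.
FAKE_DNS: Dict[str, str] = {
    "44.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.2",     # SBL listing
    "9.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.4",      # XBL listing
    "1.2.0.192.sbl-xbl.spamhaus.org": "192.0.2.200",    # bogus (parked) answer
    "1.2.0.192.sbl-xbl.spamhaus.org.uk": "127.0.0.2",   # alternate zone answers
}
fake_resolve: Resolver = FAKE_DNS.get

if __name__ == "__main__":
    zones = ["sbl-xbl.spamhaus.org", "sbl-xbl.spamhaus.org.uk"]
    for ip in ("192.0.2.44", "192.0.2.9", "192.0.2.1", "192.0.2.10"):
        print(ip, dnsbl_lookup(ip, zones[0], fake_resolve),
              lookup_with_fallback(ip, zones, fake_resolve))
```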

Friday 6 October 2006

Lyris or Lie-ris? Suspect Spam Stats. for False Positives

I see Lyris claims that Gmail's spam filters cause 3 percent false positives and they used to cause 44 percent earlier this year. What rubbish. And how sad that a major IT news outlet regurgitated them so uncritically.

There's no way that a real Gmail user is seeing that kind of FP percentage, no matter how they legitimately measure it (and there are several ways used, depending on whether you'd prefer to publish a tiny number or a big, scary number).

My estimate of Gmail's FP performance is about 0.01 to 0.02 percent. That's based on roughly one per week, and measured as a proportion of total email hitting the spam filter.

Reading between the lines of Lyris's report, they're only measuring as a proportion of inbound marketing email, which might explain why the headline figures are so high.

Frankly, these crazy numbers cast doubt on the rest of the statistics presented in this report. Lyris clearly has an agenda here -- to instill FUD in the minds of direct marketers so that they'll sign up to Lyris's services. That's nice...

Sadly, ZD were taken in by these shenanigans and presented the figures as an "IT Fact".

Thursday 5 October 2006

Vista Software Protection Platform disables Windows Defender

Let's see if I have this straight. In its ongoing effort to thwart pirates, Microsoft is going to prevent its anti-malware bits from working on a PC running pirated Windows Vista? Sez Computerworld:

Customers who decline to or cannot successfully validate their copy of Vista during installation will be blocked from using certain features [including] Aero ... ReadyBoost ... and Windows Defender, which protects against viruses and spyware.

So it's fine for PCs running pirated versions of Vista to spew spam and malware into my inbox? Stupid, stupid, stupid...

Tuesday 3 October 2006

ISPs Should Fix the Zombie Problem

Zombies are a big problem, but ISPs are in a unique position to fix the problem and should be motivated to do their part. An ISP can detect when one of its customers' PCs starts sending spam, either by outbound content control or by spotting an unusual spike in volume. ISPs may even be able to detect the earlier signs of infection, such as connection to an IRC channel used to control the bots.

When an ISP detects a zombie, it should immediately prevent that subscriber from sending email. It should make contact with affected subscribers and help them clean up their machines. If necessary, ISPs could cut off all Internet access for those subscribers, moving them into a Web "walled garden" -- this would force subscribers to see a web page alerting them to the problem and giving instructions on how to clean up their PC.
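An added example of the volume-spike detection and the "block sending first" response described above, written for this page rather than taken from any ISP's tooling: it buckets a constructed outbound-relay log per subscriber and hour, compares each hour against that subscriber's own median history, and lists who should have outbound mail suspended. The log format, thresholds and subscriber ids are all assumptions.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed outbound-relay log (not a real ISP's format):
# "<ISO timestamp> <subscriber id> <recipient count for that message>"
LOG = """\
2006-10-03T08:05:11 cust42 2
2006-10-03T08:40:02 cust42 1
2006-10-03T09:12:45 cust42 3
2006-10-03T10:01:30 cust42 2
2006-10-03T11:00:03 cust42 140
2006-10-03T11:00:04 cust42 160
2006-10-03T11:00:05 cust42 150
2006-10-03T08:30:00 cust7 4
2006-10-03T09:30:00 cust7 3
2006-10-03T10:30:00 cust7 5
2006-10-03T11:30:00 cust7 4
2006-10-03T11:45:00 cust99 60
"""

Alert = Tuple[str, str, int, float]   # subscriber, hour, recipients, baseline


def parse_line(line: str) -> Tuple[str, str, int]:
    ts, sub, rcpts = line.split()
    return ts[:13], sub, int(rcpts)   # hour bucket, e.g. "2006-10-03T11"


def hourly_recipients(log: str) -> Dict[Tuple[str, str], int]:
    """Recipients per (subscriber, hour); recipients, not messages, since one
    message to 500 addresses is the same outbound load as 500 messages."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in log.splitlines():
        if line.strip():
            hour, sub, n = parse_line(line)
            counts[(sub, hour)] += n
    return dict(counts)


def detect_spikes(counts, ratio: float = 10.0, min_recipients: int = 50) -> List[Alert]:
    """Flag an hour when it is at least `ratio` times the subscriber's median
    of earlier hours AND at least `min_recipients` (so a new subscriber with no
    history is judged on the absolute floor alone, and a 3 -> 30 blip is not)."""
    by_sub: Dict[str, Dict[str, int]] = defaultdict(dict)
    for (sub, hour), n in counts.items():
        by_sub[sub][hour] = n
    alerts: List[Alert] = []
    for sub, hours in by_sub.items():
        ordered = sorted(hours)
        for i, hour in enumerate(ordered):
            history = [hours[h] for h in ordered[:i]]
            baseline = float(statistics.median(history)) if history else 0.0
            n = hours[hour]
            if n >= min_recipients and n >= ratio * baseline:
                alerts.append((sub, hour, n, baseline))
    return alerts


def suspend_outbound(alerts: List[Alert]) -> List[str]:
    """The response the post argues for: stop the subscriber sending mail
    first, then contact them; here just the de-duplicated list of who."""
    return sorted({sub for sub, _, _, _ in alerts})


if __name__ == "__main__":
    found = detect_spikes(hourly_recipients(LOG))
    for sub, hour, n, baseline in found:
        print(f"{sub}: {n} recipients in {hour}, median of earlier hours {baseline:g}")
    print("suspend outbound for:", suspend_outbound(found))
```

With the constructed log, cust42 (steady 2-3 recipients an hour, then 450) and cust99 (no history, 60 in its first hour) are flagged; cust7's steady 3-5 is not.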

ISPs should be proactive in quickly fixing such problems. ISPs may need to modify their Terms Of Service, to contractually allow them to take these actions -- but take them they should, for the sake of their business.

If ISPs don't fix such problems, their reputation and the reputation of their customers may be damaged. The anti-spam industry has woken up to the fact that reputation is a good way to filter incoming SMTP connections, without the expense of content scanning. As this view becomes more prevalent, ISP customers won't want to be associated with an ISP that takes a cavalier attitude to their reputation and that of their customers.

Tuesday 12 September 2006

Domain Assurance Council

The Domain Assurance Council (or DAC) is a new trade body representing organizations that certify or accredit email sending organizations and customers of those organizations. (Examples of such organizations include Habeas and Goodmail; their customers are typically ISPs and spam control technology vendors.)

With sender "authentication" (authorization) standards such as SPF and DKIM becoming more popular, there's a need for a standard way for a trusted authority to vouch for a domain name. DAC plans to help the industry create a standard way for organizations to "vouch" for a sending domain. They will do that by publishing reputation or accreditation data about a domain name in a standard form. The standard will be known as Vouch By Reference (VBR).

For example, a receiving mail system may be able to use SPF or DKIM to verify that an incoming message was sent by example.com, but it currently has no standard way of deciding if it wants to receive email from that company. Using VBR, a receiving system would be able to look up the domain and decide if it wishes to receive the message.

VBR could also allow smaller, more specialist organizations to vouch for organizations in their own vertical industry or niche (e.g. the pharmacological industry). The theory is that specialist authorities will know their industry better; if a sender goes bad, a specialist authority might discover this more quickly than a generalist.

VBR means that there should be no need for proprietary methods, such as Goodmail's. VBR will create a market for organizations that vouch for domains, allowing its members to compete with minimum "friction." VBR should also allow customers to switch providers -- i.e. there will be no lock-in to a proprietary provider such as Goodmail.

Current members of DAC are Goodmail, Habeas, Return Path, Trend Micro, and IronPort. DAC is run by John Levine and Paul Hoffman. Paul has plenty of experience running this sort of group, having previously run the Internet Mail Consortium amongst others.

Friday 1 September 2006

New Spammer Tactic: Blipverts

For a while now, stock kiting spammers have been encoding their spam in images and trying new ways to make each image slightly different. That makes it harder for hash-based content filters to spot the images.

Here's an interesting new twist. An animated GIF that flashes subliminal images. Presumably each of these is slightly different from message-to-message. On the right, you can see one of these "blipverts" separated out from the GIF (and resized).

(With apologies to Max Headroom)

Friday 25 August 2006

New Unsubscribe Button in Windows Live (née Hotmail)

ClickZ' Rebecca Lieb reports on the Windows Live Unsubscribe button:

Ironic as it may sound, commercial e-mailers are jubilant about a new feature Microsoft's rolling out: an "unsubscribe" button.

The button is part of Windows Live, the beta service that will replace Hotmail in a few months. If it's as successful as many anticipate, expect similar changes at the other major ISPs.

Here's how it works: Windows Live account holders have begun to see the "unsubscribe" button replace the dreaded "report spam" button on messages that contain a valid unsubscribe link. When a person clicks the "unsubscribe" button, Microsoft forwards the request to the sender.

Not sure what I think about this. Microsoft claims to be protecting against listwashing, as only "legitimate" senders get the unsubscribe button. Then again, do we trust Microsoft's view of who's legitimate?

Note that if MS thinks the sender is legit., you don't get to see a Report Spam button.

Monday 21 August 2006

Email Cryptography Helps Avoid Bad Debts

If a credit card company were to send statements by email, it might be able to identify which of its customers are getting into financial difficulties. That's the interesting claim made by email encryption company Identum.

The argument goes like this: when card issuers send paper statements to people, they're usually opened quickly. However, when people are getting into financial trouble, they often go into denial. This causes them to ignore card statements, putting them in a pile somewhere, unopened.

What if the card issuer had some way of knowing that statements were going unread? That would be an early warning that there's a problem. This of course relies on card issuers having two important capabilities:

  • A secure way of emailing statements to customers
  • A reliable way of getting read receipts back

But what about online banking? Wouldn't people prefer to just read their statements online? Some would, but others seem to prefer to have statements "pushed" to them in email.

Thursday 10 August 2006

Ziff Davis are SPAMMERS

I've had enough. I'm outing Ziff Davis as a spamhaus.

The company sends me several unwanted messages per week. I have diligently unsubscribed several times. It also appears to repurpose lists to an alarming degree.

Its ISPs also appear to ignore abuse complaints.

I'm mad as hell and I'm not holding my tongue any more.

Thursday 27 July 2006

Scalix to go open source

Scalix plans to open the source for their Community Edition. When I was at HP (for 14 years!), we thought it would be impossible to open source OpenMail. The code was thought too polluted with stuff that we didn't have the rights to publish. Things like dbVista and the Microsoft-proprietary TNEF unpacker.

Looks like the ex-OpenMail engineers at Scalix Bracknell have some Interesting Times ahead.

However, it looks like the opened code won't include the MAPI Outlook bits. By specifying the "Community Edition" Scalix is signaling that it won't publish the source of things like MAPI, TNEF, AD integration, and Ajax group scheduling.

Monday 3 July 2006

Hotmail Has Many, Many Spamtraps

Ben Isaacson of ESPC/Experian/CheetahMail fame mentioned something very interesting at last month's Inbox/Outbox conflab. Microsoft has an interesting way of building spamtraps to catch unwary spammers and idiot direct marketers.

Hotmail accounts expire after six months of disuse. This happens often -- people sign up for an account and then soon stop using it. For example because they think they need one to use the MSN Messenger IM system, or because they're using it temporarily as a throwaway address (to give to vendors they don't trust).

Once a Hotmail account expires, mail sent to it will be rejected, normally with 550 Requested action not taken: mailbox unavailable. After a further 6 months (i.e. one year of disuse), the mailbox may be treated as a spamtrap. This means that email sent to old Hotmail addresses may be used as samples to help train spam filters for Hotmail, MSN, FrontBridge, the Outlook Junk filter, etc.

What does this mean for legitimate marketers? It's now more important than ever to detect and eliminate bounces from your lists. If a receiving mail system consistently tells you that an address is bad, remove that entry from your lists. If you don't, your IP range can be blacklisted and/or your message content will seem more "spammy." Of course, this means that your messages are more likely to end up not being delivered to your users.

It used to be simply bad manners for a sender to continually send mail to nonexistent addresses, but now it's actually self-destructive.
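
As an added example (not code from the post), here is one way to turn the bounce-handling advice above into a list-hygiene routine: it classifies constructed SMTP delivery-log lines as hard or soft bounces, including the 550 reply quoted above, and drops addresses that hard-bounce or keep soft-bouncing. The log line format, the thresholds and the addresses are all assumptions made for illustration.

```python
"""Bounce-driven list hygiene, as an added example (not code from the post).

Parses constructed delivery-log lines, classifies each SMTP reply as a hard
(permanent) or soft (temporary) bounce, and builds a suppression list. The
line format "<recipient> <reply code> <text>" and the thresholds are
assumptions for illustration, not anything the post or Hotmail specifies.
"""
import re
from collections import defaultdict

# Constructed sample log; the Hotmail reply text is the one quoted in the post.
SAMPLE_LOG = """\
alice@example.com 250 2.0.0 OK queued
old.user@hotmail.example 550 Requested action not taken: mailbox unavailable
old.user@hotmail.example 550 Requested action not taken: mailbox unavailable
bob@example.net 451 4.4.1 Connection timed out, retry later
bob@example.net 250 2.0.0 OK queued
carol@example.org 552 5.2.2 Mailbox full
dave@example.org 450 4.2.1 Greylisted, try again later
"""

LOG_RE = re.compile(r"^(?P<rcpt>\S+@\S+)\s+(?P<code>\d{3})\s+(?P<text>.*)$")
# Enhanced status code (RFC 3463) embedded in the reply text, if any.
ESC_RE = re.compile(r"\b[245]\.\d{1,3}\.\d{1,3}\b")
# Permanent codes that in practice often clear up by themselves: treat as soft.
SOFT_DESPITE_5XX = {"5.2.2"}  # mailbox full


def classify(code: str, text: str) -> str:
    """Return 'ok', 'hard', 'soft' or 'unknown' for one SMTP reply."""
    m = ESC_RE.search(text)
    esc = m.group(0) if m else None
    if code.startswith("2"):
        return "ok"
    if code.startswith("5"):
        return "soft" if esc in SOFT_DESPITE_5XX else "hard"
    if code.startswith("4"):
        return "soft"
    return "unknown"


def parse_log(text: str):
    """Yield (recipient, code, text) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:  # lines in any other format are ignored
            yield m.group("rcpt").lower(), m.group("code"), m.group("text")


def build_suppression_list(log_text: str, soft_limit: int = 3) -> list:
    """Addresses to drop: any hard bounce, or soft_limit consecutive soft
    bounces with no successful delivery in between."""
    hard = set()
    soft_streak = defaultdict(int)
    for rcpt, code, text in parse_log(log_text):
        kind = classify(code, text)
        if kind == "hard":
            hard.add(rcpt)
        elif kind == "soft":
            soft_streak[rcpt] += 1
        elif kind == "ok":
            soft_streak[rcpt] = 0  # a delivery resets the streak
    suppressed = set(hard)
    suppressed.update(r for r, n in soft_streak.items() if n >= soft_limit)
    return sorted(suppressed)


def clean_list(addresses, log_text: str):
    """Split a mailing list into (kept, removed) using the suppression list."""
    suppressed = set(build_suppression_list(log_text))
    kept = [a for a in addresses if a.lower() not in suppressed]
    removed = [a for a in addresses if a.lower() in suppressed]
    return kept, removed


if __name__ == "__main__":
    subscribers = ["alice@example.com", "Old.User@hotmail.example",
                   "bob@example.net", "carol@example.org", "dave@example.org"]
    kept, removed = clean_list(subscribers, SAMPLE_LOG)
    print("keep  :", kept)
    print("remove:", removed)
```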

Thursday 29 June 2006

Weird stuff found in spamtrap

Check out this oddity that I just found in two of my spamtraps. I've not obfuscated the sender, as it appears to be the genuine address (hosted on the same small ISP, cross-referenced against several usenet posts). I've converted the base64 plain text body, natch...
Received: from virttel.com
([] helo=voip.virttel.com)
by *********** with esmtp
for ***********; Thu, 29 Jun 2006 09:44:32 +0100
Received: from development
(d226-105-226.home.cgocable.net [])
by voip.virttel.com (8.13.6/8.13.1)
with ESMTP id k5T8h70p027899
for <***********>; Thu, 29 Jun 2006 04:43:07 -0400
MIME-Version: 1.0
Date: Thu, 29 Jun 2006 04:42:56 -0400
X-Mailer: Chilkat Software Inc (http://www.chilkatsoft.com)
Reply-To: mworkman@imbroadcasting.net
X-Priority: 1
Content-Type: text/plain;
Content-Transfer-Encoding: base64
To: ***********
From: mworkman@imbroadcasting.net
subject: From (US/ Canadian) Citizen Giving a Hand
This information is being sent to every government email world wide; we have used this technology to Help / heal and Hurt Any Living Plan or Animal.

We offer this information to you freely and if you want more on how to exploit this technology for medical or defense purposes please contact me back at supplied email.

Michael Workman

Makeup up Human body - Minerals in the Blood

Blood is a liquid tissue. This means that it contains cells suspended in a liquid. Red blood cells carry oxygen and help to carry carbon dioxide. White blood cells are involved in the body's defense mechanisms. Platelets are fragments of cells; they help blood to clot. The liquid is called plasma. It contains many important substances which must be carried around the body.

...and so on, for another 60 rambling paragraphs.

Monday 12 June 2006

Why Did Microsoft buy Frontbridge? So It Could Get More Spam!

Last year, Microsoft acquired the hosted (or managed) email security service provider, Frontbridge. For some time, I've been saying that there's an interesting competitive advantage enjoyed by Frontbridge and other services providers, such as Postini, MX Logic, MessageLabs, and BlackSpider.

Companies that offer a service to a large number of customers get to see a lot of spam and other unwanted email. This is very useful to spot new types of spam campaigns and spot them quickly. As spammers shift to a botnet model, spam campaigns are hitting harder, sending more messages over a shorter period of time. The quicker a spam control solution can notice a new campaign and block it, the less spam is actually received by users.

Microsoft says that "92% of all email received at microsoft.com is spam," so the FrontBridge team is now receiving an enormous corpus of new spam, which should help them to be more reactive to new spam campaigns.

Interestingly, Microsoft claims that it's also extracting reputation data from spam sent to hotmail.com and msn.com, but I'm told by my buddies at Symantec that this is still protected by BrightMail technology.

[edited for clarity June 15 4pm BST]

Friday 26 May 2006

See you next week at INBOX

I'll be at INBOX next week in San Jose. I'm moderating the Email Security Shootout panel. Should be fun. You don't need a full conference pass to get in -- the $25 Buyer Pass is enough.

Monday 22 May 2006

Wednesday 3 May 2006

Wired has half the Blue Security story

I see Wired is now talking about the Blue Security situation. It focusses on the spammer retaliation angle.

Naturally, there are some spammers who take a dim view of organizations that try to limit the number of mailboxes they can pollute. It now appears that spammers are passing around a list of names that purports to be this secret registry. Not only that, but levels of spam received by members of the Blue Security list have roughly doubled since May 1.

So how can this be?

I've seen the spammers' list. It's not as it seems -- it doesn't include spamtraps and other special addresses or wildcard domain entries that I know to be in there. What's happened is that a spammer has taken his list and "cleaned" it against the Blue Security list. He then compared the original list with the cleaned list to figure out which addresses were removed. He then bragged to his spammer buddies that he's "cracked" the Blue Security list.

Monday 1 May 2006

Blue Security "do not email list" compromised? No!

It had to happen. I'm amazed it's taken so long.

Spammers are passing around a list of names that is purportedly the Blue Frog "do not email" list. Someone is already spamming the list with dire warnings of falling skies.

I've seen the list. It's not complete in the sense that it doesn't include the wildcard domain entries. It also doesn't include spamtraps that I know to be there. Presumably a spammer has taken his list and "cleaned" it against the blue list, then done a diff? Like I say, I'm amazed it's taken so long.

In other words, people won't get spam from these spammers unless they're already getting spam from them.

Blue Security's community forums are down "for maintenance." ;-)


Saturday 29 April 2006

Visit SpamOrHam.org and assist anti-spam research

Last week, John Graham-Cumming launched SpamOrHam.org. If you're familiar with 'Hot or Not' you'll probably get the idea. As Graham-Cumming says:

The basic idea is to get humans (that means you) to read a small number of messages (some are ham; some are spam) and decide what they are. I'm doing this because there are currently two usable corpuses of spam and ham: the SpamAssassin Public Corpus (which was hand sorted) and the TREC 2005 Public Corpus (which was machine sorted) ... Once I've got enough human decisions (I'd love to get 10 per message; that means almost 1,000,000 human classifications) I'll make all the data public.

In other words, if you visit the site, you can vote on individual messages, to say whether or not you think they are spam or legitimate. This voting will be very helpful to spam researchers, because an accurate "corpus" of spam and ham allows them to automatically test new anti-spam techniques. Graham-Cumming continues:

I'll highlight any emails where people disagree with the current classification published by Gordon Cormack ... I expect it'll throw up some interesting data... for example, just how good are humans at sorting spam? Since we'll be able to look at where the corpus and the humans disagree we'll be able to spot machine errors and human errors.

Friday 28 April 2006

Tips for your new anti-spam idea

So you have a fantastic new idea to solve the spam problem once and for all? Of course, you're sure it'll work brilliantly and you're sure nobody else has thought of it.

Sounds like you've come up with what spam fighters call a FUSSP -- a Final Ultimate Solution to the Spam Problem. Vernon Schryver maintains a list of fallacies that appear again and again from FUSSP inventors. It's fairly impenetrable to those outside the spam-fighting clique (as some think of it). So here are a few rephrased highlights. Think of them as tips to prevent making yourself look foolish:

  • Don't assume that spammers are stupid.
  • Don't rely on email recipients changing their behavior with nothing to show for it.
  • Don't rely on other email senders responding to automatic challenges (or on victims of challenges sent to forged addresses not to respond).
  • Don't rely on all ISPs, web hosts, and registrars being active, responsible, spam-hating net citizens.
  • Don't propose replacing SMTP, DNS, TCP/IP, Microsoft Exchange, Lotus Notes/Domino, or other immovable objects.
  • Know what these terms mean: tarpit, DNSBL, HELO, EHLO, MX, RMX, MTA, MUA, DCC.
  • Know the difference between the SMTP envelope and header.
  • If your scheme requires a new standard, make sure you understand how standards are set on the Internet -- at a minimum, read and understand RFC 2223 and RFC 2026.
  • With few exceptions, strangers won't pay money to send you mail.

Thursday 20 April 2006

Panda Software has a shill?

I just got a spammy comment in my moderation queue linking to pandasoftware.com. (Well, I say "linking" -- in fact the spammer mistyped the link.)

Here are the details:

  • Referrer was a Google search for blog virus
  • IP was (looks like customer space in a Spanish ISP called Jazztel)
  • Computer runs WinXP at 1280x1024 with IE6 and JavaScript enabled.

Spain, huh? In which country is Panda based?

While I'm sure Panda Software will tell me that this person isn't doing this with their permission, let me say ... ¡Este comportamiento no es aceptable! (This behaviour is not acceptable!)

Wednesday 19 April 2006

SearchSecurity: It's time to fix AV warning messages

SearchSecurity has published an expanded version of my blog post from last month, It's time to fix AV warning messages:

Ever received e-mail from your company's antivirus filter, telling you that someone you've never heard of has sent you a virus? I'm betting you have. If not ... well, consider yourself lucky.
These AV warning messages have become nearly as frequent and as burdensome as run-of-the-mill spam. They're certainly not doing the job they were intended to do.

Friday 31 March 2006

I See It's Already April 1st in Australia

From the Must Try Harder department:

Google's quantum-based spam filtering launch was thrown into chaos today due to Microsoft Windows's inability to cope with Australia's daylight savings changes ... It uses quantum computing to reduce Gmail inboxes to a sub-atomic level, at which point the unusual laws of quantum physics allow Google to analyse infinite amounts of spam instantaneously ... The resulting quantum fluctuations created a feedback loop which engulfed London's Supercomputing Methods Experimental Group (SMEG) research centre where the project is based ... SMEG spokeswoman Shirley Knott was beside herself.

Oh brother.

Thursday 30 March 2006

Virus Alerts are as Bad as Spam

Many email security products or services will warn you if they detect a virus in an incoming message. You'll receive a Virus Alert message in your inbox that either includes the original plain text message with the attachment stripped out, or has just a simple notification that "so-and-so sent you a virus, and click here to read the message in the quarantine." The intention is that you can contact the sender and tell them that they have a virus on their PC.

The problem is that these days, most virus-infected email is being sent not by users, but by other viruses. It's effectively spam, except the motivation is to take over your computer, not to sell you ... uhhh ... things. The viruses will often use the same lists of recipients as spammers do. Naturally, there's no point in contacting the "sender" of the message -- it's probably forged.

The upshot is that these virus alert messages are now just as bad as spam. Only a tiny proportion of them are any use. Email security solutions should be more selective about which messages they warn about.

Why I've been Quiet

Sorry I've been quiet for a bit. Did you miss me?

It turns out I caught chickenpox on the flight over to the RSA conference (no, I'd not caught it as a child). Once I got home, my body revolted. Don't worry, I'm fine now.

For someone who's never even had the flu, being bedridden for a week was a bit of a culture shock, I can tell you.


Friday 17 March 2006

Esther Dyson is Wrong -- Most Email Will Remain Free

I like Esther Dyson. I first met her in the early '90s, and found her thoughtful, insightful, and straight talking. But I can't let her op-ed piece in Friday's New York Times go unchallenged.

Dyson begins with a refreshingly accurate, measured description of Goodmail and its partnerships with AOL and other email providers. She goes on to belittle those who aim to boycott Goodmail and their partners. Those who keep up with my blog will know that I fully agree with her on this point.

However, Dyson goes on to say, "Pretty soon sending most e-mail will cost money, but I think that's only right." I disagree -- it won't and it isn't.

Her argument stands or falls on the assertion that today's spam filters aren't working -- Dyson asserts that, "The senders of 'bad' mail are getting better and better at defeating them." However, it's clear to me that, although the smarter spammers are making their messages trickier to filter, the filters are also getting better.

All in all, today's state of the art in spam control solutions is far ahead of where it was, say, two years ago. Improved spam filters being available to more people -- plus laws that allow the citizenry to penalize spammers -- will cause the scourge of email spam to wither and die.


Wednesday 1 March 2006

Free Speech is No Excuse to Spam

It seems that some bulk email senders are getting spun up about developments such as Goodmail and Bonded Sender. For example, MoveOn.org says it's, "Threatening the Internet as we know it ... The very existence of online civic participation and the free Internet as we know it are under attack."

Balderdash and piffle, say I. Nothing's really changed -- if users are complaining about some email, service providers will block the sender, whether or not they pay some sort of a bond or fee. There's no substantive change here. If you're an existing sender with a good reputation, you should have nothing to worry about -- well, nothing new anyway.

I suspect there's an underlying agenda to some of the moaning. There are some quasi-political and religious groups emailing indiscriminately, and hiding under the flag of Free Speech. That's no excuse -- people will still click the This Is Spam button, and so future mail will get blocked. Just because the message isn't commercial, it doesn't mean that users won't perceive it as spam. I've no sympathy for senders who use those tactics.

My advice to groups who are concerned about their continued ability to communicate legitimately is this: if you find that your email's being blocked, work with your email service provider and that of the recipient to figure out how you should act in the future. Don't act as if it's your deity-given right to send email to whomever you wish. Those that run email services are perfectly entitled to act on user spam complaints. As the saying goes, "My server -- my rules."

Saturday 25 February 2006

Additional Thought on Phishing Complaints

Last week, I wrote about what brand owners should do about phishing. You may recall me saying that owners should have a mailbox where they can receive copies of phishing spam forwarded to them by consumers and (ahem) security researchers. I also said that owners could run spamtraps to pick up phishing attacks as they happen.

One aspect of this that I didn't mention, but perhaps it's not obvious -- the mailboxes used should not be spam filtered. A surprising number of banks and other brand owners get this detail wrong (cough Barclays cough). This causes them to ignore complaints and under-estimate the scale of the problem.

Friday 17 February 2006

What brand owners should do about phishing

If you're a bank, or other organization that's worried about having your brand spoofed in a phishing attack, first you need to detect the attacks, and then you need to act. Here are some of the things you can do:

  1. Receive complaints from consumers -- publish an email address for consumers to forward suspected phishing emails to. The abuse desk can reply to the consumer to confirm whether this was a legitimate message or a phishing attempt (e.g. spoof@paypal.com, internetsecurity@barclays.co.uk).
  2. Run spamtraps -- publish email addresses for the sole purpose of receiving spam. Scan the incoming spam for phishing attempts on your brand.
  3. Detect remote image loading -- scan your web server logs for the telltale signs of your images being displayed in web sites that don't belong to you.
  4. Takedown -- get the phishing web sites removed from the Internet. Work with:
    1. The ISP responsible for the email sender
    2. The hosting company hosting the phishing website
    3. The domain registrar responsible for a bogus copycat domain (e.g. paypalverify.com)
  5. Block -- inform consumer protection services to protect consumers while the sites are still available. For example:
    • Google's anti-phishing toolbar
    • Cloudmark's anti-fraud toolbar
    • Microsoft's anti-phishing protection in IE7

If you're worried about your brand's vulnerability to phishing, contact me. I can help.
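
Step 3 above, scanning web server logs for your images being embedded on sites that aren't yours, as an added example that is not code from the post: it parses constructed Apache combined-format log lines and counts image requests whose Referer host is outside the brand's own domains. The brand hostnames, log lines and IP addresses are made up for illustration.

```python
"""Spotting remote image loading in web server logs, as an added example
(not code from the post). The log lines are constructed in Apache "combined"
format, and the brand's own hostnames are assumed; in practice the list of
own hosts comes from your own site inventory."""
import re
from collections import Counter
from urllib.parse import urlsplit

OWN_HOSTS = {"examplebank.test", "static.examplebank.test"}  # assumed brand hosts
IMAGE_RE = re.compile(r"\.(?:gif|png|jpe?g|ico|svg)$", re.IGNORECASE)

# Apache combined: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: one legitimate embed, one look-alike domain, one
# referer-less request, one ordinary inbound link, one bare-IP host.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Feb/2006:10:01:02 +0000] "GET /img/logo.gif HTTP/1.1" 200 4311 "https://www.examplebank.test/login" "Mozilla/4.0"
198.51.100.9 - - [17/Feb/2006:10:01:05 +0000] "GET /img/logo.gif HTTP/1.1" 200 4311 "http://examplebank-verify.example/secure/login.php" "Mozilla/4.0"
198.51.100.9 - - [17/Feb/2006:10:01:06 +0000] "GET /img/padlock.png HTTP/1.1" 200 902 "http://examplebank-verify.example/secure/login.php" "Mozilla/4.0"
203.0.113.4 - - [17/Feb/2006:10:02:11 +0000] "GET /img/logo.gif HTTP/1.1" 200 4311 "-" "Mozilla/4.0"
203.0.113.5 - - [17/Feb/2006:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 12000 "http://some-blog.example/post" "Mozilla/4.0"
198.51.100.9 - - [17/Feb/2006:10:04:00 +0000] "GET /img/logo.gif HTTP/1.1" 200 4311 "http://198.51.100.200/bank/index.html" "Mozilla/4.0"
"""


def is_own_host(host: str) -> bool:
    """True if host is one of the brand's hosts or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == own or host.endswith("." + own) for own in OWN_HOSTS)


def referer_host(referer: str):
    """Hostname from a Referer value, or None if absent or unparseable."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def suspicious_image_loads(log_text: str) -> dict:
    """Map each foreign referring host to the number of image requests it
    caused. Requests with no Referer are skipped: mail clients and privacy
    settings strip it, so its absence proves nothing either way."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not IMAGE_RE.search(urlsplit(m.group("path")).path):
            continue  # unparseable line, or not an image request
        host = referer_host(m.group("referer"))
        if host is None or is_own_host(host):
            continue  # no evidence, or our own pages embedding our own images
        hits[host] += 1
    return dict(hits)


if __name__ == "__main__":
    report = sorted(suspicious_image_loads(SAMPLE_LOG).items(), key=lambda kv: -kv[1])
    for host, n in report:
        print(f"{n:4d} image request(s) referred from {host}")
```

A hit on a look-alike hostname or a bare IP address is the signal to feed into step 4 (takedown); an ordinary blog linking to a page, as in the sample, is deliberately not flagged.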

Tuesday 14 February 2006

RSA here we come

This week, I shaaall mostly be at the RSA Conference. Hanging out in the press room quite a bit of the time for Ferris Research, more's the pity. Do say hi.

Friday 10 February 2006

BlackBerry? BlackCherry? StealthBerry? -- Workaround or death rattle?

RIM -- Canadian maker of the seminal BlackBerry wireless email-and-other-things device -- has been talking about its proposed workarounds for alleged patent infringement issues. (Quick summary: patent holding company NTP seeks injunction preventing RIM offering BlackBerry service in U.S., cites patent infringements on "push" email.)

There are confused reports, but it seems there are two separate issues, each with their own workaround:

  1. What happens when the user is out of coverage -- where is the incoming message queued? Workaround #1 queues the message at the server on the customer premises. Currently, messages are queued at RIM's network operations centers (NOCs).
  2. What happens when a message arrives -- does the user need to do anything to receive it? Workaround #2 involves turning the BlackBerry "push" model into a "push/pull" model. Users will only get the message headers pushed to them. Some reports indicate that users will need to press a button to request that the message body be downloaded.

RIM's public position is that NTP's patents are invalid and that, in case of a legal injunction, workaround #1 is all that is necessary. However, it looks like RIM is also secretly readying workaround #2 just in case. I've not been briefed by RIM on #2 -- this information is coming from anonymous RIM customers.

The user isn't likely to perceive any impact from workaround #1 -- it will simply delay some messages by a few seconds. However, workaround #2 is a different matter. If the anonymous reports are to be believed, #2 basically breaks the BlackBerry secret sauce. If the user needs to think about receiving messages, it isn't a BlackBerry any more -- it's just a wireless email device like any other, except with a rather ugly on-screen graphic design. Users who are, say, riding the subway won't be able to read messages unless they explicitly pulled them before moving out of the coverage area.

RIM needs to avoid workaround #2 at all costs.

Does HP Regret Killing OpenMail?

An interesting quote from the HP Annual Report. Mark Hurd, HP CEO and President wrote in his covering letter:

The best way to steer a company toward growth is to look out four or five years at the big market trends evolving, and then work backward to identify opportunities ... People will become increasingly mobile — and we see this trend accelerating. The convergence of voice and data services is inevitable. People will be able to receive e-mail via voicemail or receive voicemail via e-mail. The ability to have a mobile office and personalized services delivered to individuals no matter where they are will become a reality.

Which was exactly where plans for OpenMail were heading, sadly. (HT: Stuart "strawberry" Barry)

Tuesday 7 February 2006

More on Goodmail's wasted opportunity

As I said in my previous missive, Goodmail adds no practical value from the user's perspective. Goodmail deliberately misses the opportunity to protect them from phishing.

Goodmail could do so much more to warn users about scams involving sender impersonation ("phishing"). Right now, it's only certifying legitimate mail as "good." It's not spotting scam mail as "bad" -- even though it should be perfectly capable of doing so. It's very little use to consumers to simply reinforce the good, without issuing warnings about the bad. You're asking people to infer that scam email is bad (because it's not "good"). That simply doesn't work -- the psychology is all wrong.

Let's imagine that your mom's bank is a Goodmail customer. When she gets email from her bank, there's a comforting icon promising that the email is authentic. However, if a Russian mafia gang sends her some email pretending to be her bank, Goodmail says nothing -- even though they should be fully capable of popping up a big red, flashing warning.

The lack of phishing warnings is a huge missed opportunity, both for consumers and for Goodmail's customers. Neither you, your mom, nor her bank wants your mom to be fooled by criminals.

Monday 6 February 2006

I'm going to be on TV today

In case you care, and if you're anywhere near CNBC today at 4.15-ish (EST), I'm going to be interviewed live from London. Topic is the ongoing AOL/Yahoo/Goodmail thing.

Hopefully it'll be more contentful than my soundbite on NPR's Marketplace show this morning.

GoodMail Systems and AOL -- What's Going On?

Goodmail Systems has announced that AOL will be using its "postage stamp for email" approach to replace or augment AOL's current "enhanced whitelist" functionality. What's going on?

In essence, AOL has outsourced some of its whitelist to Goodmail. Goodmail will impose a "tax" on commercial senders, if they wish to have first class delivery to AOL users' inboxes. First class in this context means bypassing spam filters and having images and links function correctly without the user being warned of their potential danger. A portion of the tax revenue is returned to AOL (the amount is undisclosed, but we believe it to be at least half) and the rest is retained by Goodmail.

This is an interesting service provided to senders by Goodmail -- the value provided in return for the fees is that senders get better delivery rates and more accurate feedback about whether messages got delivered and/or opened. However, there are also negative implications.

Some senders will object to being "held to ransom." The danger to Goodmail and AOL is that one of the big senders will be big enough to encourage AOL users to use a different email service. Alternatively, they may simply put more emphasis on their own portal messaging systems, like eBay is beginning to. Then they just have to send short text-only mails to AOL users to ask them to check the eBay site.

And what of the poor AOL customer? As I've said before, Goodmail adds no practical value from the user's perspective. Goodmail (and Iconix) deliberately miss the opportunity to protect them from phishing -- there's no big red flashing warning icon when a phishing email is received.


Sunday 5 February 2006

Need a place to stay in SF?

If you need an comfy alternative to a hotel for a few nights in San Francisco, check out The 23rd & Castro Retreat... "Located in desirable Noe Valley minutes from the The Castro district, surrounded by eclectic shopping and fabulous restaurants. The 23rd & Castro Retreat offers the best of San Francisco with all the comforts of home."


Correction to Saturday's NY Times story

Saturday's New York Times contained a story quoting my opinion on the Goodmail debacle. (I was wearing my Ferris Research hat, natch.) It also had a pie chart, attributed to Ferris Research, illustrating the proportions of legitimate email that are sent to businesses, sent to consumers, and sent by spammers. The caption of the chart implied that 20% of email gets accidentally deleted or quarantined by spam filters. Ouch. While "false positives" are still a significant problem, this figure is of course far too high. Unfortunately, the sense of the original statistic seems to have been lost in the editing process.

Typical false positive rates experienced by spam filter users are closer to 0.1%. State-of-the-art filters can achieve 0.001% -- equivalent to about one legitimate message per month.

The figure that I gave the NYT was the "lost" proportion of legitimate, bulk email -- e.g. legitimate direct marketing and transactional messages. This is roughly 20%, but dropping fast as better spam filters are implemented. While the Times' caption wasn't wrong, it was apparently misleading without the original context, as illustrated by the requests for clarification I've since received!


Monday 30 January 2006

Fewer spammers forging the From header

It's a truism that the "From" or "Sender" of a spam email message is almost always forged -- it's hardly ever the actual sender. That could be changing. I've noticed an increasing volume of spam hitting my spamtraps that appears to have a valid return address.

Why would this be? I can think of at least four reasons:

  • It's illegal in some countries -- but many other actions related to spamming are also illegal
  • Increasing use of sender authorization technologies such as SPF, Sender ID, and DKIM by spam filters -- spammers think that a valid return address makes it more likely that their spam will get delivered
  • Increasing use of "call to action" filtering -- spam that invites the user to reply by email is harder to filter than spam that quotes a web site or phone number
  • Lower likelihood of being cut off -- people are unused to sending complaints about the owner of the sender domain; overworked abuse desks are less likely to notice that the spam implicates the sender domain
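
The distinction between the SMTP envelope and the message header (the FUSSP tip earlier on this page) and the SPF/Sender ID/DKIM point above, as an added example that is not code from the post: it pulls out the identity each scheme checks, evaluates SPF offline against constructed records, and then checks whether the domain that passed is the one the user actually sees in the From header. Domains, addresses, IP addresses, SPF records and the DKIM placeholder are all assumptions.

```python
"""Envelope vs header identities in sender authentication, as an added example
(not code from the post). Shows which identity SPF (envelope MAIL FROM/HELO),
Sender ID (the header PRA) and DKIM (the signature's d= tag) each look at,
evaluates SPF offline against constructed records, and checks whether the
authenticated domain matches the header From. All domains, addresses, IPs and
records are made up; the DKIM signature is a placeholder and is not verified."""
import email
from email import policy
from email.utils import parseaddr
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups.
SPF_RECORDS = {
    "bigbank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "cheapvps.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# Constructed SMTP envelope: the sender really does control cheapvps.example,
# so its return address is "valid" in the sense the post describes.
ENVELOPE = {"helo": "mail.cheapvps.example",
            "mail_from": "news@cheapvps.example",
            "client_ip": "203.0.113.45"}

# Constructed message whose header From names a different domain entirely.
RAW_MESSAGE = b"""\
From: Customer Service <alerts@bigbank.example>
To: someone@example.net
Subject: Please confirm your account
DKIM-Signature: v=1; a=rsa-sha256; d=cheapvps.example; s=sel1; bh=PLACEHOLDER; b=PLACEHOLDER

Reply to this message to keep your account active.
"""

SPF_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def domain_of(addr: str) -> str:
    """Domain part of an address or 'Name <addr>' string, lower-cased."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def spf_check(domain: str, client_ip: str) -> str:
    """Minimal SPF evaluator handling ip4 mechanisms and 'all' only (real SPF
    also has a, mx, include, redirect and more). Returns an SPF result word."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in SPF_RESULTS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return SPF_RESULTS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return SPF_RESULTS[qualifier]
    return "neutral"  # nothing matched and no 'all' term


def pra_identity(msg) -> str:
    """Sender ID's Purported Responsible Address: the first of these headers
    that is present (simplified from RFC 4407, which adds further rules)."""
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg[name]:
            return parseaddr(msg[name])[1]
    return ""


def dkim_domain(msg):
    """The d= tag of the DKIM-Signature header, if any (signature not verified)."""
    sig = msg["DKIM-Signature"]
    if not sig:
        return None
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    return tags.get("d", "").strip().lower() or None


def aligned(domain_a, domain_b) -> bool:
    """Relaxed alignment: equal, or one a subdomain of the other (a
    simplification of organisational-domain matching)."""
    if not domain_a or not domain_b:
        return False
    return domain_a == domain_b or domain_a.endswith("." + domain_b) \
        or domain_b.endswith("." + domain_a)


def assess(envelope: dict, raw: bytes) -> dict:
    """Collect the identity each scheme evaluates and whether any passing
    identity lines up with the header From the recipient sees."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    header_from = domain_of(msg["From"])
    mail_from = envelope["mail_from"].rpartition("@")[2].lower()
    spf = spf_check(mail_from, envelope["client_ip"])
    dkim = dkim_domain(msg)
    return {
        "envelope_domain": mail_from,        # what SPF evaluates (with HELO)
        "header_from_domain": header_from,   # what the user sees
        "pra": pra_identity(msg),            # what Sender ID evaluates
        "spf": spf,
        "dkim_domain": dkim,                 # what DKIM would vouch for
        "aligned": (spf == "pass" and aligned(header_from, mail_from))
                   or aligned(header_from, dkim),
    }


if __name__ == "__main__":
    for key, value in assess(ENVELOPE, RAW_MESSAGE).items():
        print(f"{key:>19}: {value}")
```

On the constructed message SPF passes for the envelope domain the spammer controls, yet nothing authenticated lines up with the header From; the check that matters on the receiving side is that alignment, which is what DMARC later standardised.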


Friday 27 January 2006

Evidence of 419 Scam Targeting Using Google

419 scams are typically initiated by sending email to a list of potential victims. The scammer hopes that one recipient -- the so-called mugu -- will be so greedy that he'll overlook the obvious illegality of the deal proposed. You've probably seen these come-ons in your inbox. For example:

I am MR MOHAMMED NASSER, the director in charge of auditing and accounting section of Standard trust bank of Benin cotonou Republic of Benin in West Africa with due respect and regard. I have decided to contact you on a business transaction that will be very beneficial to both of us at the end of the transaction.
During our investigation and auditing in this bank, my department came across a very huge sum of money belonging to a deceased person who died in (beirut-bound charter jet) plane crash on the 25th December 2003 here in cotonou (republic of benin) and since his untimely death the funds has been dormant in his account with this Bank without any claim of the fund in our custody either from his family or relation before our discovery to this development...

It goes on to suggest that you might be able to help steal the money. In return for your help, you'll get a sizable proportion of the ill-gotten gains. It later transpires that the scammers need you to lend them some money for "expenses," which of course you'll never see again.

One of the ways the scammers find and target their victims is by using Google and other search engines. Those of us who own websites and read our webserver logs can often find some hilarious search terms being issued from the Ivory Coast, Nigeria, Senegal, the Gambia, Uganda, and even Greece. My favorite recent examples are:

  • 2006 fine me email contact directors companies in uk
  • contact smash email addresses 2005 hotmail
  • +1 november 2005 email contact @% hotmail.com
  • 2005 premier league email directory
  • american people in england+2005 contact adress
  • i want to buy achieve email contacts pages please give me there email contacts 2005
