November 13, 2008
SPAM HOST CUT OFF
The volume of junk e-mail sent worldwide plummeted on Tuesday after a company providing the servers for the spammers was taken offline. The bad guys install malware on computers that they can control in vast networks, primarily to send spam for counterfeit pharmaceuticals and designer goods, fake security products and child pornography. Approximately 190 billion spam messages are sent every day from more than 1.5 million hijacked computers. The spammers set up servers to control the hijacked computers and to display web pages offering illicit goods for sale. The spammers don't buy their own servers. They buy server space from hosting companies, which are shielded from liability in many cases and not directly responsible for the actions of their customers. That has made it difficult to find the spammers and prosecute them, leaving law enforcement frustrated and frequently ineffective. Reports were published recently identifying McColo Corp., a San Jose company, as the hosting company of choice for virtually all the top botnets blasting out spam or malware attacks. The company has offices in a 30-story office tower in downtown San Jose and apparently its entire business is devoted to providing a platform for bad guys and diverting any attempt to pursue the spammers by refusing to cooperate with law enforcement and shifting the spam networks around to help them evade detection. Researchers estimated that networks run through McColo servers were responsible for 75% of the world's spam. In an interesting twist, security researchers contacted the two companies providing the Internet connection to the building. Both companies became convinced that McColo Corp. was evil and decided to cut off the company's Internet connections on Tuesday without fuss or delay. The volume of spam worldwide dropped by more than forty percent immediately. 
Lots of companies monitor spam and all of them noticed the huge decline, with estimates of drops in global spam from 40%-75% when McColo was forced offline. This won't permanently reduce the volume of spam. It won't take long for McColo to find other Internet connections or for other companies to step up in its place. Trying to shut down the bad guys is like playing Whack A Mole - a law enforcement victory here, a broken Internet connection there, but they keep popping up. It's always nice to have a moment of triumph, though, and this was a particularly dramatic one. It was reporting by Brian Krebs of the Washington Post that got the carriers' attention - here's his article about the effect of the disconnect. Labels: business, Internet, mail, security, spam
posted by bruceb at 11/13/2008 12:03:00 AM | permalink 
November 11, 2008
HOW SPAMMERS MAKE MONEY
Spammers can turn a profit even if they only get one response from every 12 million emails they send. When you see a ridiculous spam message and think, who in their right mind would respond to that?, the answer is, almost no one - but it only takes a handful of responses for the spammers to think their campaign was worthwhile. Last year researchers from UC Berkeley and UC San Diego infiltrated a spam network and took over a portion of the network, diverting the spam sent out by over 75,000 hijacked computers (out of more than a million in the entire spam network). They set up a fake pharmacy web site, similar to the ones operated by the spammers, and sent 350 million spam messages in about a month inviting people to buy drugs online. They only got 28 responses in a month from people who pushed the button to make a purchase. The researchers are good guys, so they didn't capture the credit card details or take any money, but they measured how much they would have made, about $2,700. The interesting part happens if you scale that up to the size of the full spam network, where the same minuscule rate of return would net $9,500/day or about $3.5 million in a year. That's not a huge amount but it's probably sufficient to earn a profit after subtracting the cost of developing the code to exploit security holes and hijack computers, and to run servers worldwide to sell Viagra and process credit card payments. Meanwhile, the researchers saw 10% of recipients clicking on a link to download and install the malware that hijacks computers and turns them into bots sending out those spam messages night and day. Ten percent! The researchers estimate that would allow the spammers to add between 3,500 and 8,500 new hijacked computers every day. Here's a Washington Post article about the UC study, and here's another summary from the BBC. 
Meanwhile, security analyst Jesper Johansson wrote a follow-up to his study of "XP Antivirus," one of the prevalent bits of malware circulating now. Here are my notes about his study. In this scam, you are led to a web site that puts up a very convincing display about viruses on your computer that need to be cleaned off, with details that make the process look genuine and convincing. Almost any click anywhere on the screen leads you to a request for a credit card payment, and one wrong move will install popup bubbles and screens that insistently take you back to the payment demands. Most variations of this malware are not destructive but I've seen it several times and the bubbles are incredibly annoying, making it almost impossible to use your computer until deep surgery is done to remove the offending files. Some variations of this adware can be removed with a reasonable amount of effort, but some come along with the kind of malware that can only be dealt with by reformatting the hard drive. If you pay the fifty bucks, you'll get some software that claims to have successfully removed the infected files, but the infection was fictitious and the software doesn't do anything. Recently a hacker broke into an accounting computer run by one of the scammers responsible for distributing XP Antivirus and posted some internal accounting details online. There's a lot of money at stake! Believe it or not, the software is distributed through an affiliate program that pays a significant portion of the sale proceeds to affiliates spreading the malware. The most successful affiliate earned $158,00 in a week, and even the small-time affiliates were making hundreds of thousands of dollars a year. Here's an article about the financial details. I've cleaned up several computers recently with XP Antivirus and other bits of malware. At the risk of being a nag, let me reiterate: Antivirus software will not always protect you against malware if you click OK at the wrong time! 
Don't click on strange URLs! Follow links with carefree abandon to and from legitimate sites, but don't click on links that arrive in spam e-mail, instant messages, web forums, or IRC chats, or that start from an untrustworthy web site. Never, never, never open email attachments unless you know with 100% certainty that the attachment is something you expected and want to receive. The bad guys are liars. They will say anything to get past your defenses, without conscience or remorse. Please, be careful out there! Labels: business, computers, mail, security, spam
posted by bruceb at 11/11/2008 01:31:00 AM | permalink 
October 08, 2008
INCREASE IN BANK PHISHING ATTACKS
There are reports of increased phishing attacks purporting to be messages from various banks. Be alert! The bad guys create email messages that appear to be from banks, with links to malicious web sites that attempt to install viruses or adware or fool you into entering account information. The messages and web sites are increasingly professional, to the point that they are indistinguishable from the real thing. The current wave of bank activity might make it plausible that your bank would contact you by email, but I don't want anyone fooled. In today's environment, no bank or other company will ever send you an unsolicited email message about your account; the only communication you will receive from any company will either be advertising or a response to something you initiated. If you're unsure, always double-check by phone, or by going to the company's web site directly instead of by clicking on a link in a message. Be safe out there! Labels: mail, security, spam
posted by bruceb at 10/08/2008 12:05:00 AM | permalink 
August 11, 2008
FAKE FLASH UPDATE - SPYWARE ALERT!
 There is a massive spam attack underway masquerading as messages from CNN.com. The first set of messages had links to the "Top 10 Headlines" and "Top 10 Videos"; now there are new variations presenting a "custom news alert." Clicking on any link in the messages will bring up a dialog that says an incorrect version of Flash Player has been detected that needs to be updated to a newer edition. You will be caught in an endless loop - if you click "Cancel" another box will immediately appear, over and over. The only way to get out is to force your browser to close with Task Manager, or shut down your computer. If you click OK, malware is installed. You will immediately get a blizzard of popups, advertisements for fake "antivirus" software, and the likelihood that something more sinister is happening on your computer behind the scenes. It is increasingly difficult or impossible to remove this stuff once it gets on your computer! At the malicious web sites, you'll see something like this: 
Antivirus software will not always protect you against malware if you click OK at the wrong time! Sorry, that's just the way it is. Here's an article about the spam blitz. Links to the malicious web sites are also being left in comments on MySpace and Facebook, according to this article. Don't click on strange URLs! Follow links with carefree abandon to and from legitimate sites, but don't click on links that arrive in spam e-mail, instant messages, web forums, or IRC chats, or that start from an untrustworthy web site. Be paranoid and surf carefully! Labels: IE, Internet, security, spam
posted by bruceb at 8/11/2008 12:05:00 AM | permalink 
July 24, 2008
UPS SPAM
The latest outbreak of virus-laden spam purports to be a message from UPS about an undeliverable package. The attachment is a ZIP file with an executable program inside that does something evil - blows up a cruise boat or something. These messages appear and morph and tomorrow this might be a message from FedEx or the IRS or anything else. Your first defense is your common sense: never, never, never open email attachments unless you know with 100% certainty that the attachment is something you expected and want to receive.
Never. Many of my clients use Exchange Defender to filter out spam and viruses from incoming mail. Here's the update on ED's struggle with this new outbreak.
"It has been quite an evening at ExchangeDefender as we continue to fight the outbreak of the UPS trojan. You may have seen this:
Subject: UPS Tracking Number 6431834482
Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient's address is not correct. Please print out the invoice copy attached and collect the package at our office
Your UPS
"What is interesting about this is that the message does look fraudulent to the casual observers and people that do domestic business with UPS. However, we have encountered this format (with attachments and all) being used by UPS Commercial shipping departments in the past, which is why messages with the specific patterns received lower SPAM scores and were allowed through.
"We still stripped the attachments but the attachments inside the ZIP file are passing through AV scanners as the variants change. We are now up to over thirty definitions used to track this specific worm and have taken the following steps:
- UPS messages are only processed if they come from UPS.
- UPS Tracking numbers are only accepted as valid if they start with 1Z.
- UPS messages instigate a callback function against UPS servers.
"Dealing with these extended rulesets and checks has made mail move a little slower today as we've dealt with onslaught of messages while this worm becomes more prevalent. UPS is also issuing a warning on their behalf:
"We currently have this issue under control and it should not pose any further problems. However, expect the UPS messages to be taken with higher scrutiny and always warn users not to open executable attachments."
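The three ExchangeDefender checks quoted above, together with the post's own warning about a ZIP attachment hiding an executable, can be expressed as a small scoring filter. The following is an added example, not ExchangeDefender's code: the message dict layout, the sample messages and the ZIP payloads are constructed here, "comes from UPS" is taken to mean the ups.com sender domain, and a genuine tracking number is assumed to be "1Z" followed by 16 alphanumerics. The live callback to UPS servers that ED mentions needs network access and is not modelled.

```python
"""Scoring heuristics for 'UPS delivery failure' mail.

Added example, not ExchangeDefender's code. Assumptions: messages are plain
dicts, genuine UPS mail comes from the ups.com domain, a real UPS tracking
number is '1Z' plus 16 alphanumerics, and all sample data is constructed.
"""
import io
import re
import zipfile

TRACKING_RE = re.compile(r"tracking number[:\s]+([0-9A-Za-z]+)", re.IGNORECASE)
VALID_UPS_TRACKING = re.compile(r"^1Z[0-9A-Z]{16}$")      # assumed format
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased; tolerates a display name."""
    return address.rsplit("@", 1)[-1].rstrip(">").lower()


def archive_members(data: bytes) -> list:
    """File names inside a ZIP attachment, or [] if it is not a readable ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def score_ups_message(msg: dict) -> tuple:
    """Return (score, reasons). A higher score means more likely fraudulent."""
    score, reasons = 0, []
    # Rule 1: only mail that actually comes from UPS is treated as UPS mail.
    if sender_domain(msg["from"]) != "ups.com":
        score += 3
        reasons.append("sender is not ups.com")
    # Rule 2: a tracking number that does not start with 1Z is not a UPS number.
    text = msg["subject"] + "\n" + msg["body"]
    for number in TRACKING_RE.findall(text):
        if not VALID_UPS_TRACKING.match(number):
            score += 3
            reasons.append(f"tracking number {number!r} does not start with 1Z")
    # Rule 3 (from the post): look inside ZIP attachments for an executable.
    for name, data in msg.get("attachments", []):
        if name.lower().endswith(".zip"):
            for member in archive_members(data):
                if member.lower().endswith(EXECUTABLE_SUFFIXES):
                    score += 5
                    reasons.append(f"ZIP {name} contains executable {member}")
    return score, reasons


def build_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed ZIP attachment holding one file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed samples: a message in the worm's format and a benign notification.
SPAM = {
    "from": "UPS <delivery@random-host.example>",
    "subject": "UPS Tracking Number 6431834482",
    "body": "Unfortunately we were not able to deliver postal package ... "
            "Please print out the invoice copy attached",
    "attachments": [("UPS_invoice.zip",
                     build_zip("UPS_invoice.exe", b"MZ placeholder, not a real program"))],
}
LEGIT = {
    "from": "UPS Quantum View <pkginfo@ups.com>",
    "subject": "UPS Ship Notification, Tracking Number 1Z999AA10123456784",
    "body": "Your shipment is on its way.",
    "attachments": [("invoice.pdf", b"%PDF-1.4 placeholder")],
}

if __name__ == "__main__":
    for label, msg in (("spam", SPAM), ("legit", LEGIT)):
        print(label, score_ups_message(msg))
```

The scoring is additive rather than a hard reject so that a shipping department's oddly formatted but genuine mail (the case ED describes) is penalised by one rule instead of dropped outright; the ZIP inspection matters because the AV signatures were lagging behind the variants, while the attachment's file type inside the archive does not change.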
Labels: mail, security, spam
posted by bruceb at 7/24/2008 09:50:00 AM | permalink 
May 15, 2008
EMAIL NO LONGER RELIABLE BUSINESS TOOL
An interesting problem has developed, and there's no good answer in sight. Email is no longer a reliable business tool. We're going to keep using it but there will be more occasions when I have no good answer to mail-related complaints. Spam is the primary reason that things are falling apart. It's at record high levels and I've seen predictions that this is the calm before the storm. For a while we could deal with that at the Exchange Server - drop messages that are not addressed to valid recipients in the business, turn off non-delivery reports, rely on Outlook's junk mail filter and supplement it with Exchange's Intelligent Message Filter after Exchange Service Pack 2. After a while that's not enough. Servers are using processor power and bandwidth just to drop thousands of misaddressed messages. Most of my business clients have now been set up with Exchange Defender, a third party service that filters spam and viruses. That will work for a while. Most people will read the daily reports from ED at first, until the spam builds to a volume that makes the daily reports overwhelming. The third party services frequently don't filter messages that seem to have been returned as "undeliverable," leading to the recent waves of "NDR spam," flooding mailboxes with hundreds of messages per hour for a day or two. I've gotten a call about this every day or two for the last month or more, helping people set up an Outlook rule to delete any message with "Undeliverable" in the subject. It undermines our confidence in the mail system a little more - and ensures we will never find out that we've accidentally sent a misaddressed message. Spam is not the only thing undermining our confidence in email. We're dealing with larger and larger files, and at the same time we're doing more work outside the office or collaborating with people all over the world. The world's email systems were not designed for large file attachments! 
I'm constantly hearing the frustration of people whose messages with 20Mb PDF attachments do not get where they're going. There is no answer - except to learn to use a different method because email is not a reliable business tool to exchange files. Another problem is going to affect more small businesses in the next year or two. Outlook folders are exploding in size in a way that was never intended by the designers of Exchange Server. It's convenient to exchange huge files with co-workers down the hall by email, or to use email to send the PDFs scanned by the cool copier, but the result is that mailboxes are far exceeding the sizes called for by best practices. Outlook's built-in archiving is confusing and fragile - people just don't understand the process and have no idea what to do with an unruly collection of .PST files. (Not to mention the backup problem - PST files should not be stored on a company server but desktop computers are generally not backed up, putting those PST archives at risk.) It's wildly expensive to set up a second Exchange Server and maintain it; third party archiving and hosting solutions are out there but not exactly easy or affordable for a small business with no onsite IT employees. But mailboxes that are 4 and 6 and 8Gb in size are going to run slowly and are at far greater risk to become corrupted, either on the local computer (requiring a long, slow process to rebuild the local cached copy), or worse yet, on the server, where the process of recovering a mailbox is painful to think about. Yeah, I can set mandatory size limits and automatically disappear mail after a certain time. I can also be fired, which would be one of the likely side effects if I try that. I'm watching a slow deterioration in our confidence in business email, with no idea what to do about it. Labels: business, mail, SBS, spam
posted by bruceb at 5/15/2008 12:29:00 AM | permalink 
April 17, 2008
NDR SPAM
I've gotten several calls recently about an odd type of spam attack that also happened to me a few days ago. As other clients had reported, I began getting "non-delivery reports" - messages from mail servers all over the world that messages from me had not been delivered. Typically the sender is "System Administrator" or the like. Of course, I hadn't sent any such messages. In the next hour or two, similar messages started coming in faster and faster until they were arriving every minute or two. They tapered off after a while and stopped in a couple of days. If you're running current antivirus software, chances are good that you don't have a virus and nothing is originating from your computer. These messages are yet another attempt to get through your spam filter. It works this way:
- The spammer finds an email server that sends NDRs when a message arrives that does not match anyone in the company. The mail server for @fictitiouscompany.com might take a message for john@fictitiouscompany.com, but would send an NDR if a message arrives for oswaldrabbit@fictitiouscompany.com.
- The spammer decides to send you spam. Presumably you and a million others, but you're the most special, right?
- The spammer sends his spam to fictitiouscompany.com. He shows your email address as the sender and intentionally sends it to a bad email address that doesn't exist on the fictitiouscompany.com server.
- Since the server is sending NDRs, it does as it's told and sends a message to you that the message wasn't delivered.
- Here's the trick - the original email (the spam) is usually attached to the NDR. Voila! The spammer has bypassed your spam filter and you have his spam.
Very few people will open the attachment to a non-delivery report, and fewer still will respond to it or click on a link in it, but spammers are working on volume. They only need a very, very small number of people to respond for their scheme to work. This is nothing new. I don't know why it's happening in volume all of a sudden. There's an easy workaround if it happens to you while you're using Outlook: create a rule that deletes all messages with "undeliverable" in the subject line. My clients running Small Business Server are not contributing to this problem - I've turned on recipient filtering in Exchange Server. If a message arrives that is not addressed to an active mailbox, the message is dropped with no notice to the sender. More and more servers worldwide are being set up that way but there will always be some servers for the spammers to exploit. Labels: mail, security, spam
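The mechanism above and the two defences this post names (recipient filtering on the server, and the Outlook rule on the desktop) as an added example. This is a model, not Exchange Server's or Outlook's code: the MailServer class, the Message shape and the addresses are constructed here, and the final Message-ID check is an assumption of mine, a refinement the post does not describe, that distinguishes a genuine bounce from backscatter instead of deleting every "Undeliverable" message.

```python
"""Model of NDR spam (backscatter) and the two defences named in the post.

Added example, not Exchange Server's or Outlook's code. The classes, the
sample addresses and the sent-Message-ID check are constructed here.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Message:
    sender: str                     # envelope sender; the spammer forges this
    recipient: str                  # envelope recipient
    subject: str
    body: str
    message_id: str = ""            # Message-ID header of the original
    attached_original: Optional["Message"] = None


@dataclass
class MailServer:
    domain: str
    mailboxes: set
    recipient_filtering: bool       # the Exchange setting the post turns on
    outbound: list = field(default_factory=list)
    delivered: list = field(default_factory=list)

    def receive(self, msg: Message) -> str:
        """Handle one inbound message and return the SMTP-style outcome.

        Without recipient filtering the server accepts mail for unknown users
        and later sends an NDR (with the original attached) to whatever sender
        address was forged. With recipient filtering it refuses the unknown
        recipient inside the SMTP session, so there is nothing to bounce.
        """
        local, _, dom = msg.recipient.partition("@")
        if dom != self.domain:
            return "550 relay denied"
        if local in self.mailboxes:
            self.delivered.append(msg)
            return "250 delivered"
        if self.recipient_filtering:
            return "550 no such user"          # dropped with no notice
        ndr = Message(
            sender=f"System Administrator <postmaster@{self.domain}>",
            recipient=msg.sender,              # goes to the forged address
            subject=f"Undeliverable: {msg.subject}",
            body=f"Delivery failed for {msg.recipient}; original attached.",
            attached_original=msg,
        )
        self.outbound.append(ndr)
        return "250 accepted (NDR queued)"


def outlook_rule_matches(msg: Message) -> bool:
    """The workaround from the post: delete anything with 'undeliverable'
    in the subject. Crude, because it also removes genuine bounces."""
    return "undeliverable" in msg.subject.lower()


def is_backscatter(ndr: Message, sent_message_ids: set) -> bool:
    """Finer check (assumption, not from the post): keep an NDR only when the
    attached original carries a Message-ID this site actually generated."""
    original = ndr.attached_original
    if original is None:
        return True                            # nothing to verify against
    return original.message_id not in sent_message_ids


def simulate() -> dict:
    """Deliver the same forged message to a bouncing server and a filtering one."""
    victim = "bruce@victim.example"            # constructed address
    naive = MailServer("fictitiouscompany.com", {"john"}, recipient_filtering=False)
    hardened = MailServer("fictitiouscompany.com", {"john"}, recipient_filtering=True)
    spam = Message(sender=victim,
                   recipient="oswaldrabbit@fictitiouscompany.com",
                   subject="Cheap meds", body="buy now",
                   message_id="<spam-1@spammer.example>")
    return {
        "naive_reply": naive.receive(spam),
        "hardened_reply": hardened.receive(spam),
        "ndrs_to_victim": naive.outbound,
        "ndrs_from_hardened": hardened.outbound,
    }


if __name__ == "__main__":
    result = simulate()
    for ndr in result["ndrs_to_victim"]:
        print(ndr.subject, "->", ndr.recipient,
              "| rule deletes:", outlook_rule_matches(ndr),
              "| backscatter:", is_backscatter(ndr, {"<real-1@victim.example>"}))
```

Running it shows the naive server emitting one "Undeliverable" message to the forged address with the spam attached, while the filtering server answers 550 in-session and emits nothing; the subject rule catches the bounce but would also catch a real one, which is exactly the trade-off the post accepts when it says you will never find out about your own misaddressed mail.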
posted by bruceb at 4/17/2008 12:32:00 AM | permalink 
April 14, 2008
BAD GUY UPDATE
Many of you practice safe computing - you install security updates from Microsoft and other vendors, you run antivirus and adware/spyware programs and keep them current, your email program has a spam filter and blocks .EXE and other potentially dangerous attachments, and you don't click on strange links in email messages or on web sites. You probably haven't seen a virus or gotten adware on your computer in a long time. You may be wondering what the security fuss is about. Is it really necessary to be so paranoid?
VIRUSES
By the end of this year, security experts expect to have identified a total of more than one million viruses. The chief technology officer for Sophos says about 25% of unique malware has been created in the last six months. Another security company executive said it identifies about 25,000 malware samples a day. As security programs improve, virus writers get fewer results from email attachments, so they're switching their focus to creating web sites that can infect unpatched computers automatically just by visiting the site. A couple of years ago those attacks were limited to installing advertising programs and popups, but now malicious software is being installed without the user's knowledge. Google owns Postini, a messaging security company, which recently promised that security challenges will grow exponentially in 2008 as the Bad Guys become more skilled at "social engineering" - presenting you with an email message or web site that in some way convinces you to make a fatal click or divulge personal information. There might be references to current events or messages that purport to be from legitimate business agencies - the IRS or Securities & Exchange Commission for example. The Bad Guys are getting better all the time at presenting messages that appear to be genuine. Their grammar is getting better, too.
BOTNETS
At one time viruses were designed to break computers. If malware is installed on your computer now you might never know it. 
The latest exploits are designed to hide away undetected and respond to commands from Bad Guy Central. The most sophisticated malware authors use compromised computers to send spam. A security researcher just examined 11 "botnets" that send spam and estimated that they control over a million computers and are capable of flooding our mailboxes with more than 100 billion spam messages every day.
PHISHING
Identity theft starts with disclosure of personal information. If you can be persuaded to type in a bank account number or a password, the Bad Guys win. Read this chilling account by a Symantec researcher about a virus that steals bank account details. The sophistication of the scheme is striking. "Targeting over 400 banks and having the ability to circumvent two-factor authentication are just two of the features that push Trojan.Silentbanker into the limelight. The scale and sophistication of this emerging banking Trojan is worrying, even for someone who sees banking Trojans on a daily basis. "This Trojan downloads a configuration file that contains the domain names of over 400 banks. Not only are the usual large American banks targeted but banks in many other countries are also targeted, including France, Spain, Ireland, the UK, Finland, Turkey - the list goes on. "The ability of this Trojan to perform man-in-the-middle attacks on valid transactions is what is most worrying. The Trojan can intercept transactions that require two-factor authentication. It can then silently change the user-entered destination bank account details to the attacker's account details instead. Of course the Trojan ensures that the user does not notice this change by presenting the user with the details they expect to see, while all the time sending the bank the attacker's details instead. Since the user doesn't notice anything wrong with the transaction, they will enter the second authentication password, in effect handing over their money to the attackers. 
The Trojan intercepts all of this traffic before it is encrypted, so even if the transaction takes place over SSL the attack is still valid. Unfortunately, we were unable to reproduce exactly such a transaction in the lab. However, through analysis of the Trojan's code it can be seen that this feature is available to the attackers.
"The Trojan does not use this attack vector for all banks, however. It only uses this route when an easier route is not available. If a transaction can occur at the targeted bank using just a username and password then the Trojan will take that information, if a certificate is also required the Trojan can steal that too, if cookies are required the Trojan will steal those. In fact, even if the attacker is missing a piece of information to conduct a transaction, extra HTML can be added to the page to ask the user for that extra information. (In the example below the user is asked to enter their encryption key, in addition to the regular information.) . . . "Add to all of the above the ability to steal FTP, POP, Web mail, protected storage, and cached passwords and then we start to see the capabilities of this Trojan."
PCs VS MACs
Fewer attacks are aimed at Macs than PCs, primarily because PCs have a 90%+ market share. That is sometimes misinterpreted to mean that Macs are less vulnerable and Apple does a better job of addressing security holes. This has not ever been true. Two years ago I highlighted reports that Apple was slow to respond to security flaws when they were discovered, and Apple's products have required a constant stream of updates to fix security problems. Here's Paul Thurrott's report on the most recent study reporting the same results: "Microsoft actually fixes security vulnerabilities much more quickly than does Apple, meaning that users of Windows are, in fact, better protected by their vendor than are Mac OS X users. Researchers from the Swiss Federal Institute of Technology independently examined six years of data and found that 658 high- and medium-risk vulnerabilities affected Microsoft products during the time period, compared with 738 for Apple products. Then they looked at how well the companies did at fixing these bugs. The conclusion? 'The number of unpatched vulnerabilities are higher at Apple,' a researcher involved in the study said. 'Apple [was] just surprised or not as ready or not as attentive. It looks like Microsoft had good relationships earlier with the security community. Based on our findings, this is hurting [Apple].'"
Labels: Apple, computers, Internet, Microsoft, OneCare, security, spam
posted by bruceb at 4/14/2008 01:46:00 AM | permalink 
July 02, 2007
VIRUS ALERT - IT'S RAINING POSTCARDS
The latest barrage of virus-laden spam e-mails announce that you've received "a postcard from a family member." Here's a security vendor confirming what you already knew - if you click on the links in the messages, you'll be taken to web sites that will attack your computer with dozens of exploits, searching out computers that haven't gotten all of their security updates. In the last couple of days, the messages have begun morphing to refer to a greeting card or ecard, from a colleague/worshipper/admirer/neighbor etc. It's been going on for almost a week; I'm getting 20-30/day right now. My clients have many kinds of protection on their office computers against this kind of attack, but the best defense continues to be your common sense and alertness. As always: Labels: mail, security, spam
posted by bruceb at 7/02/2007 12:05:00 AM | permalink 
April 13, 2007
MASSIVE SPAM BLAST
There's a massive spam blast in progress. ComputerWorld reports that the spam outbreak is setting records, 50 to 60 times the normal volume of spam, with subjects like Worm Alert!, Worm Detected, Spyware Detected!, and Virus Activity Detected!, and carrying ZIP file attachments containing the "Storm Trojan" virus. "Postini has already counted nearly 5 million copies of the spam in the last 24 hours, and calculated that the run currently accounts for 87% of all malware being spread through e-mail. Spam rates have jumped as well; Postini said 79% of all e-mail is now spam, while rival MessageLabs Ltd. reported a 13% jump in spam's slice of all messages in just one hour.
"'Expect this to grow much larger,' Swidler said. 'It should top out at 60 million messages within the next 24 hours.'" With luck, most of you will never see these reach your mailbox, and your up-to-date security programs will keep you safe. Still, it always bears repeating: never never never open unexpected e-mail attachments. Labels: mail, spam
posted by bruceb at 4/13/2007 04:21:00 PM | permalink 
December 08, 2006
EARTHLINK & MISSING E-MAIL
Remember Earthlink? It's still in business but not particularly relevant. (Companies providing dialup access became an anachronism when the telcos and cable companies shut them out of broadband access. Earthlink all but disappeared, and AOL is following it down the same path - AOL is just taking longer to go away.) Well-known tech columnist Robert X. Cringely has written an interesting tale of a friend who discovered almost by accident in June that Earthlink was dropping 9 out of 10 of his e-mail messages - they weren't being bounced, they were just disappearing. Messages were supposed to be delivered to his Earthlink mailbox and also forwarded to a Blackberry address; for every 10 messages during a bunch of testing, 1-2 would get to the Earthlink mailbox, 1-2 would get to the Blackberry (but not necessarily the same ones), and all would appear in a GMail mailbox used for comparison. An Earthlink tech support rep eventually acknowledged that Earthlink's mail servers were so overloaded that some users with Earthlink-hosted domains or aliased addresses were missing up to 90% of their incoming mail. A spokesman for Earthlink turned up today with an unapologetic description of what sounds like a completely different problem - "Yup, our equipment was overloaded and crapped out in October but we fixed it right away, you betcha!" There are three lessons.
- If you are still an Earthlink subscriber, it's long past time to move on. If you are considering signing up with Earthlink, your computer should be confiscated while you attend classes bringing you up to date on developments in technology and communications companies in the last ten years.
- This is not just an Earthlink issue. Other ISPs are going to drop mail periodically without admitting it. If you have mail that isn't delivered, it is very, very hard to figure out where it has gone.
- Finally, this may happen with increasing frequency because of the recent onslaught of spam, predicted to get worse next year. It is hard to comprehend the volume of spam but my impression is that it's worse than we have any idea, simply mind-boggling. ISPs are struggling and will sometimes fall down; ultimately the fault belongs with the bad guys sending the crap.
Labels: Internet, mail, spam
posted by bruceb at 12/08/2006 11:36:00 AM | permalink 
December 06, 2006
SPAM IS BACK
You've probably noticed it, and here's a New York Times article to confirm it: after a respite for a year or two, the volume of spam has risen sharply in the last few months; worldwide spam volumes have doubled since last year and it currently accounts for more than 9 out of every 10 e-mail messages delivered worldwide. The article has some fascinating details about the "image spam" flooding your inboxes with penny stock offers. It's all about evading spam filters - that's why the text is hidden in an image, that's why the image has speckles or designs in the background, that's why the image has a few pixels changed in each and every message. You've probably wondered who in their right mind would buy a penny stock based on a bizarre piece of e-mail spam. The answer is that e-mail is not sent only to people in their right mind. The spammers buy the penny stock, then send their messages by the millions; enough people buy the stock that the spammers can sell their shares in one or two days and make a 5-6% profit. Amazing, isn't it? There's no magic bullet - the bad guys are outracing the good guys again. As always, your best friend is the Delete key. Labels: mail, spam
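Why the speckles and the handful of changed pixels defeat a filter that compares exact image signatures, and why a coarser fingerprint survives them, as an added example that is not from the article or from any filter vendor. The 16x16 grayscale "image" is constructed here in place of a rendered stock-tip image, and the block-average hash is a textbook perceptual-hash scheme chosen for illustration, not a claim about what any particular spam filter does.

```python
"""Exact signatures versus a coarse perceptual hash on an image-spam variant.

Added example. The image, the speckling and the average-hash scheme are
constructed here for illustration and are not any filter vendor's code.
"""
import hashlib
import random

WIDTH = HEIGHT = 16
BLOCK = 4                               # 4x4 pixel blocks -> 16-bit hash


def make_image() -> list:
    """Constructed image: light upper half, dark lower half."""
    return [[200 if y < HEIGHT // 2 else 50 for _ in range(WIDTH)]
            for y in range(HEIGHT)]


def speckle(img: list, count: int, seed: int) -> list:
    """Copy of img with `count` pixels lightened by 25: the per-message
    speckles the article describes, seeded so the result is reproducible."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for _ in range(count):
        x, y = rng.randrange(WIDTH), rng.randrange(HEIGHT)
        out[y][x] = min(255, out[y][x] + 25)
    return out


def exact_fingerprint(img: list) -> str:
    """SHA-256 over the raw pixels: what a signature-style filter compares."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def average_hash(img: list) -> str:
    """One bit per 4x4 block: 1 if the block mean is above the overall mean."""
    means = []
    for by in range(0, HEIGHT, BLOCK):
        for bx in range(0, WIDTH, BLOCK):
            total = sum(img[y][x] for y in range(by, by + BLOCK)
                        for x in range(bx, bx + BLOCK))
            means.append(total / (BLOCK * BLOCK))
    overall = sum(means) / len(means)
    return "".join("1" if m >= overall else "0" for m in means)


def hamming(a: str, b: str) -> int:
    """Number of differing bits between two hash strings."""
    return sum(x != y for x, y in zip(a, b))


def compare(count: int = 12, seed: int = 1) -> dict:
    """Fingerprint the original and a speckled variant with both methods."""
    original = make_image()
    variant = speckle(original, count, seed)
    return {
        "exact_match": exact_fingerprint(original) == exact_fingerprint(variant),
        "hash_distance": hamming(average_hash(original), average_hash(variant)),
    }


if __name__ == "__main__":
    print(compare())
```

With a dozen speckles the SHA-256 of the variant no longer matches the original, so a blocklist of known image signatures misses every copy, while the 16-bit average hash is unchanged because a few brightened pixels cannot move a block's mean across the threshold. The caveat is that a block hash this coarse is only robust to small perturbations and also collides on unrelated images with similar layout, which is why production filters combine fuzzy image matching with other evidence rather than relying on any single fingerprint.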
posted by bruceb at 12/06/2006 03:45:00 PM | permalink 
February 06, 2006
AOL & YAHOO ALLOW BIG SPENDERS TO AVOID SPAM FILTERS
AOL & Yahoo are going to allow spam to reach mailboxes if the senders pay a fee for each message. Here's an article about the new system. It's hard to predict the result, but my gut feeling is that it's a disaster for consumers. AOL & Yahoo will pitch it as a "service" to distinguish legitimate offers from true junk and phishing scams. Naturally its first real effect will be windfall profits for AOL & Yahoo. It may take a while to iron out the pricing, but the result will be that the volume of junk mail will build up again - this time presented with a veneer of respectability as if users should be glad to see it. Labels: business, spam
posted by bruceb at 2/06/2006 10:21:00 PM | permalink 