Virginia's Supreme Court on Friday upheld the first US felony conviction for
spamming. The spammer will serve nine years in prison for sending what
authorities believe to be millions of messages over a two-month period in
2003.
While defending Jaynes, his lawyers argued that a provision of the Virginia
Computer Crimes Act violates the constitutional First Amendment right to
"anonymous speech," as well as the interstate commerce clause of the US
Constitution. The court rejected these claims because of Jaynes' use of fake
e-mail addresses, which breaks the US CAN-SPAM law's condition of giving
recipients a means of contacting the sender.
Who hasn't yet received one of those Nigerian scam (419) e-mails? For those who haven't:
This scam usually begins with a letter-form e-mail sent to many target recipients making an offer that will purportedly result in a large payoff for the intended victim. The stories behind the offers vary, but the
standard plot is that a person or government entity is in possession of a large amount of money or gold. This person, for myriad reasons, either cannot access the wealth directly or is no longer in need of it. Such
people, who are fictional or impersonated characters played by the scammer, could include the wife of a deposed African or Indonesian leader or dictator, a terminally ill wealthy person, a wealthy foreigner who had
deposited money in the bank just before dying in a plane crash, leaving no will or known next of kin, a U.S. soldier who has stumbled upon a hidden cache of gold, a business being audited by the government, a
disgruntled worker or corrupt government official who has embezzled funds, a refugee, and similar characters. The money could be in the form of gold bullion, gold dust, money in a bank account, so-called "blood
diamonds", a series of cheques or bank drafts, and so forth. The sums involved are usually in the millions of dollars, and the investor is promised a large share, often forty percent or more, if they will assist the scam
character in retrieving the money from holding and/or disposing of it according to the scam character's wishes. The proposed deal is often presented as a "harmless" white-collar crime, in order to dissuade participants
from later contacting the authorities.
Anyway, since this form of polite request doesn't seem to work well enough anymore, they have changed their technique: they now tell you to give them money or... they will shoot you dead:
"Am very sorry for you my friend, is a pity that this is how your life is going to end as soon as you don't comply. …
I don't have any business with you, my duty as I am mailing you now is just to KILL/ASSASINATE you
and I have to do it as I have already been paid for that."
If people aren't gullible enough to fall for polite help requests, will they really fall for these brute death threats?
F-Secure is about to start a course called "Malware Analysis and
Antivirus Technologies" at the Helsinki University of Technology. I
really wish we had had those kinds of classes when I was attending college!
And since F-Secure is full of cool people, they provide the slides from the
lectures that have already been given!
For those not familiar with RBL, the term means Real-time Blackhole List; it
is mainly used for spam fighting. I have recently started playing around with
Google as an RBL engine; the idea is that if the search term I use returns too
many hits, it is likely to be spam.
This is actually interesting. I've been googling URLs found in spam for a
little while now, but that kind of search never returns tons of pages; it
does return a few of them, and most of the time they are security-related sites.
This "Google RBL" could be pretty useful coupled with a list of trusted
security sites: if the search returns a few URLs from those sites, then the
mail is likely to be spam or malware related. What about a mail with
"http://securityfocus.com" in the body? Uh-huh... definitely not bulletproof! So
better stick to the IP of the sender and just count the number of hits returned
by Google.
"In this post we investigate the distribution of web server software to
provide insight into how server software is correlated to servers hosting
malware binaries or engaging in drive-by-downloads."
Their numbers are slightly different from Netcraft's, but they give a
fairly good explanation of why. According to Google, IIS and Apache account
for equal shares of the malware-distributing web servers overall.
Interesting facts: in the US, 80% of malware is served by Apache; in China,
95% by IIS...
Christopher Smith, the notorious "pharmacy
spam king," has received a 30-year-jail sentence for running an illegal
internet store that sold millions of dollars in prescription drugs.
When trying to build SpamAssassin rules to detect a new kind of spam, it's
always useful to have several copies of the spam so you can check which parts
never change.
In the case of the pdf/zip/doc/xls/etc. spam, even if the spammer did a lot of
work to try to make it undetectable, he forgot something: the boundary line of
the Content-Type header is always built the same way, and it isn't common at
all:
------------ (a fixed run of dashes) followed by a random 24-character alphanumeric string.
I've searched my INBOX (more than 50,000 messages) and this boundary pattern
only matches the spams.
From this, we can build our first SA rule:
full __UN_KNOWN_BOUND /boundary="------------\d{24}"/
Now, it's safer if we make sure it's really a spam by adding some attachment
detection:
full __UN_PDF_ATTACH /application\/pdf/i
full __UN_OCTSTREAM_ATTACH /application\/octet-stream/i
full __UN_WORD_ATTACH /application\/vnd.ms-word/i
full __UN_EXCEL_ATTACH /application\/vnd.ms-excel/i
Then you can build a meta rule that will match our spams:
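To show how the sub-rules above combine, here is an added example (my own code, not the post's SpamAssassin configuration) that re-expresses the four `full` sub-rules as Python regexes run over the raw message and applies the AND/OR logic a `meta` rule would apply: odd boundary AND at least one attachment type. The meta rule quoted in the comment is my assumption of what the post builds toward, not something the post shows; the three test messages are constructed, not captured spam. Test a boundary-only rule against your own ham before giving it a score on its own; a boundary pattern alone is a weak signal, which is exactly why the post pairs it with attachment detection.

```python
import email
import re
from email import policy

# Hypothetical SpamAssassin meta rule combining the post's sub-rules (my assumption):
#   meta  UN_ATTACH_SPAM (__UN_KNOWN_BOUND && (__UN_PDF_ATTACH || __UN_OCTSTREAM_ATTACH
#                          || __UN_WORD_ATTACH || __UN_EXCEL_ATTACH))
#   score UN_ATTACH_SPAM 3.0
SUBRULES = {
    "__UN_KNOWN_BOUND": re.compile(r'boundary="------------\d{24}"'),
    "__UN_PDF_ATTACH": re.compile(r"application/pdf", re.I),
    "__UN_OCTSTREAM_ATTACH": re.compile(r"application/octet-stream", re.I),
    "__UN_WORD_ATTACH": re.compile(r"application/vnd\.ms-word", re.I),
    "__UN_EXCEL_ATTACH": re.compile(r"application/vnd\.ms-excel", re.I),
}
ATTACH_RULES = [name for name in SUBRULES if name.endswith("_ATTACH")]


def evaluate_subrules(raw):
    """Run every sub-rule against the full raw message (headers and body),
    the way a SpamAssassin 'full' rule does."""
    return {name: bool(rx.search(raw)) for name, rx in SUBRULES.items()}


def un_attach_spam(raw):
    """The meta rule: suspicious boundary AND at least one attachment type."""
    hits = evaluate_subrules(raw)
    return hits["__UN_KNOWN_BOUND"] and any(hits[n] for n in ATTACH_RULES)


def mime_part_types(raw):
    """Content types of the leaf MIME parts, via the real parser, so the
    regex hits can be cross-checked against what is actually attached."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]


def build_message(boundary, attach_type):
    """Constructed test message (not a real capture)."""
    lines = [
        "From: someone@example.invalid",
        "To: you@example.invalid",
        "Subject: pdf",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{boundary}"',
        "",
        f"--{boundary}",
        "Content-Type: text/plain",
        "",
        "see attached",
    ]
    if attach_type:
        lines += [
            f"--{boundary}",
            f'Content-Type: {attach_type}; name="pdf.zip"',
            'Content-Disposition: attachment; filename="pdf.zip"',
            "Content-Transfer-Encoding: base64",
            "",
            "UEsDBBQAAAAIAA==",  # constructed payload, not a real archive
        ]
    lines.append(f"--{boundary}--")
    return "\n".join(lines) + "\n"


SPAM_BOUNDARY = "------------012345678901234567890123"  # dashes + 24 digits, constructed
HAM_BOUNDARY = "=_NextPart_000_0042"                    # ordinary-looking boundary, constructed

SAMPLE_SPAM = build_message(SPAM_BOUNDARY, "application/pdf")
SAMPLE_HAM = build_message(HAM_BOUNDARY, "application/pdf")   # PDF but normal boundary
SAMPLE_NO_ATTACH = build_message(SPAM_BOUNDARY, None)         # odd boundary, no attachment

if __name__ == "__main__":
    for label, msg in [("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM), ("no-attach", SAMPLE_NO_ATTACH)]:
        print(label, un_attach_spam(msg), mime_part_types(msg))
```

Only the first message triggers the combined rule: the PDF-carrying ham has a normal boundary, and the message with the odd boundary but no attachment fails the attachment half, which is the false-positive case the post's "it's safer if we make sure" step is there to catch.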
Already found out how to block image
spam included in .xls and .doc documents? Lucky you. Spammers have a new
challenge for you (OK, an easy one): I just received a spam with "pdf" as the
subject, with a pdf.zip file attached, which contains a pdf.txt file with the
actual spam in it... That's not very original; it's even boring (I suspect
it's even counterproductive for them to generate all those files when the
victim has to open 3 applications to get to the actual spam).
CastleCops.com is a popular site aiming at
providing information to assist computer security education. Their forums are
particularly useful when you think something fishy is going on; a lot of very
well-informed people participate.
Recently a conversation about rogue domains used by the (nasty) Zlob
malware was posted, and the malware author came and tried to explain that
his little creation wasn't malware and that they weren't doing anything bad.
No need to tell you the discussion literally went kaboom.
Facetime
Security Labs, an IM-security-focused research lab, recently reported that
IM & P2P attacks were on the rise: a 5% increase in incidents targeting
public IM and P2P channels for Q2 2007 compared to Q1 2007. Just to compare,
over the same period in 2006 a 35% decrease was seen.
The SpywareGuide Greynets Blog summarizes:
From Q1 to Q2 2007, attacks spread via the mainstream networks (Yahoo, MSN
and AOL) dropped from 74 total incidents in the first period to 64 in the
second quarter. Attacks spread via AOL dropped by more than half (from 28
incidents to 13). Overall, the MSN network accounted for 50 percent of the
attacks on the major networks, followed by Yahoo at 30 percent and AOL with 20
percent.
As we predicted earlier this year, attacks spread via Internet Relay Chat
(IRC) continue to account for a growing percentage of all attacks. In fact, the
percentage of attacks that are IRC-based has risen in each of the last six
quarters, rising from a 59 percent share in Q1 2006 to 72 percent in the
current quarter.
Some reports say that a new kind of spam has just appeared. This time the
spam is embedded in a .doc file. I heard people saying they also got .xls and
.zip spams. This is getting interesting... what will they use next?
Didier Stevens conducted a little experiment: what if he used
AdWords and told people to visit his blog to get infected by malware? His ad
said “Is your PC virus-free? Get it infected here!” and it ran for 6
months. Of course clicking on the link would not infect the visitor's computer,
but still, it could have. Guess how many people clicked? 409.
409 people wanted their computer infected? Well, I guess people don't read.
How many people use Google to surf, thinking that AdWords ads are actually
results given by Google?
Choose an unknown, forgotten,
valueless stock like DIAAF.OB, quoted at $0.0008 per share. Buy millions
of shares; that makes the price rise (you are creating demand) to $0.0011.
Now flood the world with spam advertising how the stock price is rising...
you'll create more demand, the share price will rise... And now? Sell. You're
rich.
Ever heard of the cellphone cloning method? It's a way of transferring the
identity of one phone to another, generally for the purpose of making fraudulent
calls. It's fun because if you are located near the same transmission tower as
the cellphone you cloned, you'll get copies of text messages and calls made to
the original phone. You'll need to have access to the original cellphone and
clone the SIM, then upload the SIM data into your phone. Not an easy thing.
What about being able to get any unencrypted transmission made around your
cellphone directly on it?
Warezov, Spamthru... viruses used by spammers. They are pretty easy to detect
if you can monitor HTTP connections. Indeed, more and more viruses will try to
fetch data (spam templates or updates) from dedicated domains. If you can
monitor those domains, you can detect infected computers on your
network.
Here at work, we are averaging 66% spam, which means that most of our
users get twice as much spam as regular mail. I know some users who even gave
up on email because 90% of what they got was spam. We use SpamAssassin and
CRM114, so we tag every detected mail (we aren't allowed to delete mail, even
if SpamAssassin scores it at 1000, for security reasons). Still, users like to
complain that they get too much spam.
Anyway... we decided it was time to test greylisting to try to reduce the
amount of pollution in users' mailboxes.
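Greylisting works by temporarily rejecting the first delivery attempt from an unknown (client IP, sender, recipient) triplet and accepting it once the sender retries after a delay; legitimate mail servers retry, most spam bots do not. As an added example (my own toy implementation, not the greylisting software the team above tested), the decision logic is below. The delay of 5 minutes, the 36-hour expiry of unconfirmed triplets, keying on the client's /24 so that large senders retrying from a sibling host still match, and the exact reply strings are all assumed choices.

```python
import time

DELAY = 300            # seconds a new triplet must wait before being accepted (assumed)
MAX_AGE = 36 * 3600    # forget unconfirmed triplets after this many seconds (assumed)
TEMP_REJECT = "450 4.7.1 Greylisted, please try again later"   # assumed wording
ACCEPT = "250 OK"


class Greylist:
    """In-memory greylist: triplet -> [first_seen, confirmed]."""

    def __init__(self, delay=DELAY, max_age=MAX_AGE):
        self.delay = delay
        self.max_age = max_age
        self.entries = {}

    @staticmethod
    def triplet(client_ip, sender, recipient):
        # Key on the /24: big mail farms often retry from a neighbouring host.
        net = ".".join(client_ip.split(".")[:3])
        return (net, sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now=None):
        """Return the SMTP reply to give for this delivery attempt."""
        now = time.time() if now is None else now
        key = self.triplet(client_ip, sender, recipient)
        entry = self.entries.get(key)

        # An unconfirmed entry nobody retried for a long time is stale: start over,
        # so a bot that shows up once a day never accumulates waiting time.
        if entry is not None and not entry[1] and now - entry[0] > self.max_age:
            entry = None

        if entry is None:
            self.entries[key] = [now, False]
            return TEMP_REJECT

        first_seen, confirmed = entry
        if confirmed or now - first_seen >= self.delay:
            entry[1] = True      # genuine retry after the delay: remember it
            return ACCEPT
        return TEMP_REJECT       # retried too early, keep waiting


if __name__ == "__main__":
    g = Greylist()
    print(g.check("192.0.2.10", "news@example.org", "user@example.com", now=0))
    print(g.check("192.0.2.10", "news@example.org", "user@example.com", now=60))
    print(g.check("192.0.2.11", "news@example.org", "user@example.com", now=600))
```

The cost is the delay on first contact with each new sender, which is why real deployments pair this with a whitelist of known senders and keep the confirmed entries for weeks; once a triplet is confirmed the code above accepts it immediately on every later attempt.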