Of Spam & Men


Monday 3 March 2008

no free speech to spam

Virginia's Supreme Court on Friday upheld the first US felony conviction for spamming. The spammer will serve nine years in prison for sending what authorities believe to be millions of messages over a two-month period in 2003.

While defending Jaynes, his lawyers attempted to argue that a provision of the Virginia Computer Crimes Act violates constitutional First Amendment rights to "anonymous speech," as well as the interstate commerce clause of the US Constitution. The court rejected these claims due to Jaynes' use of fake e-mail addresses, which breaks the US CAN SPAM law's condition of giving recipients a means of contacting the sender.

from ars technica

Monday 11 February 2008

Nigerian Scam: from help requests to death threats

Who has not yet gotten one of those Nigerian Scam or 419 scams? For those who haven't:

This scam usually begins with a letter-form e-mail sent to many target recipients making an offer that will purportedly result in a large payoff for the intended victim. The stories behind the offers vary, but the standard plot is that a person or government entity is in possession of a large amount of money or gold. This person, for myriad reasons, either cannot access the wealth directly or is no longer in need of it. Such people, who are fictional or impersonated characters played by the scammer, could include the wife of a deposed African or Indonesian leader or dictator, a terminally ill wealthy person, a wealthy foreigner who had deposited money in the bank just before dying in a plane crash, leaving no will or known next of kin, a U.S. soldier who has stumbled upon a hidden cache of gold, a business being audited by the government, a disgruntled worker or corrupt government official who has embezzled funds, a refugee, and similar characters. The money could be in the form of gold bullion, gold dust, money in a bank account, so-called "blood diamonds", a series of cheques or bank drafts, and so forth. The sums involved are usually in the millions of dollars, and the investor is promised a large share, often forty percent or more, if they will assist the scam character in retrieving the money from holding and/or dispense of it according to the scam character's wishes. The proposed deal is often presented as a "harmless" white-collar crime, in order to dissuade participants from later contacting the authorities.

Anyway, since this form of polite request doesn't seem to work well enough anymore, they have changed their technique: they now tell you to give them money or... they will shoot you dead:

"Am very sorry for you my friend, is a pity that this is how your life is going to end as soon as you don't comply. … I don't have any business with you, my duty as I am mailing you now is just to KILL/ASSASINATE you and I have to do it as I have already been paid for that."

If people aren't gullible enough to fall for polite help requests, will they really fall for those brutal death threats?

from STLToday

Saturday 26 January 2008

Google as an RBL

From SecuriTeam:

For those not familiar with RBL, the term means Real-time Blackhole List, it is mainly used for SPAM fighting. I have recently started playing around with Google as an RBL engine, the idea is that if the search term I use hits too many hits it is likely to be SPAM

This is actually interesting. I've been googling URLs found in spams for a little while now, and those kinds of searches never return tons of pages, but they do return a few, and most of the time they are security-related sites. This "Google RBL" could be pretty useful coupled with a list of trusted security sites: if the search returns a few URLs from those sites, then the mail is likely to be spam or malware related. What about a mail with "http://securityfocus.com" in the body? Uh-huh... definitely not bulletproof! So better stick to the IP of the sender and just count the number of hits returned by Google.

from securiteam

Wednesday 23 January 2008

Storm Worm: Early Valentine

Looks like the spammers are a little early on that one, but here are the subjects used by this version of the Storm Worm:

  • A Dream is a Wish
  • A Is For Attitude
  • A Kiss So Gentle
  • A Rose
  • A Rose for My Love
  • A Toast My Love
  • Come Dance with Me
  • Come Relax with Me
  • Dream of You
  • Eternal Love
  • Eternity of Your Love
  • Falling In Love with You
  • For You....My Love
  • Heavenly Love
  • Hugging My Pillow
  • I Love You Because
  • I Love You Soo Much
  • I Love You with All I Am
  • I Would Dream
  • If Loving You
  • In Your Arms
  • Inside My Heart
  • Love Remains
  • Memories of You
  • A Token of My Love
  • Miracle of Love
  • Our Love is Free
  • Our Love Nest
  • Our Love Will Last
  • Pages from My Heart
  • Path We Share
  • Sending You All My Love
  • Sending You My Love
  • Sent with Love
  • Special Romance
  • Surrounded by Love
  • The Dance of Love
  • The Mood for Love
  • The Time for Love
  • When Love Comes Knocking
  • When You Fall in Love
  • Why I Love You
  • Words in my Heart
  • Wrapped in Your Arms
  • You... In My Dreams
  • Your Friend and Lover
  • Your Love Has Opened
  • You're myDream

We caught about 67 000 of those in less than 15 days already... talk about a storm!

Saturday 15 September 2007

Greylist effect

We decided to activate the greylisting antispam solution for all our mailboxes at work... here is how it shows on our graphs:


Tuesday 7 August 2007

Spam King gets 30 years in jail

Christopher Smith, the notorious "pharmacy spam king," has received a 30-year jail sentence for running an illegal internet store that sold millions of dollars in prescription drugs.

via Secure Computing Magazine

Wednesday 1 August 2007

Detecting doc/zip/xls/pdf spams with Spamassassin

When trying to build Spamassassin rules to detect a new kind of spam, it's always useful to have several copies of the spam so you can check which parts never change.
In the case of the pdf/zip/doc/xls/etc. spam, even if the spammer did a lot of work to try to make it undetectable, he forgot something: the boundary line of the Content-Type header is always built the same way and isn't common at all:

------------ then a random 24 characters alphanumeric string.

I've searched in my INBOX (more than 50 000 messages) and this boundary pattern only matches the spams.

From this, we can build our first SA rule:

full __UN_KNOWN_BOUND /boundary="------------\d{24}"/

Now, it's safer if we make sure it's really a spam by adding some attachment detection:

full __UN_PDF_ATTACH /application\/pdf/i
full __UN_OCTSTREAM_ATTACH /application\/octet-stream/i
full __UN_WORD_ATTACH /application\/vnd.ms-word/i
full __UN_EXCEL_ATTACH /application\/vnd.ms-excel/i

Then you can build a meta rule that will match our spams:
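The same checks expressed as a small Python script (an added example, not the blog's own code and not a SpamAssassin rule): it runs the raw-message regexes over constructed sample messages and combines them the way a meta rule would, firing only when the odd boundary AND one of the attachment types are both present. Assumptions: the boundary prefix is the twelve dashes shown above, and the 24-character tail is accepted as alphanumeric as the text describes (the blog's own rule is stricter and accepts digits only); the three sample messages are constructed, not real captures.

```python
import re

# Added example: Python equivalent of the post's SpamAssassin "full" rules,
# applied to the raw message text. Not the blog's code; assumptions are noted.
DASHES = "-" * 12  # fixed prefix of the suspicious boundary, as in the post

# The post's rule uses \d{24}; the text describes 24 random alphanumerics,
# so this (assumed, looser) pattern accepts both.
UN_KNOWN_BOUND = re.compile(r'boundary="' + DASHES + r'[A-Za-z0-9]{24}"')

# Attachment content types the post checks for (case-insensitive, like /i).
ATTACHMENT_RULES = {
    "UN_PDF_ATTACH": re.compile(r"application/pdf", re.I),
    "UN_OCTSTREAM_ATTACH": re.compile(r"application/octet-stream", re.I),
    "UN_WORD_ATTACH": re.compile(r"application/vnd\.ms-word", re.I),
    "UN_EXCEL_ATTACH": re.compile(r"application/vnd\.ms-excel", re.I),
}


def matched_rules(raw_message: str) -> set:
    """Return the names of all sub-rules that match the raw message."""
    hits = set()
    if UN_KNOWN_BOUND.search(raw_message):
        hits.add("UN_KNOWN_BOUND")
    for name, pattern in ATTACHMENT_RULES.items():
        if pattern.search(raw_message):
            hits.add(name)
    return hits


def is_attachment_spam(raw_message: str) -> bool:
    """Meta-rule logic: the odd boundary AND at least one attachment type."""
    hits = matched_rules(raw_message)
    return "UN_KNOWN_BOUND" in hits and bool(hits - {"UN_KNOWN_BOUND"})


def build_message(boundary: str, part_content_type: str, part_body: str) -> str:
    """Assemble a minimal single-part MIME message (constructed test data)."""
    return "\r\n".join([
        "From: someone@example.invalid",
        "Subject: test",
        f'Content-Type: multipart/mixed; boundary="{boundary}"',
        "",
        f"--{boundary}",
        f"Content-Type: {part_content_type}",
        "",
        part_body,
        f"--{boundary}--",
        "",
    ])


# Constructed samples: the spam-style boundary with a PDF, a normal mailer
# boundary with a PDF, and the spam-style boundary with only a text part.
SPAM_SAMPLE = build_message(DASHES + "abcdefghijklmnopqrstuvwx",
                            'application/pdf; name="offer.pdf"', "JVBERi0xLjQK")
HAM_SAMPLE = build_message("----=_Part_4242_1701.1185000000",
                           'application/pdf; name="report.pdf"', "JVBERi0xLjQK")
BOUNDARY_ONLY_SAMPLE = build_message(DASHES + "012345678901234567890123",
                                     "text/plain", "hello")

if __name__ == "__main__":
    for label, msg in [("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE),
                       ("boundary only", BOUNDARY_ONLY_SAMPLE)]:
        print(label, sorted(matched_rules(msg)), is_attachment_spam(msg))
```

The point of the second and third samples is the same as the post's: the boundary alone is a strong hint, but requiring an attachment type on top of it keeps a legitimate PDF from a normal mailer, or an odd boundary on a plain text mail, from being scored.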


Tuesday 31 July 2007

more stupid tricks from spammers

Already found out how to block image spam included in .xls and .doc documents? Lucky you. Spammers have a new challenge for you (OK, an easy one): I just received a spam with "pdf" as the subject, with a pdf.zip file attached, which contains a pdf.txt file with the actual spam in it... That's not very original, it's even boring (I'm suspecting it's even counterproductive for them to generate all those files when the victim has to open 3 applications to get to the actual spam).

Come on spammers! you can do better than that!

Monday 23 July 2007

tired of pdf spams? try the new .doc, .xls and .zip spams!

Some reports say that a new kind of spam just appeared. This time the spam is embedded in a .doc file. I heard people saying they also got .xls and .zip spams. This is getting interesting... what will they use next?

via securiteam

Wednesday 21 March 2007

Stocks spams do work

Choose an unknown, forgotten, valueless stock like DIAAF.OB, quoted at $0.0008 per share. Buy millions of shares; it will make the value rise (you are creating demand) to $0.0011. Now, flood the world with spam advertising how the stock value is rising... you'll create more demand, and the share value will rise... And now? Sell. You're rich.

Continue reading...

Saturday 3 March 2007

greylist experimentation results

Here at work, we are averaging 66% spam, which means that most of our users get twice as much spam as regular mail. I know some users who even gave up on email because they were getting 90% spam. We use spamassassin and CRM114 and we tag every detected mail (we aren't allowed to delete mails, even if spamassassin scores them at 1000, for security reasons). Still, users like to complain that they get too much spam.

Anyway... we decided it was time to test greylisting to try to reduce the amount of pollution in users' mailboxes.

Continue reading...

Tuesday 27 February 2007

New Image Spam: obfuscated AND animated

I just got a new piece of image spam and it's not only obfuscated but also animated



Continue reading...

Thursday 18 January 2007

68 Gigabytes

68 Gigabytes is the amount of email addresses F-Secure downloaded from a server used by the Medbot spam virus.

Machines infected with Medbot use a client-server architecture. They connect to a central server to get further instructions as well as spam content and address lists. Then they get to the work of actually sending the spam.

The server addresses keep changing. Last week seek21.zootseek.com was used to serve e-mail addresses to the bots. While investigating the case last week, we downloaded some 68 Gigabytes of e-mail addresses from this

Continue reading...

Friday 12 January 2007

Disposable Email Services

A good way to prevent your main email address from being spammed is not using it when creating web accounts or subscribing to websites. Managing different email accounts isn't trivial, and dropping a free account when it starts being spammed to open another one the next minute isn't really useful either.

What you really need is a temporary email address you can use to prove you're not a robot. One you can throw away as soon as you have used it. That's what disposable email services are for.

Continue reading...

Wednesday 10 January 2007

Mysterious drop in fraud and spam

Security firm SoftScan noticed a 30% drop in spam levels last week attributing that cut to a "broken" botnet.

SoftScan is still investigating the possible cause of the significant drop in junk mail volumes it's recording but reckons the most likely explanation is that hackers have temporarily lost control of a significant network of compromised machines. It seems unlikely that new computers at Christmas had much to do with affecting the number of compromised machines out there.

Alternatively the drop in spam might be a result of the recent earthquake in Asia disrupting spamming activity from that region, but this theory fails to explain a gradual (rather than more sudden) drop off in spam levels this month.

By contrast junk mail levels remained much as normal throughout December including the period around the 26 December earthquakes off Taiwan. Nine in ten emails processed by Softscan last month (89.4 per cent) were identified as junk mail. Only one in 200 emails (0.5 per cent) scanned by the firm last month were infected by malware, despite the outbreak of a worm that posed as a seasonal "Happy New Year" greeting late in the month.

Continue reading...

Wednesday 27 December 2006

ORDB.org is shutting down

ordb.org was one of the rare open-relay RBLs (Realtime Blackhole List) that would actually perform a check on the servers before blacklisting them. You could always remove your servers after correcting the problem, since ordb would also perform a check before removing a server from its RBLs. It was my favorite RBL and it's shutting down:

Continue reading...

Saturday 16 December 2006

Catching image spams with Spamassassin

Image-based spam now accounts for more than 40% of the total spam being sent (here, yesterday: 155833 spams were detected and 67401 of them were image based, that's a nice 43%). How do we detect them?

Well, first I want to warn you: there's no 100% safe way to detect whether a mail containing an image is spam or not. Of course you don't want to stop every mail containing a jpg or gif file. No safe rule, but still, you can use several criteria:

Continue reading...

Wednesday 13 December 2006

Spam Statistics from Marshal TRACE

Marshal, a company specialized in mail and internet security, has some very nice statistics about what's going on in the world of spam, viruses and phishing. They provide interesting stats:

  • percentage of spam detection using their own solution
  • percentage of image spams
  • average size of spam messages
  • spam volume index
  • spam by category
  • spam sources by country
  • (...)
  • Image Spam Over Time

Continue reading...

Thursday 7 December 2006

Bypassing Virus Scanners Using MIME Encoding Tricks

Hendrik Weimer talks about how you can fool some virus scanners by inserting random characters that are not in the Base64 alphabet into base64-encoded data:

Base64 encoding for MIME is defined in RFC 2045, which lists such an alphabet and clearly states: All line breaks or other characters not found in the alphabet must be ignored by decoding software. So it shouldn't make any difference if we insert some random characters not in the alphabet into a Base64 encoded version of our good old EICAR string, right? Wrong. Some virus scanners will happily pass viruses once they come in an unusual but still RFC-compliant encoding. This is even more astonishing given such attacks have already been discussed before.

Continue reading...
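To see the decoder behaviour the quote relies on, here is an added Python example (not from Weimer's article or from this blog): a strict decoder rejects Base64 text containing stray non-alphabet bytes, while an RFC 2045 style decoder discards them and recovers the original bytes, so a scanner that matches on the strict decoder's output never sees the body at all. The pattern scanned for and the MIME body are constructed; the test vector generator exists only to check that a scanner's decoder tolerates such input. The lesson for anyone writing or testing a content scanner is to normalize the encoding the way RFC 2045 requires before matching.

```python
import base64
import binascii
import re

# Bytes that are NOT part of the standard Base64 alphabet; RFC 2045 says a
# decoder must ignore them.
NON_ALPHABET = re.compile(rb"[^A-Za-z0-9+/=]")

# Constructed test pattern, standing in for whatever a scanner looks for.
PATTERN = b"CONSTRUCTED-TEST-PATTERN-NOT-A-REAL-SIGNATURE"
BODY = b"Dear customer,\r\n" + PATTERN + b"\r\nRegards\r\n"
# Single-line encoding so the strict decoder accepts the clean case
# (validate=True would also reject the line breaks MIME normally inserts).
ENCODED_BODY = base64.b64encode(BODY)


def add_stray_bytes(encoded: bytes, every: int = 7, stray: bytes = b"!") -> bytes:
    """Build a scanner test vector: a non-alphabet byte after every `every`
    bytes of the encoded text. Used here only to exercise the decoders."""
    return b"".join(encoded[i:i + every] + stray
                    for i in range(0, len(encoded), every))


def decode_strict(encoded: bytes):
    """Decoder that rejects anything outside the alphabet. Returns None on
    failure, which is how a naive scanner ends up with nothing to scan."""
    try:
        return base64.b64decode(encoded, validate=True)
    except binascii.Error:
        return None


def decode_rfc2045(encoded: bytes) -> bytes:
    """RFC 2045 behaviour: drop every non-alphabet byte, then decode."""
    return base64.b64decode(NON_ALPHABET.sub(b"", encoded))


def strict_scanner_hits(encoded: bytes) -> bool:
    """Scanner built on the strict decoder: silently misses the body once
    the encoding is unusual, because it never decodes it."""
    decoded = decode_strict(encoded)
    return decoded is not None and PATTERN in decoded


def rfc2045_scanner_hits(encoded: bytes) -> bool:
    """Scanner that normalizes per RFC 2045 before matching."""
    return PATTERN in decode_rfc2045(encoded)


if __name__ == "__main__":
    noisy = add_stray_bytes(ENCODED_BODY)
    print("strict scanner, clean body:   ", strict_scanner_hits(ENCODED_BODY))
    print("strict scanner, stray bytes:  ", strict_scanner_hits(noisy))
    print("rfc2045 scanner, stray bytes: ", rfc2045_scanner_hits(noisy))
```

The important failure mode is the silent one: `decode_strict` does not raise into the scanner's caller, it just returns nothing, and "nothing to scan" is indistinguishable from "clean" unless the scanner treats undecodable parts as suspicious rather than as empty.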

The New York Times on new spam methods

Brad Stone from The New York Times writes about the new surge of spam:

You’re not the only one. Spam is back — in e-mail in-boxes and on everyone’s minds. In the last six months, the problem has gotten measurably worse. Worldwide spam volumes have doubled from last year, according to Ironport, a spam filtering firm, and unsolicited junk mail now accounts for more than 9 of every 10 e-mail messages sent over the Internet.

Much of that flood is made up of a nettlesome new breed of junk e-mail called image spam, in which the words of the advertisement are part of a picture, often fooling traditional spam detectors that look for telltale phrases. Image spam increased fourfold from last year and now represents 25 to 45 percent of all junk e-mail, depending on the day, Ironport says.

Continue reading...
