Monday 3 March 2008
By ArnY on Monday 3 March 2008, 16:24 - spam
Virginia's Supreme Court on Friday upheld the first US felony conviction for
spamming. The spammer will serve nine years in prison for sending what
authorities believe to be millions of messages over a two-month period in
2003.
While defending Jaynes, his lawyers attempted to argue that a provision of
the Virginia Computer Crimes Act violates constitutional First Amendment rights
to "anonymous speech," as well as the interstate commerce clause of the US
Constitution. The court rejected these claims due to Jaynes' use of fake e-mail
addresses, which breaks the US CAN SPAM law's condition of giving recipients a
means of contacting the sender.
from ars technica
Monday 11 February 2008
By ArnY on Monday 11 February 2008, 12:09 - spam
Who has not yet gotten one of those Nigerian Scam or 419 scams? For those who haven't:
This scam usually begins with a letter-form e-mail sent to many target recipients making an offer that will purportedly result in a large payoff for the intended victim. The stories behind the offers vary, but the
standard plot is that a person or government entity is in possession of a large amount of money or gold. This person, for myriad reasons, either cannot access the wealth directly or is no longer in need of it. Such
people, who are fictional or impersonated characters played by the scammer, could include the wife of a deposed African or Indonesian leader or dictator, a terminally ill wealthy person, a wealthy foreigner who had
deposited money in the bank just before dying in a plane crash, leaving no will or known next of kin, a U.S. soldier who has stumbled upon a hidden cache of gold, a business being audited by the government, a
disgruntled worker or corrupt government official who has embezzled funds, a refugee, and similar characters. The money could be in the form of gold bullion, gold dust, money in a bank account, so-called "blood
diamonds", a series of cheques or bank drafts, and so forth. The sums involved are usually in the millions of dollars, and the investor is promised a large share, often forty percent or more, if they will assist the scam
character in retrieving the money from holding and/or dispense of it according to the scam character's wishes. The proposed deal is often presented as a "harmless" white-collar crime, in order to dissuade participants
from later contacting the authorities.
Anyway, since this form of polite request doesn't seem to work well enough anymore, they have changed their technique: they now tell you to give them money or... they will shoot you dead:
Am very sorry for you my friend, is a pity that this is how your life is going to end as soon as you don't comply. …
I don't have any business with you, my duty as I am mailing you now is just to KILL/ASSASINATE you
and I have to do it as I have already been paid for that."
If people aren't gullible enough to believe polite requests for help, will they really fall for those brute death threats?
from STLToday
Saturday 26 January 2008
By ArnY on Saturday 26 January 2008, 11:08 - spam
From SecuriTeam:
For those not familiar with RBL, the term means Real-time Blackhole List, it
is mainly used for SPAM fighting. I have recently started playing around with
Google as an RBL engine, the idea is that if the search term I use hits too
many hits it is likely to be SPAM
This is actually interesting. I've been googling URLs found in spam for a
little while now, but those kinds of searches never return tons of pages; they
do return a few, though, and most of the time they are security-related sites.
This "Google RBL" could be pretty useful coupled with a list of trusted
security sites. If the search returns a few URLs from those sites, then the
mail is likely to be spam or malware related. What about a mail with
"http://securityfocus.com" in the body? Uh-huh... definitely not bulletproof! So
better stick to the IP of the sender and just count the number of hits returned
by Google.
from securiteam
Wednesday 23 January 2008
By ArnY on Wednesday 23 January 2008, 10:03 - spam
Looks like the spammers are a little early on that one, but here are the
subjects used by this version of the Storm worm:
- A Dream is a Wish
- A Is For Attitude
- A Kiss So Gentle
- A Rose
- A Rose for My Love
- A Toast My Love
- Come Dance with Me
- Come Relax with Me
- Dream of You
- Eternal Love
- Eternity of Your Love
- Falling In Love with You
- For You....My Love
- Heavenly Love
- Hugging My Pillow
- I Love You Because
- I Love You Soo Much
- I Love You with All I Am
- I Would Dream
- If Loving You
- In Your Arms
- Inside My Heart
- Love Remains
- Memories of You
- A Token of My Love
- Miracle of Love
- Our Love is Free
- Our Love Nest
- Our Love Will Last
- Pages from My Heart
- Path We Share
- Sending You All My Love
- Sending You My Love
- Sent with Love
- Special Romance
- Surrounded by Love
- The Dance of Love
- The Mood for Love
- The Time for Love
- When Love Comes Knocking
- When You Fall in Love
- Why I Love You
- Words in my Heart
- Wrapped in Your Arms
- You... In My Dreams
- Your Friend and Lover
- Your Love Has Opened
- You're myDream
We caught about 67 000 of those in less than 15 days already... talk about a
storm!
Saturday 15 September 2007
By ArnY on Saturday 15 September 2007, 19:45 - spam
We decided to activate the greylisting antispam solution for all our mailboxes
at work... here is how it shows on our graphs:

Tuesday 7 August 2007
By ArnY on Tuesday 7 August 2007, 18:19 - spam
Christopher Smith, the notorious "pharmacy
spam king," has received a 30-year-jail sentence for running an illegal
internet store that sold millions of dollars in prescription drugs.
via Secure Computing Magazine
Wednesday 1 August 2007
By ArnY on Wednesday 1 August 2007, 10:21 - spam
When trying to build SpamAssassin rules to detect a new kind of spam, it's
always useful to have several copies of the spam so you can check which parts
never change.
In the case of the pdf/zip/doc/xls/etc. spam, even if the spammer did a lot of
work to try to make it undetectable, he forgot something: the boundary line of
the Content-Type header is always built the same way and isn't common at
all:
------------ then a random 24-character alphanumeric string.
I've searched in my INBOX (more than 50 000 messages) and this boundary pattern
only matches the spams.
From this, we can build our first SA rule:
full __UN_KNOWN_BOUND /boundary="------------\d{24}"/
Now, it's safer if we make sure it's really a spam by adding some attachment
detection:
full __UN_PDF_ATTACH /application\/pdf/i
full __UN_OCTSTREAM_ATTACH /application\/octet-stream/i
full __UN_WORD_ATTACH /application\/vnd\.ms-word/i
full __UN_EXCEL_ATTACH /application\/vnd\.ms-excel/i
Then you can build a meta rule that will match our spams:
meta UN_ATTACH_SPAM __UN_KNOWN_BOUND && (__UN_PDF_ATTACH || __UN_OCTSTREAM_ATTACH || __UN_WORD_ATTACH || __UN_EXCEL_ATTACH)
score UN_ATTACH_SPAM 10
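The same check written out in Python, as an added example that is not part of the original post: `raw_match` mirrors the regexes the way a `full` rule applies them to the raw message, and `parsed_match` is a stricter variant that reads the real boundary parameter and MIME part types. The boundary follows the rule as written (24 digits); the function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Boundary shape targeted by __UN_KNOWN_BOUND: 12 dashes, then 24 digits.
BOUNDARY_RE = re.compile(r"-{12}\d{24}")
ATTACH_TYPES = {"application/pdf", "application/octet-stream",
                "application/vnd.ms-word", "application/vnd.ms-excel"}
# Raw-text equivalents of the rules, as a `full` rule sees the message.
RAW_BOUND = re.compile(r'boundary="-{12}\d{24}"')
RAW_ATTACH = re.compile(
    r"application/(pdf|octet-stream|vnd\.ms-word|vnd\.ms-excel)", re.I)

def raw_match(raw):
    """Emulate the meta rule: both regexes anywhere in the raw message."""
    return bool(RAW_BOUND.search(raw) and RAW_ATTACH.search(raw))

def parsed_match(raw):
    """Stricter variant: real boundary parameter and a real MIME part type."""
    msg = message_from_string(raw)
    boundary = msg.get_boundary()
    if boundary is None or not BOUNDARY_RE.fullmatch(boundary):
        return False
    return any(p.get_content_type() in ATTACH_TYPES for p in msg.walk())

def make_msg(boundary, parts):
    """Build a constructed multipart message from (content_type, body) pairs."""
    lines = ["From: a@example.com", "Subject: test", "MIME-Version: 1.0",
             'Content-Type: multipart/mixed; boundary="%s"' % boundary, ""]
    for ctype, body in parts:
        lines += ["--" + boundary, "Content-Type: " + ctype, "", body]
    lines += ["--" + boundary + "--", ""]
    return "\n".join(lines)

B = "-" * 12 + "010203040506070809010203"   # constructed sample boundary
SPAM = make_msg(B, [("text/plain", "see attached"),
                    ("application/pdf", "%PDF-1.4 ...")])
PLAIN = make_msg(B, [("text/plain", "hello"), ("text/html", "<p>hello</p>")])
OTHER = make_msg("=_NextPart_001", [("application/pdf", "%PDF-1.4 ...")])
QUOTED = make_msg(B, [("text/plain", "it said Content-Type: application/pdf")])

if __name__ == "__main__":
    for name in ("SPAM", "PLAIN", "OTHER", "QUOTED"):
        raw = globals()[name]
        print(name, raw_match(raw), parsed_match(raw))
```

The `QUOTED` sample is the case to watch: the raw regexes fire on a MIME type that only appears as body text, while the parsed check does not.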
Monday 23 July 2007
By ArnY on Monday 23 July 2007, 14:50 - spam
There are reports that a new kind of spam has just appeared. This time the
spam is embedded in a .doc file. I heard people saying they also got .xls and
.zip spams. This is getting interesting... what will they use next?
via securiteam
Wednesday 21 March 2007
By ArnY on Wednesday 21 March 2007, 21:42 - spam
Choose an unknown, forgotten, valueless stock like DIAAF.OB, quoted at
$0.0008 per share. Buy millions of shares, it will make the value rise (you
are creating a demand) to $0.0011. Now, flood the world with spam, advertising
how the stock value is rising... you'll create more demand, the share value
will rise... And now? Sell. You're rich.
Saturday 10 March 2007
By ArnY on Saturday 10 March 2007, 11:42 - security
Warezov, Spamthru... viruses used by spammers. They are pretty easy to detect
if you can monitor HTTP connections. Indeed, more and more viruses will try to
fetch data (spam templates or updates) from dedicated domains. If you can
monitor those domains, you can detect infected computers on your
networks.
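One way to run that check over proxy logs, as an added example that is not part of the original post: it assumes a Squid-style access log and a watchlist of template/update domains, matches each domain and its subdomains, and lists the internal clients that contacted them. The watchlist reuses the domain named in the Medbot entry on this page plus a placeholder; the log lines and function names are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Sample watchlist: "zootseek.com" is the domain named in the Medbot entry
# on this page; "templates.example" is a constructed placeholder.
WATCHLIST = {"zootseek.com", "templates.example"}

# Constructed Squid-style lines: time elapsed client code size method URL ...
# (seek22 is a constructed hostname used to show subdomain matching).
SAMPLE_LOG = """\
1168000000.101 120 10.0.0.15 TCP_MISS/200 5120 GET http://seek21.zootseek.com/list.txt - DIRECT/192.0.2.10 text/plain
1168000050.500 80 10.0.0.22 TCP_MISS/200 900 GET http://www.example.org/index.html - DIRECT/192.0.2.20 text/html
1168000300.900 110 10.0.0.15 TCP_MISS/200 4096 GET http://seek22.zootseek.com/list.txt - DIRECT/192.0.2.11 text/plain
1168000400.000 60 10.0.0.31 TCP_MISS/200 700 GET http://notzootseek.com/ - DIRECT/192.0.2.30 text/html
1168000500.250 95 10.0.0.40 TCP_DENIED/403 0 CONNECT upd.templates.example:443 - NONE/- -
garbage line
"""

def watched(host):
    """True if host is a watchlist domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)

def host_of(method, url):
    """Extract the hostname from a proxy log URL field."""
    if method == "CONNECT":            # CONNECT logs host:port, no scheme
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""

def suspect_clients(log_text):
    """Map client IP -> sorted list of watched hosts it contacted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue                   # skip malformed lines
        client, method, url = fields[2], fields[5], fields[6]
        host = host_of(method, url)
        if watched(host):
            hits[client].add(host.lower())
    return {ip: sorted(h) for ip, h in hits.items()}

if __name__ == "__main__":
    for ip, hosts in suspect_clients(SAMPLE_LOG).items():
        print(ip, ", ".join(hosts))
```

Matching on the registered domain rather than the full hostname keeps the check working when the server hostname rotates, and the leading-dot suffix test avoids flagging look-alikes such as `notzootseek.com`.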
Tuesday 27 February 2007
By ArnY on Tuesday 27 February 2007, 14:10 - spam
I just got a new piece of image spam and it's not only obfuscated but also
animated.

Thursday 18 January 2007
By ArnY on Thursday 18 January 2007, 16:40 - spam
68 gigabytes is the amount of email addresses F-Secure downloaded from a
server used by the Medbot spam-virus.
Machines infected with Medbot use a client-server architecture. They connect
to a central server to get further instructions as well as spam content and
address lists. Then they get to the work of actually sending the spam.
The server addresses keep changing. Last week seek21.zootseek.com was used
to serve e-mail addresses to the bots. While investigating the case last week,
we downloaded some 68 Gigabytes of e-mail addresses from
this
Wednesday 10 January 2007
By ArnY on Wednesday 10 January 2007, 18:38 - spam
Security firm SoftScan noticed a 30% drop in spam levels last week,
attributing that cut to a "broken" botnet.
SoftScan is still investigating the possible cause of the significant drop
in junk mail volumes it's recording but reckons the most likely explanation is
that hackers have temporarily lost control of a significant network of
compromised machines. It seems unlikely that new computers at Christmas had
much to do with affecting the number of compromised machines out there.
Alternatively the drop in spam might be a result of the recent earthquake in
Asia disrupting spamming activity from that region, but this theory fails to
explain a gradual (rather than more sudden) drop off in spam levels this
month.
By contrast junk mail levels remained much as normal throughout December
including the period around the 26 December earthquakes off Taiwan. Nine in ten
emails processed by Softscan last month (89.4 per cent) were identified as
junk mail. Only one in 200 emails (0.5 per cent) scanned by the firm last month
were infected by malware, despite the outbreak of a worm that posed as a
seasonal "Happy New Year" greeting late in the month.
Wednesday 13 December 2006
By ArnY on Wednesday 13 December 2006, 09:20 - spam
Marshal, a company specialized in mail and internet security, has some very
nice statistics about what's going on in the world with spam,
viruses and phishing. They provide interesting stats:
- percentage of spam detection using their own solution
- percentage of image spams
- average size of spam messages
- spam volume index
- spam by category
- spam sources by country
- (...)
- Image Spam Over Time
Thursday 7 December 2006
By ArnY on Thursday 7 December 2006, 09:16 - spam
Brad Stone from The New York Times writes about the new surge of spam:
You’re not the only one. Spam is back — in e-mail in-boxes and on everyone’s
minds. In the last six months, the problem has gotten measurably worse.
Worldwide spam volumes have doubled from last year, according to Ironport, a
spam filtering firm, and unsolicited junk mail now accounts for more than 9 of
every 10 e-mail messages sent over the Internet.
Much of that flood is made up of a nettlesome new breed of junk e-mail
called image spam, in which the words of the advertisement are part of a
picture, often fooling traditional spam detectors that look for telltale
phrases. Image spam increased fourfold from last year and now represents 25 to
45 percent of all junk e-mail, depending on the day, Ironport says.