taint.org: Justin Mason’s Weblog

I think I just got my first spam from a government body! Specifically, VisitWicklow.ie spam from Wicklow County Tourism. It says:

Wicklow County Tourism is launching its sparkling 2008 Christmas campaign this month, with an extensive festive section on our website www.visitwicklow.ie/xmas . Here you will find all the information you need about what is happening in the Garden County this season including Christmas parties, seasonal events, carol singing, festive markets, Santa visits, great accommodation packages etc.

It was sent to a spamtrap address, scraped from an old mail archive. This address is a dedicated spamtrap; I’ve never used it for non-spam-trapping purposes, nor has it ever opted-in to receive mail. So there was no question that I granted permission to anyone to mail it.

The address delivers mail to my personal account — that’s what I do with my spamtraps, until their volumes get too high. So it still qualifies as a “personal email address”. Here’s the full spam with all headers intact.

It appears the message originated at IP address 87.192.126.62:

inetnum:        87.192.126.32 - 87.192.126.63
netname:        IBIS-PA-NET
descr:          BreezeMax-KilpooleHill-Comm-E 3MB 24:1 (2)
country:        IE
admin-c:        IRA6-RIPE
tech-c:         IRA6-RIPE
status:         Assigned PA
remarks:        Please do NOT send abuse complaints to the contacts listed.
remarks:        Please check remarks on individual inetnum records for abuse contacts, or
remarks:        failing that email abuse reports to abuse@irishbroadband.ie.
mnt-by:         IBIS-MNT
source:         RIPE # Filtered

Kilpoole Hill appears to be south of Wicklow town, just the right spot for a wireless tower used for Irish Broadband access from The Murrough, Wicklow Town (mentioned as the address for Wicklow County Tourism in the mail).

Suggestions? Did anyone else get this? How do I report spam sent by the Wicklow County Tourism Board?

Update: they also hit the Irish Linux User’s Group submission address. I wouldn’t be surprised if they scraped the addresses of other ILUG subscribers, then…

Tags: idiots, ireland, spam, wicklow

• Memeorandum Colors: Visualizing Political Bias with Greasemonkey : nice hack
  (tags: hacks greasemonkey ui us-politics election)

• Xen/VPS hosting reviews : good list from Russell Coker. Gandi’s product is amazingly cheap at EUR6 for super-low-end nodes (UPDATE: that’s because the page is wrong! in reality it’s EUR10+VAT)
  (tags: gandi xen vps linux hosting reviews)

• Make-Believe Maverick : ‘A closer look at the life and career of John McCain reveals a disturbing record of recklessness and dishonesty.’ amazingly vicious hatchet-job on John McCain from _Rolling Stone_
  (tags: rolling-stone articles toread vicious john-mccain expose maverick tim-dickinson)

• Spam Volumes Plummet After Atrivo Shutdown : MessageLabs indicates a ’significant drop’ in spam/botnet activity, due to loss of C&C networks located at Atrivo
  (tags: messagelabs atrivo spam botnets cutwail mega-d securityfix)

• Marshal reckon the Storm botnet has dried up : ‘Spam originating from the Storm botnet suddenly dried up in mid-September. Since that time we have not detected a single Storm spam in our traps.’
  (tags: storm spam botnets malware marshal)

• Django test fixtures : handy; load initial test data into the database from JSON files. must start using these
  (tags: fixtures testing django web-apps sql json)

Tags: articles, atrivo, botnets, cutwail, django, election, expose, fixtures, gandi, greasemonkey, hacks, hosting, john-mccain, json, linux, malware, marshal, maverick, mega-d, messagelabs, reviews, rolling-stone, securityfix, spam, sql, storm, testing, tim-dickinson, toread, ui, us-politics, vicious, vps, web-apps, xen

• Vint Cerf interviewed on spam, malware etc. : pretty much the EFF party line, I think: “every man for himself”. also talks about net neutrality
  (tags: vint-cerf internet filtering spam malware abuse network-neutrality anti-spam eff)

• video of a fake e-Passport being accepted by airport security reader : an e-Passport for “Elvis Aaron Presley”, no less, happily scanned by an Amsterdam passport security station. hahahaha!
  (tags: elvis funny security e-passports video via:slashdot rfid)

• Facebook adds Ireland as a Friend : ‘Dublin will be the centre for Facebook’s international operations and will provide a range of online technical, sales and operations support to Facebook’s users and customers across EMEA region.’ good news
  (tags: facebook dublin ireland web2.0 emea)

• RFC-5321 (Obsoletes: 2821) : The newest rev to the Simple Mail Transfer Protocol (via fanf)
  (tags: rfcs rfc-2821 standards internet smtp email rfc-5321)

• RFC-5322 (Obsoletes: 2822) : the newest rev to the Internet Message Format for email (via fanf)
  (tags: via:fanf rfc rfc-2822 rfc-5322 standards email internet)

Tags: abuse, anti-spam, dublin, e-passports, eff, elvis, email, emea, facebook, filtering, funny, internet, ireland, malware, network-neutrality, rfc, rfc-2821, rfc-2822, rfc-5321, rfc-5322, rfcs, rfid, security, smtp, spam, standards, via:fanf, via:slashdot, video, vint-cerf, web2.0

• Linux x86_64 frozen by heavy I/O on Dell PowerEdge 2950 : starting to think we may be running into this on our build machine; annoying. bookmarking for future reference
  (tags: poweredge dell hardware linux drivers performance sysadmin)

• Wikipedia:Articles for deletion/Deletionpedia : hahaha. WP deletion gnomes argued that Deletionpedia should not have an entry due to non-notability, just 24 minutes after that entry was created
  (tags: wp wikipedia funny deletion processes bureaucracy deletionpedia)

• Atrivo/InterCage depeered : the ISP’s AS (AS27595) is now offline, due apparently to coordinated lobbying of its upstreams
  (tags: atrivo isps abuse intercage spam malware hosting)

Tags: abuse, atrivo, bureaucracy, deletion, deletionpedia, dell, drivers, funny, hardware, hosting, intercage, isps, linux, malware, performance, poweredge, processes, spam, sysadmin, wikipedia, wp

• Groklaw – Anonymous Speech in Email Upheld in Spammer Case : Groklaw goes into the detail of how and why the Virginia anti-spam law could be overturned. Ugh. I strongly believe that spam = UBE, not UCE, and political spam is still spam, so this is particularly disappointing for me
  (tags: ube uce spam law legal virginia jeremy-jaynes groklaw anti-spam)

• VMware server tweaks : ugh. quite a lot of voodoo here, need to investigate to see if any of these improve performance on our little build farm vmware server
  (tags: vmware performance linux tweaks kernel)

• consumer tips in response to the XL Airlines collapse : tour operator/airline went bust, leaving its customers well in the lurch. Those who booked flights directly on their website, using a debit card, have lost their money. Most travel insurance doesn’t cover airline collapse. Moral: use a credit card
  (tags: credit-cards safety consumer xl-airlines travel-agents atol flights travel)

Tags: anti-spam, atol, consumer, credit-cards, flights, groklaw, jeremy-jaynes, kernel, law, legal, linux, performance, safety, spam, travel, travel-agents, tweaks, ube, uce, virginia, vmware, xl-airlines

• Va. Supreme Court Strikes Down State’s Anti-Spam Law : argh! IMO the judge has confused misleading forged headers with anonymous speech
  (tags: anonymity legal law jeremy-jaynes spam anti-spam virginia)

• Watch out for that Dropbox Public Folder : Joe has a good point: ‘you hereby grant all other Dropbox users a non-exclusive, worldwide, royalty-free, sublicensable, perpetual and irrevocable right and license to use and exploit Your Files in your public folder.’ wtf
  (tags: dropbox ip backup legal terms-and-conditions legalese)

• Microsoft Open Source inside Google Chrome : namely the Windows Template Library, now distributed under the (OSI-approved) Microsoft Public License. strange days (via reddit)
  (tags: microsoft open-source osi google chrome wtl windows)

• Irishmen buy up island of England : ‘an Irish consortium has emerged as the buyer of the island of England in The World development, a man-made scheme off the coast of Dubai.’ hahaha!
  (tags: funny ireland england dubai unintended-consequences property the-world)

Tags: anonymity, anti-spam, backup, chrome, dropbox, dubai, england, funny, google, ip, ireland, jeremy-jaynes, law, legal, legalese, microsoft, open-source, osi, property, spam, terms-and-conditions, the-world, unintended-consequences, virginia, windows, wtl

• Twitter API Rate Limiting : ‘Clients are allowed 70 requests per 60 sixty minute time period, starting from their first request. This is enough to make just over one request per minute, per hour, which should meet the needs of most applications.’ Fingers crossed this can be lifted for twit.ie
  (tags: aggregation rate-limiting api http twitter twit.ie)

• Pipes: BBC AOD filter : select a BBC radio show, get an RSS feed of “Audio on Demand” RealAMRadio files as they are posted. (”radio4″ works as the station ID for that station)
  (tags: bbc radio4 radio realaudio via:hublog)

• Work at Home . . . for a Criminal? : good round-up of how those “work at home” scam spams work
  (tags: work spam scams fraud teleworking telecommuting)

Tags: aggregation, api, bbc, fraud, http, radio, radio4, rate-limiting, realaudio, scams, spam, telecommuting, teleworking, twit.ie, twitter, via:hublog, work

• Review of bicycle helmet effectiveness studies : quite a few case-control studies consistently demonstrating the protective effects of bicycle helmet use on shared roadways
  (tags: cycling helmets safety health statistics)

• Spammer-X’s numbers on spam profitability : he claimed that he made net $336k per year from spamming in 2004
  (tags: via:tzink spammer-x spam money pay profit motives)

Tags: cycling, health, helmets, money, motives, pay, profit, safety, spam, spammer-x, statistics, via:tzink

• Dublin’s new M50 electronic toll tags : what a mess! there are no less than 8 tag operators and a bewildering array of prices and penalties. typical
  (tags: ireland dublin m50 tolls roads pricing)

• Sustained IO on EBS == No Bueno : worrying stats for Amazon EBS data throughput, dropping from 160 MB/s to a rather paltry 42.4 MB/s
  (tags: amazon ebs ec2 speed networking hosting benchmarks)

• MXLogic on the economics of spam : Sam Masiello of MXLogic works out that phishers may be netting a 7300% profit margin; this is why spam’s not going away. mind you he does this by believing Gartner figures, which is never a good idea
  (tags: sam-masiello mxlogic via:tzink phishing spam money)

Tags: amazon, benchmarks, dublin, ebs, ec2, hosting, ireland, m50, money, mxlogic, networking, phishing, pricing, roads, sam-masiello, spam, speed, tolls, via:tzink

I was away on holidays last week, and when I got back, I found my feed reader full of some good discussion as to whether today’s bigger spam botnets — Srizbi, Rustock, Mega-D, Cutwail/Pushdo — are sharing components, such as “landing” sites, exploits, customers, and even command and control networks. It started with this post on the FireEye Malware Intelligence Lab’s blog noting:

‘Some malware researchers have described Srizbi and Rustock as rival botnets, our data indicates that this apparent rivalry is a sibling rivalry at best. Srizbi and Rustock seem to be supported (controlled) by the same parent (bot herder).’

and in this followup:

‘We can clearly see that Srizbi, Pushdo and Rustock are using same ISP, and in many cases, IPs on the same subnet to host their Command and Control servers. It seems extremely unlikely to our research team that three previously “rival” Botnets would share nearly consecutive IP space, and be hosted in the same physical facility. Of all the data centers and IPs in the world, the fact that they are all on the same subnet is very intriguing. This fact makes the FireEye research team conclude that either the Botnets are operated by the same organization, or that the datacenter (McColo) is a shell corporation that leases out it’s IP space and bandwidth for nefarious actions.’ [...]

‘IPs at a typical datacenter are leased out in a /30 or more commonly, a /29 block. However, here we can see that in a given succession of IPs, the three Botnets have C&C servers dispersed throughout. This gives us an impression that same Bot herder leased out a larger range and then distributed it amongst its different Botnets.’

Marshal say: ‘at the very least, the major botnets have common customers.’

Dark Reading cover it like so:

Rustock, which recently edged Srizbi for the top slot as the biggest spammer mostly due to a wave of fake Olympics and CNN news spam, and Srizbi, known for fake video and DVD spam, have been using the same Trojan, Trojan.Exchanger, to download their bot malware updates, researchers say. “This is the first time” we had seen this connection between the two botnets, says Fengmin Gong, chief security content officer for anti-botnet software firm FireEye. “That’s why when we saw it, it was surprising. They definitely have a relationship,” he says. “There’s not the rivalry we used to think about.” [...]

Joe Stewart, director of security research for SecureWorks, says the Srizbi-Rustock connection is most likely due to a spammer using both zombie networks — not that the operators of the two botnets are actually collaborating. “What is confusing people is that you’re seeing Rustock bots sending out emails that essentially infect people with Srizbi, so they think it must be Srizbi that’s sending it, but it’s not,” he says. “Srizbi is not just one big model. It’s rented out to lots of different spammers.”

A major spammer may be trying to diversify by using the two botnets, he says. “It could be because they want to separate their malware-seeding operation from their spamming operation,” Stewart says. “Maybe their bots are getting blacklisted faster when they’re sending out URLs with fake video files because they’re easy to spot, so their spam doesn’t get through. So they send malware from this botnet, and spam from this one, to keep out of the blacklists longer.”

I agree that Joe’s scenario is very likely; the spammers aren’t always the same people who operate the botnets, and it only makes sense that some of them would spread their business among multiple nets, to minimize the risk that all of their output would be blocked if one ‘net runs into trouble (or indeed, good filtering ;). But seeing C&C servers sharing LANs also strikes me as unusual. One to watch.

Anyway, it’s good to see that the malware research blogs are now actively tracking and posting updates when the botnets change topics and format; this info is very valuable for us in anti-spam, as it allows us to map from the received spam mails back to the sending botnet, and determine which rules are good at detecting each botnet. Thanks, guys.

(image credit: cobalt123, used under CC license)

Tags: anti-spam, botnets, malware, spam

• 30% Of Internet Users Admit To Buying From Spam : ugh. we need a reminder of the Boulder Pledge. Mind you, Marshal have put out what appear to be inaccurate figures in the past regarding the Rustock botnet, so apply a pinch of salt
  (tags: marshal spam boulder-pledge commerce shopping statistics via:techdirt)

• more details on EC2 Elastic Block Store : achieves 70MB/s on an m1.small instance; ‘performance exceeds what we’ve seen for filesystems striped across the four local drives of x-large instances’. pretty good for a network filesystem, although not great compared to fast local SATA disks. also: snapshots are incremental and perform nicely compared to local S3 copy-and-upload
  (tags: ebs amazon performance benchmarks s3 ec2 disks snapshotting filesystems)

• Amazon Elastic Block Store (EBS) : ‘Prior to Amazon EBS, block storage within an Amazon EC2 instance was tied to the instance itself so that when the instance was terminated, the data within the instance was lost. Now with Amazon EBS, users can chose to allocate storage volumes that persist reliably and independently from Amazon EC2 instances.’ — can even snapshot to S3
  (tags: amazon ebs ec2 aws s3 cloud-computing hosting)

Tags: amazon, aws, benchmarks, boulder-pledge, cloud-computing, commerce, disks, ebs, ec2, filesystems, hosting, marshal, performance, s3, shopping, snapshotting, spam, statistics, via:techdirt

• Dublin bike scheme billboards threat to drivers : JC Decaux’ “free” bikes are now delayed another 6 months — to next spring. in the meantime, the ads are up all over Dublin. what a rip-off
  (tags: jc-decaux bikes cycling dublin advertising spam civic ireland)

• Return Path to Acquire Habeas : that’s the two main legit-email whitelisting reputation dbs merged into one
  (tags: return-path habeas ssc bsp bonded-sender spamassassin anti-spam dnswl dnsbl reputation deliverability)

• scammers buying phones, then wardialing the nearby number-space to scam them : this just happened to Simon Willison, pretending to offer to cancel extremely expensive insurance, but with a “cancellation fee”. great demo of why consecutive assigned numbering schemes are bad for security
  (tags: phishing scams phones uk iphone via:simonw security numbering ids)

• DRI calls for data-breach disclosure in Ireland : +1
  (tags: breach-disclosure security exploits social-welfare ireland identity-theft)

Tags: advertising, anti-spam, bikes, bonded-sender, breach-disclosure, bsp, civic, cycling, deliverability, dnsbl, dnswl, dublin, exploits, habeas, identity-theft, ids, iphone, ireland, jc-decaux, numbering, phishing, phones, reputation, return-path, scams, security, social-welfare, spam, spamassassin, ssc, uk, via:simonw

TechCrunch UK campaigning for a “Digital Hub” I have to say, the Digital Hub is actually a great place to work; it’s well worth duplicating, if such a thing is possible

419eater anti-scammers fool 419ers into performing the Dead Parrot sketch “Possibly, he is pining for the fee-ords”

Google taking action against Nigerian/419 fraud spammers Good news. About time, too ;)

Tags: 419, anti-spam, charts, digital-hub, dublin, fjords, fraud, funny, google, ireland, mail, monty-python, pining, scams, spam, tech, work

Del.icio.us 2.0 goes live yay! I’ve been waiting for this for yonks

10 years of Boards.ie massive ~50GB RDF/XML dump, for open crunching, to generate interesting “SIOC Semantic Web” apps

Postmaster.comcast.net how to get mail delivered successfully to Comcast, the usual stuff

Why we’ll never replace SMTP ‘The reason that e-mail is uniquely useful is that you can exchange mail with people you don’t already know. The reason that spam exists is that you can exchange mail with people you don’t already know.’ +1

“Bikes-for-Billboards” scheme exposes major planning flaws ‘what was initially hailed as “free bikes” has become one of the biggest planning controversies to hit Dublin in years.’ No shit. 70% of sites are on the Northside, rather than the richer Southside; and each bike will cost over EUR300k in ad revenue!

Rob Enderle’s page on Wikipedia detailing this analyst’s hilariously wrong pro-SCO, anti-Apple/Linux predictions over the years. John Gruber: ‘the only way it would be worthwhile for reporters to [quote him] would be if they were willing to describe him as “almost always utterly wrong”‘

Tags: ads, advertising, analysts, anti-spam, apple, bikes, billboards, blogging, boards.ie, comcast, cycling, del.icio.us, dublin, email, enderle-group, funny, fussp, guidelines, history, internet, ireland, isps, jc-decaux, john-gruber, Links, linux, mail, microsoft, oh-dear, planning, postmaster, releases, rob-enderle, scandals, sco, semantic-web, sioc, smtp, spam, tech, urban, via:archiseek, wikipedia

Why Spam Can’t Be Stopped – Emailappenders And Others Sell Bogus Lists Marketing company buys list of addresses, 85% of the 100k addresses bounce, marketer gets booted by ISP for spamming, marketer issues complaining press release. Let’s say it again: opt-in permission can’t be sold, and address list vendors are spammers

Tags: address-lists, e-pending, marketing, spam, via:spamnation

Those INSERT guys who’ve been talking about a GMail security hole allowing spammers to relay spam, have released more previous-redacted details here. (thanks to the MailChannels blog for pointing that out.)

In essence, the attack works by allowing a spammer to set the “forward to” address in GMail to point at a target address, send a spam to the GMail account, then change the “forward to” address to the next target and repeat.

My response:

1. it’d be trivial for Google to impose stringent rate limits on “forward to” address changes, and I’d be surprised if they haven’t already.

2. ditto rate-limiting on the rate of forwarding messages for each GMail account.

3. as they say in the paper — if Google required up-front confirmation of the target address before forwarding any mail, that would also cut this out neatly.

4. It’s worth noting that GMail’s outbound servers may be whitelisted by some recipient sites, others are treating them negatively — word on the anti-spam “street” is that GMail is becoming a festering pit of 419 scammers these days.

Tags: anti-spam, gmail, google, insert, spam

Quoting an old job post: ‘ammado.com are a new online global community with headquarters in Dublin, Ireland. ammado are developing a fun interactive online entertainment platform catering for a huge global market, using the latest technologies.’

Well, using that and spam, it seems. Look what just arrived in my inbox:

• X-Spam-Status: No, score=-8.0 required=5.0 tests=BAYES_50, EXTRA_MPART_TYPE, HABEAS_ACCREDITED_COI, HTML_MESSAGE, RP_MATCHES_RCVD,SPF_PASS shortcircuit=no autolearn=unavailable version=3.3.0-r650054
• X-Spam-Relays-External: [ ip=89.101.128.81 rdns=mail.ammado.com helo=mail.ammado.com by=soman.fdntech.com ident= envfrom= intl=0 id=4856CBA51B8 auth= msa=0 ] [ ip=192.168.11.20 rdns= helo=amsrvmail001.ammado.local by=amsrvmail001.ammado.local ident= envfrom= intl=0 id= auth= msa=0 ]
• From: Peter Conlon <pconlon/at/ammado.com>
• Date: Mon, 26 May 2008 10:45:11 +0100
• Subject: UNHCR asks the blogosphere for help

UNHCR and ammado, http://www.ammado.com are reaching out to the blogosphere in an effort to spread the word for this year’s World Refugee Day on June 20th and raise awareness of the situation of refugees all over the world!

This year, World Refugee Day is about protection, the heart and soul of UNHCR. With rising oil prices, decreasing food supplies, the adverse affects of climate change, the ongoing crisis in Darfur and a high number of unexpected natural disasters including those in Myanmar and China, the world’s refugees have never been more in need of protection.

Another day, another spam. They also spammed Donncha, Michele and Damien, so it sounds like they’re doing the rounds of the Irish blogosphere.

(Update: add Tom, Suzy, Alexia, squid at Limerick Blogger, and Grandad at Head Rambles to that list, too.)

However — the hit on the HABEAS_ACCREDITED_COI SpamAssassin rule means that Ammado are a member of the Habeas Accredited Confirmed-Opt-In program, meaning that they have undertaken a bond to only email people who signed up to receive their communications using “confirmed opt-in”. I have never had any dealings with Ammado, or opted in in any way to receive communication from them — let alone confirmed an opt-in. This is out-and-out unsolicited bulk email, or spam, so this may turn out to be an expensive mistake for Ammado.

If you also got spammed by a Habeas-accredited sender, send a complaint to complaints /at/ habeas.com. This is how the Habeas system works…

PS: This is a good illustration of how spam is not Unsolicited Commercial Email, but UBE — Unsolicited Bulk Email. Even though this is non-commercial, it’s still spam!

Tags: ammado, charity-spam, spam, unhcr

Peter G. Neumann at the RISKS Forum notes that Last Friday was the anniversary of the sending of the first e-mail spam:

[Thanks to Mike Hogsett for noting this event, and Brad Templeton for recording it.]

What is allegedly the very first spam message was sent roughly 30 years over the ARPANET.

In seeing this, Mike was amused because he works with some of the people it was addressed to, of whom a few are still at SRI: NEUMANN@SRI-KA, GARVEY@SRI-KL, MABREY@SRI-KL, WALDINGER@SRI-KL and some of whom are retired: ENGELBART@SRI-KL, NIELSON@SRI-KL, GOLDBERG@SRI-KL (I am always amused when some of these old ARPANET addresses show up in today’s incarnations of spam.)

Also somewhat before Mike’s time, Geoff Goodfellow, Eric Kunzelman, Dan Lynch, and many others at SRI were instrumental in the evolution of the ARPANET.

Also included in the enormous enumerated TO: list (historically interesting in itself by not having been suppressed!) are Bill English (who was the catalyst for much of Doug Engelbart’s innovations being transitioned from SRI to PARC), Dave Farber, Irv Jacobs, Bob Metcalfe, Jon Postel (who by then had moved from SRI to ISI), three Sutherlands, and Lauren Weinstein, to name just a few.

Happy Birthday, Spam! Sorry I cannot wish you many happy returns.

Tags: arpanet, history, spam

Recently, more and more people have been complaining about backscatter; its levels seem to have increased over the past few weeks.

If you’re unfamiliar with the terminology — backscatter is mail you didn’t ask to receive, generated by legitimate, non-spam-sending systems in response to spam. Here are some examples, courtesy of Al Iverson:

• Misdirected bounces from spam runs, from mail servers who “accept then bounce” instead of rejecting mail during the SMTP transaction.
• Misdirected virus/worm “OMG your mail was infected!” email notifications from virus scanners.
• Misdirected “please confirm your subscription” requests from mailing lists that allow email-based signup requests.
• Out of office or vacation autoreplies and autoresponders.
• Challenge requests from “Challenge/Response” anti-spam software. Maybe C/R software works great for you, but it generates significant backscatter to people you don’t know.

It used to be OK to send some of these types of mail — but no longer. Nowadays, due to the rise in backscatter caused by spammer/malware abuse, it is no longer considered good practice to “accept then bounce” mail from an SMTP session, or in any other way respond by mail to an unauthorized address of the mail’s senders.

Backscatter as spam delivery mechanism

I would hazard a guess that this rise is due to one of the major spam-sending botnets adopting the use of “real” sender addresses rather than randomly-generated fake ones, probably in order to evade broken-by-design Sender-Address Verification filters.

There’s an alternate theory that spammers use backscatter as a means of spam delivery — intending for the mails to bounce, in effect using the bounce as the spam delivery mechanism. Symantec’s most recent “State of Spam” report in particular highlights this.

I don’t buy it, however. Compare their own example message — here’s what the mail originally sent by the spammer to the bouncer, rendered:

And here’s what it looks like once it passes through the bouncer’s mail system:

That’s simply unreadable. There’s absolutely no way for a targeted end user to read the “payload” there…

Getting rid of it

I haven’t run into this recent spike in backscatter at all, myself, since I have a working setup that deals with it. This blog post describes it. If you’re using Postfix and SpamAssassin, it would be well worth taking a look; if you’re just using SpamAssassin and not Postfix, you should still try using the Virus Bounce Ruleset to rid yourself of various forms of unwanted bounce message.

Note that you need to set the ‘whitelist_bounce_relays’ setting to use the ruleset, otherwise its rules will not fire.

SPF

There’s a theory that setting SPF records (or other sender-auth mechanisms like DomainKeys or DKIM) on your domains, will reduce the amount of backscatter sent to your domains. Again, I doubt it.

Backscatter is being sent by old, legacy mail systems. These systems aren’t configured to take SPF into account either. When they’re eventually updated, it’s likely they’ll be fixed to simply not send “accept then bounce” responses after the SMTP transaction has completed. It’s unlikely that a system will be fixed to take SPF into account, but not fixed to stop sending backscatter noise.

It’s good advice to use these records anyway, but don’t do it because you want to stop backscatter.

What about my own bounces?

You might be worried that the SpamAssassin VBounce ruleset will block bounces sent in response to your own mail. As long as the error conditions are flagged during the SMTP transaction (as they should be nowadays), and you’ve specified your own mailserver(s) in ‘whitelist_bounce_relays’, you’re fine.

Tags: anti-spam, backscatter, email, smtp, spam, spamassassin

CEAS 2008 is doing another Spam Challenge test of various spam-filters, and as part of this, they need samples of ham mail messages.

As part of the data collection effort, we have set up a website through which it is possible to donate non-sensitive legitimate email, to be used in the evaluation. Any kind of email that the recipient considers legitimate is welcome, including computer generated (non-spam) messages.

After the CEAS evaluation, the benchmark data will be made publicly available to facilitate future reasearch and development in the field of spam prevention.

Here is the collection site; they accept UNIX mbox format, and tar.gz or zip files of same, with an 8MB upload limit.

Tags: anti-spam, ceas, corpora, spam, testing

This is very bad news for North Dakota-based anti-spammers — a guy called David Ritz is being sued there by alleged porn spammer Jerry Reynolds, for performing DNS lookups, a DNS zone transfer and a Whois lookup. It appears the judge has found Ritz guilty.

This is astonishingly bad lawmaking by the judge. These are entirely innocuous tools, part of every network administrator’s toolkit for debugging and examining internet traffic legitimately. There’s nothing remotely criminal or malicious in their use, and the judge has allowed himself to be misled.

North Dakota Judge Gets it Wrong:

‘Ritz’s behavior in conducting a zone transfer was unauthorized within the meaning of the North Dakota Computer Crime Law. A zone transfer is simply asking a DNS server for all the particular public info it provides about a given domain. This is a common task performed by system administrators for many purposes. The judge is saying that DNS zone transfers are now illegal in North Dakota.’

More details from Ed Falk

David’s legal defense fund

Tags: cases, david-ritz, dns, ed-falk, fargo, law, north-dakota, spam

I just received this mail from a friend:

Dear friend

Welcome to stwoxy.com ! We are one of the largest electronic distributors and wholesalers in Beijing China. We offer qualified digital products: Motorcycles?TVs, Notebooks, phones. PSP, projectors, GPS, DVD, DV, DC, MP3/4 and so on, which are of world famous brands, such as Sony, IBM, PHILIPS, NOKIA, DELL and so on. All our items are brand new from the manufactures and they come with 1-3 years’ after service. These days we are expanding our overseas market, and every item is sold in extremely low price. Such chances should never be missed, ladies and gentlemen, do come to stwoxy.com! you will surely have a big surprise! We are looking forward to hearing from you!

It was sent from a HTTP connection into GMail, and was delivered from there using valid DKIM, Domain Keys and SPF signatures. In addition, it was sent to all the addresses in his address book. In other words, this was no run-of-the-mill impersonation spam — for this one, the spammer obtained my friend’s username and password somehow, logged into GMail, scraped the address book, and then sent spam via GMail that way.

My friend says he didn’t access GMail using a desktop mail client, but did have his Google password saved in his web browser (a pretty typical configuration). My theory is that some virus/malware has infected his desktop machine, captured the saved-passwords file from the web browser configuration, and used that to log into GMail. Alternatively, it could also be a guessable username and password which was picked up via dictionary attack, I guess…

This is the first case I’ve heard of where spammers are actively stealing user account authentication tokens, in order to take over the accounts for spamming. (We’d long predicted it, of course, since it’s a natural response to “pay for mail” schemes… but since there’s no widely-used pay-for-mail system available yet, it’s premature!)

It seems this is not just a GMail thing, btw. Here’s a report of the same thing happening to some French guy via HotMail last month (or in english). I don’t speak Dutch, but this forum post looks like it might be the same situation.

If you’re curious, here’s a copy of the spam, delivered to a Yahoo! group; it appears these spammers aren’t too sophisticated in terms of the text they’re sending, since they haven’t morphed that text, HTML, or even the domain in the link yet. It’s just the malware that’s sophisticated, at this stage.

Tags: accounts, gmail, hotmail, malware, passwords, spam, yahoo

According to this Wired story, Google reckons spammers are giving up on spam:

a remarkable trend is underfoot, according to Brad Taylor, a staff software engineer at Google: The number of spam attempts — that is, the number of junk messages sent out by spammers — is flat, and may even be declining for the first time in years.

Actually, this is a wilful misunderstanding of what the Googler in question really said, which was that ‘attempts to spam Gmail users have been leveling off over the last year and more recently, even declining slightly’. In other words, they didn’t make an observation about the state of the spam problem on an internet-wide basis — just about the “local” situation as it pertains to Gmail. Bad reporting there, Wired.

But, in passing…

David Berlind at ZDNet recently blogged a rather grumpy response to InfoWorld coverage of CEAS 2007. He raised a very important point:

If I could say something to the author of that story, it would be that so long as any anti-spam solution is not deployed universally throughout the Internet’s e-mail system (in other words, so long as some anti-spam tech is not a standard), that anti-spam solution actually makes the spam problem worse. You read that right. Worse. Proprietary anti-spam solutions make the global spam problem worse. They are digging us deeper into the hole that the Internet is already in because everyone who makes those solutions is under the false belief that “s/he who is finally successful at filtering out all spam while allowing the legitimate mail in wins.”

Google’s blog post is a case in point: ‘we’re keeping more spam out of your inbox than ever before, so more and more, you can use Gmail for things you enjoy without even realizing that the spam filter is there most of the time.’

That’s great — but it doesn’t help anyone except Gmail. It’s a myopic view of the spam problem, and David’s point stands.

(I disagree with his later conclusion that the only way forward is for Google, MS, AOL and Yahoo! to get together and ‘commit to jointly supporting the same technical solutions’ — when the usual BigCos get together, they tend to focus on their own priorities. Take what happened back in 2005 with nofollow for blog-spam — while it helped the search giants with their own overriding priority, which was to tweak their algorithms to filter out the spam on the search results page, it did nothing to slow the spam flood itself, which has continued unabated.)

We need more open-source, and open-data, anti-spam work.

Tags: anti-spam, aol, ceas, david-berlind, filtering, google, microsoft, nofollow, spam, wired, yahoo

Remember the ‘Russian ‘make penis fast’ spammer murdered’ fake blog posting I wrote about last month? I was right — the site has now become a spammer link farm.

There’s now a new category in the right-hand sidebar of the fake blog post. See if you can spot the odd one out:

• Programming
• Personal
• Web 2.0
• Python
• Penis exercises
• Uncategorized

Sure enough, “Penis exercises” is the only valid outlink from the page (all the others lead to the ’sorry, closed due to too much traffic’ page). It leads to a page discussing the usual ‘make penis fast’ topics, with a batch more links to more pages along the same lines. If you follow the links a little, the whole thing appears to be hawking some device called “Size Genetics”. Totally spammy.

Tags: loonov, make-penis-fast, scams, size-genetics, spam

A US presidential candidate called Ron Paul has been advertised in spam. There’s currently a massive shitstorm raging about the true source of the spam — it was delivered via an infected consumer broadband machine, so the source is of course untraceable from the email alone.

Of course, being spam, I received a copy ;) Here’s a spample, if you’re curious.

The unusual “Content-Type” header format (matching the STOX_REPLY_TYPE SpamAssassin rule) has been seen in a lot of pump-and-dump stock spam recently. (It’s also shown up in Storm output, but this isn’t from Storm.) It’s been around for at least 6 months, so it’s probably a built-in behaviour of a downloaded spamware app, rather than a frequently-updated web-hosted spamware site.

My guess — I’d say the spam was sent using the same spamware application that one of the larger, recent pump-and-dump spammers has been using — so a reasonably sophisticated app, and not just an ancient copy of DarkMailer or whatever.

It’ll be interesting to see how this pans out…

Tags: ron-paul, spam, us-politics

Update: yep, it’s spam.

Earlier today, Digg and Reddit featured this story:

Alexey Tolstokozhev (btw, in Russian his name means ‘Thick Skin’), a Russian spammer, found murdered in his luxury house near Moscow. He has been shot several times with one bullet stuck in his head. According to authorities, this last head shot is a clear mark of russian hit men (known as “killers” in Russia).

Since then, it’s received plenty of attention — I even posted it to my link blog myself. Unfortunately, I’m now certain it’s a fake. (Igor at the McAfee AVERT blog concurs.)

Here are my reasons:

• There are still no corroborating stories in the press, several hours later;

• ‘Alexey Tolstokozhev’ doesn’t appear in ROKSO, or even Google;

• The entire site claims to have been shut down due to load, all except for that one page — there isn’t a single link that can be reached that works;

• Indeed, Google has no other pages indexed on that site, which is pretty odd for a weblog;

• And most fishy of all, the domain was registered yesterday, using a privacy-protection service, on Estdomains (which has a poor reputation).

All very fishy. My guess is that in a week’s time, that page will be a linkfarm, picking up all that Google juice for free. In other words, loonov.com is a spam site…

Update: Greetings, Slashdot comment readers! Hopefully that uncritical article (which was posted after this one) will be fixed to note the hoax soon…

Other voices have since added their agreement — Alex Eckelberry at Sunbelt software added his a few minutes after I posted this, and the Register wrote an article this morning about it.

(BTW, just to save some face — I’d like to note that I smelled a rat at the time I posted it initially, qualifying the link with a sceptical ‘hmm’. I’m not that gullible ;)

Update 2: the /. story was fixed by Zonk: ‘Good story. Unfortunately, probably a fake.’

Tags: doh, hoaxed, hoaxes, loonov, spam

This study of the Storm worm (via) contains this rather terrifying factoid:

Figure 12 illustrates a time-volume graph of TCP packets, SMTP packets, spam messages, and smtp servers. Our analysis of this graph reveals the following findings. First, we find that except for the first 5 minutes almost all the TCP communication is dominated by spam. Second, we measured that hosts generate on average of 100 successful spam messages per five minutes, which translates to 1200 spam messages per hour or 28,800 messages per day. If we mutiply this by the estimated size for the Storm network (which we suspect varies between 1 million and 5 million, we derive that the total number of spam messages that could be generated by Storm is somewhere between 28 billion and 140 billon per day.

While such numbers might be mind-boggling they are inline with observed spam volumes in the Internet, e.g., overall volume of spam messages in the Internet per day in 2006 was estimated to be around 140 billion [2]; Spamhaus claims to have been blocking over 50 billion spam messages per day in October 2006 [10], and AOL was blocking 1.5 billion spam messages per day in its network in June 2006 [5]. These numbers suggest that Storm could be responsible for anywhere between 17% and 50% of all spam that is generated on the Internet.

28 to 140 billion messages per day. That is a lot of spam.

Minor nitpick with the paper — it notes that

Storm retrieves emails found in [certain] files and gathers information about possible hosts, users, and mailing lists that are referenced in these files. In particular, it looks for strings like “yahoo.com”, “gmail.com”, “rating@”, “f-secur”, “news”, “update”, “anyone@”, “bugs@”, “contract@”, “feste”, “gold-certs@”, “help@”, “info@”, “nobody@”, “noone@”, “kasp”, “admin”, “icrosoft”, “support”, “ntivi”, “unix”, “bsd”, “linux”, “listserv”, “certific”, “sopho”, “@foo”, “@iana”, “free-av”, “@messagelab”, “winzip”, “google”, “winrar”, “samples” , “abuse”, “panda”, “cafee”, “spam”, “pgp”, “@avp.” , “noreply” , “local”, “root@”, and “postmaster@”.

I would postulate that those strings are a stoplist — that in fact the worm avoids sending spam to addresses containing those strings. The presence of “abuse” and “postmaster” in particular would suggest that.

Tags: anti-spam, malware, scary, spam, storm, worms

Back in May, I noticed some spam in my Moin Moin wiki, and fixed it.

As this Yahoo! Site Explorer view of taint.org demonstrates, Yahoo!’s search is still showing these results, partly; despite the spam content being long deleted (example ), they still show the spam title and URL, despite the fact that the title and text no longer contains those spam keywords.

Annoyingly, I’m still seeing referrer clickthroughs from search.yahoo.com to these deleted pages from lusers looking for porn, as a result. Come on Yahoo!, fix your search to notice the title change at least, so people don’t think the pages still contain porn!

Tags: moin-moin, porn, search, spam, wikis, yahoo

Spamnation.info links to an interesting article by Computerworld’s Gregg Keizer about the massive PRTH.PK spam run.

As usual, there are no shortage of suckers:

The spam blast did drive up Prime Time’s share price from Monday’s low of around 7 cents to Wednesday’s high of 11 cents, a 57% jump. Thursday morning, however, the bottom dropped out, and the stock fell to under 7 cents. Trading volumes peaked Wednesday as well, at around 1.7 million shares, substantially higher than any day in the month prior. “You can actually see the wave of activity in the stock and compare it with the volume of spam that we trapped,” said [Sophos analyst Ron] O’Brien.

But here’s an interesting new tactic by the good guys:

Last Wednesday afternoon, Prime Time announced that it was ordering a Non Objecting Beneficial Owners (NOBO) list to get a clearer picture of who owned its shares. “The NOBO list will be used to determine the naked short positions in Prime Time Group Inc.,” the company said in a statement. “The finding will then be reported to the [National Association of Securities Dealers] to take action against the violators of the naked short regulations.”

“Naked short” is a investment term that refers to selling short, essentially a bet that the price will drop, but with a twist: “naked” means that the investor sells short without first making sure he can borrow the shares from another investor holding a “long” position on the stock.

I hope this works; it’d be great to see the profit mechanism behind pump-and-dump spam killed off.

Spamnation notes:

Incidentally, the greeting card spam that built the botnet used to promote PRTH.PK and CYTV.OB also continues. It has iterated through another couple of generations: the current incarnation tells recipients to collect their custom Musical ecard or custom Movie-quality ecard or other variants on that theme. We’ve seen about 150 of these in the past three days, suggesting that the unknown senders are probably well on their way to building up another botnet for their next stock spam run.

Spreading trojans via greeting-card spam is a trademark of the gigantic Storm botnet, AFAIK: SecureWorks info, MessageLabs info, spam levels causing DDoS for Canadian networks, DDoS threat for EDU sector.

Tags: anti-spam, botnets, pump-and-dump, security, spam, stock-spam, stocks, storm

A few months back, Blogorrah noted an amazing 419 scam, claiming to be a missive from ex-Taoiseach of Ireland Charlie Haughey’s wife, Maureen. It’s really quite appropriate Charlie becoming the subject of a scam himself, given what he did to this country. But anyway… over the weekend, a new variant on the theme emerged:

From Mrs Maureen Haughey, ROI

My Dear Friend,

I am Maureen Haughey, widow of former Taoiseach of the Republic of Ireland, Charles J. Haughey and daughter of former Taoiseach of the Republic of Ireland and heir to de Valera, Sean F. Lemass.The Press has written a lot about unresolved mysteries and corruption surrounding CharlesÂ’s dealings, but I tell you something,my Charlie was a good man. He was human and he did whatever he did.

People marvel why I stuck with Charlie and didn’t speak during the mess that came with the exposure of his affairs with Terry Keane (I just hate to think of her). I had to stand by him through the tribunal times…. it was to do with what I’m doing now. No one knew the details of all Charlie’s financial dealings but me. I remain the only one who knows all who got loans from Charlie and didn’t come back to pay when he was disgraced. I am the only one who knows about these monies and the other Ansbacher accounts.

I write to you, an old weary woman, sick and almost tired of living. My end is near but I will not depart until my final mission is accomplished and I also write this with an unshaken belief in the power of aspirations and dreams of a human being. The Irish government thinks it can shave and reduce me to a poor widow but I have the winning ace. A few years ago, when we werenÂ’t sure if my Charlie would be convicted, he kept some money in trust for me in a Security and Finance company. He did not open the account in our names so it will not be traced to us to enable the past remain the past. The name on the account is Cedric de Vregille. I never thought Charlie would leave me so soon and it never occurred to me to ask if this name were fictitious or not or a name of any of his friends. I have tried to find this man but to no avail. The amount he deposited in this name is 30,000,000 (Thirty Million Euros).

I want an honest person to come forward and lay claims to this amount, moreover to use the funds as instructed by me. I have all the documents needed, I just need a face for the name. I have mapped out 30% of the funds for you, as you will help us (you and I) execute this job.

As soon as I receive your acceptance for this work I shall give you necessary details of my solicitor who will facilitate the release of the funds in your name. Please reply me via my personal email: maureen_haughey67@yahoo.co.uk

---

For my security and the sake of letting sleeping dogs lie, I strongly advice that you keep our dealings confidential. You can read more about my charlie from:

http://www.ireland.com/focus/haughey/ITstories/story11.htm

http://www.teachersparadise.com/ency/en/wikipedia/c/ch/charles_haughey.html

http://www.everything2.com/index.pl?node_id=548983&lastnode_id=0

Thank You.

---

Message sent using UebiMiau 2.7.2

It was sent via a webmail system at nildram.co.uk, from a proxy in Australia.

The writing is amazingly ornate — ‘I write to you, an old weary woman, sick and almost tired of living’, ‘the Irish government thinks it can shave and reduce me to a poor widow but I have the winning ace’, etc. Very odd stuff. Also, it looks spell-checked. And, once again, poor old cyclist Cedric de Vregille gets dragged into it, too! I wonder what he did to deserve that ;)

If you fancy scambaiting, ‘maureen_haughey67@yahoo.co.uk’ is the one to go for. These guys seem to be having a good go of it — ‘The thought of the Irish government trying to shave an old woman has shocked and appauled me, so I will assist in anyway possible.’ ha!

Tags: 419, advance-fee-fraud, charlie-haughey, fraud, ireland, nigerian-scam, scams, spam

The Register is reporting that ‘Nigerian comedian and actor Nkem Owoh’ has been arrested in Amsterdam as a suspected 419 scammer:

Nigerian comedian and actor Nkem Owoh was one of the 111 suspected 419 scammers arrested in Amsterdam recently as part of a seven month investigation, dubbed Operation Apollo.

Owoh became a well known star within the Nigerian film industry, sometimes colloquially known as Nollywood because of its trite plots, poor dialogue, terrible sound, and low production standards.

Owoh starred in the 2003 film Osuofia, and a year later was one of several actors temporarily banned from appearing in movies by Nigeria’s Association of Movie Marketers and Producers because he demanded excessive fees and unreasonable contract demands.

Owoh became internationally known for his song “I Go Chop Your Dollar”, the anthem for 419 scammers (”Oyinbo man I go chop your dollar, I go take your money and disappear / 419 is just a game, you are the loser, I am the winner”, full lyrics here), which was banned in Nigeria after many complaints.

The song was the title track from the comedy, “The Master”, starring Owoh as a scheming 419er.

The alleged scammers are suspected of running a series of lottery-based (AKA 419-lite) scams.

Here’s the video for “I Go Chop Your Dollar”.

It’s not exactly cut and dried, though. This thread suggests that he wasn’t arrested for fraud; instead that the Dutch authorities detained pretty much everyone at his concert. This article suggests similar:

The Netherlands police were said to have stormed the venue of the show in a helicopter about 2a.m and arrested practically everybody at the venue. [...]

“Over 200 of them (Nigerians) were arrested that night. It was a big haul; they came with helicopter and cars and circled the whole area. As I speak with you, over 70 of those apprehended that night have been deported for possession of expired or fake immigration papers.

“Osuofia was also whisked away but was released hours after,” the source said.

Update: It appears Osuofia was not arrested after all; lots more details here.

Tags: 419, amsterdam, holland, nkem-owoh, scams, spam, the-register

After lolcats and lolbots, it appears we now have lolspam, via kris:

Tags: funny, lolcats, lolspam, spam

Here’s a new trick used by the web spammers — attachments on a Moin Moin wiki. The taint.org/wk RecentChanges list illustrates it well:

2007-05-07  set bookmark
[UPDATED]       UserPreferences         04:17   Info    ?StepStep [1-21]

  #01 Upload of attachment 'big-cocks.html'.
  #02 Upload of attachment 'big-cock.html'.
  #03 Upload of attachment 'big-boobs.html'.
  #04 Upload of attachment 'big-ass.html'.
  #05 Upload of attachment 'bdsm.html'.
  #06 Upload of attachment 'bbw.html'.
  #07 Upload of attachment 'bang-bros.html'.
  #08 Upload of attachment 'bangbros.html'.
  #09 Upload of attachment 'baby.html'.
  #10 Upload of attachment 'asian-porn.html'.
  #11 Upload of attachment 'asian-girls.html'.
  #12 Upload of attachment 'anime-porn.html'.
  #13 Upload of attachment 'anime-girls.html'.
  #14 Upload of attachment 'angelina-jolie.html '.
  #15 Upload of attachment 'amature.html'.
  #16 Upload of attachment 'amatuer.html'.
  #17 Upload of attachment 'adult-videos.html'.
  #18 Upload of attachment 'adult-stories.html' .
  #19 Upload of attachment 'adult-games.html'.
  #20 Upload of attachment '69.html'.
  #21 Upload of attachment '3d.html'.

Great. Lots of spam. This first started appearing on Feb 27 2007, in a multi-upload attack on a single page (”FindPage”), from IP address 212.26.129.162; then reoccurred on Apr 27 and May 7 from the (insecure open proxy) proxy.drevlanka.ru.

Annoyingly my “subscribe to wiki changes” patch doesn’t catch this – these aren’t gatewayed through as “changes” via mail for review. I need to fix that in my copious free time. :(

Also, the RecentChanges RSS feed doesn’t list them, although the HTML form does.

So unfortunately, the only way I can see to block this is either to review by visiting the RecentChanges page in a web browser regularly (how retro!), and delete them retrospectively, or simply to turn off attachments entirely – which is what I’ve done, by editing “wikiconfig.py” and adding:

    actions_excluded = ['AttachFile']

It looks like quite a few other wikis around the web are running into the issue too :(

Tags: anti-spam, attachments, moin, moin-moin, spam, web, wiki

Both Jeremy Zawodny and Dale Dougherty at O’Reilly Radar are expressing some pretty serious frustration with the current state of SMTP. I have to say, I’ve been feeling it too.

A couple of months back, our little server came under massive load; this had happened before, and normally in those situations it was a joe-job attack. Switching off all filtering and just collecting the targeted domain’s mail in a buffer for later processing would work to ameliorate the problem, by allowing the load to “drain”. Not this time, though.

Instead, when I turned off the filtering, the load was still too high — the massive volume of spam (and spam blowback / backscatter) was simply too much for the Postfix MTA. The MTA could not handle all the connections and SMTP traffic in time to simply collect all the data and store it in a file!

Looking into the “attack” afterwards, once the load was back under control, it looked likely that it wasn’t really an attack — it was just a volume spike. Massive SMTP load, caused by spammers increasing the volume of their output for no apparent reason. (Since then, spam volumes have been increasing still further on a nearly weekly basis.)

This is the effect of botnets — the amount of compromised hosts is now big enough to amplify spam attacks to server-swamping levels. Our server is not a big one, but it serves less than 50 users’ email I’d say; the user-to-CPU-power ratio is pretty good compared to most ISPs’ servers.

So here’s the thing. New SMTP-based methods of delivering nonspam email — whether based on DKIM, SPF, webs of trusted servers, or whatever — will not be able to operate if they have to compete for TCP connection slots with spammers, since spammers can now swamp the SMTP listener for port 25 with connections. In effect, spam will DDoS legitimate email, no matter what authentication system that legit mail uses to authenticate itself.

This, in my opinion, is a big problem.

What’s the fix? A “new SMTP” on a whole different port, where only authed email is permitted? How do you make that DoS-resistant? Ideas?

(Obviously, counting on spammers to notice or care is not a good approach.)

Tags: anti-spam, botnets, dos, email, filtering, security, smtp, spam

Wow, here’s a new one — and kind of appropriate, given my surname ;) Masonic spam!

To: xxxxxx at taint.org

Subject: Dear Benefactor Of 2007 Masory Grant,

From: Dr.Lavine Ferdon Ferdon

Date: Wed, 21 Feb 2007 15:40:26 +0100 (CET)

Dear Benefactor Of 2007 Masory Grant, The Freemason society of Bournemout under the jurisdiction of the all Seeing Eye, Master Nicholas Brenner has after series of secret deliberations selected you to be a beneficiary of our 2007 foundation laying grants and also an optional opening at the round table of the Freemason society. These grants are issued every year around the world in accordance with the objective of theFreemasons as stated by Thomas Paine in 1808 which is to ensure the continuous freedom of man and toenhance mans living conditions. We will also advice that these funds which amount to USD2.5million be used to better the lot of man through your own initiative and also we will go further to inform that the open slot to become a Freemason is optional, you can decline the offer. In order to claim your grant, contact the Grand Lodge Office co-secretary Dr.Lavine Ferdon Ferdon Grand Lodge Office Co-Secretary’s email: (lavin_ferd_law at excite.com)

Dr.Lavine Ferdon Ferdon,

Co-Secretary Freemason Society of Holdenhurst Road,

Bournemouth.

Sir David Hurley,

Secretary Freemason Society of Holdenhurst Road,

Brilliant. But why Bournemouth?

Tags: 419, bournemouth, freemasons, funny, mail, scams, spam

Apparently, Wikipedia has (possibly temporarily) decided to re-add the rel=”nofollow” attribute to outbound links from their encyclopedia pages.

There’s been a lot of heat and light generated about this, most missing one thing: there’s no reason why Google needs to pay attention.

Google, or any other search engine, can treat links in the Wikipedia pages any way they like — including ignoring ‘nofollow’, applying extra anti-spam heuristics of their own, or even trusting the links more highly.

‘Nofollow’ has had pretty much no effect on web-spam, and now is generally festooned all over weblog posts across the internet, both spammed and non-spammed posts, at that. It’d be interesting to see if it’s yet flipped to mean a higher correlation with nonspam than spam content…

Update: It appears Wikipedia used ‘nofollow’ before, so this is not exactly new, either.

Tags: anti-spam, google, nofollow, spam, web, wikipedia

Remember SpamArchive.org, the site that allowed random Internet users to upload their spam? It was set up back in 2002 by CipherTrust, one of the commercial anti-spam vendors, to offer a large, ’standard’ database of known spam to be used for testing, developing, and benchmarking anti-spam tools, and for anti-spam researchers. It got a bit of coverage at Slashdot and Wired News at the time.

It never really was too useful for its supposed purposes, though, at least for us in SpamAssassin, since:

1. it collected submissions from random internet users, without vetting, and therefore couldn’t be guaranteed to be 100% valid;

2. it ‘anonymized’ the headers too much for the spam to be useful in testing a filter like SpamAssassin, which requires correct header data for valid results;

3. collecting spam has never been a problem; avoiding it is ;)

Anyway, looks like Ciphertrust/Secure Computing have since lost interest, since they’ve allowed the domain to lapse. It has instead been picked up by a domain speculator:

Domain ID:D134033677-LROR
Domain Name:SPAMARCHIVE.ORG
Created On:30-Nov-2006 18:52:13 UTC
Last Updated On:01-Dec-2006 12:42:26 UTC
Expiration Date:30-Nov-2007 18:52:13 UTC
Sponsoring Registrar:PSI-USA, Inc. dba Domain Robot (R68-LROR)
Status:TRANSFER PROHIBITED
Registrant ID:ABM-9376887
Registrant Name:Robert Farris
Registrant Organization:Virtual Clicks
Registrant Street1:P.O. Box 232471
Registrant Street2:
Registrant Street3:
Registrant City:San Diego
Registrant State/Province:US
Registrant Postal Code:92023
Registrant Country:US
Registrant Phone:+1.7205968887
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:domain_whois@virtualclicks.com
Name Server:NS1.DIGITAL-DNS-SERVER.COM
Name Server:NS2.DIGITAL-DNS-SERVER.COM

A visit to http://www.spamarchive.org/ now reveals a parking page, which grabs the browser window, forces it to front, maximises it, attempts to bookmark it, add it to the Firefox sidebar — and who knows what else ;)

Tags: anti-spam, ciphertrust, domains, spam, spamarchive

There’s a common misconception about spam, email, and email authentication; Matt Cutts has been the most recent promulgator, asking ‘Where’s my authenticated email?’, in which various members of the comment thread consider this as an anti-spam question.

Here’s the thing — email these days is authenticated. If you send a mail from GMail, it’ll be authenticated using both SPF and DomainKeys. However, this alone will not help in the fight against spam.

Put simply — knowing that a mail was sent by ‘jm3485 at massiveisp.net’, is not much better than knowing that it was sent by IP address 192.122.3.45, unless you know that you can trust ‘jm3485 at massiveisp.net’, too. Spammers can (and do) authenticate themselves.

Authentication is just a step along the road to reputation and accreditation, as Eric Allman notes:

Reputation is a critical part of an overall anti-spam, anti-phishing system but is intentionally outside the purview of the DKIM base specification because how you do reputation is fundamentally orthogonal to how you do authentication.

Conceptually, once you have established an identity of an accountable entity associated with a message you can start to apply a new class of identity-based algorithms, notably reputation. … In the longer term reputation is likely to be based on community collaboration or third party accreditation.

As he says, in the long term, several vendors (such as Return Path and Habeas) are planning to act as accreditation bureaus and reputation databases, undoubtedly using these standards as a basis. Doubtless Spamhaus have similar plans, although they’ve not mentioned it.

But there’s no need to wait — in the short term, users of SpamAssassin and similar anti-spam systems can run their own personal accreditation list, by whitelisting frequent correspondents based on their DomainKeys/DKIM/SPF records, using whitelist_from_spf, whitelist_from_dkim, and whitelist_from_dk.

Hopefully more ISPs and companies will deploy outbound SPF, DK and DKIM as time goes on, making this easier. All three technologies are useful for this purpose (although I prefer DKIM, if pushed to it ;).

It’s worth noting that the upcoming SpamAssassin 3.2.0 can be set up to run these checks upfront, “short-circuiting” mail from known-good sources with valid SPF/DK/DKIM records, so that it isn’t put through the lengthy scanning process.

That’s not to say Matt doesn’t have a point, though. There are questions about deployment — why can’t I already run “apt-get install postfix-dkim-outbound-signer” to get all my outbound mail transparently signed using DKIM signatures? Why isn’t DKIM signing commonplace by now?

Tags: accreditation, anti-spam, authentication, dkim, domainkeys, email, habeas, reputation, return-path, smtp, spam, spamhaus, spf

Via Steve Champeon’s daily links, the following spam-in-the-news stories illustrate a rising trend:

• Spam causing email delays: NZ Telecom

Huge amounts of spam are said to be responsible for delays in the email network of NZ ISP Xtra.

Several customers have vented their frustrations on an Xtra website message board saying some emails were days late, The New Zealand Herald reports.

… Record volumes of spam meant such problems would be “an unfortunate and on-going reality of the internet not specific to any provider”, he said.

Mr Bowler said Telecom had invested “tens of millions of dollars” in email and anti-spam software and worked closely with two of the world’s leading anti-spam vendors.

• Holiday spam turns e-mail to snail mail for states schools

Holiday spam e-mails are to blame for slowing message delivery to faculty and staff in schools across Kentucky …

• Channel Register: 123-Reg says sorry

“Some 123-reg customers may have experienced intermittent delays in their emails in the last two weeks. We had received a particularly high level of image-based spam attacks over a short period of time,” the Pipex subsidiary said.

• Xtra faces lawsuits over email delays

Small businesses are threatening legal action over continuing glitches with Xtra’s email service and the Consumers’ Institute says they may have a case.

Several people have contacted the Herald complaining that delays and non-deliveries of emails over the past three weeks on the Xtra network are severely affecting their businesses. …

The institute’s David Russell said home users could claim compensation for email delays if they had suffered “a real measurable loss”.

Non-commercial customers were covered by the Consumer Guarantees Act and services they paid for had to be of a “reasonable quality”.

Although it might be more difficult for small business owners, they could also have a case, Mr Russell said. “If there has been a considerable amount of money, they could consider legal action or, if the amount was smaller, they could go through the disputes tribunal.”

In other words, the DDOS-like elements of the spam problem are becoming an increasing worry; even with working spam filtering in place, the record size of zombie botnets means that spammers can now destroy organisations’ computing infrastructure, almost accidentally.

Spammers don’t care if an organisation’s infrastructure collapses while they’re sending their spam to it — they just want to maximise exposure of their spam, by any means necessary. If that requires knocking a company off the air entirely for a while, so be it.

I’m not sure what can be done about this, in terms of filtering. It may finally be time to fall back to a “side channel” of trusted, authenticated SMTP peers, and leave the spam-filled world of random email from people and organisations you don’t know to one side, as a lower-priority system which can (and will, frequently) collapse, without affecting the ‘important’ stuff. What a mess. :(

Alternatively, maybe it’s time for governments to start putting serious money into botnet-spam-related arrests and prosecution.

This has additional issues for ISPs, too, btw — I wonder if Earthlink are taking note of that Xtra lawsuit story above….

Tags: anti-spam, botnets, ddos, delays, filtering, security, spam

Yay! Kudos to Richi Jennings, who’s been trumpeting the dangers of backscatter to InformationWeek recently. It’s a great article. I particularly like how it digs up this impressively off-the-mark quote:

Tal Golan, CTO, president, and founder of Sendio, maker of a challenge/response e-mail appliance used by more than 150 enterprise consumers, disagrees strongly with Jennings’s assertion that challenge-based filtering has problems. “Without question, the benefit to the whole community at large drastically outweighs that FUD [fear, uncertainty, and doubt] that’s out there in the marketplace that somehow challenge/response makes the problem worse,” he says. “The real issue is that filters don’t work. From our perspective, challenge/response is the only solution. This whole concept of backscatter is just not true. Very, very rarely do spammers forge the e-mail addresses of legitimate companies anymore.”

hahahaha. Well, since last Thursday, “very very rarely” translates as “214 MB of backscatter in my inbox”. The facts aren’t on Tal Golan’s side here…

(PS: SpamAssassin 3.2.0 will include backscatter detection.)

Tags: anti-spam, backscatter, bounces, challenge-response, filtering, funny, richi-jennings, sendio, spam