Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« January 2007 | Main | March 2007 »

February 27, 2007

99% = 100% (?) Permalink

A Google ad appeared at the top of one of my online spam investigation resources today. The ad is for what I believe a server-side spam blocking service or product. The headline for the ad reads:

We Did It - No More Spam

But then the next line reads:

Block 99% spam everyday, or get your money back.

Call me old fashioned, but when I hear "no more," I think it means "no more," as in zip, nada, zilch. I don't have any elementary school arithmetic texts here to verify this, but I'd wager a sprinkled chocolate donut that blocking 99% of spam is not the same as blocking 100% of spam. There is also no mention in the ad about how much ham (good email) gets sidelined in the process.

Don't get me wrong, I'm a huge advocate for blocking spam at the server. But let's be realistic about the headline claims, please.

Posted on February 27, 2007 at 08:50 AM

February 25, 2007

Stock and Medz Spammers Try New Images Permalink

There has been a lot of discussion among spam fighters about the uptick in the last several months of spam messages consisting of nothing but attached images. Sometimes the images are accompanied by real text extracted from public domain literature or web pages. The text, which avoids spammy words and phrases, is intended to get past content-sniffing filtering, such as Bayesian filters common to a lot of anti-spam products and services (it's too easy to filter all messages that have nothing but an image).

The content of an image, however, is more difficult for spam filters to identify. About the middle of last year, stock spammers (followed closely by prescription medz spammers) started blending their text-in-graphic images with a background whose little specks and dots could be changed almost at random without interfering with the text. Two image spam messages originating from the same bot-infested PC could have the same text in the image, but the background would be different. It would be impossible for a spam filter to predict what the "signature" of that image file could be for every potential combination.

As happens constantly in the spam wars, the spam fighters saw a mole popping up, and whacked it by incorporating optical character recognition (OCR) into their image inspection routines. Stock image spam almost always has some key words in it ("symbol", "trading", "target", etc.) that OCR could read (it's even easier for brand name medications). If the OCR software could "read" the text on the image, the spam was toast (mmmm, toasted SPAM™ sandwich).

Having found one of their mole holes blocked by a mallet, the spammers starting digging yet another hole to get through. This time, the trick is to modify the image enough so that it is hopefully still readable by humans, but not by OCR technology. Here is an example I spotted today (identifiable names/symbols intentionally smudged by me):

Image altered to block OCR

In this example, the text is rotated at an angle, causing the letters to become less distinct. There is also far more background "noise," which is (I suppose) intended to hamper OCR still further.

Several other spam images that have come by here are modified through different techniques. Sometimes the text is barely humanly readable.

Time for the spam fighting technologists to start carving yet another mallet.

Posted on February 25, 2007 at 03:11 PM

February 21, 2007

And Now, The Music Video Permalink

To celebrate the launch of my new onsite Email Safety training courses, let me share with you my latest (and, thankfully, only) music video, titled "Mister Spam Man":

Posted on February 21, 2007 at 12:59 PM
New Training Course Permalink

I'm takin' it to the streets.

I now offer an on-site email safety training course (with a more advanced course on the way) for businesses and organizations of all sizes. The first offering is intended for all email users, regardless of email experience. The Training tab leads you to more information.

Posted on February 21, 2007 at 10:46 AM

February 20, 2007

Another "Drive-By" Malware Infection Plot Permalink

From what I've seen in movies and on the local news, a "drive-by" shooting usually means that the shooter is the one doing the driving, while the victim is stationary. But in the PC malware world, a "drive-by" means that the victim does the driving—driving right into a web site that then silently loads bad, bad, bad software into the visitor's computer.

The Internet Storm Center relayed a report of email messages claiming to be news items about the Australian Prime Minister suffering a heart attack. Such an email message has a link that the recipient is meant to follow. This email attack became sufficiently widespread for the Australian Computer Emergency Response Team to issue an alert about this event.

Today, a couple of these messages found their way to my server, but with new destination URLs in Hong Kong. The domains were registered only a few days ago, and the URLs are to the root address, suggesting to me that the domains and sites were created explicitly for this attack.

If you were tricked into clicking the link and visited the site, you see the following message on the screen:

502 Service Temporarily Overloaded

Server congestion; too many connections; high traffic.

Keep trying until the page loads. This can be a common occurrence at peak news times.

Also try to shutdown your firewall and antivirus software.

It's no mistake or server overload: That is the page you were intended to see. What the casual visitor won't see is that this very page contains a Visual Basic Script (VBScript) program that loads software onto your computer. If the visitor sees the above text in his or her Internet Explorer (for Windows) browser, the script has already run. According to the AUSCERT item, most antivirus products don't yet catch the bad stuff as it is being installed. The advice on the page to try again after turning off your firewall and antivirus software is extra cruel.

I don't know how many Americans know who John Howard is (although he made the news here last week) or would care enough about the Australian Prime Minister to follow the link, but what if the item substituted George W. Bush as the heart attack victim? How many people (who love him or hate him) would rush to click on that link?

This is serious, folks. Very serious. The criminals are working faster than the Good Guys. To bridge the gap, we've got to train the world's email users not to click on links arriving in messages from unknown sources.

Posted on February 20, 2007 at 12:01 PM

February 15, 2007

[Pick Your Special Day] Greeting Scams Permalink

It seems as though every event or holiday that triggers the sending of personal greetings (especially cards and gifts) brings out the crackers who can't wait to trick you into loading all kinds of malware on your PC. St. Valentine's Day is perhaps the most pernicious because it plays on the notion that everyone fantasizes about having a secret admirer—not a stalker, per se, but someone who is too shy to come forth with his or her adoration declaration.

And so, upon receiving an email claiming to be a Valentine greeting from an unnamed admirer, recipients go love crazy to click on attachments or links that might look legitimate.

A tricky one (actually two differently-titled and originated, but otherwise identical messages) landed here today. Perhaps they were a day late for Valentine's Day, but I'm sure that won't stop the lovelorn from falling for this guy's trick. The message claims to come from American Greetings, a real company that has been making greeting cards since 1904. The two titles read:

Subject: I sent you an eCard from AmericanGreetings. Happy Valentine's Day !
Subject: Valentine's Day eCard !

The links that the recipient sees in the HTML email point to americangreetings.com, the real company's site (and, yes, they offer ecards). But the actual link address is to a domain that inserts one character in the name, and it is a .net domain. The real americangreetings.com domain was created in January of 1996; the lookalike domain was created waaaay back on Monday.

I snatched the contents of the phony page without using a browser, allowing me to see what the con is. All visitors get a message saying that they don't have the latest Flash Player installed, and they should click to download the latest. That's where the real trouble begins, especially for users of unpatched and unprotected Windows PCs, because the download isn't Flash, but a program that will soon take over your PC. Happy Bot's Day!

Our con artist took one extra step that has been used in the past (perhaps by the same jerk). Visiting the phony page sets a browser cookie that indicated you've visited the page. If you follow the link in the email message a second time, the phony page reads the cookie that shows you've already been there, and redirects you to the real americangreetings.com web site (hold your ears, or turn down your computer's sound before visiting—ugh!). You'll have a tough time finding the ecard that you're being notified about, because it doesn't exist.

If you're fortunate enough to receive a variety of genuine Valentine's Day (or Christmas, New Years, Father's Day, or Cow Appreciation Day) email greetings, it may be difficult to distinguish the fake from the legitimate. Don't be so fast with that mouse button. Your computer may not be around for the next holiday.

Posted on February 15, 2007 at 12:26 PM

February 07, 2007

Trapped in an Escher Print Permalink

I've always been fond of the mind tricks played by the works of Dutch artist Maurits Cornelius Escher. But when these fantasies transplant themselves into real life, well, that's where I draw the line.

I intended to report to the owner of a hijacked server that his server had been hijacked by a phisher. On his home page and domain record, he declared a yahoo.com email address. Because the fraudulent URL was not in the phishing message (the link led to a redirection page whose ultimate destination was the lookalike form), my message was short and sweet:

To: [hidden]@yahoo.com
Subject: Fraudulent phishing page at [hidden].net

http://[hidden].com/spacanino/admin/inc/us/webscr.php?cmd=_login-run

Please remove ASAP.

When I report a phishing hijacking to a site whose IP address or domain appears in the phishing message, I usually include a copy of the source code of the phishing message as further evidence. But that wasn't an option here.

In quick order, I get a "Returned mail" message from Yahoo with the following advisory:

<<< 554 Message not allowed - UP Email not accepted for policy reasons. Please visit http://help.yahoo.com/help/us/mail/defer/defer-04.html[120]

So, dutiful reporter that I am, I visit their page to learn more. Eventually I'm told to fill out a form they provide and include the required details to explain the situation in the hope that they'll allow the message to go through.

Fast forward one day.

Yahoo responds with the following:

Hello,

Thank you for contacting Yahoo! Customer Care.

We like to provide you with fast, efficient support. And the best way to
get straight to your issue (and to get it resolved!) is to start from a
topic in Yahoo! Mail Help that's similar to the problem you're
experiencing.

So, please take a moment to browse Yahoo! Mail Help for a question like
yours:

http://help.yahoo.com/help/us/mail/

If the answer doesn't clear up the issue, scroll to the bottom of the
page and click "Contact Us" to open a form where you can write to us
about what's going on. Please be detailed and give us as much
information as you can about your issue.

Thanks! With your help, we can get Yahoo! Mail working for you as
quickly as possible.

Thank you again for contacting Yahoo! Customer Care.

I check the link they provide, and it doesn't even go as deeply in explaining my problem as the original one I visited the previous day. In fact, this help page is more for Yahoo Mail users, not someone trying to send to them.

Here's the sequence:


  1. Observe problem

  2. Read through help docs to find form

  3. Fill out form

  4. Receive response to return to Step 2

Lather. Rinse. Repeat. Don't Stop!

UPDATE. Day Three. I thought (had hoped, actually) that this was over. But nooooo. Today I get this missive:

Thank you for contacting Yahoo! Customer Care to answer your question. A support representative will get back to you within 48 hours regarding your issue. Until then, feel free to visit our online help center at http://help.yahoo.com/ for answers if you have not already done so.

Even if I really hear from any human about my original query, it will be up to 96 hours past my original phishing report to the yahoo.com mail account holder. If Yahoo should agree to let my report pass through, my email message will look stupid. At this point, I don't want them to pass the message through. I would, however, like to find out why my simple message failed their policy test. In the meantime, I won't bother sending any email to a yahoo.com account.

Posted on February 07, 2007 at 10:23 AM