The Spam Diaries

News and musings about the fight against spam.
by Edward Falk

Sunday, April 30, 2006

Wiki spammers back, hosted by savvis.net this time.

Two days after I cleaned out the wiki that had been flooded by link spammers, the spam was back. This time, the spam was all directed to prohosting.com and redirected to a drug-peddling site called kaizen-costing.info, which is hosted by savvis.net. I have notified savvis and prohosting.com. It remains to be seen what action they take.

Google abetting typo-squatting?

The Washington Post has an article this week on the typo-squatting business.

Typo-squatting is the practice of grabbing up domain names which are likely typos of well-known domain names (as an exercise, try the URL "aoll.com"). The typo-squatters fill the web pages with advertisements. Enough people click on these ads to make the practice profitable.

In the Washington Post article, The Web's Million-Dollar Typos, it's alleged that Google makes millions of dollars by providing the advertisements used by the typo-squatters. Although Google does not allow trademark-infringing web sites in their advertising network, they allegedly do not enforce the policy as vigorously as they should.

The article includes quotes from noted internet anti-spam researcher Ben Edelman.

Friday, April 28, 2006

Alan Ralsky arrested! May rat out associates.

A wonderful piece of news just crossed my desk. Major spammer Alan Ralsky, most recently connected with convicted drug spammer Daniel Lin, is apparently in custody, and rumored to be ready to rat out his fellow spammers and the "black hat" hackers who help them.

For more details, see ValleyWag.com article Scoop: DOJ jails Spam King! Alan Ralsky might rat out a massive hacker / spammer network and InfoWorld article Hackers quaking over reported Spam King's arrest.


Wednesday, April 26, 2006

National Spam News

New anti-spam service of the week: SpamSift costs $4.95/month. Once an hour, they connect to your POP3 mailbox, test your email against their spam filter, and delete the messages judged to be spam.

Spam cripples Yahoo email: There has been discussion online about the unreliability of Yahoo's email servers. Servers are often down (or at least not answering SMTP connections), causing mail delivery attempts to be retried later. Many servers will not attempt to deliver mail more than four times, causing some email to Yahoo customers to be lost completely. Even when the email is successfully delivered, it may be after a long delay. Read more at TechWeb: Yahoo Plagued By Slow Email, Analysis Shows.

Searchenginelowdown.com predicts that Google Calendar will spawn a new form of spam. They're probably right.

Yet another anti-spam service of the week (it's been a busy week): MailFoundry is a black-box anti-spam device similar to SpamCube, which has been receiving huge amounts of press lately. MailFoundry 1150 costs $800 and bills itself as "enterprise class anti-spam performance". They claim to block 100% of known spam and viruses and to have a false positive rate of 1 in 1,000,000.

Blocking referrer spam with .htaccess. Alan Perkins created a thread in 2003 on ihelpyou.com describing referrer spam and explaining why you shouldn't export your server logs. The discussion is still going strong, and poster "Dave B" has provided a .htaccess file which will help keep referrer spammers away. The .htaccess file essentially keys on known bad user agents (bots) and domain names with spam keywords. Very well done, but like any spam filter it will require upkeep. Let's hope that someone invents a way to provide a distributed update service for the filter.

PCWorld reports that computers infected with the "Bagle" virus have begun downloading spam software from a site in Slovakia. The implication is that we can expect a new burst of zombie spam real soon now. See also the Security Pro News article.

This week's FUSSP: Useful Technology Corporation claims to have a cure for spam in the form of a new email protocol to replace SMTP. Presumably this is an email protocol with some sort of authentication. Now, don't get me wrong, I'm perfectly willing to believe that the solution to spam might indeed be found in a new email protocol, but where's the RFC? Has the IETF even heard of it?

Did I mention it's been a busy week? Here we have yet another black-box anti-spam solution of the week. This time it's the Deep Six DS200 Email SPAM Appliance. Lots of buzz phrases in this press release; I'll leave it as an exercise to the reader to try and figure out how it's supposed to work.

FTC Calls for International Anti-Spam Efforts. Didn't know if I should classify this as national or world spam news. Still, it's good to read, even if it's a little late. Maybe the FTC can join the world-wide anti-spam efforts already under way.

Doctor sued over fax spam. Plaintiff asks $10,000.

Microsoft touts Sender ID framework as solution to spam. Another email authentication scheme similar to the one mentioned above, but probably not requiring the adoption of a whole new email protocol. See also CIO Today.

Gregg Keizer of TechSearch claims that porn spam has a 5% response rate.

Sophos reports that the U.S. still generates the most spam. No surprise there.

Spam Kings author Brian McWilliams is moving on to other projects and will no longer be updating his blog. We'll miss him.

Yet Another anti-spam service of the week: LinuxForceMail 3.0 released.

MySpace being exploited by porn spammers.

Panda Software reports that zombies are now the biggest source of spam.

Tuesday, April 25, 2006

Wiki spammers back in less than 24 hours

Within 24 hours of cleaning up the wiki that had been spammed, the spammers came back and restored their spam. Let's see if I can get any action from the spammers' service providers.

So far, all of the spams have been click-throughs to findmorepill.com, which is hosted by nlayer.net.

Monday, April 24, 2006

Little bit of good news in ongoing jurisdiction hearing

As you may recall from an earlier post, Harristhal had asked the court for permission to introduce additional expert witnesses and testimony in the middle of the jurisdiction hearing. (The hearing was held in late March and was continued to early May.) This would have meant even more affidavits all around, and would have required us to get our own expert witnesses. This certainly would have resulted in further delays and further costs. As it was, we wasted a lot of time and money filing briefs back and forth over whether this should be allowed.

Harristhal's main argument was that we had "surprised" him in mid-hearing by asserting that there was no conspiracy between myself and Ritz (here's a hint, Mr. Harristhal: next time read the affidavits we file; it's what your client is supposedly paying you for). In addition, Harristhal insisted we had waived argument over conspiracy by not introducing it previously.

Friday, Judge Irby handed down two decisions:

1) Plaintiff's Memorandum request for permission to call additional witnesses on the issues of conspiracy jurisdiction is hereby DENIED.

2) Defendant, Ed Falk has not waived any defense of the issue of conspiracy jurisdiction. The Evidentiary Hearing continued to May 9, 2006, will be held in compliance with this Court's earlier Order dated March 7, 2006.

That's two more decisions in our favor. I haven't been keeping score, but I think that except for the judge's decision to allow Harristhal access to my private emails to my lawyer (from before she was my lawyer), every decision in both cases has been in our favor.


Death to wiki spammers -- the cowbirds of the web

I'm back from my brief hiatus*, and madder than I think I've been since the day I got my first email spam. This time, it's WikiSpam.

I've just spent the last couple of hours repairing a wiki that was completely trashed and vandalized by spammers.

Spammers have found yet another way to diminish the value of the internet to all of us.

The latest thing in spam is this: A spammer discovers a wiki page. They then insert a huge number of links to sites they want to promote, often inside HTML tags that make the text invisible to end-users, but presumably still visible to search engines. The process is automated, of course.

What really infuriates me is that some wiki spammers also delete the original content of the page. Just as a cowbird or cuckoo will replace the eggs of another bird with their own, these wiki spammers replace the legitimate wiki content with spam.

Recovering from this kind of spam is no longer a simple matter of editing the wiki and removing the spam. Instead, you need to go through older versions of the page until you find the undamaged content, copy it, and then go back and restore it into the current version.

What needs to be done:

I predict that this wiki vandalism will reach a crisis point before these steps are taken, but let's list them anyway.

Ideally, service providers need to crack down on their spamming customers. A single verified complaint of wiki spam should be sufficient for a customer to be permanently banned from an ISP. Of course, given the number of spam-tolerant and spam-friendly ISPs out there, we know that this won't work.

Since regulation and enforcement won't work, we must look to self-defense:

All wiki software needs to have a system of user registration and an option to only permit registered users to edit pages. The registration system needs to be something that cannot be automated.

All wiki software needs to have an easy way to revert to an earlier version of a page. I've been cleaning up a mess on TWiki today, and I have to say I'm unimpressed. Not only is there no way to simply revert to an earlier version of a page, but the history mechanism doesn't provide an easy way to see any but the most recent few revisions. It looks like MediaWiki is the most capable software in this arena.

All wiki software needs to have a configurable blocking list of domains and/or IP ranges. This should be easy to edit. Ideally, there should be a way for wiki sites to share these lists, similar to the way that MT-Blacklist allows bloggers to share a block list. In fact, simply allowing the wikis to plug into MT-Blacklist would probably do the trick.

All wiki software needs to keep a log of IP addresses from which edits are made.

All links should carry the rel="nofollow" attribute to remove the spammer's motivation.

Note: TWiki does support a Black List Plugin.

A DNS Blocklist for wikis wouldn't be a bad idea either.
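As an added example (not code from TWiki, MediaWiki or MT-Blacklist), here is a Python screen for an incoming wiki edit that applies the checks listed above: links hidden from readers, a configurable domain blocklist, and the cowbird pattern of page content replaced by links. The page HTML and the blocklist it runs on are constructed for the demonstration.

```python
# Added example (not TWiki, MediaWiki or MT-Blacklist code): screen a wiki edit
# for the link-spam patterns in the post. Sample HTML and blocklist are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that hides text from readers while leaving it visible to search engines
HIDING_STYLES = ("display:none", "visibility:hidden", "font-size:0")
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "col", "wbr"}

def domain_of(url):
    """Host of an absolute URL without a leading 'www.'; '' for relative links."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class LinkCollector(HTMLParser):
    """Collects (href, hidden) pairs and the text a reader would actually see."""
    def __init__(self):
        super().__init__()
        self.links, self._text, self._open = [], [], []
        self._hidden_depth = 0  # >0 while inside an element hidden from readers

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hiding = "hidden" in attrs or any(s in style for s in HIDING_STYLES)
        self._hidden_depth += hiding
        self._open.append((tag, hiding))
        if tag == "a" and attrs.get("href"):
            self.links.append((attrs["href"], self._hidden_depth > 0))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating sloppy nesting
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                self._hidden_depth -= sum(h for _, h in self._open[i:])
                del self._open[i:]
                break

    def handle_data(self, data):
        if self._hidden_depth == 0:
            self._text.append(data)

    @property
    def text(self):
        return " ".join("".join(self._text).split())

def analyse(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser

def review_edit(before, after, blocklist, max_new_links=5, min_kept=0.5):
    """Return the reasons an edit looks like link spam ([] when it looks clean)."""
    old, new = analyse(before), analyse(after)
    old_urls = {url for url, _ in old.links}
    added = [u for u, _ in new.links if u not in old_urls and domain_of(u)]
    hidden = [u for u, h in new.links if h]
    blocked = sorted({domain_of(u) for u, _ in new.links} & set(blocklist))
    reasons = []
    if len(added) > max_new_links:
        reasons.append(f"{len(added)} new external links")
    if hidden:
        reasons.append(f"{len(hidden)} links hidden from readers")
    if blocked:
        reasons.append("blocklisted domains: " + ", ".join(blocked))
    # The cowbird pattern: most readable text gone while the link count went up
    if len(new.text) < min_kept * len(old.text) and len(new.links) > len(old.links):
        reasons.append("original content replaced")
    return reasons

# Constructed sample: a legitimate page, then the same page after a spammer
# wiped it and dropped in hidden links (the "cowbird" edit from the post).
BEFORE = """<h1>Installing the printer driver</h1>
<p>Download the driver from the <a href="/downloads">downloads page</a> and run
the installer. See also <a href="http://www.example.org/faq">the FAQ</a>.</p>
<p>If the printer is not detected, power-cycle it and retry.</p>"""
AFTER = """<h1>Installing the printer driver</h1>
<div style="display: none">
<a href="http://cheap-pills.example.com/a">buy</a> <a href="http://cheap-pills.example.com/b">cheap</a>
<a href="http://casino.example.net/">casino</a> <a href="http://pills.example.org/">pills</a>
<a href="http://loans.example.net/">loans</a> <a href="http://watches.example.com/">watches</a>
</div>"""
BLOCKLIST = {"cheap-pills.example.com", "casino.example.net"}  # hypothetical shared list

if __name__ == "__main__":
    print(review_edit(BEFORE, AFTER, BLOCKLIST))
```

A wiki that also logs the editing IP address alongside the returned reasons has everything it needs to feed a shared blocklist of the kind the post asks for.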

Monday, April 17, 2006

Our friends at the FTC nail a couple more

The FTC has filed suit against Matthew Olson and Jennifer LeRoy for spamming and hijacking users' systems as spam vectors. They're being sued under the CAN SPAM act. See Press release for full details.

Sunday, April 16, 2006

Don't give your password to PlayBingoLive.com

Seriously folks, do I have to start taking names? Don't type your personal passwords into strange web pages.

Here's the latest one to cross my desk this week: You get an email that looks like it came from one of your friends, with the subject "Check it out". It contains a link to a web page that lets you find out who invited you. You then enter your first name, your email address at Hotmail, AOL, Yahoo!, or Gmail, and your password.

Tada! Now the phishers have — wait for it — your first name, your email address and your password. And from that, your contact list.

So now your contacts all get "Check it out" emails from you, and the circle of life is complete. And the next week, you don't know why your account was suspended for spamming.

You can see the web page in question at http://followhere01.com/go.asp if you want, just don't fill out the form and you'll be all right.

Read the touching and honest blog entry of one poor soul who fell for it.

Update: Spamhaus project has listed them:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL40489
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL40491
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL40492
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL40493
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL40494

Thursday, April 13, 2006

National Spam News

OK, boys and girls; another busy week. Are you sitting comfortably?

Last week I mentioned a security hole in Internet Explorer that allowed attackers to take control of your computer just from visiting a corrupt web site. Well, now I find that USA Today reports that the security hole is already being exploited by thieves who use it to download spyware onto your system which captures banking logins and reports them to the thieves. In other words: either stop using Internet Explorer, get it patched now, or be very, very careful which web sites you visit.

c|net and many other news sources report "Feds shut down spam ring for good". Here's the good news: The FTC and the state of California have come to an understanding in which Optin Global will agree to stop spamming and pay a fine. Here's the bad news: the fine was only $475,000 -- a slap on the wrist for a major spammer and we only have their promise to stop spamming. Supposedly the fine jumps to $2.4 million if it's discovered that Optin Global lied about their assets.

Here's a bit of good news: Australian court order in Wayne Mansfield case. Executive summary: it looks like Mansfield has been found guilty under the Spam Act and will be paying some fines.

Spam is on the rise. At least so says Symantec.

But phishing attacks and porn spam are decreasing. This from IT Backbones.

But child porn spam increases. According to Sophos.

Monday, April 10, 2006

Broward County, Florida publishes personal information on internet

Computerworld reports that Broward County, FL has published many thousands of public documents onto the web. The documents include personal information such as bank account or social security numbers, so this information is now available to identity thieves. Among other things, this means we can now look forward to some highly-personalized phishing spam.

For the full story, read Florida county posts residents' sensitive data on public Web site.

SEC slaps pump-n-dump spammers.

The SEC is taking action against pump-n-dump spammers Faisal Zafar and Sameer Thawani. Zafar and Thawani had customized their scams to take advantage of public fears over issues such as terrorism and bird flu. They were able to make over $873,000 in the scam.

The SEC announced a few days ago that they'd issued a temporary restraining order and froze the defendants' assets.

See press release: SEC Files Emergency Action to Stop Ongoing Microcap Stock Fraud; 2006-50; Apr. 6, 2006

World Spam News

As I wrote before, it's been a very busy week in the spam world, and I've fallen a bit behind. Here's the World Spam news:

The cell phone spam problem in Korea has gotten just a little bit worse. Korea Times reports that cell phone spam is hawking phone-specific porn sites that charge prohibitively* high fees. Personally, I don't have a lot of sympathy for people who respond to spam and get burned; they're a big part of the problem in the first place. For the full story, see Novel Spam Hits Mobile Phones.

And speaking of novels, Web User News reports that Mikhail Bulgakov's book The Master and Margarita is being used as the hash buster in the latest round of penis spam. The actual spam payload is in the form of an embedded image. See article Russian novel used in sex drug spam.

Along similar lines, Techtree.com reports that the BBC home page has been page-jacked by spammers. Victims receive an abstract of a BBC article. The "Read More" link takes the victim to a real-looking copy of a BBC web page. The fake web page then exploits a security hole in Internet Explorer. Read BBC Being Used to Exploit IE flaw for more. What, are you still using Internet Explorer? What did I tell you about that? Now go wash your hands.

Spam Daily News reports: Four indicted in Nigerian email scam.

And even better, Sophos reports that a German-Lithuanian gang of would-be phishers were busted by German police before they even got started. The phishers were planning to launch an attack involving traditional social engineering and trojan horses. The article does not detail how the police found out about the operation before it even began, but perhaps they were tipped off by the fake bank accounts opened by the phishers. Read International phishing gang busted by police for the full story.

China seems to be making good on its promise to do something about the spam problem. China Tech News reports that Chongqing Telecom says it will cut off network access to spammers. See Chongqing Telecom Takes Measures Against Email Spam.

Barracuda Spam Firewall Remote Compromise

This came in a few days ago: a way was discovered to break into a Barracuda Spam Firewall (another black-box spam filter product). The exploit involves building a specially-crafted ZOO* archive and mailing it to any system inside the firewall. When the Barracuda Spam Firewall sees the ZOO archive, it opens it to scan for viruses. The ZOO archive contains long filenames which trigger a classic buffer overflow bug.

The advisory does not say that the exploit has actually been seen in the wild, but a proof of concept test has been constructed.

Owners of this firewall should upgrade to firmware version 3.3.03.022.

For more information, see the advisory or It Observer article Barracuda Spam Firewall Remote Compromise.

Sunday, April 09, 2006

97% of email is spam?

From a private discussion among system administrators and spam fighters: Anti-spam filters are causing on the order of 97% of incoming email to be rejected as spam. Other admins are reporting similar results.

Sample results (rejections by reason, with each reason's share of all rejections):

Reason             Count   % of rejected
Failed_Rcptto    6221280   79.23
spamhaus          722754    9.2
njabl             337640    4.3
smtp-delay        177016    2.25
rDNS               72675    0.93
DNS_MF             50419    0.64
bhnc.njabl          9831    0.13
Bad_Helo            9682    0.12
Invalid_Relay       2667    0.03
Virus_Infected       924    0.01

Total rejected   7851995
Accepted          247107
Reject %           96.95

My correspondent tells me that a great deal of the Failed_Rcptto (undeliverable address) traffic is caused by a relative handful of poorly behaved systems repeatedly retrying delivery. The worst of these appears to be trying about 6 times per second to deliver a message to one non-existent user.

Ignoring the Failed_Rcpttos, they'd still be rejecting 84% of mail as spam.

What results are you getting?

Friday, April 07, 2006

FCC clarifies junk fax law

Worst news I've seen all week. Slashdot reports that the FCC has gutted the junk fax law. In particular, junk faxers can claim a pre-existing business relationship with you if they've visited your web site, and if you've ever posted your fax number on the internet, you can no longer sue the faxers as that would have been entrapment. For the full story with links, see FCC Opens Flood Gates for Junk Faxes.

Update: I've received clarification, and it seems that Slashdot got some of the details wrong. In particular, the FCC ruling does not count a web page visit as establishing a business relationship, nor does it allow you to send junk fax to a phone number just because you found it on a web page. What the rule does say is that if you already have a business relationship, then you may send faxes to a number you discover on a web page. The actual FCC documents are here and here.

Thursday, April 06, 2006

Yahoo! and click fraud

eWeek reports that anti-spyware activist Ben Edelman has published a report on how spyware is used to commit click fraud.

In August, Edelman issued a report entitled How Yahoo Funds Spyware. In this report, Edelman described how Yahoo!'s advertising partners made deals with Claria and other spyware vendors to show Yahoo! advertisements. Connections were also made to eXact, Direct Revenue, 180solutions, and other adware vendors.

In March, I wrote an article about how networks of advertising affiliates can make it very difficult to track adware to the advertisers. It's entirely possible that Yahoo! did not know they were dealing with spyware vendors in August, although they surely know it now.

However, I find it especially disturbing to know that Yahoo! is now forming a partnership with Claria.

In Tuesday's report, Edelman reports that the Yahoo!-spyware connection has grown worse, not better. Furthermore, Yahoo!-sponsored spyware is now committing click fraud as well. 180solutions, Nbcsearch, eXact Advertising, Look2me, improvingyourlooks.com, and Ditto.com were named as dirty vendors.

Spyware even modifies the contents of third-party web pages when viewed on infected systems. The modifications insert hyperlinks where no such links existed before.

Similar problems were found with Google, although mostly involving bad syndication and not so much click fraud. Edelman plans to release a later report on Google.

Considering that Google recently paid $90 million to settle a click fraud lawsuit, I can only imagine the legal grief Yahoo! could be facing.

Wednesday, April 05, 2006

National Spam News

Wow; it's been a very busy week.

A law in Georgia which would have established a do-not-email list for children has joined similar laws in Connecticut, Iowa, Wisconsin, Illinois, and Hawaii in limbo. This is partly thanks to the Email Sender and Provider Coalition's lobbying efforts. See DirectMag.com article Exclusive: State Kids’ No E-Mail Bills Dead. I have mixed feelings about this one; a no-spam list for children sounds like a good idea, but has at least one obvious flaw, and the laws as written were further flawed.

More lawsuits for spyware company Direct Revenue. Spyware Warrior reports that multiple plaintiffs have filed a lawsuit against Direct Revenue.

And since it seems to be Spyware Week here on the ol' internet, there's an interesting interview with a former 180solutions employee that's worth a read. It's about what you'd expect: the employees managed to blind themselves to what they were doing or even convince themselves that they were in an honorable business. The executives had no moral qualms at all since they were getting rich and that's all that mattered. After the execs made their millions, they could afford to start worrying about the company's bad image, but by then it was too late. Anti-spyware activist Ben Edelman is mentioned by name.

A critical bug in Internet Explorer was discovered recently which allows users' systems to be compromised by dirty or hacked web sites. Compromised systems are then used by spammers to relay spam. The bug is considered extremely critical, and many Windows users aren't willing to wait around for the patch any longer. Information Week reports that over 94,000 users have downloaded a third-party patch just from eEye Digital Security. See article Third-Party IE Patches Moving Fast As Spam Attack Starts for the full story. Meanwhile, ZDNet reports that Microsoft promises to release the real patch on the 11th: Microsoft to slap patch on risky IE hole.

OK, here's a security patch for you: it's called Firefox. Jeez.

I think not a day goes by that I don't hear something new in the spam wars: A game blogger reports that Electronic Arts (EA) now subjects players of Battlefield 2 to advertising when they play on line. See Why does EA spam me for playing XBox LIVE?

CAN SPAM wins another small victory: An online survey company has put together a kit to help their clients comply with CAN SPAM. OK, so the kit includes help in maintaining an opt-out list, but at least it's a step in the right direction, tiny as it may be. See Yahoo! Finance article WebSurveyor Announces CAN-SPAM Assurance Kit. Remember: spam that complies with CAN SPAM is still spam.

Raise your hand if you didn't see this coming: MediaPost Publications reports that mobile phone spam is on the rise, with 18% of users reporting having received unsolicited ads. See article Mobile Spam Flourishes.

Peopleline cries Joe job: Market Wire reports that VoIP/FoIP vendor Peopleline insists that it did not authorize the spam sent in January. See article Peopleline Responds to Spam.

And speaking of phone spam and VoIP, Red Herring has an article about how VoIP will make recorded phone spam a very real problem. See Spam’s New Target: VoIP.

Verizon has lost a class-action lawsuit which accuses them of too-aggressive anti-spam filtering which resulted in the loss of a great deal of legitimate email. The settlement will require them to compensate customers up to $49 each. See hardwareGeeks article Verizon to pay for SPAM blocking methods for more.

Blue Security's star continues to rise: Business Wire reports that Blue Security and Firetrust will be joining forces, with Firetrust's MailWasher anti-spam program integrating with Blue Security's Blue Frog software. The partnership will allow users to automatically and seamlessly report spam. I first wrote about Blue Frog in January, and again a couple weeks ago when it was announced that spamware Send-Safe would integrate Blue Frog compliance into its product.

I would be remiss if I didn't at least mention all of the press attention that Spam Cube has been receiving lately. There are too many articles to reference in this space, but suffice to say that their PR department is doing an excellent job. The gist of the on-line reviews seems to be that Spam Cube is too aggressive at the moment but has great potential. Chosen more or less at random, here's engadget's review.

Phishers exploit eBay

Another technique worth mentioning. This one just crossed my desk: phishers will create auctions on eBay, and then send messages to the bidders. The messages will contain links to what looks like an eBay sign-in page, but is in fact a phishing page. The idea is to lull you into a false sense of security with the fact that it's a message from a seller you are, in fact, doing business with. In effect, the phish leeches trust from eBay's good name.

What to do about it: As always, if money is involved, always give every URL a good looking over before you visit it. You might try contacting spoof@ebay.com, spam@ebay.com, or abuse@ebay.com.

Update: c|net has also written about the problem; see Phishers set hidden traps on eBay.

Tuesday, April 04, 2006

Spitzer Sues 'Spyware' Co. Over Pop-Up Ads

My hero, New York attorney general Eliot Spitzer, is suing Direct Revenue LLC for installing adware/spyware on millions of users' systems. See Yahoo news article: Spitzer Sues 'Spyware' Co. Over Pop-Up Ads.

Monday, April 03, 2006

Fighting phishing by poisoning the database

c|net has an article about a denial of service attack being used to fight phishers: Fighting fraud by baiting phishers.

In short, the Cyota division of RSA Security monitors spam traps for phishing sites. Along with the usual procedure of contacting the phisher's service provider and having the web site taken down, Cyota also floods the phisher's form with thousands of bogus entries. The idea is that any data obtained from the genuine victims of the phish is lost in the bogus data, making the data acquired in the phish impractical to use. The technique is called dilution.

I wrote about a similar technique in January. There are a number of spam-fighting tools, such as FormFlood, which flood a mortgage spammer's leads database with so many bogus entries as to make it useless.

There is some discussion about Cyota on the net-abuse newsgroups on whether or not fighting phishing with such DoS attacks constitutes fighting abuse with abuse. The consensus (and my own opinion) is that database poisoning is a legitimate, and even admirable, technique.

Another site that performs the same service is PhishFighting.com.

Claria and Yahoo and Softbank, oh my.

Two weeks ago, I wrote about how Claria (formerly Gator) had announced that they were quitting the adware business. Well today, BusinessWeek reports that Claria is teaming up with Japan's Softbank and Yahoo. The article quotes Claria Executive Vice-President Scott Eagle as saying the moves represent the clearest steps yet in a campaign to rehabilitate the company's image. I'm not so sure about that; maybe it represents Yahoo's campaign to lock in the "Be Evil" market.

I'm willing to give Claria a chance on this one, but frankly, I won't be holding my breath. Read it yourself: Gator is Dead. Long Live Claria.

Saturday, April 01, 2006

World Spam News

New Zealand's largest service provider Xtra is going to start filtering outgoing port 25 (email) connections. This will stop its customers from sending email spam (or at least slow them down), but will have the unwanted side-effect of inconveniencing many customers with legitimate needs to send email. The ability to send email to the mail server of your choice was a useful thing and now its loss is one of the hidden costs of spam. See NewstalkZB story Xtra targets spam.

UPI reports that Israel is being swamped with political spam. According to the article, 59% of email reaching the average Israeli's inbox was spam, and 36% of the spam was political. See Report: Israelis report election spam.

The Age, Australia, reports that The Australian Communications and Media Authority is threatening to hit email service providers with massive fines -- up to $10 million -- if they do not provide spam filtering. See World first code to crackdown on spam. It may sound draconian, but it works. The article reports that Australian spam has dropped from 2% to 1% of the world's total. The article also goes on to mention that the spammers themselves face fines up to $1 million.