The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Wednesday, February 28, 2007

More on Spamhaus ZEN

Yesterday I wrote about how Al Iverson had observed zero false positives from using the Spamhaus ZEN blocking list. I also noted that the sample set was too small (~2300 emails) to definitively give Spamhaus the Zero False Positives Seal of Approval.

Today, numbers provided by the Dutch ISP XS4All were brought to my attention.

In a nutshell, before ZEN, XS4All was using a combination of SBL + XBL + (ZEN is simply a combination of the SBL, the XBL and the PBL). With this combination, they were blocking about 4 million messages a day, out of 8 million examined. Their abuse@ address receives complaints about false positives about once every two weeks. Assuming that only one false positive in a thousand actually generates a complaint, that's a false positive rate of .00089%. Not too shabby.

(Of course, the one-complaint-in-a-thousand number is plucked straight from the air; I have no idea if anybody has ever done a study to find the actual number, but I think it's a reasonably conservative guess.)

The full article (in Dutch) can be found at Vincent Schönau's blog at XS4All.

Labels: ,

Et tu, Mercury News?

I am the product

A decade ago, I subscribed to the paper edition of the San Jose Mercury News. I foolishly gave them my email address. I wisely made it a tagged address. Today, I received spam from them for 24 Hour Fitness.

I've been sold to spammers by the San Jose Mercury News. Years after I last did business with them.

See my earlier post "You are the product".


Tuesday, February 27, 2007

Spamhaus ZEN: 80% blocking rate, zero false positives

As reported yesterday in Al Iverson's SpamResource web page:

Iverson was becoming overwhelmed by the spam sent to his abuse address. For obvious reasons, it's a very bad idea to filter an abuse-reporting address because legitimate abuse reports are too easily mistaken for spam.

As an experiment, Iverson applied the the Spamhaus ZEN blocking list to his incoming abuse mail — to tag rather than block.

(Spamhaus ZEN is a merger of the three blocking lists maintained by Spamhaus, and thus should be the most aggressive of them all.)

Iverson's results: out of over 2200 spams received in February so far, nearly 80% would have been blocked by Spamhaus, and there were zero, none, nada false positives.

This is encouraging news for administrators who worry if it's safe to use a blocking list. More testing is required though before it's safe to give Spamhaus the Zero False Positives Seal of Approval. At the very least, we need to see results from a variety of different users, and we need to see the results applied to a corpus of many more than 2200 messages.

Labels: , ,

Monday, February 26, 2007

Verizon wins another one against cellphone spammers

As reported in Xchange Online and ZDNet, Verizon has won a case against Specialized Programming and Marketing which sent roughly 98,000 text message spams to Verizon customers. Specialized Programming now has a permanent injunction against spamming Verizon customers, and must pay more than $200,000 in damages.

The suit begain in 2005 as a suit against Passport Holidays. Specialized Prgramming and Marketing was added to the suit when Passport Holidays fingered them as the actual spammers.

Labels: ,

419 scam of the day

Got a cute one in my mailbox this morning. Lawyer is trying to track down the benificiary of a $31M will:
For two years now, l have tried effortlessly to locate the name on the will without success hence l have contacted you.
Well, pal, maybe if you'd put a little more effort into it, maybe you'd have found him.

Friday, February 23, 2007

Update your SpamAssasin to 3.1.8

A bug was found allowing the possibility of dos attacks. See

Wednesday, February 21, 2007

The new whack a mole

Recently brought to my attention: a blog post from November by Cameron and his Spammers vs Free Speech blog. His article, The new whack a mole, discusses how major data centers become spam cesspools.

In a nutshell, there are many large data centers with virtual hosting where you have ten thousand servers hosting a million web sites. Where you have multiple layers of resellers and IP allocations, the big hosters don't know who they're hosting and they don't care. There are countless virtual servers being run by people who are not competent to do so, or are too lazy to update the required security patches. Put this all together and you have an environment very conducive to spammers.

The biggest problem is that the large hosters refuse to take any proactive steps to reduce spam — after all, a spammer (or compromised server) is still a paying customer. They're willing — after a fashion — to take action against spamming sites after they've been informed of them, but by then the spammer has moved on to another compromised server anyway.

Anyway, it's an excellent essay (as is the rest of his blog). Joe-Bob sez check it out: The new whack a mole.


Microsoft sells malware from their own site

Spyware Sucks blog reports that The malware commonly known as Winfixer aka Errorsafe is being distributed via MSN Messenger banner advertisements.

APC Magazine also has coverage: Microsoft apologises for serving malware.

And more from SlashDot.

So. Just general incompetence on Microsoft's part, or a greedy salesperson who knew it was malware but doesn't care where their commissions come from?

Tuesday, February 20, 2007

419 Scammer Scammed -- Monty Python style

Oh, this is just precious. Last June, I wrote about how scammer-baiter "Derek Trotter" had convinced would-be 419 scammers to send in wooden carvings in order to win non-existant art scholarships.

Well, last week, thanks to 419eater, the bar has been raised to an all new level. A scambaiter convinced some 419 scammers to re-enact the famous Monty Python "Dead Parrot" sketch.

Enjoy. I know I did.

Labels: , ,

Monday, February 19, 2007

You are the product

Many years ago, when working in mainstream media, a mentor of mine gave me a remarkable insight: Commercial television does not exist to sell products to consumers (the networks don't manufacturer toasters and personal hygiene products after all). No, the commercial television industry exists to sell viewers to advertisers. In other words, the viewer is the product.

This is the rock-solid foundation of advertising: Consumers are the commodity which the media sells. Often, the consumers pay for the privilege of being sold.

About a decade ago, there was travel agency by the name of Starr Tours. They specialized in booking vacations for nudists, advertising regularly in the rec.nude newsgroup. Sign up with Starr Tours, and spend a glorious week basking in the sun in all your glory. Then one day, one of the nudists noticed advertising in the newsgroup. The ads were entitled "See Naked Teens & Pre-Teens LIVE!" and offered bookings to the same destinations as the nudist trips, where you were promised thousands of nubile young girls frolicking naked on the beach. The ad was posted by Starr Tours. In other words, the nudists were the product that Starr was selling to the voyeurs — and the nudists were paying for the privilege.

Thus it is today on the internet. Your attention, and especially your email address, are the valuable commodity which is bought and sold on the internet. In a recent interview with spammer Ronnie Scelson, Scelson claimed that he bought email addresses from mainstream businesses, including banks, for 7¢ each. According to an article in DC Internet, he claimed that AOL had happily sold their entire customer list to him, and in addition, spams their own customers directly. AOL has not denied this. Is Scelson telling the truth? You can never tell with spammers, but it's possible. Valid contact info for people with money is a valuable commodity in the marketing world.

One thing Scelson is telling the truth about: Once you give your email address to a commercial site, there is a good chance it will be re-sold to spammers. If the business doesn't sell your information directly, they'll have an employee willing to do it under the table. In 2005, Ameritrade either sold or leaked its customer list to spammers. That same year, data broker ChoicePoint sold the personal information of 145,000 Americans to Nigerian criminals. In 2006, Gratis Internet sold the personal information of six million people to spammer Datran, in direct violation of their own privacy policy.

I can speak from personal experience here too. I use a big-name internet provider for my DSL service. When I signed up, I was given an email address in their domain. I have never, not even once, used that email address for anything. It's not an easily-guessable name. Other than routine business messages from my provider, it should never receive email. Just now, for the first time in six months, I checked my email account there. There were over 2000 spams waiting for me. How did the spammers get my email address? I can't prove it wasn't a dictionary attack, but given the numbers involved, it sure looks like my provider sold me out. Did they make more money selling me to spammers than they'll lose when I cancel my account? They'll have to judge that for themselves.

Businesses are not all evil of course. I've given tagged email addresses to many businesses over the years, and most of them have never received spam from anyone other than the businesses I gave the addresses to. Some businesses have even kept their promise to only send me the actual newsletters that I asked to received. Powell's Books and American Airlines stand out as examples of ethical businesses in this regard; they've had my email address for nearly a decade without a single unwanted email.

Friday, February 16, 2007

Change the password to your home router

New theoretical attack described in Computer Business Review: A phisher loads malicous javascript onto a web site. The javascript connects to your house router using the default IP address and default password, which you were too lazy to change. The javascript configures the router to use the phisher's own dns servers. Later, when you try to connect to your bank, you get connected to the phishing site instead, and there's no way to tell the difference.

The attack hasn't been seen in the wild yet, but it's only a matter of time. Save yourself a lot of hassle now, and secure your routers.

For more on the story, see Drive-By Pharming Attack Could Hit Home Networks.

Labels: ,

Review: An excellent beginner's document on securing your email

I have a confession to make: although I've been fighting the fight against spam for over a decade now, I've never actually configured a mail server, preferring instead to depend on my ISP to manage it for me.

There are good reasons for this. Securing a mail server against spam or other intrusions is non-trivial. Mess it up, and you're deluged with spam at best, or unwittingly hosting phishing or warez sites at worst. If you don't know what you're doing, it's best to leave well enough alone.

I've decided with my new server, to try having a go at it myself. A short web search found an excellent article on the subject: How to set up a mail server on a GNU / Linux system, by Ivar Abrahamsen

Written with Ubuntu Linux in mind, the document is well-written and concise. He tells you what software you need and what it's for. He gives you step-by-step instructions on installing and configuring.

Different revisions of the document are available, customized for different versions of Mandrake or Ubuntu linux. It's currently up to date as far as Ubunto 6.06 LTS, and an edition for Ubuntu 6.10 is in the works.

For the record, here's what he recommends:

OSUbuntu Linux
POP/IMAP serverCourier IMAP
Content checkAmavisd-new — plugin which searches content for spam and viruses
Anti-SpamSpamAssassin — well-renowned spam fighting tool
SMTP AuthenticationCyrus SASL
SMTP EncryptionTLS

I found all of the listed software in the standard Ubuntu distribution.

Once all the software is installed, the document gives step-by-step instructions for configuring postfix, and tells you how to set various security and anti-spam options.

One thing I had to change: his choice of Courier IMAP means that user mailboxes are stored in MailDir format, in which each mail folder is stored in a subdirectory of its own, with each mail message in a different form. If you need to keep your mail folders in mbox format, you should use Dovecot IMAP instead.

Monday, February 12, 2007

Today's new useful resource

Brought to my attention today: Tracking the Spammers at There are some truly excellent tutorials and examples here. He also includes a list of Secretary of State websites, which help you identify the actual owners of a spamming business.

See also his list of small claims court cases, most of which he's won and some of which are still pending. An inspiration to us all.

Labels: ,

More spammers headed to the slammer, part II

Last August, I reported that spammer Joshua Eveloff (along with Michael Steven Twombly) had been indicted for fraud in San Diego.

Today, I'm happy to see that Eveloff has pled guilty. (Twombly pled guilty on Jan 22). Both are scheduled to be sentenced in April. Eveloff could face up to three years in prison, although he's more likely to get 6-12 months.

Among Eveloff's spams were advertisements for software to "steal anyone's password".

For more on the story, see SignOn San Diego story Man pleads guilty in spam e-mail case.


Monday, February 05, 2007

Musings on the Phillips vs NetBlue case

I've been taking a random walk through some of the legal documents in the Phillips vs NetBlue case and reading some of the on-line comentary.

For those of you just tuning in, the gist of the case is this: Ritchie Phillips, owner and operator of a small ISP is suing mass marketer NetBlue for spam.

What makes the case interesting is that very little of the spam was sent by NetBlue themselves. Instead, they operate an affiliate program in which other people or companies drive business NetBlue's way and take a cut of the action. NetBlue can then distance themselves from the spam, effectively saying "Hey, not our fault; we told them not to spam." Nudge, nudge, wink, wink.

NetBlue does in fact have an anti-spam policy in writing, but they tend to enforce it very laxly. Choosing, essentially, to wait until a verified complaint comes to them, and then terminating only the affiliate responsible. Evidence in the case suggests that NetBlue in fact only terminates those affiliates who weren't bringing in much money anyway.

NetBlue has been in and out of SpamHaus listings over time, and for a while SpamHaus was working with NetBlue to help them solve their problems. After a while, SpamHaus decided to stop acting as NetBlue's help desk gratis, and to stop playing whack-a-mole. I suspect that they realized that NetBlue had no intention of taking any real action to stop the spam and were simply trying to appease SpamHaus to buy time.

At any rate, this placed Phillips in the position of suing NetBlue not for spam they sent, but for spam that was sent by their agents. This is a trickier case to win, because it means explaining a more complicated system to both judge and jury. It means explaining the mechanism of affiliate spam, redirectors, temporary web sites and so on.

Now there's no doubt that spam was sent, that it probably violated the CAN-SPAM act, and that it was sent on NetBlue's behalf. What remains to be seen is if the dots can be connected clearly enough for the court to see.

NetBlue's court arguments have been very interesting. For example, they've charged that Phillips failed to preserve evidence as is required. In particular, the spams in question often included embedded images and links to redirector pages. Although phillips saved the actual spams themselves, he didn't download the images or capture the contents of the redirector pages. This information would have strengthened the link between NetBlue and the spam.

Phillips responded that requiring an ISP to not only preserve all the spam it received, but to also follow all the links in the spam and preserve copies of the web pages to which it linked would be an impossible burden. In addition, the law only requires that you preserve the evidence you have — which Phililps has done — but does not require that you go out and gather more; it is only necessary to have the evidence sufficient to prove your case. Furthermore, since the images and redirectors were on servers controlled by NetBlue or its affiliates, it is NetBlue which failed to preserve evidence, not Phillips. Finally, Phillips points out that the missing evidence was material which would have helped his case, not NetBlue's.

Anyway, if you'd like to read some of the documentation yourself, it can be found at One thing is clear; NetBlue's lawyers intend to fight this and make it expensive for Phillips to pursue.

Other readings:

Labels: ,

Beware of new scam telling you that you need to download new software to access your gmail account

This has been circulating for the last few days. A message (in Portugese) entitled "Privacy matters" tells you that you need to download new software if you want to keep accessing your gmail or orkut account. The message is a hoax. Please don't click on the links it contains.


Friday, February 02, 2007

Security alert: Don't visit Dolphin Stadium site with Windows

If you're running an unpatched version of Windows, and probably most of you are, do NOT visit the Dolphin Stadium web site. It's been broken into and malware installed which will download a Trojan keylogger/backdoor to your computer.

See ZDNet article Super Bowl stadium site hacked, seeded with exploits and Websense alert Malicious Website: Super Bowl XLI / Dolphin Stadium

Update: The site seems to be disinfected, but the malicious code is showing up other places as well. If you run Windows, get the damn thing patched.

Thursday, February 01, 2007

How T-Mobile wound up spamming to a list of email addresses bought from eBay

Submitted for your approval: UK Register article Vulture eats his way along a trail of Spam details the marketing trail that led previously white-hat T-Mobile to spam potentially millions of users.

From the article:
So, just to recap, T-Mobile hired Quantum Media who hired Mailtrack Media who hired E-Mail Movers who bought a list from Century Communications who bought it from a bloke on eBay.

OK, so we have a list that describes the chain of responsibility. Now, will anybody actually be held responsible? Will T-Mobile be paying any fines under the British anti-spam laws? Will they be firing Quantum Media for spamming? Will anybody be fired for spamming? Or will it be business as usual with T-Mobile saying "We're shocked, shocked to find spamming going on in this establishment." I expect any day now to see a press release from T-Mobile assuring us that they take these things seriously.

T-Mobile may not have committed the spamming, but they comissioned it. Did they have a contract with Quantum requiring Quantum not to spam? Will some sort of penalties ensue over Quantum's violation of that contract? Or will it be business as usual; sorry about that, we take these things seriously; nudge, nudge, wink, wink?

Mainsleaze spam will continue to be a problem until the corporations who hire the spammers are held responsible.