Wednesday, October 24, 2007

PDF spam rides again - vulnerability found

Yes, it happened.  Hackers finally found an exploit in PDF files.  Remember a while back when I said it would happen?  They would look for an exploit and then hit us again.  Well, that started today.  In the past 24 hours Adobe has released a security fix (which almost no one has applied yet), and we have seen over 12,000 new PDF spam mails!  That's right, 12,000 PDF spams in less than 24 hours after the exploit was announced by Adobe.

Read the Attack of the PDFs blog entry over at ZDNet.

Symantec and a few others have already updated their virus definitions.  But how many IT departments regularly go to the Adobe site and patch?  I doubt very many do.  I know several companies still running Acrobat version 6 or later because it works for their needs, and the upgrade prices are very high for very little improvement to a typical user's "build a PDF" workflow.

So, expect a lot of new PDF spam emails coming your way again...  sigh.

posted @ Wednesday, October 24, 2007 4:12 PM | Feedback (0)

Tuesday, September 25, 2007

Rise and fall of PDF Spam

[Chart: PDF rise and fall]

What happened?  In June and August PDF spam accounted for over 20% of all email on the Internet.  As of September 1 that number had dropped to less than 1%.  Why?

Spam tactic didn't work

Does this mean spam engines have figured out how to block the messages?  No.  As of September 1 most spam filters were still not filtering PDF spam very effectively.

Did any of you notice that Outlook does not auto preview PDFs?  This means that people started deleting every email with a PDF attached that didn't include something they knew they needed to handle.  And since no one was auto previewing the silly pump and dump scams, they were not profitable for the spammers.  Spammers test new theories all the time; when they don't work they drop them like a hot rock and move on.  If only normal companies were that smart.

Spammers are more organized than people think

I honestly feel that spammers are more organized than people give them credit for being.  There is no way a group of hundreds could have all decided at the same time that the tactic was not working and dropped it.  There is no way to get a few hundred people to agree on anything, let alone to replace all their spam sending software.  Makes you wonder where the money is flowing.  Who is supplying these companies with their spamming tools?  The root providers of this spam sending software must have announced they no longer recommend PDF spam, and their customers all followed their advice.

Is it gone forever?

Don't fool yourself.  Spammers will recalibrate and retool.  They will continue to look for new ways to get their message in front of users.  Outlook is still by far their #1 target.  They will continue to look for ways to get around the built-in Outlook junk email filter, and for ways to ensure that their messages are auto previewed.

I personally think the next wave will include docx (the new Word 2007 format), xps (the Microsoft alternative to PDF), and other Microsoft specific extensions that many third party companies are ignoring right now.  A lot of email virus scanners do not even recognize the XPS format or scan it.  There are no known exploits (yet), but I am sure somewhere a group of people is trying to find one.

Until users stop buying from and visiting the sites and products that advertise through spam, it will continue to be profitable for spammers to send their messages.  With the 2007 holiday season right around the corner I expect some new type of attack as the spammers try to make their Xmas bonus plan profitable.  I hope I am wrong.


posted @ Tuesday, September 25, 2007 1:31 PM | Feedback (0)

Friday, August 03, 2007

PDF Spam gone wild

Is anyone else sick of PDF spam yet?

This has to be one of the dumbest forms of spam yet.  Outlook does not auto preview PDF files.  And since we all know that spammers target Outlook, what is the point?  You would have to double click the PDF and launch Reader to see the stock image embedded in the PDF.  Some of the new ones now include only text, and some are now zipping the PDF to get around the PDF block some companies have put into place.

Sad.  I guess not enough idiots bought the pump and dump stock from just PDF spam, so now they have to send millions more.  I received over 5,000 in ONE email box yesterday.  Wow.  Like anyone would bother to open all of those and buy some stock that way?

What you should do

First, if you do not need PDFs in your company attachment list, just remove them.  Set PDF as a blocked attachment type.  This is not a great solution, but it works.

Make sure your user list is uploaded and wildcard receive is turned OFF, so mail to addresses that do not exist is rejected instead of accepted.

Turn on Relay Delay.  Yes, this slows down the first contact from remote users, but it really does work well against this type of spammer.  If you can't afford to have email delays during the day, turn it on Friday night and leave it on until Monday.  That will help you with the huge deluge of spam you see first thing Monday morning.

Up the trust level of the RBLs, and set them to REJECT.  Most of these new spammers are smart enough to stay off the RBLs, but it does help some.

Use a nonstandard port on your server.  Spammers know that companies like Emerald exist and will try to get around us and connect directly to your server.  Especially if your server is named mail.domain, they will hit it more and more these days.
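The "Relay Delay" step above is greylisting: a sender the server has never seen gets a temporary SMTP rejection, and is accepted only if it comes back after a delay, which real mail servers do and most spam bots do not.  The following is an added example written for this page (not the post's code, and not Emerald Spam Shield); the 5-minute minimum delay, 30-day record expiry and the Friday 18:00 to Monday 06:00 schedule are my assumptions, modelled on the "turn it on Friday night and leave it until Monday" advice.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumptions of this example (not from the post): a 5-minute minimum retry
# delay, 30-day record expiry, and a Friday 18:00 to Monday 06:00 window.
MIN_DELAY = timedelta(minutes=5)
RECORD_TTL = timedelta(days=30)
TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


def in_weekend_window(now: datetime) -> bool:
    """True from Friday 18:00 through Monday 05:59, the 'turn it on Friday
    night and leave it until Monday' schedule the post suggests."""
    wd = now.weekday()  # Monday == 0 ... Sunday == 6
    if wd == 4:
        return now.hour >= 18
    if wd in (5, 6):
        return True
    return wd == 0 and now.hour < 6


@dataclass
class Greylist:
    """Decides, at RCPT TO time, whether an unknown sender gets a temporary
    rejection.  Real MTAs must retry after a 4xx reply; most spam bots never
    do, so their first (and only) delivery attempt is the one that is refused."""
    weekend_only: bool = False
    # (client IP, envelope sender, recipient) -> [first attempt, last attempt]
    seen: dict = field(default_factory=dict)

    def decide(self, client_ip: str, sender: str, rcpt: str, now: datetime) -> str:
        if self.weekend_only and not in_weekend_window(now):
            return ACCEPT  # outside the schedule, greylisting is off
        # Forget triplets that have not been seen for RECORD_TTL.
        self.seen = {k: v for k, v in self.seen.items() if now - v[1] < RECORD_TTL}
        key = (client_ip, sender.lower(), rcpt.lower())
        rec = self.seen.get(key)
        if rec is None:
            self.seen[key] = [now, now]  # first sight: defer and remember
            return TEMP_FAIL
        rec[1] = now
        if now - rec[0] < MIN_DELAY:
            return TEMP_FAIL  # retried too quickly, keep deferring
        return ACCEPT  # patient retry after the delay: behaves like a real MTA


if __name__ == "__main__":
    g = Greylist()
    t0 = datetime(2007, 8, 3, 9, 0)  # constructed timestamps (a Friday)
    for offset in (0, 1, 10):
        now = t0 + timedelta(minutes=offset)
        print(offset, g.decide("198.51.100.7", "a@example.net", "bob@example.com", now))
```

Keying on the exact client IP means a sending farm that retries from a different address never passes; production greylists usually key on the /24 instead.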

Spammers and botnets getting smarter

They are now getting smarter in their blasting techniques.  They will only send 10-20 messages at a time from a machine, and then let the machine stay idle for an hour or more.  It means they have to run more botnets, but it keeps their bots alive longer.  The person with the machine probably does not notice a slight slowdown once an hour, and so the machine stays useful to the spammer longer.  I personally applaud the efforts of some of the ISPs now to block outbound port 25 from their residential customers.  99% of this traffic is probably bots sending spam.


posted @ Friday, August 03, 2007 4:36 AM | Feedback (0)

Saturday, June 30, 2007

URL counts climbing rapidly

It is interesting for me to note that our URL scheme (we started using URLs in our own spam filter in 1999) is now one of the major ways that spam is detected.  A few new trends have started popping up (stock spam), but for the most part it has been a very effective way to block spam.

Over the past four years we have used our Stop and Dig system to pause inbound email and go crawl the site in question before deciding whether to send the email through.  This used to be very effective, but lately the effectiveness has dropped.  That spawned the question in my mind: why?

It is no secret that spammers adapt.  They are a great study in social Darwinism in their ability to adapt incredibly rapidly.  Over the past 6 months we have seen more and more zombie machines (machines infected by malware or viruses).  Recently some of the spammers have been setting up DNS records for these zombie machines.  That is amazing to me.  They know that any link to a bare IP will probably be ignored, so they will set up a bogus domain and have the www record point to an infected machine.  This tells me a couple of interesting things: #1 they have had control of the box for quite some time, and #2 they know the machine is on 24 hours a day.

We track the number of URLs we see in email by breaking them down into 15 minute intervals.  Over the past year that number has grown dramatically.  We used to see 100-150 per 15 minutes.  Over the past month we have seen an average of 550-650 new domains per 15 minutes.  Think about that.  That is 52,000+ new domains in a single day, and these are just the ones we see from our spam traps and customers!  The vast majority of them are kited domains (they have not been paid for and never will be).

Over 80% of these domains no longer exist within 72 hours.  Spammers know that traps will pick them up and they will be blocked.  So they simply let the reservation period on the domain expire and never bother to pay for it.  Why do registrars still allow this type of behavior?  Simple: money.  They are getting a flat monthly fee from these spammers to be "an affiliate" for registrations.  Yeah, right.  They are paying for the ability to kite domains.  Some spammers pay as much as $125,000 per month for the ability to register and dump as many domains as they want.

There may be a time when an effective anti-spam technique is to simply ensure the domain has been registered for more than 6 months.  That will slow down the spammers, but hurt new legitimate users as well.  Something to think about.
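To make the two ideas above concrete (counting new link domains per 15-minute interval, and penalising domains registered for less than 6 months), here is an added example written for this page; it is not the post's code or Emerald's Stop and Dig system.  The `registry` dictionary is a constructed stand-in for a WHOIS/RDAP creation-date lookup, the 180-day threshold is my reading of "6 months", and domain age is folded into a score rather than a hard reject so that new legitimate domains are penalised but not silently dropped.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def domains_in(body: str) -> set[str]:
    """Hostnames from the URLs in a message body, lower-cased, 'www.' stripped."""
    out = set()
    for host in URL_RE.findall(body):
        host = host.lower().rstrip(".")
        out.add(host[4:] if host.startswith("www.") else host)
    return out


def bucket_15min(ts: datetime) -> datetime:
    """Start of the 15-minute interval containing ts (the post's unit of counting)."""
    return ts.replace(minute=ts.minute - ts.minute % 15, second=0, microsecond=0)


class DomainTracker:
    def __init__(self, registry: dict[str, datetime], min_age_days: int = 180):
        # registry: domain -> creation date.  A constructed stand-in for a
        # WHOIS/RDAP lookup; the 180-day default is the post's "6 months" idea.
        self.registry = registry
        self.min_age = timedelta(days=min_age_days)
        self.first_seen: dict[str, datetime] = {}
        self.new_per_bucket: Counter = Counter()

    def observe(self, body: str, ts: datetime) -> list[str]:
        """Record the domains in one message; return those never seen before."""
        fresh = []
        for d in domains_in(body):
            if d not in self.first_seen:
                self.first_seen[d] = ts
                self.new_per_bucket[bucket_15min(ts)] += 1
                fresh.append(d)
        return sorted(fresh)

    def age_score(self, body: str, now: datetime) -> int:
        """Points to add to a spam score: 3 per domain younger than min_age,
        2 per domain with no registration record (lookup failed, or the kited
        domain has already been dropped).  A score, not a reject, so a new
        legitimate domain is penalised but not silently blocked."""
        score = 0
        for d in domains_in(body):
            created = self.registry.get(d)
            if created is None:
                score += 2
            elif now - created < self.min_age:
                score += 3
        return score
```

`new_per_bucket` gives the 15-minute series the post describes; watching it jump from the 100-150 range to 550-650 is the trend the author is pointing at.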

posted @ Saturday, June 30, 2007 7:04 PM | Feedback (0)

Monday, June 11, 2007

Spammers attacking antispam vendors

There is a new Storm Worm DDoS Attack happening this week against several antispam vendors and support companies.

A number of anti-spam websites came under a distributed denial-of-service attack on January 12, 2007. The trojan responsible for the attack was one of several dropped onto systems infected by a seeding of the email virus which later came to be called "Storm Worm", also W32/Small.DAM and Trojan.Peacomm.

This attack is from the same group that performed last year's destruction of Blue Security.  They are using a variant of the 'Storm Worm' malware and attacking a number of vendors' sites.  These attacks use compromised machines (botnets).  Typically these machines are infected Windows computers, usually the result of an infection picked up by downloading software from the Internet.

Steve Linford at Spamhaus.org posted a note on the net-abuse newsgroup about it.

Spamhaus's web servers came under a DDoS attack starting yesterday at just after 21:00 GMT. The attack is being carried out by the same people responsible for the BlueSecurity DDoS last year, using the Storm malware.

The attack method was sufficiently different to previous DDoS attacks on us that some of it got through our normal anti-DDoS defenses and halted our web servers.

At 02:00 GMT we got the attack under control and our web servers are now back up, www.spamhaus.org is running again as normal.

The attack is ongoing, but it's being absorbed by anti-DDoS defenses. Also under attack by the same gang are SURBL and URIBL.

Storm is the 'nightmare' botnet, capable of taking out government facilities and causing much mayhem on the internet. It has 3 functions: sending spam, fast-flux web and dns hosting mainly for stock scams, and DDoS. There is a hefty international effort underway by cyber-forensics teams in a joint effort by law enforcement and private sector botnet and malware analysts to trace the perpetrators.

We at Emerald have been minimally impacted by this, mostly through bogus bounce messages to domains owned by our customers.  We have not been under direct attack.

Spammers are getting much more sophisticated and are starting to raise the price of being an antispam company.  Attacks like this require huge resources for the spam-filtering vendor to combat.  This is a pretty scary phase of the war against spam.  It makes me wonder where we will be in a few years' time...


posted @ Monday, June 11, 2007 9:16 PM | Feedback (0)

Tuesday, May 22, 2007

Spammers finally hitting other ports

Well, it has finally started happening. Spammers are hitting non-standard ports to deliver spam in an attempt to get around spam filters.
It seems that so many people now use a spam filter on port 25, and then open their normal mail server on 2525, that spammers are hitting port 2525 first in many cases. We saw the first such attempt in the month of April, and now in May we have recorded over 100,000 attempts.
Spammers are getting more and more desperate to deliver their spam. We do not recommend port 2525 for your mail server, but we do recommend a non-standard port. A common thing I tell users is to pick your street address. If your office is at 5600 Some Street, then use port 5600. It will be easy for you to remember, and spammers won't try it (not yet).
The real lesson here is to never allow open relay on ANY server, even if you think it is on a safe port that no one will use. Apparently a number of large server-side spam filters now automatically remap port 2525 for Exchange (and set it to allow all connections); that is what is causing the huge number of spammers to now try it.
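The relay decision that lesson calls for, written as an added example for this page (not the post's code and not Emerald Spam Shield): the same check runs at RCPT TO on every listener, so moving the server to 2525 or 5600 changes nothing about who may relay through it.  The local domains, the trusted office network and the session fields are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed configuration for this example.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # office LAN (assumed)


@dataclass(frozen=True)
class Session:
    client_ip: str
    port: int            # listener port; deliberately plays no part in the decision
    authenticated: bool  # SMTP AUTH succeeded on this connection


def relay_decision(sess: Session, rcpt: str) -> str:
    """Return the SMTP reply for RCPT TO:<rcpt> on this session."""
    if "@" not in rcpt:
        return "501 5.1.3 Bad recipient address syntax"
    domain = rcpt.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in LOCAL_DOMAINS:
        return "250 2.1.5 OK"  # inbound mail for a domain we host: always fine
    ip = ipaddress.ip_address(sess.client_ip)
    if sess.authenticated or any(ip in net for net in TRUSTED_NETS):
        return "250 2.1.5 OK"  # our own users sending outbound mail
    # Anyone else asking us to deliver to a foreign domain is a relay attempt,
    # no matter which port they found us on.
    return "554 5.7.1 Relay access denied"


if __name__ == "__main__":
    for port in (25, 2525, 5600):
        s = Session(client_ip="203.0.113.9", port=port, authenticated=False)
        print(port, relay_decision(s, "victim@elsewhere.example"))
```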

posted @ Tuesday, May 22, 2007 12:32 PM | Feedback (0)

Wednesday, April 18, 2007

Botnet hitting DNS Flaw hard for spam bots

I sent this to some of you directly, but I wanted to post it here as well.

The gist is that a new RPC exploit has let a lot of botters hit machines and install their own spam bots.  We saw a 12% rise in spam the day after this exploit was announced.  So please check your DNS servers on Windows Server 2003 and make sure you are patched.

This is from a ZDNet article:

A zero-day vulnerability in the DNS server service in Windows is under attack, Microsoft warned in a security advisory.

The "limited attacks" are exploiting a stack overflow error in the Windows Domain Name System (DNS) Server's RPC interface implementation when processing malformed requests sent to a port between 1024 and 5000.

The flaw allows remote unauthenticated attackers to execute arbitrary code with SYSTEM privileges by sending a specially crafted request to a vulnerable system. 

Affected Windows versions include:

  • Windows 2000 Server Service Pack 4
  • Windows Server 2003 Service Pack 1
  • Windows Server 2003 Service Pack 2.

Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code.

There is a followup ZDNet Article today talking about the impact of the BotNets using this exploit.

An attacker can gain control over the compromised computer and use it to send spam, install adware, distribute illegal content or launch a DDoS attack on internet systems.


Since the exploit was announced we have seen a steady rise in the stock pump and dump scams, and a large number of bank phishing attempts.

posted @ Wednesday, April 18, 2007 11:02 AM | Feedback (1)

Tuesday, March 20, 2007

35 Firms suspended for stock spam emails

SEC Suspends Trading Of 35 Companies Touted In Spam Email Campaigns

Wow, the largest suspension in history of companies that have been the victim of stock spam.  The SEC is calling into question whether these firms profited from the pump and dump scams, and whether they may have actually paid for them to occur.

The agency unveiled Operation Spamalot as an example of how the SEC is cracking down on stock spam.

From the release:

The trading suspensions are part of a stepped-up SEC effort - code named "Operation Spamalot" - to protect investors from potentially fraudulent spam email hyping small company stocks with phrases like, "Ready to Explode," "Ride the Bull," and "Fast Money." It's estimated that 100 million of these spam messages are sent every week, triggering dramatic spikes in share price and trading volume before the spamming stops and investors lose their money.

"When spam clogs our mailboxes, it's annoying. When it rips off investors, it's illegal and destructive," said SEC Chairman Christopher Cox. "Today's trading suspensions, and actions that will follow, should send a clear message to spammers: the SEC will hold you accountable."

Hooray for the SEC.  It is about time they did something about it.  There have been a number of companies that have admitted to paying for these so-called pump and dump scams in the past to inflate earnings, or to bolster company claims to shareholders.

The trading suspensions are for ten business days.  Let's hope they get even tougher with these guys.

Other resources

The SEC has also set up a webpage to discuss trading suspensions and inform the public about them.

SEC Trading Suspensions Website

posted @ Tuesday, March 20, 2007 7:13 PM | Feedback (0)

Microsoft researchers follow the Search Engine Spam money...

Take a look at Ryan Naraine's blog at CNet.  Microsoft just published some interesting stats on Search Engine spam.  This is one of my personal pet peeves.  There are some very interesting results.

These same sites are being hit almost constantly for actual email spam as well.  They send you to one of these URLs through an email, and it auto-clicks on an ad for a product for you.  You look like a unique hit to the search engine, and they pay up for an ad click to these fraudsters.


posted @ Tuesday, March 20, 2007 4:17 PM | Feedback (1)

Wednesday, March 14, 2007

Emerald Technology, Inc. acquires VistaDB

San Diego, Calif. - March 14th, 2007 - Lorant Corporation (d.b.a. Vista Software) is pleased to announce today that Dr. Jason Short and his new entity VistaDB Software, Inc. (owned by Emerald Technology, Inc.) have signed an agreement today to acquire the VistaDB product line from Vista Software.

“I am very excited to announce that Dr. Short will be taking over VistaDB,” stated Anthony Carrabino, President/CEO, Vista Software. “Jason and his team have a wide range of technical knowledge and organizational skills that will bring VistaDB to new levels as the world’s best managed and embedded SQL database engine for .NET, Compact Framework and Mono. VistaDB customers, our development team and the VistaDB product line will benefit greatly from this acquisition.”

As a long time power user of VistaDB, Dr. Short has used VistaDB, .NET and Mono to develop a commercial cross-platform spam filtering product called Emerald Spam Shield. Emerald’s state-of-the-art spam filtering engine scales to hundreds of concurrent users in real-time and makes extreme use of VistaDB.

VistaDB customers have been benefiting from Jason’s .NET and VistaDB expertise for years on the company’s support forums as the number one contributor. Dr. Short and co-worker Mike McDonald’s in-depth knowledge of VistaDB and .NET is expected to bring a great deal of value to VistaDB customers, stated Carrabino.

“The deep integration of VistaDB into Emerald Spam Shield has given us priceless first hand experience with VistaDB,” stated Dr. Short. “We know exactly what is needed in the product and we finally have the ability to make direct changes. I am very excited to take over the VistaDB product line and look forward to working with the team to make VistaDB better than ever before.”

Dr. Short and his team are expert C# developers that specialize in managed code optimization. According to Carrabino, he expects that Jason and Mike will make immediate contributions to help VistaDB performance and scalability. Other improvements to the VistaDB release and testing process are already taking place, so VistaDB customers can expect to benefit very soon from this acquisition. New and improved VistaDB documentation and technical articles are already in the works as well.

The VistaDB development team, which includes Mr. Mike Orlov and Mr. Evgeniy Bhatov, has been working closely with Jason for weeks and will be joining VistaDB Software, Inc. Anthony Carrabino, President/CEO of Vista Software, has been working closely with the new management team and expects all operations to be completely moved over by April 1, 2007.


posted @ Wednesday, March 14, 2007 11:12 PM | Feedback (0)

Copyright © 2007 Emerald Technology, Inc.