<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:copyright="http://blogs.law.harvard.edu/tech/rss" xmlns:image="http://purl.org/rss/1.0/modules/image/">
    <channel>
        <title>Spam</title>
        <link>http://techtalk.emeraldshield.com/category/4.aspx</link>
        <description>Technologies centered around spam filtration.  Also information about spammers and their ever changing tactics.</description>
        <language>en-US</language>
        <copyright>Emerald Technology, Inc.</copyright>
        <managingEditor>contactus@emeraldshield.com</managingEditor>
        <generator>Subtext Version 1.9.4.78</generator>
        <item>
            <title>Rise and fall of PDF Spam</title>
            <link>http://techtalk.emeraldshield.com/archive/2007/09/25/40.aspx</link>
            <description>&lt;p&gt;&lt;font size="4"&gt;PDF rise and fall&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;What happened?  In June and August PDF spam accounted for over 20% of all email on the Internet.  As of September 1 that number had dropped to less than 1%.  Why?&lt;/p&gt;
&lt;p&gt;&lt;font size="4"&gt;Spam tactic didn't work&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;Does this mean spam engines have figured out how to block the messages?  No.  As of September 1, most spam filters were still not filtering PDF spam very effectively.  &lt;/p&gt;
&lt;p&gt;Did any of you notice that Outlook does not auto preview PDFs?  This means that people started deleting every PDF attached email that didn't include something they knew they needed to handle.  And since no one was auto previewing the silly pump and dump scams, they were not profitable for the spammers.  Spammers test new theories all the time; when they don't work they drop them like a hot rock and move on.  If only normal companies were that smart.&lt;/p&gt;
&lt;p&gt;&lt;font size="4"&gt;Spammers are more organized than people think&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;I honestly feel that spammers are more organized than people give them credit for being.  There is no way a group of hundreds could have all decided at the same time the tactic was not working and dropped it.  There is no way to get a few hundred people to agree on anything, let alone to replace all their spam sending software.  Makes you wonder where the money is flowing.  Who is supplying these companies with their spamming tools?  The root providers of this spam sending software must have announced they no longer recommend PDF spam, and their customers all followed their advice.&lt;/p&gt;
&lt;p&gt;&lt;font size="4"&gt;Is it gone forever?&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;Don't fool yourself.  Spammers will recalibrate and retool.  They will continue to look for new ways to get their message in front of users.  Outlook is still by far their #1 target.  They will continue to look for ways to get around the built-in Outlook junk email filter, and for ways to ensure that their messages are auto previewed.&lt;/p&gt;
&lt;p&gt;I personally think the next wave will include docx (the new Word 2007 format), xps (the Microsoft alternative to PDF), and other Microsoft-specific extensions that many third party companies are ignoring right now.  A lot of email virus scanners do not even recognize the XPS format or scan it.  There are no known exploits (yet), but I am sure somewhere a group of people is trying to find one.&lt;/p&gt;
&lt;p&gt;Until users stop buying and trafficking sites and products that advertise through spam it will continue to be profitable for spammers to send their messages.  With the 2007 holiday season right around the corner I expect some new type of attack for the spammers to make their XMas bonus plan profitable.  I hope I am wrong.&lt;/p&gt;
</description>
            <dc:creator>Emerald Technology, Inc.</dc:creator>
            <guid>http://techtalk.emeraldshield.com/archive/2007/09/25/40.aspx</guid>
            <pubDate>Tue, 25 Sep 2007 17:31:45 GMT</pubDate>
            <comments>http://techtalk.emeraldshield.com/archive/2007/09/25/40.aspx#feedback</comments>
            <wfw:commentRss>http://techtalk.emeraldshield.com/comments/commentRss/40.aspx</wfw:commentRss>
        </item>
        <item>
            <title>PDF Spam gone wild</title>
            <link>http://techtalk.emeraldshield.com/archive/2007/08/03/39.aspx</link>
            <description>&lt;p&gt;Is anyone else sick of PDF spam yet?&lt;/p&gt;
&lt;p&gt;This has to be one of the dumbest forms of spam yet.  Outlook does not auto preview PDF files.  And since we all know that spammers target Outlook, what is the point?  You would have to double click the PDF and launch Reader to see the stock image embedded in the PDF.  Some of the new ones now include only text, and some are now zipping the PDF to get around the PDF block some companies have put into place.  &lt;/p&gt;
&lt;p&gt;Sad.  I guess not enough idiots bought the pump and dump stock from just PDF spam, now they have to send millions more.  I received over 5,000 in ONE email box yesterday.  Wow.  Like anyone would bother to open all of those and buy some stock that way?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;What you should do&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;First, if you do not need PDFs in your company attachment list, just remove them.  Set PDF as a blocked attachment.  This is not a great solution, but it works.&lt;/p&gt;
&lt;p&gt;Make sure your userlist is uploaded and wildcard receive is turned OFF.&lt;/p&gt;
&lt;p&gt;Turn on Relay Delay.  Yes, this slows down your first contact from remote users, but it really does work well for this type of spammer.  If you can't afford to have email delays during the day, turn it on Friday night and leave it until Monday.  That will help you with the huge deluge of spam you see first thing Monday morning.&lt;/p&gt;
&lt;p&gt;Up the trust level of the RBLs, and set them to REJECT.  Most of these new spammers are smart enough to stay off the RBLs, but it does help some.  &lt;/p&gt;
&lt;p&gt;Use a nonstandard port on your server.  Spammers know that companies like Emerald exist and will try to get around us and connect direct to your server.  Especially if your server is named mail.domain they will hit it more and more these days.  &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Spammers and bot nets getting smarter&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;They are now getting smarter in their blasting techniques.  They will only send 10-20 at a time from a machine, and then let the machine stay idle for an hour or more.  It means they have to run more bot nets, but it keeps their bots alive longer.  The person with the machine probably does not notice a slight slowdown once an hour, and they stay useful to the spammer longer.  I personally applaud the efforts of some of the ISPs now to block outbound port 25 from their residential customers.  99% of this traffic is probably bots sending spam.&lt;/p&gt;
</description>
            <dc:creator>Emerald Technology, Inc.</dc:creator>
            <guid>http://techtalk.emeraldshield.com/archive/2007/08/03/39.aspx</guid>
            <pubDate>Fri, 03 Aug 2007 08:36:20 GMT</pubDate>
            <comments>http://techtalk.emeraldshield.com/archive/2007/08/03/39.aspx#feedback</comments>
            <wfw:commentRss>http://techtalk.emeraldshield.com/comments/commentRss/39.aspx</wfw:commentRss>
        </item>
        <item>
            <title>URL counts climbing rapidly</title>
            <link>http://techtalk.emeraldshield.com/archive/2007/06/30/38.aspx</link>
            <description>&lt;p&gt;It is interesting for me to note that our URL scheme (we started using URLs in our own spam filter in 1999) is now one of the major ways that spam is detected.  A few new trends have started popping up (stock spam) but for the most part it has been a very effective way to block spam.&lt;/p&gt;
&lt;p&gt;Over the past four years we have used our Stop and Dig system to pause inbound email and go crawl the site in question before deciding to send the email through or not.  This used to be very effective, and lately the effectiveness has dropped.  That spawned the question in my mind, Why?&lt;/p&gt;
&lt;p&gt;It is no secret that spammers adapt.  They are a great study in social Darwinism in their ability to adapt incredibly rapidly.  Over the past 6 months we have seen more and more zombie machines (machines infected by malware or virus software).  Recently some of the spammers have been setting up DNS records for these zombie machines.  That is amazing to me.  They know that any link to an IP will probably be ignored, so they will set up a bogus domain and have the www record point to an infected machine.  This tells me a couple of interesting things.  #1 They have had control of the box for quite some time, and #2 they know the machine is on 24 hours a day.&lt;/p&gt;
&lt;p&gt;We track the number of URLs we see in email by breaking them down into 15 minute intervals.  Over the past year that number has grown dramatically.  We used to see 100-150 per 15 minutes.  Over the past month we have seen an average of 550-650 new domains per 15 minutes.  Think about that.  That is 52,000+ new domains in a single day, and these are just the ones we see from our spam traps and customers!  The vast majority of them are kited domains (they have not been paid for and never will be).&lt;/p&gt;
&lt;p&gt;Over 80% of these domains do not exist within 72 hours.  Spammers know that traps will pick them up and they will be blocked.  So they simply let the reservation period on the domain expire and never bother to pay for it.  Why do registrars still allow this type of behavior?  Simple, money.  They are getting a flat monthly fee from these spammers to be "an affiliate" for registrations.  Yea, right.  They are paying for the ability to kite domains.  Some spammers pay as much as $125,000 per month for the ability to register and dump as many domains as they want.  &lt;/p&gt;
&lt;p&gt;There may be a time when an effective spam technique is to just simply ensure the domain has been registered for more than 6 months.  That will slow down the spammers, but hurt new legitimate users as well.  Something to think about.&lt;/p&gt;</description>
            <dc:creator>Emerald Technology, Inc.</dc:creator>
            <guid>http://techtalk.emeraldshield.com/archive/2007/06/30/38.aspx</guid>
            <pubDate>Sat, 30 Jun 2007 23:04:36 GMT</pubDate>
            <comments>http://techtalk.emeraldshield.com/archive/2007/06/30/38.aspx#feedback</comments>
            <wfw:commentRss>http://techtalk.emeraldshield.com/comments/commentRss/38.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Spammers attacking antispam vendors</title>
            <link>http://techtalk.emeraldshield.com/archive/2007/06/11/37.aspx</link>
            <description>&lt;p&gt;There is a new &lt;a href="http://www.secureworks.com/research/threats/view.html?threat=storm-worm"&gt;Storm Worm DDoS Attack &lt;/a&gt;happening this week against several antispam vendors and support companies.&lt;/p&gt;
&lt;blockquote dir="ltr" style="MARGIN-RIGHT: 0px"&gt;
&lt;p&gt;A number of anti-spam websites came under a distributed denial-of-service attack on January 12, 2007. The trojan responsible for the attack was one of several dropped onto systems infected by a seeding of the email virus which later came to be called "Storm Worm", also W32/Small.DAM and Trojan.Peacomm. &lt;/p&gt;
&lt;/blockquote&gt;
&lt;p dir="ltr"&gt;This attack is from the same group that performed last year's destruction of Blue Security.  They are using a variant of the 'Storm Worm' malware and attacking a number of vendors' sites.  These attacks use compromised machines (botnets).  Typically these machines are infected Windows computers, usually the result of some infection through downloading software from the Internet.&lt;/p&gt;
&lt;p dir="ltr"&gt;Steve Linford at Spamhaus.org posted a note on the &lt;a href="http://groups.google.com/group/news.admin.net-abuse.email/msg/28d49877cc8dbc2d?dmode=source&amp;amp;output=gplain"&gt;net-abuse newsgroup &lt;/a&gt;about it.&lt;/p&gt;
&lt;blockquote dir="ltr" style="MARGIN-RIGHT: 0px"&gt;
&lt;p dir="ltr"&gt;Spamhaus's web servers came under a DDoS attack starting yesterday at just after 21:00 GMT. The attack is being carried out by the same people responsible for the BlueSecurity DDoS last year, using the Storm malware.&lt;br /&gt;
&lt;br /&gt;
The attack method was sufficiently different to previous DDoS attacks on us that some of it got through our normal anti-DDoS defenses and halted our web servers.&lt;br /&gt;
&lt;br /&gt;
At 02:00 GMT we got the attack under control and our web servers are now back up, www.spamhaus.org is running again as normal.&lt;br /&gt;
&lt;br /&gt;
The attack is ongoing, but it's being absorbed by anti-DDoS defenses. Also under attack by the same gang are SURBL and URIBL.&lt;br /&gt;
&lt;br /&gt;
Storm is the 'nightmare' botnet, capable of taking out government facilities and causing much mayhem on the internet. It has 3 functions; sending spam, fast-flux web and dns hosting mainly for stock scams, and &lt;br /&gt;
DDoS. There is a hefty international effort underway by cyber-forensics teams in a joint effort by law enforcement and private sector botnet and malware analysts to trace the perpetrators.&lt;br /&gt;
&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p dir="ltr"&gt;We at Emerald have been minimally impacted by this through mostly bogus bounce messages to domains owned by our customers.  We have not been under direct attack.&lt;/p&gt;
&lt;p dir="ltr"&gt;Spammers are getting much more sophisticated and are starting to up the price of being an antispam company.  Attacks like this require huge resources to combat from the spam vendor.  This is a pretty scary phase of the war against spam.  It makes me wonder where we will be in a few years' time...&lt;/p&gt;
</description>
            <dc:creator>Emerald Technology, Inc.</dc:creator>
            <guid>http://techtalk.emeraldshield.com/archive/2007/06/11/37.aspx</guid>
            <pubDate>Tue, 12 Jun 2007 01:16:11 GMT</pubDate>
            <comments>http://techtalk.emeraldshield.com/archive/2007/06/11/37.aspx#feedback</comments>
            <wfw:commentRss>http://techtalk.emeraldshield.com/comments/commentRss/37.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Spammers finally hitting other ports</title>
            <link>http://techtalk.emeraldshield.com/archive/2007/05/22/36.aspx</link>
            <description>&lt;div&gt;Well, it has finally started happening. Spammers are hitting non-standard ports to deliver spam in an attempt to get around spam filters.&lt;/div&gt;
&lt;div&gt;&lt;/div&gt;
&lt;div&gt;It seems that so many people now use a spam filter on port 25, and then open their normal mail server at 2525 that spammers are hitting port 2525 first in many cases. We saw our first relay attempt ever in the month of April, and now in May we have recorded over 100,000 attempts.&lt;/div&gt;
&lt;div&gt;&lt;/div&gt;
&lt;div&gt;Spammers are getting more and more desperate to deliver their spam. We do not recommend port 2525 for your mail server, but we do recommend a non-standard port. A common thing I tell users is to pick your street address. If your office is at 5600 some street, then use that port. It will be easy for you to remember, and spammers won’t try it (not yet).&lt;/div&gt;
&lt;div&gt;&lt;/div&gt;
&lt;div&gt;The real lesson here is to &lt;strong&gt;never allow open relay on ANY server&lt;/strong&gt;, even if you think it is on a safe port that no one will use. Apparently a number of large server side spam filters now automatically remap port 2525 for Exchange (and set it to allow all connections); that is what is causing the huge number of spammers to now try it.&lt;/div&gt;
</description>
            <dc:creator>Emerald Technology, Inc.</dc:creator>
            <guid>http://techtalk.emeraldshield.com/archive/2007/05/22/36.aspx</guid>
            <pubDate>Tue, 22 May 2007 16:32:15 GMT</pubDate>
            <comments>http://techtalk.emeraldshield.com/archive/2007/05/22/36.aspx#feedback</comments>
            <wfw:commentRss>http://techtalk.emeraldshield.com/comments/commentRss/36.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Botnet hitting DNS Flaw hard for spam bots</title>
            <link>http://techtalk.emeraldshield.com/archive/2007/04/18/35.aspx</link>
            <description>&lt;p&gt;I sent this to some of you directly, but I wanted to post it here as well.&lt;/p&gt;
&lt;p&gt;The gist is that a new RPC exploit has let a lot of botters hit machines and install their own spam bots.  We saw a 12% rise in spam the day after this exploit was announced.  So please check your DNS servers in Windows Server 2003 and make sure you are patched.&lt;/p&gt;
&lt;p&gt;This is from a &lt;a href="http://blogs.zdnet.com/security/?p=164"&gt;ZDNet article&lt;/a&gt;:&lt;/p&gt;
&lt;p&gt;A zero-day vulnerability in the DNS server service in Windows is under attack, Microsoft warned in a &lt;a href="http://www.microsoft.com/technet/security/advisory/935964.mspx"&gt;security advisory&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The "limited attacks" are exploiting a stack overflow error in the Windows Domain Name System (DNS) Server's RPC interface implementation when processing malformed requests sent to a port between 1024 and 5000.&lt;/p&gt;
&lt;p&gt;The flaw allows &lt;strong&gt;remote unauthenticated attackers to execute arbitrary code&lt;/strong&gt; with SYSTEM privileges by sending a specially crafted request to a vulnerable system. &lt;/p&gt;
&lt;p&gt;Affected Windows versions include: &lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Windows 2000 Server Service Pack 4 &lt;/li&gt;
    &lt;li&gt;Windows Server 2003 Service Pack 1 &lt;/li&gt;
    &lt;li&gt;Windows Server 2003 Service Pack 2. &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista &lt;strong&gt;are not affected&lt;/strong&gt; as these versions do not contain the vulnerable code.&lt;/p&gt;
&lt;p&gt;There is a followup &lt;a href="http://blogs.zdnet.com/security/?p=169&amp;amp;tag=nl.e539"&gt;ZDNet Article&lt;/a&gt; today talking about the impact of the BotNets using this exploit.&lt;/p&gt;
&lt;blockquote dir="ltr" style="MARGIN-RIGHT: 0px"&gt;
&lt;p&gt;An attacker can gain control over the compromised computer and use it to send spam, install adware, distribute illegal content or launch a DDos attack on internet systems. &lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Since the exploit was announced we have seen a steady rise in the stock pump and dump scams, and a large number of bank phishing attempts.&lt;/p&gt;</description>
            <dc:creator>Emerald Technology, Inc.</dc:creator>
            <guid>http://techtalk.emeraldshield.com/archive/2007/04/18/35.aspx</guid>
            <pubDate>Wed, 18 Apr 2007 15:02:41 GMT</pubDate>
            <comments>http://techtalk.emeraldshield.com/archive/2007/04/18/35.aspx#feedback</comments>
            <slash:comments>1</slash:comments>
            <wfw:commentRss>http://techtalk.emeraldshield.com/comments/commentRss/35.aspx</wfw:commentRss>
        </item>
        <item>
            <title>35 Firms suspended for stock spam emails</title>
            <link>http://techtalk.emeraldshield.com/archive/2007/03/20/34.aspx</link>
            <description>&lt;p&gt;&lt;strong&gt;SEC Suspends Trading Of 35 Companies Touted In Spam Email Campaigns&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Wow, the largest suspension in history of companies that have been the victim of stock spam.  The SEC is calling into question whether these firms profited from the pump and dump scams, and whether they may have actually paid for them to occur.&lt;/p&gt;
&lt;p&gt;The agency unveiled &lt;a href="http://www.sec.gov/news/press/2007/2007-34.htm"&gt;Operation Spamalot&lt;/a&gt; as an example of how the SEC is cracking down on stock spam.&lt;/p&gt;
&lt;p&gt;From the release:&lt;/p&gt;
&lt;blockquote dir="ltr" style="MARGIN-RIGHT: 0px"&gt;
&lt;p&gt;The trading suspensions are part of a stepped-up SEC effort - code named "Operation Spamalot" - to protect investors from potentially fraudulent spam email hyping small company stocks with phrases like, "Ready to Explode," "Ride the Bull," and "Fast Money." It's estimated that 100 million of these spam messages are sent every week, triggering dramatic spikes in share price and trading volume before the spamming stops and investors lose their money.&lt;/p&gt;
&lt;p&gt;"When spam clogs our mailboxes, it's annoying. When it rips off investors, it's illegal and destructive," said SEC Chairman Christopher Cox. "Today's trading suspensions, and actions that will follow, should send a clear message to spammers: the SEC will hold you accountable." &lt;/p&gt;
&lt;/blockquote&gt;
&lt;p dir="ltr"&gt;Hooray for the SEC.  It is about time they did something about it.  There have been a number of companies that have admitted to paying for these so-called Pump and Dump scams in the past to inflate earnings, or to bolster company claims to shareholders.  &lt;/p&gt;
&lt;p dir="ltr"&gt;The trading suspensions are for ten business days.  Let's hope they get even tougher with these guys.&lt;/p&gt;
&lt;p dir="ltr"&gt;&lt;strong&gt;Other resources&lt;/strong&gt;&lt;/p&gt;
&lt;p dir="ltr"&gt;The SEC has also set up a webpage to discuss trading suspensions and inform the public about them.&lt;/p&gt;
&lt;blockquote dir="ltr" style="MARGIN-RIGHT: 0px"&gt;
&lt;p dir="ltr"&gt;&lt;a href="http://www.sec.gov/investor/35tradingsuspensions.htm"&gt;SEC Trading Suspensions Website&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;</description>
            <dc:creator>Emerald Technology, Inc.</dc:creator>
            <guid>http://techtalk.emeraldshield.com/archive/2007/03/20/34.aspx</guid>
            <pubDate>Tue, 20 Mar 2007 23:13:16 GMT</pubDate>
            <comments>http://techtalk.emeraldshield.com/archive/2007/03/20/34.aspx#feedback</comments>
            <wfw:commentRss>http://techtalk.emeraldshield.com/comments/commentRss/34.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Testimonials from gangsters?</title>
            <link>http://techtalk.emeraldshield.com/archive/2007/01/15/12.aspx</link>
            <description>&lt;p&gt;I spend a lot of time reviewing spam, and staying on top of what our competitors claim to be doing about it.  This includes reviewing their sites to see how they advertise, what words they use, etc.  I came across one this morning that just really made me laugh.  But first a little background...&lt;/p&gt;
&lt;p&gt;Keyword advertising in the big search engines is a cutthroat business.  For example the term "spam filter service" is a big business these days.  The cost of a SINGLE CLICK can be as high as $22!  Now who can afford to pay that type of price?  Well, I periodically look at the ones that I have never heard of before.  Are they a new player with a lot of financing to blow?  Or are they a fly by night company?&lt;/p&gt;
&lt;p&gt;One appeared this morning and sounded legit.  I visited their site and looked through their text.  It was very clean, well laid out, and everything looked fine.  Then I looked at their testimonials page.  Hmm, that name rings a bell, hmm, that one too, hmm and another.  I finally started searching on the names of their testimonials.  Guess what?  ALL of them were the "real" names of mobsters!  Benjamin Siegel for example is the infamous "Bugsy" Siegel.  Michael Spinelli is also known as "Baldy Mike".  And on and on.  That just goes to show you that you cannot trust what people claim on their sites. &lt;/p&gt;
&lt;p&gt;Just remember that ANYONE can write ANYTHING on the web.  If you doubt it, do your own research.  The number of spam filter companies out there that make claims like "100% Accuracy" are crazy.  What if you wanted to get that email on male enlargement?  Then it would be a false positive to you.  That is the key in spam, how does it work for you?&lt;/p&gt;
&lt;p&gt;I personally get around 500 messages a day in my inbox.  Today 189 were caught by the built-in Outlook 2003 filter (some of them already tagged by us), and an additional 293 were caught by the Emerald Spam Shield.  That left me 31 messages in my inbox this morning.  Of those most were ads from places like Dell, newsletters I subscribe to, and yes even a few of those annoying stock scams that we missed.  Are we perfect?  No, but is anyone?  I doubt it.  We try really hard, and will never ever lie to you about anything.  Do you have a question about something and want a real answer?  Ask us, we will tell you the truth.&lt;/p&gt;</description>
            <dc:creator>Emerald Technology, Inc.</dc:creator>
            <guid>http://techtalk.emeraldshield.com/archive/2007/01/15/12.aspx</guid>
            <pubDate>Mon, 15 Jan 2007 19:30:06 GMT</pubDate>
            <comments>http://techtalk.emeraldshield.com/archive/2007/01/15/12.aspx#feedback</comments>
            <wfw:commentRss>http://techtalk.emeraldshield.com/comments/commentRss/12.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Number of stock scams at all time high</title>
            <link>http://techtalk.emeraldshield.com/archive/2007/01/13/11.aspx</link>
            <description>&lt;p&gt;Wow is about all I can say.  We track stock pump and dump scams as a part of our business.  We normally have between 5-9 active scams we are tracking.  If we see these stock symbols in an email you can be almost postive it is a stock scam.  This week we have seen a huge increase in the amount of stock spam.  Right now we are tracking over 50 (FIFTY!) stock symbols being pumped and dumped.  &lt;/p&gt;
&lt;p&gt;Is this a case of spammers finally seeing a decrease in return and so they are trying to hit more people?  Or is it a case of more spammers converting to this type of scam to make money?  I think it is a little bit of both.&lt;/p&gt;
&lt;p&gt;On a normal week we track around 10,000 unique IP addresses attacking our servers with spam.  We don't track the type of spam, just that they hit us enough times to be thrown on our bad people list.  This week we saw that number peak over 22,800!  Almost all of them were stock scams, and a vast majority were from the US.  &lt;/p&gt;
&lt;p&gt;Zombie machines (machines that have been taken over by a virus or some other method to send spam) have been rising this year.  Maybe it is all the Christmas computers kids got over the holidays and tried to download "free" stuff off the net?  I don't know.  We have never seen this large of a jump in a single month.  All I can say is that I hope it goes back down.  No one in this industry can sustain this level of growth in spam.  &lt;/p&gt;
&lt;p&gt;We have one poor customer who receives over 25,000 false bounced emails per day.  We will be doing a case study on her domain very soon.&lt;/p&gt;</description>
            <dc:creator>Emerald Technology, Inc.</dc:creator>
            <guid>http://techtalk.emeraldshield.com/archive/2007/01/13/11.aspx</guid>
            <pubDate>Sat, 13 Jan 2007 06:58:25 GMT</pubDate>
            <comments>http://techtalk.emeraldshield.com/archive/2007/01/13/11.aspx#feedback</comments>
            <wfw:commentRss>http://techtalk.emeraldshield.com/comments/commentRss/11.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Undersea earthquake means a drop in spam?</title>
            <link>http://techtalk.emeraldshield.com/archive/2006/12/23/10.aspx</link>
            <description>&lt;p&gt;The Internet connection to Taiwan was damaged in an underwater earthquake last week.  As a result the Internet to mainland China and Taiwan was dropped to less than half normal capacity for a few days while the repairs were made.  Did you notice the drop in spam during that time?  We tracked a drop in more than 65% of dictionary attacks,  55% fewer stock spams, and a whopping 91% fewer illegal pill scams.  Very interesting don't you think?  Within a few hours of the Internet being restored to full speed our servers have reported a doubling of inbound connection attempts.  &lt;/p&gt;
&lt;p&gt;I personally find this very interesting that such a large amount of spam is coming from the Asian rim.  I wonder how much of that is zombie machines, and how much is being routed through Asia from places like India and Russia.&lt;/p&gt;
&lt;p&gt;We used to have a foreign country filter a few years ago.  Basically it looked at the IP of the machine connecting to us and tried to determine what the country of origin was for that IP address.  It was not always accurate because the ICANN does not require an IP Block to be registered to a specific location.  Many times the IP is registered where the parent company resides, not where the machines are physically located.  A number of the databases still list our servers in New York as being German because the datacenter we use is owned by 1and1 Internet GmbH (a German company).&lt;/p&gt;
&lt;p&gt;We are considering redeploying the system again.  For companies that only work with customers in the US it may be effective once again to filter foreign IP addresses.  We will investigate it further and do some test runs in our test lab.&lt;/p&gt;</description>
            <dc:creator>Emerald Technology, Inc.</dc:creator>
            <guid>http://techtalk.emeraldshield.com/archive/2006/12/23/10.aspx</guid>
            <pubDate>Sun, 24 Dec 2006 01:56:36 GMT</pubDate>
            <comments>http://techtalk.emeraldshield.com/archive/2006/12/23/10.aspx#feedback</comments>
            <wfw:commentRss>http://techtalk.emeraldshield.com/comments/commentRss/10.aspx</wfw:commentRss>
        </item>
    </channel>
</rss>