Davey Winder's Blog

Dumbest phisher in history revealed

By Davey Winder in Editorial

Posted in Blog, phishing, Spam, Security, email, Internet on June 21, 2008 at 1:06 pm


Look, like most people I get a lot of spam, and a fair amount of it would fall into the phishing scam category, I guess. Quite apart from the stuff that has been sent to one of my email accounts, I also get to see stuff forwarded to me by concerned readers of magazines or websites to which I contribute. A little hint: there is no point sending me copies of your spam, so please stop it. The only exception is when you have a real news story to throw in my direction, and ‘look at this spam’ is not it.

Anyway, the point of this posting is that it really takes a lot to stand out amongst the phishing crowd these days. Much of it is very sophisticated, using every technique possible to obfuscate the real sender address. Much of it comes in HTML format with the body painstakingly copied from an authentic bank or business communication: branding, logos and house style copied to the last dot. Much of it is very believable; after all, that is the whole point of a phishing scam: you have to reel your mark in, make them believe enough to bite, and get them caught on your fraudulent hook.

Which is why I just had to ignore my own ‘don’t forward your spam’ advice and share this message from what has to be a candidate for the dumbest phisher in history award.

What you won’t see here is the Japanese script which was left intact at the top of the HTML format email, something of a clue that the letter might not be from Dr Mike Ellis, Group Finance Director of the Halifax Bank of Scotland, after all. As, indeed, is the free webmail @yahoo.co.jp Japanese return address.

And that is all before we get to the bit about him happening to find a dormant account in his office, containing £15 million, and for some reason wanting to make a business arrangement with me so that we can share it. Not that ‘Dr Mike’ actually says what he has in mind, nor even that I should contact him about it. I guess he assumes I am smart enough to know a good thing when I see it and compose that eager response.

Do you think I should reply?

mkellis111@yahoo.co.jp

Good day to you,

I am Dr. Mike Ellis, Group Finance Director Halifax Bank of Scotland, I have urgent and very confidential business proposition for you. I discovered a dormant account in my office, worth 15,000,000 million pounds.

- Dr Mike Ellis


30 year old spam

By Davey Winder in Editorial

Posted in Blog, Spam on April 29, 2008 at 10:08 am


Although it seems hard to believe, spam is older than many of the people reading this blog entry. On May 3rd, according to New Scientist, spam will be 30 years old. It was then that one Gary Thuerk, a marketing man at the old Digital Equipment Corporation outfit, in his wisdom thought it would be a good thing to use this newfangled email and the equally newfangled Arpanet network to send an advertising message to all its users. Of course, back in May 1978, all its users equated to just 393 poor souls. Even with this small audience the spam was not well received: Thuerk got a number of complaints, and DEC got a wrist slapping from the Arpanet admin.

Shame that it did not all end there, isn’t it? Today we have some 120 billion spam messages being distributed every single day across the Internet, sapping resources in terms of manpower, finance and connectivity.

The 30 year birthday will not be getting a nice cake in the shape of a tin of luncheon meat from my wife, who happens to make very nice novelty cakes it has to be said, because I will not allow it. Not least as I don’t feel much like celebrating anything to do with spam right now. Having what you might call a middling to high online profile, there is no point in trying to hide my email address. It has been out there too long, it is too widely known, and changing it does not make sense from the business perspective. Unfortunately this does mean that it gets hijacked every now and then by the spammers, as it has been for the last week or so in fact. About 80 percent of my incoming email, ironically once you have filtered out the spam, is made up of bounce messages from other people’s spam filters telling me they think the message I have sent them regarding a Rolex watch, penis powering drug or top financial tip might be a wee bit spammy. No s*** Sherlock, really?

As usual, there is no real defence against this. Spammers will always forge a readily available email address as the sender in order to try and circumvent filters, and these addresses are chosen almost entirely at random. It could be you next week, or the week after. I have long since stopped chasing my tail and replying to folk in horror with ‘it wasn’t me’ messages, or even trying to complain to ISPs and the like. Life is too short, time is too precious, and it does no good anyway. All you, and I, can do in these circumstances is weather the storm. A simple filtering rule in my email client to move bounce messages into the spam folder prevents me from having to wade through them with my delete finger primed for action. It’s about the best there is, really.

I do hope that within the next 30 years we have found a way to deal with the spam problem though. Be that through cultural revolt, legislative action or technological advance. I don’t actually care how spam gets stopped, as long as it does…
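One way to build the bounce-moving rule mentioned above, as an added example rather than the author’s own filter: a small Python classifier that recognises delivery reports and, where the report quotes the bounced original, checks its Message-ID against the ids of mail you actually sent, so backscatter from a forged sender can be filed away without losing genuine bounces. The messages, addresses, Message-IDs and the idea of keeping a set of sent ids are all constructed assumptions.

```python
"""Classify bounces so backscatter (bounces for spam that forged our address as
sender) can be filed away without hiding genuine bounces. Added example; all
messages, addresses and Message-IDs are constructed."""
import email
from email import policy
from email.utils import parseaddr

# Constructed delivery report in the multipart/report shape used for DSNs,
# quoting the bounced original as a message/rfc822 part; {msgid} is filled in.
BOUNCE_TEMPLATE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: davey@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="rep1"

--rep1
Content-Type: message/delivery-status

Final-Recipient: rfc822; victim@example.net
Action: failed
Status: 5.7.1

--rep1
Content-Type: message/rfc822

From: davey@example.org
To: victim@example.net
Subject: Genuine Rolex, 90% off
Message-ID: {msgid}

--rep1--
"""

# Constructed ordinary message that the rule must leave alone.
NORMAL = """\
From: editor@example.com
To: davey@example.org
Subject: Re: column deadline

Can you file by Friday?
"""


def make_bounce(original_msgid):
    """Build a constructed bounce whose quoted original carries original_msgid."""
    return BOUNCE_TEMPLATE.format(msgid=original_msgid)


def is_delivery_report(msg):
    """True if msg looks like a bounce: a multipart/report DSN, mail from the
    MTA's daemon address, or anything marked as automatically generated."""
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    local_part = parseaddr(str(msg.get("From", "")))[1].split("@")[0].lower()
    if local_part in ("mailer-daemon", "postmaster"):
        return True
    return str(msg.get("Auto-Submitted", "")).lower().startswith("auto-")


def original_message_id(msg):
    """Return the Message-ID of the bounced original when the report quotes it
    as a message/rfc822 part, else None."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            mid = part.get_payload(0).get("Message-ID")
            return str(mid).strip() if mid else None
    return None


def classify(raw, sent_message_ids):
    """Return 'normal', 'genuine-bounce' or 'backscatter'. sent_message_ids is
    the set of Message-IDs of mail we really sent (assumed to be kept from the
    client's Sent folder); a bounce for anything else is backscatter."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_delivery_report(msg):
        return "normal"
    original = original_message_id(msg)
    if original is not None and original in sent_message_ids:
        return "genuine-bounce"
    return "backscatter"
```

Bounces that quote no original (plain-text reports from MAILER-DAEMON) are treated as backscatter, which matches the blunt move-everything rule described in the post.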


Say yes to spam

By Davey Winder in Editorial

Posted in Blog, Spam on March 31, 2008 at 12:09 pm


That, it would appear, is precisely what some fifty volunteers around the world will be doing from April 1st. They have not gone totally mad, but rather are taking part in an experiment to coincide with the 30th anniversary of the first spam e-mail. According to McAfee, the volunteers will live an online life totally unprotected from the scourge of spam, and will blog about the experience. Oh, and apparently they have to respond to all the spam they receive as they use the Internet as part of the study. If I did that I would need some kind of time machine to be able to keep up with the volume, to be honest.

The S.P.A.M project, that’s Spammed Persistently All Month in case you cared, will run for 30 days and is designed to “show the devastating effects of spam” what with the proven link between spam and cybercrime, McAfee assures me.

“Cybercrime won’t go away without solving the problem of spam,” said Dave DeWalt, chief executive officer for McAfee. “McAfee is leading the fight against cybercrime and spam. This experiment will raise awareness of the problem by showing that a 30-day diet of spam is bad for your online health.”

To track the daily progress of the S.P.A.M. Experiment and read reports from the participants, you can visit the S.P.A.M blog, but I have to admit I have a sneaky suspicion it will just say something like APRIL FOOL.

Surely that is the only explanation for this totally bizarre stunt? Neither McAfee nor anyone else needs to convince anyone of how annoying and how dangerous spam is, and it certainly does not need to send fifty innocent souls mad to prove the point.


Six bots deliver 85 percent of your spam

By Davey Winder in Editorial

Posted in Blog, Spam on February 29, 2008 at 9:47 am


Ever wondered where all your spam comes from? The Marshal TRACE team reckon they have found out, and the answer is pretty much a total of just six botnets. Indeed, Marshal reports that these six botnets account for the distribution of a staggering 85 percent of all spam at the moment.

The trouble is that the botnets doing most of the trade, and indeed which botnets are involved at all, tend to change on a regular basis, which makes nuking them a lot harder than you might imagine. For example, just three weeks ago it was the Mega-D botnet that ruled the spamming scumbag roost with a 39 percent distribution share; this week it has ‘just’ 21 percent and the Srizbi botnet is king of the (crap) heap with that 39 percent figure. The fluctuation has a lot to do with the discovery of, and subsequent active protection against, the malware which provides these botnets with their zombie PCs. In the case of Mega-D, for example, as soon as researchers discovered that the 35,000-strong botnet was being fed by the Ozdok malware and traced its control servers, its spam distribution hit zero.

“This week, Mega-D returned again to represent 21 per cent of spam after a 10-day period of inactivity. Owing to the break, Mega-D only accounted for an average of 11% of spam during February. At its peak last month, it was responsible for a third of all the spam we caught in our spam traps. While the recent publicity spooked the Mega-D spammers into taking their control servers offline, they have now clearly re-established themselves elsewhere,” said Bradley Anstis, Marshal VP of Products. “While Mega-D faltered, Srizbi emerged as the leading spam botnet in February. It is advanced and extremely stealthy malware. Lately, Srizbi has been particularly active in attempting to spread itself through spam campaigns using celebrities as lures,” added Anstis.

Strangely though, size isn’t everything in botnet land. Take the 85,000-zombie-strong Storm botnet, which only manages to account for some three percent of the total spam distribution pool according to Marshal. “The size of a botnet, measured by how many bots it has, does not necessarily correlate with how much spam it sends. Our TRACE team has observed huge variations in the rate at which different spambots pump out spam,” said Anstis.


The state of spam

By Davey Winder in Editorial

Posted in Blog, Spam, email, Internet on February 7, 2008 at 12:28 am


Symantec has just published the latest State of Spam Report and it highlights a rather worrying trend: namely a shift in the origination of spam from North America to EMEA. Indeed, the percentage of spam originating in the EMEA region by volume has now surpassed that of North America which has traditionally been at the heart of spam distribution.

This has not just happened in January alone, which the report covers in detail, but has been noted for the last three months in total. In January, Symantec observes, around 44% of all spam email came from Europe compared to just 35% heading out of North America.

Mind you, Symantec also admits that the very nature of the spammer means that it is actually rather difficult to pinpoint the geographic origin of spam with 100% accuracy. Spammers do everything they can to obscure their origin; after all, they don’t want law enforcement, or DNS block lists, to track them down.

One thing I can agree with Symantec on regarding the European spam issue is that it is most likely increased broadband usage that is driving the trend. Look at the figures and you discover that when it comes to the number of broadband users globally, Europe has much of the top ten list wrapped up. The last stats that I saw, which are six months old now, had 6 out of the top ten countries for broadband use located in Europe.

That said, when you consider the penetration of super-fast broadband, and we are talking 100Mb/sec speeds here, in Asian countries such as Korea, Japan and Singapore, it is somewhat surprising that Symantec reports only 15% of spam originating from that continent. So maybe the broadband thing is a bit of a red herring after all…


Top 10 emails you don’t want to read unless you are a greedy, selfish idiot

By Davey Winder in Editorial

Posted in Data Protection, Blog, Spam, Security, Internet on February 1, 2008 at 1:17 pm


McAfee Avert Labs has been compiling a list of the most prevalent email phishing scams as we get stuck into 2008, and as a result can reveal the top 10 emails you most certainly don’t want to be receiving. And so, in time honoured reverse order stylee, here are the email subject lines to watch out for:

10. Data confirmation
9. Information
8. JP Morgan Chase - Critical Account Information
7. Your Online Activity Confirmation
6. All cards (except the temporary cards) from this account are suspended.
5. Banking
4. Eilige Information
3. Sparkasse informiert Sie
2. Please confirm your data
1. Amazon.com Inc. Security Center

Funnily enough, I cannot think of a single instance when I would have even bothered to read any of those emails. They would all have been victims of my itchy delete button finger, I am glad to say.

Then again, nor would I have fallen for a complete stranger informing me that they have a terminal illness and asking for financial help. Maybe I am an uncaring heartless b’stard, or maybe I just have too much common sense. Some people are obviously too caring and have no sense whatsoever, as three men have pleaded guilty to running just such a scam in New York which netted them more than a million bucks!!! Of course, when you read the detail of the scams you realise that the real common factor the victims suffered from was greed, because the terminally ill person supposedly wanted to distribute 55 million dollars to charity before they died and needed someone to help out, who would get a percentage naturally enough.

Am I truly alone in thinking that these greedy and gullible idiots deserve everything coming to them? Think of it as a kind of digital evolution, culling the stupid and selfish from the Internet gene pool…


A quarter of all email includes a vicious link

By Davey Winder in Editorial

Posted in Data Protection, Blog, Spyware, Spam, Security on December 10, 2007 at 12:56 pm


That is the perhaps unsurprising warning contained in the MessageLabs Intelligence 2007 Security Report, which was published today. In a double whammy of bad news, MessageLabs warns that spam is the most dominant menace on the IT security agenda, with spam levels reaching a whopping 84.6 percent across the course of the year, plus of course the fact that 25 percent of email comes complete with a malicious link to take you directly to something very nasty indeed.

Perhaps the most worrying bit of this is that it is a trend that has stormed along (every pun intended, because the Storm botnet attacks have played a huge part in the statistics), with only 3 percent of email-borne viruses containing malicious links at the start of the year. To be honest, I find that figure rather low in any case. My mailbox would suggest, from both the malicious link emails I get and the messages from folk who have received them, that the problem has been rife for some time. Still, this trend towards malicious links does serve to demonstrate that virus writers are continuing to develop strategies to distribute malware.

MessageLabs also flags up the dangers of threats targeted at social networks during 2007, warning that these could increase in 2008. Certainly during 2007 there were several significant waves of such targeted attacks which appeared on the radar. Indeed, the report suggests that levels rose from one attack per day in 2006 to more than 1,100 over a 16 hour period during September 2007. The most recent was in November, when the first sector-specific attack took place with almost 1,000 individual attacks aimed at the financial sector.

Looking at the year by the numbers, the report comes up with the following to brighten your day:

MessageLabs identified an average of 1,253 new web sites per day harboring malware, which equates to almost half a million new malicious web sites appearing throughout the year.

The average virus level for 2007 was 1 in 117.7 emails (0.8 percent), which reflects a fall of 0.6 percent since 2006, when levels averaged 1 in 67.9 emails.

The number of phishing attacks rose to 1 in 156 emails across 2007, compared to 1 in 274.2 emails in 2006.


Spam? Not bovvered

By Davey Winder in Editorial

Posted in Spam on May 26, 2007 at 10:30 pm


I like to think that I am as on top of the spam situation as anyone else with a decent understanding of the technologies and strategies of both the spammer and the available solutions. I see relatively little real spam these days, thanks to decent server and client side filtering services doing their respective jobs respectably well. These fully trained and tailored systems are efficient enough to ensure that false positives are all but extinct. Not that this stops me having to check my junk folders far more often than I’d like, simply to satisfy my paranoia that the statistical 1 in 1000 genuine emails to get classified wrongly will be sitting there costing me money in lost business.

And there lies the rub: spam still annoys the hell out of me even if it has all but vanished from my sight.

Unlike, it would appear, the average user of email according to a new survey from the highly respected Pew Internet research team. When asked about how spam impacted upon their online lives, 25% of people said it was a big problem back in 2003. This year that number has dropped down to just 18%. So despite the volume of spam increasing, the impact it has upon the recipient is diminishing. Could this be just because we are getting used to it, getting used to ignoring it as well, and accepting spam as part of the Internet experience?

Despite 71% of those asked using ISP or employer provided filters to block spam, the report suggests that 37% of people were receiving more of the stuff than ever before, up from 24% three years ago. Only 10% said they were getting less spam, although porno junk mail has declined from 71% then to 52% now. This, I believe, is the real reason that people are ‘not bovvered’ as much by spam. Whereas drug related or financial junk stays fairly constant, the drop in explicit sexual mail is matched by a drop in the number of people saying spam is as big a problem as it used to be when porn was more prevalent.

Another trend that I have been picking up on is for people overwhelmed by their inbox backlog to go ‘email bankrupt’, which is when someone deletes the entire content of their inbox and starts afresh with a clean slate. I don’t recommend it, but I can certainly see why increasing numbers are turning to it. Just as I can understand why a growing minority of business users are shunning email in favour of the telephone once more when it comes to corporate communication.

The bottom line, as far as I am concerned, is not so much that more people are finding spam less of a big problem, but rather that 55% of those surveyed no longer trust email as a medium because of it. Combine that with the whole email bankruptcy thing, and that ‘bovvers’ me a great deal.


Botnet spam tricks are bad for business

By Davey Winder in Editorial

Posted in Spam on October 22, 2006 at 3:29 pm


Look out folks, the SpamThru Trojan which has been out in the wild for some months has just got even more dangerous, or so my security vendor research lab insiders tell me, and it was already one mean mother. The latest version of the thing has all the trappings of being backed by one of the better funded criminal gangs; it is no script kiddie concoction, that is for sure, despite being based on an already existing exploit.

Indeed, it uses pirated copies of Kaspersky Lab AV software to clean the bots that it infects and so get rid of competing infections that would otherwise use CPU resources it wants total ownership of. One really cannot help having just the slightest tinge of admiration for the pond-life that come up with these things, purely from the devious-use-of-technology perspective of course. These guys figured out that by using the same API as is embedded within the WinGate proxy software they could get Kaspersky software to do their dirty work for them. The code being developed now is not your typical back bedroom spotty oink stuff of a few years back, but of a quality right up there with games developers, application software developers and the like. Indeed, one has to suspect that talented coders are making the conscious decision to take the dark-development route, most likely spurred on by a hefty financial incentive.

Indeed, SpamThru is so clever that it actually encrypts all the spam message templates that it distributes to the bot network, and even uses a fully custom P2P protocol for inter-bot communication. This allows it to avoid the problem that some spam botnets encounter when a central control server is knocked out of play: SpamThru can simply and quickly update all bots with new control server details over the P2P network.

So should you be worried? You betcha. Ignore the small size of the botnet as it stands currently, which I am led to believe is between 2000 and 3000 bots; it is the technology being used that concerns me and should concern you. This, plus the fact that some researchers are pointing to links between these small botnets and a much larger controlling botnet in the background. Spam is big business that is bad for your business, that is the bottom line. But it is likely to be the smaller business that is infected, as enterprise level protection should kick SpamThru out of the field before it could do any damage. By clicking through the ‘allow executable’ dialog boxes of host-based firewalls itself (the giveaway being that they appear only briefly on-screen with the yes box already ticked), the Trojan can get on with the job all but unnoticed.

And unnoticed also applies to the original infection methodology in this case. Nobody I have spoken to seems to know for sure how the infection is spread, although the clever money is on a web exploit of course. One thing I do know is that the payload, unlike the delivery mechanism, is highly predictable: spam, spam, spam…


The war against spam goes global (US stylee)

By Davey Winder in Editorial

Posted in Spam on October 12, 2006 at 11:44 am


In a statement entitled ‘Spamhaus Litigation Update’, the Internet Corporation for Assigned Names and Numbers (ICANN) has made it clear that in the case of e360Insight, LLC et al. v. The Spamhaus Project, which is currently pending in the United States District Court, Northern District of Illinois, it cannot comply with any order requiring it to suspend Spamhaus.org or any specific domain name, because ICANN does not have either the ability or the authority to do so.

Interestingly, ICANN is not a party to the action, no such order has actually been issued as of yet, and there is growing speculation over whether, should an order be forthcoming (which is likely), ICANN is actually unable or merely unwilling. The ICANN argument rests upon the fact that only the Internet registrar with whom the registrant has a contractual relationship (Tucows in this case) can suspend an individual domain name.

Why should you care about such legal wrangling and responsibility squirming? Simple: Spamhaus is one of the biggest weapons out there in the fight against spam, and has been firing back at the spammer for many years now. Whether you agree with the whole blacklist blackhole approach to spam or not is pretty much by the by; the plain fact is that if Spamhaus is removed from the battlefield then the spammer gains ground, and we all end up with more spam.

So how did this end up at this potentially problematical point? Earlier this year e360insight sued Spamhaus, which it called a fanatical vigilante organisation, for including it in the spam blacklist database. The suit was originally filed in Illinois state court; Spamhaus argued successfully to get it moved to federal court, at which point it then said that US courts had no jurisdiction in the matter as it was a UK business operating out of the UK and e360insight should sue it here instead. As such, Spamhaus decided not to defend the action, reasoning that it was a waste of time and especially money if there was no jurisdiction anyway. Of course, with no defence the judge had no option but to file a default judgement against Spamhaus for $11.7 million in damages (which Spamhaus made clear it isn’t paying) as well as a demand to remove e360 from the blacklist (which it also isn’t doing, on the grounds that the judgement is unenforceable).

Unfortunately, this led to the court moving ahead with a proposed order instructing ICANN to suspend the domain, in effect taking Spamhaus out of business and handing victory to the spammers of this world on a big, gold, diamond encrusted plate. And that is no exaggeration if you believe the Spamhaus figures of 50 billion spam messages blocked by its system every single day. Yet the implications go beyond just the impact of 650 million mailboxes being swamped with a new wave of unfiltered spam traffic. There are political points at stake: the registrar in question, Tucows, is based in Canada, so if the US court orders them to suspend the domain, will they? If they do, will this prevent other possible blacklist services from taking up the Spamhaus banner?

If any of this happens, what is the future of ICANN, already under pressure from the United Nations and the international community at large for giving too much control of the global Internet to the US? Certainly if it ends up that a US court can order a US body such as ICANN to turn off any domain anywhere in the world on its say so, then I cannot see how that body can retain confidence or any validity outside of the US.

For now, at least, I think I have to say well done to ICANN (not something that happens often) for taking a somewhat principled stand. Well, I think so; the real stand will come when any such suspension order is actually made…
