Posted by TommyCarlier // Tue, Jul 31, 2007 7:34 AM Our company is about to release a product we’ve been working on for more than 3 years, and we’re running into this annoying problem. via MSBuild RSS Feeds
Read More… (From Email Spam News)

In 2004, Bill Gates of Microsoft promised that the spam problem would be ’solved’ in two years time. Three years later, Microsoft’s Hotmail service receives four billion messages a day, more than 90% of which are spam.
Read More… (From Spam News)

The purpose of the spam is a throwback to the early days of e-mail abuse

July 31, 2007 — Spammers are jumping on the success of The Simpsons Movie to trick e-mail users into validating their addresses, so they … via ComputerWorld
Read More… (From Email Spam News)

If you are looking for a good free anti spam spamfighter - a free spam blocker or free spam filter - to help you deal with spam email, here are a couple of free spam filters and free spam blockers - including free anti spam software - that you may not have heard about! Now you can deal with your spam mail with your choice of a free Internet spam filter or free anti spam software! There is even free anti spam software for World of Warcraft users (SpamMeNot and one version of SpamSentry).
Read More… (From The Internet Patrol)

A Marina del Rey man believed to be the first to plead guilty or be convicted at trial under a federal anti-spam law passed four years ago was sentenced Monday to six months of home detention. via KNBC
Read More… (From Email Spam News)

“It is common that spammers will use large events, such as film premieres, wide-scale media stories, or holidays to coerce e-mail users into a scam. We are hoping to avoid having our users fall victim to these scams by filtering away these e-mails”

Spammers are once again taking advantage of a blockbuster film, The Simpsons Movie. via Customer Interaction Solutions
Read More… (From Email Spam News)

“By breaking the communication cycle, the botnets are rendered harmless without affecting other services.”

A security tool that identifies botnets and blocks attacks from these zombie networks is being made available by Trend Micro online in the software-as-a-service model. via PC World
Read More… (From Email Spam News)

Our friends over at SpamShield have come up with a really nifty use for Google maps - they have created a spam map - they call it “Spam World” - which maps where all the spam is coming from - around the world - in real time (well, updated every fifteen minutes).
Read More… (From The Internet Patrol)

“The success of blogs, forums, etc, has not gone unnoticed to cyber crooks, who use them to try to infect as many people as possible”

Script kiddie tool foils captchas

Virus writers have created a malicious tool capable of automating the publication of spam and links to sites hosting malware on forums and blogs. via Channel Register
Read More… (From Email Spam News)

A rash of virus-laden spam has been going around posing as Hallmark e-cards or other e-cards. “You’ve received a greeting ecard from a friend” says the subject. Variations include “You’ve received a greeting card from a partner”, “You’ve received a greeting postcard from a class-mate”, and “You’ve received a greeting ecard from a class mate”. The “ecard” appears to come from such legitimate sounding addresses as hallmark.com, MyPostcards.com, postcards.org, e-cards.com, NetFunCards.com, FunnyPostcards.com, Greeting-Cards.com, and VintagePostcards.com. Whatever the variation, it’s not only spam, it’s almost certainly carrying a virus or a trojan which will turn your computer into a spam- and virus-sending robot.
Read More… (From The Internet Patrol)

“Cloudmark Authority for SpamAssassin enables all service providers to benefit from the same high level of accuracy and performance as tier-one service providers.”

Cloudmark, the global leader in carrier-grade messaging security, today announced Intergenia, a provider of hosting and broadband services, as its first European customer to deploy Cloudmark Authority for … via Light Reading
Read More… (From Email Spam News)

The other hazard I’d like to look at with regards to SPF and SenderID is the issue of newsletters, or more specifically, bulk emailers. Bulk emailers have a long and checkered history of using questionable email practices. They put lots of advertising in their messages that spammers often mimic (refinance your mortgage, reduced price software, free <insert word here>), they leave opt-out requests unselected on sign-up pages (often in grey text with font size = 1), they sell your email address to other bulk emailers (jerks) and usually insert a lot of HTML in their messages, a lot like how spammers used to do it a couple of years ago. Still, even though there are a lot of grey-hat mailers, there are some legitimate ones as well. Bulk email really is a necessity to business. Businesses have to keep in contact with their customers, and those that have signed up to receive email from the business want to hear from them. If a customer wants to hear about the latest sale at Home Depot, or United Airlines wants to tell its preferred customers about its latest vacation travel package, or Starwood Hotels keeps bugging me about its latest savings plan even though I only stayed with them one time and regret turning over my email address, the reality is that email marketing is something that business must do. I think a good bulk emailer does the following things:

  1. It honours opt-out requests by providing a link to click on, rather than replying with REMOVE in the subject line.
  2. It doesn’t sell your email address to anyone.
  3. It makes you opt-in by default - that means that the checkbox is unclicked when you go to the page to sign up for something. This is more the responsibility of the merchant, but still…
  4. It doesn’t ask you to whitelist them when you receive their messages.
  5. It publishes SPF and SenderID records.

Aside from that, bulk mail has the issue of how it identifies itself. Suppose that website goodmailers.com has SPF record v=spf1 ip4:1.2.3.4. It then does a mailing campaign for Northwest Airlines. What does it put in the message headers?

Let’s deal with SPF first. In the message From: address, it could put promotions @ nwa.com. It could put a different Reply-To to get replies, but what does it put in the Envelope Sender? Suppose the SPF record for nwa.com is v=spf1 ip4:139.72.159.240 ip4:139.72.159.241 mx ~all. That means that goodmailers.com, if they don’t want to get mail rejected by email servers that use SPF, must put mail @ goodmailers.com as the envelope sender. Wouldn’t that look a little odd? It is supposedly coming from nwa.com but the Return-Path says goodmailers.com? I don’t know that much about marketing and branding, but I bet somebody at nwa.com does and wouldn’t like a bulk sender putting their stamp on their customer marketing messages. But, if goodmailers puts promotions @ nwa.com as the envelope sender, then from the above we can see that if the mail is coming from 1.2.3.4 (the IP authorized to send mail from goodmailers.com), this will fail the SPF check from nwa.com’s SPF record. So, on the one hand we have a marketing problem and on the other we have a security problem.

In reality, nwa.com gets around this by having a different SPF record than what I put above. It’s actually the following: v=spf1 ip4:139.72.159.240 ip4:139.72.159.241 mx include:elabs3.com ~all. Northwest Airlines actually outsources their bulk mail to EmailLabs and specifically authorizes them to send email for them. This means that elabs3.com can send bulk mail for Northwest Airlines and put nwa.com as the envelope sender. A SenderID implementation will take a look at this SPF record, and because elabs3.com is authorized to send mail, it will (probably) extract the PRA, most likely the From: or Sender: address, and this, too, will pass an SPF check.

This raises the question of whether or not Northwest Airlines really wants to add elabs3.com to their SPF records. They don’t own EmailLabs, so that means there needs to be a lot of trust between them and NWA. This may not be so bad for an airline, but what about a financial institution? In a discussion last week, one of my colleagues said that financial institutions should never outsource their bulk email service. It’s too much of a risk. If the bulk mailer was ever compromised (or ever turned gray or black) they could do an incredible amount of damage to their customers in a short amount of time. The emails would get through SPF and SenderID checks and customers might be tempted to enter in their information. On the other hand, there would be an incredible lawsuit in that case and the email provider would be out of business in short order - both from the lawsuit and from the loss of business. It’s still debatable whether or not financial institutions and even other businesses want to add bulk mailers to their SPF record. If you don’t control the domain in your SPF record, you may want to think twice before adding it. On the other hand, as a business you probably want to outsource your mass emailing. I guess the CFO and chief security officer need to evaluate the risk/reward ratio.
Read More… (From Terry Zink’s Anti-spam Blog)

Both SenderID and SPF have their critics. I’d like to touch on two potential problems with them: the first is the issue of email forwarding. There’s no official standard on how email is to be forwarded (in terms of rewriting the headers). Suppose that Mail Server A sends the message and everything complies with SenderID or SPF - the envelope sender is correct, the domain has its SPF or SenderID records set up correctly, and so forth. The message goes through some internal routing, but then is subsequently forwarded by another outside mail server (perhaps an open relay) with no change to the email headers. Or, consider the case of receiving mail at one mail host on your network which then relays it to a central mail server. What happens? Well, since the last hop of the message route is the transmitting IP that the receiving email server receives the message from, it only makes logical sense to use the envelope sender / PRA and that IP in doing an SPF or SenderID check. Since nothing was rewritten in the message headers, this will fail a sender authentication. The creators of SPF actually admit that this is a problem and suggest whitelisting the IP as a possible workaround:

Checking SPF On Forwarded Mail Mail forwarding is set up by the receiver and so for forwarded mail, the border mail server should be checked rather than the the forwarder’s mail server [sic]… Authorized forwarders should be whitelisted against SPF checks to avoid this problem.

Note: OpenSPF needs to clean up their grammar. I’m not a big fan of this workaround. Whether it’s your own internal mail servers routing the mail (SPF is designed to be used at the border of your network) or some other forwarder somewhere, my experience with whitelisting is that you’ll be forever whitelisting IPs. Just when you think you’ve found one forwarder, another one pops up. I can’t tell you how many times I’ve fixed a false positive caused by spam regex rules thinking I’ve fixed all of our broken rules only to see another broken rule pop up. The fact of the matter is that there are lots of mail forwarders out there and chances are you’ll never find them all. While SenderID has the theoretical advantage of checking the Sender headers or Resent-(From|Sender) headers and could (in theory) look through the other email headers trying to extract the original sending IP and matching the PRA, I think this is a lot of trouble as well because it would have to figure out which IP in the headers was the original one and also detect which headers are fake and which are not.

So, how can mail servers get around this problem? As a spam analyst who has processed over one hundred thousand false positives, I’ve long since learned that even though an anti-spam technique is supposed to be 100% designed to hit spam, it almost always hits legitimate messages that the designer of the technique hadn’t considered. The technique is good at stopping spam but inevitably proves to be overly sensitive. In the case of SPF and SenderID, this email forwarding is a legitimate problem. My own preferred technique is to tweak the recommended implementation. Whereas SPF and SenderID say you should reject mail that fails an authentication test, I prefer to score it aggressively. For example, if we have a spamminess scale based upon probability that runs from 1 to 10, with 1 being non-spam and 10 being spam, assume that if a message scores higher than 5.0, it is considered spam.

The recommendations for SPF and SenderID say to reject mail based upon a test failure, so their probability grades would be 10.0. Thus, even combined with other elements in the mail that knock down its spamminess, it’s unlikely to get under the spam threshold. My way of doing it would be to score an authentication failure at 6.0, enough to get the message over the spam threshold, but not so far above it that non-spammy elements couldn’t bring it back down. In my experience, most spam contains elements that mark it somewhat spammy anyway, while non-spam contains elements that make it non-spammy. A message with an authentication failure will oftentimes have other elements that will keep it over the spam threshold, while a non-spam message with a failure will usually (75% of the time) be able to be pulled under the threshold. Of course, there are times when spam will get pulled under (false negatives) and non-spam gets pushed over (false positives), but in my experience, it is generally better to err on the side of reduced false positives.
Read More… (From Terry Zink’s Anti-spam Blog)
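The two Terry Zink excerpts above (the bulk-mailer `include:` question and the forwarding / scoring discussion) can be walked through in code. What follows is an added example written for this page, not code from Terry Zink's blog, from OpenSPF, or from any of the companies named. It is a toy SPF evaluator over a constructed, in-memory lookup table rather than live DNS: nwa.com's two records and the names goodmailers.com and elabs3.com are quoted from the post, while the elabs3.com record, the MX host address, the EmailLabs sending IP, the forwarder IP and the additive scoring rule are assumptions made for the demo.

```python
"""Toy SPF evaluator plus the 'score, don't reject' policy from the post.

Added example, not code from Terry Zink's blog or from OpenSPF. SPF_RECORDS
and MX_HOSTS are a constructed stand-in for DNS (no network access). nwa.com's
two records and the domains goodmailers.com / elabs3.com come from the post;
the elabs3.com record, the MX address, the EmailLabs sender IP (203.0.113.7)
and the forwarder IP (192.0.2.10) are assumptions.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups.
SPF_RECORDS = {
    "goodmailers.com": "v=spf1 ip4:1.2.3.4 -all",
    # nwa.com before and after delegating to EmailLabs (both records from the post)
    "nwa-before.example": "v=spf1 ip4:139.72.159.240 ip4:139.72.159.241 mx ~all",
    "nwa.com": "v=spf1 ip4:139.72.159.240 ip4:139.72.159.241 mx include:elabs3.com ~all",
    "elabs3.com": "v=spf1 ip4:203.0.113.0/24 -all",   # assumed record
}
# Constructed stand-in for MX lookups (addresses of each domain's MX hosts).
MX_HOSTS = {"nwa.com": ["198.51.100.25"], "nwa-before.example": ["198.51.100.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, depth=0):
    """Evaluate `domain`'s SPF record for the IP the receiver is talking to.

    Only the mechanisms the post's records use are implemented: ip4, mx,
    include and all. An `include` matches only if the included domain
    evaluates to pass; its fail/softfail does not propagate."""
    if depth > 10:          # RFC 4408 caps DNS-mechanism recursion at 10
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        matched = (
            mech == "all"
            or (mech == "ip4" and addr in ipaddress.ip_network(arg, strict=False))
            or (mech == "mx" and str(addr) in MX_HOSTS.get(domain, []))
            or (mech == "include" and check_spf(arg, ip, depth + 1) == "pass")
        )
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"        # no mechanism matched and no explicit 'all'


def bulk_mailer_cases():
    """The bulk-mailer problem: who may put nwa.com in the envelope sender?"""
    return {
        # goodmailers.com (1.2.3.4) using nwa.com as envelope sender: not authorised
        "goodmailers_as_nwa": check_spf("nwa.com", "1.2.3.4"),
        # the same mailer using its own domain: passes, but the Return-Path looks odd
        "goodmailers_as_self": check_spf("goodmailers.com", "1.2.3.4"),
        # EmailLabs (assumed IP inside elabs3.com's range) before and after the include
        "elabs_before_include": check_spf("nwa-before.example", "203.0.113.7"),
        "elabs_after_include": check_spf("nwa.com", "203.0.113.7"),
    }


def forwarded_case():
    """The forwarding hazard: nwa.com's own server sends to a mailbox that
    forwards the message onward unchanged, so the final receiver only sees
    the forwarder's IP and checks that against nwa.com's record."""
    origin_ip, forwarder_ip = "139.72.159.240", "192.0.2.10"   # forwarder assumed
    return {
        "at_first_hop": check_spf("nwa.com", origin_ip),
        "after_forward": check_spf("nwa.com", forwarder_ip),
    }


SPAM_THRESHOLD = 5.0


def score_message(spf_result, other_rule_scores, auth_fail_score=6.0):
    """Combine an SPF result with the other rules' scores on the post's 1-10
    scale (assumed here to be additive and clamped). Reject-on-fail is
    modelled as auth_fail_score=10.0; the post's preference is 6.0."""
    score = auth_fail_score if spf_result in ("fail", "softfail") else 1.0
    score += sum(other_rule_scores)
    return max(1.0, min(10.0, score))


def is_spam(score):
    return score > SPAM_THRESHOLD


def scoring_cases():
    # Constructed rule scores: a forwarded newsletter carrying non-spammy
    # features (-1.5, -1.0, -0.5) and a phish carrying spammy ones (+1.5, +2.0).
    fwd = forwarded_case()["after_forward"]
    return {
        "newsletter_reject_policy": is_spam(score_message(fwd, [-1.5, -1.0, -0.5], 10.0)),
        "newsletter_score_policy": is_spam(score_message(fwd, [-1.5, -1.0, -0.5], 6.0)),
        "phish_score_policy": is_spam(score_message("fail", [1.5, 2.0], 6.0)),
    }


if __name__ == "__main__":
    for name, result in {**bulk_mailer_cases(), **forwarded_case(), **scoring_cases()}.items():
        print(f"{name:26} {result}")
```

Running it shows the three points of the excerpts side by side: goodmailers.com sending with nwa.com as envelope sender gets softfail under either nwa.com record, EmailLabs only passes once `include:elabs3.com` is present (which is exactly the trust decision the post worries about), and the unchanged message re-sent by a forwarder softfails even though it passed at the first hop. Under the 10.0 "reject" weighting the forwarded newsletter stays over the threshold despite its non-spammy features; at 6.0 those features pull it back under, while the phish with spammy features stays flagged.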

“Trying to define ‘good’ for every blog is impossible”

Back in January Amit Agarwal wrote a post called “How to Reduce RSS Stress In Your Online Life” in which he talked about managing enormous lists of RSS feeds. via Read/Write Web
Read More… (From Email Spam News)

Last Friday’s Asian WSJ, and the online edition (subscription only, I’m afraid), published a feature I’d been working on for a while: The digital divide. I focused on Newmont’s mine in Sumbawa, in eastern Indonesia, and the company’s limited success in…
Read More… (From loose wire blog)

“In India, strong family-oriented values act as a dampener for any cyber crime related to infiltrating computers with malware, spams and viruses”

Research by US-based IT security and control firm SophosLabs shows that only 2.8 per cent of all spam or malware - software designed to infiltrate or damage a computer system - comes out of India. via The Telegraph
Read More… (From Email Spam News)

(This is the text of my weekly Loose Wire Service column, syndicated to newspapers like The Jakarta Post. My thanks to Joe Wein for the information that made this column possible.) A lot of people think that online scams happen…
Read More… (From loose wire blog)
