Monday, April 28, 2008
Monday, April 28, 2008 1:51:12 PM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | CudaMail | False Spam | Outlook Plug-In | Spam Filtering Service )
Mark - as the handler on duty at the Internet Storm Center - was nice enough to not only read all his spam for the week (about 2500 messages) but he also put together a nice chart showing what type of spam he was getting and from where:

| Description | Email Origin | Notes |
|---|---|---|
| Greeting card | Germany | URL link to exe. 28/33 AV products detected the file; three days ago it was 4. |
| Viagra/Cialis Messages | Texas, Latvia, Paris, Russia, Chile, Mount Laurel (US), US, Italy, Israel | Links to Canadian Pharmacy web site. |
| Viagra/Cialis Meds | France | Web site Canadian Healthcare |
| Movie downloads (in Chinese) | Argentina | Nothing, no links and nothing nasty; maybe a trial run. |
| Herbal remedies | USA, Germany, Sweden, Oman, Lithuania, Brazil | Products to enlarge body parts. The message contained a URL to one of three sites hosted in the same address range. The registrar owns 695 other domains; received 50 of them. |
| Lottery* | UK, Canada, Greece | So far this week I have won about $500,000,000, not bad for not entering any lotteries. The majority were sent from UK machines, machines at one particular facility. |
| Click Fraud | Spain, Bolivia, Poland | The links in the message are ad click redirects. |
| Paypal | US, France | The usual phishing exercise aimed at extracting account information. |
| I am Lonely Tonight | Turkey | The usual I'm lonely tonight emails. If you respond it goes into how she wants to travel and can't you help her out. |
| Fake Goods | Bombay, Russia, Bahrain, Greece, Italy, Turkey, Slovak Republic, Thailand | Fake goods, watches, bags, etc. |
| Business Proposal (419 messages) | US, Germany, Los Angeles, United Arab Emirates, The Netherlands, Japan | Transfer money and get a percentage. |
| Work offers | Belgium | Work for a few hours per week and make thousands; most of these linked to professional-looking sites. Typically they are recruiting for mules. |
| Threats | Turkey, Russia | There have been a few variants of these doing the rounds. |


> Source: http://isc.sans.org/diary.html?storyid=4343

This was a lot of work for Mark to go through, but it highlights the value of good metrics, that is, ways of gauging how effective an anti-spam system actually is.

Here at the CudaMail support desk we occasionally get a client who is at first very upset that they got 5 spam messages in their inbox this morning and asks whether we can do something about it. They are usually very thankful when we provide them with a report similar to the one below for their domain. It shows that tens of thousands of messages have already been blocked for them, and that these 5 messages are the start of a new campaign of which they happened to receive the first few. Now that they have provided us with some samples to work with, we can stop this campaign in its tracks too.

Sample CudaMail Spam Quarantine Summary



> Click CudaMail_Summary_for_Domain.pdf (12.76 KB) to download the PDF sample

This also highlights the different perceptions we have as anti-spam specialists versus the typical end-user or client. From our perspective we are fighting the good fight and our efforts are winning the war on spam. We block millions of messages a day and allow only a few tens of thousands to be delivered to the client. Typical statistics are that on average 97 out of every 100 messages are spam, and this is with a very low false positive rate (a false positive is a wanted message marked as spam).

What is The Customer's Perspective On The Same Volume of Messages?

They are going about their important work without being bothered by the 97 out of 100 messages that are spam, so when a few messages slip through to them they are all of a sudden being "flooded" with spam. Same numbers, but a very different perspective on the issue.

What Can You - the CudaMail End-User - Do to Help Out?

1. Keep us in the loop. "One person's spam is another person's ham," as the saying goes, so we don't know what you did or did not sign up for online. We maintain a number of spam traps and are always looking for new spam messages, but we may not be first in line when a spammer fires up his money-making spam bot and sends out the latest surge. So if you are the lucky one to be first on the spammer's list and get a spam sample, there are two very good ways to provide this feedback to CudaMail support.

2. Install and use the Outlook plug-in. For those of you who use Microsoft Office with the full Outlook e-mail client, the plug-in is the easiest way to send spam samples back to CudaMail support, and we have blogged about this before. Plug-ins are now available for other e-mail clients (Thunderbird 2.x and Lotus Notes 6.5, 7 and 8), but these are undergoing beta testing right now.

You can read my blog post about it by going here:


3. Debug-ID. For those who don't run Outlook or don't want to run a beta plug-in, you can simply forward just the Debug-ID of the unwanted messages to the support@CudaMail.com address.

A quick 'How to display full headers in client x' can be found at the following URL:

While support only needs the one line with the X-ASG-Debug-ID: number on it, go ahead and forward all the information in the full headers to us. What you do not want to do is forward the spam message body along with the full headers. What happens more often than not is that the CudaMail system takes your spam sample, re-processes it, and blocks it before it gets to support. We don't know that you were trying to send us the sample and can't do anything about it because we never received it in the first place. We typically don't respond to every message providing a spam sample, but we do review each and every one of them and make sure that the system will block them in the future.
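As an added illustration of step 3 (this is example code written for this post, not CudaMail's own tooling), the script below pulls the X-ASG-Debug-ID value out of a message's full headers and builds a report for support that carries the headers only, leaving the spam body out so the filter has nothing to re-process. The sample headers, the Debug-ID value and the sender address are constructed.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Constructed sample: full headers plus body of a message that slipped through.
# Every value here is made up for the example; X-ASG-Debug-ID is the header
# name the post says support needs.
SAMPLE_MESSAGE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.com with ESMTP id ABC123
From: "Lottery Dept" <winner@example.net>
To: user@example.com
Subject: You have won!
X-ASG-Debug-ID: 1209400000-0123456789abcdef-ABCDEF
Date: Mon, 28 Apr 2008 13:51:12 -0600

Congratulations, you have won $500,000,000. Click here to claim.
"""


def debug_id(raw_message: str) -> Optional[str]:
    """Return the X-ASG-Debug-ID header value, or None if the header is absent."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    value = msg.get("X-ASG-Debug-ID")
    return str(value).strip() if value else None


def build_sample_report(raw_message: str, sender: str,
                        support: str = "support@CudaMail.com") -> EmailMessage:
    """Build the message to forward to support: every original header,
    none of the original body, so the sample is not filtered on the way."""
    did = debug_id(raw_message)
    if did is None:
        # Without a Debug-ID the message never passed through the filter.
        raise ValueError("no X-ASG-Debug-ID header present")
    original = email.message_from_string(raw_message, policy=policy.default)
    headers_only = "\n".join(f"{name}: {value}" for name, value in original.items())
    report = EmailMessage()
    report["From"] = sender
    report["To"] = support
    report["Subject"] = f"Spam sample, Debug-ID {did}"
    report.set_content("Full headers of the missed spam message follow.\n\n"
                       + headers_only + "\n")
    return report


if __name__ == "__main__":
    print(build_sample_report(SAMPLE_MESSAGE, "user@example.com"))
```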

With the above two thoughts in mind - perspective and feedback - what do you - the CudaMail client - want to see from the CudaMail system? Do you want to be sent reports on a regular basis (Daily, Weekly or Monthly) or will this just add to your information overload?

We look forward to hearing from you, either in the comments below or directly at support@CudaMail.com.

- Shaun

 Wednesday, March 19, 2008
Wednesday, March 19, 2008 8:18:24 AM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | CudaMail | False Spam | Spam Filtering Service )
'False Spam' is the term for messages that are blank or contain garbled text with no links or real message.

Yes, they are unwanted messages, but there is no real 'body' to the spam, just some garbled words. The message that the spammer wanted to send was not included, and so these messages are ineffective as spam.
 
Why would the Spammers want to send 'False Spam'?

Just speculating here, but it could be anything from someone doing a 'test spam run' that got away on them and sent nonsensical random text without the advertisement. If that is the case then: 'Silly spammer, you wasted your money on this one!'
 
It could also be an effort to see what got through, using 'Out of Office' replies or 'Delivery Receipts' to harvest valid e-mail addresses. If the spammer gets any response back other than 'undeliverable', they know there is a valid e-mail address on the other side. It is a good idea not to send 'Out of Office' messages outside your organization if at all possible. It is also a good idea to disable 'Delivery or Read receipts' in both your e-mail client and your mail server, even though some people rely on them.
 
A third possibility is that spammers may be trying to poison Bayesian or statistical filter databases by sending out these random words and phrases. A poisoned database makes it that much harder to pick the spam out of the noise and could result in more false positives.
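The two defensive points above (recognising a blank or garbled 'False Spam' body, and not auto-replying to it or to any outside sender) as a small added example; this is illustration code written for this post, not CudaMail's filter logic. The sample bodies, the function-word list and the thresholds are constructed for the example.

```python
import re

# Constructed sample bodies; none is a real message.
SAMPLES = {
    "false_spam": "quartz lantern pivot gravel sonnet ember fathom brisket nominal ghost",
    "blank": "   \n\n  ",
    "real_spam": "Buy cheap meds today, visit http://pharmacy.example/order now!",
    "ham": "Hi Shaun, attached is the quarantine summary for our domain. Thanks, Dana",
}

URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)

# Small set of English function words: real prose nearly always contains some,
# strings of random dictionary words usually contain none (constructed list).
FUNCTION_WORDS = {"the", "a", "an", "is", "are", "to", "of", "for", "and", "you",
                  "your", "in", "on", "we", "our", "this", "that", "it", "with",
                  "now", "at", "be"}


def classify(body: str) -> str:
    """Label a message body as 'blank', 'false_spam' or 'content'.

    'content' covers both ham and real spam: anything with a link or
    readable prose carries a payload and is left to the normal filter.
    """
    text = body.strip()
    if not text:
        return "blank"
    if URL_RE.search(text):
        return "content"
    words = re.findall(r"[a-z']+", text.lower())
    if not words:
        return "false_spam"
    function_ratio = sum(w in FUNCTION_WORDS for w in words) / len(words)
    has_sentence_punct = bool(re.search(r"[.!?,]", text))
    if function_ratio < 0.1 and not has_sentence_punct:
        return "false_spam"  # random words, no structure, no link
    return "content"


def suppress_autoreply(sender: str, body: str, own_domain: str) -> bool:
    """Policy from the post: no Out of Office or receipt for mail from outside
    the organisation, and none for blank or garbled mail from anyone."""
    outside = not sender.lower().endswith("@" + own_domain.lower())
    return outside or classify(body) != "content"
```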
 
Rest assured that CudaMail is working hard to clean up these 'False Spam' messages as quickly as we can.

- Shaun


About the author

Shaun Sturby, MCSE
Technical Services Manager, and Optrics' point person for email security


© Copyright 2008, Optrics Inc.