Monday, April 28, 2008 1:51:12 PM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | CudaMail | False Spam | Outlook Plug-In | Spam Filtering Service )
Mark - as the handler on duty at the Internet Storm Center - was nice enough not only to read all his spam for the week (about 2500 messages) but also to put together a nice chart showing what type of spam he was getting and from where:

| Description | Email Origin | Notes |
| --- | --- | --- |
| Greeting card | Germany | URL link to exe. 28/33 AV products detected the file; three days ago it was 4. |
| Viagra/Cialis Messages | Texas, Latvia, Paris, Russia, Chile, Mount Laurel (US), US, Italy, Israel | Links to Canadian Pharmacy web site. |
| Viagra/Cialis Meds | France | Web site Canadian Healthcare. |
| Movie downloads (in Chinese) | Argentina | Nothing: no links and nothing nasty, maybe a trial run. |
| Herbal remedies | USA, Germany, Sweden, Oman, Lithuania, Brazil | Products to enlarge body parts. The message contained a URL to one of three sites hosted in the same address range. The registrar owns 695 other domains; received 50 of them. |
| Lottery* | UK, Canada, Greece | So far this week I have won about $500,000,000, not bad for not entering any lotteries. The majority were sent from UK machines, machines at one particular facility. |
| Click Fraud | Spain, Bolivia, Poland | The links in the message are ad click redirects. |
| Paypal | US, France | The usual phishing exercise aimed at extracting account information. |
| I am Lonely Tonight | Turkey | The usual I'm lonely tonight emails. If you respond it goes into how she wants to travel and can't you help her out. |
| Fake Goods | Bombay, Russia, Bahrain, Greece, Italy, Turkey, Slovak Republic, Thailand | Fake goods, watches, bags, etc. |
| Business Proposal (419 messages) | US, Germany, Los Angeles, United Arab Emirates, The Netherlands, Japan | Transfer money and get a percentage. |
| Work offers | Belgium | Work for a few hours per week and make thousands; most of these linked to professional-looking sites. Typically they are recruiting for mules. |
| Threats | Turkey, Russia | There have been a few variants of these doing the rounds. |


Source: http://isc.sans.org/diary.html?storyid=4343

This is a lot of work that Mark has gone through but it does highlight the value of good metrics or ways of gauging how effective an anti-spam system is.

Here at the CudaMail support desk we occasionally get a client who at first is very upset that they got 5 spam messages in their inbox this morning and asks whether we can't do something about it. They are usually very thankful when we provide them with a report similar to the one below for their domain, showing that tens of thousands of messages have already been blocked for them and that these 5 messages are the start of a new campaign that they were lucky enough to get the first few messages from. Now that they have provided us with some samples to work with, we can stop this campaign in its tracks too.

Sample CudaMail Spam Quarantine Summary

Click CudaMail_Summary_for_Domain.pdf (12.76 KB) to download the PDF sample.

This also highlights the different perceptions we have as anti-spam specialists and the typical end-user or client. From our perspective we are fighting the good fight and our efforts are winning the war on spam. We block millions of messages a day and allow only a few tens of thousands to be delivered to the client. Typical statistics are that on average 97 out of every 100 messages are spam, and this is with a very low false positive rate (false positive = marking a wanted message as spam).

What is The Customer's Perspective On The Same Volume of Messages?

They are going about their important work without being bothered by those 97 out of 100 messages that are spam so when a few messages slip through to them all of a sudden they are being "flooded" with spam. Same numbers but a very different perspective on the issue.

What Can You - the CudaMail End-User - Do to Help Out?

1. Keep us in the loop. "One person's spam is another person's ham" as the saying goes, so we don't know what you did or did not sign up for online. We maintain a number of spam traps and are always looking for new spam messages, but we may not be first in line when a spammer fires up his money-making spam bot and sends out the latest surge. So if you are the lucky one to be first on the spammer's list and get a spam sample, there are two very good ways to provide this feedback to CudaMail support.

2. Install and use the Outlook plug-in. For those of you who use Microsoft Office with the full Outlook e-mail client, the plug-in is the easiest way to send spam samples back to CudaMail support, and we have blogged about this before. There are plug-ins available now for other e-mail clients (Thunderbird 2.x and Lotus Notes 6.5, 7 and 8) but these are undergoing beta testing right now.

You can read my blog post about it by going here:


3. Debug-ID. For those who don't run Outlook or don't want to run a beta plug-in you can simply forward just the Debug-ID of the unwanted messages to the support@CudaMail.com address.

A quick 'How to display full headers in client x' can be found at the following URL:
While support only needs the one line with the X-ASG-Debug-ID: number on it, go ahead and forward all the information in the full headers to us. What you do not want to do is forward the spam message body along with the full headers. What happens more often than not is that the CudaMail system will take your spam sample, re-process it and block it before it gets to support. We don't know that you were trying to send us this sample and can't do anything about it because we didn't get it in the first place. Now, typically we don't respond to every message providing a spam sample, but we do review each and every one of them and make sure that the system will block them in the future.
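As an added illustration (not part of the original post and not CudaMail's own tooling), here is a small Python script that pulls the X-ASG-Debug-ID out of a raw message and builds the headers-only report that support asks for, with the message body left out so the sample is not re-filtered on its way in. The sample message, its addresses and the Debug-ID value are constructed for this example; only the header name comes from the post.

```python
from email import policy
from email.parser import Parser
from typing import Optional

# Constructed sample message: the hosts, addresses and the Debug-ID value
# below are made up for this example and are not a real spam sample.
SAMPLE_MESSAGE = """\
Received: from mx.cudamail.example (mx.cudamail.example [192.0.2.10])
    by mail.customer.example with ESMTP id k3s9Ab12
    for <someone@customer.example>; Mon, 28 Apr 2008 09:15:02 -0600
X-ASG-Debug-ID: 1209395702-00000000000000000001-EXAMPLE
From: "Promotions" <promo@sender.example>
To: someone@customer.example
Subject: Your account statement
Date: Mon, 28 Apr 2008 09:14:55 -0600

Please see the attached offer.
"""

# The header name is the one the post tells clients to forward.
DEBUG_ID_HEADER = "X-ASG-Debug-ID"


def parse_message(raw: str):
    # policy.default unfolds multi-line headers such as Received for us.
    return Parser(policy=policy.default).parsestr(raw)


def debug_id(raw: str) -> Optional[str]:
    """Return the Debug-ID value, or None if the message never passed through the filter."""
    value = parse_message(raw).get(DEBUG_ID_HEADER)
    return None if value is None else str(value).strip()


def headers_only(raw: str) -> str:
    """Every header, one per line, with the body dropped so that forwarding
    the result does not hand the filter a second copy of the spam to block."""
    msg = parse_message(raw)
    return "\n".join(f"{name}: {value}" for name, value in msg.items())


def forwardable_sample(raw: str) -> str:
    """Build the text to send to support: the Debug-ID line first, then the full headers."""
    ident = debug_id(raw)
    if ident is None:
        raise ValueError(f"no {DEBUG_ID_HEADER} header; this message did not pass through the filter")
    return f"{DEBUG_ID_HEADER}: {ident}\n\n--- full headers ---\n{headers_only(raw)}\n"


if __name__ == "__main__":
    print(forwardable_sample(SAMPLE_MESSAGE))
```

Paste the printed text into a new message to support rather than forwarding the original: the Debug-ID line is what support needs, the remaining headers give context, and nothing in the output is the spam itself.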

With the above two thoughts in mind - perspective and feedback - what do you - the CudaMail client - want to see from the CudaMail system? Do you want to be sent reports on a regular basis (Daily, Weekly or Monthly) or will this just add to your information overload?

We look forward to hearing from you, either in the comments below or directly at support@CudaMail.com.

- Shaun

Friday, April 25, 2008 3:47:58 PM (Mountain Daylight Time, UTC-06:00) ( Barracuda Networks | Fortinet | Secure Computing | Spam Filtering Service )
Spammers are continuing to use the oldest trick in the book - social engineering - to try to get you to be part of their plan. The US CERT (Computer Emergency Readiness Team) has released a number of advisories over the last few weeks on recent Spammer tricks of impersonating someone trusted, like the tax department or a trusted news source, to get you to click on one of their web links.

Here are some recent samples:

IRS Rebate Phishing Scam
Federal Subpoena Spear-Phishing Attack
Radiation Leak - from a trusted news source
The text included with the links the Spammers send may make your pulse race (I can get my Tax rebate now!) and thus they try to get the emotional part of you to take control of your mouse before the logical part of your brain (This sounds fishy - better be safe and delete this message or call them direct to confirm) kicks in.

Guess what? By clicking on the link you played right into the Spammer's plan, and you either filled in a form (Phishing) and gave them information they can use to steal your identity or money, or your computer got infected and is now playing its part in sending out Spam.

How do you keep yourself safe while on the Internet?

Install and use a good anti-virus / anti-malware product and keep it up to date.

Take the time - at least once a month - to do a full update for security patches and then do a full anti-virus / anti-malware scan of your computer.

Use some reputable online scans to double check on your Anti-Virus.

F-Secure Health Check Online scanner
  • www.f-secure.com/healthcheck/
Panda Active Scan
  • www.pandasecurity.com/canada-eng/homeusers/solutions/activescan/default.htm?track=80383
Kaspersky
Secunia's Online Scanner (checks to confirm your software is up-to-date)

(Warning - these companies use these online services to try and sell you their products. You may have to provide an e-mail address to start one or more of these services, so you may get marketing-related messages after using them.)

At work you will want to use a higher-end firewall (such as a firewall from Fortinet or Secure Computing) or a dedicated web filter appliance (from Barracuda Networks) with a second layer of anti-virus / anti-malware / web content filtering between your computers and the Internet.

Spammers are the problem but we have to do our best to be part of the solution!

- Shaun
Friday, April 18, 2008 9:06:46 AM (Mountain Daylight Time, UTC-06:00) ( Black Market | Illicit Trade | National Geographic | Sophos | Spam Filtering Service | Threats )
New figures suggest that 92.3 percent of all email sent globally during the first three months of 2008 was Spam [1], and a second report indicates that the top botnets, if they worked together, are capable of sending over 100 billion Spam emails per day [2].

The data from Sophos also indicated that 23,300 new Spam-related web pages were created every day during the period, or one about every three seconds.

Each and every one of these 2.1 million URLs has to be discovered and added to the 'Intent' or URL database to be able to block them all, and you wonder why a few slip through the cracks?

Building a botnet first and then building 2.1 million web pages is a lot of effort to go through to send Spam touting the 'generic blue pill' or the latest 'real genuine copy' of the latest trendy fashion item be it a 'Designer Shoes Collection from Gucci Ugg Prada Chanel Dsquared' or other.

So Why Do Spammers Go To So Much Effort?

A recent National Geographic special called Illicit: The Dark Trade revealed the impact that all of these "knock-off" drugs, clothing, and accessories are having on the world (definitely worth watching). I didn't realize that the trade in counterfeit goods is a 600 Billion Dollar (USD) a year - yes that's a B, Billion - industry [3] and a lot of it is done by international crime rings.

If they get caught for a counterfeit purse or shoe the sentence they get is a lot lighter than if they were trying to sell illegal drugs but it is the same people that do both and for the same reasons - to take advantage of you and your desire for a deal. The special also showed that counterfeit goods are more than just the 'real fake watches' as everything from toothpaste, mouthwash, generic drugs, automotive and airplane parts are being counterfeited as well. You think that 'blue pill' you bought online for such a deal was the real thing? Think again - it probably contained Borax bleach, chalk and paint - if you're lucky!

It has often been said that if people just stopped buying from the Spammers then there would be no financial incentive for them to send their Spam emails.

Let's try this statement on for size - if you purchase something promoted by a Spam message that sounds too good to be true - it is likely a counterfeit item and you are directly contributing to organized crime and terrorism.

Now go out there and play safe.

- Shaun

[1] www.itnews.com.au/News/74071,new-spam-site-found-every-three-seconds.aspx
[2] www.secureworks.com/research/threats/topbotnets/?threat=topbotnets
[3] www.iacc.org/counterfeiting/counterfeiting.php

Wednesday, April 02, 2008 3:26:26 PM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | Barracuda Spam Firewalls | CudaMail | MX Backup | Spam Filtering Service )
Let's talk about what you can do to help make your e-mail more reliable and keep Spam out of your client's mailboxes.
 
First, most people have this idea that e-mail is both near instant and 100% reliable - unfortunately, both of these ideas are 100% wrong!

The SMTP protocol was designed when Internet links were both unreliable and slow, therefore the protocol was built to be resilient and to retry failed messages. However, the link speeds have now increased and have become more reliable, therefore people have gotten used to their e-mail arriving really quickly and so they have come to the unreasonable expectation that e-mail is near instant and 100% reliable.

Let's look at a couple of scenarios that will show that this is not the case as well as address some ways to increase your control over your e-mail server's level of reliability.
 
Case 1 - Single Mail Exchanger
 
A lot of e-mail domains right now have only 1 Mail eXchanger (or MX record) typically pointing to a single mail server at the head office.

So what happens if your Internet connection goes down or there is some "hiccup" with the mail server or your firewall (you do have a hardware firewall, don't you?)? Anyone who tries to e-mail you will not be able to, and the sender may get an undeliverable message (or not) from their mail server after some period of time.

The sending mail server should be configured to retry this message to you a number of times at some interval, both of which are set solely by the administrator of the sending mail server. In other words, you have no control over how often they will try again or for how long, and it will be different for each and every mail server that is trying to send to you. Talk about a troubleshooting nightmare!
 
Case 2 - Backup Mail Exchanger

When you publish an MX record via DNS, one of the properties of the record is a preference. Here is an example (fictitious) domain and the tool you would use to see what your MX records point to:
 
  nslookup -type=mx somedomain.com
  Non-authoritative answer:
  somedomain.com        MX preference = 10, mail exchanger = mail.somedomain.com
  somedomain.com        MX preference = 99, mail exchanger = smtp.SomedomainISP.com
 
What the above records say is that when sending e-mail to 'yourbuddy@somedomain.com', a sender should first try the mail server named 'mail.somedomain.com' and, if that fails, try to send the e-mail through the mail server named 'smtp.SomedomainISP.com'. Your ISP may even include this service for free if you ask them; however, these 'store and forward' backup mail servers typically just accept and forward messages WITHOUT anti-spam processing, and since the messages then arrive from a trusted source (your ISP), most mail servers are configured to accept them without further processing.

Guess what? The Spammers are aware of this little fact and will, in violation of the standard, try to send e-mail to your domain through your backup or secondary MX record. This is how a lot of Spam sneaks in today - it takes the back door and doesn't get challenged by the security guard at the front door - your primary anti-spam solution.
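An added example, not from the post and not Optrics' code: a Python script that parses MX lookup output into the order a sending server will try the exchangers and reports any backup exchanger that is not on a list of hosts known to run spam filtering, which is exactly the "back door" described above. It goes a little beyond the post by accepting both the nslookup format shown above and dig's format. The two sample outputs are constructed for the fictitious somedomain.com, and the set of filtered hosts is an assumption supplied by the caller.

```python
import re
from typing import List, Set, Tuple

# Constructed lookup output for the fictitious domain used in the post.
NSLOOKUP_OUTPUT = """\
Non-authoritative answer:
somedomain.com        MX preference = 10, mail exchanger = mail.somedomain.com
somedomain.com        MX preference = 99, mail exchanger = smtp.SomedomainISP.com
"""

# The same two records as dig would print them (also constructed).
DIG_OUTPUT = """\
somedomain.com.     3600    IN      MX      10 mail.somedomain.com.
somedomain.com.     3600    IN      MX      99 smtp.SomedomainISP.com.
"""

NSLOOKUP_RE = re.compile(r"MX preference = (\d+), mail exchanger = (\S+)")
DIG_RE = re.compile(r"\bIN\s+MX\s+(\d+)\s+(\S+)")


def parse_mx(output: str) -> List[Tuple[int, str]]:
    """Return (preference, host) pairs in the order a sending server tries
    them: lowest preference value first. Trailing dots from dig are removed."""
    records = []
    for line in output.splitlines():
        match = NSLOOKUP_RE.search(line) or DIG_RE.search(line)
        if match:
            records.append((int(match.group(1)), match.group(2).rstrip(".")))
    return sorted(records)


def backup_exchangers(records: List[Tuple[int, str]]) -> List[str]:
    """Hosts with a higher preference value than the best one. These are the
    secondary MX hosts that spammers deliberately deliver to."""
    if not records:
        return []
    lowest = records[0][0]
    return [host for pref, host in records if pref > lowest]


def unfiltered_backups(records: List[Tuple[int, str]], filtered_hosts: Set[str]) -> List[str]:
    """Backup exchangers not in the caller's set of hosts known to run the same
    anti-spam checks as the primary. Anything returned here accepts mail for
    the domain without those checks and needs fixing or replacing."""
    filtered = {h.lower().rstrip(".") for h in filtered_hosts}
    return [h for h in backup_exchangers(records) if h.lower() not in filtered]


if __name__ == "__main__":
    records = parse_mx(NSLOOKUP_OUTPUT)
    print("delivery order:", records)
    # Assumption for the demo: only the primary runs anti-spam filtering.
    print("unfiltered back doors:", unfiltered_backups(records, {"mail.somedomain.com"}))
```

Run it against your own domain by pasting in the real lookup output; an empty result from unfiltered_backups is what you want to see, which is the state the next section describes.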

So what is the solution to this problem?

Case 3 - Spam-Filtered MX Backup Service

Make sure your backup or secondary MX record points to a system or systems that are as hard on Spam as the protection on or in front of your mail server. This is the reasoning behind our CudaMail MX Backup Service.

We (Optrics Engineering) have been Barracuda Diamond Partners for a number of years and have seen the above problems (Case 1 and Case 2) a number of times with the clients we deal with. That is why we are offering not just an MX backup service but a Spam-Filtered MX Backup Service. We have a redundant cluster of Barracuda Spam Firewalls that we use to provide primary anti-spam protection for smaller organizations; we can use these same servers to accept your mail, scan it for Spam and deliver it to your mail server in the event that your anti-spam solution goes off-line or your Internet connection or firewall has an issue.

This cluster is configured to retry delivery to your mail server every 15 minutes for up to 48 hours. Those pesky Spammers who try to sneak in through the back door are going to be very surprised when they run into the CudaMail service on your secondary MX records and you now know how often and how long you have before people get an 'undeliverable' response back.

While e-mail is not 100% guaranteed the above service puts you in control and slams the door in the face of the Spammers.

Now go have a nice (Spam-free) day!

- Shaun

Friday, March 28, 2008 9:03:37 AM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | Barracuda Central | Barracuda Networks | CudaMail | ORDB | Spam Filtering Service )
As some of you may know, ORDB.org (aka the Open Relay Data Base) was one of the original real-time or IP-based blacklists. The idea was that as your mail server or anti-spam service (like CudaMail) was getting a connection from a sending mail server, you could ask ORDB.org whether the sender's IP address was known to ORDB, and if it was, you had a pretty good idea that you didn't want to accept this e-mail, as it was most likely spam being routed through an open relay mail server.
 
Well, after running as a free service for years, the ORDB.org service was shut down on December 18, 2006, and instead of replying it would just time out. Not a big deal: since your mail server didn't get a reply either way, it went on to other tests. They announced that they were going off-line and that at some time in the future they would be replying with a positive result to any new queries. This has happened many times over the years with various free anti-spam databases, for a variety of reasons. Most administrators didn't notice the ORDB.org announcement, or put the removal of this test on their 'to do' list and promptly forgot about it until now.
 
So on March 25, 2008, after giving fair warning, the DNS servers for ORDB.org started to answer every query with a positive result. All mail servers still using a spam-filtering solution that references ORDB (relays.ordb.org) immediately started to block all incoming e-mail regardless of its real status as a spam source. You can't blame the admins of ORDB.org, as they were providing this service for free and had been paying for the bandwidth used up by all these timed-out queries for the last 2 years.
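The ORDB shutdown is the textbook case for the sanity check every DNSBL client should run before trusting a list. The added Python example below (my illustration, not ORDB's or CudaMail's code) builds the reversed-octet query name, then checks the two test addresses later codified in RFC 5782 (127.0.0.2 must be listed, 127.0.0.1 must never be) and refuses to act on any list that fails either check. The resolvers are constructed stand-ins that run offline: bl.example, 192.0.2.1 and 198.51.100.7 are made-up values, and the two ORDB-style resolvers model the behaviour the post describes (two years of no answer, then a positive answer to everything).

```python
import ipaddress
from typing import Callable, Optional, Tuple

# A resolver takes a DNS name and returns the A record it maps to, or None
# when the name does not exist (NXDOMAIN). Real code would wrap a DNS client
# here; the resolvers further down are constructed stand-ins that run offline.
Resolver = Callable[[str], Optional[str]]

# Test addresses from RFC 5782: 127.0.0.2 must be listed by every working
# DNSBL, and 127.0.0.1 must never be listed.
MUST_BE_LISTED = "127.0.0.2"
MUST_NOT_BE_LISTED = "127.0.0.1"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Query name for ip in the DNSBL zone: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """An A record answer means the address is listed; NXDOMAIN means it is not."""
    return resolve(dnsbl_query_name(ip, zone)) is not None


def dnsbl_health(zone: str, resolve: Resolver) -> str:
    """Classify the list before trusting it:
    'lists-everything' - 127.0.0.1 comes back listed (the ORDB failure mode),
    'unresponsive'     - even 127.0.0.2 is not listed, so the zone is gone,
    'healthy'          - both test addresses answer as the RFC expects."""
    if is_listed(MUST_NOT_BE_LISTED, zone, resolve):
        return "lists-everything"
    if not is_listed(MUST_BE_LISTED, zone, resolve):
        return "unresponsive"
    return "healthy"


def check_sender(ip: str, zone: str, resolve: Resolver) -> Tuple[str, str]:
    """Return (verdict, list_health). A list that fails its health check is
    skipped instead of being allowed to reject (or accept) every sender."""
    health = dnsbl_health(zone, resolve)
    if health != "healthy":
        return ("skip", health)
    return ("reject" if is_listed(ip, zone, resolve) else "accept", health)


# Constructed resolvers. The zone bl.example and the listed address 192.0.2.1
# are made up for this example.
HEALTHY_ZONE = {
    "2.0.0.127.bl.example": "127.0.0.2",   # RFC 5782 test entry
    "1.2.0.192.bl.example": "127.0.0.2",   # a listed open relay
}


def healthy_resolver(name: str) -> Optional[str]:
    return HEALTHY_ZONE.get(name)


def dead_resolver(name: str) -> Optional[str]:
    # Models relays.ordb.org after March 25, 2008: every query gets a positive answer.
    return "127.0.0.2"


def silent_resolver(name: str) -> Optional[str]:
    # Models the two years when ORDB queries simply timed out; a real client
    # would turn a timeout exception into the same "no answer" result.
    return None


if __name__ == "__main__":
    for zone, resolver in (("bl.example", healthy_resolver),
                           ("relays.ordb.org", dead_resolver),
                           ("relays.ordb.org", silent_resolver)):
        print(zone, check_sender("198.51.100.7", zone, resolver))
```

The health check is cheap (two extra lookups, cacheable for hours) and turns a list that has gone bad into a skipped test rather than a mail outage; a mail server that had done this on March 25 would have logged "lists-everything" for relays.ordb.org and carried on delivering.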
 
While the CudaMail system does still use some of the no-charge databases out there to block spam, it does not use ORDB.org. Barracuda Central has also been actively working on its own internal reputation system. The Barracuda Reputation system is very mature at this point, with the end result that this database flags new spam sources sooner than the no-charge databases like ORDB.org used to. The real benefit of Barracuda Central maintaining this database is that there are dedicated people paid to maintain it as part of their business plan, so the problems experienced by people who rely on the free databases will not happen to CudaMail.

Now go have a nice spam free day!

- Shaun Sturby


About the author

Shaun Sturby, MCSE
Technical Services Manager, and Optrics' point person for email security


© Copyright 2008, Optrics Inc.