Tuesday, April 01, 2008
Tuesday, April 01, 2008 8:53:40 AM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | April Fool's Day | CudaMail | Spam | Threats )
April Fool's Day is upon us - don't be an e-mail fool - as the Spammers will be trying to take advantage of our love of a good laugh.
 
As always be very careful when you get an e-mail that you don't expect. Just last week my own wife sent me a video via e-mail and the first thing I did was call her and ask if she had sent it to me. It turns out she had but it could easily be an e-mail containing Spam/malware like the latest storm being reported on by the Internet Storm Center.

Storming into April on Fools Day

http://isc.sans.org/diary.html?storyid=4222

Here are some subject lines to watch out for (there may be more variations):

  • All Fools' Day
  • Doh! All's Fool
  • Doh! April's Fool.
  • Gotcha!
  • Gotcha! All Fool!
  • Gotcha! April Fool!
  • Happy All Fool's Day.
  • Happy All Fools Day!
  • Happy All Fools!
  • Happy April Fool's Day.
  • Happy April Fools Day!
  • Happy Fools Day!
  • I am a Fool for your Love
  • Join the Laugh-A-Lot!
  • Just You
  • One who is sportively imposed upon by others on the first day of April
  • Surprise!
  • Surprise! The joke's on you.
  • Today You Can Officially Act Foolish
  • Today's Joke!
The e-mails either contain or have links to a nasty malware payload.

The download is a binary, also with varying names:

foolsday.exe
funny.exe
kickme.exe

In your e-mail it will look something like this:

April Fool's Day http://276.233.234.297 <= This is an invalid link intended to be harmless

CudaMail blocks .EXE attachments by default so anyone using our CudaMail managed anti-spam service is not going to be getting any of the malware payloads but some of the links may slip through.
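
The indicators listed in this post (the subject lines, the payload file names, and a link whose host is a bare IP address) can be checked mechanically against a raw message. The Python below is an added example, not part of the original post and not CudaMail's filter; the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Indicators taken from the post: subject lines and payload file names.
SUBJECTS = [
    "All Fools' Day", "Doh! All's Fool", "Doh! April's Fool.", "Gotcha!",
    "Gotcha! All Fool!", "Gotcha! April Fool!", "Happy All Fool's Day.",
    "Happy All Fools Day!", "Happy All Fools!", "Happy April Fool's Day.",
    "Happy April Fools Day!", "Happy Fools Day!", "I am a Fool for your Love",
    "Join the Laugh-A-Lot!", "Just You",
    "One who is sportively imposed upon by others on the first day of April",
    "Surprise!", "Surprise! The joke's on you.",
    "Today You Can Officially Act Foolish", "Today's Joke!",
]
PAYLOADS = {"foolsday.exe", "funny.exe", "kickme.exe"}
# A link whose host is a bare dotted quad, as in the post's sample line.
IP_LINK = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?=[/:\s]|$)", re.I)

def norm(text):
    """Lower-case, drop punctuation, collapse spaces so small variations match."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", text.lower()).split())

KNOWN = {norm(s) for s in SUBJECTS}

def triage(raw):
    """Return the indicators from the post that appear in one raw message."""
    msg = message_from_string(raw)
    hits = []
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    if norm(subject) in KNOWN:
        hits.append("subject")
    names, body = [], ""
    for part in msg.walk():
        if part.get_filename():          # attachment: remember its name
            names.append(part.get_filename().lower())
        elif part.get_content_maintype() == "text":
            body += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    if IP_LINK.search(body):
        hits.append("ip-link")
    if PAYLOADS & set(names) or any(p in body.lower() for p in PAYLOADS):
        hits.append("payload-name")
    return hits

# Constructed sample that reuses the post's deliberately invalid address.
SAMPLE = "Subject: Happy April Fools Day!\n\nApril Fool's Day http://276.233.234.297\n"
if __name__ == "__main__":
    print(triage(SAMPLE))
```

A subject match on its own is weak evidence ("Just You" is an ordinary phrase); a message that also carries a bare-IP link or one of the payload names is the stronger signal.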

We are blocking new variants as quickly as they are discovered but the best defense is to be educated to not click on unsolicited links.

Consider yourself educated. :)

- Shaun

 Monday, March 17, 2008
Monday, March 17, 2008 12:55:04 PM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | Barracuda Central | Barracuda Networks | Barracuda Spam Firewalls | CudaMail | Robert Soloway | Spam | Spam Stats | Threats )
Notorious 'spam king' Robert Soloway has pleaded guilty to additional charges (fraud and tax evasion) related to his previous conviction for sending out huge volumes of Spam.
 
US Department of Justice indictment against Soloway:
> www.usdoj.gov/usao/waw/press/2007/may/soloway.html
Seattle Times article on Soloway's guilty plea on the new charges:
> http://seattletimes.nwsource.com/html/localnews/2004283998_spamking15m.html 
The question to the reader therefore is 'Do you think that this sentence will result in less spam to your inbox?'
 
Sadly, the answer is probably 'no', as the trend in Spam is still increasing and human nature, on both sides of the equation, being what it is, won't change.
 
There are a number of sites you can go to if you want to look at Spam trends and one such site is Barracuda Central:

www.barracudacentral.com/index.cgi?p=spam
 
You can go there if you want to look at the pretty graphs but the number that jumps out at me is that worldwide the number of messages processed by all Barracuda Anti-Spam Firewalls yesterday was over 2 Billion. 2,277,470,908 to be exact and of that number the vast majority or 2,170,841,992 (95.32%) were blocked as Spam. This is in contrast to the same statistics a year ago where the number of messages processed per day was around 1 Billion per day and the Spam percentage was around 92%.
 
Sadly, the Spam mix is still about 50% off-brand pharmaceuticals and about 25% knockoff products which tells you what is profitable to the Spammers. If people stopped responding to these advertisements and voted with their cash then the Spammers would not be profitable and would have to look elsewhere for their next easy meal.

Will human nature change overnight?
 
Probably not. Consumers want a good deal and are not likely to change, and the Spammers have found a financial niche that they fit into, so expect the volume of Spam to continue and even increase as the effectiveness of anti-spam solutions like the Barracuda appliances, which CudaMail is powered by, makes the Spammers' job that much harder. They will ramp up their efforts to sneak Spam past such solutions rather than change their nature.
 
- Shaun

 Monday, March 10, 2008
Monday, March 10, 2008 1:03:35 PM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | CudaMail | Spam | Threats | Valentine's Day )
A recent report that Spammers are taking advantage of the interest in the US Elections to try and peddle Viagra along with the other things that Spammers are taking advantage of - like Valentine's Day - make me think that things are getting worse instead of better and also makes me wonder if we are going to have to go to some form of 'walled city' for our e-mail.

The SMTP standard was designed to be open and people at that time (about 30 years ago now) wanted such an open system that there are now gaping holes that Spammers are using to send a deluge of Spam to our users.
 
What the Spammers are doing at the moment must be effective because I review the daily logs from our systems and this is really brought to light when on a Sunday, not a typical business day, our systems process in excess of 1.5 million messages. Out of that number less than 13,000 or LESS than 1% (0.866%) were allowed through to the mail servers. Now we don't claim that we can block 100% of Spam so there is a very small percentage that gets through so let's say that 1/10 of 1% of the 13,000 is Spam. That means that out of 1.5 million messages only 13 Spam messages got through to our users.
 
This brings up two interesting questions:

1. How many people are buying from Spammers?

- If only a handful of messages are getting through the Spammers must have a high close ratio and a high margin to make this make economic sense.
 
2. Are we going about solving the Spam problem the wrong way?

- Why should we have to process 1.5 million messages when less than 1% are legitimate?
 
Some organizations have to be more open to whom they accept e-mail from because that is the nature of their business - online sales from almost anyone - but what about those organizations that only get a few e-mail messages from a few select partners? Could they set up a closed e-mail system where there is a process to be added to their accept list and reject all other e-mails? They could even set up 2 e-mail domains: the first with a few common e-mail addresses like sales@, support@ and billing@ for their public mail presence, and the second - by invite only - domain for their real mailboxes.
 
The first domain will get a ton of Spam but will act like a switchboard with only a few select people having to review the messages and forward them internally to the people that will take action on them. The second domain will not accept e-mail from just any domain so it will be very easy to track down the source of any "Spammy" messages and stop them.
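
The two-domain 'walled city' described above comes down to a decision made when the sending server names the recipient. The Python below is an added example, not code from the original post or from CudaMail; the domain names, the accept list and the function names are hypothetical, and it assumes the check runs only on the Internet-facing gateway.

```python
from collections import Counter

# Hypothetical names: example.com is the public "switchboard" domain,
# example.net the invite-only domain that holds the real mailboxes.
PUBLIC_DOMAIN = "example.com"
PUBLIC_ROLES = {"sales", "support", "billing"}
PRIVATE_DOMAIN = "example.net"
ACCEPT_LIST = {"partner-a.example", "partner-b.example"}

def split_addr(addr):
    """Split an envelope address into (local part, domain), lower-cased."""
    local, _, domain = addr.strip().strip("<>").rpartition("@")
    return local.lower(), domain.lower().rstrip(".")

def rcpt_decision(mail_from, rcpt_to):
    """Decide at RCPT TO time; returns (SMTP reply code, reason)."""
    _, s_domain = split_addr(mail_from)
    r_local, r_domain = split_addr(rcpt_to)
    if r_domain == PUBLIC_DOMAIN:
        if r_local in PUBLIC_ROLES:
            return 250, "public role address, reviewed by the switchboard staff"
        return 550, "no such public mailbox"
    if r_domain == PRIVATE_DOMAIN:
        # Mail arriving from outside must not claim to come from our own domains.
        if s_domain in (PRIVATE_DOMAIN, PUBLIC_DOMAIN):
            return 550, "outside sender claiming to be us"
        if s_domain in ACCEPT_LIST:
            return 250, "sender domain is on the accept list"
        return 550, "sender not on the accept list"
    return 550, "relay denied"

def accepted_by_partner(envelopes):
    """Count private-domain deliveries per accept-list entry, for tracing spammy mail."""
    tally = Counter()
    for mail_from, rcpt_to in envelopes:
        code, _ = rcpt_decision(mail_from, rcpt_to)
        if code == 250 and split_addr(rcpt_to)[1] == PRIVATE_DOMAIN:
            tally[split_addr(mail_from)[1]] += 1
    return tally

# Constructed envelopes: (MAIL FROM, RCPT TO).
SAMPLE = [
    ("<bob@partner-a.example>", "<alice@example.net>"),
    ("<x@bulk-sender.example>", "<alice@example.net>"),
    ("<x@bulk-sender.example>", "<sales@example.com>"),
    ("<alice@example.net>", "<alice@example.net>"),
]
```

MAIL FROM is supplied by the sending server, so the accept list only means something when it is paired with a check that the connecting host is authorized for that domain, such as SPF or a per-partner IP restriction.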
 
What do you think? Have you thought of or implemented a 'walled city' plan for your e-mail? Let us know in the comments.
 
- Shaun

 Monday, March 03, 2008
Monday, March 03, 2008 10:18:59 AM (Mountain Standard Time, UTC-07:00) ( Anti-Spam | CudaMail | e-cards | Spam | Threats )
According to this article at the Internet Storm Center (http://isc.sans.org/diary.html?storyid=4054) the bot handlers are working to build up their Spam sending bot network by sending out e-Card spam.

These seemingly harmless e-mails claim that there is something special for you, either a joke or a surprise, and more often than not will trick you into opening them.

Be part of the solution and don't get tricked by these e-Cards. If you know the sender then confirm with them (not by e-mail) that they really sent it to you.

If they didn't send it or if it is sent anonymously then don't open it no matter how curious you are. There are a lot of other joke sites on the Internet or you can always go have a chat with your Grandpa. :)

- Shaun

 Thursday, February 28, 2008
Thursday, February 28, 2008 4:57:21 PM (Mountain Standard Time, UTC-07:00) ( Anti-Spam | CudaMail | Outlook Plug-In | Spam )
Do you want to educate the CudaMail system so it understands better what kind of e-mail you want to get and what you consider as spam?

Do you want to have a very easy way to submit SPAM and false positive reports?

Do you want an easy way to keep your white list up to date?

If you answered YES to any of the above questions then you may want to try the Outlook Plug-in.

Getting to Know The Outlook Plug-In:


This very simple toolbar can be installed in the Outlook 2000 to 2007 e-mail client (not Outlook Express or the new MS Mail) to give you some additional options and two new buttons. These Green and Red buttons with an envelope and either a Check Mark (good) or Red X (bad) make the process of sending a report back to the system that you consider a message SPAM or Wanted as easy as clicking on the corresponding button. It can't get any simpler than that!

To download the toolbar simply go to the CudaMail Web Portal and click on the 'Get Mail Client Plugins Here' link at the bottom of the page. (this download link is only for current CudaMail customers - if you have a Barracuda Spam Firewall and want the plug-in go talk to your network administrator)

Per-user Web portal is at https://web.CudaMail.com

Once you download the Outlook Plug-in you have to run it to install it so you need to do this with an account that has administrative access to your PC. After it is installed you should be able to get to the 'Spam Firewall' tab under the 'Tools' - 'Options' menu item and it should look something like this:



What Does This All Mean?

Automatically Update White list: When this option is checked off, every time you add someone as a new personal contact or e-mail someone they will be added to your personal white list. While this sounds like a great idea, you need to log in to your personal options area on the CudaMail system on a semi-regular basis to clear out old or stale white list entries and specifically to make sure your own e-mail address is not on the white list.

A typical spammer trick is to send you spam pretending to be you so you do not want to white list your own e-mail address or you will get more spam.

This can happen by accident if you 'reply all' to an e-mail and don't take your e-mail address off or if you are in the habit of always cc'ing yourself.

Additional Button Actions:

Spam: Permanently Delete Message or Move to Deleted Items folder.

While I like to completely get rid of any spam messages by leaving it on the 'Permanently Delete Items' option you have no way of easily getting back any message you accidentally marked as Spam. By setting this option to 'Move to - Deleted Items Folder' you can always rescue it from there if you have an accident.

Not Spam: Add E-Mail addresses to Whitelist. When a message comes through with the subject tagged as spam '[CudaMailTagged] -original subject' and you click on the Green button to submit a 'falsely marked as spam' report, this option will also update your personal whitelist so that this sender's e-mail will not be tagged in the future.

There is a second benefit to the plug-in as it is building your own personal database of 'Good' and 'Bad' messages that are unique to you. Once you have marked at least 200 messages of each type then the statistical analysis or 'Barracuda Bayesian Learning' will kick in and provide additional protection against Spam. You will only be able to mark messages that have been processed by the CudaMail system so don't just select everything in your inbox and try to mark them all as 'good'. What you should do is look at the message and ask yourself 'Did this e-mail come from outside our organization and is it a representative sample of e-mail that I want to get in the future?'

This plug-in is also the answer to questions like the following:

1. How do I automatically whitelist all of my contacts?
2. I get so few messages in the per-user quarantine how am I ever going to get 200 'good' messages?
3. How do I send you samples of spam that I don't want?

Does the Outlook plug-in work with Microsoft Vista?

Yes the Outlook Plug-in versions 2.1.0.5 and above work with Microsoft Vista and Outlook 2007. The plug-in version can be found on the licensing screen when installing the plug-in, or in Microsoft Outlook by viewing the Spam Firewall tab in the Options window. The version number will be located in the bottom-right corner of the window.

If you can, give the Outlook Plug-in a try. I have been using it myself for the last 2 years and I get a sense of joy every time I can click on the 'Spam' button because I know that this is making the Spammer's job that much harder next time.

- Shaun


About the author

Shaun Sturby, MCSE
Technical Services Manager, and Optrics' point person for email security

© Copyright 2008, Optrics Inc.