Friday, April 18, 2008
Friday, April 18, 2008 9:06:46 AM (Mountain Daylight Time, UTC-06:00) ( Black Market | Illicit Trade | National Geographic | Sophos | Spam Filtering Service | Threats )
New figures suggest that 92.3 percent of all email sent globally during the first three months of 2008 was Spam [1], and a second report indicates that the top botnets, if they worked together, are capable of sending over 100 billion Spam emails per day [2].

The data from Sophos also indicated that 23,300 new Spam-related web pages were created every day during the period, or one about every three seconds.

Each and every one of these 2.1 million URLs has to be discovered and added to the 'Intent' or URL database to be able to block them all, and you wonder why a few slip through the cracks?

Building a botnet first and then building 2.1 million web pages is a lot of effort to go through to send Spam touting the 'generic blue pill' or the latest 'real genuine copy' of the latest trendy fashion item be it a 'Designer Shoes Collection from Gucci Ugg Prada Chanel Dsquared' or other.

So Why Do Spammers Go To So Much Effort?

A recent National Geographic special called Illicit: The Dark Trade revealed the impact that all of these "knock-off" drugs, clothing, and accessories are having on the world (definitely worth watching). I didn't realize that the trade in counterfeit goods is a 600 Billion Dollar (USD) a year - yes that's a B, Billion - industry [3] and a lot of it is done by international crime rings.

If they get caught with a counterfeit purse or shoe, the sentence they get is a lot lighter than if they were trying to sell illegal drugs, but it is the same people that do both and for the same reasons - to take advantage of you and your desire for a deal. The special also showed that counterfeit goods are more than just the 'real fake watches': everything from toothpaste, mouthwash, generic drugs, automotive and airplane parts is being counterfeited as well. You think that 'blue pill' you bought online for such a deal was the real thing? Think again - it probably contained Borax bleach, chalk and paint - if you're lucky!

It has often been said that if people just stopped buying from the Spammers then there would be no financial incentive for them to send their Spam emails.

Let's try this statement on for size - if you purchase something promoted by a Spam message that sounds too good to be true - it is likely a counterfeit item and you are directly contributing to organized crime and terrorism.

Now go out there and play safe.

- Shaun

[1] www.itnews.com.au/News/74071,new-spam-site-found-every-three-seconds.aspx

[2] www.secureworks.com/research/threats/topbotnets/?threat=topbotnets

[3] www.iacc.org/counterfeiting/counterfeiting.php

Wednesday, April 16, 2008 9:34:07 AM (Mountain Daylight Time, UTC-06:00) ( Barracuda Networks | Barracuda Website Firewall | SQL Injection )
According to John Leyden (from "The Register") in his article "Security gumshoes locate source of mystery web compromise", the source of the mystery injection of more than 10,000 websites back in January has been uncovered!

He says:

"Thousands of legitimate websites were compromised at the start of the year to serve up malware, as we reported at the time.

It seemed that the exploitation of SQL Injection vulnerabilities was involved in the automated attacks. The precise mechanism was unclear until earlier this week when security researchers discovered a malicious executable later linked to the attack on a hacker site.

The hacker utility used search engines to find insecure websites that it then tried to exploit using an SQL injection attack. The exploit included an SQL statement that tried to inject a script tag into every HTML page on the website.

The tool - which had an interface written in Chinese - was programmed by default to insert a tag to the same malicious JavaScript file that featured in the January attack, solid evidence that it was at least partially behind the assault.

The tool runs a script called pay.asp, hosted on a server in China. This suggests that hackers running the attack were keeping count of the number of sites they had compromised, in order to work out how much they stand to get paid.

Further analysis of the tool by security researchers at the SANS Institute's Internet Storm Centre (ISC) is ongoing. The tool came to their attention via a tip-off from Dr Neal Krawetz. The initial attack was uncovered by security researcher Mary Landesman, of ScanSafe, who described it at the time as a new type of compromise.

The constant, changing flux of the malicious JavaScript served up by compromised sites made initial analysis difficult. With the benefit of the hacker tool used to pull off the attack this all becomes much clearer, much like it was easier for scientists to unravel a cure for the mystery pandemic that blighted mankind in Twelve Monkeys after they obtained a sample of the pure source.

"The nice thing about this is that we finally managed to confirm that it is SQL Injection that was used in those attacks. The tool has more functionality that we still have to analyze but this is the main purpose," writes ISC handler Bojan Zdrnja.

Website owners ought to use the discovery as a wake-up call on the need to ensure that their web applications are secure, he added."

If you are worried about SQL injection and other attacks on your website then you should take a look at Barracuda Network's newest solution called the Website Firewall. For more information or to arrange for an eval unit please visit: www.BarracudaNetworks.ca/Searchresult.aspx?CategoryID=74.

Thursday, April 10, 2008 3:32:21 PM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | CudaMail | McAfee | S.P.A.M. | Spam Stats )
Don't get enough spam already and think you should get more? Then you will probably feel jealous of the 50 participants of McAfee's global Spammed Persistently All Month (S.P.A.M.) experiment for April. These 50 regular Joes, ranging from a 17-year-old high school student (Hello Zach) to a mother of three (Zach's Mom Tracy) and a university student (Katya) among others in all areas of the globe, are the guinea pigs in this experiment running throughout April 2008.

Basically these participants have been given a dedicated laptop, a pre-paid credit card and a mission. Their mission is to do everything wrong and see what the results are. They are going to respond to Spam messages - buy the 'Genuine Replica Watches' on-line and sign up for everything they can and see what happens. William reported on Day 2 that without any protective software running he received 160 Spam messages and is getting pop-ups and browser hijacks 'on a regular basis'. The Blogs are a very interesting read.

Here Are My Predictions:

1. The laptops that these people are using will become a "willing soldier" in one of the Spam Bot armies lurking out there and may end up sending themselves (and us) more Spam. How is that for irony?

- Collectively the top botnets are capable of sending over 100 billion Spam messages per day*

2. Malware - The laptops will have to be wiped and re-installed for everyone at least once during the month. They are going to do this anyway for the participants at the end of the experiment before they get to keep them so this will be good practice. I'm not sure I would trust these laptops even after they are wiped though with the rootkits that are now being incorporated into the Bot software. Reports are coming in already that the laptops are slowing down and becoming unresponsive.

3. Massive consumption of time - the management of this Spam will take more and more time until these participants will not be able to do anything but read and reply to e-mail all day long.

4. Cyber Crime - all the participants have been given 'new identities' just like someone in the witness protection program to use online. I predict that some of these identities will be sold on the black market and thus stolen.

McAfee is of course going to use this experiment to advertise that there is a lot of Spam out there and that you need protection but I could have told you that - just look at the CudaMail statistics page. ;)

- Shaun

* Source: www.secureworks.com/research/threats/topbotnets/?threat=topbotnets

For More Information:

www.mcafeespamexperiment.com
www.echannelline.com/canada/printer.cfm?item=DLY040708-2

Wednesday, April 02, 2008 3:26:26 PM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | Barracuda Spam Firewalls | CudaMail | MX Backup | Spam Filtering Service )
Let's talk about what you can do to help make your e-mail more reliable and keep Spam out of your client's mailboxes.
 
First, most people have this idea that e-mail is both near instant and 100% reliable - unfortunately, both of these ideas are 100% wrong!

The SMTP protocol was designed when Internet links were both unreliable and slow, therefore the protocol was built to be resilient and to retry failed messages. However, the link speeds have now increased and have become more reliable, therefore people have gotten used to their e-mail arriving really quickly and so they have come to the unreasonable expectation that e-mail is near instant and 100% reliable.

Let's look at a couple of scenarios that will show that this is not the case as well as address some ways to increase your control over your e-mail server's level of reliability.
 
Case 1 - Single Mail Exchanger
 
A lot of e-mail domains right now have only 1 Mail eXchanger (or MX record) typically pointing to a single mail server at the head office.

So what happens if your internet connection goes down or there is some "hiccup" with the mail server or your firewall (you do have a hardware firewall, don't you?)? Anyone who tries to e-mail you will not be able to, and the sender may get an undeliverable message (or not) from their mail server after some period of time.

The Sending mail server should be configured to retry this message to you a number of times at some interval both of which are set solely by the administrator of the sending mail server. In other words, you have no control over how often they will try again or for how long and it will be different for each and every mail server that is trying to send to you. Talk about a troubleshooting nightmare!
 
Case 2 - Backup Mail Exchanger

When you publish an MX record via DNS one of the properties of the record is a preference. Here is an example (fictitious) domain and the tools you would use to see what your MX record points to:
 
nslookup -type=mx somedomain.com
Non-authoritative answer:
somedomain.com        MX preference = 10, mail exchanger =
mail.somedomain.com
somedomain.com        MX preference = 99, mail exchanger =
smtp.SomedomainISP.com
 
What the above record is saying is that when sending e-mail to 'yourbuddy@somedomain.com' to first try sending it to the mail server named 'mail.somedomain.com' and if that fails to try and send the e-mail through the mail server named 'smtp.SomedomainISP.com'. Your ISP may even include this service for free if you ask them, however these 'store and forward' backup mail servers typically just accept and forward messages WITHOUT anti-spam processing and since they are from a trusted source (your ISP) most mail servers are configured to accept without further processing.

Guess what? The Spammers are aware of this little fact and will, in violation of the standard, try to send e-mail to your domain through your backup or secondary MX record. This is how a lot of Spam sneaks in today - it takes the back door and doesn't get challenged by the security guard at the front door - your primary anti-spam solution.

So what is the solution to this problem?

Case 3 - Spam Filtered MX Backup Service

Make sure your backup or secondary MX record points to a system or systems that are as hard on Spam as the protection on or in front of your mail server. This is the reasoning behind our CudaMail MX Backup Service.

We (Optrics Engineering) have been Barracuda Diamond Partners for a number of years and have seen the above problems (Case 1 and Case 2) a number of times with the clients we deal with and are offering not just an MX backup service but a Spam Filtered MX Backup Service. We have a redundant cluster of Barracuda Spam Firewalls that we use to provide primary anti-spam protection for smaller organizations but can use these same servers to accept, scan for Spam and deliver to your mail server in the event that your anti-spam solution goes off-line or your Internet connection or firewall has an issue.

This cluster is configured to retry delivery to your mail server every 15 minutes for up to 48 hours. Those pesky Spammers who try to sneak in through the back door are going to be very surprised when they run into the CudaMail service on your secondary MX records and you now know how often and how long you have before people get an 'undeliverable' response back.
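To make the Case 1 to Case 3 discussion concrete, here is an added example (my own illustration, not Optrics or CudaMail code) that parses the fictitious nslookup output above into delivery order, lists the exchangers that do not sit behind a spam filter, and reads a message's Received headers to tell whether it came in through the front door or the back door. The Received headers and the host exchange.somedomain.local are constructed for the example.

```python
import re

# Matches one MX record in nslookup -type=mx output once the wrapped line is joined.
MX_LINE = re.compile(r"MX preference = (\d+), mail exchanger = (\S+)", re.I)

# Matches the "from X ... by Y" part of a Received header.
RECEIVED = re.compile(r"^Received:\s+from\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)


def parse_mx(nslookup_output):
    """Return [(preference, host), ...] sorted lowest preference first.
    nslookup wraps the exchanger name onto the following line, so the
    'exchanger =' / newline pair is joined before matching."""
    flat = re.sub(r"=\s*\n\s*", "= ", nslookup_output)
    found = [(int(p), h.lower().rstrip(".")) for p, h in MX_LINE.findall(flat)]
    return sorted(found)


def delivery_order(records):
    """Hosts in the order a standards-conforming sender tries them."""
    return [host for _, host in records]


def unfiltered_exchangers(records, filtered_hosts):
    """Exchangers not known to run spam filtering. Each one is the Case 2
    back door: a spammer can connect to it directly and skip the filter."""
    filtered = {h.lower() for h in filtered_hosts}
    return [host for _, host in records if host not in filtered]


def relayed_via(headers, records):
    """Which of our exchangers first accepted a message, read from its
    Received headers (the bottom-most header is the earliest hop)."""
    ours = {host for _, host in records}
    by_hosts = []
    for line in headers:
        m = RECEIVED.match(line)
        if m:
            by_hosts.append(m.group(2).lower().rstrip("."))
    for host in reversed(by_hosts):
        if host in ours:
            return host
    return None


def arrived_via_backup(headers, records):
    """True when a message entered through a secondary MX rather than the
    primary. A steady stream of these while the primary is up is the
    back-door traffic described in Case 2."""
    primary = delivery_order(records)[0]
    entry = relayed_via(headers, records)
    return entry is not None and entry != primary


# The fictitious nslookup output from the post.
NSLOOKUP = """Non-authoritative answer:
somedomain.com        MX preference = 10, mail exchanger =
mail.somedomain.com
somedomain.com        MX preference = 99, mail exchanger =
smtp.SomedomainISP.com
"""

# Constructed Received headers (newest first, as they appear in a message).
FRONT_DOOR = [
    "Received: from mail.somedomain.com (10.0.0.5) by exchange.somedomain.local with ESMTP",
    "Received: from mx.partner.example (192.0.2.10) by mail.somedomain.com with ESMTP",
]
BACK_DOOR = [
    "Received: from smtp.SomedomainISP.com (198.51.100.7) by mail.somedomain.com with ESMTP",
    "Received: from [203.0.113.44] by smtp.SomedomainISP.com with SMTP",
]

if __name__ == "__main__":
    mx = parse_mx(NSLOOKUP)
    print("delivery order:", delivery_order(mx))
    print("back doors:", unfiltered_exchangers(mx, {"mail.somedomain.com"}))
    print("front-door message via backup?", arrived_via_backup(FRONT_DOOR, mx))
    print("back-door message via backup?", arrived_via_backup(BACK_DOOR, mx))
```

Run against a day's worth of real headers, the ratio of back-door to front-door entries while the primary was reachable is a quick measure of how much Spam is taking the detour.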

While e-mail is not 100% guaranteed the above service puts you in control and slams the door in the face of the Spammers.

Now go have a nice (Spam-free) day!

- Shaun

Tuesday, April 01, 2008 8:53:40 AM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | April Fool's Day | CudaMail | Spam | Threats )
April Fool's Day is upon us - don't be an e-mail fool - as the Spammers will be trying to take advantage of our love of a good laugh.
 
As always be very careful when you get an e-mail that you don't expect. Just last week my own wife sent me a video via e-mail and the first thing I did was call her and ask if she had sent it to me. It turns out she had but it could easily be an e-mail containing Spam/malware like the latest storm being reported on by the Internet Storm Center.

Storming into April on Fools Day

http://isc.sans.org/diary.html?storyid=4222

Here are some subject lines to watch out for (there may be more variations):

  • All Fools' Day
  • Doh! All's Fool
  • Doh! April's Fool.
  • Gotcha!
  • Gotcha! All Fool!
  • Gotcha! April Fool!
  • Happy All Fool's Day.
  • Happy All Fools Day!
  • Happy All Fools!
  • Happy April Fool's Day.
  • Happy April Fools Day!
  • Happy Fools Day!
  • I am a Fool for your Love
  • Join the Laugh-A-Lot!
  • Just You
  • One who is sportively imposed upon by others on the first day of April Surprise!
  • Surprise! The joke's on you.
  • Today You Can Officially Act Foolish
  • Today's Joke!
The e-mails either contain or have links to a nasty malware payload.

The download is a binary, also with varying names:

foolsday.exe
funny.exe
kickme.exe

In your e-mail it will look something like this:

April Fool's Day http://276.233.234.297 <= This is an invalid link intended to be harmless

CudaMail blocks .EXE attachments by default so anyone using our CudaMail managed anti-spam service is not going to be getting any of the malware payloads but some of the links may slip through.

We are blocking new variants as quickly as they are discovered but the best defense is to be educated to not click on unsolicited links.

Consider yourself educated. :)

- Shaun

Friday, March 28, 2008 9:03:37 AM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | Barracuda Central | Barracuda Networks | CudaMail | ORDB | Spam Filtering Service )
As some of you may know, ORDB.org (aka the Open Relay Data Base) was one of the original real-time, IP-based blacklists. The idea was that as your mail server or anti-spam service (like CudaMail) was getting a connection from a sending mail server, you could ask ORDB.org if the sender's IP address was known to ORDB, and if it was you had a pretty good idea that you didn't want to accept this e-mail, as it was most likely spam being routed through an open relay mail server.
 
Well, after running as a free service for years, the ORDB.org service was shut down on December 18, 2006, and instead of replying it would just time out. Not a big deal: since your mail server didn't get a reply either way, you went on to other tests. They announced that they were going off-line and that at some time in the future they would be replying with a positive result to any new queries. This has happened many times over the years with various free anti-spam databases for a variety of reasons. Most administrators didn't notice the ORDB.org announcement or put the removal of this test on their 'to do' list and promptly forgot about it until now.
 
So on March 25, 2008, after giving fair warning, the DNS servers for ORDB.org started to answer every query with a positive result. All mail servers still using a Spam filtering solution that references ORDB (relays.ordb.org) immediately started to block all incoming e-mails regardless of their real status as spam sources. You can't blame the admins of ORDB.org, as they were doing this service for free and had been paying for the bandwidth used up by all these timed-out queries for the last 2 years.
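The failure mode just described can be caught before it blocks your mail. Here is an added example (my own illustration, not CudaMail, Barracuda or ORDB code) of a DNSBL lookup that first checks the list against the two conventional control addresses, 127.0.0.2 (always listed) and 127.0.0.1 (never listed), and refuses to act on a list that answers "listed" for everything. The resolver is injected so the code runs offline against constructed zones; bl.example.net and the IP addresses are made up.

```python
import ipaddress

# DNSBL convention: 127.0.0.2 is always listed (a test entry) and 127.0.0.1 is
# never listed. A list that reports 127.0.0.1 as listed is answering every
# query positively, which is what relays.ordb.org began doing on March 25, 2008.
ALWAYS_LISTED = "127.0.0.2"
NEVER_LISTED = "127.0.0.1"


def dnsbl_name(ip, zone):
    """Build the query name: the IP's octets reversed, then the list's zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone, resolve):
    """True if the list returns any A record for the reversed-IP name.
    `resolve(name)` returns a list of A records (empty when not listed)."""
    return bool(resolve(dnsbl_name(ip, zone)))


def dnsbl_status(zone, resolve):
    """Classify the list before trusting it:
    'ok'               - test entry listed, control entry not listed
    'dead'             - nothing listed, not even the test entry (ORDB after Dec 2006)
    'lists-everything' - the control entry is listed; stop using this list now
    """
    if is_listed(NEVER_LISTED, zone, resolve):
        return "lists-everything"
    if not is_listed(ALWAYS_LISTED, zone, resolve):
        return "dead"
    return "ok"


def should_reject(sender_ip, zone, resolve):
    """Reject a connection on a hit only when the list passes the sanity check.
    A dead or lists-everything list contributes nothing, so other tests decide."""
    if dnsbl_status(zone, resolve) != "ok":
        return False
    return is_listed(sender_ip, zone, resolve)


# Constructed zone for a healthy list: the test entry plus one listed relay.
HEALTHY_ZONE = {
    "2.0.0.127.bl.example.net": ["127.0.0.2"],
    "4.3.2.1.bl.example.net": ["127.0.0.2"],   # constructed listing for 1.2.3.4
}


def healthy_resolver(name):
    return HEALTHY_ZONE.get(name, [])


def lists_everything_resolver(name):
    # Every name gets a positive answer, whatever was asked (ORDB after 2008-03-25).
    return ["127.0.0.2"]


def dead_resolver(name):
    # No answer at all (in reality a timeout, which a caller should treat the same).
    return []


if __name__ == "__main__":
    for label, resolver in [("healthy", healthy_resolver),
                            ("lists-everything", lists_everything_resolver),
                            ("dead", dead_resolver)]:
        print(label, dnsbl_status("bl.example.net", resolver),
              "reject 1.2.3.4:", should_reject("1.2.3.4", "bl.example.net", resolver))
```

A real deployment would run the status check on a schedule rather than per connection and page an administrator when a list changes state.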
 
While the CudaMail system does still use some of the no-charge databases out there to block spam, it does not use ORDB.org. Barracuda Central has also been actively working on their own internal reputation system. The Barracuda Reputation system is very mature at this point, with the end result that this database is flagging new spam sources before the no-charge databases like ORDB.org used to. The real benefit of Barracuda Central maintaining this database is that there are dedicated people paid to maintain it as part of their business plan, so the problems experienced by people who rely on the free databases will not happen to CudaMail.

Now go have a nice spam free day!

- Shaun Sturby

Wednesday, March 19, 2008 8:18:24 AM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | CudaMail | False Spam | Spam Filtering Service )
False Spam are messages that are blank or contain garbled text with no links or real message.
 
Yes, they are unwanted messages but there is no real 'body' to the Spam - just some garbled words. The message that the Spammer wanted to send was not included and thus these messages are ineffective as Spam.
 
Why would the Spammers want to send 'False Spam'?

Just speculating here but it could be anything from someone doing a 'test spam run' that got away on them and sent nonsensical random text without the advertisement. If that is the case then 'Silly Spammer - you wasted your money on this one!'
 
It could also possibly be an effort to see what did get through by utilizing the 'Out of Office' or 'Delivery Receipts' to capture valid e-mail addresses. If the Spammer gets any response back except 'undeliverable' then they know that there is a valid e-mail address on the other side. It is a good idea to not send these 'Out of Office' messages outside your organization if at all possible. It is also a good idea to disable the 'Delivery or Read receipts' in both your e-mail client and your mail server as some people rely on them. 
 
A third possibility is that Spammers may be trying to poison the Bayesian or statistical database by sending out these random words and phrases. A poisoned database will make it that much harder to pick the Spam out of the noise and could result in more false positives.
 
Rest assured that CudaMail is working hard to clean up these 'False Spam' messages as quickly as we can.

- Shaun

Monday, March 17, 2008 12:55:04 PM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | Barracuda Central | Barracuda Networks | Barracuda Spam Firewalls | CudaMail | Robert Soloway | Spam | Spam Stats | Threats )
Notorious 'spam king' Robert Soloway has pleaded guilty to additional charges (fraud and tax evasion) related to his previous conviction for sending out huge volumes of Spam.
 
US Department of Justice indictment against Soloway:
> www.usdoj.gov/usao/waw/press/2007/may/soloway.html
Seattle times article on Soloway's guilty plea on the new charges:
> http://seattletimes.nwsource.com/html/localnews/2004283998_spamking15m.html 
The question to the reader therefore is 'Do you think that this sentence will result in less spam to your inbox?'
 
Sadly the answer is probably 'no' as the trend in Spam is still increasing and human nature, on both sides of the equation, being what it is won't change.
 
There are a number of sites you can go to if you want to look at Spam trends and one such site is Barracuda Central:

www.barracudacentral.com/index.cgi?p=spam
 
You can go there if you want to look at the pretty graphs but the number that jumps out at me is that worldwide the number of messages processed by all Barracuda Anti-Spam Firewalls yesterday was over 2 Billion. 2,277,470,908 to be exact and of that number the vast majority or 2,170,841,992 (95.32%) were blocked as Spam. This is in contrast to the same statistics a year ago where the number of messages processed per day was around 1 Billion per day and the Spam percentage was around 92%.
 
Sadly, the Spam mix is still about 50% off-brand pharmaceuticals and about 25% knockoff products which tells you what is profitable to the Spammers. If people stopped responding to these advertisements and voted with their cash then the Spammers would not be profitable and would have to look elsewhere for their next easy meal.

Will human nature change overnight?
 
Probably not. Consumers want a good deal and are not likely to change and the Spammers have found a financial niche that they fit into so expect the volume of Spam to continue and even increase as the effectiveness of anti-spam solutions like the Barracuda appliances, which CudaMail is powered by, makes the Spammers job that much harder. They will ramp up their efforts to sneak Spam past such solutions rather than change their nature.
 
- Shaun

Monday, March 10, 2008 1:03:35 PM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | CudaMail | Spam | Threats | Valentine's Day )
A recent report that Spammers are taking advantage of the interest in the US Elections to try and peddle Viagra, along with the other things that Spammers are taking advantage of - like Valentine's Day - makes me think that things are getting worse instead of better, and also makes me wonder if we are going to have to go to some form of 'walled city' for our e-mail.

The SMTP standard was designed to be open and people at that time (about 30 years ago now) wanted such an open system that there are now gaping holes that Spammers are using to send a deluge of Spam to our users.
 
What the Spammers are doing at the moment must be effective because I review the daily logs from our systems and this is really brought to light when on a Sunday, not a typical business day, our systems process in excess of 1.5 million messages. Out of that number less than 13,000 or LESS than 1% (0.866%) were allowed through to the mail servers. Now we don't claim that we can block 100% of Spam so there is a very small percentage that gets through, so let's say that 1/10 of 1% of the 13,000 is Spam. That means that out of 1.5 million messages only 13 Spam messages got through to our users.
 
This brings up two interesting questions:

1. How many people are buying from Spammers?

- If only a handful of messages are getting through the Spammers must have a high close ratio and a high margin to make this make economic sense.
 
2. Are we going about solving the Spam problem the wrong way?

- Why should we have to process 1.5 million messages when less than 1% are legitimate?
 
Some organizations have to be more open to whom they accept e-mail from because that is the nature of their business - online sales from almost anyone - but what about those organizations that only get a few e-mail messages from a few select partners? Could they set up a closed e-mail system where there is a process to be added to their accept list and all other e-mails are rejected? They could even set up 2 e-mail domains: the first with a few common e-mail addresses like sales@, support@ and billing@ for their public mail presence, and the second - by invite only - domain for their real mailboxes.
 
The first domain will get a ton of Spam but will act like a switchboard with only a few select people having to review the messages and forward them internally to the people that will take action on them. The second domain will not accept e-mail from just any domain so it will be very easy to track down the source of any "Spammy" messages and stop them.
 
What do you think? Have you thought of or implemented a 'walled city' plan for your e-mail? Let us know in the comments.
 
- Shaun

Monday, March 03, 2008 10:18:59 AM (Mountain Standard Time, UTC-07:00) ( Anti-Spam | CudaMail | e-cards | Spam | Threats )
According to this article at the Internet Storm Center (http://isc.sans.org/diary.html?storyid=4054) the bot handlers are working to build up their Spam sending bot network by sending out e-Card spam.

These seemingly harmless e-mails claim that there is something special for you, either a joke or a surprise, and more often than not will trick you into opening it.

Be part of the solution and don't get tricked by these e-Cards. If you know the sender then confirm with them (not by e-mail) that they really sent it to you.

If they didn't send it or if it is sent anonymously then don't open it no matter how curious you are. There are a lot of other joke sites on the Internet or you can always go have a chat with your Grandpa. :)

- Shaun


About the author

Shaun Sturby, MCSE
Technical Services Manager, and Optrics' point person for email security


© Copyright 2008, Optrics Inc.