CudaMail Solutions

Friday, June 27, 2008 9:24:17 AM (Mountain Daylight Time, UTC-06:00) ( False Spam | Postini | False Positives )
Which would be more damaging to your business, a few spam messages that get through to your Inbox, or one legitimate business email getting blocked by your spam filter?

We wanted to take a moment to share the following excerpts of an article from yesterday's issue of the Wall Street Journal. The reporter takes an in-depth look at his company's spam filtering service (Postini, in this case) by sorting through all of the email messages sent directly to his spam folder. He discovers that of the 192 messages tagged as spam, "46% were legitimate messages that had been flagged as spam." Clearly this is an incredible and unacceptable false positive rate.

This article clearly validates Barracuda Networks' decision to prioritize a low false positive rate over blocking every single spam message. As you know, the Barracuda Spam Firewall has one of the lowest false positive rates (0.01%) of all solutions available today, while still maintaining a very high spam block rate of 95-99%. With such ratings, chances are very good that customers will see the benefits of a spam-free Inbox and feel confident that no legitimate messages are being blocked.

The full article is below for your convenience.



Wall Street Journal (www.WSJ.com)
Real Message About Spam
June 18, 2008; Page B6
By Lee Gomes

We all hate the idea of doing anything that will end up making us deal with even more email than we have to manage now. But this is one of those situations where what you don't know can hurt you.

Dow Jones, like all big organizations, has been forced to subscribe to an antispam service to keep a firehose of illicit and offensive mail messages from reaching its employees, reporters included. When the service was first turned on, Outlook inboxes were suddenly free of offers for prescription medicines, mortgage refinances, crude erotica and all the other mainstays of the spam economy. Regular email life could resume -- spam-free. It looked like another victory for technology in the hands of the good guys. If it seemed too good to be true, well, that happens all the time in the tech world.

But after a while, some of my colleagues and I began to wonder where all that spam was going, and whether there was a chance that maybe, just maybe, some of the emails being flagged as spam and sent to an email gulag were actually just innocent communications. (For the longest time, regular access to those files had been blocked by IT policy.)

I asked IT managers for access to what was being caught in our spam filters -- the messages held back in quarantine and not delivered to our inboxes. When access finally was granted to me, and others in the rank and file here, you could hear the gasps from cubicles when we all saw what we had been missing.

The antispam system had been so effective because it had labeled as spam just about everything that was even remotely suspect. It was acting a bit like a police department that, in an effort to curb juvenile delinquency, was hauling in all teenagers without "A" averages.

Naturally, a huge percentage of the emails weren't spam at all. Our freedom from spam had come at a stiff price -- a very high false-positive rate.

How bad was it?

I took a good long look at a few days' worth of messages in my spam bucket. There were 192 in all. Sorting them by hand into "real mail" and "actual spam," I figured that some 46% were legitimate messages that had been flagged as spam. Of these, most were news releases from companies, including VMware, Dell and Hewlett-Packard. Notices from Purdue University, the Semiconductor Industry Association and Forbes Magazine also were blocked, though maybe that last one wasn't such a bad call after all.

I can live without the occasional news release. But what about when real readers take the time to sit down and write to me? That's a message I want to see.

Alas, of the 150 readers to write about a recent column, 20% were sent to the spam bucket and would never have been seen by me if I hadn't bothered to ask to take a look.

Other reporters who had taken advantage of the more-open access policy had similar tales. One colleague said his spam bucket contained a note from a friend he had assumed was angry with him because he hadn't written. Another found a crucial message from the company's official health-care provider announcing an important change in a health plan.

Spam researchers say this sort of thing is happening all the time at companies everywhere. "Your experience is not at all unique," says David Dagon, who studies spam detection at Georgia Tech. "Antispam technology has become pretty mature in the last few years, but a lot of innovation still has to occur because the problem is so dynamic."

The antispam software at my shop is provided by Postini, and we can assume it's at least as good as anyone else's by virtue of the fact that Google bought Postini last year.

Postini President Scott Petry seemed surprised that so much of my good mail was being flagged as spam. He said the software uses a number of different variables to score a message; those above a certain threshold get tagged as spam.

Those news releases, for example, were being sent from a single mailbox that had been configured in a way similar to the method spammers like to use. And one of the readers who had written to me had mentioned hospitals and charity work. A lot of spam involves charity scams, which is probably why that message got flagged, he said.

Mr. Petry then proceeded to explain aspects of our antispam software that I never knew about and that could be used to shrink the spam net.

Specifically, Postini allows individual users to determine how aggressive its spam filters should be. By default, our filters had been set to a vigilance level of four on a 1-to-5 setting, with five being the most exclusionary.

It turned out -- and this was news to most of us -- that the spam filter could be set by each user to be as aggressive or as permissive as each of us wished. I could lower the rating, Mr. Petry said, and start to see some of the messages that I had previously been missing.

Of course, I would also start seeing a lot more spam. And here you have the sad truth about the state of the art in spam protection. Set up your software to a low setting and you'll get most of your mail, but lots of spam. Ratchet up the controls and you'll see fewer stock picks, but you might miss the note from a long-lost friend.

Next time someone starts telling you about how smart computers have become, remind them about this situation, will you?
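The tradeoff Mr. Petry describes (each message gets a score, and the 1-to-5 level moves the cutoff above which a message is tagged) can be measured rather than guessed at. What follows is an added example, not code from the WSJ article, from Postini or from CudaMail: a threshold sweep over a constructed set of hand-sorted messages that reports, for each level, how much spam is caught and how much legitimate mail is lost. The scores, the level-to-cutoff mapping and the messages are all made up for illustration and do not reflect any real product's scoring.

```python
"""Score-threshold sweep: catch rate versus false-positive rate per level.
Added example; scores, cutoffs and messages are constructed, not Postini's."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Message:
    subject: str
    score: float   # spam score from the filter, higher = more spam-like (constructed)
    is_spam: bool  # ground truth from sorting the bucket by hand


# Constructed sample. Legitimate mail with spam-like traits (press releases
# from a bulk mailbox, a reader mentioning charity work) deliberately scores high.
SAMPLE: List[Message] = [
    Message("Q2 earnings press release", 7.5, False),
    Message("Reader feedback on your column", 4.2, False),
    Message("Hospital charity drive follow-up", 6.8, False),
    Message("Re: lunch on Thursday", 1.1, False),
    Message("Health plan change notice", 5.5, False),
    Message("University newsletter", 6.1, False),
    Message("Cheap meds, no prescription", 9.4, True),
    Message("Refinance today!!!", 8.8, True),
    Message("Hot stock pick", 7.9, True),
    Message("You have won a lottery", 9.9, True),
    Message("Free cell phone offer", 6.6, True),
    Message("Earn thousands from home", 8.1, True),
]

# Level 1 (most permissive) .. 5 (most exclusionary) mapped to score cutoffs.
# A message with score >= cutoff is tagged as spam. The mapping is constructed.
LEVEL_CUTOFF: Dict[int, float] = {1: 9.0, 2: 8.0, 3: 7.0, 4: 6.0, 5: 5.0}


def evaluate(messages: List[Message], cutoff: float) -> Tuple[float, float]:
    """Return (share of spam caught, share of legitimate mail wrongly tagged)."""
    spam = [m for m in messages if m.is_spam]
    ham = [m for m in messages if not m.is_spam]
    caught = sum(1 for m in spam if m.score >= cutoff)
    false_pos = sum(1 for m in ham if m.score >= cutoff)
    return caught / len(spam), false_pos / len(ham)


def bucket_false_positive_share(messages: List[Message], cutoff: float) -> float:
    """Share of the spam bucket that is legitimate: the figure the reporter
    measured by hand (46% of 192 in his case)."""
    bucket = [m for m in messages if m.score >= cutoff]
    if not bucket:
        return 0.0
    return sum(1 for m in bucket if not m.is_spam) / len(bucket)


def sweep(messages: List[Message] = SAMPLE) -> Dict[int, Tuple[float, float]]:
    """Catch rate and false-positive rate at every vigilance level."""
    return {level: evaluate(messages, cutoff) for level, cutoff in LEVEL_CUTOFF.items()}


if __name__ == "__main__":
    for level, (caught, fp) in sweep().items():
        share = bucket_false_positive_share(SAMPLE, LEVEL_CUTOFF[level])
        print(f"level {level}: spam caught {caught:4.0%}, legit lost {fp:4.0%}, "
              f"bucket is {share:4.0%} legitimate")
```

Run against real data, the interesting number is not the catch rate but the bucket's legitimate share at the level actually deployed: on this constructed set, level 4 catches everything yet a third of what lands in the bucket is wanted mail, which is exactly the kind of loss nobody notices until someone reads the quarantine.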

Tuesday, June 24, 2008 2:33:24 PM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | CudaMail | Threats | Adobe | PDF Malware )
PDF Flaw Exposes All to Botnet Attempts

Adobe revealed that a flaw exists even in fully up-to-date versions of Adobe Reader 8.1.2 that "could potentially allow an attacker to take control of the affected system". This is similar to other bugs that have recently been used by the "bot herders" to take over millions of PCs, adding them to their herds to later be used to send spam to you and your friends.


Adobe's bulletin and service patch:
http://www.adobe.com/support/security/bulletins/apsb08-15.html   

SANS Internet Storm Center (ISC) recommends that you update sooner rather than later.
http://isc.sans.org/diary.html?storyid=4616


While the SANS article mentions that the vulnerability will soon appear on a malware-spreading website, we at CudaMail expect the "bot herders" to start sending millions of messages with links to these malware sites, using social engineering to get you interested enough to click on the unsolicited link.

So what can you do to protect yourself?

Update all your programs on a regular basis. Make sure you have a tested backup of all your important information for when (not if) you get infected and have to format and re-install your operating system, the only way to be 100% sure that you don't have a nasty infection. And don't click on links whose origins you are unsure about.

What else can we do as an anti-spam service to protect you?

While we do watch for outbreaks like this closely and will be blocking any messages that have links to known infected sites we always have to be careful to not step over the line and start blocking legitimate links. We could easily write a rule that blocks any PDF file or even any link to any PDF file but this format is used by billions of people to send all sorts of legitimate information every day and so we can't do that except in the case of a major outbreak and then for only a very short while.

So here is a question to you, our dear readers:

Would you prefer to have 100% protection from a new malware outbreak like the one we expect, even if some legitimate messages may be blocked, or would you like all your legitimate e-mails to come through even if a few malware links also come through?

At CudaMail we have a third option, the per-user quarantine, where we can send every message with a PDF attachment or a link to a PDF into your personal quarantine area. This would require that you take the effort to check this quarantine area and deliberately release the wanted PDFs. Is that a viable option for you?
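To make the third option concrete, here is an added example (not CudaMail's code) of the rule it describes: a message is routed to the recipient's quarantine when it carries a PDF attachment or a link to a PDF, and only for recipients who opted in, so the rule never touches users who want their PDFs delivered. The three sample messages are constructed; the function and header names are mine.

```python
"""Per-user PDF quarantine rule. Added example, not CudaMail's code: a message
goes to the recipient's quarantine when it carries a PDF attachment or links to
a PDF, but only for users who opted in. The sample messages are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List, Set

# Links whose path ends in .pdf; case-insensitive, stops at whitespace or quotes.
PDF_LINK = re.compile(r"""https?://[^\s"'<>]+?\.pdf\b""", re.IGNORECASE)


def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def has_pdf_attachment(msg: EmailMessage) -> bool:
    """True if any MIME part is a PDF by declared type or by .pdf filename."""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/pdf" or name.endswith(".pdf"):
            return True
    return False


def pdf_links(msg: EmailMessage) -> List[str]:
    """Collect links ending in .pdf from every text/* part."""
    links: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            links.extend(PDF_LINK.findall(part.get_content()))
    return links


def links_in(raw: bytes) -> List[str]:
    return pdf_links(parse(raw))


def disposition(raw: bytes, opted_in: Set[str]) -> str:
    """'quarantine' when the PDF rule fires for an opted-in recipient, else 'deliver'."""
    msg = parse(raw)
    recipient = str(msg["To"] or "").strip().lower()
    if recipient in opted_in and (has_pdf_attachment(msg) or pdf_links(msg)):
        return "quarantine"
    return "deliver"


# Constructed sample messages (addresses use reserved example domains).
PLAIN = b"""From: partner@example.net
To: user@example.com
Subject: Meeting notes
Content-Type: text/plain; charset="us-ascii"

See you Thursday.
"""

LINKED = b"""From: news@example.org
To: user@example.com
Subject: Quarterly report
Content-Type: text/plain; charset="us-ascii"

Download it here: http://example.org/reports/q2.pdf
"""

ATTACHED = b"""From: invoices@example.net
To: user@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Invoice attached.
--XYZ
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

if __name__ == "__main__":
    opted = {"user@example.com"}
    for label, raw in (("plain", PLAIN), ("linked", LINKED), ("attached", ATTACHED)):
        print(f"{label}: {disposition(raw, opted)}")
```

The rule checks both the declared content type and the filename, because a PDF sent with a generic `application/octet-stream` type would otherwise slip past a type-only check; the opt-in set is what turns a blanket block into the per-user quarantine the post proposes.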

We want to hear from you!

- Shaun

Thursday, June 19, 2008 11:15:26 AM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | Barracuda Spam Firewalls | CudaMail | Phishing Scams | Spam | Spam Filtering Service | Spam Stats | Threats )
US-CERT is warning people about a new Storm Worm surge that takes advantage of people's interest in what is happening in China, with both the recent earthquake and the Olympics foremost on people's minds.

Of all the messages processed recently by CudaMail with the words 'China' or 'Olympics' in the subject line, we were able to block, quarantine or tag this new spam surge with only a handful of them getting through to our customers, while at the same time allowing the legitimate messages through, as some of our customers do a brisk business with partners in China and will not stand for false positives.

The warning from US-CERT is included below so you can see some of the variations of subject lines being used. This is not a complete list, as the Storm Worm continues to change the subject line and links to try to evade anti-spam measures such as CudaMail.

 - Shaun

US-CERT Current Activity

New Storm Worm Variant Spreading

Original release date: June 19, 2008 at 11:23 am Last revised: June 19, 2008 at 11:23 am

US-CERT has received reports of new Storm Worm related activity. The latest activity is centered around messages related to the recent earthquake in China and the upcoming Olympic Games. This Trojan is spread via an unsolicited email message that contains a link to a malicious website. This website contains a video that when opened may run the executable file "beijing.exe" to infect the user's system with malicious code.

Subject lines can change at any time, but the following subject lines are noted as being used:

  * The most powerful quake hits China

  * Countless victims of earthquake in China

  * Death toll in China is growing

  * Recent earthquake in china took a heavy toll

  * Recent china earthquake kills million

  * China is paralyzed by new earthquake

  * Death toll in China exceeds 1000000

  * A new powerful disaster in China

  * A new deadly catastrophe in China

  * 2008 Olympic Games are under the threat

  * China's most deadly earthquake

US-CERT encourages users and administrators to take the following preventative measures to mitigate the security risks:

  * Install anti-virus software, and keep its virus signature files up-to-date.

  * Do not follow unsolicited web links received in email messages.

  * Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.

  * Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

US-CERT reminds users to beware of future phishing attacks that may target natural disasters and the Olympic Games.

Relevant Url(s):
http://www.us-cert.gov/cas/tips/ST04-014.html

http://www.us-cert.gov/reading_room/emailscams_0905.pdf

====

This entry is available at:

http://www.us-cert.gov/current/index.html#new_storm_worm_variant_spreads2

Thursday, June 12, 2008 2:12:53 PM (Mountain Daylight Time, UTC-06:00) ( CudaMail | Microsoft Exchange | Disaster Planning )
With email being such a significant part of most business people's day, having a backup plan in place should something happen to your mail server is time well spent.
A customer named Harold, whom I was recently working with on his CudaMail filtering setup, was explaining to me a very interesting way to do a form of disaster planning for Exchange Server, specifically the version included in Small Business Server (SBS).

While this method doesn't help Exchange be more robust it does keep the company working should there be a problem with the Exchange server and gives Harold time to work on his server without significant e-mail down time. 

What he does is have his e-mail hosted at an ISP and use the POP3 connector in Exchange to pull down the e-mail on a regular basis. This is not new, as the POP3 connector has been available since SBS 2003 as far as I know, but his setup is unique.

While most people would use the POP3 connector as a temporary solution when migrating to the Exchange SMTP service, Harold is leaving it in place and looking for a replacement with additional features.

(Any experience with good and/or free replacements?)

Should his Exchange server go "belly up" then the ISP’s mail servers would continue to accept and deliver e-mail to the mailboxes they have on their mail server.

This is where Harold’s advanced planning comes into play. He has made sure that the users know that they can use the webmail feature from the ISP to check on and reply to messages while the Exchange server is off-line. This keeps the Company alive and working and gives Harold time to do his repairs or restore from backup.

There are some pros and cons to this setup that I think need to be addressed.
  1. Delay in getting e-mail. Because the POP3 Connector does a scheduled check of the ISP mailbox there will be a delay of up to 15 minutes in getting e-mail. The response goes out from Exchange immediately, but in this age of "instant everything" people want e-mail to be instant too. The average delay is going to be 7 ½ minutes, so this is not a big issue unless there is a deadline you're trying to meet.

  2. History. As far as I know the POP3 connector does not have a setting to leave x days' worth of messages in the mailbox, so the end users will have to use both the local copy of e-mail on their desktop and also remember to BCC themselves on any sent e-mail so they can maintain an accurate history of what is said via e-mail.

  3. Encryption. The POP3 connector in Exchange cannot encrypt the messages being pulled down via POP3. This is why Harold is looking for a better POP3 connector. Does anyone have any experience, good or bad, with the third party POP3 connectors?

  4. Passwords. The users need to keep track of the passwords used for e-mail at the ISP. How good are your users at remembering passwords?

  5. Training and reminders. The old adage ‘use it or lose it’ comes to mind. Will the users remember how to use the Webmail in a time of crisis? With e-mail down how will you be able to remind them they have this option?

  6. What happens to his e-mail if the ISP has a problem? How can he modify his setup to get the best of both worlds?

Can you think of any other issues or gotcha’s with this setup? Would an IMAP connector be a better option? Is there such a beast for Exchange?

- Shaun

Monday, June 02, 2008 3:18:20 PM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | Spam | Spam Stats | Regional Based IP List )
[Chart: countries generating the most unwanted messages. Source: Technology Review]

The chart above shows that China, Brazil and Turkey lead in generating the most unwanted messages. The graph, generated from Team Cymru data, is a lot easier to read than their default Hilbert curve graph.

[Graph: Team Cymru's default Hilbert curve view. Source: Team Cymru]

But they also have some other nice graphs:

www.team-cymru.org/Monitoring/Graphs/

(Warning – the above graphs are Flash based.)

How can we use this information?

Well, if you are based in one country and only expect to get e-mail from a handful of other countries, then you can use a region-to-IP-address list to block all e-mail from the countries you don't plan on getting any e-mail from. You should, however, have an alternate method of contact, like a web form, so that people from these blocked regions can still reach you.

One great region based IP list can be found at http://countries.nerd.dk/ in a format suitable to use as a real time black list (RBL) via most mail server software.
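How a mail filter actually consults such a list, as an added example that is not CudaMail's code: a DNS-based blocklist is queried by reversing the octets of the connecting IP address and appending the zone name, and an A record inside 127.0.0.0/8 means "listed". The zone name countries.nerd.dk comes from the post; that its per-country zones are named `<cc>.countries.nerd.dk` and answer `127.0.0.2` is an assumption of mine to be checked against the list's own documentation. The resolver is injectable, so the example runs offline against constructed answers, and the allowlist is the escape hatch for the partner-in-a-blocked-country case mentioned elsewhere on this blog.

```python
"""Region-to-IP DNS blocklist lookup. Added example, not CudaMail's code.
The zone countries.nerd.dk is from the post; the per-country sub-zone naming
and the 127.0.0.2 answer are assumptions. Resolver is injectable for offline use."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional

RBL_ZONE = "countries.nerd.dk"  # zone from the post; sub-zone layout assumed
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")

Resolver = Callable[[str], Optional[str]]  # lookup name -> A record text, or None


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name from reversed IPv4 octets plus the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def country_listed(ip: str, cc: str, resolve: Resolver) -> bool:
    """True when the IP is listed in the named country's zone (answer in 127/8)."""
    answer = resolve(rbl_query_name(ip, f"{cc.lower()}.{RBL_ZONE}"))
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in LISTED_RANGE
    except ValueError:  # garbage answer: treat as not listed rather than reject
        return False


def smtp_decision(ip: str, blocked_countries: Iterable[str],
                  allowlist: Iterable[ipaddress.IPv4Network], resolve: Resolver) -> str:
    """Reject senders in a blocked country unless their network is allowlisted."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in allowlist):
        return "accept"
    if any(country_listed(ip, cc, resolve) for cc in blocked_countries):
        return "reject"
    return "accept"


def live_resolve(name: str) -> Optional[str]:
    """Real DNS lookup; NXDOMAIN (not listed) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed answers standing in for live DNS (TEST-NET addresses, RFC 5737).
FAKE_DNS = {
    "7.113.0.203.cn.countries.nerd.dk": "127.0.0.2",
    "2.100.51.198.br.countries.nerd.dk": "127.0.0.2",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


BLOCKED = ["cn", "br", "tr"]                          # countries this site never expects mail from
PARTNERS = [ipaddress.IPv4Network("203.0.113.0/24")]  # a known partner's range (constructed)

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.2", "192.0.2.10"):
        print(ip, smtp_decision(ip, BLOCKED, PARTNERS, fake_resolve))
```

Most MTAs do this lookup natively (Postfix, for instance, with `reject_rbl_client` in its client restrictions), so in production the code above is really a description of what the server does; the part worth owning yourself is the allowlist in front of the lookup, because a regional block with no exceptions is exactly the kind of false positive the WSJ article complains about.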

- Shaun

Friday, May 30, 2008 5:54:15 PM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | Spam | Threats )
Here's what went on this week in the blogosphere in the anti-spam world:


Backscatter

Use a service or server based anti spam system. Such systems employ measures that block spam and are hardened to large quantities of spam and will provide some protection from backscatter in and of themselves, however the spam ...


How much longer will anti-spam captchas be useful?

Luis von Ahn, an inventor of the anti-spam tool known as "captchas," talks with Jon Gordon about how much longer the squiggly line challenge-response tools will be useful.


TypePad launches new anti-spam tool for bloggers

TypePad AntiSpam is the product of the antispam technology Six Apart has been using in their TypePad hosted blogs since May 2007. Now the service, which is in beta, is available to anyone, open source, and free -- regardless of how ...


MySpace wins $230 million anti-spam judgment

Just saw this over at namepros, although I don't use myspace but I like to think that spammers (not only the ones spamming myspace) will think twice before doing spamming again Excite News - MySpace wins $230 million anti-spam judgment.


Social Networking Sites Also Popular With Spammers

Popular networking sites have become one of the latest targets in recent spam attacks. Cloudmark, an anti-spam enterprise, revealed that social networking sites have seen a huge rise in spam in the 6 months to March 2008. ...


Enjoy!

- Shaun

Wednesday, May 21, 2008 9:47:40 AM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | CudaMail | Memorial Day | Spam | Threats )
With the downturn in the US economy more people are turning to the web for the best deal, so expect vendors to be even more aggressive in their approach to getting eyeballs on ads. This includes sending more e-mail marketing, as it is the lowest-cost advertising venue.

The spammers have been using e-mail for years now because it works and the big marketers have joined in as a scan of some of the recent subject lines processed by CudaMail shows.

Some of these are spam and some are just marketing messages:


Alarm systems.
"5 Horrible Home-Invasion Statistics."
"Secure your home today"

Pharma
"Live Life to the fullest"
"May 21st - Ready to Process Reorder"
"Cleanse your digestive system and feel great."
"Side effects include: Increased libido, decreased cellulite, and ..."

Office Supplies
"Discount printer ink and toner plus extra 10% coupon"

Social Networking
"Someone is looking for you. Find out who."

Septic Tank Insurance
"Has your Septic Tank ever backed up on you?"

Hardware and Tools
"True Value: Weekly Merchandising Newsletter - 5.20.08"

Vacations
"World Series of Poker* Invitation in Vegas for You"

Men's Clothing
"20% Off + $4.95 Flat Rate Shipping"

Women's Clothing and Swimwear
"Memorial day event - 50 items at 50% off!"

Satellite TV
"Over 40 Digital Quality channels for $19.99/mo. Get more with DISH Network"

Wedding Decorations
"Wedding Accessories on Sale"

Business Cards
"MAY MADNESS LAST DAY!!!!!"

Big Fans
"Industrial Cooling...$99"

So a warning to everyone that from our Operations Center here at CudaMail we see the volume of e-mail marketing, both legitimate and unwanted spam, is being turned up to 11 as we get closer to the long weekend in the U.S.

- Shaun

Tuesday, May 20, 2008 9:11:29 AM (Mountain Daylight Time, UTC-06:00) ( Natural Disasters | Phishing Scams )
Fires and floods and earthquakes, oh my...

Great reminder from US-CERT on protecting yourself from the opportunists that prey on the feelings and emotions of all when a natural disaster strikes. At times when your heartstrings are being pulled it is almost as if the brain gets switched off, and this provides an opening for the scammers to strike, and they will.

If you want to help out in a situation like this then go through the official channels and do not allow yourself to be solicited via a message delivered in an e-mail, even if it comes from one of your trusted friends or family.

- Shaun

> From US-CERT (Computer Emergency Readiness Team): Natural Disasters and Phishing Scams

Original release date: May 19, 2008 at 4:30 pm
Last revised: May 19, 2008 at 4:30 pm

In the past, US-CERT has received reports of an increased number of phishing scams that take advantage of natural disasters. Due to recent natural disasters, US-CERT would like to remind users to remain cautious when receiving unsolicited email that could be a potential phishing scam.

Phishing scams may appear as requests for donations from a charitable organization asking users to click on a link that will take them to a fraudulent website that appears to be a legitimate charity. The users are then asked to provide personal information that can further expose them to future compromises.

Users are encouraged to take the following measures to protect themselves from this type of phishing scam:
  • Do not follow unsolicited web links received in email messages.
  • Review the Federal Trade Commission's Charity Checklist.
  • Verify the legitimacy of the email by contacting the organization directly through a trusted contact number. Trusted contact information can be found on the Better Business Bureau National Charity Report Index.

For additional information regarding phishing, US-CERT recommends reading the following documents:
  • Recognizing and Avoiding Email Scams (PDF)
  • Avoiding Social Engineering and Phishing Attacks

Relevant Url(s):

http://www.us-cert.gov/cas/tips/ST04-014.html

http://www.us-cert.gov/reading_room/emailscams_0905.pdf

http://www.ftc.gov/bcp/edu/pubs/consumer/telemarketing/tel01.shtm

http://charityreports.bbb.org/public/All.aspx?bureauID=9999

====

This entry is available at:

http://www.us-cert.gov/current/index.html#natural_disasters_and_phishing_scams

Wednesday, May 07, 2008 11:44:12 AM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | CudaMail | Identity Theft )

A funny but oh so true write-up from SANS (www.sans.org) on what NOT to do online.

1. Practice Unsafe Surfing. When you purchase a new computer, go online without activating the firewall, or purchasing protective software.

Further expose yourself digitally by sharing a wireless connection with the entire neighborhood. Without digital encryption, you can share the contents of your hard drive with anyone on the street. For maximum risk, do some online banking on a public computer -- like the one at the library or a public cafe. Bonus points are added if your Social Security number is your user ID for any transactions.

What you should really do:
  • Use a hardware firewall at work and at home along with good AV software that is kept up to date.
  • While the desire to go 'wireless' is high and the products make it so easy, take the time to set it up properly or call in an expert to set it up for you.
  • Never do more than just check news stories or some basic searching when on an unknown, and thus untrusted, computer, be it at the library or even over at your friend's house.

2. Skimp on anti-virus and anti-spyware protection. Courting disaster online is easy. Invite malicious code to attack your computer simply by doing nothing. Antivirus programs can be pricey, and the maintenance of constantly downloading updates is time-consuming. Combine that with the security updates from Microsoft or Apple and it's enough to seriously annoy anyone.

What you should really do:

Install a good anti-virus solution; most, like F-Secure, come in a full protection suite and could be included free with your internet connection (Shaw includes F-Secure, for example). Turn on automatic updates in Windows, and if your programs can be set to do the same, do so. Once a month manually check to ensure your programs are up to date with something like the online F-Secure Health Check or the Secunia Software Inspector. It wouldn't hurt to visit both Windows Update and Office Update while you're at it.

3. Passwords are a pain! Make life easy for yourself by using the same password for EVERYTHING, and make it something easy to remember, like your first name or 'password'. Just in case, make sure you write it down on a yellow sticky and put it somewhere easy to see.

And don't forget to have your browser set to 'remember password' to make life easy for you - and the cyber thief.

What you should really do:
  • Use the idea of a passphrase to remember hard-to-guess passwords. A favorite phrase or poem can become the backbone of a secure password policy.
  • For example, the phrase 'The quick brown fox jumped over the lazy dog' can be used to easily remember a password of 'tqbfjotld'.
  • Make your password harder to guess by throwing in capitalization, numbers and special characters.
  • If you want to keep things simple then come up with at least three or four secure passwords.
    • The first would be used only for online banking. The second would be used for your e-mail. The third would be used anywhere you have to register to use a site. The fourth could be used for questionable sites that require you to register.

4. Peek at junk email and open attachments from unknown sources. Open attachments from strangers, secret crushes, long-lost friends saying "what's up," or strangers hawking cheap drugs -- you'll never know unless you peek at that email. One of the many fun things that can happen when you open an attachment containing malicious code is infecting your computer with a Trojan horse or virus, which can easily lead to identity theft.

What you should really do:

Use a service like CudaMail to filter out all these unwanted messages. They are either marketing messages or worse, spammers trying to add your computer to their botnet. Stay away from these messages no matter how 'interesting' the spammers make them.

5. Stuff your wallet with juicy identifying tidbits. Wallets and purses are more than just handy cash-carrying devices. They often have credit cards, identification, insurance information and even Social Security cards. Obviously, more is better if you'd like to become the prey of fraudsters.

Losing or misplacing a wallet or purse can cause more problems than just the hassle of replacing all those cards and buying a new bag. Armed with your date of birth, Social Security number and mailing address, there's no limit to the damage thieves could cause.

What you should really do:
  • Keep only what you need in your wallet or purse.
  • The rest of the information should be in a safety deposit box where you can get it if you need it but the rest of the time it is locked away.
  • Check on the personal information the credit bureaus have on you to make sure it is accurate and that someone hasn't signed up for a credit card or something else in your name but using a different address.

6. Make your checks payable to criminals. If you're like most people, you wouldn't post your checking account information on your front door, though you should if you'd like to be a victim of fraud. Similarly, checks reflecting the same information can be dropped casually into unsecured mailboxes. Statistically the chances of your mailbox being targeted by criminal elements are low, but not that low. According to the 2008 Identity Fraud Survey Report from Javelin Strategy and Research, almost 1 in 10 victims of identity theft who can pinpoint the scene of the crime say that it happened at the mailbox.

7. Opt out? Opt in! While you're mailing checks from the unlocked mailbox, go ahead and get credit card companies to send you all the pre-approved offers that the postman can cram into the box. Similarly, don't get credit card statements online; leave them on the side of the road so that they're more convenient for fraudsters who lack the technical knowledge or follow-through to launch complicated hacking schemes.

What you should really do:

Don't use the mailbox by your front door as an outbox just because it is convenient. Take your bills to the bank to pay or drop them off at a real post office. Anything you do get that has your identifying information on it like a pre-filled out credit application should go through a good cross cut paper shredder before leaving your place.

8. Nothing is too good to be true. Everyone wants to feel special and maybe more importantly, filthy rich. When reading an emailed proposition from an African business tycoon, an imperiled prince or downtrodden heiress offering millions of dollars in exchange for some small measure of assistance, it's difficult not to wish it were true. Falling for the story will undoubtedly lead to unpleasantness.

What you should really do:

Don't let your greed get the better of you. While the 'I have umpteen million dollars that I'm trying to sneak out of the country' e-mails are getting old hat, people are still falling for them. What is more insidious is the 'work at home as an agent' e-mails that make it sound so easy. All you have to do is deposit a check or two each week into your personal bank account and wire transfer the funds to 'the company'. You either end up out the entire amount when the check is returned NSF, or you are working for organized crime and are a money launderer.

The internet is a wonderful and scary place at the same time. Be educated and play safe.

- Shaun

Monday, April 28, 2008 1:51:12 PM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | CudaMail | False Spam | Outlook Plug-In | Spam Filtering Service )
Mark - as the handler on duty at the Internet Storm Center - was nice enough to not only read all his spam for the week (about 2500 messages) but he also put together a nice chart showing what type of spam he was getting and from where:

Description | Email Origin | Notes
Greeting card | Germany | URL link to exe. 28/33 AV products detected the file; three days ago it was 4.
Viagra/Cialis messages | Texas, Latvia, Paris, Russia, Chile, Mount Laurel (US), US, Italy, Israel | Links to Canadian Pharmacy web site.
Viagra/Cialis meds | France | Web site: Canadian Healthcare.
Movie downloads (in Chinese) | Argentina | Nothing: no links and nothing nasty, maybe a trial run.
Herbal remedies | USA, Germany, Sweden, Oman, Lithuania, Brazil | Products to enlarge body parts. The message contained a URL to one of three sites hosted in the same address range. The registrar owns 695 other domains; received 50 of them.
Lottery* | UK, Canada, Greece | So far this week I have won about $500,000,000, not bad for not entering any lotteries. The majority were sent from UK machines, machines at one particular facility.
Click fraud | Spain, Bolivia, Poland | The links in the message are ad click redirects.
Paypal | US, France | The usual phishing exercise aimed at extracting account information.
I am Lonely Tonight | Turkey | The usual "I'm lonely tonight" emails. If you respond it goes into how she wants to travel and can't you help her out.
Fake goods | Bombay, Russia, Bahrain, Greece, Italy, Turkey, Slovak Republic, Thailand | Fake goods, watches, bags, etc.
Business proposal (419 messages) | US, Germany, Los Angeles, United Arab Emirates, The Netherlands, Japan | Transfer money and get a percentage.
Work offers | Belgium | Work for a few hours per week and make thousands; most of these linked to professional-looking sites. Typically they are recruiting for mules.
Threats | Turkey, Russia | There have been a few variants of these doing the rounds.


> Source: http://isc.sans.org/diary.html?storyid=4343

This is a lot of work that Mark has gone through, but it does highlight the value of good metrics, or ways of gauging how effective an anti-spam system is.

Here at the CudaMail support desk we occasionally get a client who at first is very upset that they got 5 spam messages in their inbox this morning and asks, can't we do something about it? They are usually very thankful when we provide them with a report similar to the one below for their domain. It shows that tens of thousands of messages have already been blocked for them, and that these 5 messages are the start of a new campaign that they were "lucky" enough to get the first few messages from. Now that they have provided us with some samples to work with, we can stop this campaign in its tracks too.

Sample CudaMail Spam Quarantine Summary

> Click CudaMail_Summary_for_Domain.pdf (12.76 KB) to download the PDF sample

This also highlights the different perceptions we have as anti-spam specialists and the typical end-user or client. From our perspective we are fighting the good fight and our efforts are winning the war on spam. We block millions of messages a day and allow only a few tens of thousands to be delivered to the client. Typical statistics are that on average 97 out of every 100 messages are spam, and this is with a very low false positive rate (false positive = marking a wanted message as spam).

What is The Customer's Perspective On The Same Volume of Messages?

They are going about their important work without being bothered by those 97 out of 100 messages that are spam so when a few messages slip through to them all of a sudden they are being "flooded" with spam. Same numbers but a very different perspective on the issue.

What Can You - the CudaMail End-User - Do to Help Out?

1. Keep us in the loop. "One person's spam is another person's ham" as the saying goes, so we don't know what you did or did not sign up for online. We maintain a number of spam traps and are always looking for new spam messages, but we may not be first in line when a spammer fires up his money-making spam bot and sends out the latest surge. So if you are the lucky one to be first on the spammer's list and get a spam sample, there are two very good ways to provide this feedback to CudaMail support.

2. Install and use the Outlook plug-in. For those of you who use Microsoft Office with the full Outlook e-mail client, the plug-in is the easiest way to send spam samples back to CudaMail support, and we have blogged about this before. There are plug-ins available now for other e-mail clients (Thunderbird 2.x and Lotus Notes 6.5, 7 and 8) but these are undergoing beta testing right now.

You can read my blog post about it by going here:


3. Debug-ID. For those who don't run Outlook or don't want to run a beta plug-in, you can simply forward just the Debug-ID of the unwanted messages to the support@CudaMail.com address.

A quick 'How to display full headers in client x' can be found at the following URL:
While support only needs the one line with the X-ASG-Debug-ID: number on it, go ahead and forward all the information in the full headers on to us. What you do not want to do is forward the spam message body along with the full headers. What happens more often than not is that the CudaMail system will take your spam sample, re-process it and block it before it gets to support. We don't know that you were trying to send us this sample and can't do anything about it because we didn't get it in the first place. Now, typically we don't respond to every message providing a spam sample, but we do review each and every one of them and make sure that the system will block them in the future.
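One way to prepare such a report without tripping the filter a second time, as an added example that is not CudaMail's or Optrics' own code: it keeps the X-ASG-Debug-ID line and the full header block and drops the body. The sample message, the Debug-ID value and the helper names are constructed for illustration.

```python
# Added example (not CudaMail's or Optrics' own code): extract the
# X-ASG-Debug-ID line plus the full headers from a saved message and leave
# the body out, so the report itself does not look like spam when forwarded.
from email import message_from_string
from typing import Optional

# Constructed sample message; the Debug-ID value below is made up.
SAMPLE_EML = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
X-ASG-Debug-ID: 1209412345-0123456789abcdef
From: sender@example.net
To: user@example.com
Subject: Cheap meds
Content-Type: text/plain

Buy now, limited time offer.
"""

DEBUG_HEADER = "X-ASG-Debug-ID"


def debug_id(raw: str) -> Optional[str]:
    """Return the X-ASG-Debug-ID value, or None when the header is absent
    (a message that never passed through the filter cannot be traced)."""
    value = message_from_string(raw).get(DEBUG_HEADER)
    return value.strip() if value else None


def headers_only(raw: str) -> str:
    """Return the complete header block of the message with the body dropped."""
    msg = message_from_string(raw)
    return "".join(f"{name}: {value}\n" for name, value in msg.items())


def build_report(raw: str) -> str:
    """Text to forward to support: the Debug-ID line first, then all headers.
    Raises ValueError when there is no Debug-ID, since support needs that line."""
    did = debug_id(raw)
    if did is None:
        raise ValueError(f"{DEBUG_HEADER} header missing; nothing to report")
    return f"{DEBUG_HEADER}: {did}\n\n--- full headers ---\n{headers_only(raw)}"


if __name__ == "__main__":
    print(build_report(SAMPLE_EML))
```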

With the above two thoughts in mind - perspective and feedback - what do you - the CudaMail client - want to see from the CudaMail system? Do you want to be sent reports on a regular basis (Daily, Weekly or Monthly) or will this just add to your information overload?

We look forward to hearing from you, either in the comments below or directly at support@CudaMail.com.

- Shaun


About the author

Shaun Sturby, MCSE
Technical Services Manager, and Optrics' point person for email security
