Emails with the subject “You are in a higher tax bracket”, from “Tax Commisar”, have been making the rounds for the last 20 hours or so. After reminding you that the US uses a progressive income tax, you’re told that you’re making more money than last year, and that you should review your annual tax report. The included link takes you to a double threat – the page itself tells you that you need a new Flash player, and it will attempt to automatically download (and run) a PDF file. The “Flash updater” is an installer for the Zeus bot, and the PDF file takes advantages of some known vulnerabilities in unpatched Adobe Acrobat versions to take control of your machine if the Flash updater doesn’t get it first.

Make sure you’ve grabbed the last Acrobat updates from Adobe, along with all of the other security patches that you should be keeping on top of. Malefactors have been using Acrobat as an abuse vector for a while, and it’s just getting worse.

There are a lot of email and SMS messages flying around over the last few days containing text like this (payload website name removed):

Hey, Obama's giving Gov Grants to help families in your area to stimulate the economy. Check it out, SCAMWEBSITE.com, don't miss out. It won't last long!

The payload websites try to look legitimate, with “As seen on CNBC, MSNBC, and CNN” logos everywhere, fake comments (with additional commenting “disabled due to spam”), and testimonials from people who claim this actually worked for them. These sites direct you to another site, liberally sprinkled with American flags and logos of the major news networks, which asks you for your contact information and a credit card, from which they will charge you a $1.95 shipping fee to send you an information packet. Hidden in the terms and conditions, however, you’ll find that this $1.95 only covers your “one-day trial period”, and that they’re going to bill you approximately $60/month until you cancel. You can read more about this, including a large number of archived complaints about this scam, at complaintboard.com.

Remember – if it seems to good to be true, it probably is. Careful reading of terms and conditions, along with research and a healthy dose of skepticism, can help keep you from being a victim.

Subject lines include:

• AIM critical update
• Your AOL Instant Messenger will be deleted
• AOL Instant Messenger critical update

Kaspersky identifies the downloaded file as an installer for the Zeus bot, which has been used both for spamming and for stealing personal information and was most recently in the news for having made a home within the Amazon cloud.

As always, practicing safe computing will help you. Be wary of ’security alerts’ that ask you to download files, pay attention to those URLs (www.aim.com/download is not the same as www.aim.com.download.botdomain.com), and keep your anti-virus and anti-malware programs up-to-date.

The FBI and Better Business Bureau are both warning people about scam donation sites related to the recent earthquake in Haiti. Users should be extra wary of requests for donations that come to them unsolicited, from people they do not know.

Of course, there are legitimate ways to donate. The American Red Cross is taking donations through their website. They are also accepting donations by text message – texting “HAITI” to 90999 will donate $10 to the Red Cross, billed to your cell phone. A similar donation process is being handled by Yele.org – texting “YELE” to 501501 will donate $5. When you visit a charity’s site to donate, be certain that you’re at their legitimate site – be careful of links (especially shortened links) spread through social networking sites, as they may not be taking you to the official charities’ sites.

• end-users have complained, in volume, about your email, or other email from your IP address

It is that simple. ISPs and anti-spam filters take steps to block mail because their users tell them it’s unwanted. They are not blocking email because they don’t like you. Senders of all sizes need to be aware that ISPs are paying much more attention now to the behavior of their users and, when their customers say “we don’t want this mail”, it has real meaning. As noted, in part, in this blog post by Laura Atkins at Word to the Wise, ISPs and deliverability experts have been saying similar things for quite some time. Keeping your recipients engaged and making sure that what you’re sending is wanted and requested before you send it goes a long way to making sure it makes it into the inbox. Also – once a user tells you they don’t want your mail by unsubscribing, don’t send them more mail! It seems obvious, but it’s happened more than once, and one of the worst things that you can do to your reputation is accidentally send mail to your suppression list.

Something else to consider – the concept of “end-user complaints”, for many ISPs and anti-spam filters, also includes email messages sent to long-dead addresses or to addresses that have never existed. If an email address has been dead, and the ISP has been sending you “no such user” or “invalid recipient” bounces, for the last few months and you’re still trying to send to it, that’s going to put your acquisition and retention policies in doubt, and the reputation of the rest of your email will sink. Al Iverson with Exact Target talks a bit about that in this post. The takeaway here is that maintaining a mailing list is more than just acquiring addresses – it’s making sure with that you respond quickly and appropriately to every unsubscribe request or bounce message you receive for every mailing you send out, it’s making sure that you are proactive in determining why your recipients don’t want your mail and taking steps to make sure they do want it, and it’s nurturing your relationship with your recipients.

Authenticate

If you aren’t signing your mails with DKIM (DomainKeys Identified Mail) yet, make 2010 the year that you start! Whilst DKIM alone won’t help improve your deliverability, if you have other good sending practices, you should be able to take advantage of your good reputation.

If you aren’t too sure about what the various flags mean, J.D. Falk recently posted a quick guide which should get you up to speed.

Additionally, if you publish SPF (Sender Policy Framework) records for a sending domain or hostname, consider being more specific about where your mail might be sent from. Stating that mail will come from a handful of servers makes the record much more useful to receivers than blanket coverage of every IP address that your email or Internet service provider has.

De-clutter the Inbox

Even when recipients are receiving newsletters that they want, sometimes the volumes they receive can overwhelm and lead to unsubscribes, or worse, the spam button. If you’re sending more than one newsletter to a recipient per week, consider if that really is the best policy; you should definitely be giving them the option to define how often they receive your mails in this case.

Go truly Opt-In

Are you still making new subscribers un-tick the checkbox on your signup forms? You really, really shouldn’t be. If your signup form has the checkbox pre-ticked and you make them un-tick it in order not to receive your newsletter, this makes your list an opt-out one, not an opt-in one. This is not best practice. Christine Borgia has a good example of this topic and goes on further to talk about engagement on the AOL postmaster blog.

While we’re at it, make sure that the accompanying text that explains what happens if the checkbox is ticked or not is written in simple and plain language. You don’t want to not confuse them into not signing up for your list, after all.

Reply and Exist

Please do not reply using this e-mail address. If you have any problems or questions regarding this survey, you can click here

Please do not reply directly to this email as no-one will respond. If you wish to contact [sender], please do so via the ‘contact us’ section of our website

We’ve all seen mails containing sentences such as these. The intent behind them has some validity; you don’t want your mailboxes to fill up with lots of queries and it is more efficient to channel recipients through your already established processes. Just think about this for a moment though, if you don’t want to get mails from your recipients, why are they going to want to get mails from you? Beware the perils of getting this really wrong!

Promote the Unsubscribe Link

Unsubscribes are not what you want but they are a lot better than getting the spam button treatment. If the recipient doesn’t want your mail anymore they probably won’t want to scroll all the way to the bottom of your mail. Make it easier for them to unsubscribe from your list than to hit that spam button, which could have knock on effects for your reputation. It isn’t a particularly new concept either.

Be Transparent

If you use shortened domains, either for the reverse DNS of your IP allocations or for links within your content, make it easier to spot and more obvious that those are yours. Consider directing HTTP requests to those domains to your own website, perhaps a specific set of pages that outlines exactly what these domains are used for.

Whilst we’re on a transparency trip, step out from behind that domain whois proxy service. If you are a legitimate business then there is no reason to be hiding your details behind one of these services, intended more for private individuals. Laura at Word to the Wise has commented on this same topic as part of her Thats What Spammers Do series.

Hopefully there is at least one resolution for you in there to stick by. Above all, just resolve not to engage in practices that make it hard to distinguish you from a spammer; oh, and try not to break it before the end of January, OK?

Happy New Year!

Snowshoe/hailstorm attacks:

Snowshoe spam is a campaign which is distributed across multiple IP addresses within a /24 netblock (256 IP addresses) and migrates through large portions of a /16 (65,536 IP addresses). These campaigns commonly feature hashbuster text within the body of the messages, rotating domains in the call to action, and/or random word combinations in rDNS.

A hailstorm attack is a snowshoe campaign across smaller netblocks (/25 and /27 observed, not always contiguous), mailing over a shorter duration (under one minute, usually within seconds) with simultaneous connections. Typically, spammers engage in snowshoe and hailstorm attacks to evade DNSbls and other IP address and volume based spam filters.

Over the past 30 days, over 60% of the IP addresses sending new snowshoe spam campaigns to the Cloudmark Global Threat Network were located in Romania. IP addresses in the United States were responsible for almost 27% of snowshoe campaigns.

Botnet driven spam:

We have observed a significant amount of spam originating from the Cutwail botnet leading to installers for Zeus/Zbot. Recently, messages telling recipients to register in the CDC’s H1N1 program have been observed.

URL obfuscation:

Although URL obfuscation is nothing new, we continue to see it used by spammers to evade spam filters and trick the recipient. Some of the obfuscation methods we observed included the use of hex, octal, and HTML numeric and character entity encoding in URLs, the use of extra characters in href tags, and the use of style tags within the domain of the call to action.

Example of HTML numeric entity encoding:

<a href=”http://ffq&#8211;bz.d107ptsn&#178;01.com/ “>Click here</a>

&#8211; is an en dash:  –

&#178; is a superscript two:  ²

HTML numeric and character entity encoding are decoded and successfully rendered by many mail clients and browsers. In the example above, the domain is ffq–bz.d107ptsn²01.com.

Example of the use of style tags within the domain:

• http://<STYLE>Uqbysa for varykuto Qzufyce jzy</STYLE>fairsha<STYLE>Aziw for suilto Yhaxjnary lygavun</STYLE>pe.com

In a mail client (such as Outlook) or a webmail client, the recipient would only see http://fairshape.com. However, it would be a non-clickable link, so the recipient would need to copy and paste the URL into the web browser.

We have also observed spam containing Google properties (e.g., groups.google.com, docs.google.com, writely.google.com), spaces.live.com, and many other places hosting user-generated content as the call-to-action URL ultimately serving up landing pages advertising online pharmacies. These online pharmacy landing pages are hosted off of the same IP addresses as domains advertised in wavy image spam.

Perfectly innocent websites are being compromised as well and are being used to host spam content (usually redirectors leading to online pharmacy landing sites). These web pages are appearing as the call to action in spam, and unfortunately, due to the high number of insecure websites, the spammers have a dynamic set of hosting resources to burn through.

We also observed an increase in economy related spam. The content varied from debt consolidation services to work at home scams.

One of the most egregious work at home scams advertised through email, Facebook, and Twitter spam was the Google work at home scam. The messages promoted a free kit for recipients to make money through Google. Unfortunately, recipients were required to provide their credit card information to pay for a small shipping and handling fee. Subsequently, the recipients were charged a substantial recurring monthly fee, and most were unable to reverse or stop the charges. This scam has no legitimate ties to Google. In fact, Google recently filed suit in US District Court in Utah against Pacific Webworks, Inc. and John Does for violations of trademark, cyberpiracy, and consumer sales practices laws.

Will email become nonexistent in the face of new age media? Is seeking permission the most important act of email senders? What is an engaged recipient? These questions and more answered in the BrontoBlog.

http://blog.bronto.com/2009/12/18/deliverability-forum-cloudmark/

I disagree with this statement. Speaking from a filtering point of view, we do not tweak our filters to be more aggressive merely because there is a higher volume of emails coming in during the holidays. Year round, we are constantly updating our filters and implementing new approaches to address mail which attempts to circumvent policies, filters, and blocklists. On the other hand, the holiday season is the time of year that ESPs and senders pull out mailing lists they haven’t touched since last year, blow the dust off of them, and try mailing to them in the hopes of garnering a few last-minute click-throughs. That behavior is likely to cause a lockdown on filters, as ISPs see an increase in bounces, attempts to deliver to old addresses, and complaints from users who, having not heard from you in a year, are no longer engaged.

Keeping your recipients engaged and your lists clean are year-round activities. If the only time you think of your recipients is the holiday season, don’t be surprised that they’re not thinking about you, either. Monitoring bounces and feedback loops, aging out unresponsive recipients, re-engaging jaded customers… these are basic list hygiene actions and should be performed year-round.

This past year, Cloudmark has been conducting ESP outreach to promote open and transparent communication between ESPs and anti-spam vendors/receivers.  We understand the senders’ role in the email ecosystem. Although it is important to block and filter spam from being delivered to the inbox, it is just as important to allow permissioned, legitimate, wanted email to be delivered to the awaiting recipient.

However, if senders engage in practices which abuse the recipient (e.g., lack of explicit permission, lack of relevancy, excessive frequency) and/or abuse the receiver (e.g., circumventing filters, obfuscating identity, rotating IP space), it is the responsibility of the entire email ecosystem to take action to preserve email as a viable channel of communication. Historically, anti-spam vendors, receivers, and recipients have been bearing the load and addressing these issues. It is time for ESPs and senders to do the same. ESPs, if you are serious about reducing abusive messages being sent through you as well as preventing your company (reputation, account managers, deliverability folks, etc) and industry from being abused, then I am willing to help and provide as much input and insight as I can. However, if it is just lip-service, I cannot help you unless you are willing to help yourselves.