Scranton is the home of “Network Operations Center” (aka hostnoc.net/burst.net), a hosting service that has been criticized for over a decade for inadequate spam prevention. About 2.5% of all the spam that we block comes from this ISP. They are not a criminal spam organization themselves, but they are making so little effort to prevent spammers using their servers that they are consistently the number one spam source in the world.

All of the other locations on the list are major cities where a Spammer might reasonably want to operate from, with one exception: Sunnyvale. We block more spam from Sunnyvale than we do from the whole of China.

Sunnyvale? Twenty square miles of suburban sprawl nestling between the San Francisco Bay and the verdant shopping malls of Cupertino.  Is this an opportunity for the Cloudmark SWAT Team to leave our trendy South of Market loft space, leap on Caltrain, and just eighteen stations later reconfigure the spammer’s servers with a sledgehammer? It’s the stuff that dreams are made of.

Sadly it is not to be. (Put that hammer down, Igor.) It turns out that almost all of that Sunnyvale spam is coming from a very respected email service provider. Once again, it is not the company itself that is sending out the spam, it is sent via thousands of dummy webmail accounts, probably operated from botnets. While a certain amount of abuse is to be expected in any free webmail service, this can be mitigated. For any email service provider, outbound spam filtering should be as important as inbound – which is of course why Cloudmark provides the leading solution for both.

The weekend effect varies quite a bit depending on the country that the spam is sent from. The chart below shows the percentage of spam that turns up on each day of the week, broken down by country of origin. (The figures have been normalized so that each country adds up to 100 – in fact the majority of spam we see comes from servers or botnets in the US, and this would dwarf the other countries if plotted to scale.) Where the chart slopes down at the right that means there is less spam coming from that country at weekends.

As you  can see, there is a strong weekend effect in Brazil and Italy, where the traffic goes down to less than 60% of the weekday average, but there is very little in China and Japan. Though all the top twenty spam source countries show some weekend effect it is least in Asia, with Japan, Vietnam, and China all having a weekend percentage of 90% or more of the weekday rate. Hong Kong, however, perhaps because of the British traditions there, weighed in with a respectable 69% weekend effect, 1% better than Great Britain itself, where the weekend was invented.

Here’s the full list

So why is the weekend effect so pronounced in Brazil and Italy? Is it because they are devout Catholic countries and the spammers are in church on Sunday praying for forgiveness? Or are they too hung over from partying on Friday and Saturday nights to send out any spam? Look for further reports on this if I can persuade Cloudmark management to finance field trips to Italy and Brazil.

This is where the spammer hacks into a third party web site and places a file or script there that will redirect traffic to their web site. The web site continues to operate as usual, except that one or more URLs have been compromised. These are then used by the spammer to hide the call to action in the spam they send out. Instead of a link to GetYourViagraHere.com the link in the spam email is to PerfectlyInnocentWebSite/directory/random.html which redirects to  GetYourViagraHere.com.

This is obviously bad news for the owner of PerfectlyInnocentWebSite.com. Not only are they likely to get an unexpected burst of traffic which may reduce performance on their server or incur additional bandwidth costs, they suffer the potential difficulty of their web site being associated with spam and may even find their legitimate emails being blocked. Nobody is immune to this. We’ve seen schools, restaurants, small businesses and churches have their web sites hacked. In one case a company offering security services was notified that their web site had a page redirecting to a porn web site, which is not the greatest advertisement for their business.

If you have a web site, what can you do to make sure it isn’t compromised? First of all, make sure that your server software is up to date and has all the latest security patches. The vast majority of compromised machines are not due to zero day exploits for which there is no defense, they are due to attacks for which a patch exists but has not been applied to that particular machine. Remember you need to keep your entire software stack up to date, including scripting languages, frameworks and database.

You should also monitor your server logs to see if your site has been hacked. You can do this even if it is hosted on a third party service where you have no control over the software. Check for spikes in activity. Look for pages that suddenly become active, especially if you don’t remember adding them to your web site. Also, check your referring pages . Links from emails will either have a blank referring page, or will come from the URL of a webmail client. If you see a large number of referring pages where there is the string “mail” somewhere in the URL, take a close look at where that traffic is going. These sorts of checks are easy to automate, and a daily or hourly cron job looking for unusual activity of this type could save you a lot of pain.

Cloudmark’s filtering system is smart enough to tell the difference between a hacked domain, where we will block only those emails featuring the compromised URLs, and a rogue web site, where we will block all emails linking to that domain. However, all spam filters are not created equal. If your domain is hacked you could well fall foul of less precise filters and have your legitimate emails blocked, not to mention the fun of having to explain to your clients/pupils/parishioners why your web site is promoting Viagra or naked coeds.  So, make sure your server is secure and keep an eye on those logs.

The main contributor to the spikes you see there is an email with the subject, Receive up to $500 in tax credits with New Windows. Look inside and it’s nothing to do with Microsoft, they are talking about real, physical windows. The contents of the email vary, but here’s an image from a typical one.

All mention of tax credits has vanished at this point. That was just a hook to get you to open the email. There is still a large SAVE $500 icon but that, it says in the fine print, comes from a 30% saving in annual energy bills. There’s also unauthorized use of logos from Sears, Home Depot and a variety of window manufacturers. (Lowe’s must be feeling left out.)

Clicking on the image from Cloudmark HQ in San Francisco goes to a page that collects minimal information on windows requirement, but does mention San Francisco, so they are geocoding based on the IP address.

The next page in the sequence collects contact information, and submits it to an affiliate program. All this might just be written off as aggressive and somewhat deceptive marketing coupled with bad mailing list hygiene, until you click on the call to action link from a Canadian IP address. And then…

On the next page

You have to admire the Time Remaining counter to add that desperate sense of urgency, not to mention the annoying way the title bar kept flipping between You Are Today’s Toronto Winner and Congratulations!  As a James Bond fan from way back, I was hoping the counter would stop on 00.7 like it does every time Bond stops a bomb going off, but no such luck. It just got down to zero and I still had a chance to click on the image to claim my prize.

Somebody should tell these guys the new iPad is out now. This is the start of a common scam that first has the user supply personal data which is used to generate affiliate revenue, then an advanced fee is requested to deliver the prize, and finally the credit card information supplied for the advanced fee is used to make further charges. Oh, yes, and the prize never turns up. Somehow I doubt if the new windows will, either.

A couple of weeks ago, the Internet pharmacy verification site LegitScript released a report detailing how the domain registrar Internet.bs was helping to support the rogue online pharmacy trade by allowing suspect organisations to register thousands of domains which are then used in spam attacks. Spamhaus further added to this report, commenting:

A lot of registrars still need to step up their game in dealing with abuse issues. The clock is ticking, because if the domain industry does not start playing their part in the global fight against cybercrime and regulates itself, it will be regulated by others.

Since March 20th, we have been tracking a noticeable increase in the number of new .be domains (the country code for Belgium) being seen used as the the call-to-action domain in a variety of snowshoe spam attacks. This isn’t anything new, of course. We see spammers rapidly rotate through all manner of domains (URL shorteners, other country code top level domains, hacked websites) with this type of attack but what makes this interesting is that they are all registered via…Internet.bs.

This is a sample screenshot from one of the domains (each one points to the same template site, with the domain substituted at numerous places throughout). If we take a look at the numbers from the past 30 days:

This shows that there has been a 40% increase in .be domains seen in spam in the past week, compared to the previous 3 weeks. If you then look at the date of registration for those domains, this activity stands out even more:

That is over 10 times more registrations in the past week, compared to the previous 3 weeks. There are many players needed in the fight against spam and, like Spamhaus, we would also urge the domain industry to take a tougher and more decisive stand against the registration of such rogue domains, and the entities that allow it to happen.

For completeness, it should be noted that Internet.bs also issued a press release in response to the LegitScript report.

Usenet News is a good example. With fully distributed storage and management, there was no single point to control spam, and for a while most newsgroups became unusable. Now Usenet content can be accessed spam free through the Google Groups interface, but it is too late, and users have moved to other discussion forums. The eDonkey file sharing network is another example of a distributed network which has been completely taken over by spam files with interesting sounding titles but containing malware or porn. (Of course, the MPAA and RIAA probably consider this no great loss.) It’s also pretty much impossible these days to run an unmoderated WordPress blog without being spammed with back links.

Even with a central point of control, it is not enough to rely on the legal department to prevent violations of term of service. Any web site that allows users to post content is subject to abuse, and the richer the content that can be posted, the more possibility for abuse there is. Allowing links to be posted encourages back link spam for SEO purposes, as well as links to inappropriate sites. Sites which allow the posting of images hosted elsewhere can be used for click fraud, if the server hosting the image redirects to an affiliate link rather than serving up a JPEG. Allowing the posting of flash animations opens the door to a variety of attacks including click fraud, phishing and malware as well as plain old links or redirects to porn and pharma sites. If you let your users post arbitrary Javascript then pretty much any HTML based attack is possible. Recently we have seen Javascript on Tumblr pages used to turn them into redirectors to disguise the call to action URLs used in email spam.

All of these attacks can be defeated. For example, eBay allows the posting of third party images, HTML, and flash animations in eBay listing, but devotes substantial technical resources to scanning and monitoring all postings, so that click fraud, malware and phishing attacks are not a significant problem for eBay shoppers. Repeated scanning is important, as a flash animation hosted elsewhere can be modified days or weeks after a listing has been posted. However, the listing can still be deleted. The ability to retrospectively delete earlier posts once they have been identified as an attack is an advantage that social networks have over most messaging spam prevention, where once a message has been delivered it cannot be recalled.

Tools for spamming twitter have around for a while now, and there is also a large and liquid market for fake twitter followers.

Though Twitter has been effective in reducing spam from high levels in mid 2009, they are still vulnerable to mutating attacks. Until they put some throttle in place on account creation this is likely to continue. Of course, it is hard to tell a loss making pre-IPO company that they need to throttle back on growth, as growth is the most compelling story that they have for their investors.

Pinterest is the newcomer on the social networking scene, but rapidly growing. They are now one of the top thirty sites in the US, and have a demographic that is very attractive to marketers, including black hat marketers. Hence the email I received, offering a complete suite of tools for setting up a farm of Pinterest accounts, and using them to spam.

The techniques include tracking popular subjects and adding posts with the subjects but your links, trapping a user so that they cannot follow your link until they have repinned it, using URL shorteners to hide links, and automatically submitting links from the amazon.com affiliate program. The author claims, “In January I thought to give them a try by making up a couple of bots, after the success rates that I was seeing I decided to create a whole package of bots which I have been using non-stop since the day with just a couple of account bans which were caused by excessive spamming & also they even lasted a few days before being shut down!” It’s quite possible that the long term growth and survival of Pinterest will depend on how effectively they can respond to the script kiddies who are currently testing their defenses, and to the tier one operators who will follow once the profitability of spamming there has been demonstrated. Will they be another Usenet News or the next big thing?

WHOIS was an invention of the early Internet, back in days when humans maintained everything like network and domain assignments and everybody knew each other. It has not evolved gracefully with the rest of the Internet: From a technology perspective it doesn’t support internationalization or robust syntax (a date reported by any two registries could be in any format you can think of), and WHOIS servers in general aren’t built to operate at Internet scale. Policy-wise, there’s not even a requirement that registrars provide it as a service in many cases, or that the data be practically useful. And big customers of these data face problems like query rate limits and obscured or even false information.

What this means is that it’s difficult or impossible for us to be precise in our evaluation of a new domain or IP address. We can’t reliably determine who owns it, or whether it’s affiliated with someone we do know about, or when it was assigned, registered, updated, or expired. This means we have to guess at some of these using heuristics. It would be far better if we could make these determinations based on reliable data from trustworthy registrars rather than just using observation and educated guesses. We could also tell for sure which registrar handled the data, so we can detect common registrars handling registrations by miscreants.

But there’s now some big pressure to change this. ICANN’s administration has decided they want to see the current system replaced by something far more robust and reliable. Some RIRs (Regional Internet Registries, the folks that receive and then parcel out IP address blocks to local carriers) have deployed prototype systems that provide WHOIS data using RESTful concepts and a common, well-defined syntax. This huge modernization push will give us what we need to make proper use of WHOIS data, at long last. And the fact that this is voluntary on the network side is particularly exciting. What’s more, recently several big domain name registrars have said they’d also like to come to the table on the domain name registration side.

At the IETF, we’re starting a working group that will produce a series of RFCs defining the upgraded service so that clients and servers alike can start to exchange information. Things like internationalization, consistent format, scalability, quality of service, etc., can all be addressed by the proposed new system. This would indeed be a very welcome development.

Also coming up on the standards side: The progression of SPF, which has had Experimental status since its publication in 2006, to the Standards Track as the favoured email path authorization scheme; new developments in IPv6 standards and practices; best practices with respect to greylisting; a guide to safe handling of malformed mail; the evolution of email address internationalization; development of reputation services; and revision of HTTP.

Although DMARC is certainly a hot topic as well, as we saw at the MAAWG meeting last month, it hasn’t developed enough yet to warrant entry into the IETF realm, but that’ll come along in time. There will soon be other announcements about DMARC and our involvement in it.

Watch this space for updates on all the above as we make progress toward a safer standards-based messaging world.

Many events in the London Olympics were oversubscribed and tickets are in fact being allocated by a lottery system. This means anyone who has ordered tickets and is not using an effective spam filtering system will stand a good chance opening one of these messages if they receive it. Inside, the victims are told they have won $1,500,000 (or sometimes £1,000,000) and all they have to do is fill out this simple form with personal details. They may then either find their bank accounts cleared out or be asked for a series of advance fees to enable them to claim their reward. In more extreme forms of the Nigerian scam, some victims were persuaded to travel to Nigeria where they were kidnapped and held for ransom.

Variations of the advance fee scam have been around since the late 18th Century, but the arrival of the Internet has provided a vast new avenue for the corrupt and unscrupulous to beguile the naive and credulous. But surely everyone knows about it by now? It’s even been lampooned by comics from Flight of the Conchords to Dilbert. So why, if everyone knows about it, are the spammers still in business?

The answer lies in the demographics of the Internet. There are somewhere around two billion Internet users world wide and that number is growing by at least a hundred million every year. While some people have been taken for hundreds of thousands or even millions of dollars hoping to get money out of Nigeria, let’s assume very conservatively that the average take is a mere five thousand dollars, and that only one person in ten thousand is gullible enough to fall for this. That still means that there are potential earnings of at least fifty million dollars a year just from people new to the Internet.

Aside from effective spam filtering, next best defense against this scam is education, so here are a few handy tips to inoculate new Internet users:

• Your long lost grandfather did not emigrate to Nigeria.
• You can’t win a lottery without buying a lottery ticket.
• People with millions of dollars in hand can usually spell and punctuate correctly.
• THEY KNOW HOW TO TURN OFF CAPS LOCK, TOO!!!
• Finally, a precept from Sir Terry Pratchett: “Multiple exclamation marks are a sure sign of a diseased mind.”

Subject: A Valentine’s Gift _For Your Loved One ; up to 99% Off on Gifts, iPad2,LCD HDTV & more…

The links redirect to one of many “Penny Auction” sites. The Better Business Bureau has called penny auctions one of the top ten scams of 2011. They work like this. An item is auctioned off starting at one cent, and with bids increasing in one cent increments. Every bid delays the end of the auction by ten or twenty seconds... but every bid costs a fee, usually fifty cents or a dollar, whether or not the bidder is successful! Once a bidder has spent fifty or a hundred dollars in failed bids, they may feel obliged to keep on bidding in the hope of salvaging a profit out of the deal after all. For the iPad mentioned in the email above that sold for $18.23, bids cost $0.60 so the  the vendor would have collected $1,093.80 in bidding fees, as well as the $18.23 final sale price. Just to make sure that the vendor does not lose out, the software for running penny auctions contains the option of having robot bidders to keep the bidding open if the vendor has not yet collected enough in fees.

Penny auctions are an example of the Game Theory paradoxes related to the Prisoner's Dilemma, where a group of players, each one apparently acting out of rational self interest, end up with a result that is far worse than they could achieve if they were able to collaborate. As Joshua, the computer in the movie Wargames, said, "A strange game. The only winning move is not to play. How about a nice game of chess?"

Clicking on the links takes you to a website that will try to get you to sign up for a mix of various offers that are likely to cost you money in the long run.  You’ll also have to agree to get more email from a variety of “marketing partners” and to convince one of your friends to do the same.

To be fair, when you get to the website, they do tell you that in order to be eligible for your “free” iPad, you will need to go through all these conditions:

But that’s a lot of conditions that have to be meet.  Also note that it states “Your information will be shared with our marketing partners”, but it doesn’t mention who those partners are.  So you could be signing up for a lot of email from many different companies that you may or may not care about.  You also need to convince one of your friends to sign up and give their permission  to be sent  these emails.  Here’s one section from the Terms & Conditions that outlines what will occur if another unique household, that you have referred, doesn’t complete the program requirements.:

“J. If at the end of the 60-day period you have successfully completed the required number of reward offers but you have not referred (1) unique household(s) that also completed the program requirements, you will not be eligible to receive the reward. However, as a consolation for participating, you may automatically receive a check for a minimum amount of $25 or a $25 (minimum amount) gift card to the merchant of our choice.”- Terms and Conditions, I. ELIGIBILITY – J.

The Terms and Conditions also state that there is no way to cancel an account once you create it:

“C. Expiration/Cancellation of Account

(1.) Your account will expire 60 days from the date you register on this website. Upon expiration, you will no longer be eligible to receive the reward.

(2.) There is no way to cancel an account. If you no longer wish to remain a part of this website, you should refrain from accessing your account.”

- Terms and Conditions, II. REGISTRATION – C.

 

Lastly, when you try to leave the page, you get a “Confirm Navigation” window just to make sure you really want to leave: