Stuff 'n' nonsense about email, spam, travel, and life in the UK.

Friday, May 15, 2009

FAQ: Suffering Backscatter

Dear Richi, I have about 20-30 returned emails from some entity/person who is somehow using my domain to send out bulk email. How is that even possible?

Sadly, it's trivial for a spammer to forge your address. It's not your Web host's fault.

Some badly configured email servers auto-reply to spam. That's what you're seeing.

If you want to complain to anyone, complain to the people running the servers who are auto-replying to you. Here's a template complaint I've used before...
Hello. You are sending spam to me by bouncing spam to an unrelated person. I did not send the spam to your server: spammers forge the message sender. Hence, your reply goes to an innocent third party.

Perhaps you sent an unsolicited bounce because your mail server is incorrectly configured. Please don't do that. You should *reject* during the SMTP conversation, not *bounce* after accepting the spam message. It is not necessary for your MTA to send a non-delivery DSN -- you should reject at the point of SMTP RCPT with a 553 error or equivalent.

Or perhaps you're auto-replying to spam. Presumably you filter spam before delivering inbound email. In which case, this reply shows that spam is getting through those filters.

It's bad practice to accept a message for a non-existent user. If you accept and then bounce, you're sending spam. For more information, please see

If this was an isolated error, there's no need to be concerned that you will be blacklisted as a spam source. It usually takes several complaints to illustrate a pattern of email abuse.

However, I urge you to correctly configure your mail servers.
More info at an old post of mine: I Got 25,000 Spam Messages in Two Days!

Labels: ,

Saturday, May 02, 2009

CNN: carbon footprint of spam

Finally, I have the CNN footage.

Amusingly, they mixed up the captions, so Woody got my title...

No video? Click here for the carbon footprint of spam video.

Labels: , ,

Wednesday, April 29, 2009

A "Monster" Spammer (NYSE:MWW)

Update May 1 3.30 UTC: several listwashing requests.

Dear (NYSE:MWW),

You are spamming me. Stop it. Please.

You're sending marketing email to an address that has never given informed consent to receive it.

Not only that, but you're even breaking the spirit, if not the letter, of the U.S. CAN-SPAM Act. While your unwelcome missive does include the proscribed physical address and unsubscribe link, they are displayed in white text on a white background.

Yes, really. (I dare say they'd be more visible if my email client displayed HTML images by default, but like many clients, it doesn't.)

Naturally, it's also in violation of the law in which your UK subsidiary operates. There was no "prior consent" given, within the meaning of the Privacy and Electronic Communications (EC Directive) Regulations 2003. Offenders are liable to a fine of up to £5,000 in a magistrate's court, or an unlimited fine if the trial is before a jury.

Update May 1 3.30 UTC:
I've received a couple of email messages and a Twitter DM from Monster, expressing apologies for the situation. Sadly, these expressions of regret don't extend to actually fixing the spam problem; they appear to be an attempt to listwash.

Sorry, Monster; listwashing is bad practice. My standard operating procedure is to never unsubscribe from a list that I did not subscribe to.

If Monster wishes to solve this problem, it would stop sending email to addresses of people who did not subscribe. I'm open to a public dialogue on this subject: feel free to tweet or comment here, rather than privately emailing or DM'ing.

Labels: ,

Friday, April 24, 2009

BoxSentry Ditches Challenge/Response; Fights False Positives

Update Apr 25 6.30am UTC: fix name of product (thanks, Meng)

Singapore-based BoxSentry has historically been known as a challenge/response spam filter vendor. Readers will probably be aware that I'm no fan of C/R.

As time goes by, BoxSentry has gradually de-emphasized C/R, but until recently it was still sending challenges for a small but significant proportion of the spam it received -- and hence was sending unsolicited "replies" to people who had never sent email to the BoxSentry user.

Manish GoelManish Goel, BoxSentry's CEO, confirmed to me that his company no longer uses C/R. That's great news for Internet users. Well done, Manish; I know that I and others have been thorns in your side for a while about this; I appreciate your good humour in our occasional, heated debates!

Manish also brought other news. While beefing up their technology base -- in part to compensate for the loss of the C/R layer -- the company has developed new techniques to better identify false positives.

BoxSentry has wrapped the new techniques in a product it's calling LogiQ. The idea is that it can run alongside a traditional spam filter and automatically retrieve any false positives it finds.

As an illustration, Manish offered a "typical" example: over the test period, a deployed spam filter from one of the well-known vendors delivered 11,500 legitimate messages, but LogicQ found an additional 680 false positives in the filter's quarantine. That's a roughly average false positive rate, in my experience. Not the exactly state-of-the-art, but pretty representative of deployed spam filters. It might equate to one false positive every week per user.

Manish says that 100% of the false positives identified with these new techniques really are false positives -- although they may not catch all of them.

A bold claim; I'm looking forward to digging into the details of the techniques under NDA...

Labels: , ,

Thursday, April 23, 2009

Astaro drops its R&D-led roadmap

This is Angelo Comazzetto. A Canadian, of Italian heritage, living in the U.S., working for a German company.

When I met him last year, his business card said something like Evangelist. These days, he's the product manager for Astaro's line of low-cost Unified Threat Protection appliances. Dspite his title change, he's not lost his passionate, high-energy, rapid-fire delivery style ;-)

Some notes from our meeting:
  • "600 new features" in the past year
    • based on win/loss analysis and other customer requests
    • no longer R&D-led roadmap!
    • Versions 7.2, 7.3, 7.4 all "major" releases
  • Now uses Commtouch for anti-spam, Astaro loves them
  • Astaro has dropped Kaspersky: too expensive and inaccurate
  • Moved to Postgres from MySQL
  • Added full https content inspection
    • Several options for deploying the proxy certificates to user PCs
  • Network balancing across several connections
  • Supports the proprietary Cisco IPsec client
    • So can have people move from obsolete Cisco PIX and ASA to Astaro
    • Supports iPhone VPN client (nice demo)

Labels: ,

Wednesday, April 22, 2009

Commtouch's new OEM Web security business

At the RSA Conference yesterday, I sat down for a friendly chat with Amir Lev, the CTO of Commtouch.

Commtouch is best known for its OEM anti-spam engine, which is licensed by a long list of well-known email security vendors.

In January, the company launched a Web security service, using a similar architecture and business model as its anti-spam technology. In other words, it's a hybrid of a managed service—cloud-based, if you insist—that maintains a database of known Web pages, plus an OEM engine that queries the database and intelligently caches the results.

Why do it in the cloud? Amir argues that it's hard to categorize the whole Internet, as the database gets huge and the changes are too big to push the updates in a timely manner.

The service categorizes the known threats so that OEMs can produce different types of products. For example, an product focussed on anti-phishing, which will major on the web pages categorized as fake bank portals, etc.

Amir argues that being an OEM is a good place to be, as the industry continues to move to a "soup-to-nuts" UTP model. Commtouch's vendor customers will often specialize in one or two areas and license the rest conventionally.

More controversially, Amir also argues that it's risky to build a strategice relationship with a small, niche company that offers an OEM solution, because if they're bought out, they may lose the OEM strategic focus.

Well, he would say that, wouldn't he?

Labels: , ,

Tuesday, April 21, 2009

Abaca's radical anti-spam tech wins at Yahoo!

At the RSA Conference, I was almost blinded by the huge grins on the faces of the Abaca reps.

As you may recall, Abaca has a really interesting spin on the spam filtering problem. Finely-tuned mathematics and a big database of receiver statistics give back up some truly impressive claims. As I said last year, I'm reasonably convinced that it's not just a silly FUSSP.

For over a year, Abaca has been working on a deal with Yahoo! to add the technology—which they now call CLX—to the spam filtering mix. A few months ago, I heard unofficially that Yahoo! agreed to roll it out.

Now, Abaca is announcing that the rollout has been hugely successful, and Yahoo! is extremely satisfied with the result. Nice going.

As an update, here's the (claimed) highlights of the Abaca technology:
  • Guaranteed accuracy of at least 99% catch rate (with money-back contract terms)
  • Claimed false positive rate is infinitesimal (I calculate their claims equate to one in a million messages)
  • After bootstrapping with recipient email statistics, no user training is required, but can be individualized by users clicking the Spam/Not-spam buttons
  • By its nature, it's extremely scalable—a single small server can handle 90 million messages per hour
Of course, I can't verify these claims, but it would appear that Yahoo! effectively has.

Equally, I don't know how close to reality the false positive figures are -- at best they're based on user reports alone, which usually tend to significantly under-state the reality. But, again, if the Yahoo! user reports are anything close to 1:1,000,000, then Abaca has something really worth shouting about.

Labels: , ,

Tuesday, April 14, 2009

Spam and its Carbon Footprint

All uses of the Internet have an impact on climate change. Sadly, that includes the less-savory uses.

Spammers dumped 60 trillion messages onto the Internet in 2008. As the climate-change consensus becomes overwhelming, it's high time we looked at the environmental impact of spam.

Recently, McAfee commissioned climate-change consultants ICF calculate the carbon footprint of spam. McAfee also asked me to help. We calculated the energy use associated with each stage in the lifecycle of spam, including the energy used to transmit, process, and filter spam.

Globally, the annual spam energy use is 33 billion kilowatt-hours, or 33 TWh—that's as much electricity as 2.4 million U.S. homes use, with the same greenhouse gas emissions as 3.1 million passenger cars using 2 billion U.S. gallons of gasoline.[1]

Two Surprising Conclusions

Far from being a net consumer of energy, spam filtering actually saves an incredible amount of energy. Imagine if all the spam filters in the world were switched off for a day. It would actually increase the carbon footprint of spam by at least five times.[2] In other words, spam filtering saves 135 TWh of electricity per year—that's like taking 13 million cars off the road.

But we could do even better. Imagine if every inbox were protected by a state-of-the-art spam filter. We could save about 75% of the spam energy used today—25 TWh per year;[3] that's like taking 2.3 million cars off the road.

Other Results

The average greenhouse gas emission associated with a single spam message is 0.3 grams of CO2. That's like driving 3 feet (1 metre), but because of the annual volume of spam, it's like driving around the Earth 1.6 million times.[4]

A year's email at a typical medium-sized business uses 50,000 KWh, more than one fifth of which is associated with spam.[5]

Filtering spam is all well and good, but fighting spam at the source can have even better results. Taking McColo offline in late 2008 saved energy equivalent to taking 2.2 million cars off the road, before spammers rebuilt their sending capacity.

Energy use associated with spam is mainly consumed by end-users deleting spam and searching for legitimate email ("false positives"). Only 16% of energy use is from spam filtering itself.


My role in the McAfee project was to help ICF build a model that accurately reflected where energy was used in producing, transmitting, filtering, and dealing with spam. To this end I provided consultancy and data, plus some analysis of the results.

The data came from my 25 years of experience with email and spam, cross-correlated with data from other researchers (including McAfee and McAfee's competitors).
  1. 33 TWh of electricity use emits 17 million tonnes (19 million U.S. tons) of CO2, equivalent to 3.1 million passenger cars, burning 7.6 billion litres of gasoline (2 billion U.S. gallons), or 2.4 million U.S. homes' electrical usage.
  2. Switching off spam filtering for one day would multiply spam in the average inbox by 5x and multiply false positives by at least 10x. While no energy would be used by spam filters, this reduction is vastly outweighed by the energy used by end-users coping with spam.
  3. Most inboxes are protected by spam filters, but many of them are less accurate than the best filters. Some inboxes are still completely unprotected. State-of-the-art filters can achieve better than 98% effectiveness/0.01% false positives and use less power: assumes 25% power saving over legacy spam filters.
  4. Based on passenger car averaging 20 miles per U.S. gallon; mean equatorial circumference 40,041 km (24,870 miles).
  5. Refers to an organization with 200 average business email users.

Incremental Energy

In any calculation such as this, there's always the concern that we're double-counting energy that would have been used whether or not there was spam. Let me assure you that this isn't the case. I only wanted to be involved in the project if we were measuring this meaningfully.

So the data and calculations were carefully designed so as to only measure energy that is used as a direct result of there being spam. In other words, it is "incremental" energy.

PCs and servers use less energy when idle than when doing "work"—in most cases it's this additional energy that we measured.

More About the Methodology

Some wags have complained that ICF doesn't publish its methodology. They have clearly not read the full report, including the appendix, which helpfully titled, err, Statement of Methodology. Perhaps they're confused by the 8 page summary?

Download Full Report

You can now get the full 28 page version at the usual place.

Radio Interview

ORF interviewed me on Friday. Download it here: richi-on-orf.mp3.

Labels: , ,

Saturday, September 13, 2008

Jeremy Jaynes gets a free pass?

It's déjà vu all over again. I see that Jeremy Jaynes has won his most recent argument in Virginia that the state's anti-spam law is unconstitutional. (Once again, thanks to Slashdot for the heads-up.)

Jaynes would have us believe that spamming is protected speech under the U.S. First Amendment. The court didn't exactly say that, but concluded that the law as written was overly-broad, because it didn't explicitly differentiate between commercial speech and any other kind of speech (e.g., political expression).

While I agree that anti-spam laws shouldn't restrict political speech, I have a couple of issues with this decision:
  1. Spam is spam, whatever the content; I'd hate this to be seen as a license for nut-jobs to fill my inbox with political rants.
  2. Doesn't the U.S. constitution already make it clear that commercial speech isn't unprotected?
As I noted back in March, it was worrying that the previous decision was split 4-to-3.

Again, I say I find it really hard to believe that the American founding fathers intended my inbox be full of spam.

Labels: , , ,

Friday, June 20, 2008

"Secure Resolutions" Sends Spam

Update August 25: Just a quick note. I'd appreciate it if shills for Secure Resolutions would stop emailing me to say I'm an ignorant idiot.

Update June 19: VerticalResponse has confirmed that Secure Resolutions's account is now closed and banned. Well done, guys.

Yesterday, I got email from some company called Secure Resolutions.
We are contacting you because you are currently a customer or you have been a customer and we would like to continue to be your supplier of anti-malware and backup protection. I would like to take this opportunity to introduce you to our award winning, patented technology...
etc., etc., etc.

Trouble is, I've never heard of them, and the role account they sent it to is incapable of being a "customer" of anyone. Yes, friends: ergo, this email was spam.

(Incidentally, there seems to be some connection between this company and Panda Security, who I've also caught spamming.)

The company uses VerticalResponse to send this spam, so I shot a note to their abuse alias and got an encouraging note back from their Email Delivery & Policy Enforcement team. VR says it has "completely disabled" the Secure Resolution's account and "opened an investigation."

Watch this space for updates.

Anyone else had problems with this sender?

Labels: ,

Tuesday, June 17, 2008

Scott Richter Settles Another Spam Suit

Oh looky, it's our "friends" Steve and Scott Richter in the news again. This time, they've settled with MySpace for $6 million after being accused of spamming thousands of users -- and using phished accounts to do it (see today's IT Blogwatch for more).

Of course, Scott gave up spamming some time ago. Or did he? Brian Krebs today offers an interesting investigation into domain registrations of spamvertised Web sites:
More than three quarters of all Web sites advertised through spam are clustered at just 10 domain name registrars ... Out of the 15,000 spam-advertised domains we examined, nearly half -- 7,142 names -- were registered through a Broomfield, Colo. company called Dynamic Dolphin ... the seventh most-popular registrar among spammers ... [and] owned by a company called CPA Empire, which in turn is owned by Media Breakaway LLC. The CEO of Media Breakaway is none other than Scott Richter, the once self-avowed "Spam King" who claims to have quit the business. Anti-spam groups also have recently implicated Media Breakaway in the alleged hijacking of more than 65,000 Internet addresses for use in sending e-mail and hosting commercial Web sites.
Remember kids, Rule #1: Spammers lie.

Labels: , , ,

Wednesday, April 30, 2008

Your Reputation in Peril: Use Outbound Spam Filtering

Whether or not you or I believe Borderware's amazing claim that it filters 98% of spam using reputation alone, it's clear that reputation is increasingly important.

No surprise there, but what's the implication on legitimate email users?

As more and more spam filtering relies on your reputation as an email sender, your reputation gets more and more important. Lest we forget, most spam is sent by malware-infected zombies, some of which could be on your network.

That's why outbound spam filtering is increasingly important. It's not just about being a good 'net citizen -- you need it to protect your reputation.

If you don't keep a lid on spam exiting your network, your reputation will be trashed. In crude terms, your outbound IP addresses will be blacklisted, meaning your ability to send email to your legitimate business contacts will be severely limited.

If a few of your users are unwittingly sending spam, then all of your users will have serious trouble sending legitimate email.

Of course, an outbound spam filter can't, by definition, use sender reputation. It has to rely primarily on content filtering. Those that claim that reputation is the be-all-and-end-all of spam filtering are missing an important point.

With thanks to Proofpoint's Andrew Lochart and David Stanley, for a stimulating conversation last week.

Labels: ,

Saturday, April 19, 2008

The Media is Bored with Spam?

bored catI moderated a Ferris Research webinar earlier this week. It was intended to be a press-only event, to support a client's press release. Inevitably with these things, a few non-press register, but that's perfectly OK.

The client is a new spam filter vendor, that seems to have an interesting new twist on the problem (I'm reasonably convinced that it's not just a silly FUSSP).

The thing that really surprised me was how few press people turned up. In fact, non-press outnumbered the press folks two-to-one. What's up with that?

I also heard from the client's PR person (hi, Donna) that nobody has anything spam-related on their editorial calendars.

Doesn't the mainstream media care about spam any more? Certainly their readers do, as evidenced by the continuing churn in the spam filtering marketplace.

Any thoughts? Click the comments link below: I'm all ears.

Labels: ,

Wednesday, April 09, 2008

BorderWare claim: Amazing Reputation Filtering (RSA)

BorderWare is making a very interesting claim. It seems to be blocking an enormous proportion of its customers' inbound spam simply using IP reputation.

While most anti-spam vendors these days talk about blocking roughly 75% of the spam using IP reputation (basically a fancy word for DNSBLs), BorderWare's quoted statistic is 98.3%. Wow, that's a lot -- especially considering that the law of diminishing returns almost certainly applies.

This is a good thing because the more spam one can identify and block by reputation, the less spam content one has to examine using techniques such as Bayesian analysis, which are computationally "expensive".

But how does the company achieve such a high figure? By slashing the time taken for new entries to be added to its centralized reputation database (BSN, or "BorderWare Security Network" -- soon to be rebranded as "Reputation Authority").

These days, new zombie spam sources don't hang around to be detected, they get sending as soon and as fast as they can -- the botmasters have realized that a fresh, undetected spam source is far more effective than an old, known source. Minutes count; in fact in the spameconomy, time is money.

Labels: , ,

Proofpoint has a Reminder: It's Still Here (RSA)

Proofpoint has a new VP of marketing, and not a moment too soon. Andrew Lochart is the first to admit that his new employer has been very quiet recently, and he aims to change that.

Aside from the recent $20 million funding round and the additional 40 employees hired already this year, he reminds us that Proofpoint recently launched a hosted email security service, Proofpoint On Demand. This means that Proofpoint now offers its technology as a service, as software, as an appliance, and as a virtual appliance (a virtual-machine image of the appliance).

Sticking with what seems to be a "hybridized" theme, customers can mix and match the different form factors, while still managing them all from a single console. Handy, that.

Labels: , ,

Tuesday, April 08, 2008

Trend Micro's Hybrid Hosted Service (RSA)

Trend Micro takes an unusual approach with its hosted ("managed"; "in-the-cloud") email security service. Rather than trying to do everything, it sticks to what a service is good at.

Trend is applying the Pareto principle (a.k.a. "80/20 rule"). The company promotes a "hybrid" approach, with the hosted service implementing only a first level of spam filtering based on reputation -- filtering roughly 80% of the inbound spam. The remaining email is passed on to spam filtering appliances on the customers' premises, to deal with the other 20%.

The on-premise appliance can therefore more easily be customized to conform to local policy. When it comes to filtering spam using content, it's best to have an understanding of the types of legitimate content that the organization sends and receives -- the obvious example is medical organizations, who may well expect to receive email about a certain blue pill who's name begins with 'V'.

Of course, organization-specific customization ''can'' be done in the cloud -- there's nothing intrinsic about it that forces it to be on-premise, but this split in responsibilities seems like it has merit.

Labels: , , ,

Monday, March 31, 2008

Off to RSA

I'll be at the RSA conference next week, Monday-Wednesday. I'll also be doing other meetings in the SF bay area on the 3rd and 4th.

If you want to meetup or just get in touch, best bet is by email or text (+447789200701).

Labels: , , ,

Thursday, March 06, 2008

Spammers attaching .ZIP files with HTML inside

Since about 1am GMT today, I've seen a steady stream of messages with .ZIP attachments hit my spamtraps. The Zip files seem to contain a simple HTML page spamvertising the usual fake ED drugs.

Subjects include:
  • On Top All Night
  • Your Sexual Health
  • Master in bed are you
  • Smart in bed games
  • Be a big bed man
There seem to be two templates in use:
  1. a simple plain text body and a .ZIP attachment
  2. an HTML body (plus /alternative plain text) with the .ZIP file as a /related part


Sunday, March 02, 2008

Jeremy Jaynes Lost Appeal, but...

Hmmm, so I see that Jeremy Jaynes has lost his appeal in Virginia that spamming is protected speech under the U.S. First Amendment. (Thanks to Slashdot for the heads-up.)

Jolly good, and no surprise there, I think. However, why on Earth was it a 4-to-3 split decision? What were those three state supreme court judges thinking?

Well, according to the AP:
Justice Elizabeth Lacy wrote in a dissent that the law is "unconstitutionally overbroad on its face because it prohibits the anonymous transmission of all unsolicited bulk e-mail including those containing political, religious or other speech protected by the First Amendment."
Oh, balderdash. I find it really hard to believe that the American founding fathers intended my email to be full of spam.

Labels: , , ,

Friday, February 29, 2008

Spammers work for Desperate Social Networks

Hmm, email hitting spamtraps this morning for a social network called Sounds suspicious, no?

Let's see:
  • Spam sent to email addresses that only exist to trap spam? CHECK
  • Spam comes from dynamic consumer ISP space? CHECK
  • Envelope sender forged? CHECK
  • Date: header a couple of hours in the future? CHECK
  • "Content-Transfer-Encoding: 7bit" but includes 8-bit characters? CHECK
  • Text mentions "double opt-in" CHECK
  • Spamvertized website operates out of Latvia, not the UK? CHECK
Update: I only had a quick look and can't see anything obviously dodgy with the site itself. My suspicion is that it exists to spread malware -- either by exploiting browser vulnerabilities or by making people download Trojans when they register.

It could alternatively be a come-on for a Russian Brides style scam.

Labels: ,

Thursday, February 21, 2008

Can Anyone from Yahoo Help?

I have a client with a problem getting email to his customers on Yahoo. The users want the email, but it keeps turning up in their Bulk folders, not the Inbox. Most frustrating.

I've walked him through making everything squeaky-clean, but no luck.

Yahoo's "Postmaster" contacts just seem to be a huge black hole. Is there anybody reading this who can offer a clueful contact at Yahoo?


Labels: , , , ,

Friday, January 04, 2008

Alan Ralsky Indicted

Well well. It seems the Feds have decided that Ralsky has been helping the Russian stock kiters...
A federal grand jury indictment was unsealed today in Detroit charging 11 persons, including Alan M. Ralsky ... in a wide-ranging international fraud scheme involving the illegal use of bulk commercial e-mailing, or "spamming" ... The charges arose after a three-year investigation ... revealed a sophisticated and extensive spamming operation that, as alleged in the indictment, largely focused on running a stock “pump and dump” scheme.
Much, much more at today's IT Blogwatch.

(Happy new year, by the way.)

Labels: , , ,

Tuesday, November 06, 2007

Hilariously Bad 419 Scam Come-On

Hilariously bad 419 just hit inbox. Must. Stop. Laughing. And. Blog. It...
Minneapolis Telephone Network (MTN)
Foundation's Officer
125 Allen Avenue,

The Minneapolis Telephone Network (MTN),
would like to notify you that you have been
chosen by the board of trustees as one of the
final of a cash Grant/Donation for your own
personal, educational, and business
development.The Minneapolis Telephone
Network (MTN) was established by the Multi-
Million groups in 1993 was conceived with the
objective of human growth, educational, and
community development.To celebrate the 15th
anniversary program, the Minneapolis
Telephone Network in conjunction with the
Economic Community for West African States
(ECOWAS), United Nations Organization (UNO)
and the European Union (EU) is giving out a
yearly donation of Euro??3,500,000.00 (Three
Million ,Five Hundred Thousand Euro) and an
Auto-Mobile (Peugort 207 Car) each to 20 lucky
recipients for their patronage to this
organisation and continues growth.This
Donation/Grants is in view to mark it 15th years
of Best Telephone Network all over African and
some parts of the world.At least 20% of the
awarded funds should be used by you to
develop a part of your environment.Based on
the random selection exercise of internet
websites and millions of supermarket cash
invoices worldwide, you were selected among
the lucky recipients to receive the award sum of
Euro??3,500,000.00 (Three Million ,Five Hundred
Thousand Euro) and an Auto-Mobile (Peugort
207 Car) as charity donations/aid from the MTN
Group Limited (MTN Group), ECOWAS, EU and
the UNO in accordance with the enabling act of
Parliament. Your Qualification/Reference
numbers (M-323-T-6747, N-900-56) should be
quoated by winners in all discussions. You are
required to choose your delivery option which
will be convient for you in the order below:

1. Diplomatic Courier Service,Delivery To Your
Home Address.

2. Telegrahic Wire-Transfer,To Your
International Bank.

You are required to contact the promotion
agent in the below order.
Executive Secretary- Mr Raymond Chua Swee
All information is strictly confidential.
Mrs Gucci Villary
Minneapolis Telephone Network (MTN)
Foundation's Officer

Labels: ,

Wednesday, October 24, 2007

Gmail, How do I Love Thee? Let me Count the Ways...

Here's a quick Gmail goodness grab-bag top-10...
  1. Spam filtering. It just works. I estimate it kills more than 99% of my spam, and the only occasional false positives I get are from Yahoo Groups (which is a spam cesspit anyway) and mailing lists that include spam samples (uhhh...)

  2. IMAP access. Yay, we've been asking and asking and asking for it, but it finally arrived yesterday.

  3. Local front-end servers. Recently, Google moved the POP/IMAP/SMTP servers I connect to. They're not now in the U.S., but much closer to me (in the UK?). Some sort of routing cleverness, I dare say. This means downloading a load of messages is now very, very fast.

  4. Search and Filters. Fast, flexible, frequently-very-useful. Especially when combined with the saved search extension for Firefox (using Greasemonkey or the Better Gmail extension).

  5. Labels. I know some people hate 'em, to which I say, "Just think of them as folders." But they're so much better than folders, mainly 'cos you can "file" a message in more than one of them.

  6. Fetchmail. Integrated, as way of grabbing your email from other accounts, using POP. Saves auto-forwarding, which is increasingly broken.

  7. AJAX. Not as ground-breaking as OWA, not as flashy as Oddpost/Yahoo/SWA, not as mashable as Zimbra, but fast and usable all the same.

  8. Keyboard shortcuts. A big productivity saver. I hate to move my hands off the keyboard to find my mouse -- that's a key reason why I don't "do" Mac OS.

  9. Google Apps. A white label version of Gmail is included in Google's hosted applications service.

  10. Free. Yes, as a confirmed cheapskate, this is a good thing. Even Google Apps is free for up to 50 mailboxes. No more do vanity domain owners have to suffer the slings and arrows of outrageous email forwarders.

Labels: , , ,

Tuesday, October 16, 2007

Email Sender Reputation at all, David?

David Berlind sounds like he's sick of talking to hyperbole-fuelled anti-spam vendors. Can't say I blame him.
It is probably true that if everyone in the world ran just one solution, we’d be able to tweak that solution in such a way that we’d finally get a handle on the inbound and outbound problems associated with spam. When everyone has access to the same technology, there’s a name for that. It’s called a standard. There is zero chance of some proprietary solution becoming the defacto antispam solution for the world. But, if only AOL, Google, Microsoft, and Yahoo (the world’s leading e-mail solution/service providers) would get together and decide on what the non-proprietary standards should be and implement them in their systems, it wouldn’t be long before every other e-mail solution provider would have to follow suit (in order for their e-mails to interoperate).
Well, the thing is, in many ways, AOL, Google and Yahoo are doing what he asks (and even Microsoft is making encouraging noises).

The "standard" the industry's heading towards is "true" sender reputation (i.e., not the DNS-IP-blacklists-on-drugs that we have today). Being able to store and share opinions about the "goodness" of an individual sender and/or sender domain would be incredibly useful, but we're not there yet -- mainly because email is to easy to forge. This is where sender authentication comes in.

So the necessary precursor to sender reputaion is to get everyone using DKIM, so we have a strong method of sender authentication (not just the relatively weak-but-easy SPF/SenderID) -- this is where the big three mentioned above is right now (and as I said, Microsoft is making encouraging noises, despite its wedded bliss with SenderID).

For more, see:

Labels: , , ,

Thursday, October 11, 2007

Is Spam Blocking at Odds with Common Carrier Status?

ISPs in many countries, including the U.S. enjoy a legal status often known as "Common Carrier." Simply put, this absolves the ISP of responsibility if it assists in the transfer of illegal materials, such as copyrighted works or child pornography. The philosophy is that as long as the ISP simply moves data from one place to another -- not making any judgment or discrimination about whether to move one type of data or another -- the ISP should enjoy a "safe harbour."

From time to time, some wag gets the idea that email filtering of spam and viruses would cause ISPs to lose this legal protection. In other words, if an ISP chooses not to deliver a message because it's "spam," the ISP is discriminating based on the content or source, which may remove the safe harbour. When one thinks about it, this is complete nonsense, but stranger things have happened in various legal systems around the world.

This debate is happening again. Thanks to the good work done by MAAWG and others, ISPs are being encouraged to set up outbound spam filtering, to prevent zombified PCs sending spam from their networks, and to encourage users to clean their infected machines with walled gardens. Naturally, some are expressing concern that such discrimination would count as another chink in their common carrier armour.

It's time for the FCC and similar regulators in other countries to step up and make it clear that such genuinely useful -- some would say essential -- discrimination would not affect an ISP's common carrier status.

BTW, sorry for the long hiatus. Call it Blogger's Block. Thanks to Kevin Soo Hoo for helping break it.

Labels: , ,

Thursday, August 30, 2007

Inadvertent Spamming: a Cautionary Tale

I learned today of a well-known software vendor whose business has suffered as a result of poor list management practices. It's not the first, and probably won't be the last. This sorry tale only goes to illustrate the importance of avoiding becoming an inadvertent spammer.

It appears that, although it had been legitimately sending mailings to its customers, the vendor had been ignoring unsubscribe requests. As I've said before, any unwanted bulk email sent by an organization after an appropriate unsubscribe request is spam -- an organization that fails to act on unsubscribe requests in this way is a spammer.

As a result of its failure to honour unsubscribe requests, complaints about the spam began to accumulate at the feet of the various organizations that track spammers' activity. Crucially, these include sender reputation services, such as DNSBLs (also known as IP blacklists). Inevitably, despite the fact that the majority of email it sent was legitimate, the vendor gained a negative reputation as a spammer.

This caused some recipients of its email to reject or otherwise filter these legitimate messages. Not only were legitimate direct marketing messages filtered, but also messages containing customers' license keys, technical support replies, etc.

This is indeed a cautionary tale: the lesson for senders is that the unsubscribe process is truly a mission-critical part of your direct marketing or transactional email workflow. Failure to ensure its integrity can not only cause legal problems, but damage your customer relationships and your business.


Tuesday, August 14, 2007

Spam Causing Email Exodus?

I was asked an interesting question earlier this week. Paraphrased:
With the sheer number of people using semi-proprietary closed systems such as Facebook or Myspace for their personal and business communication, might they be serious contenders for a real spam solution?
Some time ago, I wrote about the, "People are stopping using email" meme. I said then that it's not so much that people are turning their backs on email as a medium, but that they have a wider choice of media available to them now -- such as IM, SMS, and social network websites. They're just more likely to choose the medium best suited to the task. Nothing's changed my mind since then.

Having said that, feel free to poke me, follow me, LinkIn, or whatever.

To paraphrase Meng Weng Wong's recent curry-inspired trendmap, all such media attract spammers if they become sufficiently popular. Lest we forget, spam was first a big problem on USENET -- email came later.

Labels: , ,

Monday, August 06, 2007

C/R and "Spam Index" Conversation Roundup

I wanted to pull together some of the conversations that have been flying around recently about challenge/response spam filtering and this "spam index" idea. As is often the case, quite a bit of the value is in the conversation, in addition to the original posts, hence this roundup...

As the holder of a domain name frequently forged into the From: or Reply-To: fields of spam, I can testify for certain that it doesn't work. In fact, whenever I receive a challenge to one of those forged addresses, I make sure to reply to it to make sure the spam gets through. Petty, perhaps, but I'm not being paid to filter C/R users' spam, so I'll pass it through.

Dean Harding:
I'll admit I was a bit suspicious that if challenge/response was such a panacea why were there not more people using it? My point was not that people should start using challenge/response, though, it was more to just point out that many people are still not happy with their spam filtering.

Len Dressler:
[Richi,] you're really kind of a dork ... It appears you have some sort of agenda of your own, fairly skewed towards blacklist and the like, which from an IT managers perspective, is a joke.

Len, you're entitled to your opinion, and I will defend your right to express it to the best of my ability. Fact is, state of the art spam filters catch 95-99% of spam, with a vanishingly-small false positive rate. Such spam filters use a combination of techniques ... I see no evidence that a single approach—such as IP blacklisting—is viable.

I was interested in learning of Peter's methodology ... I attempted to register on his web site in order to download a copy of his report. I'm still waiting for a response, who knows maybe his acceptance e-mail was justifiably intercepted by my spam filter.

If its my inbox, it is a communication tool for me, and I own the right to ask people to verify they are who they say they are.

Don Marti:
I see lots of “I just started using C-R, it’s great” posts, but no “I’ve been using C-R for years and it’s great” posts. C-R is something that you try and give up on. Or, in my case, watch other people try and give up on.

Effective spam control is possible. It doesn't require cumbersome and work-flow disruptive band-aid solutions like C/R ... What's needed and has been proven to be most effective is a human feedback component. Several of the best anti-spam products available today include this as part of their toolset.

This is not to say that you need a solution where YOU have to be the human in the loop. The best vendors in the space do that for you and push new rules out to their customers every 10 mins or so.

Devil's Advocate:
Asking various people "how happy" they are with their present anti-spam product has absolutely no bearing on the effectiveness of those products ... if you ask if a C/R user sees less spam, you're going to get a "yes". But, what if you ask all the innocent 3rd parties that receive the challenges (which the C/R user doesn't see)? ... All C/R succeeds in doing is displacing the original spam volume in favour of its own variety of spam ... [and] shows a blatant disrepect for the health of the Internet.

Nonsense - I am no expert, just a user, but every fact you make is wrong.

In my spamtrap archive, I have several samples of inappropriate challenges from every C/R system known to me. Just in the past month, I've got challenge-spam from: [long list deleted]
Still don't believe that C/R systems send spam to innocent 3rd parties?

Peter Brockmann:
Your last post proves precisely the point. Users don't care and shouldn't have to care about what falls into YOUR inbox, only what falls into THEIRS.

So users don't care that they're sending spam, as long as they don't get any?
Increasingly, the main issue with C/R isn't that it annoys innocent 3rd parties -- it's that the backscatter hits spamtraps, causing legitimate challenges to go undelivered. Hence, the false positive rate of C/R is actually surprisingly high.

Ask a C/R user about this though, and they'll often be blissfully unaware. It's hard to know when one is missing a legitimate unsolicited message from someone you don't know.

David Merrill:
For recipients, challenge-response and sender verification methods are good, but their use can get your domain blacklisted. Why? Because each incoming message, spam or not, generates an outgoing message, and spammers can (and do) use those in denial-of-service attacks.

Justin Mason:
Focussing the debate on the “user’s inbox” ignores the overall picture, including everyone else’s mailbox, which is where C/R fails.

But my favourite comment has to be from Al Iverson, on the membership-only list, SPAM-L (Al kindly gave me his permission to be quoted here):
C/R is trapped in this eternal September of newbie solution developers who think they're the bee's knees because they figured out how to implement a "new" version of C/R (which is usually exactly the same as every other one). Then they act like a kicked puppy when we don't jump for joy over how awesome it is to see...yet another implementation of C/R.

Eternal September of newbie solution developers? Priceless!

Labels: , ,

Friday, July 27, 2007

Who is Peter Brockmann?

So, according to one Peter Brockmann, challenge/response (C/R) spam filtering is a wonderful thing, and beats all other anti-spam techniques into a cocked hat.

Huh? What? How did he come to that conclusion?

I've beaten the "C/R filters are a terrible idea" meme to death, as have many others, so I'm not going to repeat all that here. If you're new to the arguments, take a stroll through these posts (perhaps you should work from the bottom up).

But I was about to write about Peter's methodology. However, it would have been an identical post to the one Justin Mason wrote -- he beat me to the punch. So here are Justin's money quotes:
The “Spam Index” is a proprietary measurement of spam filtering, created by Brockmann and Company. A lower “Spam Index” score is better, apparently, so C/R wins!
However — there’s a fundamental flaw with that “Spam Index” measurement, though; it’s designed to make C/R look good ... The “Spam Index” therefore considers a false negative as
about as important as a false positive. However, in real terms, if a user’s legit mail is lost by a spam filter, that’s a much bigger failure than letting some more spam through. When measuring filters, you have to consider false positives as much more serious!
[And] the situations where C/R fails are ignored. Is it any wonder C/R wins when the criteria are skewed to
make that happen?
I too took a close look at his methodology. It is really, really, horribly biased in favour of C/R. Unbelievably so. By orders of magnitude, arguably.

The idea is that one can come up with a neat "score" for the performance of a spam filter -- of course, the exact composition and weighting of such a score can sway the results in any direction one chooses.

Statistics aside, asking C/R users if they're happy isn't the be-all and end-all of anti-spam research. C/R users may indeed be happy -- happily unaware that their spam filter is sending spam by replying to innocent third parties who's addresses have been forged by spammers.

(As an aside, I note with amusement that Peter mis-categorizes Commtouch and IronPort as DNSBLs -- which he calls "RBLs", so perhaps Trend Micro should whine at him about trademark infringement.)

So what's going on here? I first came across Peter earlier this month, when I noticed some rather odd edits to the Wikipedia page about Challenge-response spam filtering made by one Pjbrockmann. The edits did rather deviate from Wikipedia's prized "neutral point of view" (NPOV). I also noticed a sneaky link back to his site from the page: naughty-naughty (as a great philosopher once said).

So, let's check out The About page says, "Brockmann is a Wikipedia contributor." Well, golly, so he is. (Perhaps I should add that to my puff piece too.) His Wikipedia contributions extend to being dinged twice in April and June for spam and non-NPOV (the more recent issue noted above would make it three). Not so great.

Justin alleges that Peter has a relationship with Sendio. I don't know about that, but I do see he also mentions SpamArrest as an example of C/R. But does this (presumed) relationship stop him being objective? As Steve Hunt says, it, "Depends on what you mean by objective":
We are all mere mortals, and my own personal preferences will be very clear in the posts. Actually, my personal preferences and biases pay the bills ... Does that make me less than objective? I don't think so, but use your own judgment ... I commonly won’t expose which vendors I’ve helped because – frankly – it’s none of your business. It doesn’t change my ability to speak frankly and truthfully, and you might look at the list of companies and assume some bias that really doesn’t exist.
I like how Steve puts this, but I differ from Steve and Peter in that my personal preference is to maintain a list of clients in public (it's not a complete list, mainly for reasons of confidentiality -- e.g., when I've worked on expert witness contracts). So I guess you might look at that and, "Assume some bias that really doesn’t exist."

But, as an independent adviser/analyst/consultant, I also hope that you'll find that what I have to say is actually true.

Labels: , ,

Monday, July 09, 2007

Google Acquires Postini

Google announced that it has agreed to purchase Postini for $625 million in cash. Why?

Postini is best known for its managed ("hosted", "on-demand") spam filtering service, but that's not what attracted Google. Gmail and its Google Apps. cousin already have sound spam filtering technology -- they don't need help from Postini.

What Google needed was a way to round out its Google Apps. story with solutions for its customers' policy, compliance, and archiving/e-discovery needs. Google was already partnering with Postini to provide this for Google Apps. customers. Presumably the experience was a positive one and Google simply wanted to own the technology and people.

Google's statements hint that the lack of Google-owned technology in these areas has been a sales inhibitor:
Many businesses have been forced to choose between innovation on one hand, and these backoffice mandates on the other. In effect, many businesses use legacy systems not because they are the best for their users, but because they are able to support complex business rules. We agreed to acquire Postini in order to create a more complete Google Apps solution that addresses the information security and compliance issues facing businesses of all sizes.

Labels: ,

Tuesday, July 03, 2007

Srizbi Spam Bot is Nastier than we Thought

According to Symantec's Kaoru Hayashi, last month's Srizbi Trojan is nastier than it at first appeared. It could be a peek at things to come in the world of spam-sending bots.

Naturally, as a malware geek, Hayashi doesn't call it "nasty" -- he says "really interesting":
Trojan.Srizbi is really interesting for some unique features. Trojan.Srizbi driver (windbg48.sys) has two main functions: hides itself using a Rootkit and sends spam, but the thing that makes it really unique is the fact that its probably the first full-kernel malware spotted in the wild.

Once the Trojan is installed, it works without any user mode payload and does everything from kernel-mode, including sending spam ... The most interesting code is contained in the spam routine. We know that using network functionalities directly from kernel-mode is much more complicated and we have seen many rootkit threats in the past - for example, Haxdoor, Rustock, and Peacomm - always carrying over a user-mode payload that gets injected into some Windows processes. Trojan.Srizbi seems to move a step forward by working totally in kernel-mode without the need to inject anything into user-mode.
We think this sample is still in a “beta” stage and it’s not finished yet.
The implication being that, if a future version of Srizbi fixes the problems that currently make it visible, detection gets a lot harder. Needless to say, that may well cause more spam to get sent before an infection could be detected and remediated.

I especially liked this bit:
[It] seems to include a special routine to uninstall competitor rootkits, such as “wincom32.sys” and “ntio256.sys”.

Labels: , ,

Friday, June 22, 2007

The DHS is a Wonderful Organization

DHS logoSo I hear the U.S. Department of Homeland security has been having one or two problems with its computer security:
A subcommittee of the Committee on Homeland Security ... expressed "shock and disappointment" that the DHS had reported as many as 844 security incidents in fiscal years 2005 and 2006. The incidents occurred on IT networks at DHS headquarters, and those belonging to Immigration and Customs Enforcement, Customs and Border Protection (CBP) and the Federal Emergency Management Agency.

The security issues ... included one in which a password dumping utility was found on two DHS servers. In addition, Trojans and other malicious programs were found on numerous agency servers, and classified mail was found to have been sent out over insecure networks.
Trojans? Unencrypted sensitive email? Oh, big fat hairy deal. C'mon, this is nothing that you couldn't find in most organizations of that size. It's hardly DHS's fault.

Give them a break. In fact, give them all a big pay rise -- especially those nice officers who work the immigration and customs desks at America's fine airports (and the ones who sit in Canada, too). I do like them a lot, and look forward to my time chatting with them every time I visit the U.S.

They are all, without exception, wonderful people, and anyone who says otherwise is probably some sort of terrorist.

Labels: , , , ,

Wednesday, June 20, 2007

A (Partial) Spammer Taxonomy

I was recently asked by a journalist, "So who are these spammers, anyway?"

There are many different types of spammer. Here are some examples:
  • Affiliates of vendors of products that can cause embarrassment (e.g. pills and porno). Such spammers get paid by commission on sales. Some of the products may be genuine; many are fake or of dubious quality. See Why You Shouldn't Buy from Spammers
  • Criminal gangs intent on driving up the price of a stock. They will have bought the shares before sending the spam and then sell their shares when the price rises. This is known as "stock kiting" or a "pump and dump scam." See Pump'n'dump: it's all About the Timing, Baby
  • Advance-fee fraudsters. They write pretending to have access to a large amount of money and need your help to transfer it to another country. They offer a percentage of the money for your help. Often originates in Nigeria. Also known as a "419 scam." See Evidence of 419 Scam Targeting Using Google
  • Companies that don't respect unsubscribe requests. See ZD are Spammers!
  • Companies that, after you sign up for newsletter "A" also send you information about topic "B." This is known as "List repurposing." See Techweb Spams me; Am I Impatient?
  • Legitimate companies who have bought lists of email addresses in good faith from liars. They are told that the names on the list are willing to receive unsolicited email, but actually the list is just names harvested from Web pages or stolen from address books. Such companies should perform better due diligence, but often don't.


Monday, June 18, 2007

See you at Inbox/Outbox this Week?

I'll be keynoting again and sitting on the Spamhaus panel. I'm also running an extra session about sender authentication (i.e., SPF and DKIM).

Everything's repeated both days, except the panel, which is only on Tuesday.

If you can't find me, text me on +447789200701 (assuming you want to ;-)

Labels: , , , ,

Friday, June 08, 2007

Weird Story in Computerworld

Greetings from Vegas.

My chums at Computerworld have put up a very oddly-written story today. It seems that Kingfisher Bay, an Australian resort, was using an "aging" version of Symantec's spam filter. Surprise-surprise, old versions of spam filters don't work very well, letting through a lot of spam.

In fact, it turns out that the resort wasn't using the Symantec Brightmail technology at all. It was still using the old, pre-Brightmail engine. Oddly, Symantec still sells this -- can't see why that's a good idea.

Anyway, it sounds to me like the company decided it wanted to use a managed service, rather than an in-house solution. Many smaller organizations are making this choice. Their obvious targets are MessageLabs, Postini, Microsoft (née FrontBridge), or a bunch of smaller/regional providers.

In the end, they chose MessageLabs. Naturally, MessageLabs is crowing to the press about how it's gained a customer from Symantec.

But hang on, doesn't MessageLabs use Symantec Brightmail anti-spam for its service? How ironic...

Labels: , ,

Thursday, May 31, 2007

Soloway Arrested

I guess it's OK to call Robert Soloway a spammer -- he's already been convicted in U.S. civil charges of spamming in 2003.

This time though, he's been arrested on criminal charges, brought by the FTC. The list of laws he's alleged to have broken is extensive:
  • 10 counts of mail fraud
  • 5 counts of wire fraud
  • 5 counts of identity theft (aggravated)
  • 13 counts of money laundering
  • 2 counts of email fraud (the only counts related to the CAN-SPAM Act)
If convicted, the possible penalties add up to a very long time in jail. Aunty Beeb thinks 65 years, but that estimate might be on the high side...

Assuming that he didn't give up spamming in 2003, his arrest (so far without bail) should at the very least cause less spam to be sent (i.e. the spam that would have been sent by him while he's under arrest). If he gets jail time, so much the better.

So far, all the high profile civil spammer convictions have involved fines, with the exception of Jeremy Jaynes. These fines seem on the face of it to be large, but in comparison with the money earned by successful spammers, not so much.

While those convictions increased spammers' fear of getting caught, they also served to publicize the amounts that successful spammers can make -- it may have actually encouraged new spammers to enter the game. That's the law of unintended consequences in action.

This is how the law works. Laws encode a society's terms of acceptable behavior. The credible threat of punishment removes the incentive for bad actors to... well... act badly.

The various laws that prohibit spamming just got much more credible.

More: Seattle PI / TechMeme

Labels: ,

Friday, May 25, 2007

Locally-Maintained Reputation

In response to yesterday's blog post, Cisco DE Jim Fenton* wrote:
reputation can be locally-maintained. Local reputation is not as powerful as shared reputation services, but does provide benefit in the short term.
Yes, that's right. Local domain reputation is often expressed in terms of whitelists and blacklists. Without sender authentication, these are notoriously unreliable.

It nicely illustrates one of the benefits of authentication.

For example, users of anti-spam filters sometimes find their colleagues' email in the quarantine, so they add a wildcard whitelist entry for their domain. They soon discover that a significant chunk of spam will have their domain forged into the sender address. Without sender authentication, there's not a lot can be done about this.

However, with sender authentication, you can have a whitelisted domain entry that only allows the message a free pass if the authentication passes -- otherwise the normal spam filtering rules apply.

You could even impose a local policy that says if a message "from" our domain fails authentication, we'll reject it as spam, but this is probably too risky, at least in the early stages of deployment.

* - well, they claimed to be "Jim Fenton" and I assume it's that Jim, but perhaps it was a dog

Labels: , , ,

Thursday, May 24, 2007

CNET's Error Explaining DKIM

Declan McCullagh, writing in CNET, makes the standard schoolboy error of assuming that email sender authentication technologies are "antispam techniques."

They're not.

DomainKeys Identified Mail (DKIM) and other sender authentication technologies are simply ways to detect forgeries. At best, they give a partial indication whether a message is spam or not, but their main use is to allow recipients to look up the reputation of the sending domain.

Detecting phishing attacks via sender authentication depends on legitimate senders, such as PayPal, publishing information in the DNS. An email that purports to come from can then be verified against that published information.

Of course, this doesn’t stop phishers from using similar domains, such as Many users won't notice the difference. A DKIM test will "pass" because the bad actors own the fraudulent domain.

In other words, DKIM alone is almost useless. That's why we also need domain-level reputation services.

For several years, spam and virus control has been assisted by the use of DNS blacklists (DNSBLs). These list rogue IP addresses and address ranges that have been observed sending spam, viruses, or other undesirable content. The lists are interrogated in real time, usually via a DNS query. Several spam control vendors use a form of DNSBL, known as a reputation service. These provide a professionally run service that rates the reputations of IP addresses—good, bad, or unknown.

So today, we have IP address based reputation services, but not the ability to track and report the reputation of a sending domain. In the future, reputation services will be able to track the reputation of sending domains, as well as of IP addresses. This is not possible today, as the purported sender of a message is too easy to forge.

Email sender authentication techniques such as DKIM thus provide the missing piece of the puzzle, by allowing services to track the reputation of a domain. So, as the use of sender authentication becomes more widespread, reputation services will become more useful.

And with sender authentication becoming more popular, trusted authorities need a standard mechanism to vouch for a domain name. For example, a receiving mail system may be able to use SPF/SIDF or DKIM to verify that an incoming message was sent by, but it currently has no standard way of deciding if it wants to receive email from that company.

The Domain Assurance Council (DAC) plans to solve that problem by publishing reputation or accreditation data about a domain name in a standard form. This standard, called Vouch By Reference (VBR), will create a market for organizations that vouch for domains, allowing its members to compete with minimum friction.

By the way, according to his Politech bio, Declan McCullagh is CNET's chief political correspondent, as well as being a rather good photojournalist.

Labels: , ,

Tuesday, May 08, 2007

Flies, Maggots, and Russian Brides

Symantec has its latest monthly "State of the Spam Union" report out. A couple of things caught my eye:

  1. [REDACTED] is America's most disgusting hamburger restaurant ... food is full of dead insects, such as flies and maggots -- delightful little anti-brand spam this. Must be pretty low volume though, 'cos I've not seen one in my traps.
  2. A new use for tweaked images, where each spam message has a slightly different image -- oft-used in stock kiting spam, they're now being used to spamvertise Russian brides! Is nothing sacred?

Labels: ,

Monday, April 30, 2007

Naive Bulk Emailers Howl in Protest

This is Andy Oram: pianist, CPSR member, and O'Reilly book editor. Andy's latest weblog post is a quiet rant about how difficult it is for new bulk email senders to navigate around a twisty maze of spam filters.

For example, he writes:

Just this morning, board members of a non-profit I volunteer for were complaining to me that email to board members gets trapped as spam
Ryan Bagueros ... told me lots of promising social networking companies are stymied because the emails they send members and prospective members get trapped by spam filters–especially at the major email hosting sites.

My sympathies. But there are two sides to every story.

On the other hand, some social networks behave idiotically and totally deserve to have their mail eaten.

Case in point:, which -- let's be charitable -- was less than transparent in its description of what happens when new users signup.

Actually, no. Let's not be charitable. Let's tell it how it is. Email from is spam. It asks new users for the password to their [Hotmail|Yahoo|AOL|Gmail] account. Then, without warning, it spams all the addresses in their address book.

I carefully went through the signup process, using a test Gmail account. This is not a case of clueless users blindly clicking OK.

While I'm on the subject, a general point about email n00bs.

There's a pervasive naivety about what it takes to successfully send legitimate bulk email. It's not as simple as popping a default install of Sendmail onto a DSL connection someplace and expecting the whole world to be overjoyed that you're sending them mail.

Often, people don't know they need help, blindly assuming it's their "right" to have their email delivered to anyone they choose, regardless of how poorly they send it.

Two examples; there are plenty more:

  1. Get your FCrDNS right. Don't know what that is? Look it up in Wikipedia. Still don't understand? You probably need help.
  2. Behave correctly when presented with a greylisting tempfail. Don't know what that is? Look it up in Wikipedia. Still don't understand? You probably need help.

As I say, plenty more where those came from...

Labels: , , , ,

Wednesday, April 18, 2007

More About the CEAS Spam Control Bake-off

Last week, I wrote about the CEAS 2007 Live Spam Challenge (CEAS is the Conference on Email and Anti-Spam). I opined that fair comparative testing of spam control technologies is extremely difficult, especially when behavioural analysis techniques such as greylisting and OS fingerprinting are part of the spam control technology mix.

I wanted to clarify that the test isn't intended to evaluate the relative strengths and weaknesses of existing spam control products (that would be extremely difficult to do fairly, as last week's post pointed out). The intention is to compare some promising new content-based filtering techniques -- techniques that might be employed as components in a cocktail of techniques used by a spam control product.

As Gordon Cormack, one of the test's co-organizers, wrote:

An open competition attracts all sorts of techniques that can be vetted. The methods that are uncompetitive can be discounted, and the "greatest hits" can be tested ... in combination with greylisting ... and other intrusive techniques.
One popular fallacy that I run into all the time is, "this test has limitations, so it shouldn't be done." All tests and experiments have limitations, and the scientific method involves identifying them and constructing specific experiments to see how much the limitations matter, not witholding all tests until the perfect one can be done (which, of course, it can never be).

Labels: , ,

Friday, April 13, 2007

Chatroom Pimping: New Spam Technique

Interesting spam from Taiwan. Just a single line containing a link to a Skype chatroom. What caught my eye was the chatroom subject embedded in the link:

Special price of the wrist-watch

Random thoughts:

  • Clearly what's going on here is the need for spammers to remove as much Bayesianable text as possible from their messages.
  • There probably needs to be a way that we can report these to Skype so they can quickly take 'em down. Spamcop doesn't work -- Skype is refusing abuse complaints.
  • Presumably if you were foolish enough to join the chat, you'd get bombarded with ads. for fake Rolexes and the like. Possibly also a vector for malware.
I was foolish enough, but the host was offline. Watch this space for updates on what happens...

Labels: ,

Wednesday, April 11, 2007

IDC's Spam Stats are Conservative?

Mark Levitt

Mark Levitt is the "Program VP for Collaborative Computing and the Enterprise Workplace" at IDC. His name is on a new report that includes some stats that have raised a few eyebrows.

Ars's Nate Anderson said:

New research from IDC claims that this will be the year in which spam outnumbers person-to-person e-mail for the first time.

Huh? Don't we hear from anti-spam vendors all the time that spam is 60, 70, 80, 99% of all email? Is Levitt living in a timewarp?

Well, reading between the lines of IDC's press release, it seems to me that we're comparing apples with oranges. I think Mark is including the number of legitimate messages that stay inside an organization. This is typically a whole lot more than the amount that comes in from outside. It might easily double the number of messages a user receives.

According to my latest estimates, an "average" email user (whatever one of those is) receives around 40 spam messages per day and 15 legitimate. Me? I get more like 500 spams/day, but that's including several spamtraps.

I love Brad Linder's comment:

Spam filters are a lot better than they used to be, so really what this means is that nefarious companies will continue to send messages that nobody will read this year.

Oh yeah, and the Ars story got dugg, too...

[Hat tip: Techmeme]

Labels: ,

Monday, April 09, 2007

CEAS Spam Filter Bakeoff

The fourth Conference on Email and Anti-Spam (CEAS) is planning a bakeoff this year. In the CEAS 2007 Live Spam Challenge, the organizers hope to simultaneously inject a live stream of spam and legitimate email into several spam filters over a 24 hour period.

However, fair comparative testing of spam control technologies is extremely difficult -- by some measures, it's impossible. Because some promising filter techniques rely on examining the real-time behaviour of the sending machine, it proves tricky to provide the exact same stream of email to all the filters at the same time.

For example, some filters attempt to "fingerprint" the sending machine's operating system -- the idea being that, say, a Windows 98 PC has no business submitting email direct-to-MX. In a test that replicates an inbound email stream to several servers, it's tricky to allow the receiving filters to send IP packets back to the true originating IP address in such a way that is fair and equitable for all test participants.

In its defense, CEAS recognizes this difficulty by excluding greylisting from the list of permitted techniques. I'll be watching this one with interest.

Labels: , ,

Friday, March 23, 2007

Email Marketer helps Spamhaus

This is Derek Harding. Derek is the CEO of an email marketing service provider. No, wait, don't hate him. His company, Innovyx, has signed an amicus brief to support Spamhaus's defence against e360Insight's lawsuit.

(If you've been living under a rock recently, you might not be aware that e360 objected to Spamhaus's assertion that it sent spam, despite numerous documented examples.)

Derek obviously comes at this from a different angle from us spam-haters, but it's nonetheless interesting and a useful addition to the debate. His opinion piece makes interesting reading as a level-header clarion call to legitimate email marketers to do the right thing. Here are some edited highlights:

Everyone knows spam is a problem ... the e-mail infrastructure is under serious attack and is struggling to cope. Meanwhile, many marketers view anything that restricts their ability to send whatever they desire as something to be fought. At best, blocklists and spam filtering systems are viewed as inconveniences to be evaded and worked around. At worst, they're seen as an illegal restraint on trade to be attacked in the courts. Best practices can be ignored when it's inconvenient, and the law is the minimum that you can get away with.
Spamhaus fills an important, even vital, role. They deserve our support ... What's in it for us is the survival of e-mail. Poor list hygiene, acceptance of bad practices, refusal to outlaw spam, and failure to support organizations like Spamhaus threaten to kill the goose that lays the golden eggs. We must stop being part of the problem and become part of the solution. We must look past getting this specific e-mail delivered to the bigger picture of ensuring e-mail remains a viable medium.

Richi sez: good stuff. Spamhaus is not the enemy of legitimate email marketers who send to people after having obtained informed consent and who honour the withdrawal of said consent.


Tuesday, March 20, 2007

Symantec's Internet Security Threat Report

Symantec has just released its twice-yearly Internet Security Threat Report. This contains plenty of interesting data from the perspective of Symantec's Security Response team. Well, "interesting" if you're interested in that sort of thing...

Here are some highlights (percentage changes are over a six month period):

  • About half of identity thefts are caused by loss or theft of laptops and other hardware containing personal data
  • Denial of Service attacks are down about 20%
  • Botnet activity is up by about 10% (in terms of number of active zombies)
    • China hosted about one quarter of these zombies -- more than any other single country
    • The U.S. hosted about 40% of the botnet command-and-control nodes
  • New vulnerabilities (e.g. in Windows or Web applications) were up about 10%
    • Operating system vendors are taking "longer" to patch vulnerabilities (no quantitative data disclosed)
  • The Stration family of worms was the most widely-reported
  • Email is still the most-used vector for propagating viruses and other malware -- at about 75%
  • Phishing is up 5% in terms of numbers of campaigns, and about 20% in terms of volume
    • Phishing attacks are more likely to be sent on a weekday than at the weekend
  • Stock kiting and other financial services spam represented about a third of all spam

Labels: ,

Friday, March 02, 2007

Drop Everything and Patch Symantec Mail Security for SMTP

Running Symantec Mail Security for SMTP? Stop what you're doing and download the patch (patch 176 at the time or writing).

Seems like a craftily-crafted incoming message can cause a buffer overrun. This may lead to code execution. [Update: Symantec now confirms that they see no chance of arbitrary code execution, merely denial of service.]

Currently being exploited. The code in question tries to infiltrate a Microsoft SQL Server, presumably in order to steal passwords. Another good reason to segment your servers so that they each have a single role; perhaps using virtualization.

Of course, a patch for this bug has been available for eight months, but that doesn't seem to have stopped exploits causing some trouble over at Turner Broadcasting System.

So run: don't walk. More at US-CERT.

Labels: ,

Tuesday, February 20, 2007

Why You Shouldn't Buy from Spammers

Aside from the obvious ("because it only encourages them"), the U.S. Food And Drug Administration offers another, more worrying reason:

A number of Americans who placed orders for specific drug products over the Internet (Ambien, Xanax, Lexapro, and Ativan), instead received a product that ... can cause muscle stiffness and spasms, agitation, and sedation ... Preliminary analysis indicates they contain haloperidol, the active ingredient in a prescription drug used primarily to treat schizophrenia.

Ouch. No surprise here: spammers are Bad People. Lest we forget, spam isn't merely an productivity-sucking irritant.

I'm indebted to the FDA for providing the following photos and captions. More at the FDA site.

Back photo of yellow Haloperidol with “H 2” imprinted on the tablet.
Back photo of yellow Haloperidol with “H 2” imprinted on the tablet.

Front photo of yellow Haloperidol with “Janssen” imprinted on the tablet
Front photo of yellow Haloperidol with “Janssen” imprinted on the tablet

Plastic bag containing yellow Haloperidol tablets as received by consumers
Plastic bag containing yellow Haloperidol tablets as received by consumers

Mailing envelope in which tablets were shipped to consumers
Mailing envelope in which tablets were shipped to consumers

Mailing envelope in which tablets were shipped to consumers
Mailing envelope in which tablets were shipped; yellow tablets, and the clear plastic bag in which they were contained. The ruler was placed for size comparison purposes

Mailing envelope in which the tablets were shipped to consumers. The ruler was placed for size comparison purposes.
Mailing envelope in which the tablets were shipped to consumers. The ruler was placed for size comparison purposes.

White haloperidol in blister pack
White Haloperidol in blister pack

Yellow Haloperidol in blister pack
Yellow Haloperidol in blister pack


Wednesday, February 07, 2007

The RSA Show Floor is Awful

I was going to rant about how boring/racist/sexist/infuriating the RSA expo floor is, but Ross Brown already did it for me. So... what he said:

'Dancing baloney' marketing ... demeaning use of booth babes, vaguely jingoistic references to fictional eastern European countries like Hackistan ... the vast majority of messages were identical. Differentiation is hard in security ... but wow, some of these booths were phoning it in from a content standpoint.


Thursday, February 01, 2007

Update to the Dark Reading Spam Saga

Dark Reading/Light Reading/TechWeb responded publicly in its forum about my accusation that it's sending spam:

hi folks,
chris williams here (i'm the web development manager for Dark Reading). i disagree about whether or not requiring "opt-out" should be considered spam. i think that if an entity makes clear in its policies that it will be contacting folks, but makes it very clear how to opt-out of that contact in each email, then that's not spam. it's just a reality of web-based business that email is still the best way to promote online events and products. i agree totally that there are lots of companies trying hard to trick you into getting on a list, then multiplying that list, and making it really hard for you to remove yourself from any of those lists.

however, we aren't doing that. we've tried since day one to be very responsive and to make it easy for folks to remove themselves from all of our lists. i'm being totally honest when i say that we didn't intend to omit lists from the preferences page to make it hard for folks to remove themselves... we just thought we'd made it easier for folks to get off those lists by including a link in every email to a page that removes a person from the specific list they referenced and tells them if they are subscribed to any other lists that we manage (and gives them a chance to unsubscribe from all of those lists right then).

i think you guys have made a great point about the lack of clarity on our preferences page about how to get off our promotional lists. so i've updated the preferences page to include those lists and allow users to remove themselves from those lists via the form just like regular newsletter subscriptions.

thanks for reading and posting,
To which I replied:
Chris, bravo for fixing the problem.

However, the admission that you intended people who unchecked every box to still receive promotional email leaves a nasty taste. As does the incorrect privacy policy. As does the sneaky positioning of the final default-opt-in checkbox.

Let me be very clear, direct marketers such as LR/DR/TechWeb are not the enemy -- "real" spammers who steal millions of addresses and misuse others' computing resources are the enemy. The problem comes when well-meaning people act like spammers.


TechWeb Spams me; Am I "Impatient"?

Oh, this is just peachy. It's amazing how some legitimate organizations just love to act like spammers. Well, if it walks like a duck and quacks like a duck...

[Also note update at end]

I was recently interviewed by the delightful Kelly Jackson Higgins at Dark Reading for an interesting story about legitimate organizations that get the reputation of being spammers. But I had to tell Kelly about a bad experience I had with her organization spamming me. I'd registered to post at Dark Reading's forum. I religiously checked the privacy policy, and unsubscribed from all the newsletters and "information about exciting new products and services."

However, within the hour I started getting promotional email from Dark Reading's parent company, Light Reading, Inc. (Both organizations are part of TechWeb.) While I'm aware that ZDNet is a spammer haven, I'd not come across this problem with TechWeb before.

After some investigation and back-and-forth emails, Kelly blogged the spamming issue, including comments from Warren Hultquist and Chris Williams, from Light Reading's "Web Team." These amount to the usual litany of spammer excuses:

  1. Just unsubscribe, using the link in the email.
  2. It's noted in our privacy policy.
  3. Promotional email is the price of registration.
My response:
  1. I did unsubscribe. As instructed in your privacy policy, I unchecked the box labeled, "Occasionally Light Reading Inc. sponsors may want to send you information about exciting new products and services. If you prefer not to receive these solicitations, please uncheck this box."
  2. Your privacy policy does not say anything about unsubscribing from promotional email using a link within such email. What it does say is, "At any time, you may opt out of receiving information about Light Reading or other parties by changing your registration profile." This is precisely what I did. After registration, I went to the User Preferences page and ensured that I was unsubscribed from everything (including the section in the picture below).
  3. In my opinion, such Faustian bargains are OK, so long as there's informed consent. The policy as described by Warren and Chris clearly doesn't meet this test. In addition, Light Reading isn't abiding by its privacy policy.

Oh, and by the way, your privacy policy's link to the "User Preferences" page is 404. I think you meant this one.

Finally, Kelly signs off with "a less patient user might report it as spam." Well, I guess that makes me impatient, then.

Ironically, this was the whole point of the original article -- if senders do stupid things, they'll get reported to blacklists, so their deliverability will come crashing down, causing bad things to happen to their business.

Update 1: it seems Dark Reading have heeded the key complaint and added two more checkboxes to the preferences page. In life, the mistakes we make aren't as important as how we fix the issues that arise.

Update 2: the next post is a forum exchange between Light Reading's web team and me.


Tuesday, January 23, 2007

Pump'n'Dump: It's all About the Timing, Baby

Funny guy: What's the secret of great comedy?
Straight man: I don't know, what is the secret of gr...
Funny guy: Timing.

And timing is also the secret to profitable stock kiting. In my previous post, I quoted Symantec's Amado Hidalgo, who hinted that the Trojan writers appeared to be working to a deadline. Presumably it was a deadline imposed by their stock-kiting scam-masters.

I'm guessing from the date of the blog post that the "burst of almost 1,800 emails" that Hidalgo talks about would have been over the weekend, or certainly before the markets opened on Monday.

Yes, timing is everything when encouraging fools to part with their cash. The botnet needs to be ready to spew out its quota of kiting come-ons at what the scammers calculate is just the right moment:

  • Too soon, and they risk clever day-traders buying in on the upswing and cashing out before the scammers do, thus reducing the ill-gotten profits

  • Too late, and the regulators might take an interest in the scammers' unusual transactions, before the scammers have had a chance to cash out and launder the profit

Not only that, but the spam needs to be sent in as short a time as possible -- in one, concentrated burst. If it's too spread out, the scammers can suffer either or both of the problems above. I conclude that this is why we're seeing these new botnets send a load of messages quickly, then falling silent -- as opposed to dribbling out fewer over a longer period.

This new strategy risks quicker discovery, but there seems to be no end to virus writers' ingenuity in infecting new victims' PCs.


Pump'n'Dump Spam Botnets: New Malware

This post is a quick overview of the latest happenings in the world of stock-kiting botnet malware. The key news is a nasty new derivative in the CME-711 family of Trojan Horses (AKA Trojan.Peacomm, TROJ_SMALL.EDW, Small.DAM, Downloader-BAI, Troj/Dorf-Fam).

In case you've been living in a cave for months, stock-kiting spam (AKA pump'n'dump spam) is a major part of most people's inbound spam right now. Most of it's being sent by botnets (networks of malware-infected PCs).

It uses a simple-yet-effective social engineering technique to fool unwary recipients into opening an executable. It promises video of Saddam Hussein, European storms, Chinese missiles, or other breaking news, designed to make people put their critical faculties to one side (assuming they had any in the first place).

Symantec's Amado Hidalgo has an in-depth writeup of how the Trojan builds a botnet. Money quotes:

The bot ... has fully fledged rootkit capabilities, albeit not very sophisticated. It would appear that the malware writers were in a rush to get the new version out as quickly as possible and some functionality of the rootkit has not been implemented correctly ... So, what is the purpose of all this renewed activity, you ask? The primary goal is to create a botnet that sends tons and tons of penny stock spam.
We saw an infected machine sending a burst of almost 1,800 emails in a five-minute period and then it just stopped.

In my next post, I'll talk about how timing is all-important, when running a stock-kiting scam.


Friday, January 19, 2007

Symantec: Spammers Forge Phony Newsletters, Trying to Fool Filters

It seems that spammers have a new tactic in their war to get their unwanted... uhhh... content through our spam filters: forged newsletters.

What they're doing is sending messages that look like legitimate newsletters. Nasty. Examples seen so far appear to be from well-known brands such as 1-800-Flowers, Kohl, U.S. Airways, and "a fantasy football league" [Statto the spammer?].

There's no suggestion that the spammers have broken into the sending systems used by these brands. They just seem to be cloning legitimate content and modifying it. In the same way that phishers modify a bank's legitimate transactional messages to link to their own site, these spammers are taking copies of legitimate newsletters and tweaking them to include their spamvertisements.

But why go to all that trouble?

The idea is to take advantage of people's abhorrence of false positives. Spam filters will be carefully programmed, trained, or whitelisted to let legitimate newsletters through. If a spammer can make their spam look like one of these newsletters -- especially a widely-read newsletter -- they can get through the filter and in front of the user's eyes.

The spammers only seem to be testing the tactic right now -- it's at a very low level, but the theory is that if they find this is an effective trick, we'll see it a lot more.

I've not seen the test runs in my overflowing spam traps -- credit for discovering the phony newsletters goes to Symantec. I guess it takes a large organization, with 24x7, follow-the-sun labs to really keep on top of new developments in spam tactics. It's the speed of identifying these sort of early indications that separates the men from the boys, as it were.

Update: Symantec sent a picture to illustrate. Wasn't that kind?

More coverage:

Labels: ,

Thursday, January 18, 2007

Port 25 Blocking is NOT a Panacea

Increasing numbers of ISPs block the outbound SMTP port 25, requiring all outbound email to go through the ISP's official MTA, using SMTP authentication. However, ISPs that have implemented port 25 blocking shouldn't rest on their laurels.

The basic problem with port 25 blocking is the ability of botnets to subvert it. Once a PC is compromised, there's nothing to stop the virus from submitting spam to the official ISP MTA, using credentials stolen from the Windows registry or keyboard monitoring.

While port 25 blocking is useful if an ISP's only defense is outbound spam filtering, ISPs should do so much more. For example:

  • Cooperating with reputation services that list IP ranges that have no business sending unauthenticated-direct-to-MX, such as Spamhaus's new PBL
  • Recording the volumes of outbound port 25 traffic -- a sharp increase from the historical trend can indicate infection
  • Monitoring blocked attempts to use port 25 to outside MTAs -- another indication of infection
  • Disrupting botnet command and control messages
  • Moving infected PCs into a "walled garden", which prevents them from sending email, surfing the Web, or using other Internet applications until the problem has been cleaned up


Thursday, January 11, 2007

Why Do People Use a Backup MX?

Some organizations set up their MX records so there's an offsite backup MTA to receive mail (perhaps that should read "many organizations", I have no data). Is there still a justification for doing this?

In my simple view of the world, you simply don't need a backup MX. If your primary MX is unavailable, mail should still queue at the sending MTA for several days. The sending MTA should continue to retry periodically until your site is available again. In many ways, backup MX configurations are an anachronism -- a holdover from the days when connectivity was unreliable and some MTAs' queuing algorithms weren't great.

Backup MXs can cause problems if they don't do the same spam filtering that your primary MX does. This can cause backscatter.

If your primary MX is down for some time, a backup MX could also cause backscatter spam with "delayed" DSNs (delivery service notifications). On the other hand, not using a backup MX would usually allow the sending MTA to generate the DSN, which is a much better way to do it.

What do you think? Are there circumstances where a backup MX makes sense for you?


Monday, January 08, 2007

More About Why Cisco Bought IronPort

As I mentioned last week, Cisco bought IronPort for $830 million.

Clearly IronPort's reputation data is part of the prize for Cisco. Perhaps also, the PostX email encryption technology will possibly be useful (IronPort bought PostX last year). Perhaps some enhanced competition for Identum and Voltage? Alternatively, I fear that Cisco may let this stuff wither on the vine -- PostX customers should be concerned and watch closely.

An interesting question is what will happen (if anything) with SpamCop. IronPort deliberately ran SpamCop at arm's length as a matter of policy. It's not clear whether Cisco will maintain that policy. SpamCop is of course part of the raw data feeding into IronPort's reputation database, along with the data phoned home by the IronPort boxes.

As we saw with the BlackSpider acquisition by SurfControl, spam control companies that aggregate lots of data about spam sources are valuable, for reasons in addition to spam control. For example, if a zombie is sending spam, it's also probably a potential source of other bad stuff, such as worms and distributed denial of service attacks.

See also: my roundup of blogger reaction to this story in Friday's IT Blowatch.

Labels: , ,

Thursday, January 04, 2007

Anti-Spam Market Consolidation Continues -- Cisco Buys IronPort

Today, Cisco announced that it has acquired IronPort Systems for $830m in cash and stock.

Cisco is of course well-known for its "growth by acquisition" strategy, and was notably lacking in solutions for email hygiene. It makes sense for it to buy an appliance vendor.

IronPort and Ciphertrust have been the appliance market leaders for some time (albeit challenged by the appliances launched by large, conventional software vendors such as Sophos and Symantec). Ciphertrust was of course bought by Secure Computing in 2006, thus leaving Cisco with an obvious choice.

Will we look back at 2007 as the year of spam control market consolidation? We've certainly seen some significant M&A activity in previous years, but there's still plenty of scope for your vendor to be acquired or run out of VC money.

[Edit: it's now officially $830m, not $850m as I was originally advised by IronPort]

Labels: , ,

Sender Authentication Doesn't Fix Challenge/Response

Happy new year. Sorry that the first post of January is about challenge/response (again), but surprisingly few people seem to get it.

There's this idea floating around that challenge/response filters are OK if they check SPF, SenderID, or DomainKeys -- only challenging messages that pass those checks.

Twaddle. This idea that SPF or SIDF or DKIM can tell you whether a message is forged is naive.

Firstly, implementation on the sender side is spotty. If there's no SPF record or DKIM header to check, you're back to square one.

Secondly, don't forget that most spam is sent by virus-infected computers (corralled into a botnet). There's nothing to stop virus writers from sending spam that passes an SPF/PRA/DK check at the receiving end.

Labels: ,

Tuesday, December 19, 2006

Another Challenge/Response Datapoint

Sorry to harp on about challenge/response, but on the topic of C/R causing many false positives, I just noticed this post on The Admin Zone:

I HATE challenge-response spam blocking with a passion. All the time, I get Earthlink members signing up on my message board, but not putting the domain name in their whitelist. When vBulletin sends out a validation email, the following bounces back into my mailbox ... As a matter of principle, the mods and I NEVER respond to email challenges; we NEVER "click the link below" to be added to a whitelist.

If an existing user starts using challenge-response spamblocking, forget to put my domain in their whitelist, subscribe to threads, and as a result fill my mailbox with challenges, they're suspended for a week. Behind spam, it is my number two pet peeve.

Labels: ,

Wednesday, December 13, 2006

Boxbe: Another C/R Spamhaus

Some buzz today about Boxbe -- a service that promises to forward unsolicited email only from those willing to pay a fee for your attention. I signed up to take a look, and was frankly horrified by what I found.

Boxbe is a front for another of these awful challenge/response setups. Look at the reply I got to a test message:

Subject: Held: testing

The message you sent to regarding "testing" is being held undelivered because he or she has not pre-approved your email address [redacted] for access.

To deliver your message, you can:

* Take a short test (a simple test by following the link below
[link redacted]

* Pay a small fee (USD $0.15) which
Boxbe will share with the This is intended
for advertisers. To pay, click on the link below:
[link redacted]
Sigh. In case you've not heard the mantra already:
  1. Challenge/response causes spam (because spammers forge the sender)
  2. So if you use C/R, you're a spammer
  3. Filtering your spam is not my job
  4. If everyone used it, email wouldn't work!

Prediction: if Boxbe gets popular, spammers will start sending to it, which will cause backscatter complaints, which will cause blacklisting of Boxbe's servers.

Here's why backscatter is bad, and here's more about the stupid idea that is challenge/response. But don't just take my word for it.

Other Boxbe coverage at Wired, GigaOM, Download Squad.

Labels: ,

Sunday, December 10, 2006

GOOD News: Innocent Woman's PC Seized by Police

What's that you say? Good news? Read on...

Denver woman has PC. PC gets infected by remote-access malware. PC becomes zombie. PC does bad things. Armed police come knocking with warrant. PC seized as evidence. Local ABC news says:

Investigators said someone hacked into [Serry] Winkler's computer ... and used it with a stolen credit card to make fraudulent purchases online ... "Four sheriffs from the Boulder County Sheriff's Office with flak jackets and weapons drawn pounded on my door," said Winkler. "You're just not prepared for it." ... Winkler didn't have a firewall on her computer, which she said was too old. "I've tried it, but it just slows it down so badly that I can't," she said.

Internet security expert Rick Orr of Symantec said that early on, hacking activity was related to fame. "What we've seen in the last few years is a transition from a motivation of fame to a motivation of financial gain," said Orr. He said thieves don't take holidays and when it comes to Internet security, neither should you.

I say: good. I'm glad this happened and that it's getting some publicity (albeit local).

While I'm sad that Ms. Winkler was scared and inconvenienced, a few more of these sort of stories might actually make people more likely to protect their PCs. That ought to put a serious dent in the spam-spewing botnet problem.

Like this post? Digg it.

[Hat tip: Fergie.]


Saturday, December 09, 2006

Spam Volumes: What's Really Going on Here?

The sky is falling! The sky is falling! Spam has doubled / spammers are winning / spam is 80% of all mail / 90% of mail / 110%, etc. etc. etc...


I'm getting bored with self-serving anti-spam vendors flinging dubious statistics around. Yes, spam volumes have increased recently, but doubled? Much of this seems to be counting from an artificially-small base during a quiet summer for spam.

Here's my take on what's happening. A bit stream-of-consciousness, so please excuse. Grateful for your thoughts.

The growth in spam is chiefly down to two factors:

  1. Demand-side -- stock kiting gangs wanting access to more and more sending capacity
  2. Supply side -- new, bigger botnets with more sophisticated command and control mechanisms, which are more resistant to being shut down and can send fewer messages per zombie (because they're bigger), so stay under the radar longer
This is compounded by bad statistics, which make the growth seem bigger than it actually is:
  1. New botnets spewing spam from PCs not on blacklists, so a smaller proportion of spam gets rejected (and thus never seen in quarantines)
  2. New botnets resistant to anti-spam techniques such as greylisting (because they have real, autonomous MTAs), so a smaller proportion of spam gets rejected (and thus never seen in quarantines)
  3. New botnets employing content morphing tricks that are fooling many vendors' content filters, so more spam reaches the inbox -- then naive commentators wrongly assume that a doubling of spam in the inbox equals a doubling of spam on the Internet
The image spam messages tend to be about 10x bigger than "normal" (say median 30K compared with 3K), so spam volumes are now much higher in terms of bits on the wire.

Some anti-spam vendors are coping quite adequately with the new techniques, but seem to have broken PR departments ;-)

I trust Commtouch's and MessageLabs's data more than most -- my reading is that spam volumes increased measurably about a month ago, but not to the extent that Chicken Licken would have us believe.



Friday, December 08, 2006

Ciao! Interesting Social Engineering Attack

Here's an interesting way of getting your victim to download a Trojan horse. Some users in Italy have been receiving messages "from" a lawyers' office that appear to be replies to a message that the victim never sent.

The messages warn the victim that the lawyer has received pornographic spam from them, threatening the victim with legal action if it happens again. It goes on to say that the victim probably has some sort of virus on their PC and suggests that they download a virus cleanser, to which there's a helpful link in the message.

Of course, the link downloads a Trojan.

Not only that, but the names used for the lawyers seem to be real organizations. I've heard reports that at least one legal firm has four phones permanently tied up with victims calling about these "threatening-yet-helpful" messages apparently sent by the lawyers.

Like this post? Please Digg it, so others can find it.

Hat tip: Symantec's Security Response team.
Also noted by Paolo Attivissimo and Luca Curatola of Neodigital2k.


Tuesday, December 05, 2006

"Challenge/response filters have more Achilles' heels than they have feet"

I am such a media whore. That was your humble blogger, quoted in an InformationWeek article:

Spam Filtering Floods Innocent Inboxes
Do challenge/response spam filtering systems create more problems than they solve? One analyst argues against them.
By Thomas Claburn

Two weeks ago, Ferris Research messaging analyst Richi Jennings awoke to find his e-mail inbox filling with spam at a rate of about a message per second. Over the course of two days, a spammer using a bot net -- a collection of PCs that have been subverted through security exploits to send spam -- sent an estimated 10 million messages that purported to come from several of Jennings's e-mail addresses.

That resulted in more than 25,000 bounce messages, from ISPs that return spam to the supposed sender (rather than deleting it) and from challenge/response filters that reply to spam with a note asking the listed sender to answer a challenge question before the initial message gets delivered.
Despite the fact the Symantec's Brightmail service did "an impressively good job" in blocking most of the bounced e-mails, Jennings nonetheless had to deal with hundreds of unwanted messages.
"Over the last year or two, I've spoken to countless challenge/response filter vendors and they all have their own excuse about why their solution is completely different, and really, yes, they agree this is a problem with badly written challenge/response spam filters, but their spam filter would never do anything so stupid and broken," says Jennings. "And of course I'm looking at an example from just about every one of those vendors that I got two weeks ago."
Tal Golan, CTO, president, and founder of Sendio, maker of a challenge/response e-mail appliance used by more than 150 enterprise consumers, disagrees strongly with Jennings's assertion that challenge-based filtering has problems. "Without question, the benefit to the whole community at large drastically outweighs that FUD [fear, uncertainty, and doubt] that's out there in the marketplace that somehow challenge/response makes the problem worse," he says. "The real issue is that filters don't work. From our perspective, challenge/response is the only solution. This whole concept of backscatter is just not true. Very, very rarely do spammers forge the e-mail addresses of legitimate companies anymore."

[Read the full article]

Labels: ,

Saturday, December 02, 2006

Now! That's What I Call Spamming!

Occasionally, I remember to read Andy Clarke's blog, And all that Malarkey. Doozy of a post earlier this week. Spammers, take note (yeah, right; dream on)...

At about 4.30, the phone rang. Now I've written before about telephone salesmen, but this was a call with a difference ... Not only did [he] identify himself upfront to save me the job of interogating him, he actually asked, and very politely I should add, if it was OK to contact me. My defences came down and, Holy smokes, I even asked him right there what his software did ... So I gave him my email, this guy has class. Now, here is the odd thing. For the next two hours I was actively waiting for this guy to email me! Two hours in which I was wondering about his software ... he made me think about his product and about the experience of dealing with him (hell, I'm even blogging about it).


Tuesday, November 28, 2006

I Got 25,000 Spam Messages in Two Days!

Late last week, some idiot spammer decided it would be a neat trick to send a metric boatload of spam messages in my name (see also Joe Job). I estimate that in the space of 48 hours, his botnet spewed a million messages that appeared to come from one of my domains.

Unsurprisingly, a small percentage of those messages bounced. Guess where the bounces ended up? In my email. All 25,000 of them...

What can we learn from this?

  1. Symantec's Brightmail spam filter is really good. OK, I kinda knew this already, but the Brightmail filters that sit in front of my mail service did a near-perfect job of sifting out the bounces from the real email.

  2. Way too many email servers are badly broken, to the extent that they bounce email to unknown addresses, instead of rejecting it. Some of this is down to configurations that accept everything at the perimeter and only later decide the mailbox doesn't exist, but mostly it just seems to be broken software. (If you run a mail system that does this, for the love of all that's holy please fix it.)

  3. Way too many ISP abuse desks seem to think (2) is perfectly acceptable behavior.

  4. Way too many sites allow their users to auto-reply to email willy-nilly. Don't these people have spam filters? Amusingly, some do, as can be seen from the SpamAssassin-like headers added to the bounced spam, yet even though the message scores higher than the spam cutoff, they're still kindly letting me know that they're out of the office.

  5. Way too many ISP abuse desks seem to think (4) is perfectly acceptable behavior, too.

  6. Challenge/Response spam filters are a royal scourge. (See blog posts passim). It's not my job to filter your spam for you.

  7. SpamCop is still an excellent resource.
Some spammer probably thinks he's been jolly clever and put one over an "anti". However, the state of the art in spam filtering is just too good.

Labels: ,

Thursday, November 16, 2006

PC World's Steve Bass Repents?

Last week, I wrote about how PC World's Steve Bass was promoting those evil, evil challenge/response spam bouncing products. I pointed out in my blog post and also in private email to Steve that these things can get their users blacklisted, because misdirected challenges are as bad as the spam itself.

Today, Steve has a new post up, calling me a "Polite ... self-proclaimed spam expert." Errr, well, those who know me may not agree with the first bit. And I'm not sure the second bit is quite my choice of words, but my clients seem to think so. Never mind. Onwards...

Fortunately, Steve has first-hand experience of the problem:

I get a half-dozen or so of these misguided challenge/response e-mails every day

Unfortunately, Steve links to a Wikipedia explanation of something with a similar name but which is nothing to do with spam. Presumably he meant to link to Challenge-response spam filtering. Oopsy.

In fact, reading his explanation of C/R, I'm not sure he actually understands the problem. See if you agree:

You can set some programs to bounce messages back to spammers and make them think your address is no longer working. Quite often a message from a challenge/response system will get treated as spam and bounced back with the rest of the junk e-mail. And quite often these messages float around the Net when someone using challenge/response also has a computer virus.
The spamming part comes into play when the person sending the e-mail receives a reply from the challenge/response program, challenging the sender to prove he or she isn't a spambot.

Well I'd have put it a bit differently. How about this:

Q:You can set some programs to reply to spammers; great idea, right?
A: No, because the replies hardly ever go to spammers -- spammers forge the message's sender. So they don't work.

Q: But it's only spam and we don't care about those messages, so it's OK... right?
A: No, because the forged senders are often real email addresses, with real people at the end of them. So you're causing unwanted email to be sent to them.

In other words, Challenge/Response makes you a spammer.

Update: Steve posted more on this topic. Steve's right on when he says:

Challenge/response ... doesn't work. I'll give you an example. A PC World reader sends me an e-mail and I take a couple of minutes to respond. Then I get an e-mail challenging me, asking me to take an extra step -- click here, go to a Web site, or maybe stand in the corner and whistle a show tune.

Nope, not me, Pal. I've already been a good Netizen and responded to the reader's e-mail; and I'm not about to spend more time on this. If the person sending me the e-mail had a spark or two, they'd have added me to their whitelist before sending me a message. So I watched how I responded to getting a challenge e-mail, figured everyone else would do the same thing, and decided not to bother with it.

And if you're looking for the debate between me and Jeff Hendrickson, it's right here.

Labels: ,

Monday, November 06, 2006

PC World Offers Dangerous Spam Advice

Meet Steve Bass. Steve blogs at Watch Steve blog. Blog, Steve, blog. Steve just blogged a bunch of spam filtering resources. Unfortunately, his list is heavy on the challenge/response FUSSP meme. Ooops!

For the record, Choicemail's "unknown-sender registration" and the "bounce" features of MailSnoop and MailWasher are really terrible ideas. (Don't forget that the "sender" of spam is almost always forged.)

I do wish consumer-focused journalists like Steve wouldn't promote these features -- he'll get his readers blacklisted, causing their email not to go through.

Update: Steve has responded. (If you're looking for the debate between me and Jeff Hendrickson, click here to read the latest discussion and follow the link at the end.)

For more background, see:

Labels: ,

Monday, October 23, 2006

Microsoft Promises Sender ID Remains Open, But There's No News Here

Microsoft today announced that it has added the Sender ID Framework Email Authentication spec. to the list of Microsoft technologies covered under the Microsoft Open Specification Promise (OSP). This essentially means that Microsoft promises not to take action to protect its patents and other intellectual property (IP) related to these technologies.

The idea is to remove objections to implementing against published "standards" that are based on the fear of Microsoft will sue the developer. This was the main stumbling block preventing Sender ID from becoming an Internet standard in 2004 -- the Purported Responsible Address (PRA) algorithm was patented.

Big whoop. As far as I can tell, nothing has changed. There's no news here. Move along.

This promise seems to be exactly the same promise as was made by Microsoft in 2004. It's a promise that didn't prevent the MARID working group from failing to reach consensus -- mainly due to deadlock over the IP issue.


Tuesday, October 10, 2006

There May be Troubles Ahead (for Spamhaus)

But while there's moonlight, and music, and love, and romance...

I'm reading some misinformed comment about the latest Spamhaus woes. I wrote today's IT Blogwatch on the topic, but here's my attempt to summarize here...

  1. e360, which describes itself as a legitimate direct marketer [no comment], objected to being described by Spamhaus as a spammer. It sought legal redress in an Illinois state court.
  2. Spamhaus argued that it was a U.K. organization with no business dealings in Illinois, so the court had no jurisdiction. However, before Spamhaus decided on this defense strategy it asked the court for the case to be removed from state court and moved to federal district court.
  3. Because Spamhaus then decided not appear in court, the judge decided he had no choice but to enter a default judgment in favour of e360.
  4. A further, proposed order from the court would have the domain de-registered. This is potentially a huge problem for Spamhaus -- access to the Spamhaus blacklists is usually via a DNS lookup -- a query to a zone such as

For its part, Spamhaus appears nonplussed, stating that:

We think it can not actually happen, due to the effect it would have both on the Internet and on millions of users. We believe a government agency would have to step in before it happened. One U.S. government agency has begun working on a response. Before an event such as this could occur, we believe ICANN would fight the order, as ICANN understands both the technical effect as well as the political one (hint: ITU and U.S. control of the Internet).

In other words, Spamhaus is pointing to the ongoing grumbles from outside the U.S. about the continued control over Internet policymaking by the U.S. government. If Spamhaus were to "go dark" it may catalyze a new, strengthened effort to wrest control of the Internet from the U.S.

This proposed action may seriously reduce the effectiveness of our spam filters. In the meantime, what can you do to guard against the problem?

If your spam filter uses either of the Spamhaus DNS blacklists, you may be able to change the zone it uses to one that isn't under U.S. control. For example, look in your filter's configuration and change to (note that Spamhaus has not yet confirmed that this is supported).

Alternatively, as suggested by Slashdot's The Blue Meanie, you may be able to modify the way you resolve DNS queries. In UNIX-like operating systems, you might add something like this to /etc/named.conf:

zone "" in {
type forward;
forwarders {;;;; };


Friday, October 06, 2006

Lyris or Lie-ris? Suspect Spam Stats. for False Positives

I see Lyris claims that Gmail's spam filters cause 3 percent false positives and they used to cause 44 percent earlier this year. What rubbish. And how sad that a major IT news outlet regurgitated them so uncritically.

There's no way that a real Gmail user is seeing that kind of FP percentage, no matter how they legitimately measure it (and there are several ways used, depending on whether you'd prefer to publish a tiny number or a big, scary number).

My estimate of Gmail's FP performance is about 0.01 to 0.02 percent. That's based on roughly one per week, and measured as a proportion of total email hitting the spam filter.

Reading between the lines of Lyris's report, they're only measuring as proportion of inbound marketing email, which might explain why the headline figures are so high.

Frankly, these crazy numbers cast doubt on the rest of the statistics presented in this report. Lyris clearly has an agenda here -- to instill FUD in the minds of direct marketers so that they'll sign up to Lyris's services. That's nice...

Sadly, ZD were taken in by these shenanigans and presented the figures as an "IT Fact"


Thursday, October 05, 2006

Vista Software Protection Platform disables Windows Defender

Let's see if I have this straight. In its ongoing effort to thwart pirates, Microsoft is going to prevent its anti-malware bits from working on a PC running pirated Windows Vista? Sez Computerworld:

Customers who decline to or cannot successfully validate their copy of Vista during installation will be blocked from using certain features [including] Aero ... ReadyBoost ... and Windows Defender, which protects against viruses and spyware.
So it's fine for PCs running pirated versions of Vista to spew spam and malware into my inbox? Stupid, stupid, stupid...


Tuesday, October 03, 2006

ISPs Should Fix the Zombie Problem

Zombies are a big problem, but ISPs are in a unique position to fix the problem and should be motivated to do their part. ISPs can detect when one of its customers' PCs starts sending spam, either by outbound content control or by spotting an unusual spike in volume. ISPs may even be able to detect the earlier signs of infection, such as connection to an IRC channel used to control the bots.

When an ISP detects a zombie, it should immediately prevent that subscriber from sending email. It should make contact with affected subscribers and help them clean up their machines. If necessary, ISPs could cut off all Internet access for those subscribers, moving them into a Web "walled garden" -- this would force subscribers to see a web page alerting them to the problem and giving instructions on how to clean up their PC.

ISPs should be proactive in quickly fixing such problems. ISPs may need to modify their Terms Of Service, to contractually allow them to take these actions -- but take them they should, for the sake of their business.

If ISPs don't fix such problems, their reputation and the reputation of their customers may be damaged. The anti-spam industry has woken up to the fact that reputation is a good way to filter incoming SMTP connections, without the expense of content scanning. As this view becomes more prevalent, ISP customers won't want to be associated with an ISP that takes a cavalier attitude to their reputation and that of their customers.


Tuesday, September 12, 2006

Domain Assurance Council

The Domain Assurance Council (or DAC) is a new trade body representing organizations that certify or accreditate email sending organizations and customers of those organizations. (Examples of such organizations include Habeas and Goodmail; their customers are typically ISPs and spam control technology vendors.)

With sender "authentication" (authorization) standards such as SPF and DKIM becoming more popular, there's a need for a standard way for a trusted authority to vouch for a domain name. DAC plans to help the industry create a standard way for organizations to "vouch" for a sending domain. They will do that by publishing reputation or accreditation data about a domain name in a standard form. The standard will be known as Vouch By Reference (VBR).

For example, a receiving mail system may be able to use SPF or DKIM to verify that an incoming message was sent by, but it currently has no standard way of deciding if it wants to receive email from that company. Using VBR, a receiving system would be able to look up the domain and decide if it wishes to receive the message.

VBR could also allow smaller, more specialist organizations to vouch for organizations in their own vertical industry or niche (e.g. the pharmacalogical industry). The theory is that specialist authorities will know their industry better; if a sender goes bad, a specialist authority might discover this more quickly than a generalist.

VBR means that there should be no need for proprietary methods, such as Goodmail's. VBR will create a market for organization who vouch for domains; allowing its members to compete with minimum "friction." VBR should also allow customers to switch providers -- i.e. there will be no lock-in to a proprietary provider such as Goodmail.

Current members of DAC are Goodmail, Habeas, Return Path, Trend Micro, and IronPort. DAC is run by John Levine and Paul Hoffman. Paul has plenty of experience running this sort of group, having previously run the Internet Mail Consortium amongst others.


Friday, September 01, 2006

New Spammer Tactic: Blipverts

For a while now, stock kiting spammers have been encoding their spam in images and trying new ways to make each image slightly different. That makes it harder for hash-based content filters to spot the images.

Here's an interesting new twist. An animated GIF that flashes subliminal images. Presumably each of these is slightly different from message-to-message. On the right, you can see one of these "blipverts" separated out from the GIF (and resized).

(With apologies to Max Headroom)


Friday, August 25, 2006

New Unsubscribe Button in Windows Live (née Hotmail)

ClickZ' Rebecca Lieb reports on the Windows Live Unsubscribe button:

Ironic as it may sound, commercial e-mailers are jubilant about a new feature Microsoft's rolling out: an "unsubscribe" button.

The button is part of Windows Live, the beta service that will replace Hotmail in a few months. If it's as successful as many anticipate, expect similar changes at the other major ISPs.

Here's how it works: Windows Live account holders have begun to see the "unsubscribe" button replace the dreaded "report spam" button on messages that contain a valid unsubscribe link. When a person clicks the "unsubscribe" button, Microsoft forwards the request to the sender.
Not sure what I think about this. Microsoft claims to be protecting against listwashing, as only "legitimate" senders get the unsubscribe button. Then again, do we trust Microsoft's view of who's legitimate?

Note that if MS thinks the sender is legit., you don't get to see a Report Spam button.


Thursday, August 10, 2006

Ziff Davis are SPAMMERS

I've had enough. I'm outing Ziff Davis as a spamhaus.

The company sends me several unwanted messages per week. I have diligently unsubscribed several times. It also appears to repurpose lists to an alarming degree.

Its ISPs also appear to ignore abuse complaints.

I'm mad as hell and I'm not holding my tongue any more.


Monday, July 03, 2006

Hotmail Has Many, Many Spamtraps

Ben Isaacson of ESPC/Experian/CheetahMail fame mentioned something very interesting at last month's Inbox/Outbox conflab. Microsoft has an interesting way of building spamtraps to catch unwary spammers and idiot direct marketers.

Hotmail accounts expire after six months of disuse. This happens often -- people sign up for an account and then soon stop using it. For example because they think they need one to use the MSN Messenger IM system, or because they're using it temporarily as a throwaway address (to give to vendors they don't trust).

Once a Hotmail account expires, mail sent to it will be rejected, normally with 550 Requested action not taken: mailbox unavailable. After a further 6 months (i.e. one year of disuse), the mailbox may be treated as a spamtrap. This means that email sent to old Hotmail addresses may be used as samples to help train spam filters for Hotmail, MSN, FrontBridge, the Outlook Junk filter, etc.

What does this mean for legitimate marketers? It's now more important than ever to detect and eliminate bounces from your lists. If a receiving mail system consistently tells you that an address is bad, remove that entry from your lists. If you don't, your IP range can be blacklisted and/or your message content will seem more "spammy." Of course, this means that your messages are more likely to end up not being delivered to your users.

It used to be simply bad manners for a sender to continually send mail to nonexistant addresses, but now it's actually self-destructive.


Thursday, June 29, 2006

Weird stuff found in spamtrap

Check out this oddity that I just found in two of my spamtraps. I've not obfuscated the sender, as it appears to be the genuine address (hosted on the same small ISP, cross-referenced against several usenet posts). I've converted the base64 plain text body, natch...
Received: from
by *********** with esmtp
for ***********; Thu, 29 Jun 2006 09:44:32 +0100
Received: from development
( [])
by (8.13.6/8.13.1)
with ESMTP id k5T8h70p027899
for <***********>; Thu, 29 Jun 2006 04:43:07 -0400
MIME-Version: 1.0
Date: Thu, 29 Jun 2006 04:42:56 -0400
X-Mailer: Chilkat Software Inc (
X-Priority: 1
Content-Type: text/plain;
Content-Transfer-Encoding: base64
To: ***********
subject: From (US/ Canadian) Citizen Giving a Hand
This information is being sent to every government email world wide; we have used this technology to Help / heal and Hurt Any Living Plan or Animal.

We offer this information to you freely and if you want more on how to exploit this technology for medical or defense purposes please contact me back at supplied email.

Michael Workman

Makeup up Human body - Minerals in the Blood

Blood is a liquid tissue. This means that it contains cells suspended in a liquid. Red blood cells carry oxygen and help to carry carbon dioxide. White blood cells are involved in the body's defense mechanisms. Platelets are fragments of cells; they help blood to clot. The liquid is called plasma. It contains many important substances which must be carried around the body.

...and so on, for another 60 rambling paragraphs.


Monday, June 12, 2006

Why Did Microsoft buy Frontbridge? So It Could Get More Spam!

Last year, Microsoft acquired the hosted (or managed) email security service provider, Frontbridge. For some time, I've been saying that there's an interesting competitive advantage enjoyed by Frontbridge and other services providers, such as Postini, MX Logic, MessageLabs, and BlackSpider.

Companies that offer a service to a large number of customers get to see a lot of spam and other unwanted email. This is very useful to spot new types of spam campaigns and spot them quickly. As spammers shift to a botnet model, spam campaigns are hitting harder, sending more messages over a shorter period of time. The quicker a spam control solution can notice a new campaign and block it, the less spam is actually received by users.

Microsoft says that "92% of all email received at is spam," so the FrontBridge team is now receiving an enormous corpus of new spam, which should help them to be more reactive to new spam campaigns..

Interestingly, Microsoft claims that it's also extracting reputation data from spam sent to and, but I'm told by my buddies at Symantec that this is still protected by BrightMail technology.

[edited for clarity June 15 4pm BST]


Wednesday, May 03, 2006

Wired has half the Blue Security story

I see Wired is now talking about the Blue Security situation. It focusses on the spammer retaliation angle.

Naturally, there are some spammers who take a dim view of organizations that try to limit the number of mailboxes they can pollute. It now appears that spammers are passing around a list of names that purports to be this secret registry. Not only that, but levels of spam received by members of the Blue Security list have roughly doubled since May 1.

So how can this be?

I've seen the spammers' list. It's not as it seems -- it doesn't include spamtraps and other special addresses or wildcard domain entries that I know to be in there. What's happened is that a spammer has taken his list and "cleaned" it against the Blue Security list. He then compared the original list with the cleaned list to figure out which addresses were removed. He then bragged to his spammer buddies that he's "cracked" the Blue Security list.


Monday, May 01, 2006

Blue Security "do not email list" compromised? No!

It had to happen. I'm amazed it's taken so long.

Spammers are passing around a list of names that is purportedly the Blue Frog "do not email" list. Someone is already spamming the list with dire warnings of falling skies.

I've seen the list. It's not complete in the sense that it doesn't include the wildcard domain entries. It also doesn't include spamtraps that I know to be there. Presumably a spammer has taken his list and "cleaned" it against the blue list, then done a diff? Like I say, I'm amazed it's taken so long.

In other words, people won't get spam from these spammers unless they're already getting spam from them.

Blue Security's community forums are down "for maintenance." ;-)

Links (updated as I find them): 1 2 3 4 5 6 7 8 9...


Saturday, April 29, 2006

Visit and assist anti-spam research

Last week, John Graham-Cumming launched If you're familiar with 'Hot or Not' you'll probably get the idea. As Graham-Cumming says:

The basic idea is to get humans (that means you) to read a small number of messages (some are ham; some are spam) and decide what they are. I'm doing this because there are currently two usable corpuses of spam and ham: the SpamAssassin Public Corpus (which was hand sorted) and the TREC 2005 Public Corpus (which was machine sorted) ... Once I've got enough human decisions (I'd love to get 10 per message; that means almost 1,000,000 human classifications) I'll make all the data public.

In other words, if you visit the site, you can vote on individual messages, to say whether or not you think they are spam or legitimate. This voting will be very helpful to spam researchers, because an acurate "corpus" of spam and ham allows them to automatically test new anti-spam techniques. Graham-Cumming continues:

I'll highlight any emails where people disagree with the current classification published by Gordon Cormack ... I expect it'll throw up some interesting data... for example, just how good are humans are sorting spam? Since we'll be able to look at where the corpus and the humans disagree we'll be able to spot machine errors and human errors.


Friday, April 28, 2006

Tips for your new anti-spam idea

So you have a fantastic new idea to solve the spam problem once and for all? Of course, you're sure it'll work brilliantly and you're sure nobody else has thought of it.

Sounds like you've come up with what spam fighters call a FUSSP -- a Final Ultimate Solution to the Spam Problem. Vernon Schryver maintains a list of fallacies that appear again and again from FUSSP inventors. It's fairly impenetrable to those outside the spam-fighting clique (as some think of it). So here are a few rephrased highlights. Think of them as tips to prevent making yourself look foolish:

  • Don't assume that spammers are stupid.
  • Don't rely on email recipients changing their behavior with nothing to show for it.
  • Don't rely on other email senders responding to automatic challenges (or on victims of challenges sent to forged addresses not to respond).
  • Don't rely on all ISPs, web hosts, and registrars being active, reponsible, spam-hating net citizens.
  • Don't propose replacing SMTP, DNS, TCP/IP, Microsoft Exchange, Lotus Notes/Domino, or other immovable objects.
  • Know what these terms mean: tarpit, DNSBL, HELO, EHLO, MX, RMX, MTA, MUA, DCC.
  • Know the difference between the SMTP envelope and header.
  • If your scheme requires a new standard, make sure you understand how standards are set on the Internet -- at a minumum, read and understand RFC 2223 and RFC 2026.
  • With few exceptions, strangers won't pay money to send you mail.


Thursday, March 30, 2006

Virus Alerts are as Bad as Spam

Many email security products or services will warn you if they detect a virus in an incoming message. You'll receive a Virus Alert message in your inbox that either includes the original plain text message with the attachment stripped out, or has just a simple notification that "so-and-so sent you a virus, and click here to read the message in the quarantine." The intention is that you can contact the sender and tell them that they have a virus on their PC.

The problem is that these days, most virus-infected email is been sent not by users, but by other viruses. It's effectively spam, except the motivation is to take over your computer, not to sell you ... uhhh ... things. The viruses will often use the same lists of recipients as spammers do. Naturally, there's no point in contacting the "sender" of the message -- it's probably forged.

The upshot is that these virus alerts messages are now just as bad as spam. Only a tiny proportion of them are any use. Email security solutions should be more selective of which messages they warn about.


Wednesday, March 01, 2006

Free Speech is No Excuse to Spam

It seems that some bulk email senders are getting spun up about developments such as Goodmail and Bonded Sender. For example, says it's, "Threatening the Internet as we know it ... The very existence of online civic participation and the free Internet as we know it are under attack."

Balderdash and piffle, say I. Nothing's really changed -- if users are complaining about some email, service providers will block the sender, whether or not they pay some sort of a bond or fee. There's no substantive change here. If you're an existing sender with a good reputation, you should have nothing to worry about -- well, nothing new anyway.

I suspect there's an underlying agenda to some of the moaning. There are some quasi-political and religious groups emailing indiscriminately, and hiding under the flag of Free Speech. That's no excuse -- people will still click the This Is Spam button, and so future mail will get blocked. Just because the message isn't commercial, it doesn't mean that users won't perceive it as spam. I've no sympathy for senders who use those tactics.

My advice to groups who are concerned about their continued ability to communicate legitimately is this: if you find that your email's being blocked, work with your email service provider and that of the recipient to figure out how you should act in the future. Don't act as if it's your deity-given right to send email to whomever you wish. Those that run email services are perfectly entitled to act on user spam complaints. As the saying goes, "My server -- my rules."


Saturday, February 25, 2006

Additional Thought on Phishing Complaints

Last week, I wrote about what brand owners should do about phishing. You may recall me saying that owners should have a mailbox where they can receive copies of phishing spam forwarded to them by consumers and (ahem) security researchers. I also said that owners could run spamtraps to pick up phishing attacks as they happen.

One aspect of this that I didn't mention, but perhaps it's not obvious -- the mailboxes used should not be spam filtered. A surprising number of banks and other brand owners get this detail wrong (cough Barclays cough). This causes them to ignore complaints and under-estimate the scale of the problem.


Friday, February 17, 2006

What brand owners should do about phishing

If you're a bank, or other organization that's worried about having your brand spoofed in a phishing attack, first you need to detect the attacks, and then you need to act. Here are some of the things you can do:

  1. Receive complaints from consumers -- publish an email address for consumers to forward suspected phishing emails to. The abuse desk can reply to the consumer to confirm whether this was a legitimate message or a phishing attempt (e.g.,
  2. Run spamtraps -- publish email addresses for the sole purpose of receiving spam. Scan the incoming spam for phishing attempts on your brand.
  3. Detect remote image loading -- scan your web server logs for the telltale signs of your images being displayed in web sites that don't belong to you.
  4. Takedown -- get the phishing web sites removed from the Internet. Work with:
    1. The ISP responsible for the email sender
    2. The hosting company hosting the phishing website
    3. The domain registrar responsible for a bogus copycat domain (e.g.
  5. Block -- inform consumer protection services to protect consumers while the sites are still available. For example:
    • Google's anti-phishing toolbar
    • Cloudmark's anti-fraud toolbar
    • Microsoft's anti-phishing protection in IE7
If you're worried about your brand's vulnerability to phishing, contact me. I can help.


Tuesday, February 07, 2006

More on Goodmail's wasted opportunity

As I said in my previous missive, Goodmail adds no practical value from the user's perspective. Goodmail deliberately misses the opportunity to protect them from phishing.

Goodmail could do so much more to warn users about scams involving sender impersonation ("phishing"). Right now, it's only certifying legitimate mail as "good." It's not spotting scam mail as "bad" -- even though it should be perfectly capable of doing so. It's very little use to consumers to simply reinforce the good, without issuing warnings about the bad. You're asking people to infer that scam email is bad (because it's not "good"). That simply doesn't work -- the psychology is all wrong.

Let's imagine that your mom's bank is a Goodmail customer. When she gets email from her bank, there's a comforting icon promising that the email is authentic. However, if a Russian mafia gang sends her some email pretending to be her bank, Goodmail says nothing -- even though they should be fully capable of popping up a big red, flashing warning.

The lack of phishing warnings is a huge missed opportunity. Both for consumers and for Goodmail's customers. Neither you, your mom or her bank want your mom to be fooled by criminals.


Monday, February 06, 2006

I'm going to be on TV today

In case you care, and if you're anywhere near CNBC today at 4.15-ish (EST), I'm going to be interviewed live from London. Topic is the ongoing AOL/Yahoo/Goodmail thing.

Hopefully it'll be more contentful than my soundbite on NPR's Marketplace show
this morning.


GoodMail Systems and AOL -- What's Going On?

Goodmail Systems has announced that AOL will be using its "postage stamp for email" approach to replace or augment AOL's current "enhanced whitelist" functionality. What's going on?.

In essence, AOL has outsourced some of its whitelist to Goodmail. Goodmail will impose a "tax" on commercial senders, if they wish to have first class delivery to AOL users' inboxes. First class in this context means bypassing spam filters and having images and links function correctly without the user being warned of their potential danger. A portion of the tax revenue is returned to AOL (the amount is undisclosed, but we believe it to be at least half) and the rest is retained by Goodmail.

This is an interesting service provided to senders by Goodmail -- the value provided in return for the fees is that senders get better delivery rates and more accurate feedback about whether messages got delivered and/or opened. However, there are also negative implications.

Some senders will object to being "held to ransom." The danger to Goodmail and AOL is that one of the big senders will be big enough to encourage AOL users to use a different email service. Alternatively, they may simply put more emphasis on their own portal messaging systems, like eBay is beginning to. Then they just have to send short text-only mails to AOL users to ask them to check the eBay site.

And what of the poor AOL customer? As I've said before, Goodmail adds no practical value from the user's perspective. Goodmail (and Iconix) deliberately miss the opportunity to protect them from phishing -- there's no big red flashing warning icon when a phishing email is received.



Monday, January 30, 2006

Fewer spammers forging the From header

It's a truism that the "From" or "Sender" of a spam email message is almost always forged -- it's hardly ever the actual sender. That could be changing. I've noticed an increasing volume of spam hitting my spamtraps that appears to have a valid return address.

Why would this be? I can think of at least four reasons:

  • It's illegal in some countries -- but many other actions related to spamming are also illegal
  • Increasing use of sender authorization technologies such as SPF, Sender ID, and DKIM by spam filters -- spammers think that a valid return address makes it more likely that their spam will get delivered
  • Increasing use of "call to action" filtering -- spam that invites the user to reply by email is harder to filter than spam that quotes a web site or phone number
  • Lower likelihood of being cut off -- people are unused to sending complaints about the owner of the sender domain; overworked abuse desks are less likely to notice that the spam implicates the sender domain

Tags: .


Friday, January 27, 2006

Evidence of 419 Scam Targeting Using Google

419 scams are typically initiated by sending email to a list of potential victims. The scammer hopes that one recipient -- the so-called mugu -- will be so greedy that he'll overlook the obvious illegality of the deal proposed. You've probably seen these come-ons in your inbox. For example:

I am MR MOHAMMED NASSER, the director in charge of auditing and accounting section of Standard trust bank of Benin cotonou Rep ublic of Benin in West Africa with due respect and regard. I have decided t o contact you on a business transaction that will be very beneficial to bot h of us at the end of the transaction .
During our investigation and auditing in this bank,my department came across a very huge sum of mon ey belonging to a deceased person who died in (beirut-bound charter jet) pl ane crash on the 25th December 2003 here in cotonou (replublic of benin) an d since his untimely death the funds has been dormant in his account with t his Bank without any claim of the fund in our custody either from his famil y or relation before our discovery to thisdevelopment...

It goes on to suggest that you might be able to help steal the money. In return for your help, you'll get a sizable proportion of the ill-gotten gains. It later transpires that the scammers need you to lend them some money for "expenses," which of course you'll never see again.

One of the ways the scammers find target their victims is by using Google and other search engines. Those of us who own websites and read our webserver logs can often find some hilarious search terms being issued from the Ivory Coast, Nigeria, Senegal, the Gambia, Uganda, and even Greece. My favorite recent examples are:

  • 2006 fine me email contact directors companies in uk
  • contact smash email addresses 2005 hotmail
  • +1 november 2005 email contact @%
  • 2005 premier league email directory
  • american people in england+2005 contact adress
  • i want to buy achieve email contacts pages please give me there email contacts 2005

Tags: , .


Friday, January 20, 2006

How LinkedIn limits spammy invites

Last week, I said that LinkedIn was capping the number of connections users may make, in order to avoid spammers misusing the service. According to co-founding LinkedIn marketing veep Konstantin Guericke, it's not strictly a limit on the number of connections, but on the number of invitations one can send.

Quite right too -- it's in the misuse of the invitation process where these self-styled "power networkers" become spammers. After looking at data about how the service has been operating, LinkedIn set the limit at 3,000 invitations. However, there's an exception process for users exceeding that number, which will only kick in if invitees are actually accepting the invitations.

As Konstantin summed it up, "It's [a] wisdom-of-the-crowds approach."

BTW, here's my LinkedIn profile -- 249 connections is enough for anyone, surely? ;-)


Monday, January 16, 2006

The MIT Spam Conference 2006 is ON!

Rumors of its death have been greatly exaggerated. It's now happening on March 3. Paper submission deadline is Feb 1.
This intensive, one-day conference will include many of the leading technical experts on spam from the bit-whacking level to the global economics of spam.

read more | digg story


Saturday, January 14, 2006

LinkedIn users are revolting spammers

Hmmm. It's interesting what happens when a few "power users" start using a social networking website such as LinkedIn in ways the owners didn't intend. Two interesting blog posts here: For a New Etiquette of LinkedIn and What Is LinkedIn Doing?

Looks like we're talking about a vocal minority of folks, each of whom have thousands of links. Their point is that they find LinkedIn incredibly useful. LinkedIn's point is that for the site to be useful, in the way in which it was intended, users should know people to whom they link "well" -- LinkedIn believes it's not possible to know thousands of people well enough for them to participate on the site in the way envisaged.

Truth be told, the behavior of some of these self-styled "power networkers" verges on spamming in my personal experience. Nevertheless, I'm sympathetic to both points of view. Ultimately though, it's LinkedIn's ball and the site owners can take it home any time they choose.

Tags: .


Friday, December 23, 2005

FixingEmail: CAN-SPAM is working?


The FTC is trying to convince Congress that CAN-SPAM has caused spam levels to drop. True? Well, yes and no. Let's look at the facts...

1. Spam levels are dropping? False.

The number of spam messages sent continue to rise. It's possible that spam might be leveling off as a percentage of spam, but the number of legitimate messages is rising faster.

2. But people are getting less spam, right? Irrelevant. [read more]

Tags: .


Wednesday, December 21, 2005

Spam Quarantines Should Be Sorted by Score

When spam filters decide what's spam and what's legitimate email, they often assign a score to the message. You can think of this score as the confidence that the message is spam. For example, filters based on SpamAssassin typically assign a score of more than 5.0 to indicate spam. However, spam filters can make mistakes and occasionally flag legitimate messages as spam (known as a false positive). Usually these false positives have a relatively low score.

Most spam filters maintain a quarantine or spam folder where they put the spam messages. Users or administrators can browse the quarantine folder in an attempt to find false positives.

Searching for false positives is a laborious task. It's very helpful to sort the quarantine list by the messages' score. This means that any false positives are likely to be near the top of the quarantine list. The Pareto Principle -- the "80/20 rule" -- applies. In other words, in order to get 80% of the benefit, the user only need browse the first 20% of the quarantined messages.

An example of a quarantine that does this is Electric Mail's PerimeterProtect hosted service. A surprising number of spam filter quarantines don't even allow this sort order as an option.

Tags: .


For more posts, go to the home page, or see the archive.