Richi'Blog
Stuff 'n' nonsense about email, spam, travel, and life in the UK.

Wednesday, April 30, 2008

Your Reputation in Peril: Use Outbound Spam Filtering

Whether or not you or I believe BorderWare's amazing claim that it filters 98% of spam using reputation alone, it's clear that reputation is increasingly important.

No surprise there, but what's the implication on legitimate email users?

As more and more spam filtering relies on your reputation as an email sender, your reputation gets more and more important. Lest we forget, most spam is sent by malware-infected zombies, some of which could be on your network.

That's why outbound spam filtering is increasingly important. It's not just about being a good 'net citizen -- you need it to protect your reputation.

If you don't keep a lid on spam exiting your network, your reputation will be trashed. In crude terms, your outbound IP addresses will be blacklisted, meaning your ability to send email to your legitimate business contacts will be severely limited.

If a few of your users are unwittingly sending spam, then all of your users will have serious trouble sending legitimate email.

Of course, an outbound spam filter can't, by definition, use sender reputation. It has to rely primarily on content filtering. Those that claim that reputation is the be-all-and-end-all of spam filtering are missing an important point.

With thanks to Proofpoint's Andrew Lochart and David Stanley, for a stimulating conversation last week.


Saturday, April 19, 2008

The Media is Bored with Spam?

I moderated a Ferris Research webinar earlier this week. It was intended to be a press-only event, to support a client's press release. Inevitably with these things, a few non-press register, but that's perfectly OK.

The client is a new spam filter vendor, that seems to have an interesting new twist on the problem (I'm reasonably convinced that it's not just a silly FUSSP).

The thing that really surprised me was how few press people turned up. In fact, non-press outnumbered the press folks two-to-one. What's up with that?

I also heard from the client's PR person (hi, Donna) that nobody has anything spam-related on their editorial calendars.

Doesn't the mainstream media care about spam any more? Certainly their readers do, as evidenced by the continuing churn in the spam filtering marketplace.

Any thoughts? Click the comments link below: I'm all ears.


Wednesday, April 09, 2008

BorderWare claim: Amazing Reputation Filtering (RSA)

BorderWare is making a very interesting claim. It seems to be blocking an enormous proportion of its customers' inbound spam simply using IP reputation.

While most anti-spam vendors these days talk about blocking roughly 75% of the spam using IP reputation (basically a fancy word for DNSBLs), BorderWare's quoted statistic is 98.3%. Wow, that's a lot -- especially considering that the law of diminishing returns almost certainly applies.

This is a good thing because the more spam one can identify and block by reputation, the less spam content one has to examine using techniques such as Bayesian analysis, which are computationally "expensive".

But how does the company achieve such a high figure? By slashing the time taken for new entries to be added to its centralized reputation database (BSN, or "BorderWare Security Network" -- soon to be rebranded as "Reputation Authority").

These days, new zombie spam sources don't hang around to be detected, they get sending as soon and as fast as they can -- the botmasters have realized that a fresh, undetected spam source is far more effective than an old, known source. Minutes count; in fact in the spameconomy, time is money.


Proofpoint has a Reminder: It's Still Here (RSA)

Proofpoint has a new VP of marketing, and not a moment too soon. Andrew Lochart is the first to admit that his new employer has been very quiet recently, and he aims to change that.

Aside from the recent $20 million funding round and the additional 40 employees hired already this year, he reminds us that Proofpoint recently launched a hosted email security service, Proofpoint On Demand. This means that Proofpoint now offers its technology as a service, as software, as an appliance, and as a virtual appliance (a virtual-machine image of the appliance).

Sticking with what seems to be a "hybridized" theme, customers can mix and match the different form factors, while still managing them all from a single console. Handy, that.


Tuesday, April 08, 2008

Trend Micro's Hybrid Hosted Service (RSA)

Trend Micro takes an unusual approach with its hosted ("managed"; "in-the-cloud") email security service. Rather than trying to do everything, it sticks to what a service is good at.

Trend is applying the Pareto principle (a.k.a. "80/20 rule"). The company promotes a "hybrid" approach, with the hosted service implementing only a first level of spam filtering based on reputation -- filtering roughly 80% of the inbound spam. The remaining email is passed on to spam filtering appliances on the customers' premises, to deal with the other 20%.

The on-premise appliance can therefore more easily be customized to conform to local policy. When it comes to filtering spam using content, it's best to have an understanding of the types of legitimate content that the organization sends and receives -- the obvious example is medical organizations, which may well expect to receive email about a certain blue pill whose name begins with 'V'.

Of course, organization-specific customization can be done in the cloud -- there's nothing intrinsic about it that forces it to be on-premise, but this split in responsibilities seems like it has merit.


Monday, March 31, 2008

Off to RSA

I'll be at the RSA conference next week, Monday-Wednesday. I'll also be doing other meetings in the SF bay area on the 3rd and 4th.

If you want to meetup or just get in touch, best bet is by email or text (+447789200701).


Thursday, March 06, 2008

Spammers attaching .ZIP files with HTML inside

Since about 1am GMT today, I've seen a steady stream of messages with .ZIP attachments hit my spamtraps. The Zip files seem to contain a simple HTML page spamvertising the usual fake ED drugs.

Subjects include:
  • On Top All Night
  • Your Sexual Health
  • Master in bed are you
  • Smart in bed games
  • Be a big bed man
There seem to be two templates in use:
  1. a simple plain text body and a .ZIP attachment
  2. an HTML body (plus /alternative plain text) with the .ZIP file as a /related part


Sunday, March 02, 2008

Jeremy Jaynes Lost Appeal, but...

Hmmm, so I see that Jeremy Jaynes has lost his appeal in Virginia that spamming is protected speech under the U.S. First Amendment. (Thanks to Slashdot for the heads-up.)

Jolly good, and no surprise there, I think. However, why on Earth was it a 4-to-3 split decision? What were those three state supreme court judges thinking?

Well, according to the AP:
Justice Elizabeth Lacy wrote in a dissent that the law is "unconstitutionally overbroad on its face because it prohibits the anonymous transmission of all unsolicited bulk e-mail including those containing political, religious or other speech protected by the First Amendment."
Oh, balderdash. I find it really hard to believe that the American founding fathers intended my email to be full of spam.


Friday, February 29, 2008

Spammers work for Desperate Social Networks

Hmm, email hitting spamtraps this morning for a social network called Friendsgroup.co.uk. Sounds suspicious, no?

Let's see:
  • Spam sent to email addresses that only exist to trap spam? CHECK
  • Spam comes from dynamic consumer ISP space? CHECK
  • Envelope sender forged? CHECK
  • Date: header a couple of hours in the future? CHECK
  • "Content-Transfer-Encoding: 7bit" but includes 8-bit characters? CHECK
  • Text mentions "double opt-in" CHECK
  • Spamvertized website operates out of Latvia, not the UK? CHECK
Update: I only had a quick look and can't see anything obviously dodgy with the site itself. My suspicion is that it exists to spread malware -- either by exploiting browser vulnerabilities or by making people download Trojans when they register.

It could alternatively be a come-on for a Russian Brides style scam.
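As an added example (my own code, not from either post), here is a small Python triage script that checks a raw message for three of the tells described above: a Date: header running ahead of the clock, a part declared 7bit that carries 8-bit bytes, and a .ZIP part that wraps an HTML page. It walks every MIME part, so it covers both the plain-attachment template and the multipart/related template from the March 6 post. The message it runs on is constructed inline (invalid-TLD addresses, no real capture) purely to exercise the checks.

```python
import base64
import io
import zipfile
from datetime import datetime, timedelta, timezone
from email import message_from_bytes, policy
from email.utils import parsedate_to_datetime


def build_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; only used to construct the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample (not a real capture). It combines the tells from both posts:
# a text part declared 7bit that carries an 8-bit byte, a Date: header a few
# hours ahead of "now", and a .ZIP attachment wrapping a spamvertising HTML page.
ZIP_BYTES = build_zip({"offer.html": b"<html><body>the usual blue pill offer</body></html>"})
SAMPLE = (
    b"From: promo@example.invalid\r\n"
    b"To: trap@example.invalid\r\n"
    b"Subject: On Top All Night\r\n"
    b"Date: Thu, 06 Mar 2008 04:05:00 +0000\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=iso-8859-1\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"See the attached caf\xe9 offer\r\n"          # \xe9 is an 8-bit byte in a "7bit" part
    b"--b1\r\n"
    b'Content-Type: application/zip; name="offer.zip"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="offer.zip"\r\n'
    b"\r\n"
    + base64.encodebytes(ZIP_BYTES).replace(b"\n", b"\r\n")
    + b"--b1--\r\n"
)
# "Since about 1am GMT today" in the March 6 post; the clock the checks run against.
NOW = datetime(2008, 3, 6, 1, 0, tzinfo=timezone.utc)


def date_in_future(msg, now, slack=timedelta(minutes=30)):
    """True if the Date: header is more than `slack` ahead of `now` (aware datetime)."""
    raw = msg.get("Date")
    if raw is None:
        return False
    try:
        sent = parsedate_to_datetime(str(raw))
    except (TypeError, ValueError):
        return False                      # unparseable date: a different tell, not this one
    if sent.tzinfo is None:               # "-0000" style dates come back naive; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return sent - now > slack


def undeclared_8bit_parts(msg):
    """Content types of parts declared 7bit (or unlabelled) whose raw bytes exceed 0x7F."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        if cte != "7bit":
            continue                      # base64/QP/8bit parts may legitimately decode to 8-bit
        data = part.get_payload(decode=True) or b""
        if any(b > 0x7F for b in data):
            hits.append(part.get_content_type())
    return hits


def html_inside_zip(msg):
    """Map each .zip part (attachment or /related part alike) to the HTML entries inside."""
    found = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if part.get_content_type() != "application/zip" and not name.lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                html = [n for n in zf.namelist() if n.lower().endswith((".htm", ".html"))]
        except zipfile.BadZipFile:
            html = []                     # not a readable zip: nothing to report here
        found[name or part.get_content_type()] = html
    return found


def triage(raw, now):
    """Parse one raw message and report which of the three tells fired."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        "date_in_future": date_in_future(msg, now),
        "undeclared_8bit": undeclared_8bit_parts(msg),
        "zip_with_html": {k: v for k, v in html_inside_zip(msg).items() if v},
    }


def run_sample(hours_later=0):
    """Triage the constructed sample as seen `hours_later` hours after NOW."""
    return triage(SAMPLE, NOW + timedelta(hours=hours_later))


if __name__ == "__main__":
    print(run_sample())
```

Any one of these tells on its own is weak evidence (a skewed clock or a sloppy mailer produces them too); it is the accumulation of several, as in the checklist above, that makes the call.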


Thursday, February 21, 2008

Can Anyone from Yahoo Help?

I have a client with a problem getting email to his customers on Yahoo. The users want the email, but it keeps turning up in their Bulk folders, not the Inbox. Most frustrating.

I've walked him through making everything squeaky-clean, but no luck.

Yahoo's "Postmaster" contacts just seem to be a huge black hole. Is there anybody reading this who can offer a clueful contact at Yahoo?

Anyone?
Bueller?


Friday, January 04, 2008

Alan Ralsky Indicted

Well well. It seems the Feds have decided that Ralsky has been helping the Russian stock kiters...
A federal grand jury indictment was unsealed today in Detroit charging 11 persons, including Alan M. Ralsky ... in a wide-ranging international fraud scheme involving the illegal use of bulk commercial e-mailing, or "spamming" ... The charges arose after a three-year investigation ... revealed a sophisticated and extensive spamming operation that, as alleged in the indictment, largely focused on running a stock “pump and dump” scheme.
Much, much more at today's IT Blogwatch.

(Happy new year, by the way.)


Tuesday, November 06, 2007

Hilariously Bad 419 Scam Come-On

Hilariously bad 419 just hit inbox. Must. Stop. Laughing. And. Blog. It...
Minneapolis Telephone Network (MTN)
Foundation's Officer
125 Allen Avenue,
Lagos-Island
Nigeria.

Concern:Winner,
The Minneapolis Telephone Network (MTN),
would like to notify you that you have been
chosen by the board of trustees as one of the
final of a cash Grant/Donation for your own
personal, educational, and business
development.The Minneapolis Telephone
Network (MTN) was established by the Multi-
Million groups in 1993 was conceived with the
objective of human growth, educational, and
community development.To celebrate the 15th
anniversary program, the Minneapolis
Telephone Network in conjunction with the
Economic Community for West African States
(ECOWAS), United Nations Organization (UNO)
and the European Union (EU) is giving out a
yearly donation of Euro??3,500,000.00 (Three
Million ,Five Hundred Thousand Euro) and an
Auto-Mobile (Peugort 207 Car) each to 20 lucky
recipients for their patronage to this
organisation and continues growth.This
Donation/Grants is in view to mark it 15th years
of Best Telephone Network all over African and
some parts of the world.At least 20% of the
awarded funds should be used by you to
develop a part of your environment.Based on
the random selection exercise of internet
websites and millions of supermarket cash
invoices worldwide, you were selected among
the lucky recipients to receive the award sum of
Euro??3,500,000.00 (Three Million ,Five Hundred
Thousand Euro) and an Auto-Mobile (Peugort
207 Car) as charity donations/aid from the MTN
Group Limited (MTN Group), ECOWAS, EU and
the UNO in accordance with the enabling act of
Parliament. Your Qualification/Reference
numbers (M-323-T-6747, N-900-56) should be
quoated by winners in all discussions. You are
required to choose your delivery option which
will be convient for you in the order below:

1. Diplomatic Courier Service,Delivery To Your
Home Address.

2. Telegrahic Wire-Transfer,To Your
International Bank.

You are required to contact the promotion
agent in the below order.
Executive Secretary- Mr Raymond Chua Swee
Email:info@raymonchua-swee.1to1.org
All information is strictly confidential.
Mrs Gucci Villary
Minneapolis Telephone Network (MTN)
Foundation's Officer
ROTFLMAO


Wednesday, October 24, 2007

Gmail, How do I Love Thee? Let me Count the Ways...

Here's a quick Gmail goodness grab-bag top-10...
  1. Spam filtering. It just works. I estimate it kills more than 99% of my spam, and the only occasional false positives I get are from Yahoo Groups (which is a spam cesspit anyway) and mailing lists that include spam samples (uhhh...)

  2. IMAP access. Yay, we've been asking and asking and asking for it, but it finally arrived yesterday.

  3. Local front-end servers. Recently, Google moved the POP/IMAP/SMTP servers I connect to. They're not now in the U.S., but much closer to me (in the UK?). Some sort of routing cleverness, I dare say. This means downloading a load of messages is now very, very fast.

  4. Search and Filters. Fast, flexible, frequently-very-useful. Especially when combined with the saved search extension for Firefox (using Greasemonkey or the Better Gmail extension).

  5. Labels. I know some people hate 'em, to which I say, "Just think of them as folders." But they're so much better than folders, mainly 'cos you can "file" a message in more than one of them.

  6. Fetchmail. Integrated, as a way of grabbing your email from other accounts, using POP. Saves auto-forwarding, which is increasingly broken.

  7. AJAX. Not as ground-breaking as OWA, not as flashy as Oddpost/Yahoo/SWA, not as mashable as Zimbra, but fast and usable all the same.

  8. Keyboard shortcuts. A big productivity saver. I hate to move my hands off the keyboard to find my mouse -- that's a key reason why I don't "do" Mac OS.

  9. Google Apps. A white label version of Gmail is included in Google's hosted applications service.

  10. Free. Yes, as a confirmed cheapskate, this is a good thing. Even Google Apps is free for up to 50 mailboxes. No more do vanity domain owners have to suffer the slings and arrows of outrageous email forwarders.


Tuesday, October 16, 2007

Email Sender Reputation at all, David?

David Berlind sounds like he's sick of talking to hyperbole-fuelled anti-spam vendors. Can't say I blame him.
It is probably true that if everyone in the world ran just one solution, we’d be able to tweak that solution in such a way that we’d finally get a handle on the inbound and outbound problems associated with spam. When everyone has access to the same technology, there’s a name for that. It’s called a standard. There is zero chance of some proprietary solution becoming the defacto antispam solution for the world. But, if only AOL, Google, Microsoft, and Yahoo (the world’s leading e-mail solution/service providers) would get together and decide on what the non-proprietary standards should be and implement them in their systems, it wouldn’t be long before every other e-mail solution provider would have to follow suit (in order for their e-mails to interoperate).
Well, the thing is, in many ways, AOL, Google and Yahoo are doing what he asks (and even Microsoft is making encouraging noises).

The "standard" the industry's heading towards is "true" sender reputation (i.e., not the DNS-IP-blacklists-on-drugs that we have today). Being able to store and share opinions about the "goodness" of an individual sender and/or sender domain would be incredibly useful, but we're not there yet -- mainly because email is too easy to forge. This is where sender authentication comes in.

So the necessary precursor to sender reputation is to get everyone using DKIM, so we have a strong method of sender authentication (not just the relatively weak-but-easy SPF/SenderID) -- this is where the big three mentioned above are right now (and as I said, Microsoft is making encouraging noises, despite its wedded bliss with SenderID).

For more, see:


Thursday, October 11, 2007

Is Spam Blocking at Odds with Common Carrier Status?

ISPs in many countries, including the U.S., enjoy a legal status often known as "Common Carrier." Simply put, this absolves the ISP of responsibility if it assists in the transfer of illegal materials, such as copyrighted works or child pornography. The philosophy is that as long as the ISP simply moves data from one place to another -- not making any judgment or discrimination about whether to move one type of data or another -- the ISP should enjoy a "safe harbour."

From time to time, some wag gets the idea that email filtering of spam and viruses would cause ISPs to lose this legal protection. In other words, if an ISP chooses not to deliver a message because it's "spam," the ISP is discriminating based on the content or source, which may remove the safe harbour. When one thinks about it, this is complete nonsense, but stranger things have happened in various legal systems around the world.

This debate is happening again. Thanks to the good work done by MAAWG and others, ISPs are being encouraged to set up outbound spam filtering, to prevent zombified PCs sending spam from their networks, and to encourage users to clean their infected machines with walled gardens. Naturally, some are expressing concern that such discrimination would count as another chink in their common carrier armour.

It's time for the FCC and similar regulators in other countries to step up and make it clear that such genuinely useful -- some would say essential -- discrimination would not affect an ISP's common carrier status.

BTW, sorry for the long hiatus. Call it Blogger's Block. Thanks to Kevin Soo Hoo for helping break it.


Thursday, August 30, 2007

Inadvertent Spamming: a Cautionary Tale

I learned today of a well-known software vendor whose business has suffered as a result of poor list management practices. It's not the first, and probably won't be the last. This sorry tale only goes to illustrate the importance of avoiding becoming an inadvertent spammer.

It appears that, although it had been legitimately sending mailings to its customers, the vendor had been ignoring unsubscribe requests. As I've said before, any unwanted bulk email sent by an organization after an appropriate unsubscribe request is spam -- an organization that fails to act on unsubscribe requests in this way is a spammer.

As a result of its failure to honour unsubscribe requests, complaints about the spam began to accumulate at the feet of the various organizations that track spammers' activity. Crucially, these include sender reputation services, such as DNSBLs (also known as IP blacklists). Inevitably, despite the fact that the majority of email it sent was legitimate, the vendor gained a negative reputation as a spammer.

This caused some recipients of its email to reject or otherwise filter these legitimate messages. Not only were legitimate direct marketing messages filtered, but also messages containing customers' license keys, technical support replies, etc.

This is indeed a cautionary tale: the lesson for senders is that the unsubscribe process is truly a mission-critical part of your direct marketing or transactional email workflow. Failure to ensure its integrity can not only cause legal problems, but damage your customer relationships and your business.


Tuesday, August 14, 2007

Spam Causing Email Exodus?

I was asked an interesting question earlier this week. Paraphrased:
With the sheer number of people using semi-proprietary closed systems such as Facebook or Myspace for their personal and business communication, might they be serious contenders for a real spam solution?
Some time ago, I wrote about the "People are stopping using email" meme. I said then that it's not so much that people are turning their backs on email as a medium, but that they have a wider choice of media available to them now -- such as IM, SMS, and social network websites. They're just more likely to choose the medium best suited to the task. Nothing's changed my mind since then.

Having said that, feel free to poke me, follow me, LinkIn, or whatever.

To paraphrase Meng Weng Wong's recent curry-inspired trendmap, all such media attract spammers if they become sufficiently popular. Lest we forget, spam was first a big problem on USENET -- email came later.


Monday, August 06, 2007

C/R and "Spam Index" Conversation Roundup

I wanted to pull together some of the conversations that have been flying around recently about challenge/response spam filtering and this "spam index" idea. As is often the case, quite a bit of the value is in the conversation, in addition to the original posts, hence this roundup...

Anonymous:
As the holder of a domain name frequently forged into the From: or Reply-To: fields of spam, I can testify for certain that it doesn't work. In fact, whenever I receive a challenge to one of those forged addresses, I make sure to reply to it to make sure the spam gets through. Petty, perhaps, but I'm not being paid to filter C/R users' spam, so I'll pass it through.

Dean Harding:
I'll admit I was a bit suspicious that if challenge/response was such a panacea why were there not more people using it? My point was not that people should start using challenge/response, though, it was more to just point out that many people are still not happy with their spam filtering.

Len Dressler:
[Richi,] you're really kind of a dork ... It appears you have some sort of agenda of your own, fairly skewed towards blacklist and the like, which from an IT manager's perspective, is a joke.

Richi:
Len, you're entitled to your opinion, and I will defend your right to express it to the best of my ability. Fact is, state of the art spam filters catch 95-99% of spam, with a vanishingly-small false positive rate. Such spam filters use a combination of techniques ... I see no evidence that a single approach—such as IP blacklisting—is viable.

Anonymous:
I was interested in learning of Peter's methodology ... I attempted to register on his web site in order to download a copy of his report. I'm still waiting for a response, who knows maybe his acceptance e-mail was justifiably intercepted by my spam filter.

Sandman:
If it's my inbox, it is a communication tool for me, and I own the right to ask people to verify they are who they say they are.

Don Marti:
I see lots of “I just started using C-R, it’s great” posts, but no “I’ve been using C-R for years and it’s great” posts. C-R is something that you try and give up on. Or, in my case, watch other people try and give up on.

Anonymous:
Effective spam control is possible. It doesn't require cumbersome and work-flow disruptive band-aid solutions like C/R ... What's needed and has been proven to be most effective is a human feedback component. Several of the best anti-spam products available today include this as part of their toolset.

This is not to say that you need a solution where YOU have to be the human in the loop. The best vendors in the space do that for you and push new rules out to their customers every 10 mins or so.

Devil's Advocate:
Asking various people "how happy" they are with their present anti-spam product has absolutely no bearing on the effectiveness of those products ... if you ask if a C/R user sees less spam, you're going to get a "yes". But, what if you ask all the innocent 3rd parties that receive the challenges (which the C/R user doesn't see)? ... All C/R succeeds in doing is displacing the original spam volume in favour of its own variety of spam ... [and] shows a blatant disrespect for the health of the Internet.

Anonymous:
Nonsense - I am no expert, just a user, but every fact you make is wrong.

Richi:
In my spamtrap archive, I have several samples of inappropriate challenges from every C/R system known to me. Just in the past month, I've got challenge-spam from: [long list deleted]
...
Still don't believe that C/R systems send spam to innocent 3rd parties?

Peter Brockmann:
Your last post proves precisely the point. Users don't care and shouldn't have to care about what falls into YOUR inbox, only what falls into THEIRS.

Richi:
So users don't care that they're sending spam, as long as they don't get any?
...
Increasingly, the main issue with C/R isn't that it annoys innocent 3rd parties -- it's that the backscatter hits spamtraps, causing legitimate challenges to go undelivered. Hence, the false positive rate of C/R is actually surprisingly high.

Ask a C/R user about this though, and they'll often be blissfully unaware. It's hard to know when one is missing a legitimate unsolicited message from someone you don't know.

David Merrill:
For recipients, challenge-response and sender verification methods are good, but their use can get your domain blacklisted. Why? Because each incoming message, spam or not, generates an outgoing message, and spammers can (and do) use those in denial-of-service attacks.

Justin Mason:
Focussing the debate on the “user’s inbox” ignores the overall picture, including everyone else’s mailbox, which is where C/R fails.

But my favourite comment has to be from Al Iverson, on the membership-only list, SPAM-L (Al kindly gave me his permission to be quoted here):
C/R is trapped in this eternal September of newbie solution developers who think they're the bee's knees because they figured out how to implement a "new" version of C/R (which is usually exactly the same as every other one). Then they act like a kicked puppy when we don't jump for joy over how awesome it is to see...yet another implementation of C/R.

Eternal September of newbie solution developers? Priceless!


Friday, July 27, 2007

Who is Peter Brockmann?

So, according to one Peter Brockmann, challenge/response (C/R) spam filtering is a wonderful thing, and beats all other anti-spam techniques into a cocked hat.

Huh? What? How did he come to that conclusion?

I've beaten the "C/R filters are a terrible idea" meme to death, as have many others, so I'm not going to repeat all that here. If you're new to the arguments, take a stroll through these posts (perhaps you should work from the bottom up).

But I was about to write about Peter's methodology. However, it would have been an identical post to the one Justin Mason wrote -- he beat me to the punch. So here are Justin's money quotes:
The “Spam Index” is a proprietary measurement of spam filtering, created by Brockmann and Company. A lower “Spam Index” score is better, apparently, so C/R wins!
...
However — there’s a fundamental flaw with that “Spam Index” measurement, though; it’s designed to make C/R look good ... The “Spam Index” therefore considers a false negative as about as important as a false positive. However, in real terms, if a user’s legit mail is lost by a spam filter, that’s a much bigger failure than letting some more spam through. When measuring filters, you have to consider false positives as much more serious!
...
[And] the situations where C/R fails are ignored. Is it any wonder C/R wins when the criteria are skewed to make that happen?
I too took a close look at his methodology. It is really, really, horribly biased in favour of C/R. Unbelievably so. By orders of magnitude, arguably.

The idea is that one can come up with a neat "score" for the performance of a spam filter -- of course, the exact composition and weighting of such a score can sway the results in any direction one chooses.

Statistics aside, asking C/R users if they're happy isn't the be-all and end-all of anti-spam research. C/R users may indeed be happy -- happily unaware that their spam filter is sending spam by replying to innocent third parties whose addresses have been forged by spammers.

(As an aside, I note with amusement that Peter mis-categorizes Commtouch and IronPort as DNSBLs -- which he calls "RBLs", so perhaps Trend Micro should whine at him about trademark infringement.)

So what's going on here? I first came across Peter earlier this month, when I noticed some rather odd edits to the Wikipedia page about Challenge-response spam filtering made by one Pjbrockmann. The edits did rather deviate from Wikipedia's prized "neutral point of view" (NPOV). I also noticed a sneaky link back to his site from the page: naughty-naughty (as a great philosopher once said).

So, let's check out brockmann.com. The About page says, "Brockmann is a Wikipedia contributor." Well, golly, so he is. (Perhaps I should add that to my puff piece too.) His Wikipedia contributions extend to being dinged twice in April and June for spam and non-NPOV (the more recent issue noted above would make it three). Not so great.

Justin alleges that Peter has a relationship with Sendio. I don't know about that, but I do see he also mentions SpamArrest as an example of C/R. But does this (presumed) relationship stop him being objective? As Steve Hunt says, it, "Depends on what you mean by objective":
We are all mere mortals, and my own personal preferences will be very clear in the posts. Actually, my personal preferences and biases pay the bills ... Does that make me less than objective? I don't think so, but use your own judgment ... I commonly won’t expose which vendors I’ve helped because – frankly – it’s none of your business. It doesn’t change my ability to speak frankly and truthfully, and you might look at the list of companies and assume some bias that really doesn’t exist.
I like how Steve puts this, but I differ from Steve and Peter in that my personal preference is to maintain a list of clients in public (it's not a complete list, mainly for reasons of confidentiality -- e.g., when I've worked on expert witness contracts). So I guess you might look at that and, "Assume some bias that really doesn’t exist."

But, as an independent adviser/analyst/consultant, I also hope that you'll find that what I have to say is actually true.


Monday, July 09, 2007

Google Acquires Postini

Google announced that it has agreed to purchase Postini for $625 million in cash. Why?

Postini is best known for its managed ("hosted", "on-demand") spam filtering service, but that's not what attracted Google. Gmail and its Google Apps cousin already have sound spam filtering technology -- they don't need help from Postini.

What Google needed was a way to round out its Google Apps story with solutions for its customers' policy, compliance, and archiving/e-discovery needs. Google was already partnering with Postini to provide this for Google Apps customers. Presumably the experience was a positive one and Google simply wanted to own the technology and people.

Google's statements hint that the lack of Google-owned technology in these areas has been a sales inhibitor:
Many businesses have been forced to choose between innovation on one hand, and these backoffice mandates on the other. In effect, many businesses use legacy systems not because they are the best for their users, but because they are able to support complex business rules. We agreed to acquire Postini in order to create a more complete Google Apps solution that addresses the information security and compliance issues facing businesses of all sizes.


Tuesday, July 03, 2007

Srizbi Spam Bot is Nastier than we Thought

According to Symantec's Kaoru Hayashi, last month's Srizbi Trojan is nastier than it at first appeared. It could be a peek at things to come in the world of spam-sending bots.

Naturally, as a malware geek, Hayashi doesn't call it "nasty" -- he says "really interesting":
Trojan.Srizbi is really interesting for some unique features. Trojan.Srizbi driver (windbg48.sys) has two main functions: hides itself using a Rootkit and sends spam, but the thing that makes it really unique is the fact that it's probably the first full-kernel malware spotted in the wild.

Once the Trojan is installed, it works without any user mode payload and does everything from kernel-mode, including sending spam ... The most interesting code is contained in the spam routine. We know that using network functionalities directly from kernel-mode is much more complicated and we have seen many rootkit threats in the past - for example, Haxdoor, Rustock, and Peacomm - always carrying over a user-mode payload that gets injected into some Windows processes. Trojan.Srizbi seems to move a step forward by working totally in kernel-mode without the need to inject anything into user-mode.
...
We think this sample is still in a “beta” stage and it’s not finished yet.
The implication being that, if a future version of Srizbi fixes the problems that currently make it visible, detection gets a lot harder. Needless to say, that may well cause more spam to get sent before an infection could be detected and remediated.

I especially liked this bit:
[It] seems to include a special routine to uninstall competitor rootkits, such as “wincom32.sys” and “ntio256.sys”.
Classy.


Friday, June 22, 2007

The DHS is a Wonderful Organization

So I hear the U.S. Department of Homeland Security has been having one or two problems with its computer security:
A subcommittee of the Committee on Homeland Security ... expressed "shock and disappointment" that the DHS had reported as many as 844 security incidents in fiscal years 2005 and 2006. The incidents occurred on IT networks at DHS headquarters, and those belonging to Immigration and Customs Enforcement, Customs and Border Protection (CBP) and the Federal Emergency Management Agency.

The security issues ... included one in which a password dumping utility was found on two DHS servers. In addition, Trojans and other malicious programs were found on numerous agency servers, and classified mail was found to have been sent out over insecure networks.
Trojans? Unencrypted sensitive email? Oh, big fat hairy deal. C'mon, this is nothing that you couldn't find in most organizations of that size. It's hardly DHS's fault.

Give them a break. In fact, give them all a big pay rise -- especially those nice officers who work the immigration and customs desks at America's fine airports (and the ones who sit in Canada, too