Spam

Anything related to Spam.

Who’s Who phish

And here, I thought I was finally famous.  It’s so disappointing.

I got a “Weekly Follow-up from the National Academic Association.”  I suppose it doesn’t really matter that I’d never heard of them, let alone weekly, because it came from the “Academic Association.”

“Hello Candidate,” it starts, and goes on to tell me that “As the school year opens, the Who’s Who Among Executives and Professionals begin a global search for accomplished individuals in both faculty and administrative roles at post-secondary institutions of learning.”

Could this possibly be a job offer?  They apparently need me to “verify your contact information so that we can properly publish your updated credentials alongside 30,000 of your prestigious peers. Such a listing can only bring you increased visibility and networking opportunities within the scholastic community.”  Only 30,000!  Such a select group!

Alas, when I actually went to the site http://www.wittersphere.info/YM40/53/1338/710177.1/4/13295/1600293/3O80?gy=?qqu06/vc/ld-99505.g78 (tested with a safe browser, but it doesn’t actually seem to be feeding malware) it turned out to be the “International Association of Successful Individuals.”  Therefore, I don’t qualify, but no doubt a number of you do, so I’m letting you know  :-)

All that, and it was just pharma spam?

Got a message yesterday.  It was immediately suspect, since it purportedly came from YouTube, and was threatening that I had sent “the maximum number of messages per day.”  It was also sent to the “-owner” of a mailing list I run on Yahoo.  Of course, I don’t send email through YouTube.

However, since I do have a YouTube account, and just in case there was a mail capability I didn’t know about, I figured I’d better check it out.  Sending through Yahoo is a good form of obfuscation.  I did, eventually, figure out that it came via ThePlanet in Houston (probably a bot infected machine).

I then suspected that it might be some kind of account phishing.  However, when I actually looked at the URL, and checked it out, it seems to have been a simple pharma spam (bounced from a site in France to one in Russia).

All that trouble and obfuscation, just to post pharma spam?  Sophisticated misdirection kits are obviously getting cheaper and easier for the script kiddie level spammers to buy.

Comment(ary) Spam…

I’m not sure why I feel the urge to keep writing about comment spam: primarily, I suppose it’s because I get so much amusement from it (just as well considering how much of it I read when I moderate comments on the ESET blog), rather than because the world is full of bloggers waiting for me to tell them how to recognize it, even if it isn’t apparently posted by someone called nike soccer shoes or where to buy a laptop or even my personal favourite of the moment, rolling in the deep adele. (Well, there went my favourite heuristic.)

Still, I liked the cheek of this one:

“Throughout the great scheme of things you’ll get a B- for effort. Where you actually confused me personally was first on your particulars. As people say, the devil is in the details… And it couldn’t be more correct here. Having said that, let me inform you what did deliver the results. Your authoring is pretty powerful which is most likely the reason why I am taking the effort in order to comment. I do not make it a regular habit of doing that. 2nd, even though I can easily see a leaps in reason you make, I am not sure of just how you appear to connect the points which inturn produce the final result. For the moment I shall yield to your point but trust in the foreseeable future you actually link the facts better.”

So much so that I did a quick Google to see how common this particular approach is, and sure enough I found a whole bunch of very similar posts – by similar, I mean the same core text with minor changes such as “the great pattern of things”. Apparently, I’m not the only blogger who tends to assume that if a comment is enthusiastic, it’s probably spam.

Thank you for your constructive criticism, Mr feather extensions online: I like your style. But my absolute favourite at the moment is Fritz, who commented dispiritedly that he is “always a big fan of linking to bloggers that I love but don’t get a lot of link love from”: too bad URLs in comments are stripped automatically, or I might have allowed that one through just to put a smile on your face.

David Harley

Shaw idiot spam filter yet again

Once again, in a month and a half, Shaw has disabled my outbound email.

For no particular reason.

Oh, sure, the error code says 554, rejected due to poor reputation.  So, like before, I do a lookup.  (For those interested in the stability of DHCP, my IP address is still the same, a month an a half later.  Even after being away for two conferences, and a short vacation.)  So, once more, I look up http://www.senderbase.org/senderbase_queries/detailip?search_string=70.79.166.169

This time there is even less information.  Google groups, SpamCop, dnsbl.njabl.org, bl.spamcop.net, cbl.abuseat.org, sbl.spamhaus.org, and pbl.spamhaus.org all say I’m clean.  (dnsbl.sorbs.net refuses to say anything, oddly.)

RFC-Ignorant.Org does say, again, that Shaw itself is questionable.  So, does that mean all Shaw clients are silent tonight?  How big of a CIDR does this affect?  (And why?)  How come I’m the guy who gets picked on?

Once again, Shaw’s “help” “Support” line is of no use.  This time around “Jason” tells me I just have to be patient: the spam guys are looking into something.  He won’t venture any guesses as to what the something is.

RSA APT thoughts

By now people are starting to hear that RSA has been hit with an attack.  Reports are vague at best, and we have very little idea how this may affect RSA customers and security in general.  But I’d like to opine about a few points.

First, we, in the profession of information security, are still not taking malware seriously enough.  Oh, sure, most people are running antivirus software.  But we don’t really study and understand the topic.  Malware gets extremely short shrift in any general security textbook.  Sometimes it isn’t mentioned at all.  Sometimes the descriptions are still based on those long-ago days when boot-sector infectors ruled the earth.  (Interesting to see that they are coming back again, in the form of Autorun and Autoplay, but that’s simply another aspect of Slade’s Law of Computer History.)  Malware has gradually grown from an almost academic issue to a pervasive presence in the computing environment.  It’s the boiling frog situation: the rise in threat has been gradual enough that we haven’t noticed it.

Second, we aren’t taking security awareness seriously enough.  These types of attacks rely primarily on social engineering and malware.  Security awareness works marvelously well as a protection against both.  RSA is a security corporation: they’ve got all kinds of smart people who know about security.  But they’ve also got lots of admin and marketing people who haven’t been given basic training in the security front lines.  For a number of years I have been promoting the idea that corporations should be providing security awareness training.  Not just to their employees, but to the general public.  For free.  I propose that this is not just a gesture of goodwill or advertising for the companies, but that it actually helps to improve their overall security.  In the modern computing (and interconnected communications) environment, making sure somebody else knows more about security means that there is less chance that you are going to be hit.

(Third, I really hate that “APT” term.  “Advanced Persistent Threat” is pretty meaningless, and actually hides what is going on.  Yes, I know that it is embarrassing to have to admit that you have been tricked by social engineering [which is, itself, only a fancy word for “lying”] and tricked badly enough that somebody actually got you to run a virus or trojan on yourself.  It’s so last millennium.  But it’s the truth, and dressing it up in a stylish new term doesn’t make it any less so.)

Japan Disaster Commentary and Resources

It probably hasn’t escaped your notice that there’s a lot of malware/SEO/scamming whenever a major disaster occurs. A few days ago I started to put together a list of commentary (some of it my own) and resources relating to the Japanese earthquake and tsunami, in anticipation of that sort of activity.

Originally, I was using several of my usual blog venues, but decided eventually to focus on one site. As ESET had no monopoly on useful information, I wanted to use a vendor-agnostic site. Actually, I could have used this one, but for better or worse, I decided to use the AVIEN blog, since I’ve pretty much taken over the care and feeding of that organization. The blog in question is Japan Disaster: Commentary & Resources.

It’s certainly not all-inclusive, but it’s the largest resource of its type that I’m aware of. Eventually, it will be organized more so as to focus again on the stuff that’s directly related to security, but right now, given the impact of the crisis, I’m posting pretty much anything that strikes me as useful, even if its relevance to security is a bit tenuous.

I’m afraid I’m going to post this pointer one or two other places: apologies if you trip over it more often than you really want to!

David Harley CITP FBCS CISSP
AVIEN COO
ESET Senior Research Fellow

Shaw and Spamhaus

I seem to be back on the air.

A few observations over this whole affair:

(Sorry, I’ve not had time to put these in particular order, and some of the point may duplicate or relate …)

1) I still have absolutely no idea why Shaw cut me off.  They keep blaming Spamhaus, but the only links they offer me as evidence clearly show that there is no “bad reputation” in the specific IP address that I am currently using, only a policy listing showing one of Shaw’s address ranges.

2) I got absolutely no warning from Shaw, and no notice after the fact.

3) Shaw’s spam filtering is for the birds.  Today I got two messages flagged as spam, for no clear reason I could see.  They were from a publisher, asking how to send me a book for review.  The only possible reason I could see was that the publisher copied three of my email addresses on the same message.  A lot of people do that, but it usually doesn’t trip the spam filter.  Today it did.  (Someone else with Shaw “service” tried to send out an announcement to a group.  Since he didn’t have a mailing list server, he just sent out a bunch of messages.  Apparently that got *his* account flagged as spamming.)  I also got the usually round of messages from security mailing lists tagged as spam: Shaw sure has something against security.  And at least one 419 scam got through unflagged today, despite being like just about every other 419 in the world.  (Oddly, during this period I’ve noted a slight uptick in 419s and phishing in general.)

4) Through this episode I had contact with Shaw via email, phone, “live chat,” and Twitter.  I follow ShawInfo and Shawhelp on Twitter.  On Twitter, I was told to send them a direct message (DM).  I had, in fact, tried to do that, but Shaw doesn’t accept direct messages by default.  (Since I pointed that out to them, they now, apparently accept them from me.)  They sent me public messages on Twitter, and I replied in kind.  Through the Twitter account they also informed me that error 554 is “poor reputation” and is caused by sending too many emails.  They didn’t say how many is too many.  (Testing by someone else indicated something on the order of 50-100 per hour, and I’ve never done anything near that scale.)

5) The “live chat” function installs some software on your (the client) machine.  At least two of the pieces of software failed the digital signature verification …

6) The “information” I got from Shaw was limited.  The first (phone) support call directed me to http://www.senderbase.org/senderbase_queries/detailip?search_string=70.79.166.169  If you read the page, the information is almost entirely about the “network” with only a few (and not informative) pieces about the IP address itself.  (I did, separately, confirm that this was my IP address.)  The bulk of the page is a report on addresses that aren’t even in the same range as I am.  About halfway down the right hand side of the page is “DNS-based blocklists.”  If you click the “[Show/Hide all]” link you’ll notice that four out of five think I’m OK.  If you click on the remaining one, you go to http://www.spamhaus.org/query/bl?ip=70.79.166.169  At the moment, it shows that I’m completely OK.  At the time I was dealing with Shaw, it showed that it’s not in the SpamHaus Block List (SBL) or the XBL.  It was in the PBL (Policy Block List), but only as a range known to be allowed to do open sending.  In other words, there is nothing wrong with my IP address: Shaw is in the poop for allowing (other) people to send spam.

7) The second (live chat) support call sent me to http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a70.79.166.169+  Again, this page showed a single negative entry, and a whole page of positive reports.  The single negative entry, if pursued, went to the same Spamhaus report as detailed above.

8) At the time, both initial pages, if followed through in terms of details, led to http://www.spamhaus.org/pbl/query/PBL164253 giving, as the reason, that “This IP range has been identified by Spamhaus as not meeting our policy for IPs permitted to deliver unauthenticated ‘direct-to-mx’ email to PBL users.”  Again, Shaw’s problem, not mine.  However, that page has a link to allow you to try and have an address removed.  However, it says that the “Removal Procedure” is only to be used “If you are not using normal email software but instead are running a mail server and you are the owner of a Static IP address in the range 70.79.164.0/22 and you have a legitimate reason for operating a mail server on this IP, you can automatically remove (suppress) your static IP address from the PBL database.”  Nevertheless, I did explore the link on that page, which led to http://www.spamhaus.org/pbl/removal/  Again, there you are told “You should only remove an IP address from the PBL if (A) the IP address is Static and has proper Reverse DNS assigned to your mail server, and (B) if you have a specific technical reason for needing to run a ‘direct-to-MX’ email service, such as a mail server appliance, off the Static IP address. In all other cases you should NOT remove an IP address from the PBL.”  This did not refer to my situation.  Unfortunately, THESE TWO PAGES ARE INCORRECT.  If you do proceed beyond that page, you get to http://www.spamhaus.org/pbl/removal/form  This page does allow you to submit a removal request for a dynamic IP address, and, in fact, defaults to dynamic in the form.  It was only on the last part of the second call, when the Shaw tech gave me this specific address, that I found this out.  For this I really have to blame Spamhaus.

9) In trying to determine if, by some weird mischance, my computer had become infected, I used two AV scanners, one spyware scanner, and two rootkit scanners.  (All results negative, although the Sophos rootkit scanner could have been a bit clearer about what it had “found.”)  Of course, I’ve been in the field for over two decades.  How would the average user (or even a security professional in a non-malware field) even know that there are different types of scanners?  (Let alone the non-signature based tools.)