Archive for May, 2008

Update on Gmail spam exploit

Posted: Tuesday, May 27, 2008
Posted by dcawley.

A couple of weeks ago I made a blog post based on a SecurityFocus vulnerability report suggesting that Gmail SMTP servers could be abused by spammers. At the time, the exact details of the attack were not disclosed to give Google an opportunity to respond to the claims. Since then, the INSERT security team have released the details of the attack, including a proof of concept program for demonstration. The key point is that it’s trivial to set up any e-mail address as an Auto Forward destination. The idea is that a spammer could send a message from a blacklisted IP to a Gmail account they’ve set up to be a spam cannon. Then they would just need to mark the received message as not spam to allow that message to be forwarded in the future. After that, the blacklisted IP can send to the Gmail spam cannon address and have a […]

Ever wonder why there are so many .info spam websites?

Posted: Monday, May 26, 2008
Posted by dcawley.

Although it may sometimes seem that the purpose of a spammer is to try and fill your inbox with useless content, their main goal is to have a recipient perform some type of action. The “call to action” could be to click on a website URL, call or fax a number, or simply send an e-mail to an address provided. In this way the spam campaign can result in sales or, in the case of phishing, the collection of valuable data. Content filtering solutions often maintain blacklists of URLs, phone numbers and e-mail drop boxes, since there’s an overhead for the spammer in changing and managing the call to action – domain registration costs, adding phone lines and breaking CAPTCHAs to create new drop boxes. There’s also the risk that the provider of these services could terminate the accounts, making the campaign ineffective. Let’s take the case of a […]

How to use Passive OS Fingerprinting (p0f) with Traffic Control

Posted: Monday, May 26, 2008
Posted by ksimpson.

I was having an IM chat with a newly minted TC user recently, and the user asked me how he can enable the Passive OS Fingerprinting (p0f) trigger (link goes to our manual, PDF), which permits you to selectively slow down, block, or even whitelist senders based on their operating system type. Now, before you get too excited, it’s important to note that p0f cannot detect the sender’s operating system type with 100% certainty; and, even when the correct operating system type has been identified, it’s not guaranteed that the information is useful in preventing spam. But for those who are curious about this feature and want to give it a shot, here are some guidelines: To enable p0f, you need to add a configuration line enabling the p0f trigger. Here’s a suggested, safe way to do that:

TriggerP0F Throttle Windows /2000|SP4/

This configuration line tells Traffic Control to apply […]

Join Ken Simpson at MAAWG Europe June 10-12

Posted: Wednesday, May 21, 2008
Posted by ksimpson.

I will be co-chairing the botnet subcommittee with MXLogic’s Sam Masiello at the upcoming Messaging Anti-Abuse Working Group (MAAWG) meeting in Heidelberg Germany at 1:30pm Wednesday June 11. We will be discussing a preliminary “botnet taxonomy”. If you’re a member of MAAWG and are planning to attend Heidelberg, or if you will be in Europe at the same time, I’d love to meet with you! Drop me a line at [email protected]

Post #9 on Why Spam Filters Suck “trickle blog” series

Posted: Friday, May 16, 2008
Posted by d.liao.

Real World Scenarios

Despite all the money invested into anti-spam solutions, spam volume continues to rise. Yes, spamming is an arms race. But the real race is one of sheer volume. Spammers respond to difficulty by simply sending more spam. Better filtering? Send more to improve the numbers getting through. Spamming not profitable enough? Send more spam. Users not interested? Send more variety. With botnets, spammers have a highly scalable delivery infrastructure and are not limited by resources. Unfortunately, it’s the receiver of spam that bears the cost of that volume. The problem is more than just the annoyance of spam. Spam is a big cost to organizations. High spam volumes lead to delays in email delivery and significant over-capacity to handle spikes in volume. Email providers know customers are very sensitive to any delays in the receipt of important email, and any service disruptions by a failure to handle loads […]

Gmail open relay exploit?

Posted: Wednesday, May 07, 2008
Posted by dcawley.

A vulnerability report posted to the BugTraq section of the SecurityFocus website suggests that Gmail SMTP servers can be abused by spammers. For the moment the exact details of the attack are not being disclosed to give Google an opportunity to respond to these claims. The report gives a high level description of the vulnerability as follows: This issue is related to the risk of a malicious user abusing Gmail’s email forwarding functionality. This is possible because Gmail’s email forwarding functionality does not impose proper security restrictions during its setup process and can be easily subverted. By exploiting this problem an attacker can send unlimited spam and phishing (i.e. forged) email messages that are delivered by Google’s very own SMTP servers. Pablo Ximenes claims that this technique can be used to circumvent spam filters that use whitelists and that they’ve developed a proof of concept attack that enabled them to […]

MailChannels a finalist for the BCTIA Technology Impact Awards

Posted: Tuesday, May 06, 2008
Posted by ksimpson.

The British Columbia Technology Industry Association (BCTIA) hands out awards every June at its annual barbecue to recognize companies in the region that have contributed to the advancement of the technology industry here in our corner of the world. I am pleased to announce that MailChannels has been selected as a finalist for the “Best Application of Technology” award, in recognition of our success in stopping spam using our Traffic Control software. Here’s a link to the BCTIA press release.

Customer: “My spam volume is down – is it you guys?”

Posted: Monday, May 05, 2008
Posted by ksimpson.

MailChannels tracks (in real-time) the email flows hitting our customers worldwide. We use this data to establish a fairly comprehensive reputation score for IP addresses we have seen many times – mostly as a method for automatically “whitelisting” IPs which have a long track record of sending good email. Recently, a customer of ours asked us to prepare some historical data showing the performance of Traffic Control at their site over time. We were somewhat surprised to see that the volume of connections they receive each day has dropped to just a third of what it was last September. What has caused this drop? We’re not really sure, but here are some ideas: Spammers have chosen to “blacklist” this customer’s servers, because they are noticing the customer is slowing down most spam-bot connections; Global spam volume is down by two-thirds (haven’t seen this with other customers, so we don’t think it’s likely […]

Post #8 on Why Spam Filters Suck “trickle blog” series

Posted: Friday, May 02, 2008
Posted by d.liao.

Dealing a Blow to Spammers

ISPs have recently been getting a lot of criticism for traffic shaping P2P file sharers. While we can argue over whether this is excessive or not, they have been doing this primarily for legitimate reasons, to reduce the impact of resource hogging users on the rest of their network. The same technique can also have a positive impact on email: SMTP traffic shaping essentially puts shackles on email’s heaviest users, the spammers, who have a voracious appetite for broadband capacity. Slowing down unknown senders causes the greatest harm for spammers, who need to circulate their messages as quickly as possible. In fact, during peak-load times, 90% of spammers go away after 10 seconds of being put in the slow lane. Using traffic shaping, senders of spam are literally restricted from delivering packets to the network. This slowing down approach works by shaping the TCP connection […]