October 8th, 2008
Posted in Uncategorized
Dear Spammer Technical Support,
I’d like to submit a bug report for your recent spam run. We’re usually entertained with hilarious Subject lines and bizarre message content but your latest offering was quite poor. The Subject line of the message was $DIKSBJ and the body simply contained $DIKBODY and $DIKLINK along with a short text string. So it seems the variables in your configuration template are not being substituted correctly. I’ve attached a screen shot for you to view.
I realize you sent this via the Mega-D (aka Mega-Dik) Botnet so I can understand the $DIKSBJ choice of parameter name but it’s just not that interesting. Perhaps if it’s not a bug in your software, you might educate the user renting out your bots, on how to configure it properly. After all, they’re probably already paying you large amounts of money for the service.
Here are recent examples of Subject lines when everything went smoothly:
Subject: Huge dimension gives increased force
Subject: Gigantic dimension is a great power
Subject: Prodigious preparation is to your service
Subject: Perfect proportions are easily attained
One more thing, the problem also exists with your blog spam…
A quick search on Google shows several hundred
results for the same parameter names. Could you let me know when you expect to have a fix for this issue?
Tags: mega-d, spam
August 17th, 2008
Posted in Uncategorized
I thought it worth discussing the spam e-mails being sent related to the conflict in Georgia. So far, our spam traps show two very different types of spam mailings related to the issue which appear to have very different purposes.
The most recent messages I’ve seen are in German and originate from the Cutwail botnet. Typically spam messages are used to promote a product or aim to infect even more machines. Interestingly, in this case it’s neither – it’s a political message which actually links to a youtube video of a Fox News broadcast.
The Subject line is “Wahrheit uber Goergien Konflikt” which translates as the “Truth about Georgia Conflict”. It makes claims that YouTube have manipulated the visitor numbers so that the video isn’t popular (which I doubt). It goes on to state that we are not “media puppets” and we are opposed to “propaganda in the media” and that the information should be spread like a fire. I’ve removed the actual link to the video as I don’t want to promote traffic to it. Here’s a single sample of the message which originated from 220.127.116.11 which is listed on the CBL as associated with Cutwail. Although we’ve seen high volumes of these hit spam traps.
Subject: Wahrheit uber Georgien Konflikt
Ein kleines Madchen spricht die Wahrheit uber georgische Angriffe:
(YouTube manipuliert den Aufrufzahler und lasst dieses Video nicht popular werden)
2000 Tote innerhalb von 2 Tagen durch georgischen Angriff – RIP
Fur alle Kinder, Frauen, Manner die durch georgische Angriffe ermordet wurde starten wir diese Aktion.
Wir sind gegen Propaganda in deutschen Medien!
Wir sind keine Medien-Marionetten.
Wir wollten die WAHRHEIT! Wir sind das Volk!
Verbreite diese Nachricht wie ein Lauffeuer! (Emails, Blogs, Foren, ICQ)
Zusammen sind wir stark.
The second spam e-mail referencing Georgia appears to be coming from the Mega-D Botnet. There were reports that this could be a new botnet but the samples I’ve seen show infections of Mega-D so I’d need to see further evidence to support that claim although I couldn’t rule it out completely. Rather than spreading a political message, this spam links to malware to cause further infections. It looks like it’s simply leveraging a hot topic to socially engineer people to click on it rather than spread a political message. Gary Warner over at UAB (University of Alabama at Birmingham) has an excellent Anti-Spam blog and gives an analysis of this spam message.
It’s clever in that the subject line claims to be from the BBC NEWS. This may sound familiar to the CNN/MSNBC fake headline spam which was sent from the Rustock Botnet but it’s not at all related other than borrowing some social engineering ideas. A sample originated from 18.104.22.168 which is listed on the CBL as being infected as a Mega-D bot. The headers of the message also share heuristic type features of that particular botnet such as a forged header and a ratware singature. The message sent is as follows with the addition of an image of the President if viewed in a HTML mail user agent.
Subject: BBC NEWS.
Last news! Saakashvili (president of Georgia) the gay! See it now!
It’s not suprising that Botnets would leverage a major current affair event to try and get a recipient to read it. What did interest me was the fact that both Rustock and Mega-D are both using news agencies and both Cutwail and Mega-D are both using the Georgia conflict in their messages. There’s an overlap in the social engineering techniques used by the different Botnets as they learn from each other what appears to work. Another interesting point is that the spam from Mega-D is pro-Russian and the spam from Cutwail is pro-Georgian so it’s probably unlikely that the latter is under the control of the RBN (Russian Business Network).
Tags: botnet, cutwail, mega-d, spam
April 3rd, 2008
Posted in Uncategorized
Prohibition Induces “Botlegging”
Spamming is a “tragedy of the commons,” in which a finite resource (our time and attention) is abused at low cost by a minority (the spammers). Like many such tragedies in our human history, prohibition has been seen as the quick fix. Classic targets of prohibitionism include alcohol, drugs, and gambling. The idea is simple really. Stop spammers from profiting by making the actions illegal, enforceable and a harmful choice to the culprit. However, this kind of law is difficult to enforce.
In 2003, American legislators passed the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing). CAN-SPAM made it illegal to send unsolicited bulk email with a deceiving subject line and forced legitimate senders to identity themselves with a full mailing address.
So why then, does spam volume continue to rise despite an increased adoption of spam blocking mechanisms worldwide?
Several years have passed and spam volume is higher than ever. While CAN-SPAM is rightly criticized for not ending the spam problem, its most significant side effect was to force spamming underground and out of the reach of law enforcement. Face with service interruptions, spammers began in early 2004 to migrate their operations to a highly scalable distribution platform immune to law enforcement: the botnet.
By the end of the same year, the majority of spam was being delivered by decentralized networks such as “Phatbot” – and nowadays by Storm, Mega-D, and Srizbi – lending little hope to Bill Gates’ famous pronouncement that spam would be beaten before the end of 2006.
The fact is that there are limitations with each anti-spam technique. Content filters are a core component of that architecture and are very effective at separate spam from email once they receive and recognize it. DNSBLs can block bad senders from known IP addresses once they known the sender is bad. But what happens when a botnet harvests new zombies with IP addresses unknown to DNSBLs and uses those to send new spam campaigns – something that happens every day? Discarding spam after you receive it does nothing to decrease high spam traffic from new campaigns. What is needed is a combination of the best-of-breed elements suited to deal with each type of spam: known content, unknown content, known senders and most importantly the unknown sender.
If you’re doubling servers to deal with heavy spam loads, your infrastructure costs are under control of the spammers who can just keep sending more spam. What you need is a new solution that can block most spam without having to receive the message first in order to get the costs and the load back under control and ensure your infrastructure is used to deliver legitimate mail first.
NEXT: Post #3 Once Promising Proposals for a Final Ultimate Solution to the Spam Problem (FUSSP)
PREVIOUS: Post #1 Short History on Spam Protection
Tags: anti-spam, bill gates, botnet, CAN-SPAM, dnsbl, mega-d, spam, storm, trickle blog