Planet Antispam

Richi Jennings: Open letter to The Pink'un: you were snowed

2009-01-06T00:41:24+00:00

Dear FT editors,

Your January 4th editorial, Surfers should pay congestion charges, made painful reading.

The Network Neutrality debate isn't centred on the ability to buy preferential access to to the Internet. This is a canard floated by parties with an agenda to muddy the waters and obscure the real debate.

The real issue is to prevent vertically-integrated media companies from exercising unfair competition.

Imagine an ISP who's parent company also owned a competitor to Skype, the popular Internet phone service. Network neutrality regulations would seek to prevent that ISP from selectively reducing the quality of service between Skype users.

It has little or nothing to do with CDNs, "selling access to special fast lanes" or "preventing the market from rationing a scarce resource."

Yours sincerely,
Richi Jennings.

Enemieslist: new pats posted - 20090105 (maintenance pats release)

2009-01-05T23:07:52+00:00

34224 patterns, 11411 right anchor strings, 128505 test IPs.

Contribs from the past couple of weeks.

Was asked to start tracking couplets (pattern class and tech, taken
together as a sort of meta-identifier); there are no new couplets
in this release.

Download them here:

sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors

postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20090105

exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20090105

Box Of Meat: John Levine: Who pays for e-mail?

2009-01-05T21:32:08+00:00

John Levine: Who pays for e-mail?: “An acquaintance wondered why the people who run the systems that receive mail get to make all the rules about what gets delivered. After all, he noted: The sender pays for bandwidth and agrees to abide by the bandwidth provider’s rules.”

Box Of Meat: David Risley: Don’t Be a Video Spammer - Here’s Why

2009-01-05T21:18:51+00:00

David Risley: Don’t Be a Video Spammer - Here’s Why: David Risley reviews a few online video distribution services, and discusses why they don’t work with the popular video sites.

Box Of Meat: Consumerist: Giving The Phone Book Spammers What For

2009-01-05T20:09:40+00:00

Consumerist: Giving The Phone Book Spammers What For: “If I throw something on your lawn, it is called littering. If the phone company does it, it’s called marketing.”

Richi Jennings: GWAVACon: BrainShare alternative for Novell collaboration community

2009-01-05T15:48:34+00:00

Are you a Novell GroupWise, ZENworks, or Teaming customer? Are you disappointed that Novell canceled the BrainShare event?

Do you know about GWAVACon? Since 2005, this conference has been focused on the Novell collaboration community. GWAVACon has been held in Dallas, Sydney, San Diego, Munich, and Berlin. This year the U.S. event will be held in Las Vegas: January 25-27.

The events get strong support from Novell and other vendors in the Novell ecosystem. This year the keynote will be given by Juan Carlos Cerrutti, a Novell Vice President. RIM is a key sponsor.

I'll also be speaking at the event (so it's not all sunshine and roses). Many thanks to Richard Bliss for the invitation.

The organizers have three attractive incentives for people to come along:

For those who were attending BrainShare in Salt Lake City, the early-bird deadline was extended to January 8th. This is a $200 discount (but only until January 8th, so move fast).
For those who had already booked flights to Salt Lake City, GWAVACon is offering a discount equal to the airline change fee for those switching flights from SLC to Las Vegas.
For $1695 all expenses are paid. This includes airfare, hotel, and food. This is great for those that have budget for "training" but not for "travel". It includes everything for a single price that's slightly less than a BrainShare pass. (Offer is for those coming from the U.S. only.)

Of course, you can't combine these offers, so choose which one works for you best.

Ed Falk: Phishing attacks reach Twitter

2009-01-05T08:50:28+00:00

Social networking site Twitter is experiencing a bad round of phishing, prompting admins there to publish a warning on line.

How it works:

In short, spammers get your Twitter ID in any one of a number of ways, and send you a direct message — which twitter forwards to you via email — or perhaps simply send you an email constructed to look like it came from Twitter.

The email is a typical phishing email which invites you to log onto Twitter and directs you to a Twitter look-alike web site (e.g. twitter.access-login.com) which then steals your Twitter login and password.

Your Twitter account is then used to send more phishing direct messages to all of your contacts, and the process continues.

One more complication: Normally, direct messages can only be sent between accounts which have mutually followed each other. In other words, before the phisher can send you a direct message, they somehow have to get you to follow them back on Twitter.

One way this is accomplished is by simply following you and hoping you'll blindly follow them back. Yet another way is by exploiting various "auto-follow" systems. The way auto-follow works is that you can contact the Twitter support team and ask that auto-follow be enabled for your account. Then, anytime someone follows you, you wind up following them back — and becoming a target for phishing messages — without having taken any positive steps to do so. There are also third-party services such as Tweet Later which provide auto-following as a sideline tool.

It's not yet known what the goal of the phishers is. It could all just be a juvenile prank, or perhaps the phishers are waiting until they've compromised enough accounts before they start swamping Twitter with advertisements.

What you can do: First and foremost, never enter your login information into a web page which you reached by clicking a link in an email. Or if you must, double and triple-check the url in the browser to make sure that it's really the web site you think it is.

Never be fooled into thinking that your favorite web site has inexplicably set up a different domain name to handle logins (it's actually harder to do it that way, not easier, because of the way cookies work.)

In fact, it's best to type in the domain name yourself, or use a bookmark you've previously created, rather than trust any url you saw in an email.

Update: Computerworld has an article as well: Twitter phishing scams: Not so tweet. It discusses more possible motivations for the phishers and has more details on how the phish works.

Also, one commenter made a point which is very significant: Even if your twitter login isn't very valuable on twitter, many people use the same credentials on a variety of sites. You might want to consider a policy of using different passwords on different sites.

Spam Wars Dispatches: Another Confused Spammer

2009-01-04T22:12:48+00:00

Can't keep his goofy campaigns straight:

Subject: Hump the best girls
You can save 75% with us! <http://pharm[removed].com>

Your discount code #nzzvqi.

Add some bootleg CDs to the mix, and we'll have sex, drugs, and rock-and-roll.

Spam Wars Dispatches: About "podmena traffica test"

2009-01-04T22:07:05+00:00

It seems that I'm not the only one receiving spammy messages whose body contains nothing but the following:

podmena traffica test

The Subject: lines are of the typical medz/watchez variety, and not always in well-constructed English:

New products supersite for you to find product you need.

Always be ready.

Get rid of terrible pounds!

Security and privacy guaranteed.

Worldwide delivery instantly to your home

Affordable prices on quality medications.

Don't pay a fortune for your watch.

the best presents for Christmas and Sylvester party

The From: plain-language names are, for the most part, realistic-sounding—although "Mohamed Clifford" might be a stretch. The sending machines are from all over the place, typically indicating that they come from infected PCs acting as members of a botnet.

So, what does the message or the existence of this message mean?

The text appears to have a Russian-language heritage. I'm no Russian expert, but some have suggested that the first word is transliterated from a Russian word having the meaning of "spoofing." Interestingly, I have found many instances around the Web in which blog comment posters—legitimate members of a blog, not blog spammers—have had their messages invisibly modified upon sending, so that the "podemna traffica test" phrase appears at the very beginning of the message they posted.

Affected posters, of course, blame the blog hosting software, but if that were so, then more than the odd message in an active thread would be affected. No, it has to be an infection embedded within the poster's PC...the same types of infected PCs sending out otherwise blank spam, but whose empty body has this phrase inserted at the start.

Receiving such spam messages is harmless (except for the aggravation), and because the botnet controller keeps sending these things, it makes it easy for spam filters to block them and report infected IP addresses to their providers. If you find that one of your blog comments had the phrase inserted without your knowledge, you are in deep doodoo. Shut 'er down, and clean 'er up.

UPDATE (5 Jan 2009): The "test" is over, and spam is spewing.

John R. Levine: Who pays for e-mail ?

2009-01-03T03:41:02+00:00

An acquaintance wondered why the people who run the systems that receive mail get to make all the rules about what gets delivered. After all, he noted:

The sender pays for bandwidth and agrees to abide by the bandwidth provider's rules.

Box Of Meat: Freedom to Tinker: Three Flavors of Net Neutrality

2009-01-01T01:43:42+00:00

Freedom to Tinker: Three Flavors of Net Neutrality: “Net Neutrality” has become a big, overblown term meaning different things to different people. Here Ed Felten attempts a high-level taxonomy; David Weinberger’s response is worth reading, too.

Box Of Meat: CIO: Microsoft Removes Fake Security Software from 400,000 PCs

2009-01-01T01:33:35+00:00

CIO: Microsoft Removes Fake Security Software from 400,000 PCs:

“Windows users increasingly have been plagued with worthless security software as criminals bundle the money makers with other malware or seed significant users with waves of spam touting the programs.”

(via fergdawg)

Silent Noise: Moneyloss for idiots

2009-01-01T01:32:14+00:00

Fresh spam.

Subject: ***SPAM*** Updated Billing Information

Dear Senior,

Losing weight is possible. Don't despair. Take back control of your
weight and most importantly, your life. If others can do it, why not
you?

FatLoss4Idiots program helps you to lose weight, and it does that in the
most healthy-way, unlike other fad diets in the market. Also, with
fatloss4idiots, you are able to generate custom diet plans that compute
all of your calories.

But as we said, the decision is yours. Fatloss4idiots has proved to work

Terry Zink: Top 10 Spam Stories of 2008

2009-01-01T00:48:00+00:00

Well, it's a yearly tradition in the western hemisphere that at the end of the year, we compose a top 10 list of the 10 most <insert description here>. So, I thought that I would create my own list of the top 10 spam stories of 2008. Now, not all of these will be universally applicable to everyone, they are the top 10 stories as seen by me.

Backscatter makes the news. Backscatter spam is a scourge on the internet, and it made big headlines this year, so much so that even the USA Today covered it. Even bigger coverage? I blogged about it in an 18-part series. Take that, USA Today!
Sanford Wallace gets a huge fine, Soloway convincted. Dubbed the original Spam King, Sanford Wallace (I think it was this guy) lived life large in downtown Seattle. But in May of 2008, he was hit with a $230 million dollar fine for spamming MySpace. He should have held out a few more months and then asked the government for a bailout.

On a similar note, Seattle Spammer Robert Soloway was convicted on three charges and faces up to 27 years in prison. I considered going down to the court house and watching the sentencing; I never got around to it. Probably a good thing I couldn't engage in a little schadenfreude.
Eddie Davidson escapes from jail, commits suicide. Certainly a big news story in the spam world, if not tragic, convicted spammer Eddie Davidson escaped from a minimum security prison. He then went and killed his family. A very sad ending to this story.
Spammers spoof CNN news outbreaks. Spammers spoofing news organizations is nothing new, and spoofing in general is a technique almost as old as spam itself. However, in August of this year, spammers released a new outbreak of spam that looked exactly like a CNN breaking news report. What set this one apart was how legitimate it looked and the size of the spam outbreak. The payload led users to get their computers infected with malware; the spammers did their homework on this one.
V3: Rise of the Viruses. Viruses attached to emails have always been around. They certainly aren't anything new, that's for sure. But 2008 saw a huge increase in the number of viruses attached to email. We saw over a 5x increase. Are your antivirus definitions up-to-date?
Outbound filtering now in vogue. This is not a story that affects everyone in the anti-spam world (or maybe it is). However, we have spent an entire year working on cutting down the amount of spam that passes through our outbound servers. I used to concern myself with inbound traffic; now, I realize that my responsibilities (and time and energy) flow in both directions. Outbound filtering has caused me more (figurative) headaches than any other spam issue.
David Ritz has his case ruled against him. In a case that upset pretty much everyone in the antispam community, a judge in North Dakota ruled in favor of e360 in their case against him that he unlawfully broke into their servers. The anti-spam community pointed out that the tools he used are available to pretty much anyone.
e360 sues Comcast, gets it's case tossed out. e360 got a little bolder when it decided to take on Comcast and sue them for preventing their business from operating as normal. Comcast counterfiled and the judge agreed; e360's case was tossed out and the judge wasn't particularly ambiguous about it. To quote the judge "Plaintiff e360Insight, LLC is a marketer. It refers to itself as an Internet marketing company. Some, perhaps even a majority of people in this country, would call it a spammer." Hmm, you think?
Now we know why spammers keep at it - people keep buying their stuff. An article earlier this year on Directmag reported on a study that (apparently) 29% of people have purchased goods from their email spam. Everyone I know reacted with skepticism but the point was made, even if this is out by a factor of 100, 0.3% of users buying stuff from their spam makes it really easy for spammers to make money with their economic model. Send out tons of messages, get people to respond. It's easy to reach that many people by using email. Will people never learn?
McColo goes offline, spam plummets 50% overnight. This is, by far, the number one news story of spam this year. A reporter for the Washington Post pestered some ISPs to shut down California-based McColo, considered by many to be a spam hosting operation. When they finally did, global spam levels plummeted that same day. The reprieve was short-lived and they are coming back up but the point is made - if somebody has the will to do it, spam can suffer serious setbacks. I enjoyed some schadenfreude on this one, too.

Well, that's the way I saw the world this year. From everyone here at Microsoft Exchange Hosted Services, have a very happy new year and we'll see you in 2009!

Box Of Meat: Security and the Net: Prediction for 2009: more phishing and spam via online services

2009-01-01T00:12:53+00:00

Security and the Net: Prediction for 2009: more phishing and spam via online services

Box Of Meat: DarkReading: CastleCops Shuts Down

2009-01-01T00:11:20+00:00

DarkReading: CastleCops Shuts Down: “The all-volunteer organization investigated phishing and malware scams, and was credited with successfully derailing many of these attacks and phishing sites.”

Spam Wars Dispatches: Bank of America Phisher Wants it All!

2008-12-31T18:21:36+00:00

There are phishing forms and there are phishing forms. To escort 2008 out the door, today's Bank of America phisher hijacked a skateboard park site to host his brand of reach-into-your-soul-and-yank-it-out form. To arrive at this form, an unsuspecting BofA customer would have to not notice that the usual two-page login sequence was not followed. Only the first, "Enter Online ID" page appears, and not the second level stuff (which, by the way, is not 100% foolproof anyway).

Look at the huge list of things asked of this form:

State where your accounts were opened :

Online ID :

Bank of America ATM or Check Card PIN :

Passcode :

Social Security Number :

Account Number :

Routing Number :

Last Eight Digits of ATM or Checkcard Number :

E-mail Address :

E-mail Password :

Card holder name :

Address1 :

Address2 :

City :

State :

Zip :

Country : U S A

Phone Number :

Credit/ debit card number :

Exp date : /

Code verification number :

Mother Maiden Name :

Mother Middles Name :

Father Maiden Name :

Father Middles Name :

Date of Birth :

Driver License# :

"Middles Name" notwithstanding, anyone who hands over all of this information will find themselves cloned in the banking and credit worlds—with everything of value headed outward. If this crook wanted to be especially cruel, you would have given him all he needed to lock you out of your own email account permanently.

The only reason this guy doesn't ask for your shoe size is that the datum is not resalable. If it were, he'd ask!

Sophos Blog (Spam Category): Play phishing

2008-12-31T12:35:54+00:00

Over Christmas I spent some time in the metropolis that is Heathrow’s Terminal 1. To pass the time I bought a couple of non-computing magazines (holidays are a chance to forget about work!). Imagine my surprise then when upon opening Scientific American, I found an article on Phishing. The article titled, in the print copy, Can [...]

Terry Zink: More on whether cybersecurity should be managed from the White House

2008-12-30T21:23:15+00:00

Continuing on from my previous post, should there be a central government authority that oversees cybersecurity?

The article which I originally cited earlier continues:

As everyone now seems to agree, that means effective cybersecurity requires bringing together a dizzying number of players, from the IT heads of government agencies and major private firms to software and hardware manufacturers to diplomats. Because large-scale attacks are often carried out by transnational botnets, Tiirmaa-Klaar argued, a coordinated international legal response will be necessary to prevent them. That might mean, inter alia, developing model legislation for developing nations where low-tech law enforcement allows cybercriminals to thrive.

As far as CSIS is concerned, that means cybersecurity efforts require the sort of bird's-eye view available only from a perch at the White House—and the kind of authority to yoke together disparate actors that only a presidential imprimatur will provide. Yet at the same Heritage event, Frank Garcia, a career staffer with the House Permanent Select Committee on Intelligence, voiced doubts about proposals to shift primary responsibility for cybersecurity away from DHS. "Any new organization or bureaucracy takes a while to get their culture established," said Garcia. "Fix the problems as they may exist at DHS. Don't try to create some supra-group somewhere else that rises above all the other organizations in the executive branch. Because you're still going to have the same problem. Nobody's going to want to give up budget authority to that group; it doesn't matter where you put it."

In comments to reporters last week, DHS Secretary Michael Chertoff conceded the need for a "White House mechanism" to harmonize cybersecurity efforts across agencies, but also sounded a preemptive skeptical note. "We've heard you have to have a cyberczar," said Chertoff. "You have to have a czar for this and a czar for that. Just remember — all these things add extra layers."

Since we now have an Obama administration in the White House (or rather, we will in less than a month), it looks like a central agency is going to oversee this. There are some advantages:

Resources - Only a central agency really has the ability to mobilize resources to get something like this off the ground and co-ordinate a centralized effort to improve cybersecurity.
Co-ordination - With someone ultimately in charge at the top, real decisions can be made. Microsoft might argue with Yahoo who in turn disagree with AOL (or whoever the players are) but ultimately somebody has to call the shots. Eventually a decision must be made and only someone with real authority can unilaterally make the decision to move forward, if an impasse has been reached.

Of course, while there are advantages, there are clearly a number of drawbacks. Here are a couple that I can think of off the top of my head:

Bureaucracy - as DHS Secretary Michael Chertoff says, adding more and more layers of bureaucracy and yet another government agency doesn't add any more efficiency to the problem. People have to report to other people and government agencies are notorious for having to follow protocol. Besides which, we already have the Department of Homeland Security. Do we really need another one?
Track records - Governments don't really have the best track records when it comes to dealing with issues. As the old joke about government goes, "You think the problems we created are bad? Just wait until you see our solutions!" In other words, even if we have determined that another government agency to oversee this is a good thing, government does not have the track record of doing things efficiently. In other words, all we do is end up consuming more taxpayer resources to do a job that private industry could have done better, but now cannot, because those resources have been consumed.

It certainly is an interesting problem to have. And given the current economic climate, I'm not sure how much attention it will get during the first 100 days.

Box Of Meat: Washington Post Security Fix: PC Got a Virus? Consider Getting Help Offline

2008-12-29T22:02:10+00:00

Washington Post Security Fix: PC Got a Virus? Consider Getting Help Offline: “If you suspect or know your PC is infected with a virus, it’s probably wise to avoid purchasing anything using that computer until you’re sure the machine is clean. That includes additional anti-virus or security products.”

Box Of Meat: UPI: U.S. government vulnerable to Internet predators

2008-12-29T21:59:32+00:00

UPI: U.S. government vulnerable to Internet predators: ‘…the most disturbing “cyber” threats are largely invisible to the general public, because they involve attacks on specialized networks used by the armed forces, healthcare professionals, air traffic controllers, financial institutions, public utilities and heavy industry.’

Box Of Meat: Feld Thoughts: Recommendation – Ignore All The 2009 Predictions

2008-12-29T21:56:29+00:00

Feld Thoughts: Recommendation – Ignore All The 2009 Predictions

Box Of Meat: Food Bits: How SPAM became spam

2008-12-29T21:53:10+00:00

Food Bits: How SPAM became spam: A clear explanation of the difference between Hormel’s SPAM product and email spam, written for the food processing industry.

Box Of Meat: Web Ink Now: Attention marketers: Time to stop abusing Twitter

2008-12-29T21:47:34+00:00

Web Ink Now: Attention marketers: Time to stop abusing Twitter:

“I predict that in 2009 there will be a backlash…and either the Twitter community will need to self-police or the good people who run Twitter will need to make rules.”

Sounds a lot like what happened with email.

The Internet Patrol: The People’s Email Network - Spam Your Legislators, Friends and Complete Strangers

2008-12-29T15:11:21+00:00

In what seems like a good idea, the People's Email Network (UsAlone.com), claims that it "facilitates the process of sending email messages to Washington. In one place on our site you can send a message that is automatically submitted to the members of congress for where you live." What ...

Terry Zink: Should cybersecurity be managed from the White House?

2008-12-28T07:32:23+00:00

A couple of weeks ago, an article appeared on arstechnica.com asking the question "Should cybersecurity be managed from the White House?"

During the recent presidential elections in the United States and the federal elections in Canada, the two major players in both parties had differing views that crossed borders. In the US, the McCain campaign tended to favor free market solutions to the problem of cybersecurity, and the Conservatives in Canada took a similar position. In other words, rather than having the government step in, industry instead would collaborate to stamp out (or at least control) the problem of spam, botnets, and so forth. Conversely, the Obama campaign, as well as the Liberal Party in Canada, tended to favor more government interaction to oversee the problem. Here are some excerpts from the article:

In a report released Monday, the nonpartisan Center for Strategic & International Studies served up dozens of recommendations for improving American cybersecurity—but by far the most headline friendly was the call for a new National Office for Cyberspace within the White House, headed by an "assistant to the president for cyberspace," or cybersecurity czar.

Of course, the U.S. arguably has a "cybersecurity czar" already: Rod Beckstrom, who heads the National Cyber Security Center within the Department of Homeland Security. But the experts on CSIS' Commission on Cyber Security for the 44th Presidency argue that DHS is the wrong agency to take the lead on cybersecurity, which should be coordinated by a White House office with a direct line to the president. "Securing cyberspace," they argue, "is no longer an issue defined by homeland security or critical infrastructure protection" but rather "an issue of international security in which the primary actors are the intelligence and military forces of other nations." Under their plan, the existing NCSC would be fused with the Joint Inter-Agency Cyber Task Force to form the NOC. Similarly, a new Cybersecurity Directorate within the National Security Council would absorb relevant functions of the Homeland Security Council.

The cybersecurity effort within DHS has, perhaps understandably, focused on hardening the .gov domain against attacks, an approach that the report worries "skilled opponents will be able to outflank." And indeed, on the day of the report's release, Estonian defense advisor Heli Tiirmaa-Klaar gave a talk at the conservative Heritage Foundation, in which she stressed that when her country became perhaps the first victim of large-scale cyberwafare last year, only about 30 percent of the targets of attack were on official government networks. Rather, said Tiirmaa-Klaar, cyberwarriors target elements of the civilian-run critical infrastructure as part of broad-based "destabilization operations."

There are some pros and cons to having government oversight of the problem of cybersecurity. In my next post, I'll dig a bit deeper into the issue. Note the last part of the above quote where Estonian defense advisor Heli Tiirmaa-Klaar talked about the cyberattacked experienced by that country in 2007, a topic I spoke about in two previous posts.

Silent Noise: Asprox - Bad Gateway

2008-12-28T03:01:52+00:00

HTTP Status Code: HTTP/1.1 502 Bad Gateway - nginx/0.6.31

.. is what I get when trying to connect to either of the domains mentioned in my two last postings about domains hosted on the Asprox botnet.

Reminds me a bit when McColo went down and their bots apparently had no Command and Control Center to tell them where to go. Or something like that.

It has been like this for the last couple of days.

Some time after my last posting on December 21, they disappeared briefly together with the target for the iframe, 79.135.168.18.

Sophos Blog (Spam Category): Dorf to SQL in a year

2008-12-26T13:12:34+00:00

Reviewing Chee and Samir’s posts for Dec 26 2007 reminded me how much the Dorf family of malware dominated thinking in 2007. I don’t know the actual figure but I suspect a significant number of blog posts and identities written in 2007 were related to the Dorf campaign. If I were to review the posts [...]

Sophos Blog (Spam Category): Nigerian 419/advance fee scams: the FBI edition

2008-12-25T23:22:39+00:00

On this relatively quiet Christmas day, I got a chance to examine some of the messages that came to our spamtraps. I was searching for Christmas/new year related Nigerian scams, and I came across something else quite strange, which is Federal Bureau of Investigation (FBI)-themed Nigerian scams. The FBI would never give out atm cards full [...]

John R. Levine: Anonymous speech doesn't require forgery

2008-12-25T23:11:03+00:00

In September the long strange Jeremy Jaynes spam case took its most recent twist when the Virginia Supreme Court reversed its previous decision and threw out the state's anti-spam law on First Amendment grounds. The state is currently preparing one final appeal to the U.S. Supreme Court, and interested parties are preparing their briefs. I recently reread the decision, and was struck that the court's analysis depends on a severe misunderstanding of the way that e-mail works.

Enemieslist: new pats posted - 20081225 (maintenance pats release)

2008-12-25T18:03:04+00:00

34106 patterns, 11410 right anchor strings, 125578 test IPs.

A few more contribs from a set of spambot hosts.

Was asked to start tracking couplets (pattern class and tech, taken
together as a sort of meta-identifier); there are no new couplets
in this release.

Download them here:

sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors

postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20081225

exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20081225

Terry Zink: Merry Christmas!

2008-12-25T16:25:49+00:00

I had my birthday a couple of weeks ago and one of the things I did was perform one of my favorite card tricks for some friends. As a Christmas gift to my readers (now how many bloggers do that?), I thought I would share it with all of you. Enjoy!

\/param>\/param>\/embed>\/object>\/div>";" alt="" />

Spamresource.com: EmailAppenders Has a Question

2008-12-25T12:23:35+00:00

"Is there anything wrong with collecting business cards and selling the list?" -- Ian Cooper, president of new business development for EmailAppenders. Yes, Ian, there's something wrong with everything you do. You enable people to send spam. Not exactly something to be proud off.

Sophos Blog (Spam Category): McColo and me

2008-12-25T10:24:45+00:00

Today, I am in work with Mathieu and we are processing any spam that the automated systems don’t already block and analysing any malware that we don’t already proactively detect - actually Mathieu is doing the hard work whilst I do the easy work. I am pleased to be able to report that it is [...]

Sophos Blog (Spam Category): Plenty of Bargains for Christmas Day Shoppers

2008-12-25T08:21:34+00:00

Forget the financial crisis folks, there are still plenty of too-good-to-be-true deals available for those looking for a last minute Christmas day bargain gift. Check out the following great email deals: For those that need help in the sack, and willing to take medications they have no idea how and/or where it was made, try this [...]

Enemieslist: new pats posted - 20081224 (maintenance pats release)

2008-12-24T22:13:59+00:00

34089 patterns, 11412 right anchor strings, 125559 test IPs.

Contribs from the past week, plus a few more set-aside catchups.

Was asked to start tracking couplets (pattern class and tech, taken
together as a sort of meta-identifier); there are no new couplets
in this release.

Download them here:

sendmail:
http://enemieslist.com/downloads/sendmail_access_db
http://enemieslist.com/downloads/rightanchors

postfix:
http://enemieslist.com/downloads/postfix_regexp_table
http://enemieslist.com/downloads/postfix_regexp_table-20081224

exim:
http://enemieslist.com/downloads/exim_hosts
http://enemieslist.com/downloads/exim_hosts-20081224

Terry Zink: Cyberwarfare 101: Case Study of a Textbook Attack, part 2

2008-12-24T17:31:37+00:00

This post continues on from my previous post on the cyberattack on Estonia in 2007.

During the first wave of the assault, network security specialists attempted to erect barriers and firewalls to protect primary targets. As the attacks increased in frequency and force, these barriers began to crumble.

Seeking reinforcements, Hillar Aarelaid, chief security officer for Estonia’s Computer Emergency Response Team, began calling on contacts from Finland, Germany, Slovenia and other countries to assemble a team of hackers and computer experts to defend the country. Over the next several days, many government ministry and political party Web sites were attacked, resulting either in misinformation being spread or the sites being made partially or completely inaccessible.

After hitting the government and political infrastructure, hackers took aim at other critical institutions. Several denial-of-service attacks forced two major banks to suspend operations and resulted in the loss of millions of dollars (90 percent of all banking transactions in Estonia occur via the Internet). To amplify the disruption caused by the initial operation, hackers turned toward media outlets and began denying reader and viewer access to roughly half the major news organizations in the country. This not only complicated life for Estonians but also denied information to the rest of the world about the ongoing cyberwar. By now, Aarelaid and his team had gradually managed to block access to many of the hackers’ targets and restored a degree of stability within the networks.

Then on May 9, the day Russia celebrates victory over Nazi Germany, the cyberwar on Estonia intensified. Many times the size of the previous days’ incursions, the attacks may have involved newly recruited cybermercenaries and their bot armies. More than 50 Web sites and servers may have been disabled at once, with a data stream crippling many other parts of the system. This continued until late in the evening of May 10, perhaps when the rented time on the botnets and cybermercenaries’ contracts expired. After May 10, the attacks slowly decreased as Aarelaid managed to take the botnets offline by working with phone companies and Internet service providers to trace back the IP addresses of attacking computers and shut down their Internet service connections.

During the defense of Estonia’s Internet system, many of the computers used in the attacks were traced back to computers in Russian government offices. What could not be determined was whether these computers were simply “zombies” hijacked by bots and were not under the control of the Russian government or whether they were actively being used by government personnel.

Although Estonia was uniquely vulnerable to a cyberwarfare attack, the campaign in April and May of 2007 should be understood more as a sign of things to come in the broader developed world. The lessons learned were significant and universal. Any country that relies on the Internet to support many critical, as well as mundane day-to-day, functions can be severely disrupted by a well-orchestrated attack. Estonia, for one, is unlikely ever to reduce its reliance on the Internet, but it will undoubtedly try to develop safeguards to better protect itself (such as filters that restrict internal traffic in a crisis and deny anyone in another country access to domestic servers). Meanwhile, the hacker community will work diligently to figure out a way around the safeguards.

One thing is certain: Cyberattacks like the 2007 assault on Estonia will become more common in an increasingly networked world, which will have to learn — no doubt the hard way — how to reduce vulnerability and more effectively respond to such attacks. Perhaps most significant is the reminder Estonia provides that cyberspace definitely favors offensive operations.

Terry Zink: Cyberwarfare 101: Case Study of a Textbook Attack, part 1

2008-12-24T17:31:28+00:00

This is part of a series on cybersecurity originally published by Stratfor on April 18, 2008.

Summary

One of the most mature instances of a cyberwarfare attack was an assault on Internet networks in Estonia in late April and early May of 2007. The Russian government was suspected of participating in — if not instigating — the attack, which featured some of the key characteristics of cyberwarfare, including decentralization and anonymity.

During the night of April 26-27, 2007, in downtown Tallinn, Estonia, government workers took down and moved a Soviet-era monument commemorating World War II called the Bronze Soldier, despite the protests of some 500 ethnic Russian Estonians. For the Kremlin — and Russians in general — such a move in a former Soviet republic was blasphemy.

It was also just the kind emotional flash point that could spark a “nationalistic” or “rally-around-the-flag” movement in cyberspace. By 10 p.m. local time on April 26, 2007, digital intruders began probing Estonian Internet networks, looking for weak points and marshaling resources for an all-out assault. Bursts of data were sent to important nodes and servers to determine their maximum capacity — a capacity that the attackers would later exceed with floods of data, crashing servers and clogging connections.

A concerted cyberwarfare attack on Estonia was under way, one that would eventually bring the functioning of government, banks, media and other institutions to a virtual standstill and ultimately involve more than a million computers from some 75 countries (including some of Estonia’s NATO allies). Estonia was a uniquely vulnerable target. Extremely wired, despite its recent status as a Soviet republic, Estonian society had grown dependent on the Internet for virtually all the administrative workings of everyday life — communications, financial transactions, news, shopping, restaurant reservations, theater tickets and bill paying. Even parliamentary votes were conducted online. When Estonia’s independence from the Soviet Union was restored in 1991, not even telephone connections were reliable or widely available. Today, more than 60 percent of the population owns a cell phone, and Internet usage is already on par with Western European nations. In 2000, Estonia’s parliament declared Internet access a basic human right.

Some of the first targets of the attack were the Estonian parliament’s e-mail servers and networks. A flood of junk e-mails, messages and data caused the servers to crash, along with several important Web sites. After disabling this primary line of communications among Estonian politicians, some of the hackers hijacked Web sites of the Reform Party, along with sites belonging to several other political groups. Once they gained control of the sites, hackers posted a fake letter from Estonian Prime Minister Andrus Ansip apologizing for ordering the removal of the World War II monument.

By April 29, 2007, massive data surges were pressing the networks and rapidly approaching the limits of routers and switches across the country. Even though not all individual servers were taken completely offline, the entire Internet system in Estonia became so preoccupied with protecting itself that it could scarcely function.

To be continued in my next post.

Spam Wars Dispatches: Make a Christmas Phish

2008-12-23T20:35:16+00:00

Pity the poor illiterate crooks who don't have anything else to do at Christmas except con unsuspecting souls out of their PayPal account credentials, credit card data, and bank account numbers. This guy tried to be creative, but lost his way at the very end:

Paid Paypal Survey: One Way To Earn Your Money
Dear Customer,

In an effort to continually measure the service quality given to our members we send out random surveys

asking for valuable feedback on how we are doing and how we can improve.

There are only a few questions to score and should only take a few moments of your time.

Your patience will be rewarded with $90 direct deposit to your account and your name will

automatically be entered into our quarterly drawing for a $2009 grand prize.

Sincerely, PayPal Team

PayPal Survey!

www.paypal.com/survey [hidden link to a different URL]

--------------------------------------

DO NOT REPLY TO THIS EMAIL. IF YOU HAVE QUESTIONS PLEASE CONTACT US.

Note: If you received this message in your SPAM/BULK folder, that is because of the restrictions implemented by your ISP *
For security reasons, we will record your ip address, the date and time. Deliberate wrong imputs are criminally pursued and indicted.

The destination web site offers plenty for the gullible recipient to do:

Just look at all that information being requested! Why on Earth would PayPal need all that stuff to shove ninety bucks into your PayPal account?

May Santa drop a truckload of coal on this heartless hole.

Box Of Meat: CyberCrime & Doing Time: More than 1 Million Ways to Infect Your Computer

2008-12-23T19:25:13+00:00

CyberCrime & Doing Time: More than 1 Million Ways to Infect Your Computer: ‘The current scam takes advantage of the thousands of websites which have a “URL redirect” on them. A URL redirection program allows the website owner to “send you” to another website, while keeping track of where you went. …The problem is that many of those sites actually allow other people to use their URL to redirect traffic as well.’

Terry Zink: Blame Canada

2008-12-23T18:17:32+00:00

Last week, the CBC released an article claiming that Canada is the world's worst spam source. Some excerpts from the article:

Canadian computers — many of them unwittingly — send out over nine billion spam e-mails a day, almost five per cent of all global spam traffic, according to a report from network and internet security firm Cisco.

The United States was the single largest source of outgoing spam messages, Cisco reported, accounting for 17.2 per cent of all global spam.

Canada was the fourth biggest source, with 4.7 per cent of all global spam, behind the U.S., Turkey (9.2 per cent) and Russia (8.0 per cent), and had the highest percentage of spam on a per-capita basis of the 16 top nations.

Canada's privacy commissioner, Jennifer Stoddart, has been pushing for over a year for Canada to enact legislation to fight spam. Canada is the only G8 country without anti-spam legislation, she said when first drawing attention to the issue last year.

I think that these statistics are interesting. I've known for a long time that the United States was the number one source of spam, what surprises me is that Turkey is number 2. For the longest time, China was number 2. Even more surprising is that Canada is number 4. For such a small country (population of only 33 million), it sends a very disproportionate amount of spam. If we use the numbers above, then we have the following on a daily basis:

The US sends one piece of spam for every 9.26 citizens
Russia sends one piece of spam for every 9.26 citizens, the same as the US
Turkey sends one piece of spam for every 4 citizens
Canada sends one piece of spam for every 3.71 citizens, 2.5x the rate of the United States

These are interesting numbers because they don't correlate well with Microsoft's 2008 Security and Intelligence Report, which I have blogged about earlier. In that report, Canada's malware infection rate is slightly lower than the United States and Russia and substantially lower than what we see in Turkey.

Assuming that both sets of data are correct then what can we infer from these two sets of data? Namely, that high rates of infection do not necessarily correlate to high rates of spamming. Also, it is possible that rather than sending out spam, these infected machines in other countries do things other than spam - perhaps botnet armies create webmail accounts, perhaps they create new domains on which to host spam landing pages, perhaps they randomize domains in fast flux networks, or maybe they do other types of DDOS attacks. In any case, we can blame Canada for being a major spam source, but if spammers were uniformly distributing their spam, Canada would actually be a minor player.

Box Of Meat: everything's better...

2008-12-23T16:26:50+00:00

everything's better...

Terry Zink: Personalized Spam

2008-12-22T21:22:30+00:00

The Times of India has an article entitled This Spam is Just For You! The article is awkwardly written and I don't think that the point comes across very well, so I thought I'd rewrite some of it.

SAN FRANCISCO: Yes, guys, those spam e-mails for Viagra or baldness cream just might be directed to you personally.

So, too, are many of the other crafty come-ons clogging inboxes, trying to lure us to fake websites so criminals can steal our personal information.

A new study by Cisco Systems Inc found an alarming increase in the amount of personalized spam, which online identity thieves create using stolen lists of e-mail addresses or other poached data about their victims, such as where they went to school or which bank they use.

Unlike traditional spam, most of which is blocked by e-mail filters, personalised spam, known as "spear phishing" messages, often sail through unmolested. They're sent in smaller chunks, and often come from accounts the criminals have set up at reputable Web-based e-mail services. Some of the messages are expertly crafted, linking to beautifully designed websites that are bogus or immediately install malicious programmes.

The first part of the article is correct in that personalized spam comes harvested from other sources. For example, a cyber-thief might steal your email address from a website you visit, like a Reunion website and find out where you went to school. In this case, they might use a social engineering technique to harvest more information from you: "Hi So-and-so, your 15th reunion is coming up. Please go to this web page to fill in more details!"

They might also hack into a bank's system and get a list of email accounts of all the users for that bank. In this case, a clever spammer would target you while spoofing your own bank in an attempt to deceive you into providing your bank password. A spammer with a list of email addresses for a specific bank has a better chance of getting a victim than a spammer with a general list spamming a million random email addresses.

The article does a poor case of drawing the link as to why personalized spam gets through filters and is sent in smaller chunks. The reason it is sent in smaller chunks is that targeted advertising doesn't need to cut as wide a swath to get the desired response rate. If you already know something about your audience, you don't have to waste time sending out millions of messages. Do manufacturers of power tools advertise on the Oxygen network? Do retailers who sell women's makeup advertise on Sunday afternoons during football season? Of course not, because the target demographics aren't watching. Similarly, if a spammer knows something about the victims he is intending to spam, he only needs to send out a small spam campaign, not the millions of messages he might normally do by slinging mud and hoping something sticks.

Now, the reason that these spear phishing messages get through unmolested is because the article assumes that most email filters today use reputation filtering as their main line of defense. That's mostly true, but not strictly true. If a spammer has to send a huge advertising campaign, then he needs to send it from a lot of sources. These big spam volumes are easy to detect. But if he sends only a small spam campaign, then that is tougher. These smaller blips hide within larger IP ranges and therefore it is harder to build up a reputation on them and therefore, reputation filters don't work.

Of course, it doesn't follow that the message will sail through to the user's inbox. At least in our case, we rely on a lot of content filtering to catch much of our spam. So even if reputation filtering is evaded, the content filtering after that will detect the message as spam.

Finally, it doesn't logically follow that spear phishing messages are sent from reputable web-based mail services (like Gmail or Hotmail). If you're a spammer, then sending from a reputable web service will increase your chances of delivery regardless of whether or not the attack is targeted. However, sending a small chunk of messages from a web-based service makes reputation filtering very easy to evade.

Terry Zink: The trouble with SMTP

2008-12-22T21:01:45+00:00

SMTP, or Simple Mail Transfer Protocol, is the Internet protocol that the world uses to transmit email. Its advantage is that it is simple to use (so simple, even a caveman could use it! But on a side note, I did not save 15% or more with Geico; in fact, by using them, it costs me about 30% more. But I digress...).

As John Levine has said (somewhere), the great thing about SMTP is that anyone can use it to send mail to anyone else. The crucial flaw about SMTP is that anyone can use it to send mail to anyone else. I would agree with that, so let's see what exactly that statement means.

SMTP allows you to compose an email. First, you say HELO (or EHLO in Extended SMTP), which is the mail server saying "Hello, my name is ...". Next, you give a MAIL FROM, that is, who the message is from. Then you specify a RCPT TO, who the message is going to. You add the contents of the body of the message, say QUIT and bang, you're done. The message is routed to the Interweb and it magically arrives in your inbox.

This all works well when people you can trust are the ones doing the communicating. It also works if people who you don't know but are trustworthy want to communicate with you. People who you trust you don't need to worry about, they will always send mail with the proper credentials. But you don't want to receive mail only from people you trust; you also want to communicate with new people. On Facebook, I recently had my birthday and well over a third of the birthday wishes were from people I didn't know a year ago; in the past year I've wanted to receive communication from new people. You cannot simply lock down your communications interface and SMTP allows you to receive communication from those you have never heard from. So long as the new communicator is trustworthy, there's no problem. Anyone can send mail to anyone.

And that's the problem. Because anyone can send mail to anyone, it is wide open to abuse. You want to hear from your best friend, but what if your worst enemy (in my case, Korean kimchee) impersonates your best friend and sends you an email? Someone who you thought you can trust is now intending to cause you harm. In and of itself, SMTP does not have a mechanism to force the sender of the mail to identify themselves. Because of this, spammers can abuse the protocol. They can send mail to anyone and they don't need to worry about the consequences. They can send mail as anyone without worrying about the consequences.

In a world where we all play by the rules and assign our credentials to the things we say and do, this all works fine. But we don't live in that kind of world, we live in a world where small segments of the population abuse the trust of the rest of us and exploit it for financial gain. I guess it doesn't have to be for financial gain, but it usually is in the case of spammers.

So, SMTP has low bars to entry and setting it up helps the world to communicate with each other. But in doing so, its drawback is that technology has allowed spammers to abuse it and scale that abuse upwards. It's a catch-22; we'd like a better email communication protocol but there's already a huge investment in it and replacing it would take years, if not more likely decades.

Box Of Meat: Finding Dulcinea: Obama Supporters Sick of Campaign Spam

2008-12-22T19:11:35+00:00

Finding Dulcinea: Obama Supporters Sick of Campaign Spam: ‘Many members of Obama’s massive e-mail list are getting tired of regularly receiving solicitations for contributions—especially since the race was won more than a month ago. The focused campaign message once delivered by e-mails from the Obama team has fractured into what Politico calls a, “jumble of sometimes disparate-feeling fundraising pitches, YouTube videos and calls for activism.”’

Box Of Meat: SophosLabs: Lie culture: why spam works

2008-12-22T18:51:58+00:00

SophosLabs: Lie culture: why spam works: “Spammers prey on the vulnerable, the gullible, the charitable and the greedy, and mainstream advertising has made it easy for them.”

Box Of Meat: CircleID: ICANN Upgrades Domain Name Whois Inaccuracy Reporting System

2008-12-22T18:49:02+00:00

CircleID: ICANN Upgrades Domain Name Whois Inaccuracy Reporting System

Box Of Meat: The Irish Times: New law puts 'hefty price tag' on spam

2008-12-22T18:47:46+00:00

The Irish Times: New law puts 'hefty price tag' on spam: “The regulations, which come into effect immediately, relate to all unsolicited mail sent by e-mail, text message or fax. Unsolicited mail for direct marketing purposes will be treated as an indictable offence…” in Ireland.

Box Of Meat: Sydney Morning Herald: Kiwis nail a Mr Big of the spam world

2008-12-22T18:45:48+00:00

Sydney Morning Herald: Kiwis nail a Mr Big of the spam world: “A New Zealand man living in Australia has agreed to pay fines totalling $92,715 after admitting his role in an international spam email operation said to be responsible for sending out billions of unsolicited emails in recent years.”

Box Of Meat: PSFK: Creative Review Supports JWT’s Urban Spam

2008-12-22T18:43:24+00:00

PSFK: Creative Review Supports JWT’s Urban Spam: “…just because someone knows how to use some chalk, it doesn’t mean they can hit us with marketing messages anywhere they please.”

Sophos Blog (Spam Category): Lie culture: why spam works

2008-12-22T10:01:14+00:00

If you look through your spam email folder, or back through our blog articles, it very quickly becomes clear that they mostly try to convince you to do some or all of the following: run some malware (that sends more spam) buy some sex (usually through the intermediate form of some pills) buy some money (by spending less [...]

John R. Levine: US Dep't of Commerce doesn't like ICANN's new domain plan

2008-12-22T00:11:04+00:00

ICANN's authority to manage top level of the DNS comes from a two-year Joint Project Agreement (JPA) signed with the US Department of Commerce in 1997, since extended seven times, most recently until September 2009. Since the DoC can unilaterally cancel the JPA which would put ICANN out of the DNS business, when DoC speaks, ICANN listens.

Silent Noise: Asprox - definately a new round of sql-injections

2008-12-21T13:17:51+00:00

There is definately a new round of sql-injections happening.

The three main domains hosted on the Asprox botnet that are being used are wmpd.ru, mtno.ru and nvepe.ru.
The two .kz domains, dft6s.kz and bnmd.kz are not being directly used for the attacks (so far).
The domains do hold the style.js file.

See also previous post a couple of days ago ("Asprox - back on track")

Last Friday evening, via search engines, I found around hundred domains/pages that were infected.
Now there are probably thousands.

Spam Huntress: MyDailyFlog sends deceptive invites

2008-12-21T02:11:28+00:00

There’s a guy in my “network” who keeps on joining one network after another. And he always sends me invitations. They go straight in the “half spam” bucket. The latest invitation piqued my curiosity. It was from mydailyflog.com, and it said: Hi! I would like to invite you to visit MyDailyFlog and see my latest photos. And then the [...]

Spam Wars Dispatches: Amazon Prime Phish

2008-12-20T04:33:41+00:00

Amazon Prime is a subscription service from amazon.com that lets you get "free" two-day shipping with every order. I say "free" in quotes because Amazon Prime does have an annual cost, but one that frequent Amazon customers certainly recoup fairly quickly.

And so, consider the Amazon Prime customer who receives the following message:

From: Amazon.com Customer Service
Subject: Your Amazon.com Prime Cancellation Confirmed

Hello from Amazon.com.

Your Amazon Prime membership has been cancelled, per your request.

Our records indicate that you haven't used your Amazon Prime membership benefits, so I've requested a full refund of $79 for the membership fee. The refund should be processed within the next 2-3 business days and will appear as a credit on your next credit card billing statement.

Please know that we value your business, and we hope to see you again soon at Amazon.com.

We always strive to provide a high level of service, and we would appreciate your feedback. Please let us know if we resolved your inquiry.

If yes, click here:

Please note: this e-mail was sent from an address that cannot accept incoming e-mail.

To contact us about an unrelated issue, please visit the Help section of our web site.

Best regards,

http://www.amazon.com

Of course, if the recipient was concerned and did the right thing—log onto amazon.com through normal means—there would be no change to Prime status. But clicking the link would lead to a lookalike login page, where one's username and password credentials would be lifted. Minutes later, their Amazon accounts (and associated credit cards) will have been hijacked.

Thankfully for the phishing message I saw, the phony site (hosted in Russia) was taken down. But the template is set. It will be used again with a different web site destination. Amazon Prime customers: Beware.

Silent Noise: Asprox - back on track

2008-12-19T20:32:06+00:00

With end user infections and sql-injections.

Domains registered in December:
mtno.ru, nvepe.ru, wmpd.ru (Naunet as usual is the registrar for .ru domains)
bnmd.kz, dft6s.kz (Something called "Skilltex" is the registrar).

Some of their older domains still exists.
E.g. advabnr.com has been put back in duty.

style.js is the name of the javascript file.

In addition to the javascript (which I still cannot decode) it pulls an iframe from 79.135.168.18.
One file is downloaded, 4499.pdf.

Terry Zink: Sometimes security restrictions are annoying

2008-12-19T18:27:08+00:00

As I relate some of my travels, I often observe how many security leaks there are in everyday life. But sometimes, security precautions can be annoying.

I was traveling in Europe last week, and then I made a connecting flight back to Canada through Montreal. However, I forgot to tell my credit card company that I was planning to travel. But in my defense, I don't use that credit card very often. It's a Canadian credit card from when I used to live there; when I'm in Canada, I prefer to use that one otherwise I lose too much money due to the exchange rates. I also get air miles on it, and I have quite a few on there.

So I was in Northern Ireland and I bought something and tried to pay for it with my credit card. It was declined. I rolled my eyes and used a different card. Later on when I was in Montreal, I bought something else and I tried to use the same card. Once again, it was declined! I had to use yet another card to get the purchase to go through (on an unrelated note, American Express -- which I wasn't using -- is completely useless outside of the United States, it seems). My Canadian credit card kept getting declined over and over.

When I got back to the States, I checked my cell phone (I had it turned off while abroad). I had a message from the credit card fraud protection services. I immediately knew what was up, though I suspected it before. Back in the summer when I booked my China trip, this same credit card kept declining purchases. So here's the story - my credit card company knows where I live and when it sees irregular purchasing activity, such as something in Europe or Eastern Canada, it flags it and prevents the purchase from going through. It's a good service because it helps to mitigate fraud and theft.

But on the other hand, it's quite annoying. Over the past few weeks I've been traveling quite a bit. Not having my credit cards work is irritating. I have to pull out a different debit card, hand it to the clerk and then get hammered on the exchange rates. I really do prefer to use credit cards while traveling rather than debit cards. My debit card works perfectly fine. My credit card does not.

And therein lies the dilemma, which is preferable? The credit card which tries to proactively prevent fraud and is a real inconvenience to me? Or the debit card (which also functions as a credit card because it only requires a signature at some vendors), which is more insecure but is way more convenient and not a hassle, and makes me want to just skip using the credit card altogether?

Security is great, but it sure gets in the way sometimes.

Terry Zink: Security only works if you follow procedure

2008-12-19T18:16:44+00:00

I've been traveling the past two weeks, which explains the dearth of posts in this blog. But as I've been traveling, I've noticed that when it comes to security, there are some major gaps in the system.

Take airports, for example. I was waiting in an airport, about to travel back from Europe to the United States. When I first checked in, they asked me if I wanted a window seat or an aisle seat if they came up, and I said yes. They told me to go to my gate and when the chance came up, they'd call me.

So, I headed over to the departure gate. Now, if you've been to an airport lately, you know all about security. No liquids, aerosols or gels. You have to go through piles of security checks. And then you have to show your photo ID before you board the plane (at least sometimes you do... not always). Anyhow, I got to the departure gate and waited for them to call me.

Here's where the story gets interesting. I heard them call my name "Passenger Zink (the Great), please report to an agent." I knew they were going to change my seat. At this point, passengers had already started boarding the plane and there was no one to go up to. So, I just walked up to another agent between some taped off areas and waited to talk to the agent. She was talking to someone else, and when she finished she turned to me.

She looked at me for a couple of seconds, I explained my situation, and then she said "How did you get into this area?" Presumably, it was a restricted area. I didn't explain how, but all I did was walk through to the place. There were no barriers to clear, no guards paying attention, no signs saying "Do not enter this area", none of that. I was instructed to step under some rope and wait over there and not the place where I was before (of course, there were no agents in the place where I was currently waiting). My whole point is that for all the security that I had to clear getting up to the departure gate, it was surprisingly easy to get into a restricted area later on.

I have often wondered if computer security is like that. Sure, things like passwords are great, but if you put it on a sticky tab on your monitor it defeats the security protocol. It's good to have ID swipe cards to enter buildings, but not so great if people tailgate in after you without swiping their card.

Michael Boyd Clark: BlogFlux Privacy Policy Violation

2008-12-19T05:03:17+00:00

Back in May 2006 I wrote abut why I use tagged email addresses. Just today, I found yet another company violating their privacy policy. On October 31, 2007, I registered with BlogFlux.com. Their current privacy policy says: 7b1d91231a87fb75e0054e886a0dea57

Your email is only used for contacting you about Blog Flux updates….Your email will also not be distributed to anyone for any purpose….Blog Flux maintains a strict “no-spam” policy. Your e-mail address will not be sold to a third party.

In the past 14 months, I’ve received a handful of messages (well, three) from BlogFlux. Each message clearly identified who they were, each had an opt-out link at the bottom, and each message was related to my BlogFlux account. Today I received a message from “Lesley.” She’s somehow affiliated with LoadedWeb.com. LoadedWeb.com has nothing on their web site about who they are, who’s running the site, their affiliations. LoadedWeb.com also does not have a privacy policy at all. Google searches show that LoadedWeb.com several years ago was a web host.

BlogFlux.com’s privacy policy refers people to their contact page “[i]f you have any questions about this privacy statement, the practices of this site, or your dealings with this Web site…” Unfortunately the contact.php page has no contact info on it at all. That’s the same URL they give in the footer of the site.

Looking at the message headers, I would guess that BlogFlux and LoadedWeb are probably owned or operated by the same people. Their IP addresses are on the same block. (204.11.52.70 and 204.11.52.71). That address is registered to enthropia.com. Their web site looks to be ancient, not updated since 2003?

I’d have to say avoid using BlogFlux.com, or LoadedWeb.com. It is probably just a couple guys doing cool web stuff from their basement, but it feels very random. I don’t think I’d trust them with my personal data or information.

216.180.243.10 19/Dec/2008:00:10:35

Copyright © 2008 PlanetMike's Technology Journal. This Feed is for personal non-commercial use only. If you are not reading this material at http://www.planetmike.com or in your news aggregator, the site you are looking at is guilty of copyright infringement. Please contact copyright@planetmike.com so we can take legal action immediately.

BlogFlux Privacy Policy Violation

Spam Wars Dispatches: Beneath the Latest Blasts

2008-12-19T00:46:51+00:00

I was wondering why, despite some very pointed filtering on my email server, a fair amount of sex chat lures have made it to my email client—where Entourage has successfully spotted every one as spam and diverted them accordingly. The rendered body of all of these messages claims to be from someone who "was just reading your profile online," and implores me to visit via MSN. Uh, no thanks. But a peek at the source code reveals why this recent flood may be making it into a lot of inboxes.

The message bodies are intentionally malformed HTML documents. They start like this:

<html> <body>
<br />
Hey there, i was just reading your profile online and i would love to chat<br>you should come on MSN i am waiting [removed]girl69@hotmail.com or on yahoo IM [removed]xoxo@yahoo.com
</body>

But before reaching the final <html> tag, the author has inserted a <style> tag whose content is a humongous semicolon- and return-delimited list of 1000 (exactly) words, names, and numbers. None of the text inside the tags is rendered, but does get studied by at least some content filters. Here's how the list starts out:

Mario;retour;apartar;painfully;Mon;Pronti;Charron;cancel;catastrophe; coppia;Busch;ministro;identified;Amerikaanse;answering;asap;Blues; recognized;oranges Schmitt;amp;establishes;Tom;Communist;arranges;Cairo;Mission;osteen; Eller;Scurry;Bezos;sawdust;wesentlichen;reformsgolpe;Antingen; confidence;Barnes;afternoon Nestor;Huang;center;adds;menschen;Rhythm;vorsichtig;gegaan;avail; Circumstances; ....

Oddly enough, this collection was not randomly assembled for each message. They were all identical. Perhaps it is a carefully researched collection of text that has proven to get past various Bayesian filters. Also identical were the forged Sent: dates and times (17 December 2008, at 14:50 PST). Subject: lines varied a bit from a presumably canned list (e.g., Hey Baby, i think i love you, Chat With Me, etc.).

I won't say how many made it to my email client, but suffice to say it was enough to get my attention. Just not enough to get me to dial up MSN and chat. Sorry, grrrls.

UPDATE (17:50PST): I guess it wasn't a carefully-crafted list of hashbusting words after all. Just saw another one with a smaller list of 156 different words hidden in a <style> tag, beginning with: ghoulish;automate;inc;acquire;chord;autopsy;lubricious;flintlock;dexterity;depressant;