Archive for Spam

Akismet approaching 1 Billion Spam Comment Messages Blocked

You can’t stand spam. I can’t stand spam. Fortunately for us and most of the people using WordPress, Akismet is the perfect plugin for dealing with comment spam. Akismet is the brainchild of Matt Mullenweg of WordPress and his merry band of Automattic hackers. Their favorite definition of kismet is “Kismet (principle), the magnetic attractive force that actualizes the playing out of karma; often used in the positive sense.”

Automattic Kismet (Akismet for short) is a collaborative effort to make comment and trackback spam a non-issue and restore innocence to blogging, so you never have to worry about spam again.

The graph below shows ham and spam since Akismet started. “Ham” is Akismet lingo for a non-spam message.

Akismet approaching 1 billion spam comments blocked

My guess: We will hit the 1 billion spam comment mark sometime on Sunday (03/24). I will post a follow-up post once we reach the 1 billion mark.

Related Links:

1. Download Akismet plugin for WordPress and other blogs


A Spammer who knows his spam might be blocked by Spam Filters

Okay, this email is rather funny. A spammer who knows his spam email might be blocked informs me that since this particular email has passed through my spam filters, I now have an opportunity to know about his great services and products. Apparently the spammer focuses on customer service and support too …

Spam email which bypassed image filters


Spammers are increasingly obfuscating message content by misspelling spam keywords

Many spam-filtering techniques work by searching for patterns in the headers or bodies of messages. For instance, a user may decide that all e-mail they receive with the word “Viagra” in the subject line is spam, and instruct their mail program to automatically delete all such messages. To defeat such filters, the spammer may intentionally misspell commonly filtered words or insert other characters, as in the following email example:

Email message where spammer intentionally misspells spam keywords 

The principle of this method is to leave the word readable to humans (who can easily recognize the intended word for such misspellings), but not likely to be recognized by a literal computer program. This is only somewhat effective, because modern filter patterns have been designed to recognize blacklisted terms in the various iterations of misspelling. Other filters target the obfuscation methods themselves, such as the insertion of punctuation or numerals in unusual places, for example within a word.

(Note: Using most common variations, it is possible to spell “Viagra” in over 1.3 * 10^45 ways.[29])

So, how do we get around such Spam techniques?

Most of the spam that sneaks into my inbox past SpamAssassin and my Bayesian spam filter gets there because almost every word in the message is intentionally misspelled. By not giving the filter recognizable content, the messages get past. So how about a spam filter that works by spell check? If more than 50% of the words are misspelled, there’s a good bet that the message is spam or in a language I can’t read anyway.
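The spell-check idea above, combined with the in-word punctuation and numeral check mentioned earlier, as an added sketch (not code from this blog or from SpamAssassin). The word list, sample messages and function name are constructed for illustration; a real filter would load a full dictionary.

```python
import re

# Constructed mini word list; a real filter would load a full dictionary file.
WORDS = set("""a about account and are at buy can cheap for friday from get great
have here hi i in is it meeting moved my notes of on online our pills please
prices see send the this to today we will you your""".split())

# Letter, then digits or symbols, then a letter: "V1agra", "pr1ces", "p.i.l.l.s".
# ASCII-only for brevity; hyphens and apostrophes are allowed inside words.
INWORD_JUNK = re.compile(r"[A-Za-z][^A-Za-z\s'-]+[A-Za-z]")

def spellcheck_score(message, threshold=0.5):
    """Return misspelling statistics and a spam verdict for one message body."""
    tokens = [t.strip(".,!?:;\"()") for t in message.split()]
    # Ignore tokens with no letters at all (numbers, stray punctuation).
    words = [t for t in tokens if re.search(r"[A-Za-z]", t)]
    misspelled = [w for w in words if w.lower() not in WORDS]
    obfuscated = [w for w in words if INWORD_JUNK.search(w)]
    ratio = len(misspelled) / len(words) if words else 0.0
    return {
        "words": len(words),
        "misspelled": len(misspelled),
        "obfuscated": len(obfuscated),
        "ratio": ratio,
        # The rule from the text: more than half the words fail the spell check.
        "is_spam": ratio > threshold,
    }

# Constructed sample messages.
HAM = "Hi, the meeting moved to Friday. Please send your notes to my account."
SPAM = "Buy ch3ap V1agra p.i.l.l.s onl1ne t0day, gr8 pr1ces h3re!"

if __name__ == "__main__":
    for name, body in (("ham", HAM), ("spam", SPAM)):
        print(name, spellcheck_score(body))
```

The obfuscated count is reported separately from the ratio because a message in an unfamiliar language fails the spell check without containing in-word digits or punctuation.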


Spammers using University Message boards for hosting Spam

This started out as an analysis of the spam messages we receive every day at AskStudent.

What is spam?

Spam usually means unsolicited email messages sent to your account. Spam is also referred to as “unsolicited commercial email/posts” and “unsolicited bulk email”, sent either to your email accounts or as message posts on websites or blogs. The content ranges from advertising (usually Viagra) to the potentially offensive (child porn).

Why am I getting all this spam?

Spammers (the people who send spam) “harvest” email addresses from various places. If you have done anything on the Internet at all (registered a software product, participated in an online discussion board), your address could potentially be harvested by spammers. Even if you hardly do anything on the Internet, as long as you have some kind of presence (even just an email address), your address could still be the target of spam messages. Spammers have been known to launch attacks similar to “cold calling”; they’ll keep trying email addresses until they find a valid one.

For example, a spammer could send a message to fit.edu addresses and just use all known common first names before the @ sign. The invalid ones will bounce but the valid ones will get delivered.

We will walk you through a new method being used by spammers:

Have the spam link on online message boards originate from a valid and reputable site such as a .edu or a university/college website.

Spammers have determined that if they register for a message board or university discussion board account, they can then leave a link to their webpage. The link shows up on the message board user list. Then, when leaving a link in comments on a web site such as AskStudent’s, instead of leaving an obvious link to a spammer site, the spammers leave a link like the following:

web.universityname.edu/deptname/disc1_frm.htm

This URL looks relatively innocent; after all, it comes from a university web site, and probably some students there have a discussion going on their message boards about the article on which the “comment” was placed. But if you follow the link, you get to a discussion board that uses JavaScript to immediately redirect you to the spammer’s site.

The problem with these hacked .edu message boards is that the links come from a trusted domain. So what happens when a link from a trusted domain is posted on your blog? It results in something like this coming into our moderation queue every day: spam links which originate from .edu domains.

Spammers using hacked university message boards for hosting spam

Links being used for SEO

Still not convinced? Try a Google search for phentermine, a drug that is among the most promoted by spammers. In the results page on Google, two out of the top five results return hacked message board pages advertising and promoting phentermine.


I won the Microsoft Lottery Award: Spam Email

In this category, I will be posting the various kinds of spam messages I get. Most of them are funny. Some are variants of the Nigerian spam and some border on innovation. The header image in this spam email is hotlinked from Microsoft’s servers, at http://i2.microsoft.com/h/all/i/ms_masthead_8×6a_ltr.jpg, and Microsoft’s logo comes from http://i2.microsoft.com/h/en-us/i/msnlogo.gif.

This spam message is from the Microsoft Award Team congratulating me on winning the Microsoft Lottery Award. It included a serial number, my lottery ticket number and also my lottery ticket winning numbers, which were 14, 21, 25, 39, 40, 47 with the special number being 20. I also won £1,350,000.00, or 1 million, three hundred and fifty thousand Great Britain pounds, as one of the 5 jackpot winners in this draw.

I have been assigned a fiduciary agent for claiming my reward, a Dictor Greg Thomas, who is based in the U.K. and has the email address dictor_greg_thomas@katamail.com and a UK telephone number: +44 7 031 948 758.

The email is also from a Bryan McDonald of the Microsoft Promotion Team, who is also a Vice President at Microsoft. Her email address is not, as everyone would imagine, on the microsoft.com domain, but is globedraw010@hotmail.com.

Spam message from Microsoft Award Team


Follow up conversation with the London based Nigerian Spammer

Spammer Watch : DAY # 1 

So, I followed up with our London based Nigerian spammer by emailing him that I am indeed interested in proceeding with this “financial transaction”. I pretend to be a Mr. Brandon Hurley based in the UK. So, here is my first email to Mr. Peter Fischer, our friendly neighbourhood spammer

My Email to the Nigerian Spammer

Spammer Watch : Day # 2

So, within 7 hours, I get an email from Mr. Fischer thanking me for my interest. This is starting to get interesting.

Analysis of Spam Thru botnet

Mark Sunner, Chief Security Analyst at MessageLabs, was among the many security analysts watching one Trojan called “Spam Thru”, a piece of malware designed to send spam from an infected computer, at the turn of last year. Spam Thru represented an exponential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000-strong peer-to-peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor.

Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing in the same infected host machine so that it can get unlimited access to the machine’s processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of in-built defences.

The thing that worries Mark Sunner the most is that he suspects the major traffic spike towards the end of 2006 was merely a test run for more, if not similarly sophisticated, botnets to follow. Sunner adds:

“With new levels of sophistication this has reached a real milestone. Botnets are getting smaller, more stealthy and more discreet and yet the volumes of spam are going up. Without a hint of scaremongering, will this get a lot worse throughout 2007 in terms of botnet sending? Absolutely, yes.”

The British IT security firm MessageLabs registered a dramatic increase in spam mail traffic from 64.4% to 72.9% late last year, all attributed to Spam Thru.

Increase in Spam Traffic attributed to SpamThru


Spammers now using TinyURL to flood comments

Spamming is the abuse of electronic messaging systems to send unsolicited bulk messages. While the most widely recognized form of spam is email spam, spam in blogs is becoming huge these days, along with search engine spam and mobile phone messaging spam.

Spamming is economically viable because advertisers have no operating costs beyond the management of their mailing lists, and it is difficult to hold senders accountable for their mass mailings. Because the barrier to entry is so low, spammers are numerous, and the volume of unsolicited mail has become very high. The costs, such as lost productivity and fraud, are borne by the public and by Internet service providers, which have been forced to add extra capacity to cope with the deluge.

Blog spam, or “blam” for short, is spamming on weblogs. This type of spam takes advantage of the open nature of comments in blogging software by placing comments on various blog posts that provide nothing more than a link to the spammer’s commercial web site.

Blogs such as TechCrunch have caught over 1 million spam comments. For most blogs, such as this one and AskStudent, the protection from such blog spam, as for TechCrunch, is Akismet.

Today, I saw a new method of blog spam from these spammers. They are using TinyURL, a very popular web service which provides short aliases for long URLs. In spite of its benefits, TinyURL has had to face the criticism that its links are opaque, hiding the ultimate destination from a web user. This opaqueness is now being leveraged by spammers, who can use such links in spam and thus bypass URL blacklists.

Example showing the use of TinyURL in blog spam

UPDATE:

TinyURL has blocked the above site stating that they abused their policy. How does one deal with such spam? Post in comments area.

TinyURL blocks spam link

Related Articles:

1. How to hide your email address from spammers, a thorough guide

2. What a PayPal phishing email looks like and how to detect it

3. Top phishing targets are Ebay and PayPal followed by Banks

4. References: Wikipedia article on spammer


What a Paypal phishing email looks like and how to detect it

In computing, phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, although phone contact has been used as well. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures.

The first recorded mention of phishing is on the alt.online-service.america-online Usenet newsgroup on January 2, 1996, although the term may have appeared even earlier in the print edition of the hacker magazine 2600. The term phishing is a variant of fishing, probably influenced by phreaking, and alludes to the use of increasingly sophisticated lures to “fish” for users’ financial information and passwords. The word may also be linked to leetspeak, in which ph is a common substitution for f.

Shown below is a sample email message I received from PayPal

Paypal phishing email

If you dissect this email digging into its header and the content code, you will see two things jump out


How to hide your email address from spammers, a thorough guide

Every IT professional worth his/her salt has their own webpage/blog these days. While you may have people from all over the globe dropping a line at your site, email harvesters are the most unwanted visitors on any website. These email spambots crawl the web via search engines to find and extract email addresses from webpages. Email addresses in your blog or webpage are no secret to spam robots. Here’s a guide that should help you protect your email addresses from these spam spiders. The techniques mentioned use text manipulation, masking, HTML, Flash, CSS, and JS to hide email addresses.

How do email spammers operate?

Email addresses always contain an @ symbol. Most spambots do a pattern search for likely combinations of letters (abc@xyz.com), like billgates@microsoft.com or larrypage@google.org, in the HTML source of webpages. Often they just search for the @ character and grab all the letters on each side on the assumption that it’s a valid email address.

How do you keep your email address available to humans but invisible to email spiders?

There are tons of email address protector programs that claim to protect your email address in web pages and get rid of junk mail. Don’t waste your money: they only encode your email or generate a JavaScript snippet. We will discuss manual email encoding techniques here. If a visitor clicks an encrypted email link on your website, it will work as normal, but spam robots will not be able to extract the address from the link.
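One way to check a manual encoding against the pattern search described above, as an added example that is not code from the original guide. It encodes a mailto link as HTML character references and scans the resulting page source; the address, the pattern and the function names are constructed for illustration.

```python
import html
import re

# A pattern of the kind the text describes: characters on each side of an "@".
NAIVE_ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def entity_encode(text):
    """Encode every character as a decimal HTML character reference."""
    return "".join(f"&#{ord(c)};" for c in text)

def mailto_link(address, label="Email me"):
    """Build a mailto link whose href contains no literal '@' in the source."""
    href = entity_encode("mailto:" + address)
    return f'<a href="{href}">{html.escape(label)}</a>'

def found_by_source_scan(page_source):
    """Addresses a pattern search over the raw HTML source would find."""
    return NAIVE_ADDRESS.findall(page_source)

def found_after_decoding(page_source):
    """Addresses found once character references are decoded first."""
    return NAIVE_ADDRESS.findall(html.unescape(page_source))

# Constructed sample address and page fragments.
ADDRESS = "webmaster@example.org"
PLAIN_PAGE = f'<a href="mailto:{ADDRESS}">Email me</a>'
ENCODED_PAGE = mailto_link(ADDRESS)

if __name__ == "__main__":
    print("plain, source scan:   ", found_by_source_scan(PLAIN_PAGE))
    print("encoded, source scan: ", found_by_source_scan(ENCODED_PAGE))
    print("encoded, decoded scan:", found_after_decoding(ENCODED_PAGE))
```

A browser decodes the references, so the link still works when clicked. The last check shows that a scanner which decodes character references before matching still recovers the address, so this encoding only stops the simple source-level pattern search.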
