Thursday, January 31, 2008
E-mail from Bill Gates
This morning I checked an old Hotmail account and I was surprised to see an e-mail from Bill Gates. The From header was "Bill Gates (billgates_2008lottery@yahoo.fr)" which was a little surprising. I would have thought that Bill would be sending it from a Microsoft or at least a Hotmail address and not a competitor such as Yahoo. I put that thought at the back of my mind since I was excited to see why he was e-mailing me. Here's the message I received:
The content of the message was in French. I put this down to the fact that Microsoft is based in Redmond, Washington which borders us here in Canada and perhaps some French Canadian influence had started to spread across the border in the USA?
After reading the e-mail, I discovered I was a winner of the "BILL GATES FOUNDATION LOTTERY FOR INTERNET EXPANSION IN AFRICA". I realized this was quite a big deal since capitalization was used in the name! All I have to do is contact Claude Verges at the "law firm" and provide my name, address, phone, fax, e-mail and a copy of my national identity card or passport. All of which would be very useful for identity theft so I think I'll pass on this occasion. Sorry Bill!
Posted by David Cawley at 10:48 AM
Labels: africa, bill gates, hotmail, lottery, microsoft
Wednesday, January 16, 2008
Breaking the Law
I can't believe I'm about to do this but here goes ....
What's the big deal you're wondering? Well, I just published some Network Solutions whois information related to the test.com domain. In this case the domain I chose was arbitrary but it's common practice for Anti-Spam researchers to investigate suspected spammers' whois details to try and correlate domains to the same spammer. The whois records are open to the public so you wouldn't think it would be such a big deal to put them on a website. However, a court in North Dakota considers "publication of whois lookups without authorization from Network Solutions" to be an unauthorized activity.
Spam fighter David Ritz investigated a suspected spammer by using typical tools. He was sued by this person and the judge's finding documents are available here. I'm shocked by the decision but I guess it comes down to a lack of understanding of the interweb and its complex network of pipes.
Posted by David Cawley at 2:39 PM
Labels: david ritz, law, spam, whois
Tuesday, January 15, 2008
E-mail Security Blogs
The purpose of the MailChannels blog is to provide readers with useful information about happenings in the exciting world of Anti-Spam rather than marketing blurbs. I thought it might be useful to provide a list of interesting blogs from other companies and individuals which deserve credit for their contribution to the Anti-Spam community. In some cases such as our own blog the focus is primarily on Anti-Spam, others are more general security blogs. If you can think of any other blogs that should be included please add a comment.
Corporate Blogs
MailChannels Anti-Spam Blog - I should start with our very own blog! The MailChannels blog was born in November 2007 and keeps a finger on the pulse of Anti-Spam related news. We comment on the latest spam tactics and trends.
Commtouch Blog - I just discovered the newly launched Commtouch blog today which is what prompted me to write this blog post. It's still in its infancy but should be an interesting one to watch.
Symantec Security Response Blog - This blog provides regular updates on e-mail security news including a summary of their monthly state of spam report. As a former Symantec Brightmail employee of 5 years I'm quite fond of this blog as I know many of the contributors.
McAfee Avert Labs Blog - The McAfee blog provides interesting updates with the option of e-mail updates - they also provide an RSS feed. Again it's a favorite of mine since I've worked with Kevin McGhee who is a contributor to their blog.
Sophos Security Blog - Funnily enough Sophos have an office just a few blocks from MailChannels. As several members of our team are former Sophos employees it's another favorite. We also get a chance to meet up with the developers in person at Perl Monger conferences in the city.
Trend Micro - As Trend are based in Asia and have a large Asian customer base they often have news from across the pond that may not be widely known in North America.
F-Secure - The F-Secure blog provides details on spam, phishing, spyware and virus attacks and is well worth a read.
SANS Institute - Technically this is a diary but the SANS Internet Storm Center has great commentary on general internet security issues.
Secure Works - The SecureWorks blog doesn't have a great deal of content itself but it does have posts of weekly links to Anti-Spam news stories in the media.
Individual Blogs
John Graham Cumming - John is a member of the MailChannels technical advisory board. He maintains "The Spammers Compendium" which names and tracks the first seen date of the latest spam techniques. He also writes a regular Anti-Spam newsletter.
Justin Mason - Justin is also a member of the MailChannels technical advisory board and for good reason. He's the person behind the excellent SpamAssassin project! He also maintains the Planet Anti-spam page. [Update: Justin commented on this post to point out he aggregates posts from many of these blogs into a single "river of news" format]
Terry Zink - In Terry's own words... "protecting your mail against the scum of the internet". He's a Microsoft employee working as a program manager in the Exchange Hosted Services anti-spam division.
Al Iverson - Al writes the "Spam Resource" blog with plenty of Anti-Spam tidbits and was very active in the past year with around 90 posts.
Ed Falk - His blog, named "The Spam Diaries", is focused on Anti-Spam issues as the name suggests and has been blogging on spam for over 10 years.
David Spark - The Anatomy of Spam Blog is maintained by David Spark. Although it does have interesting content, the last post was made in July 2007 so it's not up to date.
Posted by David Cawley at 9:56 AM
Labels: anti-spam, blogs, commtouch, f-secure, mcafee, sans, secureworks, sophos, symantec, trend
Thursday, January 10, 2008
Will Spammers resort to cutting down trees?

It's clear that spammers are quite happy to clog up our bandwidth as spam makes up over 90% of all e-mail sent. However, would they resort to different tactics besides e-mail that could be wasteful of other resources? It's now possible that spammers could resort to cutting down trees to get their advertisements across. How you ask...?
I recently read an interesting article by Aaron Weaver pointing out an attack vector to send printer spam. At first, it may seem unlikely that spam would be sent via this medium but just consider fax spam that has been received for years. The difference is that faxing and cold calling by phone typically have high costs associated with them whereas the costs of internet based techniques are orders of magnitude less and so can be of huge volume. Aaron describes his Proof of Concept as follows...
By using only JavaScript, an Internet web site can remotely print to an internal network based printer by doing an HTTP Post. The web site initiating the print request can print full text, enter PostScript commands allowing the page to be formatted, and in some cases send faxes. For the attack to succeed the user needs to visit a web site that contains this JavaScript.
For example, a web page could be created in HTML with a form that references a user's local printer, which commonly listens on the well-known port 9100: <form action='http://local_printer_address:9100' .....
The difficulty is that the local printer would need to be identified for every visitor to the page. As pointed out in the article this could be done by sending multiple requests to internal IP addresses (192.x.x.x or 10.x.x.x) or using an applet to narrow it down to a specific subnet.
This would allow an attacker to send printer spam to your local printer if an administrator password hadn't been set up or restrictions on IP addresses it should accept jobs from had not been defined. As the vast majority of printers do not have tight security settings this attack is quite feasible and could result in page upon page of printer spam. Very wasteful of paper but probably not the most major contributor to deforestation just yet!
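Seen from the defender's side, a job submitted this way arrives on port 9100 framed as an HTTP request rather than as ordinary printer data, which makes it easy to flag. The sketch below is an added example (not code from Aaron Weaver's article or from this blog); the function names, the constructed sample captures and the print-server allowlist are assumptions for illustration.

```python
import ipaddress
import re

# A browser form aimed at the raw print port delivers a full HTTP request,
# so the "print job" begins with a request line instead of PJL/PostScript/PCL.
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|OPTIONS) \S+ HTTP/1\.[01]\r?\n")
HEADER = re.compile(rb"^([A-Za-z-]+):[ \t]*(.*?)\r?$", re.MULTILINE)

def inspect_raw_job(client_ip, payload, allowed_sources):
    """Return a finding dict for a suspicious job on TCP 9100, else None."""
    addr = ipaddress.ip_address(client_ip)
    allowed = any(addr in ipaddress.ip_network(net) for net in allowed_sources)
    match = REQUEST_LINE.match(payload)
    if match is None:
        # Not HTTP-framed: report it only when the sender is outside the allowlist.
        return None if allowed else {"client": client_ip, "reason": "source-not-allowed"}
    head, _, body = payload.partition(b"\r\n\r\n")
    headers = {k.decode("ascii").lower(): v.decode("latin-1")
               for k, v in HEADER.findall(head)}
    return {
        "client": client_ip,
        "reason": "http-request-on-raw-port",
        "method": match.group(1).decode("ascii"),
        # Referer/Origin name the page that made the browser send the request.
        "source_page": headers.get("referer") or headers.get("origin") or "unknown",
        "body_bytes": len(body),
        "source_allowed": allowed,
    }

# Constructed sample captures: (client IP, first bytes received on port 9100).
SAMPLE_JOBS = [
    ("10.0.5.10", b"\x1b%-12345X@PJL JOB NAME=\"report\"\r\n%!PS-Adobe-3.0\r\n"),
    ("10.0.7.23", b"POST / HTTP/1.1\r\nHost: 10.0.7.200:9100\r\n"
                  b"Referer: http://ads.example/page.html\r\n"
                  b"Content-Type: text/plain\r\n\r\nmsg=BUY NOW\r\n"),
    ("10.0.7.41", b"%!PS-Adobe-3.0\r\n/Courier findfont 12 scalefont setfont\r\n"),
]
PRINT_SERVERS = ["10.0.5.10/32"]  # assumption: only the print server may submit jobs

def audit(jobs, allowed_sources):
    """Run inspect_raw_job over captured jobs and keep only the findings."""
    findings = (inspect_raw_job(ip, data, allowed_sources) for ip, data in jobs)
    return [f for f in findings if f is not None]

if __name__ == "__main__":
    for finding in audit(SAMPLE_JOBS, PRINT_SERVERS):
        print(finding)
```

The allowlist mirrors the restriction mentioned above on which IP addresses the printer should accept jobs from; the HTTP check catches the case where the request comes from a workstation's browser inside the network.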
Posted by David Cawley at 10:57 AM
Wednesday, January 9, 2008
Alan Ralsky in Handcuffs!
A few days ago I wrote a blog piece on the indictment of the International Spam King, Alan Ralsky. At the time he was still at large somewhere in Europe and rumored to hand himself in. The Detroit Free Press have just reported the following within the past hour:
Ralsky, 62, of West Bloomfield, was brought into U.S. District Court in Detroit in handcuffs, escorted into court by FBI and Postal Inspection Service agents who greeted him at Detroit Metro Airport upon his return from Germany. His lawyers had arranged his surrender.
He faces multiple charges, the most serious being "mail and wire fraud" which could cost him a maximum penalty of 20 years in prison and a $250,000 fine. This is because the spam ring he is involved with was responsible for buying cheap stock, then artificially inflating its price by promoting the stock in spam before selling it at a huge profit.
Posted by David Cawley at 4:56 PM
Friday, January 4, 2008
Spam King Indicted

In 2002, I worked in Anti-Spam Operations and could easily identify particular spammers by commonalities in the attack such as message headers, message content, website template, whois records, domain naming conventions, etc.
At the time one of the most prolific spammers was Alan Ralsky and his preferred spam runs included debt management, pills and eventually penny stock pump and dump scams. His usual tactic was to register thousands of domains for a spam run and cycle through each of the domains in his spam message. Many of these domains were registered to a fake address in China to a person named "Zhang Jun". I've seen it so many times I can remember it almost 6 years later!
It was quite a blast from the past to return from the New Year to hear that the law has finally caught up with Alan Ralsky. Reuters have reported that a 41-count indictment charges 11 people with operating a spam operation focused on running a stock "pump and dump" scheme. This is even more serious than spam as it amounts to fraud since they manipulated a stock price through spam campaigns and made large amounts of money in doing so.
Posted by David Cawley at 11:26 AM







