Wiz's Computer and Website Security Blog

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 78% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced this week were numeric links to Storm Trojan infected computers and spam for casinos, finances, lottery scams, phishing scams, and pump and dump stocks.

My current statistics show that spam is now 76% of all my incoming email, for the week of November 19 through 25, 2007. This is up 1% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for November 19 through 25, 2007.

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters; due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Posted by Wiz at 2:00 PM | Permalink

back to top ^

I wanted you all to be aware (in case you don't already know) that cyber-criminals are planning all out attacks against online consumers this holiday season, and they have already begun. Everything from phishing scams, to social engineering via tricky email messages, to the outright theft of transaction databases by exploiting servers is being rolled out to try to take your money and identity. Please treat all strange email subjects and senders as potential threats, not just objects of curiosity. Also, whatever your operating system your computer uses, please keep it updated with all current patches, to reduce your chances of getting exploited by a threat in the wild.

If you intend to make an online purchase, use a credit card if you have one, as most issuers limit your liability to $50, in the event your numbers are stolen and used fraudulently. There may or may not be similar protection on your debit cards, and if a cyber-criminal wipes out your bank account, you may have to wait a long time to get the money credited back, if it is at all.

Do not fall victim to Nigerian 419 scammers, whether it is the advance fee to claim funds scam, the lottery scam, the over-payment/refund scam, the money-laundering work-at-home check cashing scam, or other variations used by the World's foremost scammers.

Do not click on links in unsolicited emails, to view cute animals, or sports trackers, or eCards, or postcards, especially numeric URL links! The Storm Trojan BotMasters use these tricks to infect your PC and make it part of the World's largest Botnet, to date. If such an email arrives from a sender you know, send them a message asking if they actually sent that email to you. Chances are that they have no knowledge of that message being sent in their name. Heck, I get spam emails supposedly from my account names to the same accounts (but the sender's name is random characters or a non-existent user name)! Spammers use forged senders and reply to addresses in all of their messages now. There is no point in replying to them to complain, because, either the sender is unaware their name was used, or the account does not actually exist on that mail server.

eBay, PayPal, bank and credit union phishing scams are being ramped up, in anticipation of huge rewards during the upcoming Christmas buying season. Ditto for probes against online credit card databases.

One of the main reasons there is such a huge increase in the amount of spam this Winter, especially a lot of nasty stuff, is because the criminals behind these messages are hiding behind compromised personal computers that they have drafted into their BotNets. They do not fear being tracked down because they have created a virtual firewall between the command centers, the zombie computers and themselves. These people usually live in countries where the law turns a blind eye to such activities, as long as they don't use the Botnet against their own people, or governments. A lot of them speak Russian as their native language.

Keep your defenses up this shopping season. Use spam filters, like MailWasher Pro (which I use), to filter out as much spam and scam email as possible, to reduce your exposure to email-borne threats. Keep regularly updated versions of anti virus and anti spyware programs on Windows based PCs (see graphic image ads on this page for reputable security products), and set your computer to receive Windows Updates automatically. Do not run as an administrator while browsing the Internet or reading email. It is dangerous, whether your operating system is Windows, Mac or Linux. Use Limited User, Power User or User privileges instead, and learn how to escalate to administrator level only as and when needed. I have an entire article about creating limited user accounts here. Read it and learn to protect your PC.

Each well secured computer is one less zombie in a Botnet, and hopefully, one less identity theft victim. Have a safe and happy holiday season!

Posted by Wiz at 1:08 PM | Permalink

back to top ^

If you use the famed, freeware, anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parenthesis or a double ++ in front of it's name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4 and 1.5. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Additions made on 11/21/2007

Adware
+ MeMedia.AdVantage

Malware
+ AntiSpyZone
+ BPS.SpyEliminator
+ CoolToolBar
+ FroggieScan
+ IEDefender
+ KazaapAdwareAndSpywareRemover
+ MalwareScanner
+ NoAdware
+ SpyBouncer
+ SpyRemover
+ Vario.AntiVirus
+ Vcodec.eMedia

PUPS (Possibly Unpopular Software)
+ CleanSpaceUltimate
+ Spy-Killer
+ SynergeticSoft.PrivacyDefender

Security
+ Microsoft.Windows.System

Spyware
+ Cydoor (97)

Trojan
+ IE-Improver
+ Fraud.ProtectionBar
+ NSIS Media.VB (22)
+ Smitfraud-C.MSVPS
+ Win32.Agent.ekn
+ Win32.IrcContact
+ Zlob.Downloader
+ Zlob.Downloader.iec
+ Zlob.Downloader.oid

Total: 509988 fingerprints in 108866 rules for 3403 products.

Spybot Search & Destroy version 1.5x is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!

Posted by Wiz at 5:54 PM | Permalink

back to top ^

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 70% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced this week were numeric links to Storm Trojan infected computers and spam for casinos, counterfeit watches, finances, lottery scams, phishing scams, and pump and dump stocks.

My current statistics show that spam is now 75% of all my incoming email, for the week of November 12 through 18, 2007. This is up 1% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for November 12 through 18, 2007.

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters; due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Posted by Wiz at 3:32 PM | Permalink

back to top ^

If you use the famed, freeware, anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released today, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parenthesis or a double ++ in front of it's name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4 and 1.5. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Additions made on 11/14/2007

Adware
+ Anti-Leech + Netpumper

Keylogger
+ Ardamax (3)
+ Elite Keylogger

Malware
+ Ad-PurgeSpywareAndAdwareRemoverPro
+ AdwareRemover2007
+ AntispyStorm
+ BPS AdwareCops
+ BPS AdwareStriker
+ One-Shot-Antivirus
+ Vario.Antivirus
+ YourSoft-AntiVS

PUPS (Possibly Unpopular Software)
+ 100PercentAntiSpyware

Security
+ Microsoft.Windows.System

Spyware
+ Cydoor (97)

Trojan
+ NSIS Media.VB (21)
+ Prorat-D
+ Smitfraud-C.MSVPS
+ Win32.Absturz
+ Win32.Abaddon
+ Win32.Agent.atr
+ Win32.Agent.bxx.rtk
+ Win32.Destrukor
+ Win32.Small.au
+ Win32.Small.ny
+ Win32.Small.rc
+ Zlob.Downloader.eot
+ Zlob.Downloader.vcd

Total: 495408 fingerprints in 103336 rules for 3397 products.

Spybot Search & Destroy version 1.5x is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!

Posted by Wiz at 12:12 PM | Permalink

back to top ^

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 78% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced this week were numeric links to Storm Trojan infected computers and spam for casinos, counterfeit watches, pirated software and pump and dump stocks.

My current statistics show that spam is now 74% of all my incoming email, for the week of November 5 through 11, 2007. This is up 2% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for November 5 through 11, 2007.

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters; due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Posted by Wiz at 11:59 AM | Permalink

back to top ^

If you use the famed, freeware, anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released today, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parenthesis or a double ++ in front of it's name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4 and 1.5. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Additions made on 11/07/2007

Keylogger
+ Perfect Keylogger

Malware
++ AdwareDeluxe
+ Doctor-Adware-Pro
+ Smitfraud-C.
+ Vario.AntiVirus
++ Vario.RougeAntiSpy
++ VirusRanger
++ Win32.MMD

PUPS (Possibly Unpopular Software)
++ eSupport.FFBiosExt

NOTE: This has just been diagnosed as a false positive by the folks at Spybot Search and Destroy. It is a diagnostic utility to determine if a BIOS update is available for your motherboard. It was listed as a "PUP" because it installs as a Windows Service and does not have an uninstall option. This detection will be removed in the next definitions update, on November 14, 2007 (unless something more sinister is discovered about this program).

If you allowed Spybot to remove this file and you think you may need it again (to diagnose hardware issues), you can use the restore function built into Spybot S&D to restore it's functionality.

Trojan
++ ABetterInternet.iSearch
+ Bifrose.LA
+ Hupigon
+ Smitfraud-C.MSVPS
++ TM.BestOffers
++ TM.BTGrab
++ TM.ZServ
++ Win32.Agent.msgr
++ Win32.BabyDel
++ Win32.Delf.QP
+ Win32.SdBot.aad
+ Zlob.DNSChanger
+ Zlob.Downloader
+ Zlob.Downloader.oid
+ Zlob.Downloader.vcd
+ Zlob.Downloader.vdt

Total: 502022 fingerprints in 99085 rules for 3381 products.

Spybot Search & Destroy version 1.5x is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!

Posted by Wiz at 11:37 AM | Permalink

back to top ^

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 75% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced this week were numeric links to Storm Trojan infected computers (3) and spam for casinos (1) and "pump and dump stocks" (0).

My current statistics show that spam is now 72% of all my incoming email, for the week of October 29 through November 4, 2007. This is the same percentage as last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for October 29 through November 4, 2007.

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters; due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Posted by Wiz at 11:46 AM | Permalink

back to top ^

If you use the famed, freeware, anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released today, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parenthesis or a double ++ in front of it's name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4 and 1.5. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Additions made on 10/31/ 2007

Hijacker
+ Bestsearch.Scvhost
+ Pigeon.1604
+ Searchdom.Wininit

Keylogger
+ Ardamax
+ Perfect Keylogger
+ SCKeylogger

Malware
+ AproposMedia
+ Command Service
+ DeepDive
+ Doctor-Adware
+ FlashDollars.SpywareRemover
+ Fraud.XPAntivirus
+ Nous-Tech.UCleaner
+ Nous-Tech.Ultimate-Fake-Security-Center
+ VirusProtectPro
+ Win32.Keymake
+ Win32.Renos
+ Win32.Virtualizer

PUPS (Potentially Unwanted Programs)
+ Yazzle

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
+ Starware

Trojan
+ Apropos.ax
+ Bifrose.LA (2)
+ Hupigon
+ Peflog.RP
+ PeopleOnPage.ContextPlus
+ PeopleOnPage.Envolo
+ Smitfraud-C.
+ Virtumonde
+ Win32.Agent.brf
+ Win32.Agent.brk.rtk
+ Win32.Agent.byh
+ Win32.Agent.ci
+ Win32.Autoit
+ Win32.Brabot.g
+ Win32.Delf.aeo
+ Win32.VB.aya
+ Win32.VB.Nu
+ Zlob.DNSChanger.Rtk
++ Zlob.Downloader.eot
++ Zlob.Downloader.vdt
+ Zlock.uc

Total: 471701 fingerprints in 94773 rules for 3407 products.

Spybot Search & Destroy version 1.5x is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!

Posted by Wiz at 11:37 AM | Permalink

back to top ^