March 2008 Archives | Wiz's Computer and Website Security Blog

My Spam analysis for March 24 - 30, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that male enhancement pills and other pharmaceuticals were finally displaced from the top spot in my spam categories, with Nigerian 419 and lottery scams, counterfeit brands of watches, clothing and footware, fake diplomas and debt consolidation loans, leading the pack. Most of the spam emails have links to websites hosted in China or Korea. Most of the fake and counterfeit watches, clothing, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets.

< rant >
The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the World, who will purchase enough drugs from links in spam emails to make it financially worth while for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent, online pharmacies?
< /rant >

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter, that when matched, assigns the status "BlackList" to those spam messages. This excludes lots of spam emails being categorized, since my blacklist rule is processed first. This saves processing power that is normally required by my custom filters. Furthermore, I have now applied some of my blacklist terms to the email server, on my website, automatically eliminating a huge portion of certain types of forged sender spam.

My current statistics show that spam is now 55% of all my incoming email, for the week of March 24 through 30, 2008. Without my custom MailWasher Pro filters identifying and automatically deleting most of this crap, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters for you all). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by Trojans people are tricked into clicking on. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for March 24 through 30, 2008.

Download MailWasher Pro Here

Blacklisted (by pattern matching):	26.07%
Male enhancement spam:	5.83%
Other Pharmaceutical spam (includes Viagra and Cialis):	3.89%
Other filters: (See my MWP Filters page)	18.29%
Counterfeit Watches and Shoes:	7.39%
Loans and bankruptcy spam:	5.06%
Diploma spam:	5.06%
HTML Tricks:	4.28%
Nigerian 419 and Lottery Scams:	2.72%
Known Spam, by Subject, Body, or Sender:	15.56%
Google Redirect Exploits (to hostile downloads):	4.67%
DNS Blacklists:	0.40%
Bayesian learning filter:	0.78%

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

I mentioned in this article that I use MailWasher Pro to screen and filter out spam, before it is downloaded to Outlook Express (or your equivalent POP3 email client), and that it allows the use of special pattern matching of senders' addresses to blacklist them. I thought I would share the five main pattern matching blacklist filters with you. You can use them in MailWasher, if you have it, or on your web site's cPanel, in the account-wide email filters section, if you know how to use that feature. Here are the four 'biggies" that typically block 26+% of all spam.

I set my blacklist to automatically delete, so I never see a message that is matched by these filters. If you choose to do the same you had better add all of your legitimate contacts to your Friends List, just in case. I also apply the same filter rules to my email server, on my website, thus eliminating a sizable percentage of spam without making MailWasher do the work. Those rules are listed below the equivalent MailWasher filters.

My MailWasher Pro custom BlackList wildcard patterns for current forged senders of spam:

MailWasher BlackList code: _+@+.+
Regular Expression for mail server filter use: _.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: _
Discard message

MailWasher BlackList code: -+@+.+
Regular Expression for mail server filter use: -.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: —
Discard message

MailWasher BlackList code: dw+m@+.+
Regular Expression for mail server filter use: dw.+m@.+
Discard message

MailWasher BlackList code: lin+met@+.de
Regular Expression for mail server filter use: lin.+met@.+\.de
Discard message

MailWasher BlackList code: tequil*a+@+.com
Regular Expression for mail server filter use: tequil.*a.+@.+\.com
Discard message

MailWasher Blacklist code: [email protected]
Regular Expression for mail server filter use: .+@bestdebtrepair\.net
Discard message

NEW MailWasher Blacklist code (3/27/08): [email protected]
Regular Expression for mail server filter use: .+@freenet\.de
Discard message

Here is my custom filter rule that matches senders with a forged domain name on both sides of the @ sign:

[enabled],[email protected],BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"

Learn more about MailWasher Pro, or Get MailWasher Pro here

Posted by Wiz at 3:39 PM | Permalink

back to top ^

Nigerian Scammers operating out of Madrid Spain plus, using Botnets

Lately, I have been getting lots of Nigerian 419 Lottery scams, with the originating IP located in Spain, especially the ISPs - Ono.com and Telefonica.es. However, when I report these scams to SpamCop, a lot of the sending (not originating) IP addresses end up belonging to residential customers of broadband services in the US, Europe and South America. This tells me that the Nigerian crime gangs have buddied up with the owners of a botnet and are using it to relay some of their scam messages. Furthermore, some, but not all, of the scam emails also contain clickable links that lead to instant downloads of Trojan Horse downloaders, Keyloggers and Backdoors. This stinks of the Storm-Worm-Zhelatin Gang, located in St. Petersburg, Russia, although it could be a different botnet being rented out to Nigerians.

The main point of this article is not about botnets. Rather, it is to point out that many Nigerian 419 fraudsters are moving out of Africa, and Amsterdam (where they got arrested, convicted and deported), and settling in Spain. Not wanting to have their scam/spam messages traced directly to them, they have taken to the airwaves, literally. They are "piggybacking" on their neighbors' unsecured wireless routers, in apartment complexes or houses, using IP addresses assigned to other legitimate customers, to send scam runs. The victims are completely unaware that anything illegal is happening, until the Police come knocking on their door. Fortunately, the Nigerians who are piggybacking on the broadband accounts are in the same buildings. This has allowed the Spanish Police to locate and arrest some of them, as happened on February 18, 2008. Here is a quote from the Sophos article about those arrests:

Ten Nigerians arrested in Spain for email lottery scam
February 18, 2008

The ten people, all Nigerian nationals, are suspected of making more than 19,000 Euros ($28,000) in three months by demanding payments from innocent internet users who believed they had won a lottery.

Police report that the emails sent by the suspects were sent from the Teatinos area of Malaga in Spain, by piggybacking on a neighbour's wi-fi internet connection without permission. Seven arrests were made in Malaga, and three more in Huelva province.

Malaga is no stranger to Nigerian-run email scams. In 2005, 310 people were arrested in Malaga in what was said to be the biggest ever bust of a lottery scam gang. The arrests followed an investigation by the FBI and Spanish police into a scam run by Nigerian gangs.

If you run a forum or website that is plagued by Nigerian scammers you can block them from accessing it by employing a "blocklist." I publish and maintain a Nigerian Blocklist in two common formats:

.htaccess - for most Apache-based, shared hosting websites, where the webmaster only has control over his/her own website. The .htaccess rules will only block browsing you site and form submissions, but not email scams.

iptables - for those administrator-webmasters, who have Root access to dedicated, or VPS - Linux based servers. Iptables rules can be imported into your APF firewall, to block all access to undesirables, including email access.

Rather than create an entire new blocklist for the Nigerians residing in Spain, I am adding the IP addresses and CIDRs of Spanish IPSs to my Nigerian Blocklists.

End users, who receive email via a POP client (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora), and are tired of sorting through dozens or hundreds of daily email scams and other spam, can use the program I use to filter out spam and scams. That program is MailWasher Pro, which you can read about here.

In the meantime, do not fall for any lottery scams, or other free money pitches coming from Nigerian criminals. To see the details about what they have been up to recently, read my blog article about the sudden surge in Nigerian lottery scams.

Posted by Wiz at 1:14 PM | Permalink

back to top ^

Spybot Search and Destroy Malware Definitions Updated on March 26, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on March 26, 2008:

Keyloggers (Keyloggers steal your logins and passwords)
+ SpyKeylogger
+ SpyMyPC
+ StaticX

Malware Includes fake anti-virus and anti-spyware programs
+ AlfaCleaner
+ AntiSpywareSoldier
+ AzeSearch
+ Cleanator
+ FakeAlert.cc
+ Fraud.XPAntivirus
+ MalwareWipe
+ Performance Optimizer
+ Smitfraud-C.gp
+ SpyCrush
+ SpyDawn
+ SpyHeal
+ SpyShredder
+ SpywareIsolator
+ TrustCleaner
+ Vcodec.Intcodec
+ Virtumonde.dll (incl: 5955 variants)
+ VirusBurst
+ Win32.BHO.je
+ Win32.Renos
+ WinXDefender

Trojans Featuring 12 updated detections of Zlob* Trojans
+ Smitfraud-C.
+ Smitfraud-C.MSVPS
+ Win32.Dropper.Agent.byv
+ Win32.EESbinder
+ Zlob.DirectVideo
+ Zlob.Downloader.se
+ Zlob.Downloader.sg
+ Zlob.GoldCodec
+ Zlob.HQVideoCodec
+ Zlob.ImageActiveXObject
+ Zlob.KeyGenerator
+ Zlob.MMediaCodec
+ Zlob.QualityCodec
+ Zlob.SiteTicket
+ Zlob.VideoAccess
+ Zlob.VideoKeyCodec

Total: 565762 fingerprints in 126261 rules for 3758 products!

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5.x, using the company links below.

NOTE
I just experienced something unusual and I suspect a lot more Spybot S&D users may have this happen also. I normally operate as a Power User, in Windows XP Professional. I switch to my administrator level account to upgrade programs like Spybot S&D and apply system-wide immunization, which cannot be as easily done from a Limited User account. After installing the available updates for March 26, 2008, I ran Spybot and let it remove some cookies it found. After that, having defragged and run Windows Update from the Admin account, I logged off that account and into what I thought was my regular account. When I got there most of my desktop icons were missing, the custom settings were gone and things were not right in Whoville. I quickly thought about what might cause this and instinctively I restarted the computer. After logging in at the Welcome screen all of my icons and settings were restored. Whew! If this happens to you, it is caused by the new anti-rootkit plug-ins, as I have since learned. After you update the Spybot S&D program in an Admin account, reboot before logging in to a lesser privileged account. This way you won't lose any personalized settings. I hope they fix this soon!

I just found this information posted by a member of Team Spybot, on the official Forum, regarding multiple account computers having profile corruption issues:

That's a problem when you run the update while Spybot-S&D is open. To avoid this completely, just run the updater from the start menu while Spybot-S&D is closed. But as I wrote, a restart will allow login again. 1.5.3 will have it fixed as well.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as an individuals who benefits from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.

Posted by Wiz at 11:34 PM | Permalink

back to top ^

Sudden surge in Nigerian 419 Scam emails

For the last two days I have been getting lots of spam messages sent by Nigerian criminals, who are running a new 419 Advance Fee Fraud campaign. The current crop of 419 scams are mostly composed using all capital letters in the subject (but not always), and when you read the message body, it appears to come from a Barrister, or Solicitor, or a lottery, or a Will Executor. Huge rewards supposedly await the Mugu's (Fools) who respond and are willing to pay some processing fees to get this money transferred into their soon to be emptied bank accounts.

This request for fees to be paid in advance of the transfer of the imaginary funds is referred to as a 419 scam. That is the number of the statute in the Nigerian Criminal Code that covers financial advance fee fraud.

Here is a list of the subjects from the email scams I have received in the past 60 hours (Updated 3/28/08):

Download MailWasher Pro here

ASSISTANCE
ATM PAYMENT
Attention, Attention,, Attention
Attn:Beneficiary
CONTACT EFEX COURIER COMPANY ASAP
CONTACT FEDEX COURIER COMPANY FOR YOUR DELIVERY
CONTACT FEDEX COURIER COMPANY FOR YOUR PARCEL
CONTACT REV. DR. KENNETH OKOM DIRECTOR OF ATM CARD BANK
CONTACT YOUR ATM MASETR CARD
CONTACT YOUR ATM PAYMENT CENTER
Contact your claims agent
Dear Friend
From Barrister James.
FROM: PETER SUMEN. (NPA)
GOOD NEWS
IMPORTANT NOTICE
THIS IS FOR YOUR ATTENTION.
WILL EXECUTION
YOUR CONTRACT PAYMENT
Your Payment
GOOD NEWS CONTACT HALLMARK DELIVERY COMPANY FOR THE DELIVERY OF YOUR CONSIGNMENT ASAP.

Many of the message bodies begin with "Dear Friend,". Every one of these spam messages was an attempted 419 scam. If you get any email with these subjects you can probably be safe deleting it without reading the crap inside. If your email system allows for special filter rules, create one to delete or flag as spam all messages containing ALL CAPS. Spam Assassin already has this rule built into it. I personally use MailWasher Pro to screen all of my incoming POP email, before I download it to Outlook Express. MailWasher Pro uses a variety of methods to recognize spam and scams, including user created custom filters. I happen to write and maintain a group of filters for MailWasher Pro. They are available on my MailWasher Filters Page.

If you already have MailWasher and need a filter rule to detect messages containing all capital letters, here it is (the rule should be on one long continuous line):
[enabled],"Subject All Caps/Missing (S)","Subject All Caps/Missing (S)",33023,OR,Delete,Subject,doesn'tContainRE,(?-i)[a-z],Subject,doesn'tContainRE,.
Here is my MailWasher filter for known 419 scams (one long line):
[enabled],"Nigerian 419 Scams","419 Scam",16711680,OR,Blacklist,Delete,Body,containsRE,"^(?-i)Dear\ (Sir/Madam|Friend),( )?$",Body,contains,"URGENT AND CONFIDENTIAL",Body,contains,"BANK OF NIGERIA",Subject,is,"URGENT AND CONFIDENTIAL",Body,containsRE,"unclaimed\ (benefits|funds)",Subject,contains,"CONFIDENTIAL MUTUAL BUSINESS PROPOSAL",Body,contains,"contacting you based on Trust",From,contains,"Department of National Lotteries",Subject,contains,"UNITEDN NATION",Subject,containsRE,"TREAT\ (AS|VERY)\ (CONFIDENTIAL|URGENT)"
Just copy and paste that rule into your MailWasher filters.txt file, which is found in (Windows XP) your logged in identity > Documents and Settings > Application Data > MailwasherPro folder. Make sure MailWasher is closed before you add this rule, save the file, then open MWP again. The rule should be visible when you click on View > Filter Sidebar (Ctrl+F7). You can download MailWasher Pro here.

Do not ever fall for the pitches from these Con men in Nigeria. They are very good at relieving North Americans and Brits of their excess money, using greed as the bait.

If you have a website, with a forum, hosted on an Apache web server, and your members are getting harassed by Nigerian scammers, you should consider applying my .htaccess Nigerian Blocklist, to your web or forum root folder. This will block them from viewing posts, or signing up for accounts, using a browser, but won't block email or ftp access. On the other hand, if you have administrator access to the operating system itself, applying my Nigerian iptables blocklist to your Linux APF firewall will block not only http browsing, but also, email from Nigerian criminals, signups and ftp access. They won't be able to access your server whatsoever, if you apply the firewall rules.

.htaccess blocklist (recommended for most non-admin webmasters):
My .htaccess Nigerian Blocklist is found here

Linux APF firewall - iptables blocklist, for admins with root access:
My iptables Nigerian Blocklist is located here

I also publish blocklists in both .htaccess and iptables formats, to block Chinese and Korean traffic, Russian and Turkish spammers and exploited servers.

Posted by Wiz at 9:42 PM | Permalink

back to top ^

Mozilla Releases Firefox Browser 2.0.0.13 Security Update

March 25, 2008

Tonight, while I was browsing with Firefox, it was suddenly upgraded from version 2.0.0.12 to 2.0.0.13. This is because I set the option for Firefox to automatically check for and apply updates. Being the curious type I looked up the release notes, to find out why this new sub-version was pushed out, so quietly tonight. Here is the skinny.

What's New in Firefox 2.0.0.13

Release Date: March 25, 2008
Security Update: The following security issues were fixed.

MFSA 2008-19: XUL popup spoofing variant (cross-tab popups) - High
MFSA 2008-18: Java socket connection to any local port via LiveConnect - High
MFSA 2008-17: Privacy issue with SSL Client Authentication - Low
MFSA 2008-16: HTTP Referrer spoofing with malformed URLs - Moderate
MFSA 2008-15: Crashes with evidence of memory corruption (rv:1.8.1.13) - Critical
MFSA 2008-14: JavaScript privilege escalation and arbitrary code execution - Critical

This is half the vulnerabilities that were patched in the previous upgrade, from 2.0.0.11 to 2.0.0.12, which was released on February 7, 2008. If you use Firefox Browsers you should check for updates as soon as you go online with a computer it is installed on. It may beat you to the draw though! Otherwise, open Firefox and click on the Menu Item: "Help" > "Check for Updates." If you need the update it will be displayed prominently, with a button to Download and Install now. It'll only take a minute or so, on Broadband, after which a box will pop-up telling you that Firefox was upgraded and must be restarted. Click Ok to restart, even if you have multiple tabs open. They will reopen when Firefox restarts. You may have to login to password protected sites. After the update and restart, if you use and Add-Ons, or Extensions, run a check for updates to those items. It may take a few days for the authors to catch up and issue new releases to remain compatible with the latest updates. Most of the time everything I have added on still works after numerous upgrades.

If this is all news to you and you have not tried the FIrefox browser, here is a link to the official Firefox download page, for all languages. If you, like me, are in the US (or Canada), and use the US English version, on a Windows based computer, here is your Firefox download link, for the 5.7 Mb file. Save it to your hard drive and run setup. During the setup process Firefox will offer to import your Internet Explorer Favorites and Cookies. Allow it to import these items and finish the installation. Once Firefox opens you will have Bookmarks instead of Favorites, but, all of your previously saved Favorites will be available by clicking on Bookmarks > "From Internet Explorer." Mouse over this folder and all your Favorites will flyout in a list. Clicking on any bookmark will open it in the browser. Since you told it to import your cookies your preferences will carry over as well, although you may have to re-type your logins to some websites, manually. If this is necessary, tell Firefox to remember your login for that website and it will be safely stored for you.

Firefox is a tabbed browser and can open links you click on in a new tab, instead of a new Window. You have the option of giving the new tab focus, or staying put where you were when you clicked on the link. Furthermore, Firefox does not run any ActiveX controls, thus making it infinitely more safe to browse with then Internet "Exploder." Give Firefox a try today.

Posted by Wiz at 11:36 PM | Permalink

back to top ^

Russian connection to user agent "WordPress/2.1.1" in website access logs

I read the access logs for my website every day and sometimes I see something that jumps out and grabs my attention, as not right. This month, that something is a bunch of attempts to grab various pages on my blog, in an unusual manner, with a very unusual user agent: WordPress/2.1.1

At first I thought that somebody is just trying to pick up my MovableType RSS feed, but that is not what they are after. So, I did a little research on "WordPress/2.1.1" and learned that it represents a hacker compromised version of the popular WordPress PHP blogging software, which was updated months ago, to version 2.1.2, by Wordpress.org. I suppose that there may be some Wordpress users who haven't heard that this version was hacked with a backdoor, and haven't bothered to check for updates, but the log entries I am seeing are not from a Wordpress blog. I decided to do a little investigating, which is something I am good at. So, I followed the IP addresses to see from whence they came.

What I have learned so far, regarding the visitors who have configured their browser with the user agent "WordPress/2.1.1" is that, (A) - they come at me with no "Referer" field entry, (B) - they always try to GET a blog article itself, followed immediately with a request for the HEAD, and (C) - they change IP addresses after getting my 403 (Forbidden) message and try again. This cloaking of IP addresses has no effect, since I am also blocking them by their User Agent string.

Let's take a look at the access log entries for this user agent (stretch out or maximize your browser):

67.228.198.50 - - [02/Mar/2008:00:58:01 -0700] "GET /blogs/2008/02/my_spam_analysis_for_february_18_24_2008.html HTTP/1.1" 403 350 "-" "WordPress/2.1.1"
67.228.198.50 - - [02/Mar/2008:01:04:52 -0700] "HEAD /blogs/2008/02/my_spam_analysis_for_february_11_17_2008.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"

69.50.177.18 - - [13/Mar/2008:12:06:49 -0600] "GET /blogs/2008/03/2wire_modem_dns_poisoning_attack_returns_to.html HTTP/1.1" 403 351 "-" "WordPress/2.1.1"
69.50.177.18 - - [13/Mar/2008:12:07:14 -0600] "HEAD /blogs/2008/03/2wire_modem_dns_poisoning_attack_returns_to.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"

83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

89.108.85.75 - - [23/Mar/2008:16:52:38 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
89.108.85.75 - - [23/Mar/2008:16:53:08 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

91.192.116.2 - - [23/Mar/2008:18:56:59 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
91.192.116.2 - - [23/Mar/2008:18:57:14 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

216.255.185.178 - - [24/Mar/2008:10:15:07 -0600] "GET /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1
216.255.185.178 - - [24/Mar/2008:10:15:22 -0600] "HEAD /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1

These are definitely not typical access log entries and nothing a normal search engine or human visitor would do. Wordpress is a software blog application that gets installed onto web servers. It is not a browser. User agents are words that identify a browser, or a search engine, or robot. Despite the diversity of IP addresses, these visits are not unrelated. Read my extended comments to see where these IP addresses are allocated and my conclusions about their source and probable intent.

We are following the strange access log entries of a visit from somebody, or some bot, using the distinct user agent string: Wordpress/2.1.1. It hit my server over most of the month of March (so far), always using a GET followed by a HEAD request, for the same blog files. Let's trace those IP addresses to their home bases.

67.228.198.50 belongs to SoftLayer, a web host full of compromised servers and websites, that is on my Exploited Servers Blocklist.

69.50.177.18 belongs to Concord Intercage / Atrivo.com, with a CIDR of 69.50.160.0/19.

NetRange: 69.50.160.0 - 69.50.191.255
CIDR: 69.50.160.0/19
NetName: INTERCAGE-NETWORK-GROUP
NetHandle: NET-69-50-160-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: MAIL.ATRIVO.COM
NameServer: PAVEL.ATRIVO.COM

What do we know about Atrivo and Intercage? LOTS!

A quick lookup of the IP in question, 69.50.177.18, at Spamhaus.org, reveals this interesting tidbit, under Ref: SBL53320:

69.50.160.0/19 is listed on the Spamhaus Block List (SBL)

Hosting: inhoster.com spammer/cybercrime hosting front

See:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL36702

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL36453
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

What is the connection between Intercage, Atrivo and Inhoster? Inhoster is registered via estdomains, which is hosted on Intercage/Atrivo, all of which are owned by the same person.

83.222.14.129 belongs to MASTERHOST-COLOCATION, which is located at Lyalin lane 3, bld 3, 105062, Moscow, Russia. The CIDR for Masterhost is 83.222.0.0/19.

89.108.85.75 is assigned to Agava Company, based in B. Novodmitrovskaya str., 36/4, 127015 Moscow, Russia. Their CIDR is 89.108.64.0/19.

91.192.116.2 is hosted in the United Kingdom, on servers owned by TodayHost Ltd. IP addresses within their CIDR; 91.192.116.0/22, have been harassing my website for a couple of months now. All of their efforts are blocked thusfar.

216.255.185.178 is owned by none other than Intercage! This particular net block has a CIDR of 216.255.176.0/20.

These unusual visits from multiple IPs, are traced back to Russian concerns. Inhoster is involved here, as probably is the RBN. Whatever they are up to, it is no good. My guess is that this is either an attempt to read the source code of my blog, looking for a way to send automated comment spam, or to test my security fences. The single British host is no surprise to me either. I have already learned that the RBN is now farming out servers from certain UK concerns, but using them for their own, malicious purposes.

My recommendations for other webmasters.
Apply my Exploited Servers Blocklist and my Russian Blocklist to your Apache Server .htaccess file, as soon as possible. If you have root access to your Linux based server, use my iptables blocklists instead, in your Linux APF firewall.

A sample of the blocklist for .htaccess, for just these aforementioned IP CIDRs, is:

<Files *>
order deny,allow
deny from 67.228.0.0/16 69.50.160.0/19 83.222.0.0/19 89.108.64.0/19 91.192.116.0/22 216.255.176.0/20
</Files>

Additionally. block access to anybody with the exact user agent "WordPress/2.1.1" - in your .htaccess, with the following rule:

RewriteCond %{HTTP_USER_AGENT} ^WordPress/2\.1\.1$
RewriteRule .* - [F]

Posted by Wiz at 8:18 PM | Permalink

back to top ^

My Spam analysis for March 17 - 23 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that male enhancement pills and other fake pharmaceuticals dominated all spam categories, but, with counterfeit brands of watches, clothing and footware, along with fake diplomas, making a big comeback. Most of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Much of the fake and counterfeit drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets.

< rant >
The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the World, who will purchase enough drugs from links in spam emails to make it financially worth while for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent, online pharmacies?
< /rant >

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter, that when matched, assigns the status "BlackList" to those spam messages. This excludes lots of spam emails being categorized, since my blacklist rule is processed first. This saves processing power that is normally required by my custom filters. Furthermore, I have now applied some of my blacklist terms to the email server, on my website, automatically eliminating a huge portion of certain types of forged sender spam.

My current statistics show that spam is now 50% of all my incoming email, for the week of March 17 through 23, 2008. This is 6% down from last week, much of which is attributable to me applying pattern matching spam filters to my mail server. However, 50% spam is still getting through and without my custom MailWasher Pro filters identifying and automatically deleting most of this crap, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters for you all). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by Trojans people are tricked into clicking on. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for March 17 through 23, 2008.

Download MailWasher Pro Here

Blacklisted (by pattern matching):	15.49%
Male enhancement spam:	15.96%
Other filters: (See my MWP Filters page)	26.29%
Counterfeit Watches and Shoes:	18.78%
Casino spam:	3.29%
Diploma spam:	6.10%
HTML Tricks:	6.10%
Spam sent to and from same email account:	2.82%
Known Spam Subjects:	4.23%
DNS Blacklists:	0.47%
Bayesian learning filter:	0.47%