February 28, 2010

My Spam analysis for the week of Feb 22 - 28, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 5% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, including a lot of spam for counterfeit watches, illicit drugs, fake Viagra, Canadian Pharmacy scams, pirated software, casinos and fake diplomas. My updated blacklisted senders list proved effective again this week, auto-deleting over 9% of all incoming spam (see my extended content for details).

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb Feb 22 - 28, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for Feb 22 - 28, 2010. Spam amounted to 47% of my incoming email this week. This represents a -5% change from last week.
finger pointing right MailWasher Pro by Firetrust
Pharmaceutical Spam: 20.34%
Viagra: 19.31%
Known Spam Domains: 12.41%
Counterfeit Watches: 10.69%
Other Filters (misc filters): 10.00%
Blacklisted Senders (dating scams & Viagra, etc): 9.31%
Casino Spam: 3.79%
Canadian Pharmacy: 3.10%
Phishing Scam: 3.10%
Diploma Scams: 3.10%
Exploit Link: 2.41%
Software (Pirated) Spam: 2.07%
DNS Blacklisted Servers: 0.34%

This was a busy week for updates to my custom spam filters. The latest updates to my custom MailWasher Pro filters were to these filters:

African Sender
Casino Spam
Male Enhancement [B]
Nigerian 419 Scam #3 [S F R]
Nigerian 419 Scam #5 [B]
RIPE
Russian Sender
PayPal Phishing Scam #1
Pharmaceuticals [S]
Phishing Scam [S or F]
Phishing Scam [B]
Software Spam
Unlicensed Prescription Drugs
Viagra.com Spam

(New Filters Added This Week)
(New) Blogger Exploit Link
Split Nigerian 419 Scams into 6 filters & disabled original

The following recent MailWasher Pro Email Blacklist entries were able to block over 9% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.cn
+@+.de
+@+.hk
+@+.jp
+@+.kr
+@+.ru
+@+.tw
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
notification*@googlemail.com
[email protected]
[email protected]

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Facebook Twitter LinkedIn Pinterest Instapaper Google+ Addthis

back to top ^

February 24, 2010

Spybot Search & Destroy updates for Feb 24, 2010

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on February 24, 2010, as listed below. 7 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 20 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Additions made on 02/24/2010

Adware
+ MeMedia.AdVantage
++ YourSiteBar

Malware
++ Fraud.AntimalwareDoctor
++ Fraud.PCDefender
++ Fraud.PersonalAntiMalwareCenter
++ Fraud.SecureEssentials2010
+ Fraud.Sysguard
+ Lop
+ Win32.Virut.ag

Security Vulnerabilities
+ Microsoft.Windows.RedirectedHosts

Spyware
+ Win32.Spynet.a

Trojan
++ Bredolab.fb
++ Fraud.avi
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.nb
+ Win32.Agent.xwr
+ Win32.Autorun.mbzt
+ Win32.Bifrost
+ Win32.CeeInject
+ Win32.FakeAlert.ttam
++ Win32.OnLineGames.bkrn
++ Win32.OnLineGames.uiwr
++ Win32.OnLineGames.ussu
++ Win32.Prolaco.p
+ Win32.TDSS.reg
+ Win32.TDSS.rtk
++ Win32.vbs
+ Win32.ZBot
+ Win32.ZBot.rtk

Spybot S&D currently has 2111918 fingerprints in 796159 rules for 5250 products.

False Positives Reported This Past Week

Thus-far, no false positives were confirmed for this week, as of the time this article was published.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate the TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above..

Facebook Twitter LinkedIn Pinterest Instapaper Google+ Addthis

back to top ^

February 21, 2010

My Spam analysis for the week of Feb 15 - 21, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 5% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, including a lot of spam for counterfeit watches and phones, illicit drugs, fake Viagra, Russian dating scams, pirated software, casinos and fake diplomas. My updated blacklisted senders list proved extremely effective again this week, auto-deleting over 16% of all incoming spam (see my extended content for details).

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb 15 - 21, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for Feb 8 - 14, 2010. Spam amounted to 52% of my incoming email this week. This represents a +5% change from last week.
finger pointing right MailWasher Pro by Firetrust
Viagra: 32.26%
Blacklisted Senders (dating scams & Viagra, etc): 16.85%
Other Filters (misc filters): 12.19%
Counterfeit Watches: 9.68%
Pharmaceutical Spam: 7.17%
Known Spam Domains: 6.45%
Diploma Scams: 3.58%
Casino Spam: 3.58%
Russian Sender: 2.15%
Software (Pirated) Spam: 1.79%
Dating Scams: 1.43%
Known Spam TO: 1.43%
DNS Blacklisted Servers: 1.43%

This was a busy week for updates to my custom spam filters. The latest updates to my custom MailWasher Pro filters were to these filters:

APNIC
Canadian Pharmacy
Counterfeit Goods
Dating
(DHL) Courier Phishing Scam
Exploit Link Only (to malware infection)
Hidden ISO Subject
Known Spam Domains
Known User-Agent Spam
Loans
Nigerian 419 scams
Phishing Scam [Subject or From]
Russian Sender
Software Spam
Unlicensed Prescription Drugs
UPS Phishing Scam #1

(New Filters Added This Week)
Flagged by Spam Assassin
Live.com Spam Link
Subject contains < * + ' >

The following recent MailWasher Pro Email Blacklist entries were able to block almost 17% of this week's spam. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.cn
+@+.de
+@+.hk
+@+.jp
+@+.kr
+@+.ru
+@+.tw
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
notification*@googlemail.com
[email protected]
[email protected]

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Facebook Twitter LinkedIn Pinterest Instapaper Google+ Addthis

back to top ^

February 17, 2010

Spybot Search & Destroy updates for Feb 17, 2010

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on February 17, 2010, as listed below. 16 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 18 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. One updated Internet Worm detection was also added this week.

Additions made on 02/17/2010

Adware
++ DonkeyToolbar

Malware
+ AdRotator
+ Fake.SpywareRemover
++ Fraud.AdvancedDefender
++ Fraud.GuardWWW
+ Fraud.MalwareDefense
++ Fraud.PaladinAntivirus
++ Fraud.SavePcAv
++ Fraud.SecurePcAv
+ Fraud.Sysguard
+ Fraud.SystemSecurity
+ Fraud.VolcanoSecuritySuite
++ Fraud.YourPCProtector
+ Lop
+ Mirar
+ Win32.FraudLoad
+ Win32.TDSS.reg

PUPS (Possibly Unwanted Programs)
++ GameVance.PlaySushi
+ Live-Player

Spyware
++ Win32.Spynet.a

Trojan
+ Supsav.Smss32
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.ado
++ Win32.Agent.svv
++ Win32.Agent.wi
+ Win32.Agent.wu
+ Win32.Autorun.mbzt
+ Win32.FakeAlert.ttam
++ Win32.HareBot.a
++ Win32.OnLineGames.ujug
++ Win32.Rbot.wu
++ Win32.ScreenBlaze
++ Win32.Stinx.h
+ Win32.TDSS.rtk
++ Win32.Virut.w
+ Win32.ZBot

Worm
+ Win32.Allaple.ab

Spybot S&D currently has 2033341 fingerprints in 769409 rules for 5235 products.

False Positives Reported This Past Week

TeaTimer mistakenly detected the "Morpheus Toolbar" in C:\WINDOWS\system32\WBEM\WMIADAP.EXE, during an upgrade of a user's Intel Wireless 3945ABG software from version 10.x to 11.5.x, using the DELL proprietary driver upgrade. Team Spybot offered this solution to the affected user, or others similarly affected by false positives in Teatimer:

If you are running several security software, make sure that only one active protection feature runs at a time. In case you want to deactivate the TeaTimer you can do this in Spybot S&D advanced mode in Tools - Resident.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

Facebook Twitter LinkedIn Pinterest Instapaper Google+ Addthis

back to top ^

February 14, 2010

My Spam analysis for the week of Feb 8 - 14, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 4% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including a lot of spam for counterfeit diplomas, watches and Viagra, the totally fake "Canadian Pharmacy," Russian dating scams, Nigerian 419 and lottery scams and various identity phishing scams. My updated blacklisted senders list proved extremely effective again this week, auto-deleting over 24% of all incoming spam (see my extended content for details).

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb 8 - 14, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for Feb 8 - 14, 2010. Spam amounted to 47% of my incoming email this week. This represents a -4% change from last week.
finger pointing right MailWasher Pro by Firetrust
Viagra: 36.71%
Blacklisted Senders (dating scams & Viagra, etc): 24.47%
Other Filters (misc filters): 11.81%
Counterfeit Watches: 5.49%
Canadian Pharmacy Scams: 5.06%
Pharmaceutical Spam: 4.64%
Diploma Scams: 2.11%
Known Spam Domains: 2.11%
Nigerian 419 and Lottery Scams: 1.69%
Subject all CAPS (mostly 419 scams): 1.69%
DNS Blacklisted Servers: 1.69%
Phishing Scams: 1.27%
PDF Attachment exploit threats: 1.27%

The latest weekly updates to my custom MailWasher Pro filters were to the Viagra Spam [S], Phishing Scam [S or F], UPS Phishing Scam #1, Unlicensed Prescription Drugs, Exploit Link, Known Spam Domains, Facebook Phish (New), Western Union Scam, Herbal Spam and African Sender (419) filters. Everything else is working as it should. If you're not already using MailWasher Pro to filter out spam you should consider doing so! Read the next three paragraphs for more details about it.

The following recent MailWasher Pro Email Blacklist entries were able to block almost 25% of this week's spam. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.de
+@+.hk
+@+.tw
+@+.jp
+@+.kr
+@+.ru
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Facebook Twitter LinkedIn Pinterest Instapaper Google+ Addthis

back to top ^

February 11, 2010

Spybot Search & Destroy updates for Feb 10, 2010

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on February 10, 2010, as listed below. 7 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 8 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. Two Internet Worm detections were also added this week and another long distance modem dialer.

Additions made on 02/10/2010

Dialer
+ Coulomb Ltd.Content Access Plugin

Malware
++ Fraud.AntimalwareDefender
++ Fraud.KasperskiyAntivir
+ Fraud.PCAntispyware2010
+ Fraud.Sysguard
+ Fraud.XPAntivirus
+ Win32.FraudLoad.edt
++ Win32.Wace.a

PUPS (Possibly Unwanted Programs)
+ Live-Player

Trojan
++ FakeAlert.gx
++ FakeAlert.lv
++ FakeBill.UPS
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Joleee.egx
+ Win32.ZBot

Worm
+ Win32.Allaple.ab
+ Win32.Socks.T

Spybot S&D currently has 1976598 fingerprints in 751278 rules for 5212 products.

False Positives Reported This Past Week

Teatimer had a false positive detection of "DoubleD.DesktopSmiley" in C:\WINDOWS\system32\msiexec.exe. Install the latest definition updates, then stop Teatimer, close it, wait a minute, then restart it. Instructions for restarting Teatimer are in my extended content.

This isn't a false positive, but a business decision that has been reversed. After reviewing the business email practices of VistaPrint, it was removed from HOSTS file IP blocking immunization with the update from the 2010-02-10. People who want to do business with VistaPrint and still use Spybot S&D's full immunization regime can now do so, without manually editing their HOSTS file.

The use of the Windows HOSTS file to block potentially bad IPs and URLS is getting carried to extremes lately. Since Spybot does not alert you when it is responsible for blocking a website via HOSTS entries (to 127.0.0.1), many users are unaware that the program is blocking websites they may wish to visit. If you used to be able to go to some website and after updating Spybot's definitions you find that the page cannot be displayed, it may have been added to the HOSTS blocklist by Spybot updates. You can edit the file manually, in Notepad, or in a HOSTS editor program, or uncheck the option for HOSTS in the Immunization list and reimmunize. That will remove all entries from HOSTS that were added by Spybot S&D.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

Facebook Twitter LinkedIn Pinterest Instapaper Google+ Addthis

back to top ^

February 7, 2010

My Spam analysis for the week of Feb 1 - 7, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including Russian dating spam, fake diplomas and counterfeit brand name watches, pirated software, male enhancement scams, counterfeit Viagra, the fake Canadian Pharmacy, Nigerian 419 scams, DHL and UPS Courier scams and other phishing scams. My updated blacklisted senders list proved extremely effective again this week, auto-deleting ~19% of all incoming spam.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb 1 - 7, 2010, and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Feb 1 - 7, 2010. Spam amounted to 51% of my incoming email this week. This represents a +2% change from last week.
finger pointing right MailWasher Pro by Firetrust
Viagra: 32.13%
Blacklisted Senders (mostly dating scams this week): 18.69%
Other Filters (misc filters): 13.11%
Counterfeit Watches: 5.90%
Male Enhancement Scams: 5.25%
Dating Spam: 5.25%
Diploma Scams: 4.92%
Phishing Scams: 4.26%
Pirated Software (like "Eurosoft"): 3.28%
Canadian Pharmacy Scams: 2.30%
Known Spam Domains: 1.97%
Nigerian 419 Scams: 1.97%
DNS Blacklisted Servers: 0.98%

The latest weekly updates to my custom MailWasher Pro filters were to the (DHL) Courier Phishing Scam, Dating Spam, Software Spam, Unlicensed Prescription Drugs, Viagra Spam [B], Herbal Spam, Male Enhancement [S], Nigerian 419 Scams, PayPal Scams #2, Pharmaceuticals [S], Phishing Scam [S] and [B], and Stud Tips filters. Everything else is working as it should. If you're not already using MailWasher Pro to filter out spam you should consider doing so! Read the next three paragraphs for more details about it.

The following recent MailWasher Pro Email Blacklist entries were able to block almost 19% of this week's spam.
+@+.de
+@+.hk
+@+.tw
+@+.jp
+@+.kr
+@+.ru
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

These expressions instantly delete any messages with a "From" email address ending with one of those domains. These expressions resulted in 18.69% of spam being captured by the MWP Blacklist. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Facebook Twitter LinkedIn Pinterest Instapaper Google+ Addthis

back to top ^

February 4, 2010

Spybot Search & Destroy updates for Feb 3, 2010

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on February 3, 2010, as listed below. 9 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 14 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. An Internet Worm detection was also added this week.

Additions made on 02/03/2010

Dialer
+ eGroup.InstantAccess

Malware
+ FakeAlert.gen
++ Fraud.MyPcSecure
++ Fraud.PcSecureNet
++ Fraud.PcsSecure
+ Fraud.WinPCDefender
+ Lop
+ SuperEasySearch
+ Win32.FraudLoad
+ Win32.FraudLoad.edt

Trojan
++ FakeAlert.be
+ FakeAlert.BraveSentry
++ FakeAlert.is
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.wu
++ Win32.DownloaderX.HAV
+ Win32.FakeAlert.ttam
+ Win32.FraudPack
+ Win32.TDSS.clt
+ Win32.Turkojan
++ Win32.Virut.ag
+ Win32.ZBot

Worm
+ Win32.Allaple.ab

Spybot S&D currently has 1948083 fingerprints in 743598 rules for 5207 products.

False Positives Reported This Past Week

No false positives were reported or discussed this past week.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

Facebook Twitter LinkedIn Pinterest Instapaper Google+ Addthis

back to top ^

February 1, 2010

My Spam analysis for the week of Jan 25 - 31, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including Russian dating spam, fake diplomas and counterfeit brand name watches, pirated software, male enhancement scams, counterfeit Viagra, the fake Canadian Pharmacy and DHL Courier scams. My updated blacklisted senders list proved extremely effective again this week, auto-deleting ~25% of all incoming spam.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Jan 25 - 31, 2010, and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Jan 25 - 31, 2010. Spam amounted to 49% of my incoming email this week. This represents a +2% change from last week.
finger pointing right MailWasher Pro by Firetrust
Viagra: 25.19%
Blacklisted Senders (mostly dating scams this week): 24.81%
Other Filters (misc filters): 10.69%
Counterfeit Watches: 8.02%
Known Spam Domains: 6.11%
Canadian Pharmacy Scams: 4.96%
Diploma Scams: 4.20%
Pirated Software (like "Eurosoft"): 3.44%
Pharmaceuticals: 3.44%
Male Enhancement Scams: 3.05%
Phishing Scams: 3.05%
Dating Spam: 3.05%

The latest weekly updates to my custom MailWasher Pro filters were to the Exploit Link, UPS Phishing Scam #1, (DHL) Courier Phishing Scam, Viagra.com Spam, Canadian Pharmacy, Dating Spam, Credit Card Phishing Scam filters. Everything else is working as it should. If you're not already using MailWasher Pro to filter out spam you should consider doing so! Read the next three paragraphs for more details about it.

The following Email Blacklist entries were able to block almost 25% of this week's spam.
+@+.de
+@+.hk
+@+.tw
+@+.jp
+@+.kr
+@+.ru
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]

These expressions instantly delete any messages with a "From" email address ending with one of those domains. These expressions resulted in 24.81% of spam being captured by the MWP Blacklist. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Facebook Twitter LinkedIn Pinterest Instapaper Google+ Addthis

back to top ^

Blog Links

Sponsored Message

I recommend Malwarebytes to protect your computers and Android devices from malicious code attacks. Malwarebytes detects and blocks spyware, viruses and ransomware, as well as rootkits. It removes malware from an already infected device. Get an 18 month subscription to Malwarebytes here.

If you're a fan of Robert Jordan's novels, you can buy boxed sets of The Wheel Of Time, here.

As an Amazon and Google Associate, I earn commissions from qualifying purchases.


CIDR to IPv4 Address Range Utility Tool | IPAddressGuide
CIDR to IPv4 Conversion



About the author
Wiz FeinbergWiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

Follow @Wizcrafts on Twitter, where I post short updates on security issues, spam trends and things that just eat at my craw.

Follow Wizcrafts on Twitter


Malwarebytes' Anti-Malware is the most frequently recommended malware removal tool in malware removal forums, like Bleeping Computers. It is extremely effective for removing fake/rogue security alerts, Bots, Spyware and the most prevalent and current malware threats in the wild. Learn about Malwarebytes Anti-Malware.


MailWasher Pro is an effective spam filter that protects your desktop email client. Using a combination of blacklists and built-in and user configurable filters, MailWasher Pro recognizes and deletes spam before you download it. MailWasher Pro reveals the actual URL of any links in a message, which protects you from most Phishing scams. Try it free for 30 days.





Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type

back to top ^