May 30, 2011

Beware of fake Adobe, Skype and Limewire upgrade, email scams

During the past week I have been receiving, classifying, reporting and deleting scam emails pushing links to fake upgrades for Adobe, Skype and the now defunct LimeWire programs. The bulk of these arrived over the past 24 hours, right up until a short time before I wrote this article. You need to be aware of the nature of these scams and make sure you don't fall for them.

Let's start with the most prevalent of the new scams: the fake Adobe Reader upgrade notices. It starts with the arrival of unexpected email messages spoofed to look as if they were sent from Adobe Support. The subjects contain wording such as: "New Acrobat PDF Reader Has Released !" - followed by either Download or Upgrade Now. While the From field contains a plain text name that includes Adobe Support, or email.adobe.com, in the Prefix, it does not have an Adobe domain in the actual sender's email address. Rather, one may find, as I did, that they are spoofing the sender as an account at "hotels.octopustravel.com."

The message body includes an introduction in all capital letters (as of this writing), claiming: "ADOBE PDF READER UPGRADE NOTIFICATION" - followed by descriptive text copied from the Adobe Reader web pages. The scammers then announce: "contains critical security updates" and provide you with a cleverly worded link that includes the words "adobe", "PDF" and/or "Reader", with dashes between words, ending with the word -download(s) or -upgrade.com. The links lead to exploit websites in China, hosted on Windows servers at: 122.224.4.113, and possibly other nearby IP addresses.

The related Skype scams purport to come from Skype Support (but not from skype.com) and tell about all of the benefits of upgrading to the newest version of Skype. However, as in the previous Adobe scam, the links end in -download(s).com. Again, this domain is hosted on a Windows IIS web server in China, at 122.224.4.113 (or neighbors).
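The two tell-tale signs described above (a brand name in the From display name with an unrelated sender domain, and a hyphenated link host ending in -download(s).com or -upgrade.com) can be checked mechanically. The Python below is an added example, not one of the MailWasher filters mentioned in this article; the sample messages, the placeholder domains and the inclusion of "skype" as a link word are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands named in the article and the domain a genuine sender would use.
BRAND_DOMAINS = {"adobe": "adobe.com", "skype": "skype.com"}

# Hyphen-separated host names ending in -download.com, -downloads.com
# or -upgrade.com, as the article describes.
LURE_HOST = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*-(?:downloads?|upgrade)\.com$")
# Words the article lists for the Adobe links; "skype" is an assumption.
LURE_WORDS = {"adobe", "pdf", "reader", "skype"}
URL_HOST = re.compile(r"https?://([^/\s\"'<>:]+)", re.I)


def sender_mismatch(msg):
    """Return (brand, domain) when the From display name claims a brand
    but the address domain does not belong to it, else None."""
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, legit in BRAND_DOMAINS.items():
        owned = domain == legit or domain.endswith("." + legit)
        if brand in display.lower() and not owned:
            return brand, domain
    return None


def body_text(msg):
    """Concatenate every text part of the message, decoded to str."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def lure_links(msg):
    """Return link hosts that match the fake-upgrade naming pattern."""
    hits = set()
    for host in URL_HOST.findall(body_text(msg)):
        host = host.lower()
        if host.startswith("www."):
            host = host[4:]
        words = set(host.split(".")[0].split("-"))
        if LURE_HOST.match(host) and words & LURE_WORDS:
            hits.add(host)
    return sorted(hits)


def classify(raw):
    """Return a list of human-readable findings for one raw message."""
    msg = message_from_string(raw)
    findings = []
    mismatch = sender_mismatch(msg)
    if mismatch:
        findings.append("From name claims %s but address domain is %s" % mismatch)
    for host in lure_links(msg):
        findings.append("link host matches upgrade-lure pattern: " + host)
    return findings


# Constructed sample shaped like the scam described in the article.
SCAM_ADOBE = (
    'From: "Adobe Support" <account@hotels.constructed.example>\n'
    "Subject: New Acrobat PDF Reader Has Released ! Upgrade Now\n"
    "\n"
    "ADOBE PDF READER UPGRADE NOTIFICATION\n"
    "contains critical security updates\n"
    "http://www.constructed-sample-adobe-pdf-reader-upgrade.com/\n"
)

# Constructed sample of a message whose sender domain matches the brand.
GENUINE = (
    'From: "Adobe Support" <news@email.adobe.com>\n'
    "Subject: Reader release notes\n"
    "\n"
    "Details at https://www.adobe.com/reader\n"
)

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_ADOBE), ("genuine", GENUINE)):
        print(label, classify(raw))
```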

The latest round to arrive this evening claims to lead to an alternative to the now defunct LimeWire file sharing system. That illegal file sharing service was shut down by US Federal Court action, led by the D.O.J. The new scam claims to offer you free P2P software that allows you to send and receive illegal files with other law breakers and pirates. However, if you download that installer, instead of getting connected to a new file sharing service, you will become botted, with your PC becoming a contributing member of a peer to peer spam botnet. Then your PC will be used to send out messages like these to innocent people whose email addresses have been harvested by spam bots on their friends' computers.

Get MailWasher Pro here. Free to try for 30 days, fully functional! I have just finished writing three new filters for MailWasher Pro users, which detect these new software scams and block them (with either automatic or manual deletion). All of my custom spam filters are available in both the old (filters.txt - for up to v 6.5.4) and new (Filters.xml - for MWP 2010 onward) MailWasher formats. If you use MailWasher Pro to filter out spam, before downloading it to your desktop email client, you should take a look at my filters and see if they help reduce your time spent classifying what is good and what is spam email.

My filters are still free to download and use, but I most certainly do appreciate any donations that grateful MailWasher Pro users make, to show their appreciation for my work.


May 29, 2011

My Spam analysis & filter updates for the week of May 22 - 29, 2011

For two weeks in a row, spam levels have remained lower than usual. Spam for counterfeit watches maintained its lead over imitation Viagra and Cialis, by a ~9% margin. This was followed by the return of weight loss scams, male enhancement scams and various dating and lottery scams and links to .RU domains, all of which had lesser percentages.

The malware in attachments, for botnet installers, reappeared this week, in the form of fake links to Adobe Reader and Skype updates. I pity anybody who was fooled into clicking on those hostile links (they are now botted!). When the botnets lose zombie members from disinfection, their Bot Masters send out new rounds of malware infected attachments and links, to rebuild their armies of spam-bots.

Therefore, spam protection is still needed as it will get worse again (it always ebbs and flows). MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 23% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from May 22 - 29, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 23%; -1% from last week
Number of messages classified as spam: 114
Number classified by my custom spam filters: 99
Number and percentage of spam according to my custom blacklist: 3
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 17


The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 34.62%
Fake Viagra and Cialis: 25.96%
Other Filters (with small individual percentages): 7.69%
Male Enhancement scams: 5.77%
Weight Loss Scams: 5.77%
Known Spam [From]: 3.85%
My Blacklist: 2.88%
Diploma Spam: 2.88%
Subject contains email address: 2.88%
LACNIC sender: 1.92%
DNS Blacklisted Servers: 1.92%
419 Scams: 1.92%
Subject All Capitals (419 scams): 1.92%

This week I made 2 updates and/or additions to my custom filters:
Known Spam Domains (2x)

I made 1 addition to my custom Blacklist:
[email protected]

There were no false positives last week. All filters behaved as intended. Note, that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.

If you are having trouble caused by excess volumes of spam email, and are not using an effective filter, why not try out MailWasher Pro? It sure works for me!


May 24, 2011

How to deploy an email archiving solution within your organization

To a medium or large business, email correspondence is not something taken lightly or casually deleted after being read. In fact, most serious businesses keep all email for future reference, in the event of disputes, lawsuits, law enforcement subpoenas, to find customer registrations when customers lose their registration codes, to have a record of interchanges between customers and support staff, etc.

The safe storage of read email requires some forethought. Disasters can and do happen, affecting workstation computers, file servers, in-house mail servers and buildings housing the infrastructure. To safely keep thousands of important email messages from harm's way, and in some cases to comply with Government regulations, companies are looking for safe storage and archiving solutions. This article gives you some insight into some options you should consider, if you are tasked with finding an email archiving solution for your company.


The process to deploy an email archiving solution can be broken down into concise steps, for both cloud-based offerings and in-house solutions. Below are some of these steps:


  1. Meet with your stakeholders
    Email archiving solutions should help you meet legal, regulatory, and HR requirements; information security concerns; and likely existing document retention policies.

  2. Estimate the size of the solution
    An in-house solution's most significant factor will be the amount of disk space required to store the archives. An outsourced solution's most significant factor will be the number of users. Estimate both, based on current sizes, projected growth of the company, and the feedback from the stakeholders regarding the length of time messages must be stored. I like to take this number and apply the Pi factor to it, which means I multiply the result by 3.14 to account for unanticipated growth. Use this to estimate the costs for your solution and include it in #3 below.

  3. Determine whether you will deploy an in-house or cloud-based solution
    While most companies maintain email archives on-premises, some SMEs are looking at outsourcing as an attractive alternative. Cloud-based solutions are good for meeting e-discovery purposes. For those who want a more full-rounded solution that helps them not only meet legal requirements but also offload Exchange and get rid of PST files, then on-premise is the way to go. Others may prefer a combination of both on-premise and on-line, enabling them to split the archive for rarely accessed email (on-line) and current content (on-premise).

  4. Plan for client deployment
    Some solutions require an agent to be installed on the client, and almost all companies will need to address the PST files that are no doubt scattered all over home drives, local disks in the case of laptops, and may even be on personal external storage. One benefit of an email archiving solution is that it reduces the need for PST files, and many archiving solutions include automatic imports of PSTs to the archive to ensure data is preserved and available. Better solutions enable users to search the archives and restore the email they may have deleted from their mailbox, so decide whether to use a portal, an Outlook plug-in, or both.

  5. Pilot the solution
    Once you have chosen your solution, start by archiving a pilot group of users. Solicit regular feedback from these users on performance, ease of use, and their experiences with searches, restoring deleted emails, etc. Use their feedback to tune the system and to develop any training or informational materials for sharing with the rest of the company.

  6. Deploy the solution to all users
    Once the pilot users have signed off on the system, deploy to the rest of the company. Monitor for the increase in Internet bandwidth if you deployed a cloud solution, or in disk I/O if you went with an in-house option, to ensure that the system is performing well.

Following these six steps will help to ensure a successful deployment of your email archiving solution, whether it is an in-house or outsourced solution. By including input from key stakeholders, getting feedback from your test users, and testing the solution with your existing systems, you will find email archiving to be a great addition to your email infrastructure.

This guest post was provided by Ed Fisher on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: GFI email archiving solution. The preamble was written by Wiz Feinberg, owner of Wizcrafts Computer Services and this blog.


May 22, 2011

My Spam analysis & filter updates for the week of May 15 - 22, 2011

Following last week's increase, this week's spam levels have decreased slightly. Spam for counterfeit watches regained the lead over imitation Viagra and Cialis, by a 10% margin. This was followed by male enhancement scams. Various dating and lottery scams and links to .RU domains had lesser percentages.

The malware in attachments from the previous week, for botnet installers, failed to reappear this week (so watch out next week!). When the botnets lose zombie members from disinfection, their Bot Masters send out new rounds of malware infected attachments and links, to rebuild their armies of spambots.

Therefore, spam protection is still needed as it will get worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 24% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from May 15 - 22, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 24%; -6% from last week
Number of messages classified as spam: 109
Number classified by my custom spam filters: 103
Number and percentage of spam according to my custom blacklist: 1
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 5
Number of spam messages seen, reported to SpamCop & manually deleted: 16


The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 37.61%
Fake Viagra and Cialis: 27.52%
Male Enhancement scams: 10.09%
DNS Blacklisted Servers: 4.59%
Other Filters (with small individual percentages): 4.59%
Dating Spam: 3.67%
Known Spam [From]: 2.75%
APNIC sender: 1.83%
LACNIC sender: 1.83%
Lottery Scams: 1.83%
.RU Domain Links: 1.83%
My Blacklist: 0.92%
Hidden ISO 8859-2 (Latvia): 0.92%

This week I made 1 update and/or addition to my custom filters:
Dating [Subject]

I made 0 additions to my custom Blacklist:


There were no false positives last week. All filters behaved as intended. Note, that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.

If you are having trouble caused by excess volumes of spam email, and are not using an effective filter, why not try out MailWasher Pro? It sure works for me!


May 18, 2011

Reverse direction file names & hidden extensions hide malware installers

Most computer users are aware that particular file extensions will open in the program associated with that file type, which typically has the format of a prefix (file name), a period, then a suffix or extension. Double click on a .doc file and it will open in either Microsoft Word, or Oracle's OpenOffice, if either is installed and associated as the default program for the .doc file type. Double click on a .jpg file and the graphics program associated with .jpg files will launch and display that image.

The majority of computer users are using computers that operate on various Microsoft operating systems. All operating systems published by Microsoft recognize .exe and .scr (screensaver) files as executables and will launch the program compiled inside those files, when they are double clicked. That .exe program may be a self-contained, stand-alone application, or the file might be a "setup" container for a program that needs to be "installed" into your computer before it can run.

It is a fact, that Microsoft operating systems are shipped out with a default folder view setting that hides the extensions of known file types; including .exe and .scr file types. If you haven't changed your Windows computer's default folder view settings, when you download a setup or installer file, all you see is the prefix, or file name, without the .exe extension. Thus, "Setup.exe" will usually appear on your PC as just "Setup". Similarly, a downloaded screensaver will appear without the .scr extension.

Windows is designed to extract information buried within most files, to display an "icon" that represents the type of file it claims to be. This allows Windows users, with default view settings that turn off file extensions, to get an idea about what type of file they are looking at, before they open it. So, an exe file might have an icon of an open floppy disk box in front of a stacked PC and monitor, or an icon representing the program or its brand. That is what you might normally see for an executable file, unless the writers have embedded a custom display icon.

If a setup program has a manufacturer's custom icon, it is there because the writers inserted that icon into the program when it was "compiled." The people compiling that program can cause it to display any icon they choose to embed, including those representing a graphics image, or common text document, or a brand logo, or program name or initials. There is nothing stopping a malware distributor from having his installer compiled so it displays a .jpg image icon.

Now that you have these basic facts in mind, I am going to educate you (Windows users) about how these facts can be used against you, to trick you into manually installing malware.

If you allow a malicious program installer, or hostile coded screensaver to Run As (an) Administrator, and/or allow it when a Windows Vista, or newer UAC challenge prompts if you really want to continue, you could turn your PC into a remote controlled spam zombie, or install a key logging Trojan that steals your bank accounts and other important login credentials.

If you are fooled into downloading a rogue program, or Trojan Horse installer, thinking it is something else that is useful or desirable (remember the fall of Troy!), you will probably also be shown an innocent icon to set your mind at ease. The writers and distributors are going to assume that most victims will have not changed their default view settings, which turn off displaying extensions for known file types. You might think you are going to open a photo, or video, or sound track, or a document, when in reality you are giving away the keys to your digital kingdom.

But wait, there's more!

Back in 2007, H-Security published an article describing in theory how a Windows Vista computer could be tricked into displaying a file name and extension backwards! Using special "Unicode" characters in the file name, authors can cause it to be read from right to left, and displayed as such. Thus, a file named "jpg.zeustrojan.exe" can be crafted to actually be displayed on your Windows Vista, or Windows 7 PC as "exe.najortsuez.jpg". But, if your default display settings hide known extensions, all you would see is "najortsuez.jpg" - or even just "najortsuez" - if .jpg extensions are also hidden on your PC.

This right-left text trick is no longer theoretical. There is now Chinese malware in the wild that uses this tactic to hide its real file type, in order to fool people into manually installing the Trojan Horse into their computers. Soon, other cyber-criminals will have their code writers apply the same right to left tricks and this exploit will come to a Windows Vista or Windows 7 computer near you (XP computers don't have native support for this Unicode RTLO text display, unless you install a special package to allow it).
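A file listing can be checked for this trick by looking for the Unicode direction-control characters themselves and comparing the extension Windows will act on with the one the eye sees. The Python below is an added example, not code from this article or from H-Security; the file names are constructed samples, and the rendering function is a simplified approximation that handles a single, non-nested right-to-left override.

```python
# Unicode bidirectional formatting characters that change how text is drawn.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}
RLO, PDF = "\u202e", "\u202c"


def real_extension(name):
    """Extension in stored (logical) order: the text after the last dot."""
    stem, dot, ext = name.rpartition(".")
    return (dot + ext).lower() if dot and stem else ""


def displayed_name(name):
    """Approximate what a bidi-aware listing draws: each run that follows
    an RLO (up to the next PDF or the end of the name) is shown reversed.
    Other direction controls are invisible and are dropped."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            run = [c for c in name[i + 1:end] if c not in BIDI_CONTROLS]
            out.append("".join(reversed(run)))
            i = end + 1
        else:
            if ch not in BIDI_CONTROLS:
                out.append(ch)
            i += 1
    return "".join(out)


def inspect(name):
    """Describe one file name: controls found, what is shown, and whether
    the shown extension differs from the one the system will act on."""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    real, apparent = real_extension(name), real_extension(shown)
    return {
        "controls": controls,
        "shown": shown,
        "real_ext": real,
        "apparent_ext": apparent,
        # Any direction control in a file name deserves a second look;
        # a differing extension confirms the disguise.
        "suspicious": bool(controls),
        "extension_disguised": bool(controls) and real != apparent,
    }


def scan(names):
    """Return (repr of stored name, report) for every suspicious name."""
    reports = []
    for name in names:
        report = inspect(name)
        if report["suspicious"]:
            reports.append((ascii(name), report))
    return reports


# Constructed sample listing; the escape is written out so the control
# character is visible in this source text.
SAMPLE_LISTING = [
    "holiday.jpg",
    "Setup.exe",
    "photo_\u202egpj.exe",   # drawn as photo_exe.jpg
]

if __name__ == "__main__":
    for stored, report in scan(SAMPLE_LISTING):
        print(stored, report)
```

Printing the stored name with `ascii()` shows the escape sequence instead of letting the terminal apply the reordering to the output.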

How to protect against right to left text attacks

This is a no-brainer: unhide known file types! Here's one easy way to proceed:

Open your "Folder Options" by clicking the Start button/orb, click on Control Panel, then click on Appearance and Personalization, and then on "Folder Options."

Click the "View" tab, then under "Advanced" settings, clear the Hide extensions for known file types check box, and then click OK, to display file extensions.

This should make it easier for you to know if a downloaded file that claims to be a video or audio, or image, is in fact an executable. Then, if you don't have the best anti-virus and malware protection money can buy, don't open that program! If you accidentally open it and UAC pops up, don't allow the installer to continue. If it requests Administrator privileges, don't grant them.

Next, make sure you have set Windows Updates to Automatically download and install, at a time when your PC is normally powered on. Microsoft usually releases their monthly and sometimes bi-monthly Windows Updates at about 2 PM, in the Eastern Time Zone.

Unless Microsoft issues a patch to halt this right to left encoding trick, or forces the unhiding of known file types, you need to protect your computer by your own actions. So follow my advice in this article and un-hide known file extensions!

Additionally, do not think that you can operate without any up-to-date anti-virus and anti-malware protection, which monitors your system in real time (not an after the fact, on-demand scanner). If you want a recommendation for a top-notch anti-malware solution, I recommend that you try out Trend Micro Internet Security (Titanium). It is industrial strength, with all manner of protection systems, but with very little impact on your PC's performance.


May 16, 2011

Spam, scams and new Facebook threats you should watch out for

2011 is fast becoming one of the most dangerous years in recent memory. Bad things are happening in both the physical and cyber worlds, in which we live and conduct our daily affairs. Bad actors are wreaking havoc on innocent people, almost everywhere. Cyber-criminals are exceedingly good at scamming and harming Netizens, wherever they may live.

That preamble leads me into the matter that is on my mind, which I want you to save in your minds also. Cyber-crime is big business. The puppet masters pulling the strings, controlling the botnets that send out spam, scams and launch DDoS attacks, are hardened criminals, not hackers looking for notoriety. They have invested a lot of money in paying programmers to write malware codes, botnet installers, banking Trojans, and in Command & Control Server hosting fees, and often, in paying bribes to local police, to avoid being arrested if identified.

The goal of all of the bot masters is to get their remote control malware installed on as many computers as possible, turning them into spam sending zombies. Then, they lease out the use of these botnets to spammers. Spammers have levels also. There are master spammers and affiliate spammers. The Master Spammers produce the spam templates, arrange for the questionable and illicit products to be sold from shady companies, maintain the affiliate payment systems and supply target email databases.

Affiliate spammers buy into spam operations at a lower level and use their money to drive sales to the websites where the fake, or counterfeit goods are being sold. They are responsible for maintaining the current spam sub-culture. Without the army of paying affiliates, the Master Spammers would have to do all of the spamvertising themselves; like in the old days. That would make them much larger targets than they are now.

Since it is the affiliates who actually drive the spam business, let's consider some of their recent tricks used to relieve you of your hard earned money.

Email spam has actually been with us for over three decades. At first, it was purely commercial, for real products, and was sent to members of particular user groups at universities and big companies. Later on, when more individuals bought home computers and began getting Internet access, unsolicited commercial email exploded on the scene. They were led by the personal efforts of one Sanford Wallace, a.k.a: The Spam King, who began his Internet spamming business in 1995.

Spammers have come a long way in the intervening years since 1995. However, many of the same products that were being pitched back in the 90's are still being promoted today. These include fake Viagra and Cialis, bogus male enhancement herbs and pills, illicit prescription drugs - sold with the required prescription, counterfeit watches and apparel, pump and dump stock scams, Nigerian 419 scams and dating scams.

Every week, I write an article reporting on the previous week's spam statistics, by category and percentages. This is of particular interest to users of MailWasher Pro, an anti-spam filter for people using desktop email programs. They often use filters that I write and update to block spam from their inboxes. I must say, that my spam filters have proved to be very effective. ;-)

Lately, as spam filters become more and more effective at blocking junk email from being delivered at all, spammers have begun to target social networking sites, especially Facebook. What began as fun scams launched for kicks has turned into big business for affiliate spammers. Facebook has been over-run with all manner of scams and spam. To their credit, Facebook is just now implementing new anti-spam measures, targeting four particular common avenues of attack. These include the following currently employed tactics: survey scams, spam, clickjacking and malicious cross-site scripting.

For the past several weeks there have been a series of spam attacks on Facebook, with changing subjects, but all with similar tactics and payloads. What began (and continues) as links to alleged spicy videos, has now morphed into a fake "Dislike Button" scam. Facebook users are enticed with specially crafted posts to click on a button to enable a fake Dislike button. This appeals to many Facebook users, who may have inadvertently Liked some topic, only to later change their mind (there is already a means of reversing unwanted likes: go to "Edit My Profile" - next to your profile picture on the upper left, and select "Activities and Interests" from the menu, then click on "Show Other Pages").

Note: there is no legitimate Dislike button currently offered by Facebook. Unless they officially release such a feature, which would be well publicized through official channels and trusted news sources, all Dislike buttons should be regarded as fake and potentially harmful to your identity and your computer's security.

The current round of scams revolving around the fake Dislike button attempts to get victims to click a button to enable the bogus feature. Those who do are actually clicking on the "Share" button, which is hidden under the overlaid "Enable" button! This is known as "Click-Jacking" and is a very common trick used against Facebook members.

After the victim clicks the Enable button, the same scam message is posted to their Wall, and is added to their Liked items. In the background, obfuscated (scrambled to conceal its purpose), hostile JavaScript is run on their computer. There is a variation of this "Dislike Button" scam that asks users to copy and paste the JavaScript code directly into the browser's address bar. This then runs the same routines as the scam that shows the Enable Dislike Button over the hidden Share button.

Other scams on Facebook lead you to take a short online survey. This makes money for affiliate spammers. After completing these surveys, some of the scams then forward you to a web page where you will be presented with a fake virus scanner, or fake video that requires a missing "codec" to view it, or to a dangerous and hostile online game site, like "Play Sushi," which leads to infection of your computer (with pop-up ad-ware) and compromises your Facebook account, spamming all of your Friends.

For more information on the Facebook Dislike Button scam, and all other scams afflicting Facebook users, read the Sophos Naked Security, Social Networks blog articles. They maintain a Facebook account, which Facebook users can subscribe to.

To stay protected against the myriad of cyber-threats targeting all personal and business computers, install the best, legitimate anti-malware protection you can afford. I recommend Trend Micro Internet Security programs. They are designed to block the latest threats and use in-the-cloud technology for constantly changing malware definitions. This reduces the strain on your computer and offloads the heavy work of checking for new threats to their servers. Trend security products all include their Smart Protection Network, which instantly blocks access to known infected web pages, or pages containing possibly hostile, obfuscated JavaScript (such as the ones going around on Facebook, right now).

I hope this helps my Facebook Friends and blog readers to stay safe through vigilance and awareness of the threat-scape that is constantly changing, as cyber criminals alter their attack methods and delivery systems. Enjoy your online experience, but please practice "safe hex!"


May 15, 2011

My Spam analysis & filter updates for the week of May 8 - 15, 2011

Following last week's decrease, this week's spam levels have increased slightly. Spam for counterfeit Viagra finally surpassed spam for counterfeit watches, by a small 3% margin. This was followed by male enhancement scams and various illegal to import prescription drugs. Various scams and malware in attachments had lesser percentages.

The malware in attachments last week was for botnet installers. When the botnets lose zombie members from disinfection, they send out new rounds of malware infected attachments and links, to rebuild their armies of spambots.

Therefore, spam protection is still needed as it will get worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 30% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from May 8 - 15, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 30%; +3% from last week
Number of messages classified as spam: 135
Number classified by my custom spam filters: 125
Number and percentage of spam according to my custom blacklist: 4
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 10


The order of spam categories, according to the highest percentages, is as follows:

Fake Viagra and Cialis: 29.77%
Counterfeit Watches: 23.66%
Male Enhancement scams: 15.27%
Pills filter: 7.63%
Pharmaceuticals and illegal prescription drugs: 4.58%
Zip Attachments (Malware installers): 3.82%
My Blacklist: 3.05%
Other Filters (with small individual percentages): 3.05%
Hidden ISO Subject: 2.29%
Russian Bride Scam: 2.29%
Pump and Dump Scam: 1.53%
Known Spam Domains: 1.53%
DNS Blacklisted Servers: 1.53%

This week I made 3 updates and/or additions to my custom filters:
Pump and Dump stock scams
Viagra [Subject]
Viagra [Body]

I made 2 additions to my custom Blacklist:
[email protected]
[email protected]

There were no false positives last week. All filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in XML format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it on my MailWasher Pro Custom Filters page.

If you are having trouble caused by excess volumes of spam email, and are not using an effective filter, why not try out MailWasher Pro? It sure works for me!


May 8, 2011

My Spam analysis & filter updates for the week of May 2 - 8, 2011

Following last week's increase, this week's spam levels have decreased measurably. Spam for counterfeit Viagra finally surpassed spam for counterfeit watches, by a huge 16% margin. This was followed by male enhancement scams and various illegal to import prescription drugs. Various scams and pirated software had lesser percentages.

The reduction in last week's spam levels might have been due to spammers holding back, or Bot Masters laying low, to try to avoid the authorities who are trying to track them down and shutter their operations. When the botnets lose zombie members from disinfection, they send out new rounds of malware infected attachments and links, to rebuild their armies of spambots.

Therefore, spam protection is still needed, as spam will get worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

Over the past 7 days, spam for various types of garbage amounted to 27% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from May 1 - 8, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 27%; -7% from last week
Number of messages classified as spam: 117
Number classified by my custom spam filters: 108
Number and percentage of spam according to my custom blacklist: 3
Number classified as spam by the Bayesian Learning filter: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 5
Number of spam messages seen, reported to SpamCop & manually deleted: 17


The order of spam categories, according to the highest percentages, is as follows:

Fake Viagra and Cialis: 30.63%
Counterfeit Watches: 14.41%
Male Enhancement scams: 9.91%
Pills filter: 9.01%
Other Filters (with small individual percentages): 9.01%
Pharmaceuticals and illegal prescription drugs: 5.41%
Work At Home Scams: 5.41%
Software (pirated): 4.50%
BR, CN, or RU Domains in spam links: 3.60%
My Blacklist: 2.70%
Subject All Capital Letters (Nigerian 419 scams): 2.70%
Counterfeit Goods: 2.70%

This week I made 4 updates and/or additions to my custom filters:
Pharmaceuticals [S]
Pump and Dump stock scams
Work At Home Scam
Re-enabled the Exploit Link filter


There were no false positives last week. All filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in XML format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it on my MailWasher Pro Custom Filters page.

If you are having trouble caused by excess volumes of spam email, and are not using an effective filter, why not try out MailWasher Pro? It sure works for me!


May 1, 2011

My Spam analysis & filter updates for the week of Apr 25 - May 1, 2011

Following three weeks with little change in my level of spam, this week's levels have increased slightly. Spam for counterfeit watches led the pack by a 7% margin. This was followed by various illicit pharmaceuticals, counterfeit Viagra-Cialis, and male enhancement scams. Various scams and malware in attachments had lesser percentages.

Spammers depend on the cheap use of millions of infected PCs that have been involuntarily made zombies in spam botnets. As authorities shut down one botnet, another rises to claim its share of the spam pie. As the number of infected machines declines, due to the owners being made aware of their problem and disinfecting their computers, the bot herders use whatever means are available to them to regain zombies in their herds. Sending fake delivery notices with bot installers is one of the favorites of malware distributors.

You still need spam protection, as spam is showing signs of getting worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

Over the past 7 days, spam for various types of garbage amounted to 34% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Apr 25 - May 1, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 34%; +3% from last week
Number of messages classified as spam: 175
Number classified by my custom spam filters: 165
Number and percentage of spam according to my custom blacklist: 5
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 5
Number of spam messages seen, reported to SpamCop & manually deleted: 10

The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 29.71%
Pharmaceuticals and illegal prescription drugs: 22.86%
Fake Viagra and Cialis: 19.43%
Male Enhancement scams: 14.29%
Pills filter: 2.86%
DNS Blacklist Servers: 2.86%
My Blacklist: 2.86%
BR, CN, or RU Domains in spam links: 1.71%
Known Spam Subjects: 1.14%
Other Filters (with small percentages): 0.57%
Russian Bride Scams: 0.57%
Subject Contains E-mail Address: 0.57%
LACNIC Senders (South America): 0.57%

This week I made 3 updates and/or additions to my custom filters:
Image Spam #11
Known Spam [From]
Dating spam updated and split into two filters: [Subject] and [Body]


There was one false positive last week, which led to me adjusting the Watches filter. All other filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in XML format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it on my MailWasher Pro Custom Filters page.



About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.






This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.