Wiz's Computer and Website Security Blog

For the third week in a row, the percentage of spam to all of my accounts has dropped. This time it decreased by 9% from last week, which is a significant decline and might signal a trend (one can only hope).

My total email received this week is up by 81 from last week. But, the volume of spam only increased by 28 messages. I noticed a big increase (pardon the pun) in Male Enhancement pill scams and a slight increase in the amount of the phony "ClubVIP" Casino spam.

Happily, there was a significant drop in the number of spam messages containing links to malware. These scams typically pretend to be failed or pending ACH transaction notices from NACHA, or a bank. There have been some very significant arrests and naming of suspects who are behind many of the top botnets, including the KoobFace gang. Many of the persons named or arrested, or on the run, are Russian, Romanian and Ukrainian citizens who are responsible for installing banking Trojans onto victim's computers. My guess is that the remaining active bot masters are laying low right now, until the heat dies down.

The following is my analysis of spam for the week of January 22, through 29, 2012.

These spam statistics are derived from MailWasher Pro, which is a POP3 email screening program that runs on a Windows desktop. It intercepts all incoming email and analyzes it, based upon several factors, the most prominent of which are my own custom spam filters.

Overview
Total incoming email from January 22 through 29 (about 2:30 PM EDT): 442
Good mail: 314
Classified as spam: 128
Percentage rated spam: ~29%

Breakdown by category of spam


Casino: 23%
Male Enhancement: 14%
Watches: 12.5%
Pharma and Pills: 10%
Blacklisted (my blacklist): 7%
Cialis: 6%
Viagra: 4.5%
Marked as Spam: 3%
Weight Loss: 3%
.Ru, .Ua link: 3%
.com.ua link: 2.5%
Russian Bride: 2.5%
Diplomas: 2.5%
Blocked Country: 1.5%
Software (pirated): 1.5%
Exploit Link: 1.17%
URL Shortener Link: 1.17%
Work at home Scam: 1.16%

I made the following additions or updates to my custom MailWasher filters

Casino Spam updated and split into #1 and #2,
Casino Spam #2,
Known X-Mailer Spam,
.RU or .UA Domain Link,
Russian Sender,
URL Shortener (Spam) Link,
Work At Home Scam #1,
Work At Home Scam #2


I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the MailWasher Pro website.

Posted by Wiz at 2:12 PM | Permalink

back to top ^

After surging around January 1, my level of spam has shown signs of decreasing. It has dropped 2% from last week, making spam 38% of my total incoming email, from January 16 through 22, 2012.

In addition to the percentage drop, there was also a large drop in the actual number of messages classified as spam. In fact, I saw about 50% fewer spam email messages this week as compared to the previous week.

The email threats this week were mostly BBB Fraud, with links to fake complaint reports, which redirected to malware servers. There were also several miscellaneous scams with fake query strings appended to .htm files. These links lead to compromised websites and redirected to the Russian Blackhole Exploit Kit. People with JavaScript enabled and out-dated versions of the Java Virtual Machine installed would be exploited silently. Their PCs would become members of a botnet and begin spewing out spam and DDoS attacks. Some of these exploits also install bank account stealing Trojans.

The following is my analysis of spam for the week of January 16, through 22, 2012.

These spam statistics are derived from MailWasher Pro, which is a POP3 email screening program that runs on a Windows desktop. It intercepts all incoming email and analyzes it, based upon several factors, the most prominent of which are my own custom spam filters.

Overview
Total incoming email from January 16 through 22 (about 4 PM EDT): 361
Good mail: 261
Classified as spam: 100
Percentage rated spam: ~38%

Breakdown by category of spam


Casino spam: 17%
Pharmaceuticals spam: 13%
Cialis: 12%
Malware link with fake query strings appended: 10%
Replica Watches: 9%
Fake diplomas: 8%
Work at home scams:7%
Blacklisted (my blacklist): 6%
Learning filter classed as Spam: 5%
Russian Bride scams: 5%
Nigerian 419 scams: 3%
Russian or Ukrainian spam domain links: 1%
Male Enhancement scams: 1.%
Miscellaneous other filters: 3%

I made the following additions or updates to my custom MailWasher filters

BBB Fraud,
Casino Spam,
Loans Spam,
Work At Home Scam #1

The following wildcard email address was added to my MailWasher Blacklist:

None added this week


I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the MailWasher Pro website.

Posted by Wiz at 2:44 PM | Permalink

back to top ^

I just compiled my personal spam statistics for the 2nd week of January, 2012 and found that spam accounted for about 40% of my incoming email. This is down 4% from the same period last year, but 1% higher than the previous week.

The leading category by a long shot was for the fake ClubVIP Casino. There is no website with such a name, just a bunch of various recently registered domain names that all point to fake casino pages. As was the case last week, these casino pages display an image that is wrapped in a hyperlink, which leads to the downloading of a suspicious executable. Once you install that file, you will part with a lot more money than if you shot craps at a real casino.

The second highest spam category was for fake (replica) watches, followed by counterfeit Cialis and Viagra. All other categories had smaller percentages, as outlined in my extended comments.

These spam statistics are derived from MailWasher Pro, which is a POP3 email screening program that runs on a Windows desktop. It intercepts all incoming email and analyzes it, based upon several factors, the most prominent of which are my own custom spam filters.

Total incoming email from January 9 through 16 (4 PM EDT): 516
Good mail: 308
Classified as spam: 208
Percentage rated spam: 40.3%

Here is a breakdown of spam by category, for the week of January 9 through 16, 2012.

Casino spam: 24%
Replica Watches: 15%
Cialis and Viagra: 10%
Fake diplomas: 7.54%
Russian or Ukrainian spam domain links: 5.7%
Work at home scams: 5.7%
Pharmaceuticals spam: 4.8%
Weight loss scams: 4.8%
Miscellaneous other filters: 4.8%
Learning filter classed as Spam: 3.8%
Blacklisted (my blacklist): 3.36%
Unlicensed prescription drugs: 2.4%
Known Spam Domains: 1.9%
Russian Bride scams: 1.9%
Nigerian 419 scams: 1.9%
Male Enhancement scams: 1.44%
Malware link with fake query strings appended: 0.96%

I made the following additions or updates to my custom MailWasher filters

Counterfeit Goods,
Diploma Spam [B plain text],
Diploma Spam [B regexp],
Known Spam Domains (trlvi.com),
Male Enhancement [B],
Nigerian 419 Scam #3 [S, F, R],
URL Shortener (Spam) Link,
Work At Home Scam #1

The following wildcard email address was added to my MailWasher Blacklist:

[email protected].+

This wildcard account is being used by a persistent Nigerian 419 scammer and appeared in all of the 419 scams I received this week. The + sign in front of the @ means "anything"@potter.m.lawfirm plus any domain extensions (.com, .co.uk, etc).


I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the MailWasher Pro website.

Posted by Wiz at 3:23 PM | Permalink

back to top ^

For the second week in a row, my email spam percentage has exceeded the amounts recorded during the last quarter of 2011. At 39% it is 7% higher than the same period last year. I will review the various percentages of spam by category, as obtained from my anti-spam program, MailWasher Pro.

For the last couple of weeks there has been a huge amount of spam for the ClubVIP Casino. The links in the email messages spamvertising this currently Romanian based casino use various domain names, all of which redirect to a server running on the Russian Nginx software. When a victim is enticed to click on a link to this casino, rather than arriving at an actual online casino (currently hosted at 89.136.223.126), all they see is an image that is a clickable link to a suspicious file download, currently named SetupClubVIP.exe. This file hooks into the Windows Kernel file, Kernel32.dll, where it can do whatever evil it was designed to do. I tried to have it analyzed at VirusTotal, but the Romanian server is blocking their efforts to download that file.

I would advise anybody who asks my opinion to stay away from this type of scam. Do not download suspicious files to your computer to play any online games. Above all else, make sure you have the very latest and up-to-date anti-malware program installed, to protect your PC, just in case you slip up.

Now, on to the percentages of spam by category, for the week ending January 8, 2012.

The following categories and percentages of spam were obtained from the Statistics readout from the anti-spam program, MailWasher Pro. I write and publish custom MailWasher spam filters that detect and flag, or auto-delete any email spam matching the criteria in my spam filter rules.

Percentage classified as spam: 39%; down 10% from last week, but way up from December
Number of messages classified as spam: 148
Number classified by my custom spam filters: 139
Number and percentage of spam according to my custom blacklist: 7
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 7

The order of spam according to the highest percentages, is as follows:

Casino Spam: 31.08%
Pharmaceuticals (other than Cialis or Viagra): 19.59%
Diploma (fake documents) Spam: 10.81%
Male Enhancement scams: 7.43%
Cialis (counterfeit): 6.46%
Blacklisted by my custom blacklist: 4.73%
Russian Brides and Dating Scams: 4.05%
Counterfeit/Replica Watches: 4.05%
Other filters with small percentages: 3.38%
Viagra (counterfeit): 2.70%
Russian or Ukrainian Domain links: 2.70%
419 (Nigerian) Scams: 1.35%
DNS Blacklists: 1.35%

Changes or additions to my custom MailWasher filters:

Nigerian 419 Scam #3
Pump and Dump Scam


I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the MailWasher Pro website.

Posted by Wiz at 2:20 PM | Permalink

back to top ^

Here it is, New Years day, 2012 and I have just analyzed my email statistics for the past 9 days. After being down for months, spam levels have returned to last year's level of 49%, from Dec 23, through Jan 1. Spammers have indeed ended 2011 with a bang!

After some reading from my security sources blogs, I have learned that most of this spam blast over the last week+ was spewed out by one of the few remaining big botnets: the Cutwail Botnet. This botnet, like most of the others already taken down this year, is based in Russia. The Russian Bot Master may have just been fingered by Brian Krebs, in his "Pharma Wars" article posted on Jan 1, 2012.

The top categories of products and services being spammed the most over the last 9 days were for casinos, male enhancement gimmicks and various illicit pharmaceuticals sold from fake Internet pharmacies.

Lesser categories of spam included replica watches, fake diplomas, Russian dating and bride scams, Nigerian 419 scams and a few malware links to Russian exploit kits. I even got some unreadable spam in the Russian language and character set iso-1251.

As for totals, from December 23, 2011, through January 1, 2012, of the 339 messages I received, 169 were classified as spam, equaling 49% of all email for that period. This is exactly the same percentage of spam from the same time period last year.

I obtain my spam statistics from my anti-spam program: MailWasher Pro. This program sits on my desktop and inspects all email before I download it to Windows Live Mail (formerly Outlook Express). MailWasher uses a combination of tactics to determine if any email is spam, then either flags it as spam, for manual review and deletion, or follows my own spam filter rules and deletes it automatically.

I write my own spam filters for MailWasher Pro and publish them on my MailWasher Pro Custom Filters page. Any changes or updates to my filters are noted on that page. The most recent changes this past week were as follows.

Changes or additions to my MailWasher spam filters:

Loans,
URL Shortener spam links

I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the MailWasher Pro website.

Posted by Wiz at 12:03 AM | Permalink

back to top ^