Wiz's Computer and Website Security Blog

After briefly rising last week, spam levels have fallen again, following this week's takedown of the Rustock spam botnet's command and control servers, by Microsoft, Pfizer, Fire-eye and the US Marshall's Service. My statistics reveal a 7% decrease from the previous week. Prior to the shutdown of those servers, Rustock was responsible for over 40% of the world-wide spam.

Immediately following Rustock's takedown, on March 16, there was a big drop in spam. However, other botnets quickly rented out their services to spammers, so the amount of spam rebounded over the last few days to regain several percentage points. You can look for those botnets to become the next targets of Microsoft, Pfizer and other anti-spam agencies.

Pfizer was involved because so much spam is for counterfeit Viagra, which is a trademarked and controlled drug manufactured and distributed by Pfizer and it's legitimate partners. They do not license Russian, Indian, or Chinese based Internet pharmacies to make or distribute Viagra, or to use the trademarked name of the company or the drug. Anybody offering to sell Viagra (real or counterfeit) to US residents, without a valid prescription issued by a real US based and licensed doctor, after an actual physical examination, is violating US Federal law. Anybody attempting to purchase Viagra, or other controlled prescription drugs, from an Internet pharmacy located outside the USA, or any Internet pharmacy that sells pharmaceuticals that are not manufactured or licensed for sale in the USA, is guilty of violating US laws regulating the purchase of controlled substances. Those purchases are subject to seizure by US Customs and smuggling charges can be filed by Federal authorities.

This past 7 days, spam for various types of garbage amounted to 28% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Mar 14 - 20, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 28%; down 7% from last week
Number of messages classified as spam: 124
Number classified by my custom spam filters: 120
Number and percentage of spam according to my custom blacklist: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 11

The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 28.46%
Pharmaceuticals and illegal prescription drugs: 26.02%
Fake Viagra and Cialis: 15.45%
Other Filters (with small percentages): 7.32%
Male Enhancement scams: 4.88%
Known Spam Domains in links (usually Russian: .RU): 4.07%
Work At Home Scams: 3.25%
Subject contains e-mail address: 2.44%
Twitter Phishing Scam: 2.44%
419 scams:1.63%
DNS Blacklist Servers: 1.63%
Russian Sender: 1.63%
Blacklisted sender names and domains (my blacklist): 0.81%

This week I made 7 updates to my custom filters:
Consecutive digits or consonants,
Diploma Spam,
Russian Bride Scam,
Russian Sender,
Work At Home Scam.
New filters: Courier Scam #6 and Post Express Scam.
Disabled 28 out-dated filters.


There was one false positives last week. All filters behaved as intended. Note, that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.

Posted by Wiz at 1:06 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for various unlicensed prescription drugs from China, plus weight loss, male enhancement and phishing scams. The rise in Male Enhancement scams follows a total decline that occurred a month ago, after the takedown of the Mega-D Botnet. The spammers using that Botnet have hired other Botnets to distribute their enlargement scams.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Nov 30 - Dec 6, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for the week of Nov 30 - Dec 6, 2009" »

Posted by Wiz at 4:11 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 5% this week from last week's level. Furthermore, there has been a big drop in the number of male enhancement scam emails I have captured. This is almost entirely due to the hijacking and sinkholing of the Ozdok/Mega-D Botnet. That Botnet was taken down two weeks ago by the efforts of FireEye, a security firm that hijacked the Ozdok Bot command structure and redirected requests for updates from the zombies in the Botnet to a blackhole/sinkhole IP. They also notified all of the companies hosting the Command and Control servers used by the Botnet and those servers were all taken offline. This was all accomplished in a mere 24 hours, thanks to a lot of co-operation and investigative work. Unfortunately, those male enhancement spam emails are reappearing, so either Mega-D Botnet has been restored, or another Botnet is being used by the spammers promoting these fake, Chinese enhancement products.

Before the takedown, Mega-D was responsible for most of the World-wide plague of male enhancement spam messages, going back to at least 2007. Those are the messages promoting unreal enlargement results from various bogus pills and herbals.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for the fake Canadian Pharmacy and other unlicensed prescription drugs from China. Also, the Nigerian scammers were busy again last week, promoting their lottery scams, sent from various African countries.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Nov 23 - 29, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for the week of Nov 23 - 29, 2009" »

Posted by Wiz at 3:53 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 1% this week from last week's level. Furthermore, there has been a big drop in the number of male enhancement scam emails I have captured. This is almost entirely due to the hijacking and sinkholing of the Ozdok/Mega-D Botnet. That Botnet was taken down last week by the efforts of FireEye, a security firm that hijacked the Ozdok Bot command structure and redirected requests for updates from the zombies in the Botnet to a blackhole/sinkhole IP. They also notified all of the companies hosting the Command and Control servers used by the Botnet and those servers were all taken offline. This was all accomplished in a mere 24 hours, thanks to a lot of co-operation and investigative work.

Before the takedown, Mega-D was responsible for most of the World-wide plague of male enhancement spam messages, going back to at least 2007 (or late 2006). Those are the messages promoting unreal enlargement results from various bogus pills and herbals.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for fake Viagra and other unlicensed prescription drugs from China. Not surprisingly, the Nigerian scammers were busy again last week, promoting their advance fee fraud 419 scams. 100% of all email coming to me, with African IPs in the headers, are 419 scams. I have a MailWasher Pro filter to detect and block African Senders.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details)

See my extended comments for this week's breakdown of spam by category, for Nov 16 - 22, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for the week of Nov 16 - 22, 2009" »

Posted by Wiz at 4:31 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

The volume of spam coming to my various honeypots and user accounts has decreased again this week. This is probably attributable to the forced closure of Pricewert, a spam-friendly hosting company, where Botnet command and control (C&am;C) servers and malware hosting was carried out by its customers, with no action taken by the company to halt those activities. With the C&C controllers offline their Botnets cannot receive updates or new instructions and fall silent, like zombies. Spammers then find other means of delivering their crap to us.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake pharmacies, which sell illicit and counterfeit pharmaceuticals, Nigerian 419 scams, and dating scams. Also, the volume of phishing scams targeting customers of various banks and credit cards remained strong again this week.

See my extended comments for this week's breakdown of spam by category, for June 15 - 21, 2009 and the latest additions to my custom MailWasher Pro filters

Continue reading "My Spam analysis for June 15 - 21, 2009" »

Posted by Wiz at 4:29 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule. These particular spam messages are sent from a Botnet that has fallen silent for some reason; possibly due to large-scale disinfection (e.g: by the Microsoft Malicious Software Removal Tool), or takedowns of command and control servers used by that Botnet (see takedown of McColo).

I am seeing a greatly reduced amount of spam, possibly due to me being white-listed by spammers, trying to avoid my honeypots, or because of troubles spammers might be having controlling their Botnets. Nonetheless, the types of spam I am getting are most likely the same types you are getting, just in a different quantity. The classifications can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake "Canadian Pharmacy" and Nigerian 419 advance fee fraud and money laundering scams. Other classifications, like Blocked Countries, usually include counterfeit drug promotions, sometimes in embedded images, or in vertical text and html tricks.

MailWasher Pro spam category breakdown for April 20 - 26, 2009. Spam amounted to 7% of my incoming email this week. This represents a 1% decrease from last week.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

To protect your computer from malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security.

Continue reading "My Spam analysis for April 20 - 26, 2009" »

Posted by Wiz at 1:30 PM | Permalink

back to top ^

The newest version of the Conficker Worm, a.k.a. Downadup, said to have already infected over 10 million PCs, is programmed to begin contacting a huge list of new domain names, beginning on April 1, 2009. Each PC that is currently infected with the most recent variant of this Worm will begin generating a list of 50,000 domain names, many of which might be registered by the criminals behind this Worm. It will then pick names it generates on each infected computer and try to contact that domain, for further instructions, or program updates. If those domains are in fact active and under the control of the Botmasters running the Conficker Worm, updates will be sent to all of the PCs making contact on, or after April 1. Those updates are probably going to make it more difficult to disinfect these PCs, or to contact any security websites for malware removal tools.

If you are not already infected it is because you took the proper preventative measures last October 23, 2008. That was the date that Microsoft released a sudden, out-of-cycle critical update, in security bulletin MS08-067 and Windows Update patch kb958644, which plugged a vulnerability in the Windows Server Service. That vulnerability is what was exploited by the first two releases of the Conficker Worm (Conficker.A and .B). Since most Windows users who run legitimate copies of Windows have set their computers to receive and apply Automatic Windows Updates, they were protected when the Worm was first released in the wild, in November, 2008.

However, people who turned off Automatic Updates because they don't trust Microsoft updates, or because they are using pirated copies of Windows and don't want to get nagged about it, probably got hit by this Worm, soon after its release. The highest percentages of Conficker infections occurred in countries with the highest numbers of pirated Windows operating systems. These nations include China, Russia, Argentina, and Brazil.

I would like to point out that there is another group of vulnerable people, who may not realize that they are critically exposed to the Conficker Worm (and the likes). These are legitimately licensed users of Windows XP, or newer, who had to reinstall their operating systems to fix other problems or malware infections, any time after the MS08-067 patch was released. If you let any significant time elapse between reinstalling Windows and then obtaining all available patches, especially MS08-067, you could have been exposed to a Conficker attack and possibly been infected and don't know it yet (not likely - the Worm causes noticeable trouble on a PC). This is why I always make my first Internet connection after validation to Windows Updates (repeatedly, until all patches have been installed)!

If you want to know if your Windows PC is infected just try to go to Windows Updates, either via the link in your Start Menu, or using the link in Internet Explorer, under Tools. If you can't open Windows Updates at all, but can visit other non-security related websites (Yahoo, MSN, CNN, etc), you just may be Confickered. To find out for sure you should run scans with any anti virus software you have installed. Try to update it first, before scanning. If you are already infected with Conficker.B, or Conficker.C, you will not be able to update most anti virus definitions at all. This is caused by the Worm denying access to any website run by any major security vendor.

If this is the case for your PC(s) there is a downloadable Conficker Removal Tool available from Bit Defender, that removes Conficker A, B and C variants. The removal tool is available here. There is also an online scanner on the landing page, which you can run to see if you are indeed infected. If the Bit Defender page is inaccessible, here is the URL for the online scanner: http://91.199.104.31

Note, that licensed users of Trend Micro Internet Security products are already protected against the Conficker threats.

I will have more to tell you about this Worm after tomorrow comes and goes. We will see what we shall see!

Posted by Wiz at 7:08 PM | Permalink

back to top ^

After three months of reduced spam volumes I am now seeing a sudden resurgence, especially in the form of the fake Canadian Pharmacy, unapproved Asian made Viagra and various male enhancement pills, strips and patches. All of this spam, like all spam from the year before, is sent via compromised Windows computers which have been unknowingly recruited in spam Botnets. These Botnets are commanded and controlled by criminals in Eastern Europe (in the former Soviet Union) and other places where authorities tend to turn a blind eye to cyber criminal activities.

It is difficult to know which Botnet is sending out this new round of pharmacy spam without capturing a Bot and logging its actions and reading its spam templates, but this has all the earmarks of the Mega-D Botnet (speculation). Mega-D, otherwise know as Ozdok, was one of the most prolific Botnets still running after the takedown of the McColo Corp. spam control and command servers, on November 11, 2008. The majority of the colocation servers in that facility were used for illegal activities, including command and control of several Botnets. It was the first to re-emerge and resume spamming and is very likely responsible for the current resurgence I saw yesterday and today. If not, it is a similar Botnet, being rented out to spammers (the Bot Masters usually rent portions of their Botnets to spammers, rather than doing any spamming themselves).

I didn't write my usual Sunday spam report this week, because the amount of spam for the week of February 2 - 8, 2009 was ridiculously low (around 7%) and only encompassed four categories, as defined by my MailWasher Pro custom filter rules. Still, a pattern was developing an I can now report on it. Maybe this will help others in identifying the Botnet behind this recent spam run. Most of the spam coming in from February 8 through 11 is identified by my "Hidden ISO or ASCII Subject" filter. The emails sent to English speaking North American inboxes do not require any ISO or ASCII codes to be read by the recipients, as long as the Subjects are typed in English. However, messages composed in European locations, or in Asia, by non-English speakers might require this code to become readable at various destinations. They can tailor the ISO code to display the spam subject in the language of the desired recipient country. This is what has been going on since the Mega-D Botnet emerged in late November, 2008.

For you folks who use MailWasher Pro to filter out spam and aren't using my custom filters already can apply the following filter to detect and either flag, or auto-delete any spam containing a hidden ISO subject. The following code must only occupy one long line and goes into your filters.txt file, located in your logged in identity's %AppData%\MailWasherPro folder. Note, that you must close MailWasher before editing filters.txt, save the changes, then reopen the program.

[enabled],"Hidden ISO Subject","Hidden ISO or Ascii Subject",16711680,OR,Delete,Automatic,EntireHeader,containsRE,^Subject:[^\n]*?=?ISO-8859-[^\n]*?\n,EntireHeader,contains,"Subject: =?us-ascii?",EntireHeader,contains,"Subject: =?windows-1251?B?",EntireHeader,contains,"Subject: =?gb2312?B?"

If you don't trust the accuracy of my filter you should remove the word: Automatic, from the rule. This will cause the rule to only flag such messages as spam, matching the Hidden ISO rule, with a checkmark in the Delete column, in MailWasher Pro.

Continue reading "Return of the Botnets- Spam is on the rise again" »

Posted by Wiz at 3:48 PM | Permalink

back to top ^

I analyze sources and destinations of various types of spam I capture in my honeypot accounts and I've begun seeing numeric IP links in spam for fake pharmacies. The numeric links point to Windows based PC's that are Zombie members of the Storm Trojan Botnet, because they did not have all available patches or good security programs installed and updated. These compromised computers are, unknown to their owners, hosting web pages containing advertisements for fake pharmacies and counterfeit drugs and male/female enhancement solutions.

As my regular readers already know, virtually all numeric links in spam messages are actually the IP addresses assigned to the modems of residential, or business customers, of DSL and Cable Internet companies. The people who think they own these computers are not aware that their computer is now owned by a criminal Botmaster, who has herded millions of insecure PC's into his network, called a Botnet. Most of the numeric links in spam messages are sent by computers in the "Storm" Botnet, the World's largest, at this time. Each one of these computers are acting like "sleeper agents," acting normally until their Botmaster sends them a remote command - to send spam, or launch a denial of service attack, or to receive a web page and file that they will host, to infect curious web surfers who are enticed there by cleverly worded spam messages.

We are 11 days away from this year's Valentine's Day celebration, and the Storm Botnet is already busy generating love messages to sucker as many people as possible, into infecting their own computers by following links in spam messages sent from other Storm Botnet zombie computers. Now, you also have them using pharmaceuticals and male enhancement as bait. The authors of these messages, while being 100% criminals, are nonetheless brilliant at social engineering. They jump on major news stories to rewrite scripts that their zombie computers will use to send spam runs, with current topics in the subject or body, all linking to infected computers that attempt to spread this Trojan to every sucker that is sent to them. Don't be one of those suckers!

I discuss how the Storm Trojan uses hidden rootkit technology to hide its presence from the computer owners, in my extended comments.

Continue reading "Storm Botnet Zombie computers now hosting spam web pages" »

Posted by Wiz at 4:05 PM | Permalink

back to top ^