August 16, 2023

Return of the Facebook Ad Violation Scam

On July 9, 2023, I published a blog article about a Facebook ad violation scam I received in my email inbox. After I reported the scam to SpamCop, the scam stopped for me, but not for another person I know. Evidently, my break is over and the scam arrived afresh in my inbox, on August 16, 2023.

Apparently, scammers are following me and other people who maintain Facebook business pages. When they or their ad detection script detects that I've boosted a post, or created a new ad, they create an email-borne phishing scam targeting my page by its name. In the most recent scam email, the subject was: "Your ad account is currently inactive." The From field contained the words: "Meta for Business". The body text contained dire warnings, including the following:

We regret to inform you that your Advertising account was used to create one or more Ads that do not comply with our Advertising Policies or Community standards.
...
Your account will be permanently deleted in the next 24 hours.

This was followed by a call to action:

To request a review, if you believe your account follows our Community Standards, please use the form below:

SUBMIT NOW

Now that I've stated the visible basics, let's take a look behind the scenes and see just what the Hell is going on!

July 9, 2023

Facebook Ads Scam

If you run ads, or pay to boost posts on your Facebook (business) pages, you may have received an email with a subject similar to these:


  • Your ad does not meet Facebook's advertising standards.

  • Your ad will be suspended and your ad account will be restricted

  • Your Ads Account Has Been Disabled Due To Violation Of Community Standards


The email claims to come from Meta Business, or Meta for Business, and that's what most email clients will show in the From field. The message body contains wording similar to this:

Hello, (your Facebook "page" name)

We officially inform you that your advertising account has been found in violatin our ads policies. We ensure to take the safety of our user seriously, and we request all advertisers to follow our guidelines.

We've decided to permanently restrict your account. If you think this decision is incorrect you can appeal below:

SUBMIT

After you request a reconsideration, you usually have to wait 48 hours to get a different decision. Before new results are available, your account will be in a "pending review" status.

The Meta for Business Team,

Meta Platforms, Inc., Attention: Community Support, 1 Facebook Way, Menlo Park, CA 54902

March 11, 2019

A simple spam filter for the current Sextortion scams making the rounds

For a week or so, an email scam has been making the rounds claiming that a hacker has compromised your computer and caught you doing nasty things with yourself while watching porn videos online. He or she threatens to expose you (no pun intended) unless you pay a ransom of between $1000 and $2000 US in Bitcoins.

While this may cause some people to panic and pay up, most will see it for what it really is: a pathetic sextortion scam. Nobody hacked your computer or planted a video watching virus on it. This is FUD (Fear, Uncertainty and Doubt). But, because these scams are arriving in huge numbers, to multiple mailboxes, it is worth our time to create an email spam filter that detects and even auto-deletes these messages.

This article is mainly presented for MailWasher Pro users, but can also apply to any other email client that allows users to create spam filters from email headers. Think web server email systems...

If you don't use MailWasher Pro, but want to create this spam filter for another email client, or on your website's email server, read these articles I wrote in 2017:


  1. Use RegEx to filter spam from your mail server - part 1

  2. Use RegEx to filter spam from your mail server - part 2


Assuming your email client is MailWasher Pro, or otherwise allows for custom Regular Expressions filters, let's create a Sextortion Scam filter.

September 16, 2018

Block spam sources from your website's email server

If you run a website hosted on an Apache web server, and are using the domain for email, and are using cPanel as your control panel, you most likely have a section labeled "email" which contains a link labeled: "Account Filtering." In this article I will share some filters I made to block email spammers.

A domain name is an alpha-numeric name that has been chosen and registered — by an individual or legal entity — with an accredited domain registrar to represent a web property. "Example.com" is a sample of a domain name. A domain name can be parked until it is needed for use as a website, or can simply be a pointer/shortcut to an active website that has a different name.

Many people choose to send and receive email through a domain and website they own, or administer, or for which they act as the Webmaster. If your domain name represents a business, sending email from that domain looks more professional than using a free email system (gmail, hotmail, live.com, etc).

However, as usually happens to active email accounts, some or all of your domain email addresses will eventually be captured by email harvesting bots and added to spam lists. If you have multiple email accounts for your domain, they may all receive the same, or related spam messages at the same time. If you are a busy person trying to read business messages, these spam emails can become a serious nuisance. Some well written spam filters can put a big dent in the amount of spam emails getting through to your inbox. Here's how I do it.

July 9, 2017

Use RegEx to filter spam from your mail server - part 2

On the 4th of July I wrote an article explaining how you can use Regular Expressions (RegEx) to create spam filters that can be applied to a mail server for your commercially hosted domains. This article shows how to create RegEx filters to block spam based on the IP addresses of the mail servers found in the headers of incoming emails.

If you haven't read the first article in this series, I recommend you do so now. It has lots of important information that this article builds upon. It will open in a new tab so you can refer to it as necessary.

Email messages contain a section that is normally hidden from view when you read the body text. It is called the email headers and they contain the actual routing details for each incoming and outgoing message. Some of those details can be forged by spammers and frequently are. But, others are not easily forged, including certain numeric entries that relate to the IP addresses of the email servers through which the message has passed.

So, without any further ado, let's look at a spam filter to block unwanted IP addresses.

July 4, 2017

Use RegEx to filter spam from your mail server - part 1

For years now, I have been writing and publishing spam filters for MailWasher Pro, which is a desktop POP3 and IMAP email filtering program. My filters are very effective at flagging or deleting spam, scams and malware links or attachments. That's great if you use MailWasher Pro. But, if you don't use a spam filtering program and are using your own hosted domain for email, which you read in a desktop email client (not browser based Webmail or Gmail), my regular expressions email filters may protect you from spam threats.

First, the term "regular expressions" is usually abbreviated as: "RegEx" - which is how I will refer to them from henceforth in this article. They are characters and formatting that can match all manner of words, numbers, HTML codes, and even empty typed spaces and line feeds. While I usually write RegEx codes by hand, I always test them in a program called Regex Match Tracer. If you want to play around in RegEx land, get a copy of Match Tracer to find and fix errors before you upload them.

Even though I am a long time MailWasher Pro registered user and supporter, there are just some types and sources of email that I don't even care to see in MailWasher's Recycle Bin (you can restore email that you deleted accidentally or misinterpreted from the built-in Recycle Bin). Some are repeat spam senders, or Chinese or Russian senders who mistakenly think I give a crap about their counterfeit pills or dating scams. Still others are sent from botnets I have already identified and blocked by certain lines in their email headers.

Get it? Got it? Good! Let's move on to some examples of my own RegEx filters that I use on my mail server for my Bluehost web hosting account.

September 14, 2014

Use a Regular Expressions filter to block email spam for .EU domains

This is a brief article describing a technique I use to block the current spate of email spam containing links to domains ending in the .EU (Europe) extension. It also demonstrates how to block certain other domains commonly used by Russian and Ukrainian spammers and cybercriminals.

I'd like to point out that spam operations that are based in Russia and The Ukraine have for a long time been setting up websites ending in the domain extension .RU (Russia). I still detect and delete a lot of .RU domain link email spam messages. But, the trend seems to be shifting now to spammers registering domains ending in .EU (Europe). Perhaps the rules for registering those domain names are less stringent than those required to obtain a .RU domain (Proof of Russian citizenship or residence).

Whatever the reason for the change in domain extensions, the outcome is the same. If you click on a link in an email spam message for weight loss panaceas, the .EU web page you land on will look exactly the same as one ending in a .RU domain name. That's because almost all of the weight loss scams and fake pharmacy sites are built using the same templates. Even the script names are the same on most of these spamvertised websites.

If your email system/provider/client allows you to create Regular Expressions spam filters, use the ones I've created to block virtually all spam containing links to .EU (and Russian) domains.

August 1, 2014

Email addresses being harvested by blank email

I just discovered an email scam that harvests the email addresses of active accounts, simply by opening an apparently blank message. The message contains no visible content or links, yet steals your email address and adds it to a database used by spammers.

How does the blank email steal your email address?

Each of these messages I have intercepted contains a simple subject, like: "Whatup," or "What's up?" The From contains somebody's first name, like Dwight, Joan, etc. You won't recognize the domain it spoofs. The body text is blank to the eye, although there are a few lines of HTML code that don't render anything when displayed in your email client.

There is an image tag embedded inside these messages, but no image is displayed. That is because the alleged image is actually a php file named unsubscribe.php. The email address of each intended recipient is hard coded into the "query string" appended to /unsubscribe.php. If you simply preview these messages in an HTML capable email reader that allows images to be downloaded, your email address is sent to that file and is instantly added to a spam database.

The domains currently being used end in the .us extension and begin with "more." The servers are in a colocation datacenter. Thus far, one of their accounts has been suspended and says so if you investigate the URL.

The purpose of this spam run is to accumulate a fresh list of active email accounts to be used in upcoming spam runs. Judging by the size of the list - plainly readable on the server - a lot of people are being tricked into adding their email accounts to the list.

July 10, 2014

Watch out for fake Amazon Order Details email malware scam

For the past few days I have intercepted numerous email scam messages, with the subject: "Order Details" and claiming to be From: Amazon.com ([email protected]). All contain a zip file attachment with a Trojan downloader or installer.

Recipients are being targeted by malicious actors abroad who bought email lists that were harvested by professional spammers and by malware infections with email harvesting modules on people's computers. The emails do not come from Amazon.com in any way. Anything claiming to be from Amazon in these messages is totally spoofed to trick you into opening the attached file. Doing so infects your Windows computer with a dangerous Trojan virus, which is identified by about 35 different names, by different anti-virus companies, as reported on VirusTotal, at the time this article was composed.

So you can be on the lookout, here is a copy of the text used in these messages.

Subject: Order Details
From: "Amazon.com" <[email protected]>

The first line in the message body is in a light gray banner:


"National" (on left)     "AmazonLocal.com" (on right)

How are you,,
Thank you for your order. We'll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com.

Order Details

Order R:121317 Placed on May 28, 2014

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon. Amazon.com

The alleged invoice in the attached (over 100kb) file is a concealed Trojan Horse malware installer/downloader. If you open the zipfile, named "report_id.zip" and execute the enclosed file, your computer will be infected.

I have created a new spam filter to detect and block these scams spoofing Amazon.com orders, for MailWasher Pro users and added it to my published MailWasher Pro Filters. In the event you get a false positive detection and deletion from the Amazon filter, I suggest adding the exact email address used in their From field to your Friends list. I don't think you will find "delivers" to be one of the ones used by Amazon, but I've been known to be wrong before. ;-(

June 1, 2014

Windows Live Mail spam filter rule to delete Russian domain messages

It seems to me that no matter what other types of email spam I get, Russian fake pharmacy links are always showing up. It appears to be their fallback money maker when other scams fail. This article describes how Windows Live Mail users can create a spam filter that blocks Russian domain messages.


If you are one of the many people Worldwide who bought into MailWasher Pro, you are probably already aware of and using my published MailWasher Pro Spam Filters. If you are monitoring that page using ChangeDetection.com, you are already aware of how frequently I have been updating my filters to respond to new spam tricks. I do this on a voluntary basis, working on my own time, with only a donate button to offer any chance of a payment.

While my spam filters can be added to MailWasher Pro using a simple, well documented procedure (explained on my filters page), folks using other email clients have to do more work to use them. Most modern desktop email clients and several of the better web browser based email systems allow users to create their own spam filters. The ones that work the best allow the use of Regular Expressions and multiple conditions (logical "AND" or "OR"). Windows Live Mail (WLM) has a half-decent spam rule system, that although it doesn't allow for Regular Expressions, can be used to at least approximate many of my spam filters. Instead of being able to combine multiple words or phrases into single line rules, WLM forces us to use plain text, one word or phrase at a time, which can then be combined using either AND or OR conditions. Rules can be set for various email fields, including the more important From, Subject and Body. The following is a rule I created to demonstrate how one might filter out Russian domain scam.

My definition of Russian domain spam includes email messages with Russian domains in the From field as well as in the message body. Russian domain names end in the Country Code: .RU (plus a few related former Soviet Union Country codes).

March 12, 2014

Email filter rules to block spam for counterfeit Pfizer products

Almost everybody who has used an email account to send or receive email has received 'tons' of spam messages promoting the illicit sale of counterfeit male performance drugs, such as Viagra.

These spam email messages often have the words "Viagra" or "Pfizer" in the From (Sender) field, to try to catch the attention of gullible people, imploring them to click on the enclosed links, leading to fake online pharmacies, selling counterfeit drugs, for which the spammers act as paid affiliates.

The folks that do knowingly click on links to buy Viagra (or Cialis, or Levitra) from these fake pharmacies are bypassing the only protection their country's medical system offers: the requirement to consult your physician and be tested to see if you are able to safely use that drug without the risk of serious consequences, and if so, at what dosage. They are placing themselves at serious medical risk by purchasing unregulated drugs that are produced by counterfeiters in Asia.

Most of the fake Viagra pharmacies dispensing Asian drugs are hosted on Russian domains, owned by Russian and Ukrainian drug spam syndicates using payment portals friendly to cybercriminals.

Last, but not least, Americans who purchase prescription drugs from foreign online pharmacies that ship the drugs to the USA, are violating Federal laws that forbid the personal importing of prescription drugs from abroad. Penalties start with seizure of the packages and may go up to fines and imprisonment for repeat offenders or distributors.

If you are not one of the gullible people who click on links in spam messages and are not interested in even seeing this kind of garbage in your email client's inbox, read on.

As a long-time spam fighter, I have been writing anti-spam filters for use in MailWasher Pro, which is made by Firetrust Ltd, based in New Zealand. I publish my own MailWasher spam filters for others to use, at no charge (other than the occasional donation). Note that these filters are specific to MailWasher Pro.

Lately, I have received a few requests from non-MailWasher users to show them how my spam filters can be "ported" for use in certain desktop email clients, like the long-deprecated Outlook Express or Windows Live Mail and even to Mac Mail. While I cannot "port" my entire filter set to another program, I can explain how particular filters can be composed in say Windows Live Mail, to do basically the same thing. I'll even go one step further and show how Webmasters and domain owners who have websites hosted on servers running cPanel can create custom spam filters to block email for counterfeit Pfizer drugs, or anything else that is known spam.

February 20, 2014

Brand new pump and dump scam hits email inboxes

I was wondering when they'd make a comeback? Well, they're here! I'm referring to the good old pump and dump penny stock scams, promoted by fraudsters, via spam email messages.

The last time I saw any of these email scams was briefly in December, 2013. Before that the last serious scam run for penny stocks petered out at the end of the summer, 2013. Each one of those pump and dump scams listed a 4 letter stock symbol with a very low valuation, along with grandiose subjects and body text proclaiming that it was about to explode, or was releasing huge news, etc. Recipients were urged to buy in quickly, in huge quantities, which drove the prices up. As soon as those artificial prices peaked, the fraudsters running the scam sold off all of their shares at a profit, leaving all of the later investors holding the bag.

After disappearing for a few months, the penny stock scam has just returned, today, February 20, 2014. This time around, the stock being pumped up is PRFC. The emails are all using the exact same language and template. All have the subject: Very important information. Please read, although this is likely to change by tomorrow. All are sent from botnetted computers. The goal is the same as before. Scammers have purchased huge blocks of super-cheap penny stocks for PRFC and are now using spam messages to pump them higher. If they succeed, it will be at the expense of the people who are fooled by their new newsletter and plain language format.

However, I did find some humor in this batch of scams. Every one of them so far has been signed at the bottom with this text: "Your favorite friend and only broker :)" But apparently, my favorite friend and only broker has multiple personality disorder and is confused as to who he or she is with any given email. Each email has a different name in the From field! So far, my "only broker" claims to be: Noemi Cooke, Markus Robertson, Jasmine Suarez, Arlene Adkins and Leandro Kinney!

I've said it before and will say it again: "A fool and his money soon will part!" Don't be a fool. Never buy anything spamvertised, especially penny stocks. The game is stacked against you by true con men and women. You will not beat them at their own game. Delete pump and dump messages on sight.

BTW: I have updated my MailWasher Pro spam filters to detect and delete these messages for you, if you are also a registered MailWasher Pro user.

Beware of emails containing a PayPal Phishing scam attachment

February 20, 2014

Today, I received a suspicious email claiming to come from PayPal, with the subject: "Account Notification" - notifying me that I had to verify my account information - because of a "planned system upgrade." As I suspected, it was a Phishing scam, not only meant to steal one's PayPal credentials, but also your identity.

Here are the most important identifying features of this email scam.

PayPal Phishing Scam Email Contents

Received: from mail.xx11.com.br ([177.8.168.7])
by imta24.westchester.pa.mail.comcast.net with comcast
id UhP31n00w09uhKl0QhP56C; Thu, 20 Feb 2014 17:23:09 +0000

From: PayPal ([email protected])
Return-Path: [email protected]
Subject: Account Notification
Message body contents (text only):


PayPal Account System Upgrade Verification.

Technical services of the PayPal Inc. are carrying out a planned system upgrade. We earnestly ask you to start with the procedure of confirmation on customers data.

 This email has been sent to all PayPal customers, and we ask a few minutes of your online experience. We have sent you an attachment form through this email. Please download and open it in your web browser.

 Your personal information is protected by state-of-the-art technology. After you have filled in all the required fields in the form, our verification system will automatically update your account records.

 We apologize for any inconvenience, and thank you for your time.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

Copyright © 1999-2014 PayPal. All rights reserved.

My analysis follows.

January 29, 2014

New Phishing scam targeting American Express card holders

Email malware and phishing scams are nothing new and most will appear for a while, then disappear, then reappear some time later. So it is with a new scam targeting American Express card holders on January 29, 2014.

Earlier today, my spam protection program, MailWasher Pro, auto-deleted a message that was a phishing scam against American Express card holders. Here are the pertinent details to watch out for, lest you fall for this scam.

Subject: American Express Security Notification
From (spoofed): "American Express" <[email protected]>
Return-path: <[email protected]>
Date: Wed, 29 Jan 2014 17:23:53 +0000
Some normally hidden email headers:
Received: from [94.197.44.27] (port=53006 helo=94.197.44.27.threembb.co.uk)
Received: from 94.197.44.27 (account [email protected] HELO otpfh.ifxkmqeu.com)
X-Mailer: The Bat! (v3.51.10) Home

The message body in plain text reads as follows.



American Express Security Notification

Dear Customer,

As you may already know we ask our customers to update the contact details associated with American Express card account.

A recent review of your account determined that you need to confirm the information associated with your American Express account.

As the Primary Contact, you must verify your account activity before you can continue using your card, and upon verification, we will remove any restrictions placed on your account.

We encourage you to use the following link and confirm your account details as soon as possible:

https://www.americanexpress.com/[Links to h**p://dychovka.eu/dissents/index.html]

Note: Failure to update your account may result in account limitations or even account closure.

We appreciate your prompt attention to this important matter.

Thank you,

Amber Justice

Level III Security Officer

American Express

© 2014 American Express Company. All rights reserved.
AMEX Account Security



Note: (I deactivated the hostile link for your safety)

Here are some pertinent details about this scam.

December 26, 2013

Email scams circulating during Christmas season 2013

It has been a month since my last blog article. During that time I have been pursuing other interests that demand much of my time. We all need to do what we must to earn a living and pay our bills. That said, here is a roundup of the security threats and scams coming to you via your email inboxes during the Christmas shopping season of 2013, in order of the danger posed to recipients.

The most dangerous email threats are those with links leading to malware attacks, or Trojan downloads, or with file attachments containing malicious payloads. Examples of such threats that I have captured this month are as follows.

  1. Costco Wholesale scam, claiming a failed delivery, spoofing "Costco Shipping Manager" as the sender, but with a totally non-Costco email domain. The message body states that the delivery of a Costco order (e.g.: COS-0034851919) was canceled due to an incorrect address. The scammer asks you to complete a form and send it back to them. The link provided goes to a compromised website where a zip file conceals an executable file that is a malicious Trojan installer.
  2. BBB Fraud. This recurring fraud spoofs the Better Business Bureau, showing the sender as: Better Business Bureau with account names like: [email protected]. The subject is akin to: FW: Complaint Case 158402349343. As in most of these scams, the body text starts off with: "The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you." The ones I saw this month contained hostile zip file attachments (e.g.: Case 463252349343.zip) containing Trojan installers.
  3. Dun & BradStreet Fraud. This scam is directly related to the BBB fraud mentioned above and is sent by the same spam gang. The sender is spoofed as: "Dun & BradStreet ([email protected])." The subject is something like: "FW : DNB Complaint - 0582564." Using similar language as the BBB scams, the body text contains this come-on: "Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you." They also contain hostile file attachments, with names like: "Case_0582564.zip."
  4. My CV Scam. This scam attempts to fool employers or hiring agencies into opening a hostile file attachment, which the sender claims contains their resume in "CV" format. I doubt that anybody in the USA would be stupid enough to fall for the horrible language used in these scams, with text like this: "Hello, I sent you my detailed CV. I hope you will like me I am the winner of different beauty contests. My photos are added as images in the document, I need this job very much. Waiting for your soonest reply, Kisses, Chloe Mason"

August 18, 2013

Weight loss spam returns to overtake new pump and dump scams

Last week, I wrote two articles (1 - 2) that revealed that the amount of spam for green coffee bean extract had been surpassed by a big pump and dump campaign, which was pushing two different stocks. Now, the pattern has reversed and weight loss spam exceeds pump and dump.

Regarding the weight loss scams; they no longer mention green coffee bean extract in the spam message bodies. You find this out if you click on the links, which have also morphed from Polish domains (.pl) to Russian domains (.ru). The rest is the same stuff, using Russian underground affiliate template web pages, hosted on Russian web domains. Most of the diet scams I saw this week are spoofing Dr. Oz as the sender, using a couple of different spellings. The message bodies even claim to be official Dr. Oz newsletters, which they are NOT! All of the details are bogus, as is the diet formula they promote.

Note: I researched Green Coffee Bean Extract and found reports on real forums (like WebMD) where most of the people using it got sick from it, until they stopped taking those capsules. The only weight loss was from vomiting, etc.

Pump and Dump

The new pump and dump scam emerging over the last few days is a scam promoting a stock with the symbol MONK. The two previous campaigns seem to be mostly abandoned, after they failed to make the expected profits for the scammers running this dog and pony show. If you are smart, when you see emails promoting MONK, with or without underscores and/or spaces between the capitalized letters, don't be fooled into thinking they are legit. They are scams, run by professional con men, all of whom have conspired to purchase large volumes of shares in the penny stocks they pump up.

As always, the goal of a pump and dump campaign is to pump up interest in a stock, using botnet-sent spam messages, driving up the volume of transactions and the value per share. When the value reaches an agreed-upon price, the scammers all sell off their shares, turning a profit for themselves, at the expense of everybody else whom they suckered in.

Today's take-away

1: Green coffee beans won't help you lose weight, but will sicken you and lighten your wallet.
2: Getting involved with a pump and dump stock scam will lighten your bank account when it fails. Further, these are Ponzi Scams, under US law.


July 30, 2012

How to block most spam with a few of my MailWasher Pro filters

Almost everybody who sends and receives email has to deal with spam, scams and security threats that are delivered by spammers and their botnetted computers, every day. Manually sorting through email subjects to detect and delete spam is time consuming and not always effective at first glance. It is more efficient to let my spam filters do the work for you.

Many people choose to use their web browsers to "do" email, which leaves them at the mercy of their email provider to filter out spam. Countless others prefer to use a real, desktop email client to compose, send and receive email, using the POP3 or IMAP email protocols. If you are in the second group and are using a real email client, like Windows Live Mail, adding MailWasher Pro and my custom MailWasher spam filters can reduce the amount of spam, scams and malware threats getting through to a few percentage points.

I currently have published almost 150 spam filters for MailWasher Pro users to download freely and apply to their copy of the program. These spam filters cover both the old version 6.x (last version is 6.5.4) and the new XML versions starting with v 2010. Only the new version is under development now. MailWasher Pro is currently at version 2012 - 1.20.1.

Although I have created and published about 150 filters, in reality, only a few are needed nowadays to block most of the current crop of junk email. I shall list these filters below, along with the types of spam that they are able to detect and delete. Note that in the new version of MailWasher Pro, automatic deletion occurs when a certain spam rating number has been reached, or if you decide to set one or more filters to automatically delete messages matched by those filters. Some of my filters are set to what I call "Judge Dredd, Murder - Death - Kill" settings, meaning they auto-delete anything matching their conditions. The MailWasher spam filters can include both plain text and regular expression matches and are very powerful.

Continue reading "How to block most spam with a few of my MailWasher Pro filters" »


July 10, 2012

Image links now being used in USPS email malware scam

UPS, USPS and other courier name email scams are nothing new. We've seen UPS, DHL and FedEx spoofed for several years in various malware campaigns. The payloads are usually delivered via malware laden attachments, disguised as invoices, shipping labels, or pickup instructions, which the victim is supposed to open and print out. This week there is a new twist to the courier scams: clickable images containing a message and instructions to click to "print a shipping label."

The scams I have intercepted over the last two weeks or so spoof two services in the same message: UPS (United Parcel Service) and USPS (United States Postal Service). Either the spammers who write the text for these scams aren't aware that these are two different entities, or are counting on recipients overlooking this fact and falling for the bait due to recognizing the names.

In either case, the purpose of these messages, like those before them, is to infect unwary email recipients with Trojans, like the ZeuS bank account stealing malware, a botnet installer, a backdoor remote controller, and sometimes, fake security programs that demand money to fix non-existent problems (the pop-up desktop alerts are fake and themselves are the problem!), or fake FBI or other Police notices which hold the computer hostage until a ransom is paid for alleged bad behavior.

The courier scams are sent in bulk to everybody (via botnetted PCs), but are really targeting businesses and people who frequently send or receive goods via UPS or USPS, like eBay buyers and sellers. The criminals responsible (in Russia) are hoping that a busy secretary or shipper will open the attachment, or click on the link without thinking it through, or reading all of the text carefully (for giveaway typos or mixed up brand names).

Next, let's take a look at the image being used in the latest incarnation of the UPS/USPS email scams.

Continue reading "Image links now being used in USPS email malware scam" »


June 14, 2012

New email BlackHole exploit attack has embedded JavaScript & iframe

A few days ago I discovered an email scam that tries to directly deliver the BlackHole Exploit Kit to victims, inside the message body of those emails. The Subject used was: "Re: URGENT" and the sender addresses spoofed Twitter, LinkedIn and sbcglobal.net customers. In all cases, the hostile code was no longer reached via links, but simply by opening the email in your email client, with HTML display enabled and iframes allowed.

Rather than delving into a big technical discussion about the exploit itself (which I have covered numerous times), this article will attempt to help protect you from being exploited by it, or another like it.

We first need to define how the attack inside these email messages is triggered. The messages use a two-pronged attack. In the first method, the exploit code itself is embedded inside the message body, inside <script> tag sets. The second method uses an HTML "iframe" tag whose "src" (source) is a remote server or website that is hosting the BlackHole attack kit.

The criminals that sent this to you are hoping to exploit you if your email reader is set to render HTML and scripting. Many users allow these things by default. The second method is used to attack you in the event you disallow scripting, but do allow iframe contents to be rendered. This is a tricky one-two punch.
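A mail gateway or screening script can look for both prongs before a message ever reaches the email client. The following is an added example, not code from the original post: the sample messages and the .example host names are constructed, and `ActiveContentFinder`, `scan_message` and `verdict` are hypothetical names.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class ActiveContentFinder(HTMLParser):
    """Records every <script> and <iframe> start tag in an HTML body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (tag, detail) tuples, in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            # Inline code has no src; external code is fetched from src.
            self.findings.append(("script", attrs.get("src") or "inline"))
        elif tag == "iframe":
            host = urlparse(attrs.get("src") or "").hostname
            self.findings.append(("iframe", host or "no remote src"))


def scan_message(raw):
    """Return active-content findings for every text/html part of a message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = ActiveContentFinder()
        finder.feed(part.get_content())
        finder.close()
        findings.extend(finder.findings)
    return findings


def verdict(findings):
    """Ordinary mail needs neither tag, so any hit is held for review."""
    return "quarantine" if findings else "deliver"


# Constructed sample: an HTML part carrying both prongs described above.
# The script body is a placeholder comment, not real exploit code.
SAMPLE = """\
From: "Twitter" <notify@twitter.example>
Subject: Re: URGENT
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please read the message.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please wait...</p>
<script type="text/javascript">/* obfuscated code would sit here */</script>
<iframe src="http://kit-host.example/index.php" width="1" height="1"></iframe>
</body></html>
--b1--
"""

# Constructed sample: plain HTML mail with no active content.
CLEAN = """\
From: newsletter@shop.example
Subject: Your receipt
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Thanks for your order.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        hits = scan_message(raw)
        print(name, verdict(hits), hits)
```

The iframe finding is reported even when scripting is switched off in the client, which is the case the second prong is aimed at.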

Here are some ways you can protect your computers from being exploited by the embedded BlackHole attacks.

Continue reading "New email BlackHole exploit attack has embedded JavaScript & iframe" »


June 5, 2012

Fake Join my network on LinkedIn email scam has links to BlackHole Exploit Kit

For the past few days I have been receiving email scams claiming to come from LinkedIn, some of which are password reset scams, with the latest being an invitation to join somebody's LinkedIn network. Both are scams, with links leading directly to a compromised website that is hosting the BlackHole Exploit Kit.

Let's take a look at the most recent LinkedIn scam: "Join my network on LinkedIn"

The email Subject is: Join my network on LinkedIn.
The (spoofed) From (sender) address is: [email protected].
The Reply-To address is spoofed as: [email protected]
The first Received from line, from the final mail server is:
Received: from [182.182.16.190] (port=1664) - which is definitely not LinkedIn.com. Further details reveal that the message was sent from mail.bucklerboots.com, not LinkedIn.com.

The message body is loaded with images drawn from LinkedIn and text containing the following come-on:
"Mimi Kauffman has indicated you are a Friend ... I'd like to add you to my professional network on LinkedIn.- Mimi Kauffman ... View invitation from Mimi Kauffman (has payload link) ... WHY MIGHT CONNECTING WITH Mimi Kauffman BE A GOOD IDEA? Mimi Kauffman's connections could be useful to you After accepting Mimi Kauffman's invitation, check Mimi Kauffman's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future."

My apologies to Mimi Kauffman, whoever you are. Contrary to the claim in the message, we are NOT friends and do not know each other. Spammers are using your harvested name in scams, just like they might be using mine or anybody else's. It is a tactic used to gain trust; a con game; "a Joe Job."

The text is much like what a LinkedIn member would receive in a legitimate request. Spammers join LinkedIn so they can gather templates from actual email messages, for use in scam campaigns. Then, they substitute their own poisoned links for LinkedIn links, to drive victims to booby-trapped websites.

Continue reading "Fake Join my network on LinkedIn email scam has links to BlackHole Exploit Kit" »


May 25, 2012

New money mule email scams lead to infamous Rock Cruit Management

Today, while reviewing my auto-deleted spam email messages, I found one that I decided to take a closer look at. It is an obvious Money Mule recruitment scam (to spam hunters like me), with the subject: "Re : Re : Please Complete Your Job Application." Let's see where it leads, shall we?

First of all, everything in the headers is garbage. Throw them out, except to report the unwitting sender to SpamCop, which I did. The sender was an open proxy in Greece. The spamvertised link was to a URL shortener service hosted in China.

The bait was as follows:


The salary available for open openings range from $35.77 /hr to $57.62 per hour.
Prior being considered, we will first need you to formally apply.
Please go here to begin the process:


I have seen these exact same words, with only slight variations, for a year or longer. In fact, I write spam filters for MailWasher Pro users which detect these phrases and others, to auto-delete such scams.

I decided to follow the URL shortened link and see where it leads.

Continue reading "New money mule email scams lead to infamous Rock Cruit Management" »


May 24, 2012

Anatomy of a PayPal email scam leading to malware

Cyber-criminals are once again ramping up their email scam campaigns to deliver messages with links to malware servers they control. One of the recent scams, happening this week, is a PayPal Payment scam, with links leading to an exploit attack kit.

The most recent PayPal scam arrives in your Inbox with the Subject: "You sent a payment" and a spoofed From address: "[email protected]" <[email protected]>. However, if you were to take a look at the actual, normally hidden header information, you would see that the email came from some other, unrelated website. The PayPal scam I am looking at came from Brazil:

Received: from [187.56.96.53] (helo=telesp.net.br).

See my article from 2006 for suggestions on how to display email headers.
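The comparison made by eye here, and in the LinkedIn scam earlier on this page, is between the domain in the From field and the host recorded in the topmost Received line. The following is an added example, not code from the original posts: the two IP addresses and the HELO name are the ones quoted in the posts, while the From addresses, the receiving server name and the third message are constructed, and `parse_received` and `assess` are hypothetical names.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def same_site(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def parse_received(value):
    """Pull the connecting IP and any host names out of one Received header."""
    # Only the part before " by " describes the sending side.
    head = re.split(r"\sby\s", " ".join(value.split()), maxsplit=1)[0]
    ip = re.search(r"\[([0-9A-Fa-f:.]+)\]", head)
    helo = re.search(r"helo=\[?([A-Za-z0-9.-]+)", head, re.I)
    name = re.match(r"from\s+([A-Za-z0-9.-]+)", head, re.I)
    return {
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1).lower() if helo else None,
        "name": name.group(1).lower() if name else None,
    }


def assess(raw):
    """Compare the From domain with the host in the topmost Received header.

    The topmost Received line is the one written by the recipient's own mail
    server. The HELO name in it is whatever the sender chose to announce, so a
    match proves nothing, but a mismatch is a reason to look closer. Legitimate
    senders that relay through third parties also mismatch, so treat this as a
    triage signal and rely on SPF and DKIM results for a firm answer.
    """
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    received = msg.get_all("Received") or []
    top = parse_received(received[0]) if received else parse_received("")
    host = top["helo"] or top["name"]
    aligned = bool(host and from_domain and same_site(host, from_domain))
    return {"from_domain": from_domain, "ip": top["ip"],
            "host": host, "aligned": aligned}


# Constructed messages built around the Received lines quoted on this page.
PAYPAL_SCAM = """\
Received: from [187.56.96.53] (helo=telesp.net.br) by mx.recipient.example with esmtp
From: "service@paypal.com" <service@paypal.com>
Subject: You sent a payment

(body omitted)
"""

LINKEDIN_SCAM = """\
Received: from [182.182.16.190] (port=1664) by mx.recipient.example with esmtp
From: LinkedIn <member@linkedin.com>
Subject: Join my network on LinkedIn

(body omitted)
"""

# Constructed contrast case: sender host and From domain agree.
ALIGNED = """\
Received: from mail.shop.example [192.0.2.10] (helo=mail.shop.example) by mx.recipient.example with esmtp
From: billing@shop.example
Subject: Your invoice

(body omitted)
"""

if __name__ == "__main__":
    for raw in (PAYPAL_SCAM, LINKEDIN_SCAM, ALIGNED):
        print(assess(raw))
```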

The PayPal scam message body text is meant to both poke the curiosity of the recipient (by the dollar amount they allegedly sent) and to delay their checking into their PayPal accounts to see if they did make such a payment. Here is how the crooks accomplish these important tasks:


You sent a payment Transaction ID: 2T004487YM209135A
Dear PayPal User, You sent a payment for $334.85 USD to Otis Bauer (or another name). Please note that it may take a little while for this payment to appear in the Recent Activity list on your Account Overview...

This payment was sent using your bank account.By using your bank account to send money...


The call to action that they want victims to perform is NOT to login to their PayPal accounts to investigate this scam (See italicized sentence above), but to click on poisoned links provided among keywords in the email message body. These links are wrapped around every word that a PayPal user might normally expect to be available for seeing details about their accounts. The linked words were as follows:

  • 2T004487YM209135A

  • View the details of this transaction online

  • Help Center | Resolution Center | Security Center

  • h**ps://www.paypal.com/us/cgi-bin/webscr?cmd=_history (not URL in link)

  • h**ps://www.paypal.com/us/cgi-bin/webscr?cmd=_contact_us (not URL in link)


Each one of the above anchor words was wrapped by a link to a compromised website that contained the following contents (placed there when they got hacked):

WAIT PLEASE
Loading...
<script type="text/javascript" src="h**p://REMOVED.com.tr/fu25e3pr/js.js"></script>
<script type="text/javascript" src="h**p://REMOVED-epices.com/X1RrZw4G/js.js"></script>
<script type="text/javascript" src="h**p://REMOVED.com.au/Xsqgw1AK/js.js"></script>

Continue reading "Anatomy of a PayPal email scam leading to malware" »


October 30, 2011

Spam and email threat analysis for the week ending Oct 30, 2011

In case you didn't know it, spam levels have increased dramatically this week. For the first time in about a year, my own spam level has reached 60%. This is up 12% from last week. While the actual amount of spam has increased, the subjects and scams have not changed much. Only the percentages by category are changed this week.

For those who haven't read my spam reports before, I employ an email screening program named MailWasher Pro to act as a filter for known, or suspected spam, scams and virus threats. I obtain statistics at the end of each week, for each category of spam, based upon filters I write and publish (for other MailWasher Pro users).

The number of threats arriving in spam email was greatly reduced from the previous month. There were just a handful of ACH and Wire Transfer Rejected scams. They all contained links leading to Russian, Romanian, or Ukrainian malware servers. All spam for pirated software is still hosted on Ukrainian domains, ending in .COM.UA. Most of the rest of the spam this week was hosted on Russian .RU domains. This is especially true for the numerous Russian Bride online dating scams.

Let's look at my spam statistics for the week ending Oct 30, 2011, as obtained from my anti-spam program: MailWasher Pro.

Continue reading "Spam and email threat analysis for the week ending Oct 30, 2011" »


October 23, 2011

Spam and email threat analysis for the week ending Oct 23, 2011

Spam is definitely increasing, compared to one month ago. For the last month it hovered around the 40% level. Now, it is approaching 50% of my incoming email. This may not jibe with your figures, but my amount of good mail is fairly consistent, so my spam percentages are measurable.

Last summer saw spam levels drop way down, but I am not surprised at this constant increase. New spammers are being recruited and my guess is that the spam class of 2011 has graduated. These fools pay to get into the spam game, hoping to find enough suckers to make a big profit. Spammers are paid for leads, sales, credit card number theft and computer infections.

The biggest categories have not changed much over the last few years. I saw a lot of junk mail for Fake pharmaceuticals, male enhancement pills, weight loss capsules, pirated software, fake diplomas and some Nigerian 419 and lottery scams. What is interesting is the resurgence of Russian Bride dating scams.

The worst threats delivered via email were ACH fraud scams, containing links leading to infection of computers. The predominant infection from following the links in these scams is the Zbot, a.k.a. Zeus Trojan, plus a Botnet installer. The Zeus hides and watches for you to login to your financial institution, then steals your credentials and money. It is also used to commit identity theft. I have a custom spam filter that blocks ACH scams.

Almost all of the spam I received last week had links to Russian or Ukrainian domains. They don't even try to cloak the links. Lax enforcement in Russia and The Ukraine makes it relatively easy for counterfeiters, fake pharmacies and software pirates to conduct illegal or shady businesses, without much fear of arrest. There are some high level arrests, now and then, but they are just the tip of the iceberg. There are more Russian spammers and Bot-Masters than their police can investigate. For every top spammer busted, five more seem to take his place.

Let's look at my spam statistics for the week ending Oct 23, 2011, as obtained from my anti-spam program: MailWasher Pro.

Continue reading "Spam and email threat analysis for the week ending Oct 23, 2011" »


October 13, 2011

How to block spam email fake ACH Canceled Payment messages

I was reading my website's raw access logs today and saw that one visitor arrived on my blog when he or she searched Google for this phrase: ach+payment+canceled+spam+how+to+stop. This article will offer suggestions to block such messages from your inbox.

First of all, you need to understand that you are not alone in being a scam and spam recipient. Almost everybody who sends, receives, forwards or replies to any email message will probably end up on some spam database eventually. Master Spammers compile email address databases using various means. Then, these addresses are sorted by country and sold to other, second level spammers. These spammers then rent the use of botnets to blast out ginormous amounts of spam email, to promote various products and services, for which the spammers are affiliates (paid by the sale, or per infection, or referral).

The ACH payment canceled scam which my visitor was asking about is not your typical type of spam message. It comes under the category I call "mal-mail," meaning it contains either a malware laden attachment, or a link to malware exploit attacks or downloads. This is a very dangerous class of email to allow into your computer's email client.

Here are some methods you can try to use to block the ACH scam emails from your inbox.

Continue reading "How to block spam email fake ACH Canceled Payment messages " »


October 9, 2011

Spam analysis by category, for week of Oct 2 - 9, 2011

Despite the takedown of several of the top spam botnets this year, spam levels have remained at the same level of 40%. Most spam this week was still promoting Russian and Ukrainian domains, pushing counterfeit drugs, pirated software, replica ripoff watches, malware exploits and dating scams.

There is a trend that began developing a few weeks ago. That is the registration of spam domains ending in .com.ua, which is a new type of Ukrainian domain. The domains being spamvertised with links ending in ".com.ua" are spamming pirated software, fake watches, Russian and Ukrainian dating scams, fake Cialis, Viagra and other illegal to import (into the US and Canada) prescription drugs.

There was a big decline in the amount of spam emails that actually carried a malware payload in an attachment. They were replaced with several threats that use links to exploit their victims, rather than attached files. The end result is the same for those tricked into clicking those links: bots and various Trojan downloaders.

I compile my spam statistics from my spam screening program MailWasher Pro, which I use to filter out spam, malware attachments and dangerous links, before downloading any messages to Windows Live Mail, which is my desktop email client. The categories represent custom spam filters which I write and publish.

The following is a list of categories of spam received this week, ranked by percentage, highest first.

Continue reading "Spam analysis by category, for week of Oct 2 - 9, 2011" »


October 2, 2011

Spam analysis by category, for week of Sept 26 - Oct 2, 2011

Another week has gone by and spam levels have remained fairly static, at the same level (just under 40%) as the previous week. Most spam this week was promoting Russian and Ukrainian domains, pushing counterfeit drugs, pirated software, replica ripoff watches and dating scams.

Thankfully, there was a big decline in the number of scam emails containing malware in attachments, or at the end of hyperlinks. I did see a lot more spam messages for pirated software, all hosted on Ukrainian domains, ending with .com.ua. Also on those domains were male enhancement scams, weight loss, and someone named Elina who is looking for a man, but has an email address beginning with Maria.

Not to be left out, there were several Nigerian 419 scams and lots of junk mail for fake Cialis and Viagra. What few ACH Transaction Canceled scams I saw ended about mid-week. I have blogged about these threats numerous times since late August 2011. Search this blog for details about the ACH and FDIC scams leading to malware exploits and botnets.

The following is a list of categories of spam received this week, ranked by percentage, highest first.

Continue reading "Spam analysis by category, for week of Sept 26 - Oct 2, 2011" »


September 27, 2011

Why Email Archiving Is an Essential Part of Email Management

Why should email archiving be an important part of your company's email management?

Email is an intrinsic part of business communications and today is often the primary means of doing business with customers and communicating internally. Email is also a huge source of corporate and confidential data.

In a fast-paced environment, it's important to have a reliable email system in place as well as a comprehensive email management strategy to minimize downtime, limit help desk calls, achieve compliance and have a backup plan should anything go wrong.

One important facet of every email management strategy should be email archiving.

With most administrators imposing email quotas on their Exchange server because of storage restrictions and performance issues, employees tend to use Outlook's 'Auto-Archive' function to create PST files. This is often a problematic approach to email management because the administrator either has little control over the locations of the PST files (in some folder on the PC) or they are stored in a network share (with the resultant impact on storage space). Searching for old emails or conversations can be a major undertaking. Administrators simply do not have the time to search individual machines for missing PSTs and, if that PST is corrupt, go through the process to restore that file. If those emails are required for compliance or audit reasons, the administrator will be very concerned - what happens if the email cannot be located?

In small networks where the administrator has a lot more control, PSTs may be acceptable if there is a strict PST policy in place - but not in larger environments. The task to manage PSTs will reach a point where the admin has little control, PSTs are all over the place and the risk of email being lost or corrupted grows exponentially.

One way to address this set of problems and keep everyone happy is to take email storage off the Exchange Server and out of PSTs. This is achieved through email archiving. Administrators will have full control over how and where emails are stored and saved, emails are offloaded from the Exchange server and should the need arise, search for email from one single location with ease. Users, on the other hand, do not have to worry about deleting emails when their quota is reached because every email is stored for them in a central location, easily accessible via a web interface or through their email client (with the appropriate connector to the database).

While this addresses performance, storage and data loss issues, email archiving also makes the legal department happy because they know that all corporate email is stored in a central repository, is secure and easily searchable.

Email archiving is one element of your email management strategy. There are other important steps such as implementing antivirus and anti-spam at the gateway and on the Exchange Server.

In this post we have outlined how email archiving is a fundamental tool for administrators to manage their email infrastructure and to comprehensively deal with email storage issues, email compliance and e-Discovery, business records, and Exchange server performance.

This guest post was provided by Christina Goggi on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Read more on email management.

All product and company names herein may be trademarks of their respective owners.


September 26, 2011

ACH email scams now using links to malware exploit sites

Over the last couple of weeks there has been a huge spam run with fake ACH canceled transaction notices, all of which came with malware inside attached files. Recipients were urged to open these files to read the failed transaction report. Effective 9/26/11, the same message text is being re-used, with the exception of how the victim is supposed to read the "Transaction Report."

Now, instead of sending malware directly as attached files, the criminals behind this scam are providing links to read the "Transaction Report" at the "Nacha.org" website. At least, that is what the links show to the casual observer. If one hovers over these links they learn that the destination is not nacha.org, but a totally different website name. All of the domain names used in the spam run I saw today (9/26/2011) were registered today, with a company calling itself: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE. Most of the domains are not resolving at this time, but at least one is. That malware serving site is at na-chas-data-info DOT com (do not go there with a standard browser!).
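The hover test described here, and the same gap between link text and destination in the PayPal message earlier on this page, can be run over a whole message body at once. The following is an added example, not code from the original posts: the sample HTML and the .example host names are constructed (the transaction ID and link wording are the ones quoted in the PayPal post), and `LinkCollector`, `shown_host` and `check_links` are hypothetical names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
BARE_HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)


class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None


def shown_host(text):
    """Host name the reader sees in the link text, or None if it shows no URL."""
    match = URL_RE.search(text)
    if match:
        return (urlparse(match.group(0)).hostname or "").lower() or None
    candidate = text.strip().rstrip(".")
    return candidate.lower() if BARE_HOST_RE.match(candidate) else None


def same_site(host, domain):
    """True when host is the domain (ignoring a leading www.) or a subdomain."""
    domain = domain.lower()
    if domain.startswith("www."):
        domain = domain[4:]
    return host == domain or host.endswith("." + domain)


def check_links(html, claimed_domain):
    """Flag links whose destination is not where the text or sender implies."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for text, href in collector.links:
        target = (urlparse(href).hostname or "").lower()
        if not target:
            continue  # mailto:, fragment or relative link: nothing to compare
        shown = shown_host(text)
        if shown and not same_site(target, shown):
            findings.append((text, target, "text shows another site"))
        elif not same_site(target, claimed_domain):
            findings.append((text, target, "leaves the claimed sender's site"))
    return findings


# Constructed body modelled on the PayPal scam: brand wording, foreign links.
PAYPAL_HTML = """
<p>You sent a payment. Transaction ID:
<a href="http://hacked-shop.example/wp/pp.html">2T004487YM209135A</a></p>
<p><a href="http://hacked-shop.example/wp/pp.html">View the details of this
transaction online</a></p>
<p><a href="http://hacked-shop.example/wp/pp.html">https://www.paypal.com/us/cgi-bin/webscr?cmd=_history</a></p>
<p><a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_contact_us">Contact us</a></p>
"""

# Constructed body modelled on the NACHA scam: the text names nacha.org.
NACHA_HTML = """
<p>Read the <a href="http://lookalike-report.example/ach/">Transaction Report</a>
at <a href="http://lookalike-report.example/ach/">nacha.org</a>.</p>
"""

if __name__ == "__main__":
    for finding in check_links(PAYPAL_HTML, "paypal.com"):
        print(finding)
    for finding in check_links(NACHA_HTML, "nacha.org"):
        print(finding)
```

Comparing against the claimed sender's domain also catches links whose text is not a URL at all, such as the transaction ID.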

Upon landing on this still active website, hosted on Yahoo.com, victims see a fake "NACHA - ACH Transfer Rejected" titled page. Unknown to the victim, a hidden iframe is hijacking the browser away from that fake notice to a server that attacks the browser with the BlackHole Exploit Kit. That server is at: "huntcheerful.com" - hosted at p8p.geo.vip.sp2.yahoo.com.

UPDATE:
As I was typing this the malware account at huntcheerful.com began serving a 503 Service Unavailable notice. I guess that somebody at Yahoo finally read my SpamCop reports against this domain.

It appears that the six domains I reported earlier today have all been taken offline. However, the people behind this scam will keep registering new cheap domain names and will continue to abuse legitimate web hosts to serve malware to as many people as they can trick into clicking on those links.

To protect yourself, your family, and/or employees, inform them that the US NACHA organization does not ever contact the public about any failed "ACH" transactions. Neither does anything going by the name ACH ever contact people whose transactions didn't go through. Only your bank will contact you if your check, deposit, or money transfer fails.

Any email about a failed ACH transaction, not coming from your known bank, is a fake and a scam and should be deleted on sight. If someone at your business receives such a notice and isn't sure if it is legitimate, call your bank and ask if a recent transaction has failed, or been canceled by the other party. In 99% of the calls they will tell you no such thing has occurred.

You can add a layer of protection to your email users by creating rules that block all emails claiming to be sent from nacha.net, nacha.org and nacha.us. If you are able to create wildcard rules, block all email from any address at nacha.anything. The email screening program MailWasher Pro, which I use, utilizes regular expressions to blacklist email senders, based on what is listed in the "From" field. The rule I use to block anything from any sender @ nacha.anything is: +@nacha.+

In addition to using blacklisted senders, MailWasher also uses custom filters, which I happen to publish for others to use. A couple of my MailWasher filters already detect, flag and/or auto-delete these scams.

Continue reading "ACH email scams now using links to malware exploit sites" »


September 25, 2011

Spam percentage continues to decline in percentage & threat level

Since last Sunday night, Sept 18, my incoming percentage of spam email has dropped slightly, from 36% to 35%. This makes 4 weeks in a row of small, yet steady decreases in spam. Furthermore, the amount of malicious attachments has taken a drastic downturn from the previous few weeks.

With the welcome decline in the number of malware laden attachments, what is left is standard junk email for prescription drugs, illegal to import into the USA, sold without a prescription, from Russian and Ukrainian domains. Also there were many male enhancement (Max-Gentleman) and weight loss scams (pushing HCG pills), as well as the usual batch of fake Viagra and Cialis. Again, these are prescription drugs, and even though they're counterfeit, they are illegal to import into the USA from abroad. There were even a few spam emails selling fake diplomas and a bunch of Nigerian lottery and inheritance 419 scams.

I compile my spam statistics from my spam screening program MailWasher Pro, which I use to filter out spam, malware attachments and dangerous links, before downloading any messages to Windows Live Mail, which is my desktop email client.

Spam Statistics for September 19 through 25, 2011 (compiled at about Midnight)

Total email received: 440
Amount classified as spam: 155
Percentage of spam: 35%
Number matched by my custom filters: 140
Number caught by my Blacklist: 11
Number identified by DNS Blacklists: 4
Reported to SpamCop: 38

Individual categories of spam follow...

Continue reading "Spam percentage continues to decline in percentage & threat level" »


September 22, 2011

New twist in malware threats in email attachments - Sept 22, 2011

While checking incoming email today, I received some new variations of recent malware threats, in email attachments. Upon examining the source codes I found that some are variations of the previous FDIC (Federal Deposit Insurance Corporation) warnings, directly related to the previous few weeks of scams for ACH (Automated Clearing House) canceled transactions notices.

The new scams have the Subject: FDIC message center

There is a new twist to the FDIC scams, which I saw for the first time, today, September 22, 2011. Instead of actual text, they are now using an embedded image to convey a message meant to scare recipients into opening the attached file. This image looks like it might be sent from the FDIC, complete with official logos. Rest assured it is a Photoshopped image, containing words directing victims to open the hostile attachment.

The wording on the first captured FDIC scams of 9/22/11 read as follows:


Dear Customer,
Your account ACH and WIRE Transaction have been temporarily suspended for security reasons due to the expiration of your security version. To download and install the newest installations read the document(pdf) attached below.

As soon as it is setup you transaction abilities will be fully restored.

Best regards, Online Security department, Federal Deposit Insurance Corporation.


The reason that the message is conveyed by an image is to get these scams past email spam filters, which work by identifying spam words. Since there are no actual text words, many of these scams will be delivered.

Presently, the malware attachment is named "FDIC information" - without any extension. This is an error on the part of the people who composed this template. Rest assured, there is a malware payload inside the attached file, which weighs in at 28,822 bytes. I am certain that the next batch of these scams will contain an extension, such as .pdf, .zip, or .pdf.zip, like the scams of the previous few weeks.


September 18, 2011

Spam volumes remain high, but are declining

For the second week in a row, I have seen a decline in the overall volume and percentage of spam email. While the percentage is still high, at 36%, it is down 3% from last week. Most spam for counterfeit drugs, fake diplomas, Nigerian 419 scams and replica watches is profit driven by the suckers who respond to spammers' come-ons. But, a large amount is still coming in containing malware in attachments.

The weekend of September 12 through 18 saw a temporary decline of a prolonged spam run for fake ACH failure notices, all containing the Zeus/Zbot Trojan, but it picked back up midweek. Added to the mix of hostile attachments were emails claiming to be invoices and changelogs. They also contain the Zbot banking Trojan and botnet installers.

I obtain my spam statistics from the anti-spam program MailWasher Pro, which I use to filter out spam, malware attachments and dangerous links, before downloading any messages to Windows Live Mail, which is my desktop email client.

Spam Statistics for September 11 through 18, 2011

Total email received: 426
Amount classified as spam: 155
Percentage of spam: 36%
Number matched by my custom filters: 129
Number caught by my Blacklist: 21
Number identified by DNS Blacklists: 4
Reported to SpamCop: 19

Individual categories of spam follow...


September 12, 2011

Spam down slightly, as ACH and Facebook scams play out

After peaking two weeks ago, the volume and percentage of spam in my Inbox has declined again by 2%, to 39%. While most email spam is for counterfeit pharmaceuticals and watches, much of the spam over the past few weeks has contained malicious attachments, or links to exploit attack websites.

The weekend of September 9 through 11 finally saw the (temporary) end of a prolonged spam run for fake ACH failure notices, all containing the Zeus/Zbot Trojan, as well as the almost month long campaign of fake Facebook Friend Requests (with Arabic names in the subject). Those emails were scams and had links to a website that contained both on-page and hidden codes leading to serious malware infections, including the Zbot.

The purpose of the malware attachments and hostile link spam blasts was to infect unsuspecting computer users with key loggers that steal their online banking credentials (and all their money), and to install botnet remote control backdoor software on them.

See my recent posts (listed in the right sidebar) during August and early September, 2011, about the ACH and Facebook scams leading to botnet infections. They, and other articles like them, are also found in my "Spam" category listings.

I use the anti-spam program MailWasher Pro to filter out spam, malware attachments and dangerous links, before downloading any messages to Windows Live Mail, which is my desktop email client.

Spam Statistics for September 5 through 11, 2011

Total email received: 440
Amount classified as spam: 172
Percentage of spam: 39%
Number matched by my custom filters: 155
Number caught by my Blacklist: 14
Number identified by DNS Blacklists: 3
Reported to SpamCop: 10

Individual categories of spam follow...


September 4, 2011

Spam % remains high, with malware attachments & hostile links

For the second week in a row, my volume and percentage of spam has passed 40%. This week I saw 41%, which is down just 2% from the week before. Notably, much of the spam either contained malware in attachments, or had links leading directly to malware exploits.

There were two specific classes of malware threats this week, carried forward from last week: (1) the ACH canceled payment-transaction under review scams, containing the Zbot/Zeus banking Trojan, and (2) fake Facebook Friend Requests, leading to the BlackHole Exploit Kit, plus the Zbot and botnet installers. The preceding links are to articles I have already written, explaining these threats and how you can identify them and deal with them.

While the ACH scams seem to have subsided, the Arabic name Facebook Friend Request threats are still persisting, as of the time I published this.

In a nutshell, from August 29, through September 4, I logged the following spam statistics, using MailWasher Pro, by Firetrust.

Total email received: 431
Amount classified as spam: 181
Percentage of spam: 41%
Number matched by my custom filters: 168
Number caught by my Blacklist: 13
Number identified by DNS Blacklists: 0
Reported to SpamCop: 17

Individual categories of spam follow...


August 30, 2011

ACH Email Fraud Morphs Into FDIC Notification Scam

It was only a couple of days ago (8/26/2011) that I published a blog article warning people about the threats contained in fraudulent emails claiming that an ACH transfer had been canceled and that the recipient needed to read the report in the attached file.

Beginning at 3 AM, EST, I received four consecutive email scams in 15 minutes, with the subject: "FDIC notification," with the forged sender (the actual "sender" is an infected PC in a spam botnet): "[email protected]," and the following body text:


Dear customer,
Your account ACH and WIRE transaction have been temporarily suspended for
security reasons due to the expiration of your security version. To download and install the newest installations read the document(pdf) attached below.
As soon as it is setup, you transaction abilities will be fully restored.

Best Regards, Online Security departament, Federal Deposit Insurance Corporation.


The attached file is currently named "FDIC_document.zip" - although the filename may change soon.

Like the UPS and ACH scams that preceded it, this scam contains a variant of the Zeus or Zbot Trojan Horse. Its purpose is to install hidden malware that watches for you to visit targeted financial institutions, or your website's control panel, or PayPal, etc. Once you do, it intercepts your login credentials and forwards them to the criminals running these scams. Your bank accounts, PayPal accounts and God knows what else may be emptied before you know what hit you!

If you use MailWasher Pro to screen your incoming email for spam and threats in attachments, my custom ZIP Attachment filter will alert you to these and similar threats. Never open the attachments in these scams! Delete the email on sight! Opening these messages will launch the installer for the Zbot. Your PC will not only have the Zeus keylogger installed, but will be made a part of the Botnet from which you received your recruitment message.


August 28, 2011

Spam increases 11% over previous week: Aug 22-28, 2011

After a month of lower email spam volumes, this past week I saw an 11% increase over the previous week, which itself had a 7% increase from the week before. That makes about 18% more spam than two full weeks ago. Most troubling was the fact that a lot of this unwanted email contained malware infected attachments.

The last spam run containing infected attachments was a fake ACH Payment Canceled campaign. It started immediately after a run of fake Uniform Ticket email scams, and both contained the Zeus, a.k.a. Zbot Trojan. This is a hidden keylogger that watches for victims to login to particular banks, Trust companies, PayPal, website control panels, or trading companies. It collects the login credentials and sends them in a data stream to the criminals renting the use of the botnet responsible for sending the spam run. They then steal your money, or hack your websites.

There was also a continuation of the previous week's fake Facebook Friend Requests, containing links leading to direct downloads of Trojans. I wrote about this scam earlier this week, in this article: Beware Fake Facebook Friend Requests, Leading to Malware. To date, all of the requests I have received have contained Arabic names in the subject, but, that may change next time the miscreants behind this scam send another spam blast.

Since I noticed last Sunday that the volume of spam was staying high, I returned to using MailWasher Pro 6.4 to block spam and collect statistics that are easy to view and use in my reports. The current new version, 2011, is fully capable of blocking as much of the spam as the older version, but lacks a statistics page as of this writing.

In case you were wondering, you can still purchase a licensed copy of MailWasher Pro 6.4, from the Firetrust website. Or, if you don't care about the Statistics readout, but want faster processing, try the new version (same link).

Here are the basic stats for the last week's spam:

Total email received: 501
Amount classified as spam: 219
Percentage of spam: 43%
Number matched by my custom filters: 208
Number caught by my Blacklist: 5
Number identified by DNS Blacklists: 4
Reported to SpamCop: 29

Individual categories of spam follow...


August 26, 2011

Return of ACH Payment Canceled - Email Malware Scams

For the last 2 days I have seen a slowly building spam campaign featuring a previously used trick Subject: "ACH Payment (7 numbers) Canceled." The message body is short and sweet, along the lines of the following:


The ACH transaction,
recently initiated from your checking account (by you or any other person),
was canceled by the other financial institution.

Rejected transaction

Reason for rejection: See details in the attachment


The "report" is in a double extension file, with a name like: "report_082011-65.pdf.ZIP (ZIP archive, Adobe PDF)" - although future variants may arrive with just a .zip or just a .pdf extension.
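The attachment-name patterns in this post and in the FDIC posts above (a report ending in .pdf.ZIP, FDIC_document.zip, and the extension-less "FDIC information" attached to an image-only message) can be checked mechanically. The Python below is an added example, not the author's MailWasher Pro filter; the sample messages, the extension lists and the function names are constructed for illustration.

```python
import re
from email.message import EmailMessage

PACKED = {".zip", ".exe", ".scr", ".pif", ".com"}   # container / executable endings
DECOY = {".pdf", ".doc", ".xls", ".txt", ".jpg"}    # document-looking endings


def classify_name(filename):
    """Return the reasons (possibly none) an attachment name deserves a closer look."""
    exts = ["." + p for p in filename.strip().lower().split(".")[1:] if p]
    if not exts:
        return ["no-extension"]
    if len(exts) >= 2 and exts[-2] in DECOY and exts[-1] in PACKED:
        return ["double-extension"]
    if exts[-1] == ".zip":
        return ["zip-archive"]
    return []


def visible_words(msg):
    """Count words a text-based filter could score: text/plain plus tag-stripped text/html."""
    words = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        body = part.get_content()
        if part.get_content_subtype() == "html":
            body = re.sub(r"<[^>]+>", " ", body)
        words += len(body.split())
    return words


def triage(msg, min_words=5):
    """Flag an image-only body and suspicious attachment names in one message."""
    findings = []
    inline_image = any(p.get_content_maintype() == "image" and not p.is_attachment()
                       for p in msg.walk())
    if inline_image and visible_words(msg) < min_words:
        findings.append("image-only-body")
    for part in msg.walk():
        if part.is_attachment():
            name = part.get_filename() or ""
            findings += [f"{reason}:{name}" for reason in classify_name(name)]
    return findings


def fdic_sample():
    """Constructed message shaped like the Sept 22 scam: image body, no text, bare attachment name."""
    msg = EmailMessage()
    msg["Subject"] = "FDIC message center"
    msg.set_content('<html><body><img src="cid:notice"></body></html>', subtype="html")
    msg.add_related(b"\x89PNG placeholder", maintype="image", subtype="png", cid="<notice>")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="FDIC information")
    return msg


def ach_sample():
    """Constructed message shaped like the ACH scam: short text body, double-extension attachment."""
    msg = EmailMessage()
    msg["Subject"] = "ACH Payment 1234567 Canceled"   # constructed 7-digit number
    msg.set_content("The ACH transaction was canceled by the other financial institution.\n")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="zip", filename="report_082011-65.pdf.ZIP")
    return msg


if __name__ == "__main__":
    print(triage(fdic_sample()))
    print(triage(ach_sample()))
```

The image-only check counts the words a text filter could actually see, so a message that mixes a logo with real text is not flagged.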

The From line is usually: "account manager" ([email protected], or [email protected]). You will be getting these sent to every one of your email accounts, should you have multiple accounts, like I do. Domains with email are especially hard hit in today's spam campaigns.

The actual "sender" is a PC in a spam botnet, operating under commands from the Bot Master running this show. All reply-to and From information is forged.

The payload in the current crop of malware in attachments is the "Zeus" aka: "ZBot" keylogger Trojan. The installer may also make the victim's computer a member of the same botnet from which their scam message was sent. This perpetuates and increases the size of the botnet and steals money from victims as they log into banks and payment portals targeted by this Zeus variant.

My advice to recipients of one of these, or future variations of these scams, is to phone your bank, or financial institution and ask them to check your account for problem transactions. Note, there have been some spam campaigns that include a fake contact phone number that actually leads to people hired by the criminals running particular campaigns. So, your safest bet is to look up the number for your bank, or flip over your debit or credit card and call the number listed on it.

Interestingly, these malware in attachments scams began on August 25, just after the previous run of UPS malware scams ended. No doubt, the same botnet is sending both, rotating subjects and body text and attachment names, via templates downloaded to the zombie computers in the botnet.

I delete all such malware laden spam messages, which are automatically flagged by one or more custom spam filters I write, by my email screening program: MailWasher Pro - (learn about MailWasher Pro here). My advice to you is to delete them on sight, without opening them. Phone your bank if you are worried.

If your bank sends you email messages and alerts about problems, the message will include your proper name. None of these scams include any personal names as salutations. That is red flag number one in all such malware and phishing scams.

Stay alert to scams in spams. Do not open any email attachments out of curiosity. Only open attachments you are expecting, from senders you are expecting them from, and then, only if you have modern, fully updated anti-virus/anti-malware protection running on your computers.


August 22, 2011

Beware Fake Facebook Friend Requests, Leading to Malware

Tonight I received what appeared to be a Facebook Friend Request, but it was addressed to an account not associated with Facebook. It was also suspiciously marked with gray icons in MailWasher Pro. This indicates that the anti-spam program wasn't sure if it was good or bad. That set off my alarm bells, because I have a custom filter that identifies all legitimate messages from Facebook as Good.

Luckily for me, I am a spam fighter and suspicion is my modus operandi. Had I been a casual computer user I may have curiously clicked on the link in this email and had my computer infected with a fake Flash Player update, plus an exploit attack kit, within seconds! Then I would have been Phished with a fake Facebook login page! Here is what I saw and what the source code revealed about the email message.

First, the headers:

Delivery-date: Sun, 21 Aug 2011 21:36:18 -0600
Received: from [123.236.135.113] (helo=ZDIHFSM)

my own server details removed

Received: from mta900.em.linkedin.com (mta900.em.linkedin.com [63.211.90.176])
by mail.rctengineering.com (8.13.8/8.13.8) with ESMTP id 2714Y3V654427
for ; Mon, 22 Aug 2011 09:05:39 +0530
Date: Mon, 22 Aug 2011 09:05:39 +0530

Subject: Zaahid Ababneh wants to be friends on Facebook.
From: Facebook <notification+gugsche@facebookmail.com>

Look at the bold portions of the above headers. The first bold line contains the date when this email was delivered to me, by my email server, which is in Utah:
Sun, 21 Aug 2011 21:36:18 -0600

Directly underneath the arrival date is the last Received From line, indicating that the email was delivered to me from the IP address 123.236.135.113. If this email really came from Facebook, the IP address would resolve to one with facebook.com in a "Whois" look-up, and in a reverse IP look-up. However, running a Whois check on this IP address revealed that rather than belonging to Facebook, it is registered to Reliance Communications, in Mumbai, India!

Moving down to the next Received line, it says that the email was relayed through LinkedIn. Now, why would Facebook need to use LinkedIn servers? They absolutely would NOT. Also, note that the email was handed to the LinkedIn mail server by the rctengineering.com domain, not Facebook. That domain belongs to a Bell South customer!

Now, look at the date when the email was relayed through the alleged LinkedIn server: Mon, 22 Aug 2011 09:05:39 +0530. That date is almost 12 hours in the future from when my email server in the USA received the message. I ran a look-up of timezones and found that +5:30 belongs to India. That coincides with the IP address of the Received From line at the beginning (which is the final email hand-off). That proves that the message did indeed come from India and was not associated with any Facebook email servers in the USA, or anywhere else.
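The header checks walked through above can be scripted. This added Python example (not part of the original post) parses the quoted headers, compares the relay domains with the claimed From domain, and compares the Date and Delivery-date stamps; the receiving server name, the recipient address and the `expected` domain list are placeholders or assumptions, because the author removed his own server details.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Headers as quoted in the post. "mx.example.invalid" and the recipient address
# are constructed placeholders for the details the author removed.
RAW_HEADERS = """\
Delivery-date: Sun, 21 Aug 2011 21:36:18 -0600
Received: from [123.236.135.113] (helo=ZDIHFSM)
\tby mx.example.invalid with esmtp; Sun, 21 Aug 2011 21:36:18 -0600
Received: from mta900.em.linkedin.com (mta900.em.linkedin.com [63.211.90.176])
\tby mail.rctengineering.com (8.13.8/8.13.8) with ESMTP id 2714Y3V654427
\tfor <recipient@example.invalid>; Mon, 22 Aug 2011 09:05:39 +0530
Date: Mon, 22 Aug 2011 09:05:39 +0530
Subject: Zaahid Ababneh wants to be friends on Facebook.
From: Facebook <notification+gugsche@facebookmail.com>

"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def org_domain(host):
    """Last two labels of a host name (simplification: ignores multi-part TLDs)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def fmt_offset(dt):
    """Render a datetime's UTC offset as +HH:MM."""
    minutes = int(dt.utcoffset().total_seconds()) // 60
    sign = "+" if minutes >= 0 else "-"
    return f"{sign}{abs(minutes) // 60:02d}:{abs(minutes) % 60:02d}"


def analyze(raw, expected=("facebook.com", "facebookmail.com")):
    """Summarise the relay path and timestamps of one message's headers."""
    msg = message_from_string(raw)
    from_domain = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])

    relay_domains, delivering_ip = set(), None
    for index, value in enumerate(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        sender = FROM_RE.search(flat)
        receiver = BY_RE.search(flat)
        if index == 0:
            # Topmost Received line is written by the recipient's own server,
            # so its bracketed IP is the machine that made the final hand-off.
            ips = IP_RE.findall(flat)
            delivering_ip = ips[0] if ips else None
        elif receiver:
            relay_domains.add(org_domain(receiver.group(1)))
        if sender and not sender.group(1).startswith("["):
            relay_domains.add(org_domain(sender.group(1)))

    sent = parsedate_to_datetime(msg["Date"])
    delivered = parsedate_to_datetime(msg["Delivery-date"])
    wall_gap = sent.replace(tzinfo=None) - delivered.replace(tzinfo=None)
    return {
        "from_domain": from_domain,
        "relay_domains": sorted(relay_domains),
        "sender_mismatch": not (relay_domains & set(expected)),
        "delivering_ip": delivering_ip,         # feed this to Whois / reverse DNS
        "origin_utc_offset": fmt_offset(sent),
        "wall_clock_gap_hours": round(wall_gap.total_seconds() / 3600, 1),
        "transit_seconds": int((delivered - sent).total_seconds()),
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_HEADERS).items():
        print(f"{key:22} {value}")
```

Converted to UTC the two stamps are 39 seconds apart; the wall-clock gap of about 11.5 hours comes entirely from the +05:30 zone written by the sending side, which is the detail that points to India.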


August 21, 2011

My Spam analysis & filter updates for the week of Aug 15 - 21, 2011

This week I am changing the nature of my spam report. In all previous articles, I used the "Statistics" from MailWasher Pro, version 6.x. However, this past week I switched to the latest version of MailWasher Pro: 2011. At this time it lacks a "Statistics" readout, so I have compiled my own stats. They reveal some interesting facts about this week's email spam.

The first thing I learned when going over the spam categories, in the MailWasher Pro Recycle Bin, was that the overall volume of spam is way up from last week. For the week ending on August 14, 2011, the total amount of spam received was 128. This week, ending August 21, the total was 175, as of the time I wrote this. Without an exact stat report, I am guesstimating that this represents about 33% of my total email this past week. That would make it about 5% more than last week.

Of these 175 spam emails, 169 were identified by my custom spam filters. Six more were classified as spam manually and inputted into the learning filter, for future detections. The majority of spam was 44 messages touting fake Cialis. This was followed by 24 for counterfeit watches. Next in line was 15 emails promoting male enhancement herbs, then 13 each for weight loss drugs (illegal to import, or use without a face to face prescription; HCG drops) and finally, malware infected botnet Trojans inside zipfiles claiming to be invoices, delivery notices, etc.

Other lesser categories of spam included: Fake Diplomas, Lotteries, African senders, 419 scams, foreign language spam, miscellaneous pharmaceuticals, pirated software, Viagra, known spam domains and subjects, ISO encoded subjects, and my blocked countries filters.

The last major category, the infected zipfiles, are part of a huge attack that has been ongoing for three weeks in a row. Bot Herders, having lost control of millions of zombies, when Microsoft, FireEye, the DOJ and other security research companies decapitated the Bredolab (in October 2010), Coreflood, Rustock, Waledac and other spam-spewing botnets this year, are hard at work rebuilding their armies of robotic malware slaves. Their most successful weapon seems to continue to be exploiting the weakest link in the chain of infection: Human Curiosity. Send out a gazillion spam messages about a pending, or failed delivery, or an alleged speeding ticket, or failure to process an IRS refund or tax form, and thousands of curious, gullible people will open the attached zipfiles to see what the fuss is all about. Poof: they are botted!


August 14, 2011

My Spam analysis & filter updates for the week of Aug 7 - 14, 2011

This week I saw an increase in the amount of spam hitting my inbox. The percentage of spam was up 7% from the previous week. Actually, the greatest volume of spam occurred from Thursday through today. It was on August 11 that a giant spam run began with malware infected attachments, in scam emails claiming to be from the IRS and UPS.

Due to the huge influx of malware laden attachments in fake IRS ("could not process your return/refund") and UPS ("your package delivered ... print out invoice") messages, the top category last week was Zip file attachments, which led by more than double the amount of the runner up: male enhancement. While the enhancement and enlargement spam is a nuisance, the ones pretending to come from the IRS and UPS were downright dangerous. They contain botnet and key logging Trojans in zip files.

This past 7 days, spam for various types of unsolicited commercial email (UCE) amounted to 28% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Aug 7 - 14, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 28%; +7% from last week
Number of messages classified as spam: 128
Number classified by my custom spam filters: 122
Number and percentage of spam according to my custom blacklist: 3
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 52

The actual percentages of spam by category follow below.


August 7, 2011

My Spam analysis & filter updates for the week of Aug 1 - 7, 2011

This week finally gave me some measurable decline in the amount of spam hitting my inbox. The percentage of spam is down 6% from the previous week and the actual volume is down by even more. This is a reflection of the decline in revenues from spamvertised products and in the recent closure of several spam affiliate payment processors.

As for the top categories of spam, Male Enhancement took first place, followed by counterfeit watches, then fake Viagra, Cialis, weight loss drops, and other scams. There are still a considerable number of bogus diploma spams coming in, so some people must be stupid enough to purchase these worthless documents.

I see a repetitive pattern in certain types of spam, mostly for fake diplomas. The subjects are "RE: Hello" - "RE:Re:Hello" - "RE: RE:News" and similar. My Diploma and other existing filters pick them off based on the body text, with zero mistakes.

This past 7 days, spam for various types of unsolicited commercial email (UCE) amounted to 21% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Aug 1 - 7, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 21%; -6% from last week
Number of messages classified as spam: 85
Number classified by my custom spam filters: 75
Number and percentage of spam according to my custom blacklist: 3
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 13

The actual percentages of spam by category follow below.


July 31, 2011

My Spam analysis & filter updates for the week of July 24-31, 2011

This week, my incoming spam level dropped 1% from last week. Viagra and Cialis spam regained the top position, with Male Enhancement and various Pharmaceuticals filling positions 2 and 3. Diploma spam has almost doubled since last week and many spam templates are using URL shorteners to hide the destination.

For the last two weeks, Spammers have been using a new template that adds huge amounts of space-bar spaces between the spam words in the plain text source code. This is done to evade spam filters. This is followed by HTML content that is identical. However, when HTML is rendered, only one space is shown between words, making the actual spam message readable by humans. I have created and published new custom filters for MailWasher Pro users, which easily detect and block this type of spam, whether for diplomas or drugstores.

This past 7 days, spam for various types of unsolicited commercial email (UCE) amounted to 27% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from July 24-31, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 27%; -1% from last week
Number of messages classified as spam: 122
Number classified by my custom spam filters: 112
Number and percentage of spam according to my custom blacklist: 9
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 0
Number of spam messages seen, reported to SpamCop & manually deleted: 21

The actual percentages of spam by category follow below.


July 24, 2011

My Spam analysis & filter updates for the week of July 17-24, 2011

This week, my incoming spam level was just 1% lower than last week. However, the types of spam have begun to change in order of percentages by category. Some previously strong categories have dropped way down as spammers find them unprofitable.

Spammers are using a new template that adds huge amounts of spacebar spaces between the spam words in the plain text source code. This is followed by HTML content that is identical. However, when HTML is rendered, only one space is shown between words, making the actual spam message readable by a member of the Human Race. Writing a filter for this trick is trivial. I already have one for Diploma Spam using the multiple spaces and am in the process of creating another for pharmacy spam.
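The space-padding trick described here and in the July 31 post can be caught two ways: by measuring how wide the gaps between words are in the text/plain part, and by collapsing whitespace before matching phrases. The Python below is an added illustration, not the MailWasher Pro filter mentioned in the post; the sample messages, thresholds and phrase list are constructed.

```python
import re
from email.message import EmailMessage

# A run of spaces, tabs or non-breaking spaces between two words on one line.
GAP_RE = re.compile(r"(?<=\S)[ \t\u00a0]+(?=\S)")


def gap_stats(text, long_run=5):
    """Return (number of inter-word gaps, gaps at least long_run characters wide)."""
    widths = [len(m.group()) for m in GAP_RE.finditer(text)]
    return len(widths), sum(1 for w in widths if w >= long_run)


def is_space_padded(msg, long_run=5, min_ratio=0.5, min_gaps=4):
    """True when most word gaps in the text/plain part are long runs of spaces."""
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        return False
    total, long_gaps = gap_stats(part.get_content(), long_run)
    return total >= min_gaps and long_gaps / total >= min_ratio


def phrase_hits(text, phrases):
    """Match phrases after collapsing each whitespace run to one space,
    which is what an HTML renderer shows the reader."""
    flat = " ".join(text.split()).lower()
    return [p for p in phrases if p in flat]


def build(plain, html=None):
    """Build a constructed sample message with an optional HTML alternative."""
    msg = EmailMessage()
    msg["Subject"] = "RE: Hello"
    msg.set_content(plain)
    if html:
        msg.add_alternative(html, subtype="html")
    return msg


# Constructed samples: eight spaces between every word, identical text in HTML.
PAD = " " * 8
PADDED_TEXT = (f"Get{PAD}your{PAD}university{PAD}diploma\n"
               f"No{PAD}exams{PAD}required\n")
PADDED_HTML = f"<html><body><p>{PADDED_TEXT}</p></body></html>"
NORMAL_TEXT = "Hi Bob, the report is attached.\nSee you   Monday.\n"

SPAM = build(PADDED_TEXT, PADDED_HTML)
HAM = build(NORMAL_TEXT)
PHRASES = ["university diploma", "no exams required"]

if __name__ == "__main__":
    print("naive match :", [p for p in PHRASES if p in PADDED_TEXT.lower()])
    print("normalised  :", phrase_hits(PADDED_TEXT, PHRASES))
    print("padded spam :", is_space_padded(SPAM), "| normal mail:", is_space_padded(HAM))
```

The ratio test keeps ordinary mail with an occasional wide gap, such as aligned columns or a double space after a full stop, from being flagged.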

This past 7 days, spam for various types of garbage amounted to 28% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from July 17-24, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 28%; -1% from last week
Number of messages classified as spam: 124
Number classified by my custom spam filters: 115
Number and percentage of spam according to my custom blacklist: 5
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 4
Number of spam messages seen, reported to SpamCop & manually deleted: 22


July 17, 2011

My Spam analysis & filter updates for the week of July 10-17, 2011

This week my spam percentage has increased slightly, to 29%, up 2% from last week. The subjects are exactly the same as they have been for the last year. Spammers are still pushing bogus male enhancement herbals, like the MaxGentleman, Chinese replica watches, counterfeit Cialis and Viagra, various illicit prescription pharmaceuticals, HCG weight loss scams, lottery and work at home scams.

Pharmaceutical spammers are still hosting their websites in Romania and are still using mostly .RU domains (Russian). All are advertising that they sell prescription drugs without the required prescription. Some are still falsely claiming to be "non-USA licensed pharmacies" - of which there is no such thing. The drugs they sell are counterfeit and both dangerous and unlawful to import into the USA or Canada.

This past 7 days, spam for various types of garbage amounted to 29% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from July 10-17, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 29%; +2% from last week
Number of messages classified as spam: 117
Number classified by my custom spam filters: 104
Number and percentage of spam according to my custom blacklist: 6
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 19


July 11, 2011

Choosing the right email archiving software

This is my third article (see links at end) this calendar year about email archiving solutions for small and medium sized businesses. If you own or administer a business that uses email as an important tool for doing business, these articles will be of high importance to you and your IT staff. Today's article is about choosing the right email archiving software.

In today's business environment, email communication has become an essential tool, especially for small and medium-sized businesses. Laws and regulations related to the retention of email and other types of digital communication have increased, putting most businesses in a tough spot as they try to balance their business needs with compliance with ongoing regulatory requirements. In addition, most small and medium-sized businesses do not have a robust IT department, so having to worry about email storage issues, quota limits, eDiscovery laws, and other technical issues related to email takes time away from growing and expanding the business.

Email archiving can help with most of these issues if the right solution is used. As with any type of software, one size does not fit all. Be aware of your business IT environment and your business needs before searching for any email archiving solution.

Here are the features to look out for when searching for the right email archiving solution:


  1. The ability to archive to one or more databases: I would not want the archiving solution to archive emails to the mail server. This can cause performance issues and cause quota limit issues with the email server. There is no point in implementing something to solve one problem and to then cause another.

  2. Users should have offline access to archived emails: Having a company's email archived but not easily accessible by users is a major drawback, and that is why a solid email archiving solution will provide access to email either through the email client or through web access. Users want to be able to access their archives if they are on the road, they have problems with their email client or only have basic web access. Providing offline access ensures continuity for the company and puts minds at rest that all their email, old or new, is available with a few keystrokes.

  3. Solve the issue with PST files: This type of offline access feature is usually a much better solution than using PST files which are difficult to manage and which put your email at risk as they can be lost once the PST is corrupted. Once you deploy an email archiving solution within the organization, you automatically eliminate the need to use PSTs - meaning goodbye to the headache of having to dig through a store of PSTs manually, goodbye to the risk of losing emails, goodbye to the need to do PST backups; and hello to automatic email archiving in a central archive accessible to all which saves your admins priceless time, and the organization money.

Most email archiving solutions come with a variety of features. The ones mentioned here are only the highlights of such software. I would evaluate all email archiving solutions based, at least, on their ability to archive to a database and to allow users both online and offline access to their email archive.

This guest post was provided by Sean McCreary on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: GFI email archiving.

This is the third article about email archiving solutions, posted on this blog. See these previous articles for some background information:



July 10, 2011

My Spam analysis & filter updates for the week of July 3-10, 2011

It appears that my spam percentage has stabilized at about 27%, plus or minus a few points. The subjects are exactly the same as they have been for the last year. Spammers are still wasting their money spamvertising counterfeit Cialis and Viagra and pushing bogus male enhancement herbals, like the MaxGentleman aka Dr. Maxman and various illicit prescription pharmaceuticals without the required prescription. Knockoff Chinese watches, weight loss herbs, loansharks, and Nigerian advance fee fraud round out the field.

The majority of this week's pharmaceutical spam was for various incarnations of the fake "My Canadian Pharmacy," et al. The domains are all owned by Russians, using cheap domain Registrars in Russia, Czechoslovakia, and other parts of the former USSR, as well as some from a dis-accredited Registrar in Australia. Almost all of the current fake pharmacy domains use either Russian or Chinese Name Servers. At least half of the links in the spam messages for these pharmacies are to .RU (Russian) domain websites, many of which are now hosted by spam friendly hosting companies in Romania.

This past 7 days, spam for various types of garbage amounted to 27% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from July 3 - 10, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 27%; +1% from last week
Number of messages classified as spam: 124
Number classified by my custom spam filters: 116
Number and percentage of spam according to my custom blacklist: 6
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 7

Continue reading "My Spam analysis & filter updates for the week of July 3-10, 2011" »


July 8, 2011

How to display and use the statusbar in your email client

Prologue

Recently, I have published blog articles describing spam emails containing links to disreputable URLs. I have mentioned in these articles that one means of self defense against visiting obviously bad locations is to hover over a link and read the actual URL of that link - in your email client "Status bar." But, what if there is no Status bar showing in your email reader? How do you reveal it?

This brief technical article will show you how to show a hidden "Status Bar" on the most commonly used email clients (in 2011). It also explains why having this bar visible is so important and gives a brief tutorial on making sense of the details that are displayed when one hovers over a link with their mouse pointer.

Displaying Email Client Status Bars

If you still have Windows XP (or, earlier; shudder the thought), you may have Microsoft's Outlook Express as your default POP3 email client. Others using XP, or Vista, have gotten the message about Outlook Express being deprecated (abandoned) by Microsoft and have moved up to Windows Live Mail (aka: WLM). People using Windows 7 are only offered Windows Live Mail 2011 (and newer, yet to come versions). All three versions have the means of turning the Status Bar on and off.

To show or hide the Status Bar in Outlook Express, Windows Mail (Vista only) and Windows Live Mail for XP and Vista, open the program, go to the menu bar item View, then click to place a check mark in Status Bar. It's that simple!

If you use Windows 7, your version of Windows Live Mail is probably version 2011 (or newer version, yet to come). Your interface is different than Outlook Express and the WLM for XP. To show the Status Bar, open the program, click on the "View" button in the row under the Title Bar, go to the right side and click the button labeled Status Bar. It appears (or disappears) instantly. Done!

If you are using Mozilla Thunderbird as your email client and for some reason the Status Bar is hidden, you can bring it back thusly: go to View > Toolbars > Status Bar and click to check it. The Status Bar will appear instantly.

Other email clients will have their own methods of turning the Status Bar on and off. I recommend leaving it on, all the time. Here's why...

Continue reading "How to display and use the statusbar in your email client" »


July 3, 2011

My Spam analysis & filter updates for the week of June 26 - July 3, 2011

Spam levels are continuing to decline, at least in my email accounts. This time last year, my percentage of spam email was 56%. This week, this year, it measured just 26%. That is a 54% decline in 12 months. The spam detected and deleted by MailWasher Pro was mostly for bogus male enhancement pills, which led by a 2:1 margin over other types of pharmaceutical and weight loss scams. Counterfeit watches and Nigerian lottery scams had measurable percentages.

I managed to trace several spam domains with the Russian .RU and some .COM TLD's to Romanian web hosts. Additionally, the SpyEye/Zeus Trojan Tracker, at Abuse.ch has traced down several SpyEye command and control servers to a Romanian hosting company. From Count Dracula to the Zeus and SpyEye Trojans, to fake pharmaceuticals and male enhancement scams, the Romanians have it all covered, with help from Russian Botmasters and master spammers. It is Russian and Romanian spammers who are paying to register and host hundreds of throwaway domain names, used in bot-sent spam blasts, promoting all manner of fake and illicit pharmaceuticals and herbals and exploits.

There was a measurable uptick in the amount of email containing direct links to exploit websites. My "Exploit Link" filter detected and deleted them all (see info on my custom MailWasher Pro filters, further down). Most led to the Zeus or SpyEye bank credential stealing Trojans.

Despite the fact that the volume and percentage of spam is declining right now, the threats contained in what is being sent are becoming more dangerous all the time. More and more spam is being sent after recipients' identities are researched by spammers, who buy stolen IDs after break-ins of big company member databases. Others use password breakers to steal weak login credentials to free email systems, then send out spam targeting the entire contact list of the people who own those compromised email accounts. This happens constantly to Hotmail users.

You may have already received spam and scams targeting you by your personal or nickname. Therefore, effective email protection is required to protect your computers, your money and your data. MailWasher Pro is the program I use to detect and delete spam and email-borne security threats. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 26% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from June 26 - July 3, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 26%; -1% from last week
Number of messages classified as spam: 114
Number classified by my custom spam filters: 104
Number and percentage of spam according to my custom blacklist: 6
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 11

Continue reading "My Spam analysis & filter updates for the week of June 26 - July 3, 2011" »


June 26, 2011

My Spam analysis & filter updates for the week of June 19-26, 2011

This week's spam levels have remained at about the same level as last week. The majority of spammers are trying to sell counterfeit pharmaceuticals and replica watches, followed by weight loss herbs, male enhancement gimmicks, fake Viagra, and some Nigerian lottery and 419 scams. The various percentages of spam, by category, are listed in my extended comments.

This past week saw a continuation of the previously dead and buried Canadian Pharmacy scams. However, spammers are affiliates of various fake pharmacy programs. They pay Bot Masters to lease the use of zombie computers making up spam botnets. Spammers expect to be paid for the traffic they drive to the fake pharmacies. It so happens that the co-founder of one of the remaining major spam payment processors, Chronopay, has been arrested in Russia. Directly related to his arrest, several affiliate payment systems related to his RX-Promotions spam business are going offline (details to follow soon).

Canadian Pharmacy is one of the spam programs created, managed and paid for in Russia. I expect to see a big drop in all variations of Canadian Pharmacy spam, in the next week or so. No pay, no spam!

Despite fluctuations in volumes of junk email, spam is still going strong. It's not just nuisance messages you need to look out for. There are many critical security threats contained in attachments and links to exploit sites, which are designed to infect your computers with malware. Keyloggers, disguised as Flash upgrades, missing codecs, scanned documents, or resumes in attachments, silently log your keystrokes when you log into your online bank, or PayPal, or your website control panel, stealing your credentials, then your money or company secrets. Therefore, effective email protection is required to protect your computers, your money and your data. MailWasher Pro is the program I use to detect and delete spam and email-borne security threats. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 27% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from June 19-26, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 27%; +1% from last week
Number of messages classified as spam: 119
Number classified by my custom spam filters: 115
Number and percentage of spam according to my custom blacklist: 2
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 15

Continue reading "My Spam analysis & filter updates for the week of June 19-26, 2011" »


June 22, 2011

My Canadian Pharmacy scam gets new domain names

On June 15, 2011, I wrote a blog article about the re-emergence of the previously killed off Canadian Pharmacy scams. When I published that article I also filed a spam report against the domain name used in the link in the spam email I received, with their Registrar of record. Two days later the domain was suspended for violating the Registrar's terms of service.

Tonight I received two more identical spam emails, with two different domains in the links, promoting a Canadian Pharmacy selling the same Anti-ED drugs. I have filed a report with the Registrar of record, nameregistrars.net, for the first one: eumbyhojbu.com. The second domain link was for: gffbn.ru. This is a Russian domain. The only information I can find on it is that it leads to the same IP address as the previous two spam links did. All of these fake Canadian-Pharmacy/My Canadian Pharmacy links are redirected to a rogue pharmacy website hosted on a Romanian PC or server (at 194.50.7.208), running a Russian Nginx web server.

Notably, all of these spam emails use hidden ISO codes in the From and Subject fields to evade spam filters. Your email client is happy to translate them into the names of the pharmacy and illicit drugs they are selling.
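What this looks like to a filter, as an added example (not the author's MailWasher filter), assuming the "hidden ISO codes" are RFC 2047 encoded-words of the form =?ISO-8859-1?Q?...?=. The two headers are constructed samples and the keyword list is an assumption; a keyword match on the raw header text finds nothing, while the same match after decoding does.

```python
from email.errors import HeaderParseError
from email.header import decode_header, make_header

# Assumed filter terms, taken from the spam categories named on this blog.
KEYWORDS = ("pharmacy", "viagra", "cialis")

# Constructed sample headers (not from a real message).
# Q form: =61 is the letter "a".  B form: the text is base64.
FROM_RAW = "=?ISO-8859-1?Q?Can=61dian-Ph=61rmacy?= <sender@example.com>"
SUBJECT_RAW = "=?ISO-8859-1?B?VmlhZ3JhIGFuZCBDaWFsaXM=?="


def decode_mime_header(raw):
    """Return the header the way a mail client displays it.

    Falls back to the raw text if the encoded-word is malformed or names
    a character set Python does not know.
    """
    try:
        return str(make_header(decode_header(raw)))
    except (HeaderParseError, LookupError, UnicodeError):
        return raw


def keyword_hits(text, keywords=KEYWORDS):
    """Case-insensitive substring match, in keyword order."""
    lowered = text.lower()
    return [word for word in keywords if word in lowered]


def scan(headers):
    """Compare what a raw-text filter sees with what a decoding filter sees."""
    report = {}
    for name, raw in headers.items():
        decoded = decode_mime_header(raw)
        report[name] = {
            "decoded": decoded,
            "raw_hits": keyword_hits(raw),
            "decoded_hits": keyword_hits(decoded),
        }
    return report


if __name__ == "__main__":
    for name, result in scan({"From": FROM_RAW, "Subject": SUBJECT_RAW}).items():
        print(name, result)
```
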

As was the case with the previous fake pharmacy landing page, this one uses a variety of Chinese and other Botnet sources to assemble the images used to fool people into believing it is a legit pharmacy. It is all snake oil and octopus juice. This is a fake pharmacy, hosted in Romania, using Russian Name Servers. The PCs used to deliver the spam emails for it are part of a world-wide spam botnet.

Do not believe anything found in the emails promoting these fake Canadian Pharmacy websites. Never buy anything from those sites. You will be handing over your credit or debit card details to Russian spammers and criminals. If you ever receive the illegal drugs you ordered, they will be counterfeit, made in Asia. They may harm or kill you. If you are lucky, you'll never receive them at all. Better to be out a few hundred bucks than pushing up daisies from OD-ing on fake Viagra laced with Melamine!


June 21, 2011

Don't click on the links in any PayPal email messages

This article, short as it may be, could save both your money and identity, if you are a PayPal customer.

PayPal, now an eBay owned company, manages the money for all transactions conducted on eBay, plus those of a huge number of non-eBay customers who use PayPal to send and receive money online. In all, as of June 2011, PayPal claims to have 98 million active users, in 190 different markets and 25 currencies. You may be one of those members.

If you are not a PayPal member and do not make any purchases on eBay, nor send donations via PayPal Donate buttons, or make any other payments through them, you will automatically treat all email claiming to come from PayPal as spam and a probable Phishing scam (most are). You won't be tempted to click on any links to login to your PayPal account if you don't have one!

But, if you are one of the 98 million members of PayPal, whether you use them rarely, or often, you have to allow them to send you email messages. It is not optional. This leads me into the topic at hand:

PayPal is still sending official email messages to its members, containing clickable links, and urging you to login to your account via those links.

This is exactly the same behavior used by Phishing scam artists. They send official looking copies of the exact emails that companies like PayPal are sending to their customers. They include clickable logos and text links, urging you to use them to login to your PayPal account and give away your username and password and all of your money that is either in your PayPal account, or in the credit card linked to it, or in the bank account linked to it.

In the case of actual PayPal email messages, the only obvious distinction is that they always address you by your proper name, as it is registered with them (E.g.: Dear Joe Blow). The Phishing scams usually address you as "Dear Member." The actual difference in the links is that the real PayPal email links point to sub-domains on paypal.com, like: email0.paypal.com/servelet/whatever... whereas the links in Phishing emails will lead to a different domain than paypal.com.

You can learn to see the actual location of any link in most email messages by hovering your mouse or pointer over the links, but not clicking on them. The actual domain portion comes between the http:// and the first forward slash (/). Any domain names that follow the first forward slash are inserted to fool you. So, if the URL you see in the Status Bar shows something like this: https://email0.paypal.com/servlet/cc6?iitgHQYRASQUV... it is an authentic PayPal link. On the other hand, if the hover link resembles this: http://account-verify-paypal.com/... it is a fake. The domain in the second link leads to a domain named account-verify-paypal.com - which is NOT the same domain as paypal.com! But, https://email0.paypal.com/ IS a sub-domain on paypal.com.

Sub-domains are separated from the master domain by a period (.); not a dash (-), nor an underscore (_). Only a DOT between the first name and the domain name is a legal sub-domain. Thus, this is a sub-domain: email0.paypal.com/ ... This is NOT a sub-domain: email0-paypal.com; it is a totally different Domain Name.
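The sub-domain rule above, written as a check (an added example, not code from the original article): it pulls the host out of a hovered link and accepts it only when it is paypal.com itself or ends in .paypal.com. The example.net link and the plain-http link are constructed samples; the other URLs are the ones quoted in this article.

```python
from urllib.parse import urlsplit


def link_host(url):
    """Host part of a link: what sits between '//' and the first '/'."""
    try:
        host = urlsplit(url).hostname  # scheme, port, path and query are dropped
    except ValueError:                 # malformed link
        return ""
    return (host or "").rstrip(".").lower()


def is_domain_or_subdomain(host, domain):
    """True only for the domain itself or a name joined to it by a DOT."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def naive_check(url, domain="paypal.com"):
    """The mistake: looking for the name anywhere in the link text."""
    return domain in url.lower()


def check_link(url, domain="paypal.com"):
    """Classify a link against the domain the message claims to come from."""
    host = link_host(url)
    if not is_domain_or_subdomain(host, domain):
        return "different domain: " + (host or "(none)")
    if urlsplit(url).scheme != "https":
        return "right domain, but not HTTPS"
    return "ok"


SAMPLES = [
    "https://email0.paypal.com/servlet/cc6?iitgHQYRASQUV",  # from the article
    "http://account-verify-paypal.com/",                    # from the article
    "http://email0-paypal.com/",                            # from the article
    "http://example.net/paypal.com/login",                  # constructed: name after the first slash
    "http://www.paypal.com/",                               # constructed: right domain, no HTTPS
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{check_link(url):45} naive says {naive_check(url)!s:5} {url}")
```
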

This information about hovering is fine for people using a standalone email program, like Microsoft Windows Live Mail, or the old Outlook Express, which display a Status Bar on the bottom by default. But, many people use their web browsers to do email and quite a few do not opt to display the Status Bar. Those folks will not see the true destination of links before they click on them.

It is a foolish act, in many opinions, for a huge financial firm, like PayPal, to send out email communications about Policy Updates, overdrafts, pending cases, etc, and include clickable links to log you into your account! This is the very same means used by fraudsters to trick victims into clicking on their links to look-alike login pages, where your credentials and money and bank details will be stolen.

PayPal would better serve all of its customers by instructing them to login to PayPal (or their bank) by typing in the URL, in the browser address bar, or by re-using a link they saved from a previous, legitimate online session. Most browsers save your frequently visited websites and will help you as you type. I only need to type a couple of characters for the legitimate PayPal URL to appear.

Note: All PayPal logins should have HTTPS at the beginning of the URL; NOT HTTP. HTTPS indicates a secure connection, to a website with a legitimate safety certificate issued by a secure (SSL) license issuer. Anything you type into input fields in an HTTPS connection is encrypted before being sent out from the browser. Anything typed into a form on an HTTP page is sent out in plain text.

The bottom line and message I am trying to impart to you is this: It makes no never mind what the links in a PayPal email (real or fake) lead to. DON'T USE THEM! They might be real, or fake and you may not be able to tell from how they are displayed in your Status Bar (if you have one showing). If an email arrives from PayPal, about an important matter, like their Policy Updates, or Disputes, or accounts added, ignore the links in the message. PERIOD. Go to your browser, open a new tab, or new window and type in https://www.paypal.com/ then make sure it still says exactly that in the location/address bar (watch out for typos that could lead to malware sites), then press Enter. Then and only then, type in your login credentials.

By always typing in the address of important financial websites, then verifying them before pressing the Go button, or Enter, you can hopefully avoid being phished by credential crooks. There are other ways they can ensnare you, so keep your computers protected with the best anti-malware program you can afford. I use and recommend Malwarebytes' Anti-Malware and also, Trend Micro Titanium Internet Security Pro.

June 19, 2011

My Spam analysis & filter updates for the week of June 12-19, 2011

After decreasing last week, this week's spam levels have remained at the same level. The majority of spammers are trying to sell counterfeit replica watches, followed by illicit prescription pharmaceuticals (sans the req'd prescription), male enhancement herbs, fake Viagra, weight loss drugs and even some Nigerian 419 scams. The various percentages of spam, by category, are listed in my extended comments.

This past week saw a return of the previously dead and buried Canadian Pharmacy scams. This time, the spam sender uses the name "Canadian-Pharmacy" and the faked destination website says "My Canadian Pharmacy." Other than the addition of "My," the rest is identical to the old websites. They are still hosted on botted PCs, controlled by Russian spam gangs and Bot Masters. The landing pages include logos with links to alleged Accreditation sources, all of which go right back to the same fraudulent web page, on the botted PC. I wrote a full analysis of this new Canadian Pharmacy scam in a recent article.

Despite fluctuations in volumes of junk email, spam is still going strong. It's not just nuisance messages you need to look out for. There are many critical security threats contained in attachments and links to exploit sites, which are designed to infect your computers with malware. Keyloggers, disguised as Flash upgrades, missing codecs, scanned documents, or resumes in attachments, silently log your keystrokes when you log into your online bank, or PayPal, or your website control panel, stealing your credentials, then your money or company secrets. Therefore, effective email protection is required to protect your computers, your money and your data. MailWasher Pro is the program I use to detect and delete spam and email-borne security threats. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 26% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from June 12-19, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 26%; 0% from last week
Number of messages classified as spam: 112
Number classified by my custom spam filters: 101
Number and percentage of spam according to my custom blacklist: 2
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 5
Number of spam messages seen, reported to SpamCop & manually deleted: 12

Continue reading "My Spam analysis & filter updates for the week of June 12-19, 2011" »


June 12, 2011

My Spam analysis & filter updates for the week of June 5-12, 2011

After an increase last week, this week's spam levels have decreased again. This yo-yo effect is possibly due to problems Bot Masters are having maintaining their spam botnets, in the face of strong pressure from Microsoft, the DOJ, FireEye and cooperation from law enforcement authorities in Russia. The various percentages of spam, by category, are listed in my extended comments.

Bot Masters, who send the orders and templates to the zombie spambots (robot agents on infected personal computers), depend on professional or newly recruited spammers to pay to rent the use of their botnets. Competition among botnet owners, dis-infection of botted PCs and interference from authorities tends to drive prices down for some services and up for others. These days, there seems to be more money to be made by renting out botnets for use in denial of service attacks, than for sending e-junk mail.

Despite fluctuations in volumes of junk email, spam is still going strong. It's not just nuisance messages you need to look out for. There are many critical security threats contained in attachments and links to exploit sites, which are designed to infect your computers with malware. Keyloggers, disguised as Flash upgrades, missing codecs, scanned documents, or resumes in attachments, silently log your keystrokes when you log into your online bank, or PayPal, or your website control panel, stealing your credentials, then your money or company secrets. Therefore, effective email protection is required to protect your computers, your money and your data. MailWasher Pro is the program I use to detect and delete spam and email-borne security threats. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 26% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from June 5-12, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 26%; -3% from last week
Number of messages classified as spam: 98
Number classified by my custom spam filters: 96
Number and percentage of spam according to my custom blacklist: 1
Number classified as spam by the Bayesian Learning filter: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 7

Continue reading "My Spam analysis & filter updates for the week of June 5-12, 2011" »


June 5, 2011

My Spam analysis & filter updates for the week of May 29 - June 5, 2011

After two weeks in a row of reduced spam volumes, spam levels have increased again, as anticipated. Spam for imitation Viagra led counterfeit watches by a ~5% margin. This was followed by weight loss scams promoting the illegal sale of the controlled Schedule 4 drug: Phentermine. Spam for various pharmaceuticals and male enhancement scams had lower proportions than usual. I saw a lot of what appears to be French language spam, which I can't read, followed by fake Adobe and Skype upgrade exploit links and work at home scams.

Spam is still with us, along with security threats contained in scams and exploit email links, so, email protection is still needed as it will get worse again (it always ebbs and flows). MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 29% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from May 29 - June 5, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 29%; +6% from last week
Number of messages classified as spam: 127
Number classified by my custom spam filters: 116
Number and percentage of spam according to my custom blacklist: 4
Number classified as spam by the Bayesian Learning filter: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 5
Number of spam messages seen, reported to SpamCop & manually deleted: 15

Continue reading "My Spam analysis & filter updates for the week of May 29 - June 5, 2011" »


May 30, 2011

Beware of fake Adobe, Skype and Limewire upgrade, email scams

During the past week I have been receiving, classifying, reporting and deleting scam emails pushing links to fake upgrades for Adobe, Skype and the now defunct LimeWire programs. The bulk of these arrived over the past 24 hours, right up until a short time before I wrote this article. You need to be aware of the nature of these scams and make sure you don't fall for them.

Let's start with the most prevalent of the new scams: the fake Adobe Reader upgrade notices. It starts with the arrival of unexpected email messages spoofing that they were sent from Adobe Support. The subjects contain wording such as: "New Acrobat PDF Reader Has Released !" - followed by either Download or Upgrade Now. While the From field contains a plain text name that includes Adobe Support, or email.adobe.com, in the Prefix, it does not have an Adobe domain in the actual sender's email address. Rather, one may find, as I did, that they are spoofing the sender as an account at "hotels.octopustravel.com."

The message body includes an introduction in all capital letters (as of this writing), claiming: "ADOBE PDF READER UPGRADE NOTIFICATION" - followed by descriptive text copied from the Adobe Reader web pages. The scammers then announce: "contains critical security updates" and provide you with a cleverly worded link that includes the words "adobe", "PDF" and/or "Reader", with dashes between words, ending with the word -download(s) or -upgrade.com. The links are leading to exploit websites in China, hosted on Windows servers at: 122.224.4.113, and possibly other nearby IP addresses.

The related Skype scams purport to come from Skype Support (but not from skype.com) and tell about all of the benefits of upgrading to the newest version of Skype. However, as in the previous Adobe scam, the links end in -download(s).com. Again, this domain is hosted on a Windows IIS web server in China, at 122.224.4.113 (or neighbors).
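The two tells described for the Adobe and Skype messages, a From name that claims the brand over an address at some other domain and a dashed link name ending in -download(s) or -upgrade, as an added example (not one of the MailWasher filters mentioned in this article). Both messages are constructed samples, the brand-to-domain table and word lists are assumptions, and the sample link uses the reserved .example ending in place of .com, so the check ignores the ending.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed table: brand named in the From text -> domain it really mails from.
BRANDS = {"adobe": "adobe.com", "skype": "skype.com"}
LURE_WORDS = {"adobe", "acrobat", "pdf", "reader", "skype"}
LURE_ENDINGS = {"download", "downloads", "upgrade"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages (the sender domain is the one named in the article).
SCAM_SAMPLE = """\
From: "Adobe Support" <notice@hotels.octopustravel.com>
To: reader@example.org
Subject: New Acrobat PDF Reader Has Released ! Upgrade Now
Content-Type: text/plain; charset="us-ascii"

ADOBE PDF READER UPGRADE NOTIFICATION
contains critical security updates
http://adobe-pdf-reader-upgrade.example/get
"""

LEGIT_SAMPLE = """\
From: "Adobe Systems" <news@email.adobe.com>
To: reader@example.org
Subject: Reader release notes
Content-Type: text/plain; charset="us-ascii"

Release notes: https://www.adobe.com/reader/
"""


def under(host, domain):
    """True for the domain itself or a sub-domain joined to it by a dot."""
    return host == domain or host.endswith("." + domain)


def hyphen_lure(host):
    """Dashed name such as adobe-pdf-reader-upgrade.<ending> (ending not checked)."""
    labels = host.split(".")
    if len(labels) < 2:
        return False
    words = labels[-2].split("-")
    return (len(words) > 1 and words[-1] in LURE_ENDINGS
            and any(word in LURE_WORDS for word in words[:-1]))


def analyse(raw_message):
    """Return a list of findings for one raw message; empty means nothing matched."""
    msg = message_from_string(raw_message, policy=default)
    display, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()
    findings = []
    for brand, real_domain in BRANDS.items():
        if brand in display.lower() and not under(sender_domain, real_domain):
            findings.append(f"From names {brand} but the address is at {sender_domain}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if hyphen_lure(host):
            findings.append(f"link host {host} fits the dashed download/upgrade pattern")
    return findings


if __name__ == "__main__":
    for label, sample in (("scam", SCAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, analyse(sample))
```
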

The latest round to arrive this evening claims to lead to an alternative to the now defunct LimeWire file sharing system. That illegal file sharing service was shut down by US Federal Court action, led by the D.O.J. The new scam claims to offer you free P2P software that allows you to send and receive illegal files with other law breakers and pirates. However, if you download that installer, instead of getting connected to a new file sharing service, you will become botted, with your PC becoming a contributing member of a peer-to-peer spam botnet. Then your PC will be used to send out messages like these to innocent people whose email addresses have been harvested by spam bots on their friends' computers.

I have just finished writing three new filters for MailWasher Pro users, which detect these new software scams and block them (with either automatic or manual deletion). All of my custom spam filters are available in both the old (filters.txt - for up to v 6.5.4) and new (Filters.xml - for MWP 2010 onward) MailWasher formats. If you use MailWasher Pro to filter out spam, before downloading it to your desktop email client, you should take a look at my filters and see if they help reduce your time spent classifying what is good and what is spam email.

My filters are still free to download and use, but I most certainly do appreciate any donations that grateful MailWasher Pro users make, to show their appreciation for my work.
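
The two indicators described in this article (a brand name in the From text with a non-brand sender address, and a dashed brand-word link ending in -download(s).com or -upgrade.com) can be checked mechanically. The following is an added example, not one of the MailWasher Pro filters mentioned above; the list of legitimate brand domains, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the domains each brand legitimately sends mail from.
BRAND_DOMAINS = {"adobe": "adobe.com", "skype": "skype.com"}
# Words the article says appear, dash-separated, in the lure hostnames.
LURE_WORDS = {"adobe", "pdf", "reader", "skype"}
LURE_ENDINGS = ("-download.com", "-downloads.com", "-upgrade.com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def sender_mismatch(from_header):
    """Flag a From header whose display text names a brand while the
    actual address belongs to some other domain."""
    display, addr = parseaddr(str(from_header))
    domain = addr.rpartition("@")[2].lower()
    return [
        f"From names {brand} but sender domain is {domain or 'missing'}"
        for brand, legit in BRAND_DOMAINS.items()
        if brand in display.lower() and not _in_domain(domain, legit)
    ]


def lure_links(body):
    """Flag links whose hostname is built from brand words joined by
    dashes and ends in one of the endings the article describes."""
    hits = []
    for url in URL_RE.findall(body):
        try:
            host = (urlsplit(url).hostname or "").lower().rstrip(".")
        except ValueError:  # malformed URL, nothing to inspect
            continue
        if not host.endswith(LURE_ENDINGS):
            continue
        if any(_in_domain(host, d) for d in BRAND_DOMAINS.values()):
            continue
        if set(re.split(r"[-.]", host)) & LURE_WORDS:
            hits.append(f"lure link host: {host}")
    return hits


def classify(raw_message):
    """Return the list of reasons a raw RFC 5322 message looks like the scam."""
    msg = message_from_string(raw_message)
    texts = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        texts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return sender_mismatch(msg.get("From", "")) + lure_links("\n".join(texts))


# Constructed sample messages (not real captures). The link hostnames are
# made up to match the described pattern.
ADOBE_SCAM = """\
From: "Adobe Support" <account@hotels.octopustravel.com>
Subject: New Acrobat PDF Reader Has Released ! Upgrade Now

ADOBE PDF READER UPGRADE NOTIFICATION
contains critical security updates
http://www.adobe-pdf-reader-sample-upgrade.com/get
"""

SKYPE_SCAM = """\
From: "Skype Support" <news@constructed-sender.example>
Subject: Upgrade to the newest version

http://skype-constructed-sample-downloads.com/
"""

LEGIT = """\
From: "Adobe Support" <support@email.adobe.com>
Subject: Your receipt

http://www.adobe.com/products/reader.html
"""

if __name__ == "__main__":
    for name, raw in (("adobe", ADOBE_SCAM), ("skype", SKYPE_SCAM), ("legit", LEGIT)):
        print(name, classify(raw))
```
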


May 29, 2011

My Spam analysis & filter updates for the week of May 22 - 29, 2011

For two weeks in a row, spam levels have remained lower than usual. Spam for counterfeit watches maintained its lead over imitation Viagra and Cialis, by a ~9% margin. This was followed by the return of weight loss scams, male enhancement scams and various dating and lottery scams and links to .RU domains, all of which had lesser percentages.

The malware in attachments, for botnet installers, reappeared this week, in the form of fake links to Adobe Reader and Skype updates. I pity anybody who was fooled into clicking on those hostile links (they are now botted!). When the botnets lose zombie members from disinfection, their Bot Masters send out new rounds of malware infected attachments and links, to rebuild their armies of spam-bots.

Therefore, spam protection is still needed as it will get worse again (it always ebbs and flows). MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 23% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from May 22 - 29, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 23%; -1% from last week
Number of messages classified as spam: 114
Number classified by my custom spam filters: 99
Number and percentage of spam according to my custom blacklist: 3
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 17

Continue reading "My Spam analysis & filter updates for the week of May 22 - 29, 2011" »


May 24, 2011

How to deploy an email archiving solution within your organization

To a medium or large business, email correspondence is not something taken lightly or casually deleted after being read. In fact, most serious businesses keep all email for future reference, in the event of disputes, lawsuits, law enforcement subpoenas, to find customer registrations when customers lose their registration codes, to have a record of interchanges between customers and support staff, etc.

The safe storage of read email requires some forethought. Disasters can and do happen, affecting workstation computers, file servers, in-house mail servers and buildings housing the infrastructure. To safely keep thousands of important email messages from harm's way, and in some cases to comply with Government regulations, companies are looking for safe storage and archiving solutions. This article gives you some insight into some options you should consider, if you are tasked with finding an email archiving solution for your company.


The process to deploy an email archiving solution can be broken down into concise steps, for both cloud-based offerings and in-house solutions. Below are some of these steps:


  1. Meet with your stakeholders
    Email archiving solutions should help you meet legal, regulatory, and HR requirements; information security concerns; and likely existing document retention policies.

  2. Estimate the size of the solution
    An in-house solution's most significant factor will be the amount of disk space required to store the archives. An outsourced solution's most significant factor will be the number of users. Estimate both, based on current sizes, projected growth of the company, and the feedback from the stakeholders regarding the length of time messages must be stored. I like to take this number and apply the Pi factor to it, which means I multiply the result by 3.14 to account for unanticipated growth. Use this to estimate the costs for your solution and include it in #3 below.

  3. Determine whether you will deploy an in-house or cloud-based solution
    While most companies maintain email archives on-premises, some SMEs are looking at outsourcing as an attractive alternative. Cloud-based solutions are good for meeting e-discovery purposes. For those who want a more full-rounded solution that helps them not only meet legal requirements but also offload Exchange and get rid of PST files, then on-premise is the way to go. Others may prefer a combination of both on-premise and on-line, enabling them to split the archive for rarely accessed email (on-line) and current content (on-premise).

  4. Plan for client deployment
    Some solutions require an agent to be installed on the client, and almost all companies will need to address the PST files that are no doubt scattered all over home drives, local disks in the case of laptops, and may even be on personal external storage. One benefit of an email archiving solution is that it reduces the need for PST files, and many archiving solutions include automatic imports of PSTs to the archive to ensure data is preserved and available. Better solutions enable users to search the archives and restore the email they may have deleted from their mailbox, so decide whether to use a portal, an Outlook plug-in, or both.

  5. Pilot the solution
    Once you have chosen your solution, start by archiving a pilot group of users. Solicit regular feedback from these users on performance, ease of use, and their experiences with searches, restoring deleted emails, etc. Use their feedback to tune the system and to develop any training or informational materials for sharing with the rest of the company.

  6. Deploy the solution to all users
    Once the pilot users have signed off on the system, deploy to the rest of the company. Monitor for the increase in Internet bandwidth if you deployed a cloud solution, or in disk I/O if you went with an in-house option, to ensure that the system is performing well.

Following these six steps will help to ensure a successful deployment of your email archiving solution, whether it is an in-house or outsourced solution. By including input from key stakeholders, getting feedback from your test users, and testing the solution with your existing systems, you will find email archiving to be a great addition to your email infrastructure.

This guest post was provided by Ed Fisher on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: GFI email archiving solution. The preamble was written by Wiz Feinberg, owner of Wizcrafts Computer Services and this blog.


May 22, 2011

My Spam analysis & filter updates for the week of May 15 - 22, 2011

Following last week's increase, this week's spam levels have decreased slightly. Spam for counterfeit watches regained the lead over imitation Viagra and Cialis, by a 10% margin. This was followed by male enhancement scams, various dating and lottery scams, and links to .RU domains, all of which had lesser percentages.

The malware in attachments from the previous week, for botnet installers, failed to reappear this week (so watch out next week!). When the botnets lose zombie members from disinfection, their Bot Masters send out new rounds of malware infected attachments and links, to rebuild their armies of spambots.

Therefore, spam protection is still needed as it will get worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 24% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from May 15 - 22, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 24%; -6% from last week
Number of messages classified as spam: 109
Number classified by my custom spam filters: 103
Number and percentage of spam according to my custom blacklist: 1
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 5
Number of spam messages seen, reported to SpamCop & manually deleted: 16

Continue reading "My Spam analysis & filter updates for the week of May 15 - 22, 2011" »


May 15, 2011

My Spam analysis & filter updates for the week of May 8 - 15, 2011

Following last week's decrease, this week's spam levels have increased slightly. Spam for counterfeit Viagra finally surpassed spam for counterfeit watches, by a small 3% margin. This was followed by male enhancement scams and various illegal to import prescription drugs. Various scams and malware in attachments had lesser percentages.

The malware in attachments last week was for botnet installers. When the botnets lose zombie members from disinfection, they send out new rounds of malware infected attachments and links, to rebuild their armies of spambots.

Therefore, spam protection is still needed as it will get worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 30% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from May 8 - 15, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 30%; +3% from last week
Number of messages classified as spam: 135
Number classified by my custom spam filters: 125
Number and percentage of spam according to my custom blacklist: 4
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 10

Continue reading "My Spam analysis & filter updates for the week of May 8 - 15, 2011" »


May 8, 2011

My Spam analysis & filter updates for the week of May 2 - 8, 2011

Following last week's increase, this week's spam levels have decreased measurably. Spam for counterfeit Viagra finally surpassed spam for counterfeit watches, by a huge 16% margin. This was followed by male enhancement scams and various illegal to import prescription drugs. Various scams and pirated software had lesser percentages.

The reduction in last week's spam levels might have been due to spammers holding back, or Bot Masters laying low, to try to avoid the authorities who are trying to track them down and shutter their operations. When the botnets lose zombie members from disinfection, they send out new rounds of malware infected attachments and links, to rebuild their armies of spambots.

Therefore, spam protection is still needed as it will get worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 27% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from May 1 - 8, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 27%; -7% from last week
Number of messages classified as spam: 117
Number classified by my custom spam filters: 108
Number and percentage of spam according to my custom blacklist: 3
Number classified as spam by the Bayesian Learning filter: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 5
Number of spam messages seen, reported to SpamCop & manually deleted: 17

Continue reading "My Spam analysis & filter updates for the week of May 2 - 8, 2011" »


May 1, 2011

My Spam analysis & filter updates for the week of Apr 25 - May 1, 2011

Following three weeks with little change in my level of spam, this week's levels have increased slightly. Spam for counterfeit watches led the pack by a 7% margin. This was followed by various illicit pharmaceuticals, counterfeit Viagra-Cialis, and male enhancement scams. Various scams and malware in attachments had lesser percentages.

Spammers depend on the cheap use of millions of infected PCs that have been involuntarily made zombies in spam botnets. As authorities shut down one botnet, another rises to claim its share of the spam pie. As the number of infected machines declines, due to the owners being made aware of their problem and disinfecting their computers, the bot herders use whatever means are available to them to regain zombies in their herds. Sending fake delivery notices with bot installers is one of the favorites of malware distributors.

You still need spam protection and it is showing signs of getting worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 34% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Apr 25 - May 1, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 34%; +3% from last week
Number of messages classified as spam: 175
Number classified by my custom spam filters: 165
Number and percentage of spam according to my custom blacklist: 5
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 5
Number of spam messages seen, reported to SpamCop & manually deleted: 10

The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 29.71%
Pharmaceuticals and illegal prescription drugs: 22.86%
Fake Viagra and Cialis: 19.43%
Male Enhancement scams: 14.29%
Pills filter: 2.86%
DNS Blacklist Servers: 2.86%
My Blacklist: 2.86%
BR, CN, or RU Domains in spam links: 1.71%
Known Spam Subjects: 1.14%
Other Filters (with small percentages): 0.57%
Russian Bride Scams: 0.57%
Subject Contains E-mail Address: 0.57%
LACNIC Senders (South America): 0.57%

This week I made 3 updates and/or additions to my custom filters:
Image Spam #11
Known Spam [From]
Dating spam updated and split into two filters: [Subject] and [Body]


There was one false positive last week, which led to me adjusting the Watches filter. All other filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.


April 24, 2011

My Spam analysis & filter updates for the week of Apr 18 - 24, 2011

Following two weeks with no change in my level of spam, this week's levels have declined significantly. Spam for counterfeit watches led the pack by a 10% margin. This was followed by counterfeit Viagra-Cialis, various illicit pharmaceuticals, and male enhancement scams. The Nigerian 419 scammers and Russian bride scams had a measurable percentage this past week.

Spammers depend on the cheap use of millions of infected PCs that have been involuntarily made zombies in spam botnets. As authorities shut down one botnet, another rises to claim its share of the spam pie. As the number of infected machines declines, due to the owners being made aware of their problem and disinfecting their computers, the bot herders use whatever means are available to them to regain zombies in their herds. Sending fake delivery notices with bot installers is one of the favorites of malware distributors.

You still need spam protection and it is showing signs of getting worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 31% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from April 18 - 24, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 31%; -10% from last week
Number of messages classified as spam: 166
Number classified by my custom spam filters: 152
Number and percentage of spam according to my custom blacklist: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 9

The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 36.36%
Fake Viagra and Cialis: 26.62%
Pharmaceuticals and illegal prescription drugs: 14.29%
Male Enhancement scams: 10.39%
Pills filter: 3.25%
Nigerian 419 scams: 2.60%
DNS Blacklist Servers: 1.30%
Subject All Caps (mostly 419 scams): 1.30%
Other Filters (with small percentages): 1.30%
Russian Bride Scams: 1.30%
Subject Contains E-mail Address: 0.65%
LACNIC Senders (South America): 0.65%

This week I made 3 updates and/or additions to my custom filters:
Viagra Spam [S]
Misspelled Viagra [S]
Replica Watches


There was one false positive last week, which led to me adjusting the Watches filter. All other filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.


April 17, 2011

My Spam analysis & filter updates for the week of Apr 11 - 17, 2011

Following last week's increase in spam, this week's levels remained the same. Spam for counterfeit watches led the pack by a 7% margin. This was followed by male enhancement scams and various illicit pharmaceuticals. The Nigerian 419 scammers were back at work this week, accounting for a little over 2% of my incoming spam.

Spammers depend on the cheap use of millions of infected PCs that have been involuntarily made zombies in spam botnets. As authorities shut down one botnet, another rises to claim its share of the spam pie. As the number of infected machines declines, due to the owners being made aware of their problem and disinfecting their computers, the bot herders use whatever means are available to them to regain zombies in their herds. Sending fake delivery notices with bot installers is one of the favorites of malware distributors.

You still need spam protection and it is showing signs of getting worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 41% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from April 11 - 17, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 41%; no change from last week
Number of messages classified as spam: 219
Number classified by my custom spam filters: 203
Number and percentage of spam according to my custom blacklist: 8
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 10

The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 28.77%
Male Enhancement scams: 21.23%
Pharmaceuticals and illegal prescription drugs: 14.62%
Pills filter: 14.62%
Fake Viagra and Cialis: 7.55%
(.BR, .CN, or) .RU domain links: 3.77%
Blacklisted senders (my list): 3.77%
Other Filters (with small percentages): 1.42%
African Senders (usually 419 scams): 1.42%
Nigerian 419 scams: 0.94%
Known Spam [From]: 0.94%
Re: [digits] spam filter: 0.47%
DNS Blacklist Servers: 0.47%

This week I made 6 updates and/or additions to my custom filters:
E-Card Scam,
Nigerian 419 Scam #3 [S, F, R] (2x),
Re [digits] Spammer (2x),
Viagra Spam [B]


There were no false positives last week. All filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.


April 10, 2011

My Spam analysis & filter updates for the week of Apr 4 - 10, 2011

Following last week's slight drop in spam, this week's levels increased by 6% (of my incoming email). Spam for counterfeit watches led the pack by a 19% margin. This was followed by pharmaceuticals of the usual type. Also, there was a noticeable barrage of malware infected spam claiming to come from Express Services and Postal Express. I hope that none of my readers were curious enough to open one of the attachments from these fake courier scams. If you did, your PC is now probably a member of a botnet.

Spammers depend on the cheap use of millions of infected PCs that have been involuntarily made zombies in spam botnets. As authorities shut down one botnet, another rises to claim its share of the spam pie. As the number of infected machines declines, due to the owners being made aware of their problem and disinfecting their computers, the bot herders use whatever means are available to them to regain zombies in their herds. Sending fake delivery notices with bot installers is one of the favorites of malware distributors.

You still need spam protection and it is showing signs of getting worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 41% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from April 4 - 10, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 41%; up 6% from last week
Number of messages classified as spam: 270
Number classified by my custom spam filters: 256
Number and percentage of spam according to my custom blacklist: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 24

The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 28.4%
Pharmaceuticals and illegal prescription drugs: 19.07%
Male Enhancement scams: 15.562%
(.BR, .CN, or) .RU domain links: 14.79%
Courier Spam (botnet Trojans in attachments): 6.23%
Fake Viagra and Cialis: 3.89%
Weight Loss Scams: 3.89%
Other Filters (with small percentages): 2.33%
Pills: 2.33%
Counterfeit Goods (bags, jewelry): 1.95%
Russian Bride Scam: 1.17%
DNS Blacklist Servers: 0.39%

This week I made 3 updates and/or additions to my custom filters:
Courier Scam #7 (2x),
Weight Loss Drugs


There were no false positives last week. All filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.


April 3, 2011

My Spam analysis & filter updates for the week of Mar 28 - Apr 3, 2011

Following last week's big increase in spam, this week's levels dropped slightly, by 3% (of my incoming email). I know that the various honeypot bean counters say that spam is down by between 30 and 40 percent, following the takedown of the Rustock Botnet, but that's not what my statistics reveal. Spam for counterfeit watches led the pack by a ~17% margin.

You still need spam protection and it is showing signs of getting worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 35% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from March 28 - April 3, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 35%; down 3% from last week
Number of messages classified as spam: 183
Number classified by my custom spam filters: 172
Number and percentage of spam according to my custom blacklist: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 25

The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 37.93%
Pharmaceuticals and illegal prescription drugs: 20.69%
Male Enhancement scams: 8.62%
Other Filters (with small percentages): 7.47%
Pills: 5.75%
Fake Viagra and Cialis: 4.60%
Counterfeit Goods (bags, jewelry): 4.60%
.BR, .CN, or .RU domain links: 3.45%
Courier Spam (malware in attachments): 2.87%
African Sender: 1.72%
PDF Attachment: 1.15%
Blacklisted sender names and domains (my blacklist): 0.57%
DNS Blacklist Servers: 0.57%

This week I made 8 updates and/or additions to my custom filters:
Courier Scam #7 (2x),
Diploma Spam,
Lottery Scam,
Post Express (2x),
Work At Home Scam.
New filter: Known Spam Subjects #4


There were no false positives last week. All filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.


March 27, 2011

My Spam analysis & filter updates for the week of Mar 21 - 27, 2011

Following last week's big decline in spam, due to the sudden takedown of the Rustock botnet, other botnet operators have taken up the slack, bringing spam levels back up to 38% of my incoming email. This week the majority of spam was for counterfeit name brand watches, followed by pharmaceuticals, male enhancement and fake Viagra.

This past 7 days, spam for various types of garbage amounted to 38% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Mar 21 - 27, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 38%; up 10% from last week
Number of messages classified as spam: 214
Number classified by my custom spam filters: 175
Number and percentage of spam according to my custom blacklist: 10
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 10

The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 33.33%
Pharmaceuticals and illegal prescription drugs: 22.58%
Male Enhancement scams: 13.44%
Fake Viagra and Cialis: 11.83%
Blacklisted sender names and domains (my blacklist): 5.38%
Other Filters (with small percentages): 4.30%
African Sender: 2.15%
.BR, .CN, or .RU domain links: 1.61%
Subject contains e-mail address: 1.61%
Work At Home Scams: 1.08%
419 scams: 1.08%
Loans/Bankruptcy scams: 1.08%
DNS Blacklist Servers: 0.54%

This week I made 6 updates and/or additions to my custom filters:
Known Spam Domains
Watches Spam
Work At Home Scam
New filter: Courier Scam #7
New filter: .BR, .CN, .RU Domain Link
Re-enabled Weight Loss filter.


There was one false positive last week, resulting in my creating a new filter to detect .RU domains in the message body. All other filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in XML format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it on my MailWasher Pro Custom Filters page.


March 20, 2011

My Spam analysis & filter updates for the week of Mar 14 - 20, 2011

After briefly rising last week, spam levels have fallen again, following this week's takedown of the Rustock spam botnet's command and control servers by Microsoft, Pfizer, FireEye and the US Marshals Service. My statistics reveal a 7% decrease from the previous week. Prior to the shutdown of those servers, Rustock was responsible for over 40% of the world-wide spam.

Immediately following Rustock's takedown, on March 16, there was a big drop in spam. However, other botnets quickly rented out their services to spammers, so the amount of spam rebounded over the last few days to regain several percentage points. You can look for those botnets to become the next targets of Microsoft, Pfizer and other anti-spam agencies.

Pfizer was involved because so much spam is for counterfeit Viagra, which is a trademarked and controlled drug manufactured and distributed by Pfizer and its legitimate partners. They do not license Russian, Indian, or Chinese based Internet pharmacies to make or distribute Viagra, or to use the trademarked name of the company or the drug. Anybody offering to sell Viagra (real or counterfeit) to US residents, without a valid prescription issued by a real US based and licensed doctor, after an actual physical examination, is violating US Federal law. Anybody attempting to purchase Viagra, or other controlled prescription drugs, from an Internet pharmacy located outside the USA, or any Internet pharmacy that sells pharmaceuticals that are not manufactured or licensed for sale in the USA, is guilty of violating US laws regulating the purchase of controlled substances. Those purchases are subject to seizure by US Customs and smuggling charges can be filed by Federal authorities.

This past 7 days, spam for various types of garbage amounted to 28% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Mar 14 - 20, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 28%; down 7% from last week
Number of messages classified as spam: 124
Number classified by my custom spam filters: 120
Number and percentage of spam according to my custom blacklist: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 11

The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 28.46%
Pharmaceuticals and illegal prescription drugs: 26.02%
Fake Viagra and Cialis: 15.45%
Other Filters (with small percentages): 7.32%
Male Enhancement scams: 4.88%
Known Spam Domains in links (usually Russian: .RU): 4.07%
Work At Home Scams: 3.25%
Subject contains e-mail address: 2.44%
Twitter Phishing Scam: 2.44%
419 scams: 1.63%
DNS Blacklist Servers: 1.63%
Russian Sender: 1.63%
Blacklisted sender names and domains (my blacklist): 0.81%

This week I made 7 updates to my custom filters:
Consecutive digits or consonants,
Diploma Spam,
Russian Bride Scam,
Russian Sender,
Work At Home Scam.
New filters: Courier Scam #6 and Post Express Scam.
Disabled 28 out-dated filters.


There was one false positive last week. All filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in XML format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it on my MailWasher Pro Custom Filters page.


March 13, 2011

My Spam analysis & filter updates for the week of Mar 7 - 13, 2011

For the second week in a row, spam levels have risen again. My statistics reveal a 2% increase from the previous week. The most recent spam runs have been for illegal to import, dangerous prescription drugs, followed by fake brand name watches, then Asian Viagra, male enhancement scams, various African 419 lottery scams and a new DHL courier scam carrying the SpyEye Trojan in an attachment.

This past 7 days, spam for various types of garbage amounted to 35% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Mar 7 - 13, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 35%; up 2% from last week
Number of messages classified as spam: 212
Number classified by my custom spam filters: 190
Number and percentage of spam according to my custom blacklist: 4
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 36

The order of spam categories, according to the highest percentages, is as follows:

Pharmaceuticals and illegal prescription drugs: 21.03%
Counterfeit Watches: 21.03%
Fake Viagra and Cialis: 17.95%
Male Enhancement scams: 10.77%
Other Filters (with small percentages): 9.74%
Lottery Scams: 5.13%
Known Spam Domains in links (usually Russian: .RU): 3.59%
Blacklisted sender names and domains (my blacklist): 2.05%
African Sender (419 scams): 2.05%
SUBJECT ALL CAPS (mostly Nigerian scams): 2.05%
LACNIC (South American) spam sender: 2.05%
Known Spam [From]: 2.05%
DNS Blacklist Servers: 0.51%

This week I made 4 updates to my custom filters:
Known Spam [From],
Misspelled Viagra,
Pics Spam,
Russian Bride Scam


There were no false positives last week. All filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in XML format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it on my MailWasher Pro Custom Filters page.


March 6, 2011

My Spam analysis & filter updates for the week of Feb 28 - Mar 6, 2011

After decreasing sharply last week, spam levels have begun to rise again. My statistics reveal a 9% increase from the previous week. The most recent spam runs have been for illegal to import, dangerous prescription drugs, fake brand name watches and various African 419 scams.

This past 7 days, spam for various types of garbage amounted to 33% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Feb 28 - Mar 6, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 33%; up 9% from last week
Number of messages classified as spam: 164
Number classified by my custom spam filters: 146
Number and percentage of spam according to my custom blacklist: 10
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 13

The order of spam categories, according to the highest percentages, is as follows:

Pharmaceuticals and illegal prescription drugs: 40.51%
Counterfeit Watches: 13.92%
Known Spam Domains in links (usually Russian: .RU): 13.29%
Fake Viagra and Cialis: 10.13%
Blacklisted sender names and domains (my blacklist): 6.33%
Male Enhancement scams: 3.80%
Other Filters (with small percentages): 3.16%
Pics (Russian Bride) scam: 2.53%
Dating scams: 1.27%
Nigerian 419 scams: 1.27%
SUBJECT ALL CAPS: 1.27%
LACNIC (South American) spam sender: 1.27%
DNS Blacklist Servers: 1.27%

I made just 1 update to my custom filters:
"Pics" Scam (Russian Brides)


There were no false positives last week. All filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in XML format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions (which I refer to as my Judge Dredd, murder, death, kill rules!). You can read all about MailWasher Pro and the filters I write for it on my MailWasher Pro Custom Filters page.


February 27, 2011

My Spam analysis & filter updates for the week of Feb 21 - 27, 2011

After increasing slightly last week, my incoming volume of spam has decreased significantly. However, botnets are still spewing out email spam for fake Viagra, counterfeit watches, fake and illegal to import Russian prescription drugs, Nigerian lottery/419 scams, pirated software and work at home kit scams.

This past 7 days, spam for various types of garbage amounted to 24% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Feb 14 - 20, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Percentage classified as spam: 24%; down 10% from last week
Number of messages classified as spam: 106 
Number classified by my custom spam filters: 97
Number and percentage of spam according to my custom blacklist: 8
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 18
The order of spam according to the highest percentages, is as follows:
Pharmaceuticals and fake prescription drugs: 25.47%
Fake Viagra and Cialis: 15.09%
Counterfeit Watches: 12.26%
Blacklisted sender names and domains (my blacklist): 7.55%
Work At Home Scam: 6.60%
Known Spam Domains in links (usually Russian: .RU): 5.66%
Male Enhancement scams: 5.66%
Other Filters (with small percentages): 5.66%
Diploma Spam: 4.72%
Counterfeit Goods: 3.77%
URL Shortener spam links (t.co, etc): 3.77%
Lottery Scam: 2.83%
DNS Blacklist Servers: 0.94%

I made these 2 additions/updates to my custom filters:
Counterfeit Goods
Work At Home Scam

I made 0 changes to my custom Blacklist:


See my extended content for more details about protecting your computers from the threats posed by email spam.

Continue reading "My Spam analysis & filter updates for the week of Feb 21 - 27, 2011" »


February 20, 2011

My Spam analysis & filter updates for the week of Feb 14 - 20, 2011

After declining for two weeks in a row, my incoming volume of spam has increased slightly. Botnets are still spewing out email spam for fake Viagra, counterfeit watches, fake and illegal to import prescription drugs, Nigerian lottery/419 scams and work at home kit scams.

This past 7 days, spam for various types of garbage amounted to 34% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Feb 14 - 20, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Percentage classified as spam: 34%; up 4% from last week
Number of messages classified as spam: 196 
Number classified by my custom spam filters: 168
Number and percentage of spam according to my custom blacklist: 10
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 39
The order of spam according to the highest percentages, is as follows:
Pharmaceuticals and fake prescription drugs: 31.84%
Other Filters (with small percentages): 12.29%
Fake Viagra and Cialis: 12.29%
Counterfeit Watches: 9.50%
Known Spam Domains in links (usually Russian: .RU): 7.82%
Blacklisted sender names and domains (my blacklist): 5.59%
Image Spam: 5.03%
Pills Spam: 4.47%
Male Enhancement scams: 2.79%
Pirated Software: 2.79%
Work At Home Scam: 2.79%
Subject is All Capital Letters: 2.23%
DNS Blacklist Servers: 0.562%

I made these 7 additions/updates to my custom filters:
APNIC (Asia-Pacific),
Image Spam #11,
Known Spam Domains,
Nigerian 419 Scam #3 [S, F, R],
Pills,
Work At Home Scam (2x)

I made 0 changes to my custom Blacklist:


See my extended content for more details about protecting your computers from the threats posed by email spam.

Continue reading "My Spam analysis & filter updates for the week of Feb 14 - 20, 2011" »


February 16, 2011

How to protect your company's employees from phishing attacks

Every weekend I write an article about my spam analysis for that week. This often includes details about phishing scams that target individuals and company employees, for the purpose of stealing your identity, logins and passwords to important web sites, private or company information, or trade secrets.

The following is a guest article sent to me by GFI Software, a leading software developer that produces network and email/messaging security solutions for SMEs. GFI is also the owner of Vipre Antivirus. This article deals with protecting your employees from falling victim to phishing scams that arrive via email.

Data, the lifeblood of every organization, is also a magnet for phishing emails and other social engineering scams. Phishing scams come in a variety of flavors but predominately are pushed through email or, recently on the increase, through social networking sites and Instant Messaging. In essence these carefully crafted emails, appearing totally legitimate, aim to trick unsuspecting employees in giving up personal or financial information which the phisher, in turn, uses to commit fraud and for personal gain.

Understanding how to identify phishing emails and scams is important because it will lead to better management of the problem and afford better protection for your network and data (before your employees thoughtlessly click on them). Below are some points to keep in mind:


  1. Do not trust emails with urgent requests for personal or financial information. Such emails are often near-genuine messages from banks, credit agencies, official government bodies and online vendor or payment sites. They also tend to come with a lot of dire 'warnings', deliberately attempting to scare the recipients and force them to click on links and give out details before they have time to properly assess the veracity of the claim. Keep in mind that the legitimate senders usually rely on other means to contact you, rather than through email. If you have any doubts about the content in, or the sender of, the email, pick up the phone and speak to them directly. Better safe than sorry.

  2. Look out for misspelled URLs and incorrect English - a classic in phishing emails. They are great at tricking people but they are not always drafted by good writers. The content is usually peppered with grammatical errors. Phishers also make subtle changes to the spelling of website URLs, for example: http://www.christinsblog.com instead of http://www.christinasblog.com. Look out for these errors.

  3. When receiving an email which addresses you as 'Dear customer', rather than by your first and/or last name, it is probably a scam.

  4. Look out for keywords, such as: 'verify your account' or 'verify your ID' - these are usually found in phishing emails.

  5. Always be suspicious of emails which ask you to click on links. Unless you are sure that the sender is legitimate, never click on links in emails.
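The five indicators in the list above can be expressed as a small triage check for incoming mail. The following Python sketch is an added example, not part of the guest article or of any GFI product; the trusted-domain list, the indicator names and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: domains the organisation really deals with (illustrative only).
TRUSTED_DOMAINS = {"christinasblog.com", "example-bank.com"}

URGENCY = re.compile(r"\b(urgent|immediately|suspended|within \d+ hours)\b", re.I)
KEYWORDS = re.compile(r"\bverify your (account|id)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear (customer|user|client|member)\b", re.I | re.M)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def link_hosts(text):
    """Return the lower-cased host of every http(s) link, without a leading 'www.'."""
    hosts = []
    for url in URL_RE.findall(text):
        host = (urlparse(url.rstrip(".,;)")).hostname or "").lower()
        hosts.append(host[4:] if host.startswith("www.") else host)
    return hosts


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """A host is trusted if it is a listed domain or a subdomain of one."""
    return any(host == good or host.endswith("." + good) for good in trusted)


def lookalike_of(host, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain that `host` imitates (tip 2), or None."""
    if is_trusted(host, trusted):
        return None
    for good in sorted(trusted):
        if 0 < edit_distance(host, good) <= max_distance:
            return good
    return None


def score_email(subject, body):
    """Return the names of the indicators (tips 1 to 5) that the message triggers."""
    findings = []
    hosts = link_hosts(body)
    if URGENCY.search(subject + "\n" + body):
        findings.append("urgent_request")        # tip 1: pressure to act quickly
    if any(lookalike_of(h) for h in hosts):
        findings.append("lookalike_url")         # tip 2: misspelled URL
    if GENERIC_GREETING.search(body):
        findings.append("generic_greeting")      # tip 3: 'Dear customer'
    if KEYWORDS.search(subject + "\n" + body):
        findings.append("verify_keyword")        # tip 4: 'verify your account'
    if any(not is_trusted(h) for h in hosts):
        findings.append("untrusted_link")        # tip 5: link to an unknown host
    return findings


# Constructed sample messages (not real mail).
PHISH_SUBJECT = "Urgent: verify your account"
PHISH_BODY = ("Dear customer,\n"
              "Your account will be suspended within 24 hours. Please verify your\n"
              "account at http://www.christinsblog.com/login.\n")
OK_SUBJECT = "Comment on your post"
OK_BODY = "Hi Christina,\nThanks for the article: http://www.christinasblog.com/2011/02/\n"

if __name__ == "__main__":
    print(score_email(PHISH_SUBJECT, PHISH_BODY))
    print(score_email(OK_SUBJECT, OK_BODY))
```

A message that triggers several indicators is a candidate for quarantine or manual review; a single hit, such as an unknown link in an otherwise ordinary newsletter, is weak evidence on its own.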


The next step is how to stop phishing emails in the first place?

Continue reading "How to protect your company's employees from phishing attacks" »


February 13, 2011

My Spam analysis & filter updates for the week of Feb 7 - 13, 2011

Something is up with the spam botnets. For the 2nd week in a row my incoming volume of spam has decreased. However, the remaining active botnets are still spewing out email spam for fake Viagra, counterfeit watches, fake and illegal to import prescription drugs, pump and dump stocks, Nigerian lottery/419 scams and work at home kit scams.

This past 7 days, spam for various types of garbage amounted to 30% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Feb 7 - 13, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Percentage classified as spam: 30%; down 5% from last week
Number of messages classified as spam: 138 
Number classified by my custom spam filters: 129
Number and percentage of spam according to my custom blacklist: 3
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 0
Number of spam messages seen, reported to SpamCop & manually deleted: 17
The order of spam according to the highest percentages, is as follows:
Pharmaceuticals and fake prescription drugs: 30.30%
Fake Viagra and Cialis: 25.00%
Counterfeit Watches: 20.45%
Known Spam Domains in links (usually Russian: .RU): 5.30%
Work At Home Scam: 4.55%
Nigerian 419 Scams: 3.04%
Lottery Scams: 3.03%
Other Filters (with small percentages): 3.03%
Blacklisted sender names and domains (my blacklist): 2.27%
Pump and Dump stock spam: 1.52%
URL Shortener Links to spam: 1.52%

I made 10 additions/updates to my custom filters:
Canadian Pharmacy,
E-Card Scam,
Known Spam Subjects #2,
Nigerian 419 Scam #3 [S, F, R],
Pump & Dump Scam (2x),
Watches Spam,
Work At Home Scam (3x)

I made 0 changes to my custom Blacklist:


See my extended content for more details about protecting your computers from the threats posed by email spam.

Continue reading "My Spam analysis & filter updates for the week of Feb 7 - 13, 2011" »


February 6, 2011

My Spam analysis & filter updates for the week of Jan 31 - Feb 6, 2011

After three weeks of increases, my incoming volume of spam has decreased, this time by a whopping 14%. Still, botnets are spewing out email spam for fake Cialis and Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal to import prescription drugs, pirated software, dating scams and work at home (Money Mule - criminal money laundering) scams.

This past 7 days, spam for various types of garbage amounted to 35% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Jan 31 - Feb 6, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Percentage classified as spam: 35%; down 14% from last week
Number of messages classified as spam: 166 
Number classified by my custom spam filters: 148
Number and percentage of spam according to my custom blacklist: 14
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 0
Number of spam messages seen, reported to SpamCop & manually deleted: 10
The order of spam according to the highest percentages, is as follows:
Pharmaceuticals and fake prescription drugs: 26.54%
Counterfeit Watches: 19.14%
Fake Viagra and Cialis: 16.05%
Known Spam Domains in links (usually Russian: .RU): 13.58%
Blacklisted sender names and domains (my blacklist): 8.64%
Male Enhancement scam: 3.09%
Other Filters (with small percentages): 3.09%
Pills spam: 3.09%
Dating spam: 2.47%
Software Spam: 1.85%
URL Shortener Links to spam: 1.87%
Work At Home Scam: 1.23%

I made 4 additions/updates to my custom filters:
Diploma Spam (now using HTML positioning tricks and salad words),
Known Spam Domains,
Unlicensed Prescription Drugs,
Work At Home Scam (money mule scams)

I made 0 changes to my custom Blacklist:


See my extended content for more details about protecting your computers from the threats posed by email spam.

Continue reading "My Spam analysis & filter updates for the week of Jan 31 - Feb 6, 2011" »


January 30, 2011

My Spam analysis & filter updates for the week of Jan 24 - 30, 2011

For the third week in a row, the volume has increased again. Botnets are again spewing out email spam for fake Cialis and Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal to import prescription drugs, pirated software, Russian brides and Work at home (Money Mule - criminal money laundering) scams.

This past 7 days, spam for various types of garbage amounted to 49% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Jan 24-30, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Percentage classified as spam: 49%; up 3% from last week
Number of messages classified as spam: 328 
Number classified by my custom spam filters: 279
Number and percentage of spam according to my custom blacklist: 39
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 3
Number of spam messages seen, reported to SpamCop & manually deleted: 20
The order of spam according to the highest percentages, is as follows:
Pharmaceuticals and fake prescription drugs: 21.50%
Fake Viagra and Cialis: 17.13%
Counterfeit Watches: 16.82%
Known Spam Domains in links (usually Russian: .RU): 15.58%
Blacklisted sender names and domains (my blacklist): 12.15%
Male Enhancement scam: 4.67%
Russian Bride scam: 4.36%
Re: (digits): 1.87%
Other Filters (with small percentages): 1.87%
Software Spam: 1.25%
Work At Home Scam: 1.25%
DNS Blacklisted Senders: 0.93%
Lottery Scam: 0.62%

I made 9 additions/updates to my custom filters:
Dating Spam,
Russian Bride Scam,
Diploma Spam,
Facebook Scam,
Known Spam Domains,
Pump and Dump Scam,
Work At Home Scam (3x),
Viagra [B].
New filter: Russian Bride Scam.

I made 1 change to my custom Blacklist:
[email protected]

Continue reading "My Spam analysis & filter updates for the week of Jan 24 - 30, 2011" »


January 23, 2011

My Spam analysis & filter updates for the week of Jan 17 - 23, 2011

For the second week in a row, the volume has increased again. Botnets are again spewing out email spam for fake Cialis and Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal to import prescription drugs, pirated software and Work at home (Money Mule) scams.

This past 7 days, spam for various types of garbage amounted to 46% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Jan 17-23, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Percentage classified as spam: 46%; up just 2% from last week
Number of messages classified as spam: 285 
Number classified by my custom spam filters: 255
Number and percentage of spam according to my custom blacklist: 18
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 0
Number of spam messages seen, reported to SpamCop & manually deleted: 8
The order of spam according to the highest percentages, is as follows:
Fake Viagra and Cialis: 35.90%
Pharmaceuticals and fake prescription drugs: 29.67%
Counterfeit (Rolex, etc) Watches: 10.99%
Known Spam Domains in links (usually Russian: .RU): 8.79%
Blacklisted sender names and domains (my blacklist): 6.59%
Male Enhancement scams: 2.20%
Other Filters (with small percentages): 1.83%
Nigerian 419 Scam: 1.10%
Software Spam: 1.10%
Work At Home Scam: 1.10%
Re: (digits): 0.73%

I made 2 additions/updates to my custom filters:
Work At Home Scam (2x)

I made 0 changes to my custom Blacklist:

Continue reading "My Spam analysis & filter updates for the week of Jan 17 - 23, 2011" »


January 16, 2011

My Spam analysis & filter updates for the week of Jan 10 - 16, 2011

After three steady weeks of declining spam, the volume has spiked up again. Botnets are again spewing out email spam for fake Cialis and Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal to import prescription drugs, pirated software and Russian dating scams.

This past 7 days, spam for various types of garbage amounted to 44% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Jan 10-16, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Percentage classified as spam: 44%; up 12% from last week
Number of messages classified as spam: 237 
Number classified by my custom spam filters: 228
Number and percentage of spam according to my custom blacklist: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 0
Number of spam messages seen, reported to SpamCop & manually deleted: 12
The order of spam according to the highest percentages, is as follows:
Fake Viagra and Cialis: 34.50%
Pharmaceuticals and fake prescription drugs: 21.83%
Counterfeit (Rolex, etc) Watches: 13.54%
Male Enhancement scams: 10.92%
Dating Spam (Russian Bride scams): 7.42%
Known Spam Domains in links (usually Russian: .RU): 3.49%
Software Spam: 3.06%
Other Filters (with small percentages): 2.18%
Numeric IP (to malware attack sites): 0.87%
Lottery Scam: 0.87%
Work At Home Scam: 0.87%
Blacklisted sender names and domains: 0.44%

I made 3 additions/updates to my custom filters:
Lottery Scam
Work At Home Scam
Pump and Dump Stock Scam

I made 0 changes to my custom Blacklist:

January 10, 2011

Mail archiving: Easing the load on your mail server - and yourself!

Emails are a significant part of a business's records, and need to be stored to meet organizational needs as well as legal and compliance requirements. How this is done can make an incredible difference to the lives of both end-users and administrators.

Is your organization archiving email the right way?

An Exchange or email server may easily be brought down when its mailboxes contain too many large email attachments or when there are large numbers of email accounts. System administrators usually solve this by putting a quota on each mailbox so as to limit the amount of information stored on the server while moving older emails to a different location so as not to surpass this limit. This can irritate or frustrate end-users, especially when they need to retrieve emails that date back to many years before. In order to save these emails and respect the quota simultaneously, some end-users store their email in PST files (open proprietary file formats that are used for storing copies of messages) which they either save on their local machine or on a network share. If this sounds like the system in place at your organization, steady yourself: You might be in for a few problems.

When stored locally, PST files cannot be backed up regularly. This means that if one of them is damaged or accidentally deleted, the emails within it are lost. On the other hand, when end-users store their PST files on a network share, this simply transfers the whole issue of storage space from one location (the server) to another (the network share), while also presenting the need to increase the number of backups coupled with the ordeal of having to manage all those PST files - a pet hate for many administrators.

How to tackle this storage problem

January 9, 2011

My Spam analysis & filter updates for the week of Jan 3 - 9, 2011

Again this week, fewer spammers than previously are still promoting fake Cialis and Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal to import prescription drugs, fake e-cards or messages containing only a link to malware exploit sites, fake product recommendations and dating scams.

This past 7 days, spam for various types of garbage amounted to 32% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Jan 3 - 9, 2011. These classifications are based upon my own custom MailWasher spam filters.

MailWasher Pro by Firetrust
Percentage classified as spam: 32%; down 6% from last week (-16% over 2 wks!)
Number of messages classified as spam: 139 
Number classified by my custom spam filters: 127
Number and percentage of spam according to my custom blacklist: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 0
Number of spam messages seen, reported to SpamCop & manually deleted: 1
The order of spam according to the highest percentages, is as follows:
Pharmaceuticals and fake prescription drugs: 31.25%
Fake Viagra and Cialis: 21.88%
Counterfeit (Rolex, etc) Watches: 19.53%
Male Enhancement scams: 19.53%
Pills: 3.91%
Known Spam Domains in links (usually Russian: .RU): 1.56%
Blacklisted sender names and domains: 0.78%
Dating Spam (Russian Bride scams): 0.78%
E-Card Scam (containing Botnet infection links): 0.78%

I made 1 addition/update to my custom filters:
New filter: E-card Scam (Storm 3.0 or Waledac 2.0 Botnet)

I made 0 changes to my custom Blacklist:

January 2, 2011

My Spam analysis & filter updates for the week of Dec 27, 2010 - Jan 2, 2011

This week, fewer spammers than usual are still promoting fake Cialis and Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal to import prescription drugs, fake e-cards or messages containing only a link to malware exploit sites, fake product recommendations and Nigerian 419 scams.

This past 7 days, spam for various types of garbage amounted to 38% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Dec 27, 2010 - Jan 2, 2011. These classifications are based upon my own custom MailWasher spam filters.

MailWasher Pro by Firetrust
Percentage classified as spam: 38%; down 10% from last week
Number of messages classified as spam: 172 
Number classified by my custom spam filters: 161
Number and percentage of spam according to my custom blacklist: 3
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 6
The order of spam according to the highest percentages, is as follows:
Counterfeit (Rolex, etc) Watches: 26.32%
Male Enhancement scams: 26.32%
Fake Viagra and Cialis: 25.73%
Pharmaceuticals and fake prescription drugs: 11.70%
Known Spam Domains in links (usually Russian: .RU): 2.92%
Blacklisted sender names and domains: 1.75%
Other miscellaneous filters (small percentages each): 1.74%
African Sender (419 scams): 1.17%
DNS Blacklisted Servers (RBL): 1.17%
Hidden ISO Subjects: 0.58%
Re: or Fwd spam: 0.58%

I made 1 addition/update to my custom filters:
New filter: Dating Spam #2

I made 0 changes to my custom Blacklist:

December 26, 2010

My Spam analysis & filter updates for the week of Dec 20 - 26, 2010

With Christmas just over, spammers took what they could from the pockets of gullible Netizens. They used a variety of come-ons, including appeals to male vanity and a few Trojans to deceive and rob people of their hard earned money.

This week, spammers are still promoting fake Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal to import prescription drugs, fake e-cards (malware) and Russian dating scams.

This past 7 days, spam for various types of garbage amounted to 48% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from December 20 - 26, 2010. These classifications are based upon my own custom MailWasher spam filters.

MailWasher Pro by Firetrust
Percentage classified as spam: 48%; up 1% from last week
Number of messages classified as spam: 240 
Number classified by my custom spam filters: 237
Number and percentage of spam according to my custom blacklist: 3
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 0
Number of spam messages seen, reported to SpamCop & manually deleted: 5
The order of spam according to the highest percentages, is as follows:
Fake Viagra and Cialis: 24.58%
Male Enhancement scams: 20.83%
Counterfeit (Rolex, etc) Watches: 19.58%
Pharmaceuticals and fake prescription drugs: 16.67%
Known Spam Domains in links (usually Russian: .RU): 10.83%
Dating (Russian Bride scams): 3.75%
Blacklisted sender names and domains: 1.26%
Other miscellaneous filters (small percentages each): 1.25%
Charset=iso-8859-2 (Latvia, etc): 0.83%
Nigerian Lottery Scam: 0.42%

I made 2 additions/updates to my custom filters:
APNIC,
Known Spam Domains

I made 1 change to my custom Blacklist:
*e-card-delivery@+

December 20, 2010

My Spam analysis & filter updates for the week of Dec 13 - 19, 2010

With Christmas arriving this coming weekend, spammers have ramped up their efforts into overdrive, in order to divert some of your hard earned dollars into their purloined pockets. Don't be fooled by their email pitches. Spam offers are fraudulent, dealing in fake goods and payment ripoffs.

This week, spammers are mostly promoting fake Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal to import prescription drugs, and Russian dating scams.

This past 7 days, spam for various types of garbage amounted to 47% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from December 13 - 19, 2010. These classifications are based upon my own custom MailWasher spam filters.

MailWasher Pro by Firetrust
Percentage classified as spam: 47%; down 4% from last week
Number of messages classified as spam: 322 
Number classified by my custom spam filters: 242
Number and percentage of spam according to my custom blacklist: 13
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 13
The order of spam according to the highest percentages, is as follows:
Fake Viagra and Cialis: 40.86%
Counterfeit (Rolex, etc) Watches: 19.84%
Male Enhancement scams: 10.51%
Dating (Russian Bride scams): 6.61%
Pharmaceuticals and fake prescription drugs: 6.23%
Blacklisted sender names and domains: 5.06%
Known Spam Domains in links (usually Russian: .RU): 4.67%
Numeric IP hostile link (hijacked PCs): 1.95%
Other miscellaneous filters (small percentages each): 1.95%
Charset=iso-8859-2 (Latvia, etc): 0.78%
Nigerian Lottery Scam: 0.78%
DNS Blacklisted Servers: 0.78%

I made 1 addition/update to my custom filters:
Known Spam [From]

I made 1 change to my custom Blacklist:
*easy-e-card*@+

Take my advice and never reply to spam email, just delete it. Don't bother trying to unsubscribe from spam mail lists. Nobody ever gets de-listed; you will only confirm that your email address is valid by using the bogus unsubscribe links. Think about it: if you never signed up to receive the (fake) goods advertised in a spam email, why should you have to unsubscribe? The unsubscribe links are not honored. However, people using them are added to databases of proven live accounts and their names are sold to other spammers.

Spammers are slimeball criminals and fraudsters, not legitimate business people. Never buy anything that is spamvertised. If you do, you will give your credit or debit card details to hardened criminals, in far away places. If you purchase illicit controlled drugs from abroad, they are subject to seizure by US Customs. It is against the law to import prescription drugs without a valid prescription issued by a physician who is validly licensed in the USA. And, if you actually receive Asian prescription pills ordered from a spam email link, the drugs may do nothing, or may harm you, or even kill you.

A word regarding knockoff watches: they are made in China, have no applicable warranty, cannot be returned if defective, are sold by criminal spammers, and are inferior to the real items they are copying. If you buy a counterfeit name brand watch, know that a fool and his money soon will part! Ditto for fake diplomas that are offered from time to time and all of the fake Viagra pills and enlargement scams that appear every day.

December 12, 2010

My Spam analysis & filter updates for the week of Dec 6 - 12, 2010

With Christmas around the corner, spammers are ramping up their efforts to get some of your hard earned dollars and infect more machines, for use in Botnets. There is a virtual flood of crap mail deluging email inboxes this week, mostly hawking things like fake Viagra, counterfeit watches and designer bags and jewelry, illegal to import prescription drugs, bogus male enlargement herbs and pills, the tail end of a Pump and Dump penny stock scam (DYNV) and a handful of work at home money laundering scams (money mule recruiters for bank account stealing Trojans, like Zeus and similar info stealing Bots). There were a few phishing scams thrown into the mix, earlier in the week.

This past 7 days, spam for various types of garbage amounted to 51% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from December 6 - 12, 2010. These classifications are based upon my own custom MailWasher spam filters.

MailWasher Pro by Firetrust
Percentage classified as spam: 51%; down 5% from last week
Number of messages classified as spam: 370 
Number classified by my custom spam filters: 353
Number and percentage of spam according to my custom blacklist: 15
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 39
The order of spam according to the highest percentages, is as follows:
Fake Viagra and Cialis: 37.30%
Counterfeit (Rolex, etc) Watches: 14.05%
Pharmaceuticals and fake prescription drugs: 13.24%
Male Enhancement scams: 7.30%
Other miscellaneous filters (small percentages each): 6.22%
Known Spam Domains in links (usually Russian: .RU): 5.68%
Counterfeit Goods: 5.41%
Blacklisted sender names and domains: 4.05%
Charset=iso-8859-2 (Latvia, etc): 2.16%
Numeric IP hostile link (hijacked PCs): 1.62%
Russian Sender: 1.35%
Work At Home Scams (money laundering stolen funds): 1.08%
DNS Blacklisted Servers: 0.54%

I made 1 addition/update to my custom filters:
Counterfeit Goods

I made no changes to my custom Blacklist:

Take my advice and never reply to spam email, just delete it. Never buy anything that is spamvertised. If you do, you will give your credit or debit card details to hardened criminals, in far away places. If you purchase illicit controlled drugs from abroad, they are subject to seizure by US Customs. It is against the law to import prescription drugs without a valid prescription issued by a physician who is validly licensed in the USA.

A word regarding knockoff watches: they are made in China, have no applicable warranty, cannot be returned if defective, are sold by criminal spammers, and are inferior to the real items they are copying. If you buy a counterfeit name brand watch, know that a fool and his money soon will part! Ditto for fake diplomas that are offered from time to time.

December 5, 2010

My Spam analysis & filter updates for the week of Nov 29 - Dec 5, 2010

Look out Christmas shoppers! Spammers are ramping up their efforts to get some of your hard earned dollars. There is a virtual flood of crap mail deluging email inboxes this week, mostly hawking things like fake Viagra, counterfeit watches, illegal to import prescription drugs, bogus male enlargement herbs and pills, Russian dating and "chat" scams and work at home money laundering scams (money mule recruiters for bank account stealing Trojans, like Zeus/Licat and similar Bots).

Note: if you fall for a money mule recruiter scam (work at home and make $$$ per day/week) and become involved in transferring stolen funds overseas, you could go to jail for being an active accomplice in a money laundering scheme (of money stolen from bank accounts by hidden keystroke logging Bots). Always use the best anti-malware protection you can afford, like Trend Micro Titanium Internet Security and Malwarebytes' Anti-Malware (MBAM). These two commercial programs can detect, remove and block most badware being released on a daily basis. If you run MBAM as freeware, make sure you update it before scanning, and scan every day!

This past 7 days, spam for various types of garbage amounted to 56% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from November 29, through December 5, 2010. These classifications are based upon my own custom MailWasher spam filters.

MailWasher Pro by Firetrust
Percentage classified as spam: 56%; down 4% from last week
Number of messages classified as spam: 469 
Number classified by my custom spam filters: 419
Number and percentage of spam according to my custom blacklist: 23
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 5
Number of spam messages seen, reported to SpamCop & manually deleted: 30
The order of spam according to the highest percentages, is as follows:
Counterfeit (Rolex, etc) Watches: 23.49%
Fake Viagra and Cialis: 22.82%
Illegal to import and fake prescription drugs: 19.02%
Male Enhancement scams: 9.4%
Blacklisted sender names and domains: 5.15%
Other miscellaneous filters (small percentages each): 5.15%
Known Spam Domains in links (usually Russian: .RU): 4.25%
Dating/Chat scams ("Russian Brides"): 2.91%
Work At Home Scams (money laundering stolen funds): 2.24%
Numeric IP link (hijacked PCs): 1.79%
Pump and Dump Stock scams (like DYNV): 1.57%
Russian Sender: 1.12%
DNS Blacklisted Servers: 1.12%

I made 5 additions/updates to my custom filters:
APNIC (China, etc)
Dating Scams
Male Enhancement scams
Watches (fake, counterfeit Rolex, etc)
Work At Home Scams ("money mule" recruiters)

I made these changes to my custom Blacklist:
[email protected] (fails to honor repeated unsubscribe requests!)

Take my advice and never reply to spam email, just delete it. Never buy anything that is spamvertised. If you do, you will give your credit or debit card details to hardened criminals, in far away places. If you purchase illicit controlled drugs from abroad, they are subject to seizure by US Customs. It is against the law to import prescription drugs without a valid prescription issued by a physician who is validly licensed in the USA. Finally, there is no actual Canadian Pharmacy. If you see email purporting to come from Canadian Pharmacy, or any variation of those words, delete it. The non-existent company was conceived by Russian spammers. Any drugs actually shipped come from illicit pharmaceutical knockoff factories in Asia.

November 28, 2010

My Spam analysis & filter updates for the week of Nov 22 - 28, 2010

Look out Holiday shoppers! Spammers are ramping up their efforts to get some of your hard earned dollars. There is a virtual flood of crap mail deluging email inboxes this week, mostly hawking things like fake Viagra, counterfeit watches, illegal to import prescription drugs and bogus male enlargement herbs and pills.

This past 7 days, spam for these types of garbage amounted to 60% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from November 22, through 28, 2010. These classifications are based upon my own custom MailWasher spam filters.

MailWasher Pro by Firetrust
Percentage classified as spam: 60%; up 6% from last week
Number of messages classified as spam: 479 
Number classified by my custom spam filters: 393
Number and percentage of spam according to my custom blacklist: 58
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 4
Number of spam messages seen, reported to SpamCop & manually deleted: 19
The order of spam according to the highest percentages, is as follows:
Counterfeit watches: 22.42%
Fake Viagra and Cialis: 21.98%
Illicit pharmaceuticals: 19.34%
Blacklisted sender names and domains: 12.75%
Male Enhancement scams: 8.57%
Known Spam Domains in links (pirated software): 4.40%

Other filters that had some measurable percentages included pump and dump stock scams, fake diplomas, counterfeit goods, numeric links (to Botnetted computers) and bogus loan services.

I made only one addition to my custom filters:
Eastern European Sender

I made these changes to my custom Blacklist:
*penis+@+
en1arge+@+
[email protected]
[email protected]

Take my advice and never reply to spam email, just delete it. Never buy anything that is spamvertised. If you do, you will give your credit or debit card details to hardened criminals. If you purchase illicit controlled drugs from abroad, they are subject to seizure by US Customs. It is against the law to import prescription drugs without a valid prescription issued by a physician who is validly licensed in the USA. Finally, there is no actual Canadian Pharmacy. If you see email purporting to come from Canadian Pharmacy, or any variation of those words, delete it. The non-existent company was conceived by Russian spammers. Any drugs actually shipped come from illicit pharmaceutical knockoff factories in Asia.

September 19, 2010

My Spam analysis & filter updates for the week of Sept 13 - 19, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have decreased 5% this week, to 48% of all my incoming email. Most of the spam was typical junkmail for counterfeit Chinese watches, fake Cialis and Viagra, illicit prescription drugs and male enhancement scams. There was also a new type of spam in the wild, with the subject "hello" and the body text: "How are you?" I'm not sure if this was a dry run for a spam blast, or if the reply to addresses are being monitored by Botmasters, or spammers.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Sept 13 - 19, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

September 12, 2010

My Spam analysis & filter updates for the week of Sept 6 - 12, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have increased 1% this week, to 54% of all my incoming email. Most of the spam was typical junkmail for counterfeit Chinese watches, fake Cialis and Viagra, illicit prescription drugs and male enhancement scams.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Sept 6 - 12, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

September 6, 2010

My Spam analysis & filter updates for the week of Aug 30 - Sept 5, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have decreased 1% this week, to 53% of all my incoming email. I saw a few new fake FedEx courier infected attachment exploits this week. These contain the Bredolab Trojan downloader that downloads and installs the Zeus banking credentials stealer. All the rest of the spam was typical junkmail for counterfeit Chinese watches, fake Cialis and Viagra, illicit prescription drugs, male enhancement scams and fake diploma scams.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Aug 30 - Sept 5, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis & filter updates for the week of Aug 30 - Sept 5, 2010" »


August 31, 2010

Fake FedEx email with message in image and malware attachments

For a couple of days I have been seeing a new round of nasty Trojan attachments in emails posing as FedEx invoices. This scam is not new. It has been ongoing for months now. The payload, in an attached zipfile, has been either the Bredolab or Zeus Trojan in the recent past. The Bredolab makes a PC a member of a spam and DDoS Botnet. The Zeus (Zbot) plants an info-stealing keylogger on your system, then protects it with a rootkit. The Zeus monitors logins to a long list of popular banks, payment processors and online game sites, then captures the key strokes as you log in, and soon, most of your money is gone to Russia.

Although the scam is not new, the method of delivering the convincing con has changed. This week has seen the arrival of the con being embedded in an inline image, in the .jpg format. The message I am looking at right now has the following text embedded as its content:

"Dear,
Unfortunately we failed to deliver the postal package you sent on the 27th of July in time because the recipient's address is erroneous. Please print out the invoice copy attached and collect the package at our office."

The message then screws its own pooch by displaying this odd text: "'Spiderman' climbs again in Sydney ." However, I'm sure that will disappear, as spam filters around the world tune in to that phrase.

The attachment, which claims to be a FedEx document (invoice), is inside a .zip file and is in fact a very dangerous Trojan. If you open the zip file and launch the embedded executable, your PC will become a zombie member of a spam and attack Botnet, and/or will have the Zeus Trojan installed, to steal your logins and money.

If you have already fallen for this scam, please scan your computer with the Trend Micro online Housecall malware scanner. Then, if at all possible, update your existing anti-virus program and scan with it. If your anti-virus is old and the subscription is expired, download a free, fully functional trial of Trend Micro Internet Security. Install it, update it, then scan the entire computer.

Further, I recommend downloading and installing/scanning with Malwarebytes Anti-malware (MBAM). Both of these security applications will detect the threats contained in the fake FedEx scams attachments and will halt their hidden processes and delete their files. You will have to restart the PC and scan again and may have to disable System Restore. Many types of malware hide as backups in the hidden system restore folder and are restored after you clean the machine, then reboot. Turning off System Restore kills the malware backups. Don't forget to turn it back on after cleaning has completed!

If the malware prevents you from updating, or installing, or running a real security program, go to Bleeping Computer's malware removal forum, sign up for an account, read the instructions, then open a new topic requesting personal help. A trained, volunteer malware removal expert will assist you as soon as he or she is able to. They will recommend free tools you can use to restore your PC to normal working condition. Read every word carefully and only do what you are asked to do.

Malwarebytes also has an expert malware removal assistance forum. Their forums are meant for people attempting to use MBAM to remove malware.

Both of the aforementioned programs will protect you from getting infected in the first place! Trend Micro Internet Security not only has regularly updated onboard malware definitions and behavioral analysis engines, but also consults a definitions server referred to as a "Cloud Server." As new releases of malware are captured (by security company honeypots), they are rapidly examined and new definitions are published to the Cloud servers, before they are pushed to client computers. Further, the destination websites are instantly blocked by the "Trend Micro Smart Protection Network." All subscribers to Trend Micro security programs are instantly protected from visiting those hostile websites and servers. You can learn more, download and purchase a subscription here.

Malwarebytes Anti-Malware is free to use in purely manual mode, but this won't protect you against reinfection. You can get realtime protection and automatic updating and scanning by paying $24.95 US dollars or equivalent in your currency, for a lifetime license. Read the details and download or purchase a license for MBAM here.


August 29, 2010

My Spam analysis & filter updates for the week of Aug 23 - 29, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have increased 6% this week, to 54% of all my incoming email. I saw a few new courier infected attachment exploits this week. All the rest of the spam was typical junkmail for counterfeit Chinese watches, fake Cialis and Viagra, illicit prescription drugs, male enhancement scams, pirated software, and fake diploma scams.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for August 23 - 29, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis & filter updates for the week of Aug 23 - 29, 2010" »


August 22, 2010

Where to save my updated MailWasher Pro spam filters

In early July, 2010, Firetrust, the makers of the famous anti-spam program: MailWasher Pro, released a brand new version. The new MailWasher 2010 was several years in the making and touts a new user interface, new spam weighting system and a brand new spam filter format.

Previously, MailWasher spam filters were in a plain text file, aptly named "filters.txt" - with each filter on a long separate line, ending with a line feed, but no blank lines between them. Some filters have many individual rules and trying to read and debug them is a challenge. The new version uses a well formed XML format, with indented sections and rules. This is a visually pleasing layout that is easy to read and edit, rule by rule. However, because each rule and condition is on a separate line, the file size is much larger than the old flat text file filters.

As many of you know, I write and publish spam filters for use in MailWasher Pro. I have been writing and updating these filters for years. But, with the release of the new MailWasher 2010, a lot of work was needed to convert the old filter format into the new one. The good news is that as of today, August 22, 2010, I completed the conversion and placed the new "Filters.xml" online. You can view and download them from my aforementioned Custom Filters page.

If you already know where to save downloaded filters you don't need this article. Otherwise, you need this information to learn where to save updated filters. Where you save your filters file depends on both your operating system and the version of MailWasher Pro you have installed. Some, like me, use both the old and new versions simultaneously. I continue using the previous version 6.5.4, because it contains direct reporting of spam to SpamCop, for reporting members. And, the previous version has full-featured Mail Statistics and Spam Categories charts. I use the statistics and percentages reports in my weekly spam analysis articles, published on this blog, every Sunday (see my Spam and Email categories). These features are going to be added to the new version 2010 of MailWasher, at which time I and others will stop using the previous version.

If you are here out of curiosity, you can learn more about MailWasher Pro, or try it, or buy it here.

Let's move on with the locations of your spam filters, for various operating systems and versions of MailWasher Pro...

Continue reading "Where to save my updated MailWasher Pro spam filters" »


My Spam analysis & filter updates for the week of Aug 16 - 22, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have decreased 8% this week, to 48% of all my incoming email. This represents a 12% decline over two weeks. I saw 2 new DHL infected attachment exploits this week. All the rest of the spam was typical junkmail for counterfeit Chinese watches, fake Cialis and Viagra, illicit prescription drugs, male enhancement scams, pirated software, and a few Nigerian lottery and 419 scams.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for August 16 - 22, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis & filter updates for the week of Aug 16 - 22, 2010" »


August 15, 2010

My Spam analysis for the week of August 9 - 15, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

There was news today on the anti-spam front. It was just reported that the #2 spammer in the world, Leo Kuvayev, is sitting in jail, awaiting trial in Russia, on charges of molesting over 50 young girls he lured away from Russian orphanages. Kuvayev is responsible for operating bogus online pharmacies, porn sites, including child porn, pirated OEM software and related affiliate programs for these illegal activities. His organization is called BadCow and his partner in crime is running it in his absence. Many of the spam messages we receive on a daily basis are sent by Botnets under his control, or operated by his associates. The spammers themselves are affiliates of BadCow. When spam recipients are foolish enough to purchase a spamvertised item, the affiliate spammers earn a commission and Leo Kuvayev lines his pockets even more.

My incoming spam levels have decreased 4% this week, to 56% of all my incoming email. I didn't see any new types of spam this week. All the spam that botnets are sending out this week is typical junkmail for counterfeit Chinese watches, fake Viagra, illicit prescription drugs - sans the prescription, male enhancement scams, pirated software, fake diplomas and Nigerian lottery and 419 scams. Many of the pirated software domains this week are hosted in the Ukraine. Most Russian sender spam was for counterfeit watches.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My blacklisted senders list was fairly effective this week, auto-deleting ~5.5% of all incoming spam. 57 of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra or male enhancement junk. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for August 9 - 15, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of August 9 - 15, 2010" »


August 8, 2010

My Spam analysis for the week of August 2 - 8, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have increased 9% this week, to 60% of all my incoming email. I didn't see any new types of spam this week. All the spam that botnets are sending out this week is typical junkmail for counterfeit Chinese watches, fake Viagra, illicit prescription drugs - sans the prescription, male enhancement scams, pirated software, fake diplomas and Nigerian lottery and 419 scams. Many of the pirated software domains this week are hosted in Vietnam and China. Most Russian sender spam was for counterfeit watches.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My blacklisted senders list was quite effective this week, auto-deleting ~7% of all incoming spam. 66 of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra or male enhancement junk. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for August 2 - 8, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of August 2 - 8, 2010" »


August 1, 2010

My Spam analysis for the week of July 26 - Aug 1, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have increased 2% this week, to 51% of all my incoming email. I didn't see any new types of spam this week. All the spam that botnets are sending out this week is typical junkmail for fake Viagra, illicit prescription drugs - sans the prescription, male enhancement scams, Nigerian lottery and 419 scams, fake diplomas, counterfeit watches and pirated software. All of the pirated software is hosted on websites ending with .RU, which are Russian domains. The servers allowing this crap to go on are located in China.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My blacklisted senders list was quite effective this week, auto-deleting ~10% of all incoming spam. 41 of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra or male enhancement junk. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for July 26 - Aug 1, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of July 26 - Aug 1, 2010" »


July 25, 2010

My Spam analysis for the week of July 19 - 25, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have decreased 5% this week, to 49% of all my incoming email. New this week is a run of fake, but authentic looking scams forging Amazon.com order confirmations, complete with a fake, but properly formatted purchase order code in the subject. The message bodies should be a giveaway to anybody who reads them thoroughly, because the greeting lists your email address, instead of your legal name (real Amazon orders always include your real name). Plus, the dollar amounts shown don't match or add up. Further, when you hover your pointer over the links they all go to the same destination, which is NOT on Amazon.com! These links lead to a scripted exploit attack which results in unprotected PCs becoming members of a Botnet.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My blacklisted senders list was quite effective this week, auto-deleting 10.46% of all incoming spam. Many (53) of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for July 19 - 25, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of July 19 - 25, 2010" »


July 20, 2010

Beware of fake Amazon.com purchase order scams

As I write this I am looking at the fourth Amazon.com scam message I have received in the last 24 hours. These messages are professionally composed and very closely resemble an actual similar email that one receives after making a purchase at Amazon.com. However, there are some telltale differences, listed below, that give away the fake notices. All of the current scams have this subject:

Your Amazon.com Order (D2 numbers-7 numbers-7 numbers). This is exactly the same layout as a real confirmation for Amazon.com.

Before I tell you how to differentiate between a legitimate Amazon order confirmation and the fakes, I want to show you where you will end up if you are tricked into clicking on a link in a fake Amazon notice. In the sample of the fake notice before me, everything looks like an official order confirmation for an Amazon.com purchase, all the way down to the graphics and most, but not all of the text (see next paragraph). The main difference is that every single clickable link in the fake message leads to a domain that is not on amazon.com at all. All links lead to the same hostile location, via a 301 Apache web server redirect, created in an .htaccess file on a compromised VPS web server. The new location of this redirection is, in this instance: actcountry.ru:8080, which is hosted on an nginx Russian web server, on an unconfigured dedicated server in France, belonging to OVH Hosting.

At this moment the payload is offline, but it could return at any time, or may appear on another server used in the domain redirection scripts. There is no doubt that the payload was not friendly to most browsers on Windows operating systems.

The rest of the details about identifying fake Amazon purchase confirmations, follow in my extended comments.
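The telltales described above (every link leading to one non-Amazon host, link text that claims amazon.com, and a greeting that uses the email address) can be checked mechanically. This is an added example, not code from this blog; the sample messages, the host `redirector.example` and the recipient addresses are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND = "amazon.com"


def host_of(url: str) -> str:
    """Lower-cased host of a URL, or '' if the URL cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""


def on_brand(url: str) -> bool:
    """True only for the brand domain itself or a genuine subdomain of it."""
    host = host_of(url)
    return host == BRAND or host.endswith("." + BRAND)


class LinkCollector(HTMLParser):
    """Collect [href, visible text] for each web link, plus all body text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self.current = None  # link whose visible text is being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if href.lower().startswith(("http://", "https://")):
                self.current = [href, ""]
                self.links.append(self.current)

    def handle_endtag(self, tag):
        if tag == "a":
            self.current = None

    def handle_data(self, data):
        self.text.append(data)
        if self.current is not None:
            self.current[1] += data


def review_order_email(html_body: str, recipient: str) -> dict:
    parser = LinkCollector()
    parser.feed(html_body)
    off_brand = [(h, t) for h, t in parser.links if not on_brand(h)]
    hosts = {host_of(h) for h, _ in off_brand}
    body = " ".join(" ".join(parser.text).split())
    greeting = re.search(r"\b(hello|dear|hi)\b[\s,]*" + re.escape(recipient), body, re.I)
    return {
        "links": len(parser.links),
        "off_brand": len(off_brand),
        # Every link funnels to one foreign host: what hovering would reveal.
        "single_foreign_host": bool(parser.links)
        and len(off_brand) == len(parser.links) and len(hosts) == 1,
        # Visible text says amazon.com while the href goes elsewhere.
        "text_claims_brand": sum(1 for _, t in off_brand if BRAND in t.lower()),
        "greets_by_address": greeting is not None,
    }


# Constructed samples: a fake-style notice and a genuine-style one.
FAKE = """<html><body><p>Hello customer@example.org,</p>
<p>Thanks for your order at
<a href="http://redirector.example:8080/index.php">www.amazon.com</a>.</p>
<p><a href="http://redirector.example:8080/index.php">View order</a> |
<a href="http://redirector.example:8080/index.php">Your Account</a></p>
</body></html>"""

GENUINE_STYLE = """<html><body><p>Hello Pat Example,</p>
<p><a href="https://www.amazon.com/your-orders">View order</a>
<a href="https://www.amazon.com/help">Help</a></p></body></html>"""

if __name__ == "__main__":
    print(review_order_email(FAKE, "customer@example.org"))
    print(review_order_email(GENUINE_STYLE, "pat@example.org"))
```

The suffix test in `on_brand` matters: a lookalike host such as `amazon.com.redirector.example` contains the brand name but is not on amazon.com.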

Continue reading "Beware of fake Amazon.com purchase order scams" »


July 18, 2010

My Spam analysis for the week of July 12 - 18, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have increased 2% this week, to 54% of all my incoming email. New this week is a dangerous attachment pretending to be a scan from a Xerox WorkCentre Pro. This attack is probably targeted at businesses which may exchange Xerox documents online, or via email. In the case of this spam run, the attachments are inside a Zip file and are actually the Trojan downloader named "Oficla," or "Meredrop." If you execute that enclosed fake document, your PC will be taken over by criminal Botmasters in Eastern Europe.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My blacklisted senders list was quite effective this week, auto-deleting almost 11% of all incoming spam. Many (51) of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for July 12 - 18, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of July 12 - 18, 2010" »

July 11, 2010

My Spam analysis for the week of July 5 - 11, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 4% this week, to 52% of all my incoming email. This decline is partly caused by my rerouting all Russian language spam to a blackhole on my server. Previously, I allowed MailWasher to classify and auto-delete all Russian sent and Russian language spam. Now, only a few Russian senders (but English language) get through, only to be automatically deleted by my MailWasher Blacklist entry: +@+.ru

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by fake Viagra, illicit pharmaceuticals and male enhancement scams, followed by Russian senders, counterfeit watches, fake diplomas and pirated software. If you are using my custom MailWasher Pro filters, keep the filters for these types of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My blacklisted senders list was very effective this week, auto-deleting almost 19% of all incoming spam. Many (61) of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for July 5 - 11, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of July 5 - 11, 2010" »

July 4, 2010

My Spam analysis for the week of June 28 - July 4, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 6% this week, to 56% of all my incoming email. This decline is partly caused by my rerouting all Russian language spam to a blackhole on my server. Previously, I allowed MailWasher to classify and auto-delete all Russian sent and Russian language spam. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by fake diplomas, fake Viagra, unlicensed pharmaceuticals and male enhancement scams, Russian senders, counterfeit goods and pirated software. Keep the fake diplomas, Viagra, male enhancement, Russian sender and pirated software filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

I have noticed that with school now out for the summer and graduation ceremonies over, fake diplomas are the number one classification of spam, for two weeks in a row. I guess that the arrogant foreign spammers behind these scams believe that our students lack the parts to earn a diploma fair and square. But, in case you are reading this and were thinking about buying a fake diploma in the hopes of getting a high paying job, you should be alerted to this cold hard fact of life. If you buy a fake diploma, when, not if, you are found out, if that diploma landed you a job you will be fired as soon as they learn the truth. Then, your former employer will notify any hiring agencies who referred you and you will be blacklisted by all US and Canadian HR companies, including Temp placement companies. They share information about people who lie on applications and use fake diplomas and credentials. If you need to get more credits to graduate, go to summer school and get it honest!

My blacklisted senders list was slightly effective this week, auto-deleting 9.39% of all incoming spam. Many (37) of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for June 28 - July 4, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of June 28 - July 4, 2010" »

June 27, 2010

My Spam analysis for the week of June 21 - 27, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 8% this week, to 62% of all my incoming email. This decline is partly caused by my rerouting all Russian spam to a blackhole on my server. Previously, I allowed MailWasher to classify and auto-delete all Russian sent and Russian language spam. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by fake Viagra, counterfeit diplomas, Russian spam, male enhancement and pirated software. Keep the Viagra, Russian sender, counterfeit diplomas, male enhancement and pirated software filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

If you are also getting a lot of unreadable Russian spam, my custom MailWasher "Russian Sender" filter and a Blacklist addition of +@+.ru should kill all of it, if set to Automatically Delete. You can kill this Russian junk off of your domain email system, if you are hosted on a cPanel website. Go to the Email Account Level Filtering and add the following conditions and rule: If ANY HEADER contains: "koi8-r" OR if the BODY contains: "charset=koi8-r" - Discard Message.

My blacklisted senders list was slightly effective this week, auto-deleting 5.71% of all incoming spam. Many of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for June 21 - 27, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of June 21 - 27, 2010" »

June 20, 2010

My Spam analysis for the week of June 14 - 20, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 4% this week, to 70% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by lots of unreadable Russian language spam, counterfeit Viagra, counterfeit college diplomas and counterfeit watches. Runners up were the bogus Canadian Pharmacy and Male Enhancement scams. Keep the Viagra, Canadian Pharmacy, Russian Sender, counterfeit Watches and Diploma filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

If you are also getting a lot of unreadable Russian spam, my custom MailWasher "Russian Sender" filter and a Blacklist addition of +@+.ru should kill all of it, if set to Automatically Delete.

My blacklisted senders list was effective this week, auto-deleting ~7% of all incoming spam. Many of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for June 14 - 20, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of June 14 - 20, 2010" »

June 13, 2010

My Spam analysis for the week of June 7 - 13, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 4% this week, to 66% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by lots of unreadable Russian language spam, counterfeit Viagra, fake diplomas and counterfeit watches. Runners up were the bogus Canadian Pharmacy and Male Enhancement scams. Keep the Viagra, Canadian Pharmacy, Russian Sender, counterfeit Watches and Diploma filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

If you are also getting a lot of unreadable Russian spam, my custom MailWasher "Russian Sender" filter and a Blacklist addition of +@+.ru should kill all of it, if set to Automatically Delete.

My blacklisted senders list was effective this week, auto-deleting ~7% of all incoming spam, which included a huge amount of the aforementioned Russian language spam (see my extended content for details). I saw a slight increase in the number of emails forging my own accounts as the senders, with 50 this week, which was ~10% of my total spam. Many of these spam messages also included the same account names in the Subject and all were selling fake Viagra. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for June 7 - 13, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of June 7 - 13, 2010" »

June 7, 2010

Blocking Russian language spam with junk filter rules

I don't know if a Botnet has been mis-programmed, or if some Russian spammers have mistaken my domain for a Russian speaking domain, but I am seeing huge amounts of unreadable Russian language spam over the past month. However, I doubt that I am the only totally English speaking person in the USA who is getting this unintelligible Cyrillic spam.

The whys are unimportant to me, or to you, if you are also getting foreign language spam. A few years ago I was getting Chinese language spam, which is totally weird to look at. Both the Russian and Chinese alphabets look like something out of Star Trek to me. Most people are annoyed when they get any spam at all. But, getting spam you can't even read is worse. Since I can't read the content I have no use for looking at this crap, so I have created spam filters to automatically delete it off my email servers, and I will share them with you.

I have certain systems in place to filter out spam before I download it, but you all might have altogether different measures in place. I will outline my countermeasures, then suggest others that you may be able to use.

My primary tool in the war to secure my inbox is an anti-spam program called MailWasher Pro (MWP). It is a desktop application that intercepts all incoming POP3 email, from all of the various email servers that I use to get and send email. In my extended comments I will reveal two powerful filters that I have created, which combined will automatically delete 100% of the Cyrillic coded spam sent to my various POP3 accounts.

My second tool is my desktop email client: Windows Live Mail (WLM). This is the most recent child of the no longer supported Outlook Express email client, from Microsoft. Outlook Express died when Windows Vista was released. At the same time, Windows Mail was included with Vista. With the advent of Windows 7, Windows Live Mail is the only email client available from Microsoft, as an optional download. Unlike Outlook Express, Windows Live Mail includes a junk filter module, which receives updates from time to time. You can also block incoming messages from your inbox by applying the new "International" filter, which reads the sender's From address or language encoding. If the domain listed in the From field, or the text encoding, matches one on the blocked countries list, the message automatically goes to the Junk Mail folder, or is automatically deleted, according to your choices.

The previous anti spam countermeasures are for people using a POP3 or IMAP desktop email client to download, read, compose and send email. But, many people are still using browser based email systems, like Hotmail, Yahoo, AOL, Comcast, Charter, and other proprietary mail systems from free mail providers, or from their web hosting companies. You folks must search out and apply any junk mail rules available from your email service. I will show you how to apply junk filters to Yahoo and Hotmail, using your web browsers.

Most web hosting accounts now come with the option to enable SpamAssassin. You can turn on SpamAssassin and add a regular expression to block any "From" address containing the domain .ru
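The filter rules these posts describe (discard on "koi8-r" in any header or "charset=koi8-r" in the body, the +@+.ru blacklist entry, and Joe Job detection that overrides the friends list), sketched in Python as an added example. It is not MailWasher Pro, cPanel or SpamAssassin syntax; the accounts, the sample messages, the Joe Job heuristic and the reading of +@+.ru as "any mailbox at any .ru host" are assumptions.

```python
import email
import re
from email.utils import parseaddr

# Constructed placeholders: substitute your own accounts and approved senders.
OWN_ACCOUNTS = {"webmaster@mydomain.example"}
FRIENDS = OWN_ACCOUNTS | {"friend@partner.example"}

# Assumed reading of the blacklist entry +@+.ru: any mailbox at any .ru host.
RU_SENDER = re.compile(r"^.+@.+\.ru$", re.IGNORECASE)

# Constructed sample messages (raw headers, blank line, body).
SAMPLES = {
    "encoded-subject": "From: promo@shop.example\n"
                       "Subject: =?koi8-r?B?8NLJ18XU?=\n\n(body omitted)\n",
    "multipart-part": "From: sales@vendor.example\nSubject: News\n"
                      "Content-Type: multipart/alternative; boundary=b1\n\n"
                      "--b1\nContent-Type: text/html; charset=KOI8-R\n\n"
                      "<p>(body omitted)</p>\n--b1--\n",
    "ru-sender": "From: Deals <offers@mail.example.ru>\n"
                 "Subject: Special offer\n\nEnglish text.\n",
    "joe-job": "From: webmaster@mydomain.example\n"
               "Subject: webmaster, 80% discount today\n\nBuy now.\n",
    "friend": "From: friend@partner.example\n"
              "Subject: Re: that Viagra spam filter\n\nDid the rule work?\n",
    "stranger": "From: someone@elsewhere.example\n"
                "Subject: Re: that Viagra spam filter\n\nBuy now.\n",
}


def split_raw(raw):
    """Return (header block, body) of a raw message, normalising line ends."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head, body


def is_koi8r(sender, subject, head, body):
    # "ANY HEADER contains koi8-r OR the BODY contains charset=koi8-r".
    # The body test catches MIME part headers inside multipart messages.
    return "koi8-r" in head.lower() or "charset=koi8-r" in body.lower()


def is_ru_sender(sender, subject, head, body):
    return bool(RU_SENDER.match(sender))


def is_joe_job(sender, subject, head, body):
    # Own account forged in From and repeated in Subject (assumed heuristic).
    return sender in OWN_ACCOUNTS and sender.split("@")[0] in subject.lower()


def is_pharma(sender, subject, head, body):
    return "viagra" in subject.lower()


# (name, test, overrides_friends). Rules run top to bottom and the first
# match wins, so the categories that match most often belong near the top.
RULES = [
    ("russian-charset", is_koi8r, True),
    ("blacklist-ru", is_ru_sender, True),
    ("joe-job", is_joe_job, True),
    ("pharma-keyword", is_pharma, False),
]


def classify(raw):
    """Return (action, rule name) for one raw message."""
    msg = email.message_from_string(raw)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", ""))
    head, body = split_raw(raw)
    friend = sender in FRIENDS
    for name, test, overrides_friends in RULES:
        # A whitelisted sender skips only the rules that respect the list.
        if friend and not overrides_friends:
            continue
        if test(sender, subject, head, body):
            return ("delete", name)
    return ("keep", "friends-list" if friend else "no-match")


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```

Because the Joe Job rule overrides the friends list, a forged message "from" a whitelisted own account is still deleted, while a genuine friend's message that merely mentions a filtered keyword is kept.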

Continue reading "Blocking Russian language spam with junk filter rules" »

June 6, 2010

My Spam analysis for the week of May 31 - June 6, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 3% this week, to 62% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by blacklisted domains, counterfeit Viagra, counterfeit watches, and lots of unreadable Russian language spam. Keep the Viagra, Russian Sender and counterfeit Watches filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

If you are also getting a lot of unreadable Russian spam, my custom MailWasher "Russian Sender" filter and a Blacklist addition of +@+.ru should kill all of it, if set to Automatically Delete.

My updated blacklisted senders list proved extremely effective this week, auto-deleting ~35% of all incoming spam, which included a huge amount of the aforementioned Russian language spam (see my extended content for details). I saw another decrease in the number of emails forging my own accounts as the senders, with 45 this week, which was ~9% of my total spam. Many of these spam messages also included the same account names in the Subject and all were selling fake Viagra. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for May 31 - June 6, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of May 31 - June 6, 2010" »

May 30, 2010

My Spam analysis for the week of May 24 - 30, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 3% this week, to 59% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other measurable categories of spam included counterfeit diplomas and counterfeit watches, and lots of unreadable Russian language spam. Keep the Viagra, Canadian Pharmacy, Male Enhancement, Russian Sender, Diploma and the counterfeit Watches filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

If you are also getting a lot of unreadable Russian spam, my custom MailWasher "Russian Sender" filter and a Blacklist addition of +@+.ru should kill all of it, if set to Automatically Delete.

My updated blacklisted senders list proved extremely effective this week, auto-deleting ~32% of all incoming spam, which included a huge amount of the aforementioned Russian language spam (see my extended content for details). I saw a decrease in the number of emails forging my own accounts as the senders, with 82 this week, which was ~19% of my total spam. Many of these spam messages also included the same account names in the Subject and all were selling fake Viagra. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets, and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These addresses are inserted by the same script that composes the spam on the compromised PCs. Their owners are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that's using one's own accounts as the forged sender.
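The filter order described above, as an added Python sketch (not MailWasher's rule format or engine, and not the author's own filters): a content filter that overrides the Friends list catches a message forging one's own address, while a whitelist-first order lets it through. The addresses, keyword list, sample messages and the reading of `+` in `+@+.ru` as "one or more characters" are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical configuration for this sketch.
MY_ACCOUNTS = {"me@example.com", "sales@example.com"}   # the user's own addresses
FRIENDS = MY_ACCOUNTS | {"colleague@example.org"}       # whitelist that includes them
BLACKLIST = ["+@+.ru"]                                  # wildcard entry quoted in the post
SPAM_CONTENT = re.compile(r"viagra|canadian pharmacy|replica watch|diploma", re.I)


def wildcard_to_regex(pattern):
    """Compile a blacklist entry, assuming '+' means 'one or more characters'."""
    literal_parts = [re.escape(part) for part in pattern.split("+")]
    return re.compile("^" + ".+".join(literal_parts) + "$", re.I)


BLACKLIST_RE = [wildcard_to_regex(entry) for entry in BLACKLIST]


def sender_of(msg):
    """Bare address from the From header, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].lower()


def readable_text(msg):
    """Subject plus every text part of the message (no transfer decoding)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    bodies = [p.get_payload() for p in parts if p.get_content_maintype() == "text"]
    return msg.get("Subject", "") + "\n" + "\n".join(bodies)


def is_joe_job(msg):
    """From claims to be one of my own accounts, yet the content is spam."""
    return sender_of(msg) in MY_ACCOUNTS and bool(SPAM_CONTENT.search(readable_text(msg)))


def screen(raw, override_friends=True):
    """Return the action for one raw message.

    override_friends=True runs the Joe Job filter before the Friends list,
    which is the override the post describes. False models a whitelist-first
    order in which a forged own-address sender is trusted without inspection.
    """
    msg = message_from_string(raw)
    sender = sender_of(msg)
    if override_friends and is_joe_job(msg):
        return "delete: joe job"
    if sender in FRIENDS:
        return "keep: friend"
    if any(rx.match(sender) for rx in BLACKLIST_RE):
        return "delete: blacklist"
    if SPAM_CONTENT.search(readable_text(msg)):
        return "flag: content"
    return "keep"


# Constructed sample messages (not taken from the blog).
JOE_JOB = (
    "From: Me <me@example.com>\n"
    "To: me@example.com\n"
    "Subject: me 80% off\n"
    "\n"
    "Genuine Viagra, 80% off today only.\n"
)
SELF_NOTE = (
    "From: Me <me@example.com>\n"
    "To: me@example.com\n"
    "Subject: Backup report\n"
    "\n"
    "Nightly backup completed without errors.\n"
)
RU_SENDER = (
    "From: promo@example.ru\n"
    "To: me@example.com\n"
    "Subject: privet\n"
    "\n"
    "Unreadable text here.\n"
)

if __name__ == "__main__":
    for name, raw in [("joe job", JOE_JOB), ("self note", SELF_NOTE), ("ru sender", RU_SENDER)]:
        print(f"{name:10} override on: {screen(raw):18} override off: {screen(raw, False)}")
```

Legitimate mail sent to oneself still passes, because the override only fires when an own-account sender is combined with matching spam content.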

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for May 24 - 30, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


May 23, 2010

My Spam analysis for the week of May 17 - 23, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 2% this week, to 62% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other categories of spam included counterfeit diplomas and watches, Russian sender spam, weight loss scams and porn video link scams. Keep the Viagra, Canadian Pharmacy, Male Enhancement, Russian Sender, Diploma and the counterfeit Watches filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My updated blacklisted senders list proved extremely effective this week, auto-deleting ~30% of all incoming spam (see my extended content for details). I saw a huge increase in the number of emails forging my own accounts as the senders, with 124 this week, which was ~22% of my total spam. Many of these spam messages also included the same account names in the Subject and all were selling fake Viagra. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets, and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These addresses are inserted by the same script that composes the spam on the compromised PCs. Their owners are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for May 17 - 23, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


May 16, 2010

My Spam analysis for the week of May 10 - 16, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 3% this week, to 60% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other categories of spam included counterfeit watches, Trojan attachments in fake resumes, Nigerian 419 scams and fake diplomas. Keep the Viagra, Canadian Pharmacy, Male Enhancement, 419 Scams and the counterfeit Watches filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

By the way, the zipfile attachments claiming to be a resume in CV format actually contain Trojan downloaders. Open them on a Windows PC and you will probably become Botnetted!

My updated blacklisted senders list proved quite effective this week, auto-deleting ~17% of all incoming spam (see my extended content for details). I saw a big increase in the number of emails forging my own accounts as the senders, with 96 this week, which was ~20% of my total spam. Many of these spam messages also included the same account names in the Subject. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets, and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These addresses are inserted by the same script that composes the spam on the compromised PCs. Their owners are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for May 10 - 16, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


May 9, 2010

My Spam analysis for the week of May 3 - 9, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have remained exactly the same this week as last week, at 57% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other categories of spam included counterfeit watches, courier Trojan scams, pirated software and fake diplomas. Keep the Viagra, Canadian Pharmacy, Male Enhancement, Courier Scams and the counterfeit Watches filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

By the way, the Courier Scams all contain Botnet Trojan attachments. Open them on a Windows PC with any vulnerable software they target and you will probably become Botnetted!

My updated blacklisted senders list proved quite effective this week, auto-deleting ~19% of all incoming spam (see my extended content for details). I saw a slight increase in the number of emails forging my own accounts as the senders, with 75 this week, which was ~18% of my total spam. Many of these spam messages also included the same account names in the Subject. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets, and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These addresses are inserted by the same script that composes the spam on the compromised PCs. Their owners are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for May 3 - 9, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


May 2, 2010

My Spam analysis for the week of April 26 - May 2, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased slightly this week, to 57% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other categories of spam included counterfeit watches, Nigerian 419 and lottery scams, pirated software and fake diplomas. Keep the Viagra, Canadian Pharmacy, Male Enhancement and the counterfeit Watches filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My updated blacklisted senders list proved quite effective this week, auto-deleting ~17% of all incoming spam (see my extended content for details). I saw a slight decrease in the number of emails forging my own accounts as the senders, with 66 this week, which was ~14% of my total spam. Many of these spam messages also included the same account names in the Subject. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets, and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These addresses are inserted by the same script that composes the spam on the compromised PCs. Their owners are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for April 26 - May 2, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


April 25, 2010

My Spam analysis for the week of April 19 - 25, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased slightly this week, to 54% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other categories of spam included counterfeit watches and brand name goods and some Nigerian scams and Zbot threats in fake courier failed delivery notices. Keep the Viagra, Canadian Pharmacy, Male Enhancement and the counterfeit Watches filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My updated blacklisted senders list proved quite effective this week, auto-deleting 15.90% of all incoming spam (see my extended content for details). I saw a decrease in the number of emails forging my own accounts as the senders, with 69 this week, which was 18% of my total spam. Many of these spam messages also included the same account names in the Subject. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets, and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These addresses are inserted by the same script that composes the spam on the compromised PCs. Their owners are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for April 19 - 25, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


April 18, 2010

My Spam analysis for the week of April 12 - 18, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased slightly this week, to 52% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other measurable categories of spam included many for counterfeit watches, Russian bride dating scams (via Live.com spam links) and fake courier failed delivery notices that have attachments containing the Zbot, a.k.a. the Zeus banking Trojan.

My updated blacklisted senders list proved slightly effective this week, auto-deleting 7.52% of all incoming spam (see my extended content for details). I saw a huge increase in the number of emails forging my own accounts as the senders, with 101 this week, which was 33% of my total spam. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so I can easily detect and delete Joe Job spam.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets, and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These addresses are inserted by the same script that composes the spam on the compromised PCs. Their owners are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for April 12 - 18, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


April 11, 2010

My Spam analysis for the week of April 5 - 11, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have remained the same this week as last week, at 48% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other measurable categories of spam included many for counterfeit watches and Russian bride dating scams.

My updated blacklisted senders list proved very effective this week, auto-deleting 12% of all incoming spam (see my extended content for details). I saw a huge increase in the number of emails forging my own accounts as the senders, with 90 this week, which was 30% of my total spam. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so I can easily detect and delete Joe Job spam.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets, and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These addresses are inserted by the same script that composes the spam on the compromised PCs. Their owners are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for April 5 - 11, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of April 5 - 11, 2010" »


April 4, 2010

My Spam analysis for the week of March 29 - April 4, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 8% this week from last week's level, making two consecutive weeks of declines in spam volumes. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit pharmaceuticals. The totally fake Canadian Pharmacy is back in the count, with a lot of landing pages hosted on spaces.live.com pages, as well as on Botnetted PCs. Other measurable categories of spam included counterfeit watches and other knockoffs, fake diplomas, Russian bride dating scams and UPS Phishing scams.

My updated blacklisted senders list proved very effective this week, auto-deleting almost 15% of all incoming spam (see my extended content for details). I saw a slight decrease in the number of emails forging my own accounts as the senders, with 48 this week, which was 16% of my total spam. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 29 - April 4, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of March 29 - April 4, 2010" »


March 28, 2010

My Spam analysis for the week of March 22 - 28, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit prescription drugs dispensed without the required prescriptions. The totally fake Canadian Pharmacy is back in the count, with a lot of landing pages hosted on spaces.live.com pages. Other measurable categories of spam included counterfeit watches, fake diplomas, pirated Adobe software, Russian bride dating scams and Phishing scams. The Phishing scams included a bunch forging the US IRS as the sender, with subjects pertaining to alleged underreported income. The links in those scams lead to the download and installation of the ZBot/Zeus Trojan keylogger and backdoor.

My updated blacklisted senders list proved very effective this week, auto-deleting over 20% of all incoming spam (see my extended content for details). I saw another increase in the number of emails forging my own accounts as the senders, with 60 this week. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 22 - 28, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of March 22 - 28, 2010" »


March 21, 2010

My Spam analysis for the week of March 15 - 21, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 8% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit prescription drugs dispensed without the required prescriptions. The totally fake Canadian Pharmacy is back in the count, with a lot of landing pages hosted on spaces.live.com pages. Other measurable categories of spam included counterfeit watches, fake diplomas, offshore casinos, phony car warranties hosted in Korea and Russian bride dating scams.

My updated blacklisted senders list proved very effective this week, auto-deleting over 30% of all incoming spam (see my extended content for details). I saw another increase in the number of emails forging my own accounts as the senders. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 15 - 21, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of March 15 - 21, 2010" »


March 14, 2010

My Spam analysis for the week of March 8 - 14, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 5% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit prescription drugs, sold unlawfully without a real prescription. Other measurable categories of spam included counterfeit watches and other goods, fake diplomas, pirated software, and Russian dating scams.

My updated blacklisted senders list proved effective this week, auto-deleting almost 10% of all incoming spam (see my extended content for details). I saw another increase in the number of emails forging my own accounts as the senders. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 8 - 14, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of March 8 - 14, 2010" »


March 7, 2010

My Spam analysis for the week of March 1 - 7, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, including a lot of spam for counterfeit watches and phones, illicit prescription drugs, fake Viagra, Canadian Pharmacy scams, pirated software, dating scams, and fake diplomas.

My updated blacklisted senders list proved less effective this week, auto-deleting only 4% of all incoming spam (see my extended content for details). The decline in blacklisted matches is the result of spammers changing their tactics from previous weeks. In fact, I saw a giant increase in the number of emails forging my own accounts as the senders. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 1 - 7, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of March 1 - 7, 2010" »


February 28, 2010

My Spam analysis for the week of Feb 22 - 28, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 5% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, including a lot of spam for counterfeit watches, illicit drugs, fake Viagra, Canadian Pharmacy scams, pirated software, casinos and fake diplomas. My updated blacklisted senders list proved effective again this week, auto-deleting over 9% of all incoming spam (see my extended content for details).

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb 22 - 28, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of Feb 22 - 28, 2010" »


February 21, 2010

My Spam analysis for the week of Feb 15 - 21, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 5% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, including a lot of spam for counterfeit watches and phones, illicit drugs, fake Viagra, Russian dating scams, pirated software, casinos and fake diplomas. My updated blacklisted senders list proved extremely effective again this week, auto-deleting over 16% of all incoming spam (see my extended content for details).

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb 15 - 21, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of Feb 15 - 21, 2010" »


February 14, 2010

My Spam analysis for the week of Feb 8 - 14, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 4% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including a lot of spam for counterfeit diplomas, watches and Viagra, the totally fake "Canadian Pharmacy," Russian dating scams, Nigerian 419 and lottery scams and various identity phishing scams. My updated blacklisted senders list proved extremely effective again this week, auto-deleting over 24% of all incoming spam (see my extended content for details).

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb 8 - 14, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of Feb 8 - 14, 2010" »


February 7, 2010

My Spam analysis for the week of Feb 1 - 7, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including Russian dating spam, fake diplomas and counterfeit brand name watches, pirated software, male enhancement scams, counterfeit Viagra, the fake Canadian Pharmacy, Nigerian 419 scams, DHL and UPS Courier scams and other phishing scams. My updated blacklisted senders list proved extremely effective again this week, auto-deleting ~19% of all incoming spam.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb 1 - 7, 2010, and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for the week of Feb 1 - 7, 2010" »


February 1, 2010

My Spam analysis for the week of Jan 25 - 31, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including Russian dating spam, fake diplomas and counterfeit brand name watches, pirated software, male enhancement scams, counterfeit Viagra, the fake Canadian Pharmacy and DHL Courier scams. My updated blacklisted senders list proved extremely effective again this week, auto-deleting ~25% of all incoming spam.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Jan 25 - 31, 2010, and the latest additions to my custom MailWasher Pro filters.


January 24, 2010

My Spam analysis for the week of Jan 18 - 24, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have thankfully decreased 10% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including Russian dating spam, fake diplomas and counterfeit brand name watches, male enhancement scams, counterfeit Viagra and the fake Canadian Pharmacy. My updated blacklisted senders list proved extremely effective again this week, auto-deleting ~17% of all incoming spam.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Jan 18 - 24, 2010, and the latest additions to my custom MailWasher Pro filters.


January 17, 2010

My Spam analysis for the week of Jan 11 - 17, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased a whopping 25% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including Russian dating spam, fake diplomas and counterfeit brand name watches, counterfeit Viagra and the fake Canadian Pharmacy. My updated blacklisted senders list proved extremely effective again this week, auto-deleting ~27% of all incoming spam.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Jan 11 - 17, 2010, and the latest additions to my custom MailWasher Pro filters.


January 10, 2010

My Spam analysis for the week of Jan 3 - 10, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased a whopping 15% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, led by spam for Viagra, casinos, pirated software, counterfeit watches, the fake Canadian Pharmacy and other pharmaceuticals, and fake diplomas. Saturday, Jan 9, was the "spamiest" day this week. My blacklisted senders list proved effective again this week, catching ~13% of all incoming spam.

Not included in my statistics were several spam messages sent from hijacked PCs, faking a personal friend's account as the sender. The same message was sent to his entire group of contacts. The only body content was a link which led to an exploit web page, hosted on computers in a Botnet, all running an Nginx web server, from Russia. The exploit was based on a bogus Flash Player upgrade file, which is a Trojan Horse.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Jan 3 - 10, 2010, and the latest additions to my custom MailWasher Pro filters.


January 3, 2010

My Spam analysis for the week of Dec 28, 2009 - Jan 3, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 3% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including spam for Viagra, pirated software, counterfeit watches, the fake Canadian Pharmacy and other fake pharmacies, phony loans, fake diplomas, plus some Nigerian 419 scams. Thursday, Dec 31 was the "spamiest" day this week. My blacklisted senders list proved effective again this week, catching 10% of the incoming spam.

Not included in my statistics were several spam messages sent from hijacked PCs, faking a personal friend's account as the sender. The same message was sent to his entire group of contacts. The only body content was a link which led to an exploit web page, hosted on computers in a Botnet, all running an Nginx web server, from Russia. The exploit was based on a bogus Flash Player upgrade file, which is a Trojan Horse.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Dec 28, 2009 - Jan 3, 2010, and the latest additions to my custom MailWasher Pro filters.


December 27, 2009

My Spam analysis for the week of Dec 21 - 27, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 3% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including spam for pirated software, counterfeit watches, the fake Canadian Pharmacy and other fake pharmacies, illegal-to-import Viagra from China and India, HTML positioning tricks, plus some Nigerian 419 scams. Monday, Dec 21 was the "spamiest" day this week. Further, my blacklisted senders list proved very effective this week.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Dec 21 - 27, 2009 and the latest additions to my custom MailWasher Pro filters.


December 20, 2009

My Spam analysis for the week of Dec 14 - 20, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 6% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including spam for the fake Canadian Pharmacy and other fake pharmacies, illegal-to-import Viagra from China and India, acai berry weight loss scams, counterfeit watches, loan scams and lottery scams. Also continuing this week was a run of pornographic spam subjects. Thursday, Dec 17 was the "spamiest" day this week.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Dec 14 - 20, 2009 and the latest additions to my custom MailWasher Pro filters.


December 13, 2009

My Spam analysis for the week of Dec 7 - 13, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 7% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week saw a large variety of categories of spam, including the return of male enhancement scams, spam for the fake Canadian Pharmacy, illicit Viagra from China, weight loss scams, counterfeit watches, loan scams and identity theft phishing scams targeting bank and UPS customers. New this week was a run of very pornographic spam promoting a dating service with a very nasty name. Such websites are places where people have their credit or debit cards stolen, or where extremely hostile scripts are run against your browser, trying to infect your computer.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Dec 7 - 13, 2009 and the latest additions to my custom MailWasher Pro filters.


December 6, 2009

My Spam analysis for the week of Nov 30 - Dec 6, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for various unlicensed prescription drugs from China, plus weight loss, male enhancement and phishing scams. The rise in Male Enhancement scams follows a total decline that occurred a month ago, after the takedown of the Mega-D Botnet. The spammers using that Botnet have hired other Botnets to distribute their enlargement scams.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Nov 30 - Dec 6, 2009 and the latest additions to my custom MailWasher Pro filters.


November 29, 2009

My Spam analysis for the week of Nov 23 - 29, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 5% this week from last week's level. Furthermore, there has been a big drop in the number of male enhancement scam emails I have captured. This is almost entirely due to the hijacking and sinkholing of the Ozdok/Mega-D Botnet. That Botnet was taken down two weeks ago by the efforts of FireEye, a security firm that hijacked the Ozdok Bot command structure and redirected requests for updates from the zombies in the Botnet to a blackhole/sinkhole IP. They also notified all of the companies hosting the Command and Control servers used by the Botnet and those servers were all taken offline. This was all accomplished in a mere 24 hours, thanks to a lot of co-operation and investigative work. Unfortunately, those male enhancement spam emails are reappearing, so either Mega-D Botnet has been restored, or another Botnet is being used by the spammers promoting these fake, Chinese enhancement products.

Before the takedown, Mega-D was responsible for most of the worldwide plague of male enhancement spam messages, going back to at least 2007. Those are the messages promoting unreal enlargement results from various bogus pills and herbals.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for the fake Canadian Pharmacy and other unlicensed prescription drugs from China. Also, the Nigerian scammers were busy again last week, promoting their lottery scams, sent from various African countries.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Nov 23 - 29, 2009 and the latest additions to my custom MailWasher Pro filters.


November 22, 2009

My Spam analysis for the week of Nov 16 - 22, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 1% this week from last week's level. Furthermore, there has been a big drop in the number of male enhancement scam emails I have captured. This is almost entirely due to the hijacking and sinkholing of the Ozdok/Mega-D Botnet. That Botnet was taken down last week by the efforts of FireEye, a security firm that hijacked the Ozdok Bot command structure and redirected requests for updates from the zombies in the Botnet to a blackhole/sinkhole IP. They also notified all of the companies hosting the Command and Control servers used by the Botnet and those servers were all taken offline. This was all accomplished in a mere 24 hours, thanks to a lot of co-operation and investigative work.

Before the takedown, Mega-D was responsible for most of the worldwide plague of male enhancement spam messages, going back to at least 2007 (or late 2006). Those are the messages promoting unreal enlargement results from various bogus pills and herbals.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for fake Viagra and other unlicensed prescription drugs from China. Not surprisingly, the Nigerian scammers were busy again last week, promoting their advance fee fraud 419 scams. 100% of all email coming to me, with African IPs in the headers, are 419 scams. I have a MailWasher Pro filter to detect and block African Senders.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Nov 16 - 22, 2009 and the latest additions to my custom MailWasher Pro filters.


November 15, 2009

My Spam analysis for the week of Nov 9 - 15, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 4% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for unlicensed prescription drugs from China, plus the usual male enhancement and fake pharmacy scams and counterfeit Viagra. Not to be outdone, the Nigerian scammers were busy again last week, promoting their lottery scams. 100% of all email coming to me, with African IPs in the headers, are 419 scams.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Nov 9 - 15, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for the week of Nov 9 - 15, 2009" »

November 8, 2009

My Spam analysis for the week of Nov 2 - 8, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have decreased 6% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for knock-off (counterfeit) Chinese watches, male enhancement and fake pharmacy scams and counterfeit Viagra. Not to be outdone, the Nigerian scammers were busy again last week, promoting their usual 419 and lottery scams. 100% of all email coming to me, with African IPs in the headers, are 419 scams.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Nov 2 - 8, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for the week of Nov 2 - 8, 2009" »

November 1, 2009

My Spam analysis for Oct 26 - Nov 1, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have decreased 3% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for knock-off (counterfeit) Chinese watches, clothes and handbags, closely followed by male enhancement and fake pharmacy scams. Not to be outdone, the Nigerian scammers were busy again last week, promoting their usual 419 and lottery scams.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Oct 26 - Nov 1, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for Oct 26 - Nov 1, 2009" »

October 25, 2009

My Spam analysis for Oct 20 - 25, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have increased 4% this week, after two weeks in a row that spam levels had declined here. This might mean that the Bot Masters running spam Botnets may be sorting out problems maintaining their command and control (C&C) servers, used to reactivate their sleeping zombie computers (Almost all spam is now sent from "zombie" computers in spam Botnets).

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for Nigerian 419 advance fee fraud scams, counterfeit Viagra and other brand name knock-offs. There was also a resurgence in spam using Yahoo! Groups web pages, mostly for the fake "Canadian Pharmacy," so Yahoo! needs to set up some keyword filters to detect and take down these illicit pages. Many of the "Known Spam Domain" spamvertised pharmaceutical websites were domains ending in ".cn" - which is the designation for websites hosted in China. Coincidentally, these spam messages were usually promoting the fake Canadian Pharmacy sites. Spammers try to confuse their victims with .cn domain links, because actual Canadian websites end in .ca, which many people don't realize.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Oct 20 - 25, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for Oct 20 - 25, 2009" »

October 18, 2009

My Spam analysis for Oct 12 - 18, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have decreased again this week, making two weeks in a row that spam levels have declined here. This might mean that the Bot Masters running spam Botnets may have problems maintaining their command and control (C&C) servers, used to reactivate their sleeping zombie computers (Almost all spam is now sent from "zombie" computers in spam Botnets). Or, maybe those zombie PCs have been disinfected or taken offline. Or, maybe they are putting most of their efforts into scams on social networking sites and server exploits.

However, Bot Herders and spammers don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for the fake Canadian Pharmacy and counterfeit watches and other "knock offs." There were also several Nigerian 419 advance fee fraud scams. Most spamvertised pharmaceutical websites were domains ending in ".cn" - which is the designation for websites hosted in China. Coincidentally, these spam messages were usually promoting the fake Canadian Pharmacy sites. Spammers try to confuse their victims with .cn domain links, because actual Canadian websites end in .ca, which many people don't realize.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Oct 12 - 18, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for Oct 12 - 18, 2009" »

October 12, 2009

My Spam analysis for Oct 5 - 11, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have decreased a bit this week, after a significant increase last week. This might mean that the Bot Masters running spam Botnets may have problems maintaining their command and control (C&C) servers, used to reactivate their sleeping zombie computers. Or, maybe those zombie PCs have been disinfected or taken offline. Whatever the explanation, spam dropped this week.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters" and "Known Spam Domains" categories, was for the fake Canadian Pharmacy, male enhancement scams and counterfeit Viagra. There was also some spam for counterfeit watches-handbags-software, and several Nigerian 419 advance fee fraud scams.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Oct 5 - 11, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for Oct 5 - 11, 2009" »

October 4, 2009

My Spam analysis for Sept 28 - Oct 4, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have increased again this week, after a significant decrease last week. This means that the Bot Masters running spam Botnets regained access to their command and control (C&C) servers, used to reactivate their sleeping zombie computers. Those zombie PCs are now sending out normal volumes of spam, as commanded by their Bot Masters. This will continue until the people hosting the C&C servers cut off the accounts, or get shut down by authorities.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters," "Known Spam Domains" and "Yahoo Groups Spam Link" categories, was for the fake Canadian Pharmacy, male enhancement scams and counterfeit Viagra. There was also some spam for counterfeit watches-handbags-software, phishing and weight loss scams.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Sept 28 - Oct 4, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for Sept 28 - Oct 4, 2009" »

September 27, 2009

My Spam analysis for Sept 21 - 27, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have decreased for the first time in five weeks. This means that the Bot Masters running spam Botnets may only have intermittent access to their command and control (C&C) servers, used to reactivate their sleeping zombie computers. Those zombie PCs are now sending out medium volumes of spam, as commanded by their Bot Masters. This will continue until the people hosting the C&C servers cut off the accounts, or get shut down by authorities.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters" and "Yahoo Groups Spam Link" categories, was for the fake Canadian Pharmacy, male enhancement scams and counterfeit Viagra. There was also some spam for counterfeit watches, software, lottery, phishing and weight loss scams.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Sept 21 - 27, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for Sept 21 - 27, 2009" »

September 20, 2009

My Spam analysis for Sept 14 - 20, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have increased for four weeks in a row. This means that the Bot Masters running spam Botnets have regained access to their command and control (C&C) servers, which have reactivated sleeping zombie computers. Those zombie PCs are now sending out large volumes of spam, as commanded by their Bot Masters. This will continue until the people hosting the C&C servers cut off the accounts, or get shut down by authorities.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters" and "Known Spam Domains" categories, was for the fake Canadian Pharmacy, male enhancement scams and counterfeit Viagra. There was also some spam for counterfeit watches and weight loss scams.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Sept 14 - 20, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for Sept 14 - 20, 2009" »

September 13, 2009

My Spam analysis for Sept 7 - 13, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have increased for three weeks in a row. This means that the Bot Masters running spam Botnets have regained access to their command and control (C&C) servers, which have reactivated sleeping zombie computers. Those zombie PCs are now sending out large volumes of spam, as commanded by their Bot Masters. This will continue until the people hosting the C&C servers cut off the accounts, or get shut down by authorities.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters" and "Known Spam Domains" categories, was for male enhancement scams and fake Viagra. There was also a bunch of spam for illegal casinos and the fake Canadian Pharmacy.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Sept 7 - 13, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for Sept 7 - 13, 2009" »

September 6, 2009

My Spam analysis for Aug 31 - Sept 6, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have increased for two weeks in a row. This probably means that the Bot Masters running spam Botnets have regained access to their command and control servers, which have reactivated sleeping zombie computers. Those zombie PCs are now sending out large volumes of spam, as commanded by their Bot Masters.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters" and "Known Spam Domains" categories, was for male enhancement scams and fake Viagra. There was also a bunch of spam for illegal casinos and the fake Canadian Pharmacy.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Aug 31 - Sept 6, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for Aug 31 - Sept 6, 2009" »

September 1, 2009

Hotmail POP access method changed on Sept 1, 2009

On September 1, 2009, Microsoft changed the way their Hotmail email servers communicate with POP3 - SMTP desktop email clients. As of this day you cannot send or receive Hotmail through Outlook Express, period; finito, kaput! You must change to a different desktop email client, like Windows Live Mail. Microsoft Outlook users can download and install the Microsoft Outlook Connector to continue to access Hotmail. The details about these changes and what you need to do follow.

If you use Microsoft Office Outlook to send and receive through Hotmail, you can download the free Office Outlook Connector to continue accessing your Windows Live Hotmail within Outlook 2003 or 2007. If you run an older version, read this information.

If you use Outlook Express (OE) to view Hotmail, you can choose to download the free Windows Live Mail (WLM), which resembles Outlook Express, but is much more powerful, less prone to crashes and contains a junk filter. You can import all of your saved .eml messages and accounts from OE into WLM (via Export/Import, or drag and drop between email clients). You can also import your personal folders from OE. The view is a little different, but you'll get used to it. You can find help on this page with exporting messages from Outlook Express into WLM.

If you are using Entourage to send and receive Hotmail, read these instructions to continue connecting to the new servers.

New Mail Server Names:
There are also changes to the names of the Hotmail POP3 and SMTP mail servers, which now use a technology known as "Delta Sync." The new incoming POP server is: pop3.live.com and the new outgoing SMTP server is: smtp.live.com. You must also change the incoming and outgoing ports, as outlined in my extended content, under "New mail servers and ports."

Continue reading "Hotmail POP access method changed on Sept 1, 2009" »

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.