Wiz's Computer and Website Security Blog

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see at all. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool; MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

My analysis of this week's spam shows that male enhancement pills, Viagra and other pharmaceuticals occupy the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes, pirated software and Google redirect exploits to fake "video codecs" (e.g: the Zlob Trojan and other Trojan Horse executables) falling further behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days comes from zombie computers, used as spam relays, in various Botnets.

As is usually the case, the category "Other Filters" has the second largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects, such as: one word subject, digits and consonants senders, various HTML tricks, 2 line spam tricks, and some lottery and financial fraud and phishing scams. The spam main categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 38% for the week ending May 4, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

Download MailWasher Pro Here

MailWasher Pro spam category breakdown for April 28 through May 4, 2008.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).

Posted by Wiz at 3:33 PM | Permalink

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see at all. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool; MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

My analysis of this week's spam shows that male enhancement pills, Viagra and other pharmaceuticals occupy the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes, pirated software and Google redirect exploits to fake "video codecs" (e.g: the Zlob Trojan and other Trojan Horse executables) falling further behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days comes from zombie computers, used as spam relays, in various Botnets.

As was the case before, the category "Other Filters" has the largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects, such as: one word subject, digits and consonants senders, various HTML tricks, 2 line spam tricks, and some good old Nigerian 419 lottery and financial fraud scams. The spam main categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 38% for the week ending April 27, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

MailWasher Pro spam category breakdown for April 21 through 27, 2008.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).

Continue reading "My Spam analysis for April 21 - 27, 2008" »

Posted by Wiz at 12:44 PM | Permalink

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see at all. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool; MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

My analysis of this week's spam shows that male enhancement pills, Viagra and other pharmaceuticals occupy the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes and Google redirect exploits to fake "video codecs" (e.g: the Zlob Trojan and other Trojan Horse executables) following closely behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days comes from zombie computers, used as spam relays, in various Botnets.

As was the case before, the category "Other Filters" has the largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects, such as: one word subject, digits and consonants senders, various HTML tricks, 2 line spam tricks, and some good old Nigerian 419 lottery and financial fraud scams. The spam main categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 34% for the week ending April 20, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

MailWasher Pro spam category breakdown for April 14 through 20, 2008.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).

Continue reading "My Spam analysis for April 14 - 20, 2008" »

Posted by Wiz at 2:42 PM | Permalink

After taking one week off from analyzing my spam (junk-mail) statistics, I am resuming them this weekend. I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see at all. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool; MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

On to the spam analysis at hand!

My analysis of this week's spam shows that male enhancement pills and other pharmaceuticals have reclaimed the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes and Google redirect exploits to fake "video codecs" (e.g: the Zlob Trojan and other Trojan Horse executables) following closely behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days comes from zombie computers, used as spam relays, in various Botnets.

As was the case before, the category "Other Filters" has the largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects, such as: one word subject, digits and consonants senders, various HTML tricks, 2 line spam tricks, and some good old Nigerian 419 lottery and financial fraud scams. The spam main categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 34% for the week ending April 13, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

MailWasher Pro spam category breakdown for April 7 through 13, 2008.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).

Continue reading "My Spam analysis for April 7 - 13, 2008" »

Posted by Wiz at 11:55 AM | Permalink

Exim Spam Filters for Websites with CPanel

If you have a website that uses cPanel as the control panel and it has email filtering enabled, on an account-wide basis, the rules below will reduce the amount of spam you see, dramatically.

First of all, you should be aware that not all cPanel icon layouts are the same, nor are all of the same options available from various hosting companies. I have my websites hosted at Bluehost and enjoy lots of user configurable options, including account-wide user-created email filter rules. I gain access to the email filters by following this path: Login to cPanel > "Home" > "Mail" section > "Account Level Filtering" icon. This opens a new cPanel page with the heading: "Edit Filters for All Mail On Your Account" - "In this area you can manage filters for your main account. Note, that if you have add-on domains hosted under the main account, their email accounts will also be covered by these filters. My cPanel also has an icon that when clicked upon allows me to create filters on an individual account basis. This way I can apply more restrictive rules to the accounts receiving the most spam, leaving the others to be filtered less drastically.

For simplicity sake I have grouped all of my various account rules into one set, which can be applied site-wide. You'll still see some spam, but not nearly as much as you do before applying these rules.

On the cPanel "Account Level Filtering" page, click the button labeled "Create a new Filter." The first input field is labeled: "Filter Name:" and you should type in the name you want to assign to each rule, or use mine, shown below. Each rule must have a unique filter name.

The next section down is labeled "Rules" and is where you select the various criteria for the rules. The options list on the left is where you choose which part of the email message the rule on that line will apply to. Use the down-arrow button to open the options list. Most commonly used filter selections are: "From, Subject, To, Body and Any Header."

The options list on the right side of Rules section determines how that rule will be applied. The options in the flyout list are: "Equals, Matches Regex, Contains, Does Not Contain, Begins With, Ends With, Does Not Begin With, Does Not End With, Does Not Match."

The actual rule text goes into the input field under the flyout options. Type, or copy and paste my rules below, into the input field for each rule. Next, under Actions, choose Discard Message, then click on the button labeled: "Activate." You will be taken to a page reporting that rule "such and such" was successfully created, and which contains a button to take you back to the main Filters page. There, under "Filter Test," you can test your rules in the test message area. Just enter text, or headers to be tested into the appropriate section, adding to or replacing what is already there, then press the "Test Filter" button. The results page will tell you what, if any filter rule has been matched and that the results would be a delivery to "/dev/null" (the bit bucket).

If the results of a filter test are "Normal Delivery," for a filtered spam message, something is wrong with your input selections. Use the Edit button next to the filter that should have applied and check your options settings and look for typos in the actual rule text. Save changes by clicking the Activate button, then test again. You'll get it right eventually. Trust me, I know - I've gone through this already.

Every rule group has a plus and a minus button on the right side. These are used to add additional criteria to the rule set. Plus adds a new rule, while minus removes the last rule. Each rule can apply to a different part of the message and have a different matching criteria. Theoretically, one could apply all of my rules to one filter set, but that would make it very hard to debug if legitimate email gets sent to the bit bucket in the sky. Keep the rules separate and properly labeled to make it easy to edit or remove them, if it becomes necessary.

See my extended comments in the section below, for the actual rules.

Continue reading "Exim Spam Filters for Websites with CPanel" »

Posted by Wiz at 4:36 PM | Permalink

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that male enhancement pills and other pharmaceuticals were finally displaced from the top spot in my spam categories, with Nigerian 419 and lottery scams, counterfeit brands of watches, clothing and footware, fake diplomas and debt consolidation loans, leading the pack. Most of the spam emails have links to websites hosted in China or Korea. Most of the fake and counterfeit watches, clothing, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets.

< rant >
The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the World, who will purchase enough drugs from links in spam emails to make it financially worth while for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent, online pharmacies?
< /rant >

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter, that when matched, assigns the status "BlackList" to those spam messages. This excludes lots of spam emails being categorized, since my blacklist rule is processed first. This saves processing power that is normally required by my custom filters. Furthermore, I have now applied some of my blacklist terms to the email server, on my website, automatically eliminating a huge portion of certain types of forged sender spam.

My current statistics show that spam is now 55% of all my incoming email, for the week of March 24 through 30, 2008. Without my custom MailWasher Pro filters identifying and automatically deleting most of this crap, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters for you all). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by Trojans people are tricked into clicking on. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for March 24 through 30, 2008.

Download MailWasher Pro Here

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Continue reading "My Spam analysis for March 24 - 30, 2008" »

Posted by Wiz at 3:39 PM | Permalink

Lately, I have been getting lots of Nigerian 419 Lottery scams, with the originating IP located in Spain, especially the ISPs - Ono.com and Telefonica.es. However, when I report these scams to SpamCop, a lot of the sending (not originating) IP addresses end up belonging to residential customers of broadband services in the US, Europe and South America. This tells me that the Nigerian crime gangs have buddied up with the owners of a botnet and are using it to relay some of their scam messages. Furthermore, some, but not all, of the scam emails also contain clickable links that lead to instant downloads of Trojan Horse downloaders, Keyloggers and Backdoors. This stinks of the Storm-Worm-Zhelatin Gang, located in St. Petersburg, Russia, although it could be a different botnet being rented out to Nigerians.

The main point of this article is not about botnets. Rather, it is to point out that many Nigerian 419 fraudsters are moving out of Africa, and Amsterdam (where they got arrested, convicted and deported), and settling in Spain. Not wanting to have their scam/spam messages traced directly to them, they have taken to the airwaves, literally. They are "piggybacking" on their neighbors' unsecured wireless routers, in apartment complexes or houses, using IP addresses assigned to other legitimate customers, to send scam runs. The victims are completely unaware that anything illegal is happening, until the Police come knocking on their door. Fortunately, the Nigerians who are piggybacking on the broadband accounts are in the same buildings. This has allowed the Spanish Police to locate and arrest some of them, as happened on February 18, 2008. Here is a quote from the Sophos article about those arrests:

Ten Nigerians arrested in Spain for email lottery scam
February 18, 2008

The ten people, all Nigerian nationals, are suspected of making more than 19,000 Euros ($28,000) in three months by demanding payments from innocent internet users who believed they had won a lottery.

Police report that the emails sent by the suspects were sent from the Teatinos area of Malaga in Spain, by piggybacking on a neighbour's wi-fi internet connection without permission. Seven arrests were made in Malaga, and three more in Huelva province.

Malaga is no stranger to Nigerian-run email scams. In 2005, 310 people were arrested in Malaga in what was said to be the biggest ever bust of a lottery scam gang. The arrests followed an investigation by the FBI and Spanish police into a scam run by Nigerian gangs.

If you run a forum or website that is plagued by Nigerian scammers you can block them from accessing it by employing a "blocklist." I publish and maintain a Nigerian Blocklist in two common formats:

1. .htaccess - for most Apache-based, shared hosting websites, where the webmaster only has control over his/her own website. The .htaccess rules will only block browsing you site and form submissions, but not email scams.


2. iptables - for those administrator-webmasters, who have Root access to dedicated, or VPS - Linux based servers. Iptables rules can be imported into your APF firewall, to block all access to undesirables, including email access.

End users, who receive email via a POP client (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora), and are tired of sorting through dozens or hundreds of daily email scams and other spam, can use the program I use to filter out spam and scams. That program is MailWasher Pro, which you can read about here.

In the meantime, do not fall for any lottery scams, or other free money pitches coming from Nigerian criminals. To see the details about what they have been up to recently, read my blog article about the sudden surge in Nigerian lottery scams.

Posted by Wiz at 1:14 PM | Permalink

For the last two days I have been getting lots of spam messages sent by Nigerian criminals, who are running a new 419 Advance Fee Fraud campaign. The current crop of 419 scams are mostly composed using all capital letters in the subject (but not always), and when you read the message body, it appears to come from a Barrister, or Solicitor, or a lottery, or a Will Executor. Huge rewards supposedly await the Mugu's (Fools) who respond and are willing to pay some processing fees to get this money transferred into their soon to be emptied bank accounts.

This request for fees to be paid in advance of the transfer of the imaginary funds is referred to as a 419 scam. That is the number of the statute in the Nigerian Criminal Code that covers financial advance fee fraud.

Here is a list of the subjects from the email scams I have received in the past 60 hours (Updated 3/28/08):

Download MailWasher Pro here

ASSISTANCE
ATM PAYMENT
Attention, Attention,, Attention
Attn:Beneficiary
CONTACT EFEX COURIER COMPANY ASAP
CONTACT FEDEX COURIER COMPANY FOR YOUR DELIVERY
CONTACT FEDEX COURIER COMPANY FOR YOUR PARCEL
CONTACT REV. DR. KENNETH OKOM DIRECTOR OF ATM CARD BANK
CONTACT YOUR ATM MASETR CARD
CONTACT YOUR ATM PAYMENT CENTER
Contact your claims agent
Dear Friend
From Barrister James.
FROM: PETER SUMEN. (NPA)
GOOD NEWS
IMPORTANT NOTICE
THIS IS FOR YOUR ATTENTION.
WILL EXECUTION
YOUR CONTRACT PAYMENT
Your Payment
GOOD NEWS CONTACT HALLMARK DELIVERY COMPANY FOR THE DELIVERY OF YOUR CONSIGNMENT ASAP.

Many of the message bodies begin with "Dear Friend,". Every one of these spam messages was an attempted 419 scam. If you get any email with these subjects you can probably be safe deleting it without reading the crap inside. If your email system allows for special filter rules, create one to delete or flag as spam all messages containing ALL CAPS. Spam Assassin already has this rule built into it. I personally use MailWasher Pro to screen all of my incoming POP email, before I download it to Outlook Express. MailWasher Pro uses a variety of methods to recognize spam and scams, including user created custom filters. I happen to write and maintain a group of filters for MailWasher Pro. They are available on my MailWasher Filters Page.

If you already have MailWasher and need a filter rule to detect messages containing all capital letters, here it is (the rule should be on one long continuous line):

[enabled],"Subject All Caps/Missing (S)","Subject All Caps/Missing (S)",33023,OR,Delete,Subject,doesn'tContainRE,(?-i)[a-z],Subject,doesn'tContainRE,.

Here is my MailWasher filter for known 419 scams (one long line):

[enabled],"Nigerian 419 Scams","419 Scam",16711680,OR,Blacklist,Delete,Body,containsRE,"^(?-i)Dear\ (Sir/Madam|Friend),(
)?$",Body,contains,"URGENT AND CONFIDENTIAL",Body,contains,"BANK OF NIGERIA",Subject,is,"URGENT AND CONFIDENTIAL",Body,containsRE,"unclaimed\ (benefits|funds)",Subject,contains,"CONFIDENTIAL MUTUAL BUSINESS PROPOSAL",Body,contains,"contacting you based on Trust",From,contains,"Department of National Lotteries",Subject,contains,"UNITEDN NATION",Subject,containsRE,"TREAT\ (AS|VERY)\ (CONFIDENTIAL|URGENT)"

Just copy and paste that rule into your MailWasher filters.txt file, which is found in (Windows XP) your logged in identity > Documents and Settings > Application Data > MailwasherPro folder. Make sure MailWasher is closed before you add this rule, save the file, then open MWP again. The rule should be visible when you click on View > Filter Sidebar (Ctrl+F7). You can download MailWasher Pro here.

Do not ever fall for the pitches from these Con men in Nigeria. They are very good at relieving North Americans and Brits of their excess money, using greed as the bait.

Continue reading "Sudden surge in Nigerian 419 Scam emails" »

Posted by Wiz at 9:42 PM | Permalink

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that male enhancement pills and other fake pharmaceuticals dominated all spam categories, but, with counterfeit brands of watches, clothing and footware, along with fake diplomas, making a big comeback. Most of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Much of the fake and counterfeit drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets.

< rant >
The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the World, who will purchase enough drugs from links in spam emails to make it financially worth while for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent, online pharmacies?
< /rant >

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter, that when matched, assigns the status "BlackList" to those spam messages. This excludes lots of spam emails being categorized, since my blacklist rule is processed first. This saves processing power that is normally required by my custom filters. Furthermore, I have now applied some of my blacklist terms to the email server, on my website, automatically eliminating a huge portion of certain types of forged sender spam.

My current statistics show that spam is now 50% of all my incoming email, for the week of March 17 through 23, 2008. This is 6% down from last week, much of which is attributable to me applying pattern matching spam filters to my mail server. However, 50% spam is still getting through and without my custom MailWasher Pro filters identifying and automatically deleting most of this crap, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters for you all). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by Trojans people are tricked into clicking on. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for March 17 through 23, 2008.

Download MailWasher Pro Here

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Continue reading "My Spam analysis for March 17 - 23 2008" »

Posted by Wiz at 12:45 PM | Permalink

If I got this, you will too. Be on the lookout for a spam email with the name of a major female recording artist in a subject and a message body claiming it has a link to a video or mp3 file. Clicking on said link will result in the download and possible execution of a file named mgp.exe, which has been identified by AVG as Backdoor IRCBOT.DNZ. Activating this threat will give control of your PC to hackers who will control it using IRC channels and commands. After that, there is no telling what other malware or spam-ware will be installed onto your computer.

The file I tested (mgp.exe) is 61.5 kb in size and was delivered from a compromised Italian website, AlterVista.org, whose IP address range is from 75.126.135.128 - 75.126.135.143, which is hosted on servers leased from Softlayer, Inc.

Those of you who use my exploited servers blocklist are already aware that Softlayer's IP range is in the list of servers being exploited for spam and hosting malware. The IP range is expressed as what is known as a CIDR and in the case of Softlayer the CIDR to block is 75.126.0.0/16 - which covers all IP addresses from 75.126.0.0 through 75.126.255.255. The CIDR assigned to the infected Italian website is 75.126.135.128/28. This message has already been reported to SpamCop, by numerous reporting recipients. They will notify the companies involved in hosting this malware threat, but, the timing of this spam threat is no coincidence. This threat was released on the Easter long holiday weekend, when support personnel may be out or short-handed until Tuesday, in the hopes of maximizing the usability of the ruse.

If you have control over incoming email on your web server, you may wish to apply a filter to block traffic from these CIDRs, unless you have business with websites hosted there. Otherwise, create a filter to block email where the Subject contains "Stunning video" and "Carmen Electra" - and the body contains "Only 1 day trial" and "download it now."

The full text of the spam threat I examined is as follows...

Subject: Stunning video without cowards Carmen Electra Message Body:

Milla Jovovich Interesting video with a naked celebrity.

The video is Kick-up!

Only 1 day trial - get this Full mp3 now!

{link removed} Download it now!

Read about what you should do if you have already clicked on such a link, in my extended comments...

Continue reading "New backdoor threat in spam email using recording artist names" »

Posted by Wiz at 11:35 AM | Permalink

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that fraudulent pharmaceuticals, mostly Viagra and male enhancement pills, dominated all spam categories, but, with counterfeit brands of watches, clothing and footware, along with fake diplomas, making a big comeback. Most of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Much of the fake and counterfeit drugs and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets.

< rant >
The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the World, who will purchase enough drugs from links in spam emails to make it financially worth while for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent, online pharmacies?
< /rant >

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter, that when matched, assigns the status "BlackList" to those spam messages. This excludes lots of spam emails being categorized, since my blacklist rule is processed first. This saves processing power that is normally required by my custom filters. Furthermore, I have now applied some of my blacklist terms to the email server, on my website, automatically eliminating a major portion of certain types of forged sender spam.

My current statistics show that spam is now 56% of all my incoming email, for the week of March 10 through 16, 2008. This is the same amount as last week. Without my custom MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm or related Trojans. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for March 10 through 16, 2008.

Download MailWasher Pro Here

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Continue reading "My Spam analysis for March 10 - 16, 2008" »

Posted by Wiz at 1:40 PM | Permalink

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that fraudulent pharmaceuticals, mostly Viagra and male enhancement pills, dominated all spam categories, but, with counterfeit brands of watches, clothing and footware making a big comeback. Most of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Much of the fake and counterfeit drugs and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets.

< rant >
The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the World, who will purchase enough drugs from links in spam emails to make it financially worth while for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent, online pharmacies?
< /rant >

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter, that when matched, assigns the status "BlackList" to those spam messages. This excludes lots of spam emails being categorized, since my blacklist rule is processed first. This saves processing power that is normally required by my custom filters. Furthermore, I have now applied some of my blacklist terms to the email server, on my website, automatically eliminating a major portion of certain types of forged sender spam.

My current statistics show that spam is now 56% of all my incoming email, for the week of March 3 through 9, 2008. This is up 3% from last week. Without my custom MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm or related Trojans. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for March 3 through 9, 2008.

Download MailWasher Pro Here

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Continue reading "My Spam analysis for March 3 - 9, 2008" »

Posted by Wiz at 2:07 PM | Permalink

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that fraudulent pharmaceuticals, mostly Viagra and male enhancement pills, dominated all spam categories. Most of the spam emails for pharmaceuticals have links to websites hosted in China, where fake and counterfeit drugs are produced. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets. The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the World, who will purchase enough drugs from links in spam emails to make it financially worth while for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent, online pharmacies?

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter, that when matched, assigns the status "BlackList" to those spam messages. This excludes lots of spam emails being categorized, since my blacklist rule is processed first. This saves processing power that is normally required by my custom filters.

My current statistics show that spam is now 53% of all my incoming email, for the week of February 25 through March 2, 2008. This is the same as last week. Without my custom MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm or related Trojans. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for February 25 through March 2, 2008.

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Continue reading "My Spam analysis for February 25 - March 2, 2008" »

Posted by Wiz at 1:44 AM | Permalink

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that fraudulent pharmaceuticals, mostly Viagra and male enhancement pills, dominated all spam categories. Most of the spam emails for pharmaceuticals have links to websites hosted in China, where fake and counterfeit drugs are produced. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets. The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the World, who will purchase enough drugs from links in spam emails to make it financially worth while for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent, online pharmacies?

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter, that when matched, assigns the status "BlackList" to those spam messages. This excludes lots of spam emails being categorized, since my blacklist rule is processed first. This saves processing power that is normally required by my custom filters.

My current statistics show that spam is now 53% of all my incoming email, for the week of February 18 through 24, 2008. This is down 2% from last week. Without my custom MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm or related Trojans. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for February 18 through 24, 2008.

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Continue reading "My Spam analysis for February 18 - 24, 2008" »

Posted by Wiz at 2:20 PM | Permalink

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that fraudulent pharmaceuticals, mostly Viagra and male enhancement pills, dominated all spam categories. Most of the spam emails for pharmaceuticals have links to websites hosted in China, where fake and counterfeit drugs are produced. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets. The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the World, who will purchase enough drugs from links in spam emails to make it financially worth while for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent, online pharmacies?

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter, that when matched, assigns the status "BlackList" to those spam messages. This excludes lots of spam emails being categorized, since my blacklist rule is processed first. This saves processing power that is normally required by my custom filters.

My current statistics show that spam is now 55% of all my incoming email, for the week of February 11 through 17, 2008. This is up 1% from last week. Without my custom MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm or related Trojans. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for February 1 through 17, 2008.

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Posted by Wiz at 3:30 PM | Permalink

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again (no surprise here). All of them have links to websites hosted in China, where the counterfeit drugs are produced, or Korea. Foremost among these are fake pharmacy websites, like the so called "CanadianPharmacy," which is not in Canada at all (China and Indo-China), and their drugs are definitely not FDA approved. Most of the "CanadianPharmacy" web pages are now hosted on compromised home PC's that are unknowingly members of various spam Botnets. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit, or contaminated medicine?

The Storm Botnet is actively spamming emails proclaiming love messages, getting an early start on the upcoming Valentine's Day greetings season. They all contain a short "love" message and (numeric) links to Storm Trojan infected computers. People who are tricked into clicking on those links will in all likelihood have their PCs drafted into the Storm Botnet. If past history tells us anything it is that the links will not always be numeric, for Storm Trojan spam messages. Just beware of any short email from unknown (or even known) senders, containing a brief (usually one line) message, with just a link that is either numeric, or has a word related to "love" or "Valentine" in the link.

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special filter rule, that when matched, assigns the status "BlackList" to those spam messages. This excludes lots of spam emails being catagorized, since my blacklist rule is processed first. This saves processing power that is normally required by my custom filters.

My current statistics show that spam is now 54% of all my incoming email, for the week of February 4 through 10, 2008. This is down 2% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for February 4 through 10, 2008.

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over a month now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for illicit Viagra, or male enhancement drugs.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters; due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 2% of the spam detections flew under my radar and were classified as DNS Blacklists, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.